KYC stands for Know Your Customer and is the process of verifying the identity of your clients, assessing their risk level, and periodically reviewing and updating their information. Conducting a KYC process is a necessary step in ensuring compliance with Anti-Money Laundering (AML) rules in your company.

All obliged entities must conduct KYC checks to ensure they only do business with trustworthy entities.

For example, auditors need to perform a KYC verification before accepting an audit engagement in order to confirm that the client is who they claim to be and to determine the client’s risk profile.

Verifying the identity of potential clients and assessing their money laundering and terrorist financing (ML/TF) risks protects auditors from establishing business relationships with suspicious people or companies that are likely to be involved in illicit activities.

In cases where the client is a company, the auditors must also take reasonable measures to identify the ultimate beneficial owners of the client. The ultimate beneficial owners are the persons who ultimately control the company.

This blog post aims to help SMEs stay on top of AML compliance by answering some of the most frequently asked questions about the KYC process.


Why is the KYC process important?

KYC verification is a necessary step in ensuring compliance with the Anti-Money Laundering (AML) legislative package. Know Your Customer processes help B2B companies understand and monitor the risks associated with each customer and protect them from working with entities involved in money laundering or terrorist financing.

Ultimately, KYC checks help companies to comply with the law, mitigate risks, protect their reputation, and steer clear of penalties and hefty fines.

Does your company need to comply with AML rules? Do you want to automate your KYC process and simplify compliance? Then keep on reading.


Which businesses and persons are covered by the Anti-Money Laundering legislation?

The businesses and persons covered by the AML legislation include, but are not limited to:

  • Auditors, accountants, and tax advisors
  • Bookkeepers
  • Lawyers and notaries
  • Real estate agents
  • Trust and company service providers
  • Financial institutions
  • Gambling service providers
  • Other entities that sell high-value goods (diamonds, fine art, collectibles, etc.) and accept cash payments of €10,000 or more


What are the Know Your Customer requirements?

Generally, a KYC process consists of customer due diligence (CDD) measures such as customer identification and verification, establishing the purpose and nature of the business relationship, and ongoing monitoring. Besides CDD measures, risk assessment and record-keeping are essential steps in the KYC process.

1. Customer identification and verification

The first step of a KYC process is collecting data about potential customers.

If the customer is an individual or the beneficial owner of a company, the information you need to ask for commonly includes their full name, address, date and place of birth, and national identification number. You can verify the accuracy of the provided information either by requesting copies of official documents such as passports or national identity cards or with the help of trusted electronic identification means (such as a national eID).

For businesses, you should collect information regarding the company’s legal name, legal form (sole proprietorship, partnership, etc.), registration number, products/services, address, and beneficial owners. In some cases, you also need to ask for supporting documentation such as certificates of incorporation, articles of association, organizational charts, and shareholder registers.

The collected information must also be checked against sanctions and PEP lists for individuals/beneficial owners and against official business registers for companies.

Keep in mind that the necessary information and supporting documents can differ based on the ML/TF risk posed by the customer. For low-risk customers, you can collect less data while for high-risk customers additional information is always needed.

2. Establishing the purpose and nature of the business relationship

During this step, you need to understand why the client wants to use your products or services. For example, a person opens a bank account with the primary purpose of keeping their money in a safe place and having easy access to it.

You also need to understand how the customer intends to use your product/service. To do so, you need to collect information about:

  • the types of transactions
  • expected size and frequency of transactions
  • countries involved in the transactions

For example, consider a person who has just opened a bank account to have their salary credited to it. The client expects to withdraw a maximum of €100 per month and make cash deposits of a maximum of €500 every year. They don’t intend to make any cross-border transfers.

Knowing the intended nature and purpose of the business relationships will help you detect any suspicious activity potentially related to money laundering. In the example above, a suspicious transaction would be transferring a large amount of money to a cross-border bank account.

3. Risk assessment

The next step is assessing the customer’s risk level.

To determine the risk posed by individuals, you’ll need to ask questions such as:

  • Is the customer a PEP (politically exposed person)?
  • Is the customer running a business that presents a higher risk for financial crime, such as a cash-intensive business?
  • Do you have any face-to-face contact with the customer?
  • Do you sell the product directly to the customer or do you rely on intermediaries?
  • Is the customer asking about loopholes to reduce or eliminate their tax liability? And if yes, do you think this leads to a higher risk for money laundering or terrorist financing?
  • Is the customer interested in a high-risk product/service such as correspondent banking?

To identify the risk level associated with a company, answer the following questions:

  • Does the company have a complex structure that makes it difficult to establish the identities of the beneficial owners?
  • Is the client’s industry prone to money laundering or terrorist financing (e.g., financial industry)?
  • Do the products, services, or delivery channels they provide pose a high risk for financial crime (e.g., private banking services or non-face-to-face interactions)?
  • Does the customer operate in countries outside of the EU that don’t have sufficient money laundering regulations in place?
  • Is the company making large cash transactions that are abnormal for their industry?

By answering these questions, you can identify the level of money laundering and terrorist financing risks associated with each potential customer. The three levels of risk are low, medium, and high.

If a customer poses a high risk of money laundering, you will have to carry out enhanced due diligence for that client.

4. Ongoing monitoring and updates

Customer circumstances change over time. Therefore, you should regularly review and update all KYC data to make sure the information you hold is accurate.

For example, let’s say one of your existing customers is appointed as the senior executive of a state-owned corporation, thus becoming a PEP (politically exposed person).

Since PEPs pose a higher level of money laundering risk, you’ll need to update the customer’s risk level and collect additional information and supporting documentation.

5. Record-keeping

The time period during which obliged entities need to retain KYC documents and personal data depends on their national AML legislation:

  • 🇧🇪 Belgium: 10 years
  • 🇩🇰 Denmark: 5 years
  • 🇳🇴 Norway: 5 years
  • 🇸🇪 Sweden: 5 years
  • 🇫🇮 Finland: 5 years


Anti-Money Laundering in Europe

In Europe, KYC requirements vary from country to country.


KYC documents

KYC documents are documents collected from independent and reliable sources that can prove the identity of the client.

If the customer is an individual, the documents that you normally have to collect during a KYC process include documents issued by public authorities, such as passports, national ID cards, and driver’s licenses.

If the customer is a legal person, the KYC documents you should collect often include the customer’s articles of association and extracts from national UBO registers.


The difference between KYC and AML

As mentioned above, KYC refers to the process of identifying and verifying the identity of your clients and their beneficial owners, determining the risk of money laundering associated with each client, and keeping client records in accordance with the law.


AML, on the other hand, refers to all of the legal obligations set out by anti-money laundering laws, including the KYC process.


Therefore, the difference between KYC and AML is that the KYC process is only a component of AML compliance.


How can digital solutions simplify KYC verification?

Digital KYC solutions automate manual work, reduce errors, cut down costs, and save you time. What’s more, KYC software encrypts your client’s personal data and official documents to protect them against hackers.

Penneo KYC is a digital solution that starts the KYC verification by checking individual clients and UBOs against PEP and sanctions lists.

If the client is an organization, Penneo KYC automatically retrieves all available data from official business registers (e.g., registration number, beneficial owners, legal form).

Next, the system asks you a few questions about your customer to help you assess their risk profile.

The third step is asking for documentation. You can select the official documents you need from a list and send the request to your client.

When the customer gets the request, they can use any device to upload pictures or copies of the documents in the app.

Once you get the documents, you can either approve or reject them. If everything is in order and the documentation is approved, the business relationship starts. Our system stores the client’s KYC information so you can easily retrieve and access it when needed.

What’s more, our digital KYC solution regularly screens your customers against PEP and sanctions lists and business registers throughout the whole duration of the business relationship. If any changes are detected, Penneo KYC will notify you about them.

As you can see, the KYC process doesn’t have to be tedious and time-consuming.
