KYC stands for Know Your Customer and is the process of verifying the identity of your clients, assessing their risk level, and periodically reviewing and updating their information. Conducting a KYC process is a necessary step in ensuring compliance with Anti-Money Laundering (AML) rules in your company.

All obliged entities must conduct KYC checks to ensure they only do business with trustworthy entities.

For example, banks need to perform a KYC verification when someone wants to open a bank account to confirm that potential customers are who they claim to be.

Verifying the identity of potential customers allows banks to steer clear of people engaged in illegal financial activities.

Similarly, certain business-to-business companies need to perform KYC checks to identify the beneficial owners and verify the legitimacy of the entities they are in a business relationship with. The beneficial owners are the persons who ultimately control the company.

KYC checks help B2B companies understand and monitor the risks associated with each customer and protect them from working with entities involved in money laundering or terrorist financing. What’s more, KYC verification is a necessary step in ensuring compliance with the Anti-Money Laundering (AML) legislative package.

Does your company need to comply with AML rules? Do you want to automate your KYC process and simplify compliance? Then keep on reading.

Is the KYC process mandatory for all businesses?
What are the five steps of a KYC process?
How can digital solutions simplify KYC verification?


Is the KYC process mandatory for all businesses?

No, carrying out KYC checks is only mandatory for entities regulated under AML/CTF rules such as:

  • Financial institutions
  • Auditors, accountants, and tax advisors
  • Lawyers and notaries
  • Real estate agents
  • Gambling service providers
  • Trust and company service providers
  • Other entities that sell high-value goods (diamonds, fine art, collectibles, etc.) and accept cash payments of €10,000 or more

However, more and more non-obliged companies have started conducting KYC checks to protect themselves from financial crime.


What are the five steps of a KYC process?

A KYC process consists of customer due diligence measures such as customer identification and verification, establishing the purpose and nature of the business relationship, and ongoing monitoring. Besides CDD measures, risk assessment and record-keeping are essential steps in the KYC process.

1. Customer identification and verification

The first step of a KYC process is collecting data about potential customers.

If the customer is an individual or the beneficial owner of a company, the information you need to ask for commonly includes their full name, address, date and place of birth, and national identification number. You can verify the accuracy of the provided information either by requesting copies of official documents such as passports or national identity cards or with the help of trusted electronic identification means (such as a national eID).

For businesses, you should collect information regarding the company’s legal name, legal form (sole proprietorship, partnership, etc.), registration number, products/services, address, and beneficial owners. In some cases, you also need to ask for supporting documentation such as certificates of incorporation, articles of association, organizational charts, and shareholder registers.

The collected information must also be checked against sanctions and PEP lists for individuals/beneficial owners and against official business registers for companies.

Keep in mind that the necessary information and supporting documents can differ based on the ML/TF risk posed by the customer. For low-risk customers, you can collect less data while for high-risk customers additional information is always needed.

2. Establishing the purpose and nature of the business relationship

During this step, you need to understand why the client wants to use your products or services. For example, a person opens a bank account with the primary purpose of keeping their money in a safe place and having easy access to it.

You also need to understand how the customer intends to use your product/service. To do so, you need to collect information about:

  • the types of transactions
  • expected size and frequency of transactions
  • countries involved in the transactions

For example, consider a person who has just opened a bank account to get their salary credited to it. The client expects to withdraw a maximum of €100 per month and make cash deposits of a maximum of €500 every year. They don’t intend to make any cross-border transfers.

Knowing the intended nature and purpose of the business relationships will help you detect any suspicious activity potentially related to money laundering. In the example above, a suspicious transaction would be transferring a large amount of money to a cross-border bank account.

3. Risk assessment

The next step is assessing the customer’s risk level.

To determine the risk posed by individuals, you’ll need to ask questions such as:

  • Is the customer a PEP (politically exposed person)?
  • Is the customer running a business that presents a higher risk for financial crime, such as a cash-intensive business?
  • Do you have any face-to-face contact with the customer?
  • Do you sell the product directly to the customer or do you rely on intermediaries?
  • Is the customer asking about loopholes to reduce or eliminate their tax liability? And if yes, do you think this leads to a higher risk for money laundering or terrorist financing?
  • Is the customer interested in a high-risk product/service such as correspondent banking?

To identify the risk level associated with a company, answer the following questions:

  • Does the company have a complex structure that makes it difficult to establish the identities of the beneficial owners?
  • Is the client’s industry prone to money laundering or terrorist financing (e.g., financial industry)?
  • Do the products, services, or delivery channels they provide pose a high risk for financial crime (e.g., private banking services or non-face-to-face interactions)?
  • Does the customer operate in countries outside of the EU that don’t have sufficient money laundering regulations in place?
  • Is the company making large cash transactions that are abnormal for their industry?

By answering these questions, you can identify the level of money laundering and terrorist financing risks associated with each potential customer. The three levels of risk are low, medium, and high.

4. Ongoing monitoring and updates

Customer circumstances change over time. Therefore, you should review and update all KYC data at least once a year to make sure the information you hold is accurate.

For example, let’s say one of your existing customers is appointed as the senior executive of a state-owned corporation, thus becoming a PEP (politically exposed person).

Since PEPs pose a higher level of money laundering risk, you’ll need to update the customer’s risk level and collect additional information and supporting documentation.

5. Record-keeping

In Finland, obliged entities need to retain KYC documents and personal data for five years after the termination of the business relationship.


How can digital solutions simplify KYC verification?

Digital KYC solutions automate manual work, reduce errors, cut down costs, and save you time. What’s more, KYC software encrypts your client’s personal data and official documents to protect them against hackers.

Penneo KYC is a digital solution that starts the KYC process by checking individual clients and UBOs against PEP and sanctions lists.

If the client is an organization, Penneo KYC automatically retrieves all available data from official business registers (e.g., registration number, beneficial owners, legal form).

Next, the system asks you a few questions about your customer to help you assess their risk profile.

The third step is asking for documentation. You can select the official documents you need from a list and send the request to your client.

When the customer gets the request, they can use any device to upload pictures or copies of the documents in the app.

Once you get the documents, you can either approve or reject them. If everything is in order and the documentation is approved, the business relationship starts. Our system stores the client’s KYC information so you can easily retrieve and access it when needed.

What’s more, our digital KYC solution regularly screens your customers against PEP and sanctions lists and business registers throughout the whole duration of the business relationship. If any changes are detected, Penneo KYC will notify you about them.

When a business relationship ends, you need to mark it as “ended” in the app. The system will automatically delete the customer’s KYC information five years after the end date of the business relationship.

As you can see, the KYC process doesn’t have to be tedious and time-consuming. So, get a free trial of Penneo KYC today and start exploring its benefits!


