What is KYC (Know Your Customer)?
Know Your Customer (KYC) is the process by which regulated firms verify the identity of their clients and assess their risk profile. Here is what KYC requires, how it connects to UBO and AML, and why corporate KYC is significantly more complex than individual checks.
Know Your Customer (KYC) is a legal and regulatory requirement that obliges firms in regulated sectors, primarily financial services, to verify who their customers are before establishing a business relationship. It applies to banks, investment managers, brokers, insurers, and increasingly to law firms, accountants, estate agents, and other designated non-financial businesses and professions (DNFBPs).
KYC is not a single check. It is a process: a set of procedures that identify a customer, verify that identity against reliable documents, assess the customer's risk profile, and maintain ongoing monitoring of the relationship. The depth of due diligence required depends on the assessed risk level of the customer and the nature of the business relationship.
The three components of KYC
Most regulatory frameworks decompose KYC into three elements. Customer Identification Program (CIP) establishes who the customer is: for individuals, this means name, date of birth, address, and a government-issued identifier. Customer Due Diligence (CDD) goes further: for corporate customers, it means identifying the entity's ownership structure, its directors, and its Ultimate Beneficial Owners (UBOs). Enhanced Due Diligence (EDD) applies additional scrutiny to higher-risk customers, including politically exposed persons (PEPs), customers from high-risk jurisdictions, and unusual or complex ownership structures.
Ongoing monitoring is the fourth element: the requirement to keep customer information current and to flag transactions or activities that are inconsistent with the customer's known risk profile.
Why corporate KYC is harder than individual KYC
Verifying an individual's identity is relatively mechanical: a passport, a utility bill, and a database check. Verifying a corporate entity is considerably more complex, because the regulated firm must identify not just the entity but the natural persons who ultimately control it.
This is the UBO problem. A company owned by a holding company owned by a trust administered by a nominee on behalf of a politically exposed person is, on its face, a clean corporate entity. The firm cannot form a view on the customer's risk profile without resolving the full ownership chain to identify who is actually in control. In complex corporate structures spanning multiple jurisdictions, this requires access to multiple national registries, the ability to cross-reference entities across those registries, and a methodology for calculating indirect ownership stakes through layered corporate chains.
Most firms rely on corporate ownership data providers to do this. The quality of those providers, and in particular their ability to show the provenance of each ownership claim they make, directly affects the quality of the firm's KYC documentation. A UBO identified by a data provider that cannot show its working is a UBO the firm may struggle to defend to a regulator.
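The indirect-stake calculation and per-claim provenance described in the two paragraphs above, as an added example that is not from the original page or from any data provider: stakes are multiplied along each ownership chain and summed across chains, and every result keeps the source of each link. The entity names, source labels and the 25% threshold are assumptions made for illustration.

```python
from collections import defaultdict
from fractions import Fraction as F

# Constructed sample: (owner, owned, stake, source). All names and sources are hypothetical.
EDGES = [
    ("HoldCo Ltd", "TargetCo Ltd", F(60, 100), "registry-A/filing-1"),
    ("Person B",   "TargetCo Ltd", F(10, 100), "registry-A/filing-1"),
    ("Shell SA",   "TargetCo Ltd", F(30, 100), "registry-A/filing-1"),
    ("Person A",   "HoldCo Ltd",   F(50, 100), "registry-B/filing-7"),
    ("Shell SA",   "HoldCo Ltd",   F(50, 100), "registry-B/filing-7"),
    ("Person C",   "Shell SA",     F(1),       "registry-C/filing-3"),
]
PERSONS = {"Person A", "Person B", "Person C"}

def resolve_owners(target, edges, persons):
    """Walk every ownership path upward from target.

    Returns {end_owner: {"stake", "paths", "resolved"}}. "paths" lists the
    source of each link in each chain; "resolved" is False when a chain
    stops at a non-person for which no ownership data is available.
    """
    owners_of = defaultdict(list)
    for owner, owned, stake, source in edges:
        owners_of[owned].append((owner, stake, source))
    result = {}

    def walk(entity, stake, sources, on_path):
        parents = owners_of.get(entity, [])
        if entity in persons or not parents:
            rec = result.setdefault(entity, {"stake": F(0), "paths": [],
                                             "resolved": entity in persons})
            rec["stake"] += stake          # sum across parallel chains
            rec["paths"].append(sources)   # provenance for this chain
            return
        for owner, share, source in parents:
            if owner in on_path:           # circular holding: skip, do not loop
                continue
            walk(owner, stake * share, sources + [source], on_path | {owner})

    walk(target, F(1), [], {target})
    return result

def beneficial_owners(target, edges, persons, threshold=F(25, 100)):
    """Natural persons whose summed indirect stake meets the assumed threshold."""
    found = resolve_owners(target, edges, persons)
    return {n: r for n, r in found.items() if r["resolved"] and r["stake"] >= threshold}
```

Entries with `resolved` set to False mark chains that end at an entity rather than a natural person, which is where further registry lookups are needed before the ownership picture is complete.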
The regulatory framework
In the UK, KYC requirements derive from the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended. These implement the EU's Fourth and Fifth Anti-Money Laundering Directives. The Financial Conduct Authority (FCA) supervises compliance for regulated financial services firms and has published detailed guidance, including thematic reviews on the quality of financial crime controls, which frequently cite deficiencies in corporate KYC as a recurring failure point.
In the United States, KYC requirements are set primarily by the Bank Secrecy Act (BSA) and implemented through FinCEN (Financial Crimes Enforcement Network) rules. The Customer Due Diligence Final Rule, updated to align with the Corporate Transparency Act's beneficial ownership reporting requirements, has significantly raised expectations for corporate KYC.
The cost of failure
Regulatory penalties for KYC failures are material. Major banks including Barclays, HSBC, and Goldman Sachs have paid penalties running into hundreds of millions of dollars in enforcement actions over deficiencies in their financial crime controls, including KYC. Supervisors have also imposed remediation requirements, restricting business activities until controls are demonstrated to meet the required standard.
Beyond penalties, the reputational risk of being associated with money laundering or sanctions evasion through inadequate KYC is significant. Investing in quality KYC infrastructure, including good corporate ownership data, is both a regulatory obligation and a risk management decision.
For more on the underlying data requirements, see what Ultimate Beneficial Ownership means and how it is calculated. For enterprise data infrastructure designed for KYC pipelines, see Briefed Atlas.