What Is KYC?

KYC (Know Your Customer) is a key compliance process used to verify client identities, assess risk, and prevent financial crime. This article outlines the KYC framework, including onboarding, due diligence, risk assessment, and ongoing monitoring, helping businesses understand their obligations and implement effective controls to meet regulatory requirements and safeguard against money laundering and related risks.

“Know Your Customer” or “Know Your Client” (KYC) refers to the process of identifying, validating, and verifying a client’s identity and relevant information to understand the client and assess the financial crime risks associated with them.

A client’s risk profile—typically classified as low, medium, or high—determines whether the client should be onboarded and the level of due diligence required.

KYC is a fundamental compliance process aimed at preventing money laundering, terrorism financing, proliferation financing, and other financial crimes. A robust and well-documented KYC framework also enables organisations to demonstrate compliance with regulatory requirements.

While KYC is most commonly associated with banks and financial institutions, it also applies to a wide range of sectors, including law firms, accountants, real estate agents, company secretaries, and trust or corporate service providers.

Examples of key regulators and standard-setting bodies include Bank Negara Malaysia, Monetary Authority of Singapore, Financial Conduct Authority (UK), Hong Kong Monetary Authority, and the Financial Action Task Force.

Ultimately, KYC helps businesses mitigate legal and reputational risks while supporting the integrity of the global financial system.

Overview of a typical KYC workflow

A typical KYC process involves several key stages:

  • Identifying the client’s entity type
  • Determining the client’s risk rating and appropriate level of due diligence
  • Conducting client due diligence (including identification, verification, plausibility checks, and validation using reliable sources)
  • Understanding the client’s profile and risk factors

Key information collected includes:

  • Nature of business and purpose of the relationship
  • Source of funds and source of wealth
  • Customer segment managers (CSMs) and relevant parties
  • Ownership structure and ultimate beneficial owners (UBOs)
  • Screening results (sanctions lists and PEP status)

Lifecycle of the client relationship

KYC is not a one-off process but applies throughout the entire client lifecycle:

  • New Client Adoption (NCA): onboarding
  • Regular Review (RR): periodic reassessment
  • Event-Driven Review (EDR): triggered by material changes
  • Ongoing monitoring, including one-off transactions
  • Exit, where risks cannot be adequately managed

Customer Identification Programme (CIP)

The Customer Identification Programme (CIP) is conducted at the onboarding stage.

At this point, key client data is collected, including:

  • Name
  • Date of birth or incorporation
  • Address
  • Identification number or company registration number

To verify this information, supporting documents are obtained, such as:

  • Proof of Identity (POI)
  • Proof of Address (POA)
  • Corporate documents (e.g. incorporation documents, constitution, resolutions)

All documents must be issued by recognised authorities and must be clear, legible, current, and unexpired.

Screening and Initial Risk Rating

Clients are screened against sanctions lists and Politically Exposed Persons (PEP) databases to identify potential risks.

An initial risk rating (Low, Medium, or High) is then assigned. Based on this rating:

  • Customer Due Diligence (CDD) applies to low and medium-risk clients
  • Enhanced Customer Due Diligence (ECDD) applies to high-risk clients

The initial risk rating is typically determined based on five core risk factors:

  1. Customer risk
  2. Geographic risk
  3. Product and service risk
  4. Delivery channel risk
  5. Transaction behaviour risk

Customer Due Diligence (CDD)

CDD is central to the KYC process and consists of four key pillars:

  1. Customer identification and verification
  2. Beneficial ownership identification
  3. Understanding the nature and purpose of the relationship
  4. Ongoing monitoring

Based on the information gathered, a Client Risk Rating (CRR) is assigned. This determines whether enhanced due diligence is required and the level of monitoring to be applied.

Three Tiers of Due Diligence

  • Simplified Due Diligence (SDD) – for low-risk clients
  • Customer Due Diligence (CDD) – for standard-risk clients
  • Enhanced Customer Due Diligence (ECDD) – for high-risk clients

Entity Types and Risk Indicators

Determining the client’s entity type is a crucial early step in assessing risk.

Common entity types include:

  • Natural persons
  • Legal entities, such as:
    • Private and listed companies
    • State-owned enterprises
    • Special purpose vehicles (SPVs)
    • Private investment vehicles
    • Trusts and foundations
    • Collective investment schemes
    • Charities and political or religious organisations
    • FinTech companies
    • Gambling operators
    • Money services businesses

Certain structures (such as SPVs, trusts, or entities operating in high-risk industries) may indicate elevated risk and require enhanced scrutiny.

Ongoing Monitoring and Review

KYC obligations continue throughout the relationship.

An initial risk rating is assigned at the New Client Adoption (NCA) stage and is subsequently reassessed during:

  • Regular Reviews (RR)
  • Event-Driven Reviews (EDR)

Ongoing monitoring ensures that transactions remain consistent with the client’s risk profile and expected behaviour.

Conclusion

KYC is a cornerstone of modern compliance frameworks. By implementing a structured, risk-based approach to client onboarding, due diligence, and ongoing monitoring, businesses can effectively mitigate financial crime risks and meet regulatory expectations.

Beyond compliance, a strong KYC framework enhances transparency, builds trust, and safeguards an organisation’s reputation in an increasingly regulated and data-driven environment.
