TLDR: Fraud losses hit $12.7 billion in 2024, up 25% year-on-year, and AML penalties exceeded $4.3 billion. Here’s a step-by-step guide to KYC verification — and how verifiable credentials are reshaping the process.
What Is KYC Verification?
KYC (Know Your Customer) verification is how financial institutions confirm customer identities, assess risk, and evaluate exposure to money laundering or fraud — before and during a business relationship.
It has three layers:
- Customer Identification Program (CIP): collecting and verifying name, date of birth, address, and identification number
- Customer Due Diligence (CDD): assessing risk profiles and understanding the nature of customer relationships
- Enhanced Due Diligence (EDD): deeper scrutiny for high-risk factors, including source-of-wealth verification
These obligations now extend beyond banks — fintech companies, virtual asset dealers, and non-profits in many jurisdictions face the same requirements.
What Are the Legal Foundations of KYC?
- Bank Secrecy Act (1970): established due diligence rules to deter money laundering
- USA PATRIOT Act, Section 326: mandates a CIP — verify every account opener’s identity, maintain records, and cross-reference against government terrorist lists
- FINRA Rules 2090 & 2111: require diligence in identifying customers and ensuring recommendations suit their financial situations
- CDD Rule (2016): requires verification of beneficial owners — individuals with 25%+ equity interest or those exercising control
Together, these require institutions to identify and verify customers, identify beneficial owners, understand the nature of customer relationships, and monitor for suspicious activity.
Step 1: How Do You Set Up a Customer Identification Program?
Federal regulations require four minimum data points for every customer:
- Name — as it appears on official documents
- Date of birth — for individuals
- Address — residential or business street address
- Identification number — taxpayer ID for U.S. persons; passport or government-issued document number for non-U.S. persons
For business customers, also collect formation documents: articles of incorporation, partnership agreements, or trust instruments.
Verification methods:
- Documentary: unexpired government-issued ID with photograph; incorporation certificates for entities
- Non-documentary: consumer reporting agencies, public databases, or references from other institutions
- Digital: biometric verification, face recognition, and digital document checks for remote onboarding
Screen all names against global sanctions lists and PEP databases before establishing relationships. Retain records for five years after account closure.
Step 2: How Does Customer Due Diligence Work?
Assess each customer’s risk profile across:
- Geographic risk: FATF-identified high-risk jurisdictions with weak AML controls
- Industry risk: cash-intensive businesses like casinos and money service businesses
- Ownership complexity: multi-layered structures or secrecy jurisdictions
- Transaction patterns: expected volumes and behavior baselines
Assign risk ratings (low, medium, high) with a documented scoring system. Screen against sanctions lists (OFAC, EU, UN, HMT), watchlists, adverse media, and PEP databases — at onboarding and continuously.
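The scoring and screening steps above, as an added example that is not part of the original article. The factor weights, rating thresholds, the volume band, the token-set similarity threshold and the sample watchlist entries are all constructed for illustration; a real programme uses its own documented, approved weights and a licensed screening feed.

```python
"""Added example: minimal customer risk scoring plus watchlist screening.

Not the page's code. Weights, thresholds and the sample watchlist are
constructed assumptions, not regulatory values.
"""
import re
import unicodedata

# Constructed sample watchlist entries (not real sanctions data).
SAMPLE_WATCHLIST = [
    {"name": "Ivan Petrov Example", "list": "SAMPLE-SDN", "dob": "1970-01-01"},
    {"name": "Acme Shell Holdings Ltd", "list": "SAMPLE-EU", "dob": None},
]

# Assumed scoring table: points per risk factor (constructed for the example).
GEO_SCORES = {"high": 40, "medium": 15, "low": 0}
INDUSTRY_SCORES = {"casino": 30, "msb": 30, "retail": 5, "software": 5}
OWNERSHIP_SCORES = {"layered": 25, "simple": 0}
CORPORATE_SUFFIXES = {"ltd", "llc", "inc", "plc", "co"}


def normalize_name(name: str) -> str:
    """Case-fold, strip accents and punctuation, drop common corporate suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(t for t in text.split() if t not in CORPORATE_SUFFIXES)


def name_similarity(a: str, b: str) -> float:
    """Token-set Jaccard similarity of two normalized names (a simple fuzzy match)."""
    ta, tb = set(normalize_name(a).split()), set(normalize_name(b).split())
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def screen(name, dob=None, watchlist=SAMPLE_WATCHLIST, threshold=0.6):
    """Return watchlist hits at or above the similarity threshold.

    A matching date of birth is recorded so an analyst can prioritise the hit.
    """
    hits = []
    for entry in watchlist:
        score = name_similarity(name, entry["name"])
        if score >= threshold:
            hits.append({
                "list": entry["list"],
                "name": entry["name"],
                "score": round(score, 2),
                "dob_match": dob is not None and entry["dob"] == dob,
            })
    return hits


def risk_rating(geo, industry, ownership, expected_monthly_volume, hits):
    """Combine factor points into low/medium/high; any watchlist hit forces 'high'.

    Returns (rating, points, note). Unknown industries get a default 10 points.
    """
    points = GEO_SCORES[geo] + INDUSTRY_SCORES.get(industry, 10) + OWNERSHIP_SCORES[ownership]
    if expected_monthly_volume > 1_000_000:  # assumed volume band
        points += 20
    if hits:
        return "high", points, "watchlist hit requires analyst review"
    if points >= 50:
        rating = "high"
    elif points >= 25:
        rating = "medium"
    else:
        rating = "low"
    return rating, points, None


if __name__ == "__main__":
    hits = screen("Ivan Petrov", dob="1970-01-01")
    print(hits)
    print(risk_rating("medium", "casino", "simple", 50_000, hits))
```

The normalization step matters more than the similarity function: sanctions names arrive with accents, punctuation and corporate suffixes that defeat exact matching, and the threshold is a tuning decision that should be documented alongside the scoring table.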
Step 3: When Is Enhanced Due Diligence Required?
EDD applies for:
- Politically exposed persons or close associates
- Customers connected to high-risk third countries identified by FATF as having weak AML controls
- Complex corporate structures with obscure ownership
- Unusual transaction patterns or sudden high-risk influxes
- Cash-intensive industries and adverse media flags
Source-of-wealth verification is central, drawing on tax filings, property records, audited financials, and third-party checks. Regulators expect EDD reviews every two to three years for high-risk clients.
Step 4: What Does Ongoing KYC Monitoring Require?
Customer risk profiles evolve. Continuous compliance includes:
- Transaction monitoring: automated detection of unusual patterns — AI-driven screening enables real-time alerts
- Data maintenance: automated syncing with global compliance databases to keep records current
- SAR filing: Suspicious Activity Reports must be filed within 30 days of detection (60 days if no suspect is identified); retain records for five years
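The monitoring and SAR-deadline steps above, as an added example that is not part of the original article. It builds a per-customer behaviour baseline from constructed sample transactions, flags deviations from expected volume, sudden inbound influxes and high-risk jurisdictions, and computes the filing deadline from the detection date. The log lines, the z-score and influx thresholds, and the placeholder country code "XX" are all constructed assumptions.

```python
"""Added example: rule-based transaction monitoring over constructed sample data.

Not the page's code. Sample log, thresholds and the high-risk country
placeholder are constructed for illustration.
"""
import csv
import io
import statistics
from datetime import date, timedelta

# Constructed sample transaction log (CSV): one customer with a steady
# baseline followed by an outsized inbound transfer, one with nothing unusual.
SAMPLE_LOG = """\
date,customer,direction,amount,country
2024-01-05,C001,in,1200,US
2024-01-12,C001,in,1100,US
2024-01-19,C001,in,1300,US
2024-01-26,C001,in,1250,US
2024-02-02,C001,in,1150,US
2024-02-09,C001,in,48000,XX
2024-01-05,C002,out,500,US
2024-01-20,C002,out,700,US
2024-02-03,C002,out,650,US
"""

HIGH_RISK_COUNTRIES = {"XX"}  # placeholder code, not a real FATF listing


def parse_log(text):
    """Parse the CSV log into typed rows."""
    return [
        {
            "date": date.fromisoformat(r["date"]),
            "customer": r["customer"],
            "direction": r["direction"],
            "amount": float(r["amount"]),
            "country": r["country"],
        }
        for r in csv.DictReader(io.StringIO(text))
    ]


def baseline(amounts):
    """Mean and population std-dev of a customer's history; None until 3 points exist."""
    if len(amounts) < 3:
        return None
    return statistics.mean(amounts), statistics.pstdev(amounts)


def monitor(rows, z_threshold=3.0, influx_multiplier=10.0):
    """Flag each transaction against the customer's own prior history.

    Reasons: amount far above baseline (z-score), inbound amount many times the
    expected volume, or a counterparty in a high-risk jurisdiction.
    """
    alerts = []
    history = {}
    for r in sorted(rows, key=lambda x: x["date"]):
        past = history.setdefault(r["customer"], [])
        reasons = []
        stats = baseline(past)
        if stats:
            mean, sd = stats
            if sd > 0 and (r["amount"] - mean) / sd > z_threshold:
                reasons.append("amount deviates from baseline")
            if r["direction"] == "in" and r["amount"] > influx_multiplier * mean:
                reasons.append("sudden influx vs expected volume")
        if r["country"] in HIGH_RISK_COUNTRIES:
            reasons.append("high-risk jurisdiction")
        if reasons:
            alerts.append({"customer": r["customer"], "date": r["date"],
                           "amount": r["amount"], "reasons": reasons})
        past.append(r["amount"])  # update baseline only after evaluating
    return alerts


def sar_deadline(detected, suspect_identified=True):
    """Filing deadline: 30 days after detection, 60 if no suspect is identified."""
    return detected + timedelta(days=30 if suspect_identified else 60)


if __name__ == "__main__":
    for a in monitor(parse_log(SAMPLE_LOG)):
        print(a, "SAR due", sar_deadline(a["date"]))
```

Appending to the history only after the transaction has been scored keeps the outlier from contaminating the baseline it is judged against; in production the baseline would also be bounded to a rolling window so that a customer's profile can legitimately drift.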
How Is Digital Identity Changing KYC?
Traditional KYC is document-heavy. Verifiable credentials are changing that — letting customers prove facts like age, residency, or financial standing with cryptographic proofs, without handing over raw personal data. Zero-knowledge proofs go further: confirm a requirement is met without revealing the underlying information.
This aligns with both KYC goals and privacy regulations:
- Less data to protect: confirm claims without storing sensitive documents
- Faster onboarding: credential-based verification cuts manual review
- Cross-border portability: credentials verified once work across jurisdictions
Moca Network and its AIR Kit are building the infrastructure for this shift — enabling verifiable credential issuance and verification using zkProofs, with W3C-standard schemas for identity, location, and financial standing.
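A simplified model of credential-based verification, as an added example that is not code from the original article and not Moca Network or AIR Kit code. The issuer commits to each claim with a salted hash and signs the list of digests; the holder discloses only the claims a verifier needs (here residency and an over-18 flag) while name and date of birth stay hidden. The HMAC with a constructed key stands in for the issuer's public-key signature, the claim names are invented for the example, and no zero-knowledge proof is implemented.

```python
"""Added example: selective-disclosure credential with salted-hash commitments.

Not the page's code. ISSUER_KEY and the HMAC are a stand-in for a real
issuer signature; production systems use public-key signatures and the
W3C verifiable-credential data model.
"""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # assumption: stand-in for a signing key


def commit(claim_name, value, salt):
    """Hash commitment to one claim; the salt prevents guessing low-entropy values."""
    material = f"{salt}:{claim_name}:{json.dumps(value, sort_keys=True)}"
    return hashlib.sha256(material.encode()).hexdigest()


def issue(claims, issuer="example-bank"):
    """Issuer side: commit to every claim and sign the sorted digest list.

    Returns (credential, disclosures); disclosures stay with the holder.
    """
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = {"salt": salt, "value": value}
        digests.append(commit(name, value, salt))
    payload = json.dumps({"issuer": issuer, "digests": sorted(digests)}, sort_keys=True)
    signature = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}, disclosures


def present(credential, disclosures, reveal):
    """Holder side: attach only the salts and values of the claims being revealed."""
    return {"credential": credential,
            "disclosed": {name: disclosures[name] for name in reveal}}


def verify(presentation, required):
    """Verifier side: signature, then commitment per disclosed claim, then the requirement."""
    cred = presentation["credential"]
    expected_sig = hmac.new(ISSUER_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, cred["signature"]):
        return False, "bad signature"
    digests = set(json.loads(cred["payload"])["digests"])
    for name, d in presentation["disclosed"].items():
        if commit(name, d["value"], d["salt"]) not in digests:
            return False, f"claim {name} not covered by signature"
    for name, want in required.items():
        if name not in presentation["disclosed"]:
            return False, f"claim {name} not disclosed"
        if presentation["disclosed"][name]["value"] != want:
            return False, f"claim {name} does not satisfy requirement"
    return True, "ok"


if __name__ == "__main__":
    cred, disc = issue({"name": "Jane Example", "dob": "1990-05-05",
                        "country_of_residence": "DE", "over_18": True})
    pres = present(cred, disc, ["country_of_residence", "over_18"])
    print(verify(pres, {"country_of_residence": "DE", "over_18": True}))
```

The verifier never sees the name or date of birth, yet cannot be fooled by a substituted value because the commitment must match a digest the issuer signed; that is the property the article calls "less data to protect".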
Key Takeaways
- CIP first: verify the four minimum data points before opening any account
- Risk-rate everything: assign ratings by geography, industry, ownership, and transaction patterns
- Apply EDD proportionally: high-risk customers need source-of-wealth checks and dedicated monitoring
- Monitor continuously: transaction screening, data updates, and SAR filing are ongoing
- Embrace the shift: credential-based verification reduces data burden while strengthening compliance
KYC compliance isn’t a one-time checkpoint — it’s a continuous process. Your diligence today prevents violations that prove far more costly tomorrow.