
KYC 101: Know Your Customer

How financial institutions verify customer identity, the CIP rule, risk-based due diligence, and why synthetic identities slip through the cracks

By Benjamin, Fraud Attacks · Updated

Know Your Customer (KYC) is the U.S. regulatory framework requiring financial institutions to verify customer identity at account opening, monitor activity against an expected profile, and identify the natural persons behind legal entities. Its three pillars are the USA PATRIOT Act's Customer Identification Program, FinCEN's Customer Due Diligence rule, and ongoing screening against sanctions and adverse media. This article covers what each pillar requires and how criminals build synthetic identities specifically to defeat them.

The Perfect Customer

The application looked clean. Name: Michael Torres. Date of birth: April 12, 1985. Social Security number verified. Address in suburban Denver matched public records. Credit file showed seven years of history with no delinquencies.

Priya Anand, a compliance analyst at a regional bank, was reviewing new account applications flagged for enhanced review. Michael Torres wanted a business checking account for a consulting firm. He'd provided articles of incorporation, an EIN from the IRS, and a driver's license photo.

Priya ran the standard checks. Name and SSN matched. Address was real. No adverse media. No hits on sanctions lists. The credit bureau returned a healthy file.

One thing nagged her. The consulting firm was incorporated three weeks ago. Torres had no social media presence. His credit file, while clean, showed a pattern she'd seen before: a secured credit card opened four years ago, a small auto loan two years later, a credit limit increase last year. Clean, gradual, deliberate. The kind of credit history someone builds on purpose.

She pulled the SSN trace. The number was issued in 2003 to a person born in 1998. Michael Torres was supposedly born in 1985. The SSN belonged to someone who would have been five years old when it was issued. Torres would have been eighteen.

The Social Security number was real. Michael Torres was not. Someone had combined a legitimate SSN (likely belonging to a minor who wouldn't be checking their credit for years) with a fabricated identity and spent four patient years building a credit profile.

Priya flagged the application. The "consulting firm" would have become a vehicle for laundering, lending fraud, or both. But only because someone looked past the surface.

This story is fictional, but the patterns are real.

Why This Matters

In BSA/AML Fundamentals, you learned about Customer Due Diligence as one of the five pillars of a BSA/AML compliance program. This article goes deeper into what that actually looks like in practice: how financial institutions verify who their customers are, why it's harder than it sounds, and what happens when criminals build identities specifically designed to pass these checks.

Know Your Customer (KYC) isn't just a compliance checkbox. It's the first line of defense against financial crime. Every common fraud scheme, every money laundering operation, every terrorist financing effort starts with an account. And every account starts with identity verification.

If the identity verification fails, everything downstream fails. A criminal who passes KYC has a legitimate-looking account they can use for months or years. The monitoring systems calibrate to their "normal" behavior. By the time suspicious activity appears, the initial identity fraud is buried under layers of apparently legitimate activity.

The Customer Identification Program

What does CIP legally require?

The USA PATRIOT Act's Section 326[1] requires every financial institution to implement a Customer Identification Program (CIP). At minimum, CIP must collect four pieces of information from every customer:[2]

  1. Name
  2. Date of birth
  3. Address
  4. Identification number (SSN for U.S. persons; passport number or equivalent for non-U.S. persons)

The institution must then verify this information using documentary or non-documentary methods. "Documentary" means checking a government-issued ID like a driver's license or passport. "Non-documentary" means verifying through other sources like credit bureau data, public records databases, or checking references.

Banks aren't required to use both methods, but most do. A driver's license confirms the name and photo match, while a credit bureau check confirms the SSN ties to that name and address. Neither method is foolproof alone.
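The following is an added illustration, not code from the article or from any vendor's KYC product, of how the four CIP elements and the two verification methods fit together in a single intake check, with the SSN-trace consistency test from the opening story layered on top. The `Applicant` record, the ten-year tolerance in `ssn_trace_flags`, and the sample values are all assumptions constructed for the example; the SSN area-number rule (000, 666 and 9xx are never issued) is a Social Security Administration rule and not something the article states.

```python
"""CIP intake check: required elements, documentary / non-documentary
verification, and an SSN-trace consistency test. Added example; record
layout, thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import re


@dataclass
class Applicant:
    name: str
    dob: Optional[date]
    address: str
    id_number: str           # SSN for U.S. persons, passport or equivalent otherwise
    us_person: bool
    documentary_verified: bool = False      # government-issued ID matched name and photo
    credit_bureau_match: bool = False       # non-documentary: SSN tied to name and address
    ssn_issuance_year: Optional[int] = None  # from an SSN trace, when one was run


def missing_cip_elements(a: Applicant) -> List[str]:
    """Return the required CIP elements that are absent or malformed."""
    missing = []
    if not a.name.strip():
        missing.append("name")
    if a.dob is None:
        missing.append("date of birth")
    if not a.address.strip():
        missing.append("address")
    if a.us_person:
        digits = a.id_number.replace("-", "")
        # Nine digits, and an area number the SSA actually issues.
        bad_area = digits[:3] in ("000", "666") or digits[:1] == "9"
        if not re.fullmatch(r"\d{9}", digits) or bad_area:
            missing.append("identification number (SSN)")
    elif not a.id_number.strip():
        missing.append("identification number (passport or equivalent)")
    return missing


def ssn_trace_flags(a: Applicant, max_gap_years: int = 10) -> List[str]:
    """Flag an SSN whose issuance year does not fit the claimed date of birth.
    max_gap_years is an assumed review tolerance, not a regulatory figure."""
    flags = []
    if a.ssn_issuance_year is None or a.dob is None:
        return flags
    gap = a.ssn_issuance_year - a.dob.year
    if gap < 0:
        flags.append("SSN issued before claimed date of birth")
    elif gap > max_gap_years:
        flags.append(f"SSN issued {gap} years after claimed birth year")
    return flags


def cip_decision(a: Applicant) -> dict:
    """Verified requires all four elements plus at least one verification method;
    a verified applicant with trace flags is referred rather than auto-approved."""
    missing = missing_cip_elements(a)
    flags = ssn_trace_flags(a)
    verified = not missing and (a.documentary_verified or a.credit_bureau_match)
    if not verified:
        outcome = "incomplete"
    elif flags:
        outcome = "refer for enhanced review"
    else:
        outcome = "verified"
    return {"outcome": outcome, "missing": missing, "flags": flags}


# Constructed sample mirroring the article's scenario: clean documents and
# bureau match, but the trace says the SSN was issued in 2003 against a
# claimed 1985 birth year. The SSN value is a placeholder, not a real number.
TORRES = Applicant(name="Michael Torres", dob=date(1985, 4, 12),
                   address="(suburban Denver address, constructed)",
                   id_number="123-45-6789", us_person=True,
                   documentary_verified=True, credit_bureau_match=True,
                   ssn_issuance_year=2003)

if __name__ == "__main__":
    print(cip_decision(TORRES))
```

Run as a script the sample returns `refer for enhanced review` with a single flag rather than a pass, which is the point: each element of the Torres application verifies on its own, and only a consistency check across elements surfaces the problem.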

Beyond the Minimum

CIP sets the floor, not the ceiling. Most institutions go well beyond the four basic data points, especially for higher-risk customers or products.

Common additional verification steps include:

  • Phone number verification through one-time passcodes
  • Email verification to confirm the applicant controls the stated email
  • Employment and income verification for lending products
  • Source of funds documentation for large initial deposits
  • Beneficial ownership identification for business accounts (who actually controls the entity)

The depth of verification should match the risk. Opening a basic savings account might require minimal documentation. Opening a business account that will process international wire transfers demands significantly more.

Customer Due Diligence: Beyond Identity

CDD vs. CIP

CIP asks: "Is this person who they say they are?"

Customer Due Diligence (CDD) asks the bigger question: "What should I expect from this customer, and does their activity make sense?"

CDD involves understanding the customer's business, their expected transaction patterns, their source of wealth, and their risk profile. This information becomes the baseline against which future activity is measured. When someone's behavior deviates significantly from their established profile, that deviation triggers review.

Risk Rating

Not every customer carries the same risk. Institutions assign risk ratings at onboarding and update them as the relationship evolves.

Factors that elevate risk:

  • Politically Exposed Person (PEP): Government officials and their associates face elevated corruption risk
  • Cash-intensive business: Restaurants, convenience stores, and car washes generate large cash volumes that are harder to verify
  • Foreign connections: Customers with accounts or business in high-risk jurisdictions
  • Complex ownership structures: Multiple layers of shell companies can obscure beneficial ownership
  • Unusual product mix: A customer who opens accounts across multiple product lines without clear business justification
  • Reluctance to provide information: Customers who resist standard documentation requests

Higher-risk customers receive Enhanced Due Diligence (EDD), which typically includes more frequent monitoring, deeper documentation of source of funds, senior management approval for the relationship, and more detailed ongoing reviews.

Enhanced Due Diligence

EDD isn't a separate process. It's a more thorough version of standard CDD, applied to customers whose risk profile warrants it.

For a politically exposed person, EDD might include researching the individual's government role and jurisdiction, understanding the source of their wealth, obtaining senior management approval to open or maintain the account, and conducting more frequent reviews of transaction activity.

For a business with complex ownership, EDD might involve tracing the ownership chain to identify all natural persons with significant control, verifying the business purpose with independent sources, and documenting the rationale for each entity in the structure.

The goal is proportionality. A low-risk customer with a straightforward profile doesn't need the same level of scrutiny as a foreign political figure with shell companies in multiple jurisdictions.

Beneficial Ownership: Who's Really in Control?

The Shell Company Problem

For decades, criminals exploited a simple gap in U.S. law: they could form anonymous shell companies and open bank accounts without revealing who actually controlled the entity. The company had a name on paper. The actual human behind it was invisible.

Shell companies aren't inherently criminal. Legitimate businesses use corporate structures for tax planning, liability protection, and operational efficiency. But the anonymity made shell companies attractive for money laundering, sanctions evasion, and fraud.

The Beneficial Ownership Rule

FinCEN's Customer Due Diligence Rule was finalized in 2016 with an applicability date of May 11, 2018.[3] From that date forward, financial institutions have had to identify the beneficial owners of new legal entity customers. The applicability date matters because the rule's "new account" definition keys off it. A beneficial owner is any natural person who:

  • Owns 25% or more of the equity of the entity, or
  • Has significant responsibility to control, manage, or direct the entity (even without an ownership stake)

Every legal entity customer opened on or after May 11, 2018 must have at least one beneficial owner identified: the individual with control responsibility. Banks collect and verify this information at account opening.
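To show how the two prongs of the beneficial owner definition are applied to a layered structure, here is an added example that is not part of the article and not a bank's or FinCEN's tooling. It traces an ownership chain to find each natural person's share of the customer entity, flags those at or above the 25% figure quoted above, adds the control person, and notes when no control person was identified or when the chain has two or more entity layers (the "complex ownership structures" risk factor). Computing indirect ownership by multiplying the stakes along each chain and summing across chains is this example's simplification; the ownership graph and the names in it are constructed.

```python
"""Beneficial ownership tracing through intermediate entities.
Added example; the ownership graph and control-person map are constructed,
and multiplying stakes along chains is a simplifying assumption."""
from collections import defaultdict
from typing import Dict, List, Tuple

# entity -> list of (owner, fraction of equity). Owners that are not keys
# in the graph are treated as natural persons.
OWNERSHIP: Dict[str, List[Tuple[str, float]]] = {
    "Torres Consulting LLC": [("HoldCo A", 0.60), ("Dana Lee", 0.40)],
    "HoldCo A": [("HoldCo B", 0.30), ("Sam Park", 0.70)],
    "HoldCo B": [("Alex Kim", 1.00)],
}
# entity -> natural person with significant responsibility to control it
CONTROL_PERSONS = {"Torres Consulting LLC": "Dana Lee"}


def effective_ownership(entity, graph, _depth=0, _max_depth=10):
    """Return {natural person: aggregate fraction of `entity`'s equity},
    following chains through intermediate entities. Raises on circular
    or absurdly deep structures instead of recursing forever."""
    if _depth > _max_depth:
        raise ValueError(f"ownership chain from {entity!r} is circular or deeper than {_max_depth}")
    totals = defaultdict(float)
    for owner, frac in graph.get(entity, []):
        if owner in graph:  # intermediate legal entity: recurse and scale its owners' shares
            for person, share in effective_ownership(owner, graph, _depth + 1, _max_depth).items():
                totals[person] += frac * share
        else:
            totals[owner] += frac
    return dict(totals)


def chain_depth(entity, graph, _depth=0, _max_depth=10):
    """Number of legal-entity layers between `entity` and its natural-person owners."""
    if _depth > _max_depth:
        raise ValueError(f"ownership chain from {entity!r} is circular or deeper than {_max_depth}")
    layers = [chain_depth(o, graph, _depth + 1, _max_depth) + 1
              for o, _ in graph.get(entity, []) if o in graph]
    return max(layers, default=0)


def beneficial_owners(entity, graph, control, threshold=0.25):
    """Apply both prongs: equity at or above `threshold`, plus the control person."""
    equity = effective_ownership(entity, graph)
    equity_owners = sorted(p for p, f in equity.items() if f + 1e-9 >= threshold)
    ctrl = control.get(entity)
    flags = []
    if ctrl is None:
        flags.append("no control person identified (rule requires at least one)")
    if chain_depth(entity, graph) >= 2:
        flags.append("complex ownership structure: two or more entity layers")
    return {"equity": equity, "equity_owners": equity_owners,
            "control_person": ctrl, "flags": flags}


if __name__ == "__main__":
    print(beneficial_owners("Torres Consulting LLC", OWNERSHIP, CONTROL_PERSONS))
```

On the constructed graph, Dana Lee holds 40% directly and Sam Park 42% through HoldCo A, so both are equity owners; Alex Kim's 18% through two layers falls below the threshold and would not be reported on equity grounds, which is exactly the kind of fact a layered structure can hide unless the chain is traced all the way down.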

The Corporate Transparency Act (CTA) took effect on January 1, 2024 and was originally written to extend beneficial ownership reporting much further by requiring most U.S. companies to report their beneficial owners directly to FinCEN through a national Beneficial Ownership Information (BOI) registry. The picture has changed substantially since then. After litigation in the Fifth Circuit and a series of Treasury actions, FinCEN announced an interim final rule on March 21, 2025 (published in the Federal Register on March 26, 2025) that removed BOI reporting obligations for U.S.-formed entities and U.S. persons.[4] As of May 2026, only foreign reporting companies (entities formed under non-U.S. law and registered to do business in a U.S. state or tribal jurisdiction) are required to file BOI reports, and even those entities are not required to report any U.S. persons as beneficial owners. Domestic LLCs and corporations are exempt under the current rule.

Separately, FinCEN's Beneficial Ownership Information Access and Safeguards Final Rule was finalized December 21, 2023 and took effect February 20, 2024, with financial-institution access phased in. What remains unsettled is the companion revision of the 2016 CDD Rule that would update the existing customer-due-diligence workflow to lean on the BOI registry. In practice, this means the FinCEN CDD Rule from 2016 remains the operative onboarding requirement: banks still collect beneficial ownership directly from legal entity customers and verify it through their own processes. The CTA landscape is unsettled and worth tracking; further rulemaking and possible litigation will likely shape what reporting and access look like over the next year or two.

Why This Matters for Fraud

Priya's case illustrates the connection. The "consulting firm" had articles of incorporation and an EIN. It looked legitimate on paper. But the person behind it was using a synthetic identity. If the bank had accepted the application without deeper scrutiny, the criminal would have had a business account capable of receiving wires, initiating ACH transfers, and applying for business loans, all under an identity that didn't belong to a real person.

Beneficial ownership verification adds another layer. Even if the individual identity checks pass, understanding who controls the entity and why it exists can reveal inconsistencies.

Ongoing Monitoring: KYC Doesn't Stop at Onboarding

The Living Profile

Identity verification at account opening is just the beginning. A customer's risk profile changes over time. A low-risk retail customer might start a business. A domestic-only account might begin receiving international wires. A customer who was clean at onboarding might appear on a sanctions list two years later.

Ongoing monitoring involves:

Transaction monitoring. Comparing actual activity to the customer's expected profile. A customer who told the bank they expected $5,000 in monthly deposits but is now receiving $50,000 warrants a closer look.

Periodic reviews. Revisiting customer profiles on a schedule based on risk rating. High-risk customers might be reviewed annually. Low-risk customers might be reviewed every three to five years.

Trigger-based reviews. Certain events force an immediate review: negative media mentions, sanctions list matches, law enforcement inquiries, significant changes in account activity, or address changes to high-risk jurisdictions.

Adverse media screening. This is the practice Priya ran at the top of the article when she checked for "adverse media" on Michael Torres. Adverse media (sometimes called negative news) screening checks the customer's name against news sources, regulatory enforcement databases, court records, and watchdog publications for credible reporting that links them to financial crime, corruption, sanctions evasion, or related conduct. It is not strictly mandated by U.S. regulation, but examiners treat it as expected practice for higher-risk customers and as a standard component of EDD and ongoing review.[5] Most institutions use a commercial adverse media tool that pulls from structured news feeds and applies risk-tiered categorization rather than relying on free-form web searches.

Sanctions screening. Ongoing checks against OFAC's Specially Designated Nationals (SDN) list[6] and other sanctions lists. A customer who was clear at onboarding might be sanctioned later, and the institution must catch that.
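As an added example (not the article's own material, and not any monitoring vendor's logic), the block below strings together three of the checks just described against one customer profile: deposit activity compared with the expected profile, the periodic review date derived from the risk rating, and a sanctions re-screen against a list. The review cadences, the deviation multiple, the name normalization and the sample list entries are constructed assumptions; the $5,000 expected versus $50,000 actual figures are the article's own.

```python
"""Ongoing-monitoring triggers for one customer profile.
Added example; cadences, thresholds and the sample sanctions entries
are constructed assumptions, not regulatory figures."""
from dataclasses import dataclass
from datetime import date
from typing import List
import re
import unicodedata

REVIEW_INTERVAL_YEARS = {"high": 1, "medium": 3, "low": 5}   # assumed review cadence
DEVIATION_MULTIPLE = 3.0   # assumed: deposits at 3x expected or more trigger review


@dataclass
class CustomerProfile:
    name: str
    risk_rating: str                 # "high", "medium" or "low"
    expected_monthly_deposits: float  # what the customer told the bank to expect
    last_review: date


def normalize_name(name: str) -> str:
    """Strip accents, punctuation and case so list matching is not defeated by formatting."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split())


def deposit_deviation(profile: CustomerProfile, deposits: List[float]) -> dict:
    """Compare the month's deposits with the expected profile."""
    total = float(sum(deposits))
    if profile.expected_monthly_deposits <= 0:
        return {"total": total, "ratio": None, "alert": total > 0}
    ratio = total / profile.expected_monthly_deposits
    return {"total": total, "ratio": ratio, "alert": ratio >= DEVIATION_MULTIPLE}


def review_due(profile: CustomerProfile, today: date) -> dict:
    """Next periodic review based on risk rating; tolerates a Feb 29 last-review date."""
    years = REVIEW_INTERVAL_YEARS[profile.risk_rating]
    try:
        due = profile.last_review.replace(year=profile.last_review.year + years)
    except ValueError:  # last review on Feb 29, target year is not a leap year
        due = profile.last_review.replace(year=profile.last_review.year + years, day=28)
    return {"next_review": due, "overdue": today >= due}


def sanctions_rescreen(profile: CustomerProfile, list_names: List[str]) -> List[str]:
    """Re-screen the customer name; token-set comparison so 'SAMPLE, Jane'
    matches 'Jane Sample'. Exact-token matching only, no fuzzy scoring."""
    target = set(normalize_name(profile.name).split())
    return [n for n in list_names if set(normalize_name(n).split()) == target]


def monitoring_triggers(profile, deposits, list_names, today) -> List[str]:
    """Collect every condition that should send this profile to review."""
    triggers = []
    dev = deposit_deviation(profile, deposits)
    if dev["alert"]:
        triggers.append(f"deposits {dev['total']:,.0f} vs expected {profile.expected_monthly_deposits:,.0f}")
    if sanctions_rescreen(profile, list_names):
        triggers.append("sanctions list match")
    if review_due(profile, today)["overdue"]:
        triggers.append("periodic review overdue")
    return triggers


# Constructed sample data: a retail customer who expected $5,000 a month and a
# sanctions list snapshot containing a placeholder entry, not real SDN data.
SAMPLE_PROFILE = CustomerProfile(name="Jane Sample", risk_rating="high",
                                 expected_monthly_deposits=5000.0,
                                 last_review=date(2024, 3, 1))
SAMPLE_LIST = ["DOE, John", "SAMPLE, Jane", "Acme Trading Co."]
SAMPLE_DEPOSITS = [20000.0, 30000.0]

if __name__ == "__main__":
    print(monitoring_triggers(SAMPLE_PROFILE, SAMPLE_DEPOSITS, SAMPLE_LIST, date(2026, 5, 1)))
```

The three triggers are independent so that each can be tuned or replaced on its own; a real deployment would score deviation against a longer history than one month and would back the name match with a proper fuzzy-matching engine, but the shape of the decision (compare to the documented baseline, re-screen, and check the review clock) is the one the section describes.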

What happens when KYC data goes stale?

One of the biggest practical challenges in KYC is keeping information current. Customers move, change jobs, start businesses, and get married. Their documented profile drifts from reality.

Stale KYC data creates blind spots. If a customer's file says they're a retired teacher in Ohio but they've actually moved to Dubai and started an import-export business that wires funds internationally, the monitoring systems are calibrated to the wrong baseline. Activity that should look suspicious appears normal because the system is comparing it to an outdated profile.

Regulators have increasingly emphasized the importance of "refresh" programs that systematically update customer information, particularly for higher-risk relationships.

Key Takeaways

  • KYC is the first line of defense against financial crime. Every fraud scheme, money laundering operation, and sanctions evasion starts with gaining access to the financial system. Identity verification is the gate.
  • CIP sets the floor, not the ceiling. The four minimum data points (name, DOB, address, ID number) are just the starting point. Risk-appropriate verification goes much deeper.
  • Beneficial ownership closes the shell company gap. Identifying the natural persons who control legal entities prevents criminals from hiding behind corporate structures.
  • Customer due diligence is ongoing, not one-time. Profiles change, risks evolve, and sanctions lists update. KYC at onboarding means nothing if the institution stops paying attention.
  • Synthetic identities are designed to pass standard checks. Criminals invest years building credit histories that look legitimate. Catching them requires looking at patterns, not just individual data points.

What's next: The Identity Fraud Detection article covers the technology and techniques used to catch synthetic identities, detect forged documents, and verify that the person on the screen is who they claim to be.

Key Terms

  • Know Your Customer (KYC): The process of verifying a customer's identity and understanding their financial activities
  • Customer Identification Program (CIP): The USA PATRIOT Act requirement for minimum identity verification at account opening
  • Customer Due Diligence (CDD): The broader process of understanding a customer's risk profile, expected activity, and business purpose
  • Enhanced Due Diligence (EDD): More thorough verification applied to higher-risk customers
  • Beneficial owner: A natural person who owns 25%+ of an entity or has significant management control
  • Synthetic identity: A fabricated identity combining real and fake information, often built over years to appear legitimate
  • Politically Exposed Person (PEP): A government official or close associate who presents elevated corruption and money laundering risk
  • OFAC: Office of Foreign Assets Control, which administers U.S. sanctions programs
  • SDN list: Specially Designated Nationals list maintained by OFAC; doing business with listed persons or entities is prohibited
  • Corporate Transparency Act: Federal law that established BOI reporting; under FinCEN's March 2025 interim final rule, only foreign reporting companies must currently file
  • Adverse media screening: Checking a customer's name against news, enforcement, and court records for credible reporting of financial-crime-related conduct; expected practice for EDD though not strictly mandated

References

1. 31 USC 5318(l) — Identification and verification of accountholders (Cornell LII). Statutory basis for CIP, enacted via Section 326 of the USA PATRIOT Act: Treasury "shall prescribe regulations setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account."

2. 31 CFR 1020.220 — Customer Identification Program requirements for banks (Cornell LII). Subsection (a)(2)(i)(A) lists the four required data elements: name, date of birth (for individuals), address, and identification number. Subsection (a)(2)(ii) authorizes documentary, non-documentary, or combined verification methods.

3. 31 CFR 1010.230 — Beneficial ownership requirements for legal entity customers (Cornell LII). FinCEN's CDD Rule. Defines a beneficial owner as each individual who owns 25 percent or more of the equity interests of a legal entity customer, plus a single individual with significant responsibility to control, manage, or direct the entity. Applicability date: May 11, 2018.

4. FinCEN — Beneficial Ownership Information. Per the March 26, 2025 alert: "On March 21, 2025, [FinCEN] announced... it was issuing an interim final rule that removes the requirement for U.S. companies and U.S. persons to report beneficial ownership information." The IFR "revises the regulatory definition of 'reporting company' to mean only those entities that are formed under the law of a foreign country and that have registered to do business in any U.S. State or Tribal jurisdiction." Foreign reporting companies "will not be required to report any U.S. persons as beneficial owners."

5. FFIEC BSA/AML Examination Manual. Examiner guidance on CDD/EDD, ongoing monitoring, and refresh expectations. Adverse media review is addressed within EDD and risk-based monitoring sections.

6. OFAC Sanctions List Search. The U.S. Treasury's public-facing search tool for the Specially Designated Nationals (SDN) and Blocked Persons List and other consolidated sanctions lists.
