Building a KYC program from scratch means establishing a structured, documented process for verifying customer identities, assessing their risk levels, and monitoring their activity on an ongoing basis, before your institution acquires its first customer. Whether you are a compliance officer at a traditional bank upgrading a legacy framework or a fintech building from zero, the core legal obligation is identical: you must know your customer before you serve them.
Global AML and KYC enforcement fines totalled $3.8 billion in 2025 alone, according to Fenergo. Starling Bank was fined £28.96 million in 2024. Monzo received a £21.1 million penalty from the FCA in 2025 for inadequate onboarding controls. TD Bank paid $3.09 billion in 2024 for systemic compliance failures. Binance settled for over $4.3 billion in 2023. The consistent finding across every major enforcement case is the same: institutions that treated KYC as an afterthought, a checkbox, or a post-growth project paid far more to regulators than a well-built program would have cost.
This guide walks compliance professionals at both fintechs and banks through the full process of building a KYC program that satisfies regulators, survives examination, and scales with the business.
What Is Know Your Customer (KYC)?
Know Your Customer (KYC) is the process by which financial institutions and regulated businesses verify the identity of their customers, assess the risk those customers represent, and monitor their ongoing activity to detect and report suspicious behaviour.
KYC is not a single check conducted at account opening. It is a continuous compliance function that runs from the moment a prospective customer applies to join your institution until the relationship ends. The process encompasses identity verification, document authentication, database screening, risk scoring, and transaction surveillance.
For banks, KYC has been a regulatory obligation since the Bank Secrecy Act (BSA) was enacted in the US in 1970. For fintechs, the same obligations apply from the moment the institution begins serving customers, regardless of whether it holds a direct licence or operates through a banking partner.
KYC sits within the broader Anti-Money Laundering (AML) framework. KYC focuses on who your customer is. AML governs how you monitor what they do after onboarding. Your KYC data feeds your AML transaction monitoring engine. Weak KYC means your monitoring systems are working with unverified data, which undermines every downstream compliance control.
What Is the Difference Between KYC and AML?
KYC and AML are distinct but deeply connected functions. KYC is the entry gate: it establishes and verifies who the customer is before they can use your product or service. AML is the ongoing surveillance: it monitors what that verified customer does over the life of the relationship.
In practice, the two functions share data and escalation pathways. A customer who passes KYC onboarding may later be flagged by transaction monitoring, triggering an enhanced KYC review. Conversely, a risk indicator identified during CDD at onboarding shapes the transaction monitoring rules applied to that account going forward.
For compliance teams building or rebuilding a KYC program, KYC and AML should be designed as a unified system. Purchasing separate identity verification and transaction monitoring tools from different vendors without integrating them creates data silos that regulators consistently cite as a primary cause of compliance failures.
What Is Know Your Customer (KYC) in Banking?
KYC in banking is a mandatory process that involves verifying a customer's identity and risk profile to prevent illegal activities such as money laundering, fraud, and terrorism financing. KYC enables banks to ensure customers are who they claim to be.
In banking, KYC carries the full weight of both direct regulatory obligation and supervisory examination. Banks are Accountable Institutions or financial institutions under every major AML framework globally, meaning they are subject to mandatory KYC requirements by statute, not by contract or policy choice.
How Does KYC for Fintechs Differ from Banks?
KYC for fintechs differs from KYC for banks in four respects: licensing structure, technology starting point, onboarding volume and speed pressure, and product-specific fraud exposure.
Fintechs and banks face the same KYC obligations under the same laws. A neobank, payment platform, lending app, or crypto exchange is subject to the same CIP, CDD, EDD, and ongoing monitoring requirements as a high-street bank. What differs is the execution environment.
1. Licensing structure.
A fintech operating under its own licence (as a Money Services Business, Electronic Money Institution, or Payment Institution) owns its KYC obligations directly. A fintech operating through a BaaS (Banking-as-a-Service) partner bank has those obligations either passed down through contractual agreements with the partner bank, or shared between the two parties. In either case, regulators look through the BaaS structure to assess the quality of controls wherever the customer relationship sits.
2. Technology starting point.
Fintechs building from scratch have the advantage of choosing modern, API-first verification and monitoring infrastructure from the outset. Legacy banks can take months to update core systems that a fintech could reconfigure in days.
3. Onboarding volume and speed pressure.
Fintechs face commercial pressure to minimise onboarding friction. The average KYC abandonment rate in fintech onboarding flows ranges from 25% to 40%. This pressure can create a compliance risk if it leads to weakening verification requirements to improve conversion rates.
Regulators have penalised institutions specifically for this trade-off: Starling Bank's 2024 FCA fine cited repeated breaches of a restriction against onboarding high-risk customers, with the institution prioritising growth over compliance controls.
4. Unique fraud exposure by product type.
Different fintech business models carry different financial crime risk profiles. Neobanks face synthetic identity fraud at account opening. BNPL platforms face income falsification and fraud ring exploitation. Crypto exchanges face wallet anonymity and cross-chain laundering.
Payment and remittance platforms face cross-border exposure and sanctions screening complexity. Your KYC program must be calibrated to the specific fraud typologies associated with your product, not copied from a generic template.
What Are the Three Pillars of KYC?
The 3 pillars of KYC are customer identification, customer due diligence, and ongoing monitoring.
Every effective KYC programme is built on three functional pillars that are recognised by regulators across the US, UK, EU, and most other jurisdictions.
Pillar 1: Customer Identification
Customer identification is the process of establishing who your customer is. This involves collecting the minimum set of identity attributes required to form a reasonable belief that the customer is a real, identifiable person or entity. In the US, this is formalised as the Customer Identification Program (CIP) under the PATRIOT Act.
For individual customers, identity collection requires at minimum: full legal name, date of birth, current residential address, and a government-issued identification number. For business customers, this extends to company registration details, registered address, the identities of directors and authorised signatories, and the identities of ultimate beneficial owners (UBOs).
Pillar 2: Customer Due Diligence
Customer Due Diligence (CDD) goes beyond identification to assess the risk a customer represents to your institution.
CDD is the process of verifying the identity information collected against independent and reliable sources, understanding the nature and intended purpose of the business relationship, and developing a risk profile for the customer.
What are the 3 Tiers of Customer Due Diligence?
CDD operates at three tiers: Simplified CDD for very low-risk, low-value products; Standard CDD for most customers; and Enhanced Due Diligence (EDD) for high-risk customers including Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, and customers with complex ownership structures.
Pillar 3: Ongoing Monitoring
Ongoing monitoring is the continuous surveillance of customer transactions and behaviour throughout the entire customer lifecycle.
It involves transaction monitoring against defined rule sets, periodic reviews of customer risk profiles, re-screening against updated sanctions and PEP lists, and updating customer information when circumstances change.
This is the pillar most frequently under-resourced in both banks and fintechs. Onboarding verification is the visible part of KYC. Ongoing monitoring is the continuous engine beneath it, and it is where criminal activity is most frequently detected. Every major enforcement action in 2024 and 2025 cited weaknesses in ongoing monitoring as a contributing cause of the penalty.
Why Is a KYC Program Important in Banking?
KYC programmes are the primary mechanism through which banks and fintechs prevent their platforms from being used to facilitate financial crime. Without an effective KYC programme, your institution becomes a pathway for money laundering, fraud, and in some cases, terrorist financing.
The scale of the problem is significant. The United Nations estimates that between $800 billion and $2 trillion is laundered globally each year, representing 2 to 5 percent of global GDP. Fintech platforms and digital banking services, with their scale, transaction volumes, and cross-border reach, are disproportionately attractive to criminals seeking to move money through formal financial channels.
Recent enforcement actions illustrate the real-world consequences of inadequate KYC:
- Binance (2023): Binance was fined over $4.3 billion for failing to maintain effective KYC and AML programmes, including onboarding millions of users without adequate identity verification or sanctions screening. Regulators documented a deliberate "growth at all costs" culture where compliance was subordinated to acquisition.
- TD Bank (2024): TD Bank was fined $3.09 billion for systemic AML compliance failures and weak governance structures. Deputy Attorney General Lisa Monaco noted the bank "failed to meet its obligations, day after day, year after year."
- Starling Bank (2024): Fined £28.96 million by the FCA for deficiencies in sanctions screening and repeated onboarding of high-risk customers in breach of a specific regulatory restriction.
- Monzo (2025): Fined £21.1 million by the FCA for failures in financial crime controls during customer onboarding.
- KuCoin (2024): Alleged to have transmitted over $4 billion in suspicious proceeds due to failure to maintain required AML and KYC programmes. Its KYC checks applied only to new customers, leaving millions of existing customers unscreened.
Beyond fines, weak KYC results in banking partner terminations, regulatory restrictions on customer acquisition, reputational damage, and in serious cases, criminal charges against executives.
Effective KYC also carries commercial value. Institutions with demonstrably robust compliance programmes close banking partnerships faster, secure regulatory approvals more efficiently, and retain investor confidence through scaling periods.
How to Build Your KYC Program: The Step-by-Step Sequence
For compliance officers and founders building a KYC programme from scratch, the build sequence below reflects the order in which each component must be operational before the next can function effectively.
Step 1: Conduct a Risk Assessment
Before drafting policies or selecting vendors, conduct a formal risk assessment of your institution. Identify: what types of customers you serve or will serve; what geographic markets you operate in; what products and services you offer and what financial crime risks they present; and what your anticipated transaction volumes and patterns look like.
This document is the foundation of your KYC programme. Every policy, procedure, and control must be calibrated to the specific risks identified here. Regulators will request this document during examination. It must be updated annually and whenever your business model changes materially.
Step 2: Write Your KYC and AML Policy
Draft a written KYC and AML policy. This document must specify: your CIP requirements and verification procedures; your CDD tiers and the criteria for each; your EDD triggers and procedures; your ongoing monitoring methodology; your SAR and STR filing procedures and thresholds; your record retention policy; and the identity and responsibilities of your designated compliance officer or MLRO.
This document must be approved by your board or senior management before any customers are onboarded. It must describe what actually happens in practice, not what you intend to happen. The FCA has been explicit: well-written policies that do not match operational reality provide no protection during enforcement proceedings.
Step 3: Appoint a Compliance Officer or MLRO
Appoint a named individual as compliance officer, Money Laundering Reporting Officer (MLRO), or equivalent title depending on your jurisdiction. This person is legally responsible for overseeing your KYC and AML programme, receiving internal suspicious activity reports, and deciding whether to file external reports with your financial intelligence unit.
The compliance officer must have sufficient seniority, authority, and resources to operate independently. Regulators in multiple jurisdictions have penalised institutions where the compliance function lacked board-level access or was under-resourced relative to the volume of the institution's compliance obligations.
Step 4: Build and Test Your CIP Workflow
Design and implement your customer onboarding flow to collect and verify the required identity information. Configure your third-party identity verification, biometric, and screening vendors. Test every outcome state: customers who pass cleanly; customers who fail identity verification; customers flagged on sanctions or PEP lists; customers who require EDD review before activation.
Document the workflow in a written procedure. Train every team member who has a role in the onboarding process. Establish clear escalation paths for customers who cannot be automatically cleared.
Step 5: Implement Transaction Monitoring and Ongoing Review
Configure your transaction monitoring platform with rule sets calibrated to your customer risk profiles. Define alert thresholds based on your risk assessment. Establish a process for triaging alerts, escalating cases for investigation, and filing SARs or STRs when the threshold for suspicious activity is met.
Schedule periodic KYC refresh reviews at the frequency required by each risk tier. Build re-screening triggers for sanctions list updates. Ensure all monitoring outputs are retained in your audit-ready record system.
KYC Program Online: Can You Build and Run It Entirely Digitally?
Yes. A KYC programme can be built and operated entirely online using third-party RegTech providers integrated through APIs. Banks and fintechs do not need to build identity verification infrastructure from scratch. Regulators assess whether controls are effective, not whether they are manual or automated.
A complete KYC programme online requires the following functional components:
| Capability | What It Does | Why It Is Required |
|---|---|---|
| Identity document capture and OCR | Captures and reads ID documents via mobile or web interface | First step in all CIP processes |
| Database identity verification | Verifies extracted data against government ID databases in real time | Confirms the identity is real; required by all major KYC frameworks |
| Biometric liveness detection | Confirms the person onboarding is physically present | Prevents synthetic identity and deepfake fraud |
| PEP and sanctions screening | Screens customer names against global and domestic watchlists | Required CDD obligation under all major regulatory frameworks |
| Adverse media screening | Surfaces negative news coverage about the customer | Part of EDD for high-risk customers |
| Beneficial ownership verification | Identifies and verifies UBOs for legal entity customers | Required under FinCEN CDD Final Rule, EU AML Directives, FICA |
| Transaction monitoring | Flags unusual activity against defined rule sets | Core ongoing monitoring requirement |
| SAR/STR workflow and filing | Automates suspicious activity reporting | Legal obligation in all major jurisdictions |
| Audit-ready record retention | Stores all KYC outputs in a structured, retrievable format | Required for examination by regulators |
For most institutions, the practical approach is a hybrid model: use purpose-built RegTech for identity verification, document authentication, biometrics, and PEP/sanctions screening; maintain internal tooling for case management, alert triage, and escalation workflows; and deploy an integrated transaction monitoring platform that connects directly to your KYC data.
Common KYC Program Mistakes That Banks and Fintechs Make
Understanding where KYC programmes consistently fail in practice saves your institution from repeating the same errors that generated billions in fines over the past three years.
1. Treating KYC as an onboarding check, not a continuous programme:
Onboarding verification is the visible entry point of KYC. Ongoing monitoring is where criminal activity is actually detected and interrupted. Both functions must be equally resourced.
2. Applying KYC only to new customers:
KuCoin's enforcement case demonstrated this risk specifically: its KYC programme covered new users but left millions of existing customers unscreened. Periodic reviews must cover every customer in your book, not only those onboarded after your programme was implemented.
3. Collecting identity data without independent verification:
A form that collects customer information without checking it against any external database is not a KYC programme. Every major regulatory framework requires verification against independent and reliable sources.
4. Missing beneficial ownership for business customers:
FinCEN's CDD Final Rule, the EU AML Directives, and the UK MLRs all require identification and verification of UBOs for legal entity customers. Collecting a declaration without verifying it against company registry data does not satisfy this requirement.
5. Writing a policy without operationalising it:
The FCA has specifically stated it does not give compliance credit for well-written policies that do not match operational reality. Your KYC programme is assessed by what happens when a high-risk customer applies, not by what your policy document says should happen.
6. Growing customer acquisition ahead of compliance infrastructure:
This is the defining failure pattern of every major fintech enforcement case from 2023 to 2025. Growth that outpaces your compliance team's capacity to conduct due diligence is a regulatory breach in progress.
7. Siloed KYC and AML systems:
When identity verification, transaction monitoring, and sanctions screening operate on separate, non-integrated platforms, risk signals are missed. Regulators consistently cite data fragmentation as a material control weakness.
What Are the Four Key Components of a KYC Program?
The 4 components of a KYC program are: customer identification program (CIP), customer due diligence, enhanced due diligence, and ongoing monitoring.
A fully operational KYC programme has these four components:
1: Customer Identification Program (CIP)
The CIP is the formal, written process for collecting and verifying the identity of every customer before they are onboarded. In the US, a written CIP is a legal requirement under the PATRIOT Act and BSA for all financial institutions. It must be approved by the board or senior management and incorporated into the institution's broader BSA/AML compliance programme.
Your CIP must specify: what identity information you will collect; how you will verify that information (through documentary or non-documentary methods); what happens when verification cannot be completed; and how customers will be notified that their information is being collected.
For banks, the CIP must also address existing customers during periodic reviews, not only new applicants. For fintechs operating through a BaaS partner, the CIP must clarify which party owns each verification step and how results are shared.
2: Customer Due Diligence (CDD)
CDD is the risk assessment function of your KYC programme. After establishing identity through your CIP, CDD determines the level of risk each customer represents and assigns the appropriate level of scrutiny.
FinCEN's CDD Final Rule (2018) requires US financial institutions to: identify and verify customer identity; identify and verify beneficial owners of legal entity customers; understand the nature and purpose of customer relationships; and conduct ongoing monitoring.
Your CDD methodology must be documented and consistently applied. The risk factors you use to tier customers (geography, source of funds, product type, PEP status, transaction profile) must be coherent and defensible. Regulators do not accept programmes where every customer is conveniently categorised as low-risk.
3: Enhanced Due Diligence (EDD)
EDD is applied to customers whose initial CDD screening identifies elevated risk. Common EDD triggers include confirmed PEP status, residence in a FATF high-risk jurisdiction, complex or opaque corporate ownership structures, high expected transaction volumes, adverse media hits, and discrepancies between declared source of funds and observed account behaviour.
EDD procedures must be documented and proportionate to the risk identified. They typically include collecting detailed source of wealth and source of funds documentation, obtaining senior management approval before account activation, and applying a shorter periodic review cycle. Every EDD decision and its rationale must be documented in the customer file.
4: Ongoing Monitoring
Ongoing monitoring is the systematic review of customer accounts and transactions throughout the customer lifecycle. For banks, this typically means automated transaction monitoring platforms with defined rule sets, alert triage workflows, periodic KYC refresh reviews, and SAR filing procedures. For fintechs, the same functions apply, calibrated to the specific transaction patterns, volumes, and financial crime typologies associated with their product.
Ongoing monitoring must be risk-based: the frequency of periodic reviews, the sensitivity of transaction monitoring rules, and the re-screening cadence for sanctions and PEP lists should all reflect the customer's risk tier. High-risk customers require more intensive monitoring than standard-risk customers.
What Are the Five Steps of KYC?
The 5 steps of KYC are: collecting customer identity information, verifying identity against independent sources, assessing customer risk, applying the appropriate level of due diligence, and monitoring and updating continuously.
Every KYC interaction, whether at onboarding or during a periodic review, follows five core steps. Building these steps into your programme architecture ensures that every customer goes through a consistent, auditable process.
Step 1: Collect Customer Identity Information
Collect the minimum identity attributes required by your jurisdiction. For individuals: full name, date of birth, residential address, and a government-issued identification number. For business customers: company name, registered address, company registration number, the identities of directors and authorised persons, and the identities of ultimate beneficial owners at the applicable ownership threshold.
Collect only what is required for compliance purposes. Collecting unnecessary personal data creates exposure under data protection regulations including GDPR in the EU, POPIA in South Africa, and equivalent frameworks elsewhere.
Step 2: Verify Identity Against Independent Sources
Collecting identity information is not the same as verifying it. Verification requires cross-referencing the information provided against independent and reliable sources: government identity databases, credit bureau records, biometric matching against government biometric registries, and AI-powered document authentication for passports and national identity cards.
This step is the one most frequently cited as inadequate in enforcement actions against both banks and fintechs. Allowing customers to self-declare their identity without independent verification does not constitute KYC under any major regulatory framework. It is a form collection exercise.
Step 3: Assess Customer Risk
Using the verified identity data, assign each customer a risk tier using your documented risk methodology. Risk factors to consider include: country of residence and nationality, source of funds and source of wealth, type of product or service being used, expected transaction volumes, PEP or sanctions screening results, and adverse media findings.
Your risk methodology must be applied consistently. Regulators audit whether risk tiers are triggered correctly in practice, not whether a risk policy exists on paper.
Step 4: Apply the Appropriate Level of Due Diligence
Map the customer's risk tier to the appropriate CDD level. Low and standard risk customers proceed through Standard CDD: identity verification, PEP and sanctions screening, and risk profile documentation. High-risk customers require EDD before activation: additional source of funds documentation, senior management sign-off, and a shorter periodic review cycle.
For banks dealing with large corporate customers, this step frequently involves beneficial ownership mapping across multi-layered structures, requiring CIPC, Companies House, or equivalent registry verification depending on the customer's jurisdiction.
Step 5: Monitor Continuously and Update
The KYC obligation does not end at onboarding. Configure transaction monitoring rules calibrated to the customer's risk profile. Schedule periodic KYC refresh reviews at the appropriate frequency: annually for high-risk customers, every two to three years for standard-risk customers. Re-screen all customers against updated sanctions and PEP lists whenever those lists change. Update customer records when circumstances change.
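Steps 3 to 5 above describe a decision procedure: score risk factors, let hard triggers (PEP status, sanctions hits, FATF high-risk residence, adverse media, opaque ownership) force EDD regardless of score, map the tier to a due-diligence level and review cadence, and run refresh and re-screening across the whole book rather than only new customers. The Python below is an added illustration of that procedure written for this guide; it is not Youverify's product logic or any regulator's methodology. The jurisdiction set, product list, weights, thresholds, two-year standard review cycle and the sample book are all constructed assumptions, and name matching is deliberately simplistic.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set

# Constructed, illustrative reference sets. A real programme sources the
# high-risk jurisdiction list from FATF and product risk from its own risk assessment.
FATF_HIGH_RISK = {"KP", "IR", "MM"}
HIGH_RISK_PRODUCTS = {"crypto_exchange", "cross_border_remittance"}

# Review cadence per tier: annual for high risk, two years for the rest
# (the guide allows two to three years for standard risk; two is an assumption here).
REVIEW_CYCLE = {
    "high": timedelta(days=365),
    "standard": timedelta(days=730),
    "low": timedelta(days=730),
}


@dataclass
class Customer:
    customer_id: str
    name: str
    residence: str                   # ISO 3166-1 alpha-2 country of residence
    product: str
    expected_monthly_volume: float   # expected turnover in account currency
    source_of_funds_documented: bool
    is_pep: bool = False
    sanctions_hit: bool = False
    adverse_media: bool = False
    complex_ownership: bool = False  # layered UBO structure for legal entities
    last_review: Optional[date] = None  # None: never reviewed (e.g. pre-programme customer)


def assess_risk(c: Customer) -> dict:
    """Step 3 and Step 4: assign a risk tier and the matching due-diligence level.

    Hard triggers are evaluated first and cannot be offset by benign factors, so a
    PEP or a resident of a FATF high-risk jurisdiction is always routed to EDD.
    """
    if c.sanctions_hit:
        return {"tier": "blocked", "cdd": "decline_and_escalate",
                "reasons": ["sanctions match"], "score": None}

    triggers = []
    if c.is_pep:
        triggers.append("PEP status")
    if c.residence in FATF_HIGH_RISK:
        triggers.append("FATF high-risk jurisdiction: " + c.residence)
    if c.adverse_media:
        triggers.append("adverse media hit")
    if c.complex_ownership:
        triggers.append("complex ownership structure")
    if triggers:
        return {"tier": "high", "cdd": "EDD", "reasons": triggers, "score": None}

    # Additive scoring for the remaining factors; the weights are assumptions.
    score, reasons = 0, []
    if c.product in HIGH_RISK_PRODUCTS:
        score += 2
        reasons.append("high-risk product: " + c.product)
    if c.expected_monthly_volume > 50_000:
        score += 2
        reasons.append("high expected volume")
    elif c.expected_monthly_volume > 10_000:
        score += 1
        reasons.append("elevated expected volume")
    if not c.source_of_funds_documented:
        score += 1
        reasons.append("source of funds not documented")

    tier = "high" if score >= 4 else "standard" if score >= 2 else "low"
    cdd = "EDD" if tier == "high" else "standard_CDD"
    return {"tier": tier, "cdd": cdd, "reasons": reasons, "score": score}


def review_due(customers: Iterable[Customer], today: date) -> List[str]:
    """Step 5: periodic refresh over the whole book. A customer with no recorded
    review is treated as overdue, so legacy accounts cannot fall outside the programme."""
    due = []
    for c in customers:
        tier = assess_risk(c)["tier"]
        if tier == "blocked":
            continue  # handled by the escalation workflow, not by periodic refresh
        if c.last_review is None or c.last_review + REVIEW_CYCLE[tier] <= today:
            due.append(c.customer_id)
    return due


def rescreen(customers: Iterable[Customer], updated_list: Set[str]) -> List[str]:
    """Re-screen every customer when a sanctions or PEP list changes.
    Exact match on a normalised name keeps the example short; production screening
    uses fuzzy, transliteration-aware matching and additional identifiers."""
    listed = {n.strip().lower() for n in updated_list}
    return [c.customer_id for c in customers if c.name.strip().lower() in listed]


# Constructed sample book: names, countries and volumes are invented.
BOOK = [
    Customer("c1", "Ana Silva", "PT", "current_account", 2_000, True, last_review=date(2025, 6, 1)),
    Customer("c2", "Bo Lund", "SE", "crypto_exchange", 60_000, False, last_review=date(2025, 6, 1)),
    Customer("c3", "Cy Okoro", "NG", "current_account", 3_000, True, is_pep=True, last_review=date(2024, 6, 1)),
    Customer("c4", "Di Reyes", "MX", "current_account", 1_000, True),  # onboarded before the programme existed
    Customer("c5", "Ed Kim", "KR", "current_account", 5_000, True, sanctions_hit=True),
]

if __name__ == "__main__":
    for c in BOOK:
        print(c.customer_id, assess_risk(c))
    print("due for review:", review_due(BOOK, date(2025, 12, 1)))
    print("rescreen hits:", rescreen(BOOK, {"BO LUND", "Someone Else"}))
```

Two design points carry the guide's argument. First, the trigger checks precede the additive score, which is what stops a programme from "conveniently" scoring every customer as low risk: no combination of benign factors can pull a PEP below EDD. Second, `review_due` treats a missing `last_review` as overdue rather than as "not yet in scope", which is the KuCoin failure mode (existing customers never screened) expressed as a single conditional.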
KYC Requirements and the Global KYC Compliance Program: What Laws Apply?
Building a global KYC compliance programme requires mapping your institution's activities to the applicable regulatory framework in every jurisdiction where you operate or serve customers. The core KYC obligations are consistent across FATF-member countries, but implementation rules, reporting thresholds, and supervisory expectations vary.
1. United States
The primary KYC framework is the Bank Secrecy Act (BSA), amended by the USA PATRIOT Act (2001) and the Anti-Money Laundering Act (AMLA, 2020), enforced by FinCEN. Mandatory requirements include: a written, board-approved CIP; CDD for all customers including beneficial ownership identification at the 25% threshold under FinCEN's 2018 CDD Final Rule; transaction monitoring and SAR filing; and CTRs for transactions above $10,000.
Fintechs qualifying as Money Services Businesses (MSBs) under FinCEN rules must register with FinCEN and comply with BSA requirements directly. Fintechs operating through a bank partner typically have BSA obligations passed down contractually.
2. United Kingdom
The UK framework is the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs 2017), enforced by the FCA. Obligations include: CDD on all customers; EDD for high-risk customers, PEPs, and their associates; beneficial ownership identification for legal entities; ongoing monitoring; and five-year record retention post-relationship.
Both banks and fintechs holding FCA authorisation are subject to identical MLR obligations. The distinction is execution capacity, not legal obligation. Monzo and Starling holding full banking licences face the same requirements as HSBC and Barclays. The FCA has demonstrated in 2024 and 2025 that enforcement applies equally to neobanks and legacy institutions.
3. European Union
The EU KYC framework is built on successive AML Directives, with the Sixth Anti-Money Laundering Directive (6AMLD, effective December 2020) as the current baseline. 6AMLD expands criminal liability for money laundering, harmonises penalties across member states, and extends liability to legal entities. The EU's new Anti-Money Laundering Authority (AMLA), operational from 2026, will directly supervise high-risk financial institutions across EU member states.
4. Africa: Key Jurisdictions
For institutions operating in African markets, South Africa's FICA (Financial Intelligence Centre Act) governs KYC and AML compliance for Accountable Institutions. Nigeria's CBN AML/CFT Framework applies to financial institutions operating in-country. Both frameworks align with FATF 40 Recommendations. South Africa's exit from the FATF grey list in October 2025 has increased enforcement intensity domestically, with the Prudential Authority imposing substantial fines on major banks in 2024 and 2025 as part of the grey-list remediation process.
How Youverify Supports KYC Programme Development for Banks and Fintechs
Banks and fintechs building or upgrading a KYC programme need a platform that satisfies the full compliance requirement without creating friction that undermines the onboarding experience. The regulatory checklist is specific: CIP, CDD, EDD, ongoing monitoring, PEP and sanctions screening, beneficial ownership verification, and audit-ready record retention for at least five years.
Youverify's KYC platform delivers all of these capabilities through a single API integration built for institutions across Africa, Europe, and beyond. Pre-built integrations with government identity databases, CIPC-grade beneficial ownership verification, certified biometric liveness detection, domestic and international PEP and sanctions screening, and structured audit trails configured for FIC, FCA, FinCEN, and FATF examination are all available within one platform.
For banks modernising legacy KYC infrastructure and for fintechs building their first programme, Youverify provides the technology foundation that lets your compliance team focus on risk judgement rather than data plumbing.
Book a demo with our KYC compliance experts to see how banks and fintechs across Africa and beyond are building audit-ready KYC programmes at scale.
