KYC Checklist: Essential Steps for Compliance Success

Regulators across the US, UK, Canada, and EU are intensifying scrutiny of how financial institutions verify their customers — and the numbers reflect it. According to Fenergo, global AML, KYC, sanctions, and CDD penalties reached USD $6.6 billion in 2023, up 57% from $4.2 billion the year before. For fintech companies, crypto firms, money transmitters, and embedded finance providers, that's not a background statistic — it's a direct cost of getting compliance wrong.

A KYC checklist is the operational mechanism that prevents those failures. It's what separates a documented, auditable compliance program from a collection of good intentions.

This guide covers what a KYC checklist actually includes, how each step applies across the customer lifecycle, and what regulators consistently penalize when firms cut corners.


TL;DR

  • A KYC checklist is a structured verification program covering identity, risk assessment, sanctions screening, and ongoing monitoring.
  • The five core steps are: CIP, CDD, EDD, Sanctions/PEP Screening, and Ongoing Monitoring.
  • A risk-based approach is required — low-risk customers may qualify for simplified due diligence; high-risk customers require EDD.
  • Rules differ by jurisdiction: US (BSA/FinCEN), UK (FCA/MLRs), Canada (FINTRAC), and EU (AMLD) each impose distinct requirements.
  • KYC is a continuous program, not a one-time onboarding event.

What Is a KYC Checklist?

A KYC checklist is a structured, repeatable set of procedures that regulated businesses use to verify customer identities, assess financial crime risk, and maintain compliance with AML obligations — not just at onboarding, but throughout the customer relationship.

The KYC process is the overarching compliance framework — the policies, regulations, and governance structure. The KYC checklist is the operational tool that executes that framework consistently across every customer interaction and every team member.

A well-built checklist:

  • Creates a consistent onboarding experience regardless of which team member handles it
  • Produces an auditable evidence trail that regulators can review
  • Reduces the risk of gaps when staff turn over or processes scale
  • Enables firms to grow their customer base without sacrificing due diligence quality

For early-stage fintechs and crypto firms, this last point matters most. Fraxtional's AML program build engagements consistently show that growth-stage companies are most vulnerable when their compliance procedures haven't kept pace with their customer volumes. A well-maintained checklist is what keeps due diligence intact as customer volume grows.


The Essential KYC Compliance Checklist: 5 Core Steps

These five steps cover the complete customer relationship, from first contact through the life of the account. Each step builds on the one before it. Skipping or shortcutting any one of them creates downstream compliance gaps that are difficult to remediate after the fact.


Step 1: Customer Identification Program (CIP)

CIP is the entry point for every customer relationship. Under 31 CFR 1020.220, US banks must collect four minimum data points before opening an account, and verify the customer's identity within a reasonable time after opening:

  • Full legal name
  • Date of birth (for individuals)
  • Address
  • Government-issued identification number

Acceptable verification documents include passports, driver's licenses, and official government correspondence. The rule also permits non-documentary verification (for example, checking the collected data against a consumer reporting agency or public database), which is what most digital onboarding flows rely on in practice; the CIP must state which methods are used and when.

For legal entity customers — relevant to B2B fintechs, BaaS providers, and embedded finance companies — CIP extends further. Firms must collect company registration documents, business licenses, director identification, and registered address verification. This lays the groundwork for the beneficial ownership analysis that follows in CDD.

Step 2: Customer Due Diligence (CDD)

CDD goes beyond identity to assess the customer's risk profile. Firms must document:

  • The nature and purpose of the business relationship
  • Expected transaction behavior and volumes
  • Industry and geographic footprint
  • Any red flags indicating elevated financial crime risk

The Ultimate Beneficial Owner (UBO) requirement is a central CDD obligation. All four major jurisdictions key the ownership test to a 25% interest, but they differ on whether exactly 25% counts: the US and Canada use "25% or more", while the UK and EU use "more than 25%". A holder sitting at precisely 25% is a beneficial owner under the first pair and not under the second:

Jurisdiction          | Beneficial ownership threshold
US (31 CFR 1010.230)  | 25% or more of equity interests, plus one individual under the control prong
UK (MLR 2017 Reg. 5)  | More than 25% of shares or voting rights
EU (AMLD Art. 3)      | 25% plus one share, or an ownership interest of more than 25%
Canada (FINTRAC)      | 25% or more of a corporation or other entity

Compliance teams must document the full ownership chain — not just surface-level entity names.
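Walking the chain is where layered structures go wrong in practice: a person below 25% at every individual layer can still hold more than 25% of the target once interests are multiplied along each path and summed. The following is an added example, not code from the original article, that resolves indirect ownership through a constructed ownership graph and applies both the "25% or more" and the "more than 25%" reading of the threshold. The ownership data, the multiply-and-sum convention, and the treatment of entities with no holdings on file are assumptions for illustration; the US control prong is a separate judgment and is not derived from this arithmetic.

```python
"""Added example, not part of the original article: resolve beneficial owners
through a layered ownership chain.

Ownership data is constructed for illustration. Indirect interests are
computed by multiplying fractions along each path and summing across paths
(assumption: that is the convention your policy adopts). This implements the
ownership test only, not the US control prong.
"""
from collections import defaultdict

# Constructed sample: entity -> list of (holder, fraction of equity held).
# "Minority Fund" has no breakdown on file, so it is an unresolved node.
OWNERSHIP = {
    "TargetCo": [("HoldCo A", 0.50), ("HoldCo B", 0.40), ("Minority Fund", 0.10)],
    "HoldCo A": [("Alice", 0.50), ("Bob", 0.50)],
    "HoldCo B": [("Carol", 0.80), ("HoldCo C", 0.20)],
    "HoldCo C": [("Alice", 1.00)],
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol"}


def effective_ownership(target, ownership, persons=NATURAL_PERSONS, max_depth=10):
    """Return ({leaf: indirect fraction of target}, {unresolved entities}).

    Leaves are natural persons or entities with no holdings on file. Circular
    structures and chains deeper than max_depth raise instead of looping.
    """
    totals = defaultdict(float)
    unresolved = set()

    def walk(entity, share, path):
        if entity in path:
            raise ValueError(f"circular ownership through {entity}: {path}")
        if len(path) > max_depth:
            raise ValueError(f"chain deeper than {max_depth} at {entity}")
        holders = ownership.get(entity)
        if not holders:
            totals[entity] += share
            if entity not in persons:
                unresolved.add(entity)  # cannot finish the analysis without look-through
            return
        declared = sum(frac for _, frac in holders)
        if abs(declared - 1.0) > 1e-9:
            raise ValueError(f"{entity}: holdings sum to {declared:.3f}, not 1.0")
        for holder, frac in holders:
            walk(holder, share * frac, path + [entity])

    walk(target, 1.0, [])
    return dict(totals), unresolved


def beneficial_owners(target, ownership, threshold=0.25, inclusive=True,
                      persons=NATURAL_PERSONS):
    """Natural persons at or above the threshold (inclusive=True, the US and
    Canada wording) or strictly above it (inclusive=False, the UK and EU wording)."""
    totals, unresolved = effective_ownership(target, ownership, persons)

    def meets(v):
        return v >= threshold - 1e-9 if inclusive else v > threshold + 1e-9

    owners = {p: round(v, 6) for p, v in totals.items() if p in persons and meets(v)}
    return owners, unresolved


if __name__ == "__main__":
    for label, inclusive in (("25% or more", True), ("more than 25%", False)):
        owners, unresolved = beneficial_owners("TargetCo", OWNERSHIP, inclusive=inclusive)
        print(f"{label}: {owners}; unresolved: {unresolved}")
```

On this constructed structure Alice holds 33% (25% through HoldCo A plus 8% through HoldCo B and HoldCo C), Bob exactly 25%, and Carol 32%. Bob is a beneficial owner under the "25% or more" reading and not under "more than 25%", which is exactly the kind of jurisdictional difference a multi-country checklist has to encode. The 10% held by "Minority Fund" is reported as unresolved rather than silently dropped, because an analyst cannot sign off on a UBO determination while part of the cap table is opaque.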

Step 3: Enhanced Due Diligence (EDD)

EDD is triggered when a customer presents elevated risk. This is a regulatory requirement, not an optional upgrade.

EDD is typically required for customers with:

  • Politically Exposed Person (PEP) status
  • Complex or opaque ownership structures
  • Connections to high-risk or sanctioned jurisdictions
  • Unusual transaction patterns inconsistent with their stated profile

FATF Recommendation 12 requires financial institutions to obtain source of wealth and source of funds information for foreign PEPs, along with enhanced ongoing monitoring.

UK MLR 2017 Regulation 35 and EU AMLD Article 20 both explicitly require senior management approval before establishing or continuing a PEP relationship.

In practice, EDD includes:

  • Source of funds and wealth documentation
  • Adverse media screening
  • Additional background checks on beneficial owners
  • Senior management sign-off (required for foreign PEPs under FATF Recommendation 12 and explicitly in UK and EU law; best practice for any PEP relationship)
  • More frequent review cadences than standard CDD

Step 4: Sanctions and PEP Screening

All customers — individuals, entities, directors, and UBOs — must be screened against major global watchlists before onboarding and on a continuous basis thereafter.

Key screening lists by jurisdiction:

  • US: OFAC SDN List and consolidated sanctions lists
  • UK: UK Sanctions List (administered by OFSI, part of HM Treasury)
  • Canada: Consolidated Canadian Autonomous Sanctions List (Global Affairs Canada)
  • EU: EU Consolidated Sanctions List

Point-in-time screening at onboarding is not sufficient. OFAC's compliance framework specifically identifies failure to update screening tools for SDN or SSI list changes as a compliance weakness.

Designations occur regularly. A customer who cleared screening at onboarding can appear on a sanctions list weeks or months later — which is why continuous screening of the existing customer base is a regulatory expectation, not merely a best practice.
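The operational control behind that expectation is straightforward: keep the previous list snapshot, compute the entries that were added or changed, and run the whole customer book against that delta every time the list updates. The following is an added example, not code from the original article, that does this with constructed list snapshots and customers (no real designations). The name normalisation and similarity scoring are assumptions for illustration; a production deployment would use a vetted screening engine with alias, transliteration and date-of-birth handling, and this shows the control logic rather than a production matcher.

```python
"""Added example, not part of the original article: screen a customer base at
onboarding, then re-screen it against the delta when a sanctions list changes.

List entries and customers are constructed; no real designations are used.
Matching normalises names (diacritics, punctuation, token order, honorifics)
and scores them with a similarity ratio. Assumption: a real deployment uses a
vetted screening engine; this shows the control, not a production matcher.
"""
import re
import unicodedata
from difflib import SequenceMatcher

STOP_TOKENS = {"mr", "mrs", "ms", "dr", "ltd", "llc", "inc", "co", "the"}


def normalize(name):
    """Strip diacritics, punctuation, case and honorifics; return sorted tokens
    so 'Perez Garcia, Juan' and 'Juan Pérez-García' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower())
    return sorted(t for t in cleaned.split() if t not in STOP_TOKENS)


def similarity(a, b):
    return SequenceMatcher(None, " ".join(normalize(a)), " ".join(normalize(b))).ratio()


def screen(customers, entries, match=0.85, review=0.70):
    """Return [(customer_id, entry_id, score, status)].

    'match' means block and escalate; 'review' means an analyst must clear it.
    Thresholds are assumed values; tune them against your own false-positive data.
    """
    hits = []
    for c in customers:
        for e in entries:
            names = [e["name"]] + e.get("aliases", [])
            best = max(similarity(c["name"], n) for n in names)
            if best >= match:
                hits.append((c["id"], e["id"], round(best, 3), "match"))
            elif best >= review:
                hits.append((c["id"], e["id"], round(best, 3), "review"))
    return hits


def list_delta(old, new):
    """Entries added or changed between two snapshots, keyed by entry id."""
    old_by_id = {e["id"]: e for e in old}
    return [e for e in new if old_by_id.get(e["id"]) != e]


def rescreen_on_update(customers, old_list, new_list):
    """Run the whole book against only the new or changed entries."""
    return screen(customers, list_delta(old_list, new_list))


# Constructed list snapshots and customers (no real designations).
LIST_V1 = [{"id": "E-1", "name": "Viktor Example", "aliases": ["V. Example"]}]
LIST_V2 = LIST_V1 + [{"id": "E-2", "name": "Juan Pérez-García", "aliases": ["J. Perez Garcia"]}]
CUSTOMERS = [
    {"id": "C-100", "name": "Alice Smith"},
    {"id": "C-101", "name": "Perez Garcia, Juan"},  # clean at onboarding, designated later
    {"id": "C-102", "name": "Juan Garcia"},         # partial name: analyst review, not a block
]

if __name__ == "__main__":
    print("onboarding:", screen(CUSTOMERS, LIST_V1))
    print("after list update:", rescreen_on_update(CUSTOMERS, LIST_V1, LIST_V2))
```

At onboarding every customer clears against the first snapshot. When the second snapshot adds an entry, the delta re-screen flags C-101 as a full match despite the reversed name order and missing diacritics, and puts C-102 into the review band because only part of the name matches. A delta re-screen catches new designations cheaply, but a full re-screen of the book is still needed whenever the matching logic or thresholds change, since earlier "clean" results were produced by the old logic.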

Step 5: Ongoing Monitoring and Periodic Review

KYC is a continuous obligation. FinCEN's CDD Rule makes ongoing monitoring a distinct pillar: conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintaining and updating customer information.

Ongoing monitoring includes:

  • Transaction monitoring for patterns inconsistent with the established risk profile
  • Updating customer records when material changes occur (ownership shifts, adverse media, address changes)
  • Periodic re-verification on a risk-tiered schedule (e.g., annually for high-risk, every 2-3 years for low-risk)
  • Filing Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) when unusual activity is detected

SAR/STR filing requirements vary by jurisdiction:

Jurisdiction | Threshold | Filing timeframe
US banks     | USD $5,000 where a suspect is identified; USD $25,000 regardless of suspect; no threshold for insider abuse | Within 30 calendar days of initial detection; up to 60 days if no suspect has been identified
US MSBs      | USD $2,000 (generally) | Within 30 calendar days of initial detection
Canada       | No monetary threshold | As soon as practicable after establishing reasonable grounds to suspect
UK           | No monetary threshold | As soon as practicable upon knowledge, suspicion, or reasonable grounds to suspect (to the NCA under POCA)
EU           | No monetary threshold | Promptly to the national FIU (AMLD Art. 33)

This step is where many smaller fintechs and crypto firms have the most significant compliance gaps — particularly around SAR/STR workflows and periodic re-verification schedules.


Applying a Risk-Based Approach to Your KYC Checklist

Not every customer presents equal risk, and compliance resources should reflect that. The risk-based approach is a foundational principle across FATF, FinCEN, FCA, FINTRAC, and EU frameworks — applying more scrutiny where risk is higher, and permitting simplified due diligence (SDD) where risk is demonstrably lower. UK MLR 2017 Regulation 37 and EU AMLD Article 15 both explicitly permit SDD for low-risk relationships, as long as ongoing monitoring remains in place.

Building a Practical Risk-Scoring Matrix

A risk-scoring matrix assigns customers to tiers based on documented criteria. Factors that typically increase a customer's risk tier include:

  • Jurisdiction: High-risk, sanctioned, or FATF grey-listed countries
  • Industry: Cash-intensive businesses, crypto, gambling, real estate
  • Ownership structure: Complex, opaque, or multi-layered ownership
  • PEP association: Customer is or is connected to a politically exposed person
  • Transaction profile: High volumes, unusual patterns, or cross-border activity


Risk Tiers Require Regular Review

A customer's risk tier can change. A company that was low-risk at onboarding may move to a higher tier if their ownership structure changes, their jurisdiction is added to a grey list, or their transaction behavior shifts materially.

Risk tiers should be reviewed on a schedule and re-triggered by specific events — not left static from onboarding. Fraxtional's risk assessment engagements are built around this principle: each client framework includes defined re-scoring triggers, updated monitoring rules, and policy revisions as the business and regulatory landscape shift.


KYC Requirements Across the US, UK, Canada, and EU

Firms operating across multiple jurisdictions face different — and sometimes conflicting — requirements. Here's what each regime requires:

United States

  • Governed by the Bank Secrecy Act (BSA), FinCEN's CDD Rule (31 CFR 1010.230), and Section 326 of the USA PATRIOT Act
  • Requires CIP, CDD, beneficial ownership identification, and SAR filing
  • FinCEN has issued updated guidance limiting Corporate Transparency Act (CTA) beneficial ownership reporting to certain foreign entities registered to do business in the US — firms should confirm their current obligations

United Kingdom

  • Governed by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and the Proceeds of Crime Act 2002 (POCA)
  • FCA supervises authorized firms; HMRC supervises certain other regulated businesses
  • UK financial sanctions are administered by OFSI (Office of Financial Sanctions Implementation) within HM Treasury
  • Requires CIP, CDD, EDD for PEPs and high-risk customers, and SAR filing under POCA

Canada

  • Governed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), administered by FINTRAC
  • Applies to banks, money services businesses (MSBs), and dealers in virtual currency, which are regulated as MSBs
  • Requires identity verification, beneficial ownership documentation, and STR filing with no monetary threshold
  • MSBs, including virtual currency dealers, must register with FINTRAC, in addition to meeting the reporting, record-keeping, and compliance-program obligations that apply to all reporting entities

European Union

  • Governed by the Anti-Money Laundering Directives (4AMLD, 5AMLD) and, going forward, the 2024 AML package: a directly applicable AML Regulation (AMLR) and 6AMLD, published in June 2024, with most AMLR provisions applying from July 2027
  • Requires CIP, CDD, EDD, UBO registration, and ongoing monitoring for all obliged entities
  • The new Anti-Money Laundering Authority (AMLA) will take on direct supervision of selected high-risk entities — firms should monitor AMLA's rollout closely
  • Cross-border firms must comply with both the EU framework and national transposition rules


Managing obligations across four distinct regulatory regimes is one of the harder operational challenges in compliance. Fraxtional places named compliance leaders — including BSA Officers, CAMLOs, and MLROs — across all four jurisdictions, with credentials spanning CAMS certification, BSA regulatory experience, and FINTRAC-aligned program design.


Common KYC Checklist Mistakes to Avoid

Treating KYC as a One-Time Onboarding Checkbox

The most common and costly mistake: completing identity verification at onboarding and then doing nothing further. No periodic re-verification schedule, no event-driven review triggers, no adverse media alerts.

The enforcement record makes the cost clear. In 2020, the FCA fined Commerzbank London £37,805,400 for AML control failures that included a backlog of 2,226 existing clients overdue for KYC refresh. In 2024, FINTRAC imposed a CAD $9,185,000 penalty on TD Bank in part for failure to submit suspicious transaction reports.

These weren't onboarding failures. They were ongoing monitoring failures.

Applying the Same Process to All Customers Regardless of Risk

A flat, non-risk-tiered checklist is a red flag in any regulatory review. Over-applying EDD to low-risk customers wastes compliance resources and damages the onboarding experience. Under-applying scrutiny to high-risk customers creates direct financial crime exposure.

The checklist must reflect actual risk differentiation — documented, defensible, and consistent.

Building the Checklist Without Dedicated Compliance Expertise

Early-stage fintechs and crypto firms often rely on generic templates or outside legal counsel to design KYC procedures. Legal counsel can advise on obligations, but day-to-day compliance leadership — someone who calibrates procedures to the firm's specific regulatory environment, business model, and risk profile — is a different need.

Fractional compliance leadership fills that gap for growth-stage firms. Through Fraxtional, companies get a named fractional BSA Officer, CAMLO, or MLRO without the cost of a full-time hire. Each engagement is built around the firm's actual operating model, not a generic template.

A fractional compliance officer through Fraxtional typically handles:

  • Designing KYC procedures calibrated to the firm's risk profile and regulatory environment
  • Conducting BSA risk assessments aligned to sponsor bank requirements
  • Owning SAR/STR workflows and ongoing reporting obligations
  • Keeping the checklist current as regulations and business models evolve


Frequently Asked Questions

What is a KYC checklist?

A KYC checklist is a standardized set of verification and due diligence steps covering identity verification, risk assessment, sanctions screening, and ongoing monitoring. Regulated businesses use it to confirm who they're dealing with, meet AML obligations, and maintain a consistent, auditable process.

What are the 6 KYC documents?

Commonly required documents include: government-issued photo ID (passport or driver's license), proof of address (utility bill or bank statement), tax identification number, date of birth confirmation, and for entities — certificate of incorporation and beneficial ownership documentation, though exact requirements vary by jurisdiction.

What do KYC checks include?

KYC checks cover identity verification (CIP), customer due diligence (CDD), enhanced due diligence for high-risk customers (EDD), sanctions and PEP screening, and ongoing transaction monitoring. The process runs throughout the entire customer relationship, not just at onboarding.

What is the difference between CDD and EDD in KYC?

CDD is standard due diligence applied to all customers: verifying identity, understanding the business relationship, and identifying beneficial owners. EDD applies to elevated-risk customers (PEPs, high-risk jurisdictions, complex structures) and adds source of wealth documentation and senior management sign-off.

How often should a KYC checklist be reviewed and updated?

Review the checklist at least annually to catch regulatory changes. Customer files should be re-verified on a risk-tiered schedule: annually for high-risk, every 2-3 years for low-risk, and immediately following material events like ownership changes, adverse media, or suspicious activity.

What are the consequences of failing to implement a proper KYC checklist?

Global AML and KYC penalties reached USD $6.6 billion in 2023, with individual enforcement actions reaching into the billions — FinCEN assessed USD $3.4 billion against Binance for BSA violations. Beyond fines, consequences include loss of operating licenses, reputational damage, and the risk of being exploited for money laundering or terrorist financing.