DOMAIN:EU_REGULATION:KYC_PROCESSES¶
OWNER: eric ALSO_USED_BY: julian, aimee, hugo, ALL dev agents building regulated features UPDATED: 2026-03-26 SCOPE: Complete KYC process deep dive — due diligence levels, verification methods, screening, monitoring
PURPOSE¶
This page details the operational KYC process.
It complements kyc-aml.md (regulatory framework) with step-by-step procedures.
Two use cases: (1) Eric verifying GE clients, (2) dev agents building KYC features in client projects.
CUSTOMER DUE DILIGENCE LEVELS¶
The risk-based approach mandates three tiers of due diligence. The tier is determined by the risk profile of the customer, product, channel, and geography.
SIMPLIFIED DUE DILIGENCE (SDD)¶
WHEN_ALLOWED: - customer is a listed company subject to public disclosure requirements - customer is a government body or EU institution - customer is a regulated financial institution in an EEA state - product or transaction carries demonstrably low ML/TF risk - national risk assessment of the Member State permits SDD for the category
WHAT_SDD_MEANS: - reduced scope of information collected at onboarding - less frequent ongoing monitoring (e.g., every 36 months instead of 12) - may defer full verification until transaction exceeds threshold - still MUST identify the customer — SDD is not "no diligence"
WHAT_SDD_DOES_NOT_ALLOW: - skipping identity verification entirely - ignoring sanctions screening (always mandatory regardless of risk tier) - ignoring PEP screening (always mandatory regardless of risk tier)
SDD_DOCUMENTATION: - record the reasoning for applying SDD - record which risk factors were assessed - retain for 5 years after end of relationship (Wwft)
AMLR_CHANGE (from Jul 2027): - AMLR Article 29 codifies SDD conditions EU-wide - Member States lose discretion to expand SDD beyond harmonised criteria - AMLA submits draft RTS specifying the exact SDD triggers to the Commission by Jul 2026; the Commission adopts them, so the harmonised criteria are only final once the delegated act is published
STANDARD DUE DILIGENCE (CDD)¶
DEFAULT_LEVEL: applies to all customers unless SDD or EDD is triggered.
STEP_1_IDENTIFY: - natural person: full name, date of birth, place of birth, nationality, residence address - legal entity: legal name, registered office, registration number, legal form, articles of association - beneficial owner(s): identify all natural persons with 25%+ ownership/control
STEP_2_VERIFY: - natural person: government-issued photo ID (passport preferred, national ID card, residence permit) - legal entity: KvK extract (NL), company register extract (other jurisdictions), certified copy of articles - beneficial owner: verify identity using same methods as natural person
STEP_3_UNDERSTAND_RELATIONSHIP: - document purpose of the business relationship - document expected transaction patterns (type, volume, frequency) - document source of funds for recurring transactions
STEP_4_ONGOING_MONITORING: - transaction monitoring against expected profile - periodic review of customer data accuracy - re-screening against sanctions and PEP lists - trigger-based review upon material changes
TIMING: - CDD must be completed BEFORE establishing the business relationship - exception: may begin relationship while completing CDD if (a) necessary for normal business and (b) ML/TF risk is low and (c) CDD is completed within reasonable timeframe - for GE: Eric must complete CDD before contract signing
ENHANCED DUE DILIGENCE (EDD)¶
MANDATORY_TRIGGERS: - customer is or is associated with a PEP - customer is established in a high-risk third country (EU Commission delegated list) - complex or unusual transaction structure with no apparent economic rationale - correspondent banking relationships (cross-border) - any situation where the risk assessment outcome is "high"
ADDITIONAL_EDD_MEASURES:
SOURCE_OF_FUNDS: - document the origin of funds used in the business relationship - distinguish from source of wealth (overall financial position) - acceptable evidence: bank statements, investment records, property sale documentation - for business clients: audited accounts, tax returns, contract documentation
SOURCE_OF_WEALTH: - required for PEPs and highest-risk customers - document the origin of the customer's overall wealth - evidence: employment history, business ownership, inheritance records
SENIOR_MANAGEMENT_APPROVAL: - required to establish or continue EDD-flagged relationships - approval must be documented with name, role, date, reasoning - "senior management" = board level or designated compliance officer
ENHANCED_MONITORING: - increased transaction monitoring frequency (real-time where feasible) - periodic review cycle shortened (minimum every 12 months, often 6 months) - any deviation from expected pattern triggers immediate review
FOR_GE: - if Eric identifies EDD triggers during client onboarding, escalate to Dirk-Jan - GE is not an obliged entity but applies proportionate due diligence as best practice - document decision whether to proceed or decline the relationship
IDENTITY VERIFICATION METHODS¶
DOCUMENT VERIFICATION¶
PASSPORT: - strongest identity document globally - machine-readable zone (MRZ): two lines of OCR-B characters encoding name, nationality, DOB, expiry - biometric chip (RFID/NFC): stores facial image, fingerprints (if enrolled), digital signature - security features: watermarks, holograms, UV-reactive ink, microprinting - ICAO Doc 9303 standard governs format and machine-readability
NATIONAL_ID_CARD: - accepted across EU/EEA; security features and the contactless chip are mandated by Regulation (EU) 2019/1157 (cards issued from Aug 2021) - NOTE: the CJEU annulled 2019/1157 in March 2024 (Case C-61/22, wrong legal basis) but kept it in force until a replacement applies, at the latest end of 2026; cards issued under it remain valid - NFC chip on cards issued from Aug 2021 holds the facial image (and fingerprints) for biometric verification - MRZ present on most cards — validates against visual data - LIMITATION: not universally accepted outside EU as sole ID document
DRIVING_LICENCE: - NOT sufficient as sole identity document in most AML frameworks - may serve as supplementary document alongside passport or ID card - EU harmonised format (credit card size, photo, categories) since 2013 - no biometric chip, limited security features compared to passport - RULE: never accept driving licence as sole CDD document
RESIDENCE_PERMIT: - valid for identity verification of non-EU/EEA nationals - biometric chip on newer permits - must be current (not expired) - verify issuing country and permit type (temporary vs permanent)
DOCUMENT PROCESSING TECHNOLOGY¶
OCR (Optical Character Recognition): - extracts text from document images - validates against MRZ data for cross-check - accuracy depends on image quality — guide users to good lighting and flat surface
MRZ READING: - machine-readable zone parsed per ICAO 9303 - check digits validate data integrity - cross-reference MRZ data against visual zone (VIZ) — mismatches flag fraud
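WORKED_EXAMPLE (added here; not code from the page authors or any vendor SDK): a Python TD3 passport MRZ parser implementing the check-digit and VIZ cross-check steps above. Input is the fictional "Utopia" specimen printed in ICAO Doc 9303 Part 4; function and field names are the example's own.

```python
"""ICAO 9303 TD3 (passport) MRZ parser with check-digit and VIZ cross-checks.

Added example for this page; not code from the page's authors or a vendor SDK.
Sample input is the fictional "Utopia" specimen from ICAO Doc 9303 Part 4.
"""
from dataclasses import dataclass, field

_WEIGHTS = (7, 3, 1)
# Fictional ICAO specimen; line 1 is padded to 44 characters with '<'.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def _char_value(c: str) -> int:
    """ICAO 9303 Part 3 values: 0-9 -> 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(s: str) -> int:
    """Weighted (7, 3, 1) modulo-10 check digit over field s."""
    return sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(s)) % 10


def _split_names(name_field: str) -> tuple[str, str]:
    """'ERIKSSON<<ANNA<MARIA<<<' -> ('ERIKSSON', 'ANNA MARIA')."""
    surname, _, given = name_field.partition("<<")
    return surname.replace("<", " ").strip(), given.replace("<", " ").strip()


@dataclass
class Td3Mrz:
    document_type: str
    issuing_state: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str       # YYMMDD as encoded
    sex: str
    expiry_date: str      # YYMMDD as encoded
    optional_data: str
    failed_checks: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.failed_checks


def parse_td3(line1: str, line2: str) -> Td3Mrz:
    """Parse both lines and verify every check digit, including the composite."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    failed = []
    # (field slice, check-digit position, name) per ICAO 9303 Part 4. The
    # optional-data check digit may be '<' when unused; _char_value maps it to 0.
    for sl, pos, name in (
        (slice(0, 9), 9, "document_number"),
        (slice(13, 19), 19, "birth_date"),
        (slice(21, 27), 27, "expiry_date"),
        (slice(28, 42), 42, "optional_data"),
    ):
        if check_digit(line2[sl]) != _char_value(line2[pos]):
            failed.append(name)
    # Composite digit (last position) spans number, DOB and expiry with their
    # check digits plus optional data: an edit that recomputes one field's own
    # digit is still caught here unless the forger recomputes this one too.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if check_digit(composite) != _char_value(line2[43]):
        failed.append("composite")
    surname, given = _split_names(line1[5:44])
    return Td3Mrz(
        document_type=line1[0:2].replace("<", ""),
        issuing_state=line1[2:5].replace("<", ""),
        surname=surname,
        given_names=given,
        document_number=line2[0:9].replace("<", ""),
        nationality=line2[10:13].replace("<", ""),
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
        optional_data=line2[28:42].replace("<", ""),
        failed_checks=failed,
    )


def viz_mismatches(mrz: Td3Mrz, viz: dict) -> list[str]:
    """Compare MRZ fields with values OCR'd from the visual inspection zone (VIZ).

    viz: surname, given_names, document_number, birth_date (YYMMDD), already
    transliterated to A-Z per ICAO 9303 Part 3. Both zones are printed from the
    same record, so a disagreement must be escalated, never auto-corrected.
    """
    def norm(s: str) -> str:
        return " ".join(s.upper().split())

    return [f for f in ("surname", "given_names", "document_number", "birth_date")
            if norm(getattr(mrz, f)) != norm(viz.get(f, ""))]


if __name__ == "__main__":
    mrz = parse_td3(SPECIMEN_LINE1, SPECIMEN_LINE2)
    print(mrz.valid, mrz.surname, mrz.given_names, mrz.document_number)
    # One edited DOB digit fails both the field check and the composite check.
    tampered = SPECIMEN_LINE2[:18] + "3" + SPECIMEN_LINE2[19:]
    print(parse_td3(SPECIMEN_LINE1, tampered).failed_checks)
```

Check digits are an integrity check against OCR errors and careless edits, not a security feature: a forger who reprints the MRZ can recompute them. Authenticity comes from the chip signature (NFC CHIP VERIFICATION below), which is why a clean MRZ parse is the start of verification, not the end.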
NFC CHIP VERIFICATION: - reads the data groups (MRZ data, facial image) directly from the document chip via smartphone NFC; chip access (BAC/PACE) is keyed from the MRZ document number, date of birth and expiry, so a correct MRZ read comes first - fingerprints sit behind Extended Access Control terminal authorisation and are normally not readable by commercial verifiers - passive authentication: verify the signature on the Document Security Object through the Document Signer certificate up to the country signing CA (CSCA); proves the data was written by the issuing authority and not altered - CSCA certificates must come from a trusted source (ICAO Public Key Directory, national master lists); against an unverified CSCA set passive authentication proves nothing - active authentication or chip authentication: challenge-response with a private key held in the chip proves the chip is original, not a clone (passive authentication alone cannot) - HIGHEST_ASSURANCE method for remote identity verification
LIVENESS DETECTION¶
PURPOSE: confirm that the person presenting the document is physically present. PREVENTS (presentation attacks, i.e. something shown to the camera): printed photo, screen replay, 3D mask. DOES_NOT_PREVENT_BY_ITSELF: injection attacks, where a deepfake or replayed video is fed in through a virtual camera, emulator or patched SDK and never passes the lens; these are out of scope of presentation attack detection (PAD) and need injection-attack detection plus device and app integrity checks alongside it.
ACTIVE_LIVENESS: - user follows instructions: turn head, blink, smile, read random text - PRO: higher assurance, harder to spoof - CON: worse UX, accessibility concerns, higher drop-off rates - WHEN: use for EDD or high-value onboarding
PASSIVE_LIVENESS: - AI analyses single selfie or short video without user instructions - detects texture, depth cues, reflection patterns, micro-expressions - PRO: better UX, faster, accessible - CON: requires sophisticated AI, ongoing updates against deepfake evolution - WHEN: use for standard CDD, combine with NFC for higher assurance
CERTIFICATION: - ISO/IEC 30107-3: the testing and reporting methodology for Presentation Attack Detection (PAD); a vendor does not "hold" it, it passes a conformance test against it - iBeta (NVLAP-accredited lab) PAD testing: Level 1 covers low-effort artefacts (printed photos, screen replay), Level 2 covers higher-effort artefacts such as 3D masks - REQUIREMENT: any verification provider used must show a current ISO/IEC 30107-3 conformance report from an accredited lab; Level 2 for EDD flows
DEEPFAKE_THREAT (2026 reality): - generative AI produces increasingly convincing face swaps and synthetic video; in practice these arrive as injection attacks (virtual camera feeds), not as artefacts held up to the lens - passive liveness alone is insufficient for EDD - best practice: passive liveness + injection-attack detection + NFC chip read (use the chip photo as the face-match reference) + document verification - monitor provider updates; deepfake detection is an arms race
BIOMETRIC MATCHING¶
FACE_MATCH: - compare selfie/liveness capture against the document photo; prefer the NFC chip image over the printed visual-zone photo (higher resolution, signed, not forgeable) - similarity scores are vendor-specific and not comparable across providers; typical vendor thresholds sit at 85-95%, but set yours from the provider's false match rate (FMR) vs false non-match rate (FNMR) figures for your risk tier, not from the headline percentage - account for aging (document photo may be up to 10 years old) - store match score, threshold in force and decision in audit trail
BUSINESS VERIFICATION¶
CHAMBER OF COMMERCE (KvK) — NETHERLANDS¶
SOURCE: Kamer van Koophandel (kvk.nl) API: KvK Handelsregister API — programmatic access to trade register COST: EUR 3.45 per online extract (2026 pricing)
KVK_EXTRACT_CONTAINS: - legal name and trade names - legal form (BV, NV, VOF, eenmanszaak, stichting, etc.) - registration number (KvK-nummer) - date of registration - SBI codes (Standard Business Classification) - registered address - authorised signatories and their signing authority - branch offices
WHAT_KVK_DOES_NOT_CONTAIN: - UBO information (separate register) - financial data - compliance history
VERIFICATION_PROCESS: 1. obtain KvK extract (online or via API) 2. confirm legal name, registration number, legal form match client-provided data 3. verify authorised signatory — person signing contract must have signing authority 4. check registration date — newly registered entities warrant closer scrutiny 5. record SBI codes — flag if inconsistent with stated business purpose
UBO (Ultimate Beneficial Owner) REGISTER¶
LEGAL_BASIS: Wwft implementing 4AMLD/5AMLD MANAGED_BY: KvK (integrated into Handelsregister infrastructure)
WHO_MUST_REGISTER: - all Dutch legal entities: BV, NV, VOF, CV, maatschap, stichting, cooperatie, OWM - sole proprietorships (eenmanszaak) are EXEMPT
UBO_DEFINITION: - natural person(s) holding more than 25% of shares, voting rights, or ownership interest (Wwft/Uitvoeringsbesluit today); the AMLR sets the threshold at 25% or more from Jul 2027 - natural person(s) exercising actual control through other means - if no person identified: senior managing official(s) — this is a fallback, not default, and must be recorded as such
ACCESS_LEVELS (post-CJEU ruling, Joined Cases C-37/20 and C-601/20, 22 Nov 2022): - competent authorities and FIU-Nederland: full access - Wwft obliged entities (banks, accountants, notaries, etc.): access to the limited UBO data set needed for CDD, not the full record - general public: NO ACCESS (closed after the ruling; the register is no longer publicly searchable) - from Q2 2026: online ordering with eHerkenning + UBO API available
GE_ACCESS: - GE is not a Wwft obliged entity — no direct access to UBO register - alternative: request UBO declaration from client directly - cross-reference with KvK extract and shareholder register - if client is a BV: request copy of shareholder register (aandeelhoudersregister)
EUROPEAN_INTERCONNECTION (BORIS): - Beneficial Ownership Registers Interconnection System - connects all EU Member State UBO registers via European e-Justice Portal - enables cross-border UBO verification from a single access point - rollout in phases — NL connection expected 2026-2027
COMPANY STRUCTURE VERIFICATION¶
COMPLEX_STRUCTURES: - holding companies, subsidiaries, multi-layer ownership - verify each layer until all natural person UBOs are identified - request and review organisational charts - for foreign parent companies: obtain equivalent register extracts
RED_FLAGS: - circular ownership structures - nominee shareholders or directors - shell companies with no apparent operational activity - entities in jurisdictions with no public register - frequent changes in ownership or directors
PEP SCREENING¶
WHAT IS A PEP¶
DEFINITION: a natural person who holds or has held a prominent public function.
CATEGORIES: - heads of state, heads of government - government ministers and secretaries of state - members of parliament or equivalent legislative body - members of supreme courts, constitutional courts - members of courts of auditors, central bank governing bodies - ambassadors, charges d'affaires - senior officers in armed forces - members of governing bodies of state-owned enterprises - directors and board members of international organisations
ASSOCIATED_PERSONS: - family members: spouse/partner, children, children's spouses, parents - close associates: known close business or personal relationships - beneficial owners of legal entities known to exist for PEP's benefit
EU PEP LISTS¶
NO_SINGLE_EU_PEP_LIST exists — this is a known gap being addressed by AMLA. CURRENT_APPROACH: commercial databases aggregate PEP data from multiple sources.
COMMERCIAL_PROVIDERS: - Refinitiv World-Check (LSEG) - Dow Jones Risk & Compliance - Moody's (formerly Bureau van Dijk / Orbis) - ComplyAdvantage - LexisNexis Risk Solutions
AMLA_CHANGE (from 2027): - AMLA will maintain a centralised list of prominent public functions across Member States - will reduce reliance on commercial aggregation - RTS on PEP identification expected by Jul 2026
ONGOING PEP MONITORING¶
FREQUENCY: at onboarding + ongoing (minimum annually, quarterly for high-risk) BATCH_VS_REAL_TIME: real-time screening preferred for onboarding, batch acceptable for ongoing MATCH_HANDLING: 1. potential match flagged by screening tool 2. investigate: compare full name, date of birth, nationality, photo where available 3. if false positive: document investigation and reasoning, clear the alert 4. if confirmed PEP: apply EDD measures, obtain senior management approval 5. if confirmed PEP and risk unacceptable: decline or exit the relationship
POST_FUNCTION: - current framework: EDD applies for at least 12 months after leaving office - AMLR (from 2027): harmonised 12-month minimum - risk assessment may extend beyond 12 months based on individual factors
SANCTIONS SCREENING¶
SANCTIONS LISTS¶
EU_CONSOLIDATED_LIST: - source: data.europa.eu / EU Sanctions Map (sanctionsmap.eu) - updated: frequently (upon new Council decisions) - covers: asset freezes, travel bans, arms embargoes, sectoral restrictions
UN_SANCTIONS: - source: UN Security Council Consolidated List - implements: resolutions under Chapter VII of UN Charter - all EU sanctions lists incorporate UN listings
OFAC (US exposure): - SDN (Specially Designated Nationals) list - Sectoral Sanctions Identifications (SSI) - relevant if: client has US operations, USD transactions, US persons involved - WARNING: OFAC applies extraterritorially — even non-US entities can be caught
DUTCH_NATIONAL: - sanctiekaart.nl: overview of all sanctions regimes applicable in NL - implemented via Sanctiewet 1977
UK_SANCTIONS: - OFSI (Office of Financial Sanctions Implementation) consolidated list - relevant if: client has UK operations or GBP transactions
SCREENING PROCESS¶
FREQUENCY: - at onboarding: mandatory, before establishing relationship - ongoing: real-time (preferred) or daily batch screening against list updates - upon list update: re-screen entire customer base against new designations
MATCHING_ALGORITHM: - fuzzy matching required (name transliterations, aliases, misspellings) - phonetic matching (Soundex, Metaphone) for similar-sounding names - match threshold tuning: too low = excessive false positives, too high = missed matches
MATCH_HANDLING: 1. potential match flagged 2. investigate: compare all available data points (name, DOB, nationality, address) 3. if false positive: document and clear 4. if confirmed match (designated person): STOP — do not proceed 5. report to competent authority (FIU-Nederland for NL) 6. freeze any existing assets or transactions 7. NEVER tip off the customer
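WORKED_EXAMPLE (added here; not code from the page authors or any screening vendor): Python name screening implementing the MATCHING_ALGORITHM points above (transliteration-insensitive normalisation, edit-distance similarity, Soundex phonetic keys, threshold tuning) and producing the "potential match" leads that step 1 of MATCH_HANDLING starts from. The watchlist is constructed with fictional names chosen for their transliteration variants; it contains no real designations.

```python
"""Name screening against a watchlist: diacritic-insensitive normalisation,
edit-distance similarity and Soundex phonetic keys.

Added example for this page, not code from the page's authors or a screening
vendor. The watchlist is constructed; the names are fictional, not designations.
"""
import unicodedata
from dataclasses import dataclass

_SOUNDEX = {c: str(d) for d, group in enumerate(("BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"), 1)
            for c in group}


def normalize(name: str) -> str:
    """Decompose (NFKD), drop combining marks, upper-case, keep A-Z, collapse spaces."""
    stripped = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    letters = "".join(c if c.isascii() and c.isalpha() else " " for c in stripped.upper())
    return " ".join(letters.split())


def soundex(word: str) -> str:
    """American Soundex; IVANOV and IVANOFF both encode as I151."""
    w = normalize(word).replace(" ", "")
    if not w:
        return ""
    out, last = w[0], _SOUNDEX.get(w[0], "")
    for c in w[1:]:
        if c in "HW":                 # H and W do not separate repeated codes
            continue
        code = _SOUNDEX.get(c, "")    # vowels code to "" and reset `last`
        if code and code != last:
            out += code
        last = code
    return (out + "000")[:4]


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical tokens, falling by 1/len(longest) per edit."""
    return 1.0 - levenshtein(a, b) / (max(len(a), len(b)) or 1)


def name_score(query: str, candidate: str) -> float:
    """Order-insensitive score: pair every token with its best counterpart,
    average, and keep the stricter direction so surplus tokens cost points."""
    q, c = normalize(query).split(), normalize(candidate).split()
    if not q or not c:
        return 0.0

    def directed(src, dst):
        return sum(max(similarity(x, y) for y in dst) for x in src) / len(src)

    return min(directed(q, c), directed(c, q))


def phonetic_match(query: str, candidate: str) -> bool:
    """True when both names reduce to the same set of Soundex keys."""
    def keys(s):
        return {soundex(t) for t in normalize(s).split()}
    return keys(query) == keys(candidate)


@dataclass(frozen=True)
class Entry:
    entry_id: str
    name: str
    aliases: tuple = ()


@dataclass(frozen=True)
class Hit:
    entry_id: str
    matched_name: str
    score: float
    phonetic: bool


def screen(customer_name: str, watchlist, threshold: float = 0.85) -> list[Hit]:
    """Candidates scoring >= threshold or matching phonetically, best first.
    A Hit is a lead for an investigator (step 2 of MATCH_HANDLING), not a decision."""
    hits = []
    for entry in watchlist:
        names = (entry.name, *entry.aliases)
        score, name = max((name_score(customer_name, n), n) for n in names)
        phonetic = any(phonetic_match(customer_name, n) for n in names)
        if score >= threshold or phonetic:
            hits.append(Hit(entry.entry_id, name, score, phonetic))
    return sorted(hits, key=lambda h: h.score, reverse=True)


# Constructed watchlist: fictional names chosen for their transliteration variants.
WATCHLIST = (
    Entry("WL-001", "Sergei Ivanov", ("Sergey Ivanov", "Sergej Iwanow")),
    Entry("WL-002", "Li Wei", ("Wei Li",)),
)

if __name__ == "__main__":
    for q in ("Ivanov Sergei", "Sergeï Ivanóv", "Sergey Ivanoff", "Sergio Ivanez"):
        print(q, screen(q, WATCHLIST), screen(q, WATCHLIST, threshold=0.60))
```

The last two queries show the threshold trade-off from MATCHING_ALGORITHM: "Sergey Ivanoff" scores 6/7 against the alias and shares Soundex keys with the primary name, so it is flagged at 0.85; "Sergio Ivanez" scores 2/3 and is missed at 0.85 but flagged at 0.60, where it is a false positive an investigator would have to clear. Tune the threshold on a labelled sample of your own customer names, and keep phonetic matching as an independent signal rather than folding it into the score.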
RISK ASSESSMENT FRAMEWORK¶
FOUR RISK DIMENSIONS¶
COUNTRY_RISK: - EU high-risk third country list (Commission Delegated Regulation) - FATF grey list (jurisdictions under increased monitoring) - FATF black list (high-risk jurisdictions subject to call for action) - Transparency International CPI (Corruption Perceptions Index) - tax haven or secrecy jurisdiction indicators
PRODUCT_RISK: - products enabling anonymity (prepaid, crypto, bearer instruments) - products with cross-border nature - products with high-value single transactions - new or innovative products with untested risk profile
CUSTOMER_RISK: - PEP status - complex ownership structure - cash-intensive business model - adverse media - industry sector (high-risk sectors: gambling, precious metals, crypto, real estate) - newly established entity
TRANSACTION_RISK: - unusual transaction size relative to customer profile - unusual transaction patterns (frequency, timing, counterparties) - transactions inconsistent with stated business purpose - transactions involving high-risk jurisdictions
RISK SCORING¶
APPROACH: weighted scoring across all four dimensions.
EXAMPLE_MATRIX: - each dimension scores LOW (1), MEDIUM (2), HIGH (3) - overall score = weighted average - overall LOW: SDD permitted (if other conditions met) - overall MEDIUM: standard CDD - overall HIGH: EDD mandatory
DOCUMENTATION: - risk assessment must be documented for every customer - scoring methodology must be documented in internal policy - risk assessment must be reviewed upon trigger event or periodic review
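WORKED_EXAMPLE (added here; not the page authors' own tooling): Python risk tiering that implements the EXAMPLE_MATRIX above and then applies the overrides this page makes mandatory elsewhere (confirmed sanctions match: stop; PEP or high-risk third country: EDD), recording the reasoning the DOCUMENTATION point requires. The weights, the tier bands and the field names are assumptions for the example; the policy document has to fix the real ones.

```python
"""Risk tiering: weighted four-dimension score plus the overrides that the
EDD and sanctions rules impose regardless of the average.

Added example for this page, not the authors' own tooling. The weights, the
tier bands and the field names are assumptions; record your own in policy.
"""
from dataclasses import dataclass, field

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
# Assumed weights (sum to 1.0). Country and customer risk dominate here.
WEIGHTS = {"country": 0.3, "product": 0.2, "customer": 0.3, "transaction": 0.2}


@dataclass
class Profile:
    customer_id: str
    country: str
    product: str
    customer: str
    transaction: str
    pep: bool = False
    high_risk_third_country: bool = False   # on the Commission delegated list
    sanctions_hit: bool = False             # confirmed match, not merely potential


@dataclass
class Assessment:
    customer_id: str
    weighted_score: float
    tier: str                # "SDD", "CDD", "EDD" or "BLOCK"
    reasons: list[str] = field(default_factory=list)


def weighted_score(profile: Profile) -> float:
    return round(sum(LEVELS[getattr(profile, dim)] * w for dim, w in WEIGHTS.items()), 2)


def tier_for_score(score: float) -> str:
    """Assumed bands: below 1.5 LOW, below 2.5 MEDIUM, otherwise HIGH."""
    if score < 1.5:
        return "SDD"
    if score < 2.5:
        return "CDD"
    return "EDD"


def assess(profile: Profile) -> Assessment:
    """Score first, then apply overrides; every decision carries its reasoning
    so the record satisfies the documentation requirement."""
    score = weighted_score(profile)
    tier = tier_for_score(score)
    reasons = [f"weighted score {score} -> {tier}"]
    # Overrides: a confirmed sanctions match stops onboarding outright, and the
    # mandatory EDD triggers lift the tier however low the average is. A plain
    # average would let a low-risk product and country mask a PEP.
    if profile.sanctions_hit:
        tier = "BLOCK"
        reasons.append("confirmed sanctions match: do not proceed, report, freeze")
    elif profile.pep:
        tier = "EDD"
        reasons.append("PEP or PEP associate: EDD mandatory")
    elif profile.high_risk_third_country:
        tier = "EDD"
        reasons.append("established in high-risk third country: EDD mandatory")
    if tier == "SDD":
        reasons.append("SDD only if a listed SDD condition also applies; otherwise CDD")
    return Assessment(profile.customer_id, score, tier, reasons)


if __name__ == "__main__":
    # Constructed profiles.
    for p in (
        Profile("A", "LOW", "LOW", "LOW", "LOW"),
        Profile("B", "LOW", "LOW", "LOW", "LOW", pep=True),
        Profile("C", "HIGH", "MEDIUM", "MEDIUM", "MEDIUM"),
        Profile("D", "MEDIUM", "LOW", "LOW", "LOW", sanctions_hit=True),
    ):
        a = assess(p)
        print(a.customer_id, a.weighted_score, a.tier, "; ".join(a.reasons))
```

Profile C illustrates a gap a pure matrix leaves open: a HIGH country score still averages to CDD unless the country is actually on the delegated list, in which case the flag, not the score, forces EDD. Keep the override flags as separate inputs and never derive them from the averaged score.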
ONGOING MONITORING¶
TRANSACTION MONITORING¶
PURPOSE: detect transactions inconsistent with customer profile or indicating ML/TF.
RULES-BASED: - threshold alerts (transactions above defined amounts) - velocity alerts (unusual number of transactions in period) - geographic alerts (transactions to/from high-risk jurisdictions) - pattern alerts (structuring, round-tripping, layering)
BEHAVIOUR-BASED: - deviation from established customer profile - statistical anomaly detection - peer group comparison
FOR_GE: - GE's transaction monitoring is limited to invoice payments received - flag: payment from unexpected source (not the contracting entity) - flag: payment from high-risk jurisdiction - flag: multiple rapid project cancellations and refund requests
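WORKED_EXAMPLE (added here; not the page authors' monitoring code): the RULES-BASED alert types above (threshold, velocity, geographic, structuring) plus the two GE flags that rules can express (payment from a counterparty other than the contracting entity, payment from a high-risk jurisdiction) run over a constructed transaction set in Python. Threshold, window and count values are assumptions; "ZZ" is a user-assigned ISO 3166 code standing in for a jurisdiction on the delegated list.

```python
"""Rules-based transaction monitoring over a constructed transaction set.

Added example for this page, not the authors' own monitoring code. Thresholds,
window sizes and the high-risk country set are assumptions; production values
come from policy and from the Commission's delegated list. "ZZ" is a
user-assigned ISO 3166 code used here as a stand-in for a high-risk jurisdiction.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    ts: datetime
    amount: float
    country: str          # ISO 3166-1 alpha-2 of the counterparty's bank
    counterparty: str
    cash: bool = False


@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    txn_ids: tuple
    detail: str


@dataclass
class Rules:
    threshold: float = 10_000.0                    # single-transaction alert
    velocity_max_per_day: int = 5
    structuring_window: timedelta = timedelta(days=7)
    structuring_min_count: int = 3
    high_risk_countries: frozenset = frozenset()
    # customer_id -> counterparties expected to pay (the contracting entity)
    expected_counterparties: dict = field(default_factory=dict)


def run_rules(txns, rules: Rules) -> list[Alert]:
    alerts: list[Alert] = []
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer_id].append(t)
    for cid, items in by_customer.items():
        items.sort(key=lambda t: t.ts)
        per_day = defaultdict(list)
        for t in items:
            per_day[t.ts.date()].append(t.txn_id)
            if t.amount >= rules.threshold:
                alerts.append(Alert("threshold", cid, (t.txn_id,), f"{t.amount:.2f} >= {rules.threshold:.2f}"))
            if t.country in rules.high_risk_countries:
                alerts.append(Alert("geographic", cid, (t.txn_id,), f"counterparty bank in {t.country}"))
            expected = rules.expected_counterparties.get(cid)
            if expected is not None and t.counterparty not in expected:
                alerts.append(Alert("unexpected_counterparty", cid, (t.txn_id,), f"paid by {t.counterparty!r}"))
        # Velocity: more transactions in one calendar day than the profile allows.
        for day, ids in per_day.items():
            if len(ids) > rules.velocity_max_per_day:
                alerts.append(Alert("velocity", cid, tuple(ids), f"{len(ids)} transactions on {day}"))
        # Structuring: several sub-threshold cash transactions inside the window
        # that together exceed the threshold. Each qualifying window is reported
        # once; the scan resumes after it instead of re-reporting its suffixes.
        cash = [t for t in items if t.cash and t.amount < rules.threshold]
        i = 0
        while i < len(cash):
            window = [t for t in cash[i:] if t.ts - cash[i].ts <= rules.structuring_window]
            total = sum(t.amount for t in window)
            if len(window) >= rules.structuring_min_count and total >= rules.threshold:
                alerts.append(Alert("structuring", cid, tuple(t.txn_id for t in window),
                                    f"{len(window)} cash txns totalling {total:.2f} "
                                    f"within {rules.structuring_window.days} days"))
                i += len(window)
            else:
                i += 1
    return alerts


def _d(day: int, hour: int = 9) -> datetime:
    return datetime(2026, 3, day, hour)


# Constructed sample: C1 structures cash below the threshold, C2 receives one
# large payment from an unexpected payer in a high-risk jurisdiction, C3 shows
# a burst of small payments from its expected payer.
SAMPLE_TXNS = (
    *[Txn(f"C1-{n}", "C1", _d(n), 3_000.0, "NL", "CASH", cash=True) for n in (1, 2, 3, 4)],
    Txn("C2-1", "C2", _d(2), 25_000.0, "ZZ", "Offshore Holdings Ltd"),
    *[Txn(f"C3-{n}", "C3", _d(3, 8 + n), 200.0, "NL", "Acme BV") for n in range(1, 7)],
)
SAMPLE_RULES = Rules(
    high_risk_countries=frozenset({"ZZ"}),
    expected_counterparties={"C2": {"Acme BV"}, "C3": {"Acme BV"}},
)

if __name__ == "__main__":
    for a in run_rules(SAMPLE_TXNS, SAMPLE_RULES):
        print(a.rule, a.customer_id, a.txn_ids, a.detail)
```

Each alert carries the transaction ids and the rule that fired, which is what the compliance officer needs for the internal report whether or not it ends up as a UTR. Note that shrinking the structuring window to one day makes C1's four deposits invisible; window and count parameters are as much a detection decision as the amount threshold and belong in the documented policy.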
PERIODIC REVIEW¶
FREQUENCY_BY_RISK: - high-risk: every 12 months (minimum) - medium-risk: every 24 months - low-risk: every 36 months
REVIEW_SCOPE: - verify customer data is still current (name, address, ownership) - re-assess risk score - update screening results (PEP, sanctions) - review transaction activity against expected profile - refresh KvK extract and UBO information
TRIGGERS_FOR_UNSCHEDULED_REVIEW: - material change in ownership or control - change in nature of business - unusual or suspicious transaction - adverse media report - sanctions list update affecting customer's jurisdiction - customer request for unusual product or service
SUSPICIOUS ACTIVITY REPORTING¶
NETHERLANDS (Wwft): - report to FIU-Nederland via goAML portal - report "unusual transactions" (ongebruikelijke transacties) — NOT just "suspicious" - both objective indicators (threshold-based) and subjective indicators (anomaly-based) - tipping-off prohibition: NEVER inform the customer about the report - internal escalation: compliance officer reviews before filing
OBJECTIVE_INDICATORS: - cash transaction above EUR 15,000 - transaction involving high-risk country - transaction where customer cannot be identified
SUBJECTIVE_INDICATORS: - transaction with no apparent economic or lawful purpose - customer behaves unusually (evasive, changes story, pressures for speed) - discrepancies in documentation - pattern inconsistent with customer profile
INTERNAL_REPORTING: - all staff must report suspicions to the compliance function - compliance function assesses and decides whether to file with FIU - document all internal reports, including those not escalated externally
DATA RETENTION (SUMMARY)¶
RETENTION_PERIOD: 5 years after end of business relationship (Wwft Article 33).
WHAT_TO_KEEP: identity documents (copies), verification records, risk assessments, transaction records, screening results, SARs/UTRs, correspondence.
WHAT_TO_DELETE: personal data no longer needed after retention period expires.
GDPR_TENSION: right to erasure vs obligation to retain — see kyc-data-retention.md.
FORMAT: machine-readable, encrypted at rest, access-controlled, audit-logged.
PROCESS CHECKLIST FOR ERIC (GE CLIENT ONBOARDING)¶
PRE_CONTRACT: - [ ] identify client (natural person or legal entity) - [ ] verify identity (passport/ID for natural person, KvK for legal entity) - [ ] identify and verify UBO(s) - [ ] screen against sanctions lists - [ ] screen against PEP databases - [ ] assess risk (country, product, customer, transaction) - [ ] apply SDD/CDD/EDD based on risk assessment - [ ] if EDD required: obtain source of funds, source of wealth, senior management approval - [ ] document all checks and reasoning
POST_CONTRACT: - [ ] set periodic review schedule based on risk tier - [ ] monitor transactions against expected profile - [ ] re-screen on sanctions/PEP list updates - [ ] update customer data upon material changes - [ ] report unusual transactions to FIU if warranted - [ ] retain all records for 5 years after relationship ends
READ_ALSO: kyc-aml.md, kyc-implementation.md, kyc-data-retention.md, kyc-for-platforms.md