KYC onboarding process with clear verification steps
Know your customer onboarding requires structured verification workflows. Here is how to build a KYC process with identity checks, risk scoring, and ongoing monitoring.
Client Onboarding Made Easy
Summary
- KYC costs are staggering and mostly wasted on manual work - Financial institutions spend an average of $73 million per firm on KYC annually, with over half of review tasks still done by hand. The process itself isn’t hard. The execution is broken
- 70% of banks are losing people because onboarding is too slow - Fenergo’s research shows the share of firms losing business to poor KYC practices hit a record high. Slow doesn’t just mean inconvenient - it means revenue walking out the door
- Risk scoring determines everything downstream - Get the initial risk rating wrong and you’re either over-checking low-risk individuals (wasting time) or under-checking high-risk ones (inviting regulators). A structured scoring method based on FATF categories prevents both
- Ongoing monitoring is where most programs quietly fail - The initial onboarding gets attention. The periodic reviews? They slip. High-risk reviews should happen annually, low-risk every three to five years. Schedule a demo to see structured KYC workflows
Here’s something that drives me slightly mad about KYC onboarding. Everyone treats it like a compliance checkbox. If you need a primer on what Know Your Customer actually entails beyond the acronym, start there. Fill out the forms. Collect the documents. Check the sanctions lists. Move on.
But a Fenergo study found that 70% of banks lost business in the past year because their onboarding was too slow and painful. That’s not a compliance problem. That’s a business survival problem dressed up in regulatory clothing.
The firms that do KYC well don’t think about it as a regulatory burden. They think about it as the first real interaction with someone who’s about to trust them with money. And in the age of AI, defining these processes matters more than ever - because AI amplifies whatever workflow it follows. A messy KYC process automated with AI just creates mess at scale.
What KYC verification actually requires
Let me strip this down. KYC has three layers, and most institutions only do the first one properly.
Layer 1: Customer Identification Program (CIP). This is the basics. Name, date of birth, address, ID number. For individuals, you’re collecting government-issued photo ID and proof of address. For businesses, you need articles of incorporation, beneficial ownership declarations, and tax identification. The FFIEC BSA/AML manual spells out the minimum requirements clearly.
Nothing complicated here. And yet - this is where abandonment starts. If someone has to scan six documents, fill out four forms, and wait three weeks for a response, they leave. Research from Signicat shows abandonment rates for financial services onboarding have been rising steadily year over year.
Layer 2: Customer Due Diligence (CDD). This is where you figure out what the relationship should look like. What’s the purpose of the account? What’s the expected transaction pattern? Who are the beneficial owners if it’s a business entity? You’re building a baseline profile so you can spot anomalies later.
Layer 3: Enhanced Due Diligence (EDD). For high-risk situations. More documentation, deeper source-of-funds analysis, more frequent reviews. I’ll cover the specific triggers below, because getting this wrong is expensive in both directions.
What surprised us when we dug into the data on workflow automation: the institutions that stumble aren’t confused about what to collect. They’re confused about the workflow connecting these layers. Documents arrive in email attachments. Verification results sit in one system. Risk scores live in another. Nobody has a single view of where any given application stands.
That’s a process problem. And process problems need process solutions.
Building the document collection workflow
Here’s where I think most KYC programs go wrong. They treat document collection as a task, not a workflow.
A task is: “Get proof of address from the applicant.” A workflow is: “Request proof of address, validate it isn’t expired, confirm the name matches the application, flag discrepancies, escalate if the document is from a high-risk jurisdiction, and record the verification outcome with a timestamp.”
See the difference? One is a to-do item. The other is a traceable, auditable process.
The document collection sequence for a standard individual looks something like this:
Government-issued photo ID. Passport, driver’s license, or national ID card. You’re verifying it’s not expired, the photo matches the person, and the document hasn’t been tampered with. Increasingly, this happens through automated document verification - OCR reads the fields, liveness checks confirm the person is real, and the system flags anomalies.
Proof of address. Utility bill, bank statement, or government correspondence. Must be recent - typically within the last three months. This catches more fraud than people think. Fake IDs are relatively sophisticated. Fake utility bills? Usually terrible.
Tax identification. Social Security number, Tax ID, or equivalent. Cross-referenced against government databases where possible.
Source of funds documentation. For higher-value accounts or higher-risk profiles. Pay stubs, tax returns, business financial statements. This is where things slow down, because people don’t have these documents sitting in a folder waiting to upload.
Beneficial ownership declaration. For entities, you need to identify every person who owns 25% or more, or who exercises significant control. The Corporate Transparency Act in the US has made this even more explicit.
The mistake I see repeatedly? Requesting everything at once. You send someone a list of twelve documents and they freeze. Better approach - sequential collection with smart branching. Collect the basics first. Based on the risk assessment, request additional documents only when needed. If someone’s opening a basic checking account, don’t ask for source of funds documentation upfront. It’s overkill, and it drives people away.
We keep running into this pattern across financial services implementations. The workflow itself determines the experience. A linear “send us everything” checklist creates friction. A branching workflow that adapts based on what’s been submitted and what the risk profile demands - that’s how you keep people moving through the process without cutting compliance corners.
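To show the difference between a task and a workflow in code, here is an added example (not Tallyfy’s code, and not from the original post) of the proof-of-address step described above: it checks recency and expiry, compares the name on the document with the application and flags rather than rejects minor variants, escalates documents from a high-risk jurisdiction, and records the outcome with a timestamp. It also sequences document requests so that source-of-funds documentation is only requested above the low-risk tier. The document fields, the three-month recency window, the tier names and the jurisdiction codes `XX`/`YY` are constructed assumptions for illustration; a real deployment would load the jurisdiction list from FATF’s current publications.

```python
"""Added example: proof-of-address verification as an auditable workflow step
plus risk-tiered, sequential document requests. Not Tallyfy's code; the data
model, thresholds and jurisdiction codes below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import List, Optional, Set
import unicodedata

# Placeholder codes standing in for FATF-listed jurisdictions (assumption).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}

# Outcomes in increasing severity; a later check can only make things worse.
SEVERITY = ("verified", "flagged", "escalated", "rejected")


@dataclass
class Document:
    doc_type: str          # e.g. "photo_id", "proof_of_address"
    holder_name: str       # name printed on the document
    issued: date
    expires: Optional[date]
    country: str           # issuing jurisdiction (ISO-style code, constructed)


@dataclass
class Outcome:
    status: str                      # one of SEVERITY
    findings: List[str] = field(default_factory=list)
    recorded_at: str = ""            # UTC timestamp for the audit trail


def _worse(current: str, new: str) -> str:
    return current if SEVERITY.index(current) >= SEVERITY.index(new) else new


def _tokens(name: str) -> List[str]:
    """Casefold, strip accents and punctuation, split into name tokens."""
    stripped = "".join(ch for ch in unicodedata.normalize("NFKD", name)
                       if not unicodedata.combining(ch))
    return [t.strip(".,-") for t in stripped.casefold().split() if t.strip(".,-")]


def _name_finding(doc_name: str, applicant_name: str) -> Optional[str]:
    """None when names agree; a finding text otherwise (flag, never auto-reject)."""
    d, a = _tokens(doc_name), _tokens(applicant_name)
    if d == a:
        return None
    if d and a and d[0] == a[0] and d[-1] == a[-1]:
        return "name differs only in middle names or initials"
    return "name on document does not match application"


def verify_proof_of_address(doc: Document, applicant_name: str, today: date,
                            max_age_days: int = 90) -> Outcome:
    """Run every check, accumulate findings, and record the worst status reached."""
    status, findings = "verified", []

    def raise_to(new_status: str, finding: str) -> None:
        nonlocal status
        status = _worse(status, new_status)
        findings.append(finding)

    if doc.doc_type != "proof_of_address":
        raise_to("rejected", f"expected proof_of_address, got {doc.doc_type}")
    if doc.expires is not None and doc.expires < today:
        raise_to("rejected", "document has expired")
    if (today - doc.issued).days > max_age_days:
        raise_to("rejected", f"document older than {max_age_days} days")
    finding = _name_finding(doc.holder_name, applicant_name)
    if finding:
        raise_to("flagged", finding)          # an analyst decides, not the system
    if doc.country in HIGH_RISK_JURISDICTIONS:
        raise_to("escalated", f"issued in high-risk jurisdiction {doc.country}")
    return Outcome(status, findings, datetime.now(timezone.utc).isoformat())


# Sequential collection: basics first, extra documents only when the tier demands.
BASIC_DOCUMENTS = ["photo_id", "proof_of_address", "tax_id"]


def next_requests(risk_tier: str, submitted: Set[str], is_entity: bool = False) -> List[str]:
    """Outstanding documents in the order they should be requested."""
    required = list(BASIC_DOCUMENTS)
    if is_entity:
        required.append("beneficial_ownership")   # 25%+ owners / significant control
    if risk_tier != "low":
        required.append("source_of_funds")        # never asked up front for low risk
    return [d for d in required if d not in submitted]


if __name__ == "__main__":
    doc = Document("proof_of_address", "Maria Santos", date(2024, 1, 15), None, "PT")
    print(verify_proof_of_address(doc, "Maria Lucia Santos", date(2024, 3, 1)))
    print(next_requests("low", {"photo_id"}))
```

Each outcome carries every finding, not just the first, so the analyst reviewing a flagged application sees the whole picture in one record rather than re-running checks.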
Identity verification - what it looks like in practice
Identity verification used to mean a branch employee looking at your passport and nodding. Done.
Now it’s a multi-step process, and honestly, it’s better for it. Here’s what a modern identity verification workflow includes:
Document authenticity checks. Is the ID real? Automated systems check for security features - holograms, microprint, UV patterns in the document image. They cross-reference the document format against known templates for that country and document type.
Data extraction and cross-referencing. OCR pulls the name, DOB, ID number, and expiry date. That data gets checked against the application form. Mismatches get flagged. Not rejected - flagged. Because sometimes people use a middle name on one form and not the other. That’s human, not fraudulent.
Biometric verification. Selfie matching against the ID photo, liveness detection to confirm it’s a real person and not a printed photo held up to a camera. This has gotten remarkably good. It’s also gotten remarkably annoying for people with older phones or poor lighting.
Sanctions and watchlist screening. The name and identifying information get run against OFAC’s SDN list, EU sanctions lists, Interpol databases, and country-specific watchlists. This should happen automatically, in real-time, during the application flow. Not as a batch process three days later.
PEP screening. Politically Exposed Persons - government officials, their family members, close associates. PEP status doesn’t mean someone is a criminal. It means the risk profile is elevated and enhanced due diligence applies. The FATF guidance is clear on this.
Adverse media screening. Searching news sources for negative coverage connected to the individual or entity. This is where AI is genuinely useful - natural language processing can scan thousands of articles and flag relevant hits far faster than any human analyst.
The problem? Each of these steps might involve a different vendor, a different system, and a different format for results. The compliance analyst ends up tabbing between six applications to piece together a verification picture that should be in one place.
This is exactly what workflow automation fixes. Not the individual checks - those are specialized tools doing specialized work. But the orchestration between them. The routing logic. The escalation paths. The audit trail. That’s where tools like Tallyfy sit - tracking what’s been done, what’s pending, and what needs attention.
Risk assessment scoring that isn’t just guesswork
I’m not convinced most financial institutions have risk scoring models that work well. They have models. Whether those models produce meaningful risk differentiation is a different question.
The FATF risk-based approach says you should assess risk across four dimensions: customer type, geographic location, delivery channel, and product or service type. Let me make that concrete.
Customer type risk factors. An individual opening a personal savings account? Low risk. A shell company incorporated in a secrecy jurisdiction with nominee directors and a complex ownership chain? Obviously higher risk. But the spectrum between those extremes is where scoring gets tricky.
Score contributors for customer risk: entity type (individual vs. corporate vs. trust vs. foundation), industry or occupation, years in business, ownership transparency, and whether they’re a PEP.
Geographic risk factors. Where the person lives, where they do business, where they send and receive money. Countries on FATF’s grey list or black list elevate the risk score. So do countries with known deficiencies in AML controls — and this ties directly into your broader AML compliance workflow.
Channel risk factors. In-person, face-to-face onboarding is lower risk than fully remote digital onboarding. Not because digital is bad - it’s because the verification methods are different, and the opportunities for fraud vary.
Product risk factors. A simple savings account is lower risk than a private banking relationship. Correspondent banking accounts are higher risk than retail accounts. Products that allow rapid movement of large sums - wire transfers, trade finance, cryptocurrency - carry higher inherent risk.
Most institutions score each factor on a three-point or five-point scale, weight them, and produce a composite score that drops into one of three buckets: low, medium, or high risk. That bucket determines the CDD level and review frequency.
Here’s where I think the scoring breaks down in practice. The models are built once and rarely updated. Feedback we’ve received suggests that many compliance teams inherit a scoring model from five years ago and never recalibrate it. The world changes. Risk profiles change. Your model should change too.
And this connects to a bigger trend - the operational plumbing for AI agents stays conspicuously unbuilt. An AI system can absolutely improve risk scoring. It can identify patterns humans miss, flag unusual combinations of risk factors, and adapt scores based on portfolio-level trends. But only if it’s operating within a defined process. Otherwise it’s just a black box producing numbers nobody trusts.
What triggers enhanced due diligence
Enhanced due diligence isn’t something you choose to do. It’s something specific situations demand. Get the triggers wrong and you’re either burning resources on low-risk cases or missing high-risk ones entirely.
The FFIEC guidance and FATF recommendations lay out the mandatory triggers. Here they are, plainly:
Politically Exposed Persons. Any current or former senior government official, their immediate family members, and known close associates. This isn’t negotiable. PEPs get enhanced due diligence. Period.
High-risk jurisdictions. If the person or entity has connections to countries on FATF’s list of jurisdictions with strategic AML deficiencies, that’s an automatic EDD trigger. The list updates regularly. Your process needs to account for that.
Complex ownership structures. Multiple layers of holding companies, trusts within trusts, nominee arrangements, bearer shares. If you can’t clearly identify who ultimately owns and controls the entity, EDD kicks in.
Unusual transaction patterns. Activity that doesn’t match the stated purpose of the account. Someone who said they’d be making small domestic transfers suddenly receiving large international wires? That’s a trigger.
Cash-intensive businesses. Restaurants, parking garages, laundromats, convenience stores. Not because they’re inherently suspicious - but because cash businesses are historically harder to audit and more susceptible to being used for laundering.
Private banking relationships. High-net-worth individuals with private banking accounts receive EDD by default. The ACAMS guidance on this is thorough.
Correspondent banking. When you’re providing banking services to another bank, you’re exposed to the risk profile of their entire operation. EDD is required.
What does EDD actually involve beyond standard CDD? More documentation - specifically around source of wealth and source of funds, not just source of income. More frequent reviews - annual instead of every few years. Senior management approval for establishing and continuing the relationship. And more intensive ongoing monitoring of the account activity.
The workflow implications are significant. Your KYC process can’t just have a single track. It needs branching logic - if the risk score exceeds a threshold or a specific trigger is hit, the workflow automatically expands to include EDD steps, routes to senior compliance officers for approval, and sets a shorter review cycle.
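The scoring model from the risk assessment section and the EDD triggers above combine into one routing decision, so here is a single added example (not Tallyfy’s code, and not from the original post) that covers both: it scores the four FATF dimensions on a 1 to 5 scale, weights them into a composite, buckets the composite as low, medium or high, then applies the mandatory triggers that force EDD regardless of the bucket and expands the workflow track to include source-of-wealth documentation and senior management approval. The factor tables, weights and bucket thresholds are constructed assumptions; every institution calibrates its own, and the point of the example is the structure (bucket first, triggers override, track expands), not the particular numbers.

```python
"""Added example: FATF four-dimension risk scoring with EDD triggers overriding
the bucket. Not Tallyfy's code; factor tables, weights and thresholds are
constructed for illustration and must be calibrated per institution."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed 1-5 scales per dimension (assumption, not regulator values).
CUSTOMER_TYPE = {"individual": 1, "corporate": 2, "trust": 4, "foundation": 4, "shell_company": 5}
GEOGRAPHY = {"domestic": 1, "low_risk_foreign": 2, "fatf_grey": 4, "fatf_black": 5}
CHANNEL = {"in_person": 1, "assisted_remote": 2, "fully_digital": 3}
PRODUCT = {"savings": 1, "checking": 1, "wire": 3, "trade_finance": 4,
           "crypto": 4, "private_banking": 5, "correspondent": 5}
WEIGHTS = {"customer": 0.35, "geography": 0.30, "channel": 0.10, "product": 0.25}
LOW_MAX, MEDIUM_MAX = 2.0, 3.5      # bucket thresholds on the 1-5 composite


@dataclass
class Applicant:
    customer_type: str
    geography: str
    channel: str
    product: str
    is_pep: bool = False
    ownership_transparent: bool = True   # False: layered holdings, nominees, bearer shares
    cash_intensive: bool = False


def composite_score(a: Applicant) -> float:
    """Weighted composite of the four FATF dimensions, rounded to two decimals."""
    parts = {"customer": CUSTOMER_TYPE[a.customer_type], "geography": GEOGRAPHY[a.geography],
             "channel": CHANNEL[a.channel], "product": PRODUCT[a.product]}
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()), 2)


def bucket(score: float) -> str:
    if score < LOW_MAX:
        return "low"
    if score < MEDIUM_MAX:
        return "medium"
    return "high"


def edd_triggers(a: Applicant) -> List[str]:
    """Mandatory triggers that apply whatever the composite says.
    Unusual transaction patterns are a post-onboarding trigger, handled in monitoring."""
    hits = []
    if a.is_pep:
        hits.append("politically exposed person")
    if a.geography in ("fatf_grey", "fatf_black"):
        hits.append("high-risk jurisdiction")
    if not a.ownership_transparent:
        hits.append("complex ownership structure")
    if a.cash_intensive:
        hits.append("cash-intensive business")
    if a.product == "private_banking":
        hits.append("private banking relationship")
    if a.product == "correspondent":
        hits.append("correspondent banking")
    return hits


def route(a: Applicant) -> Dict:
    """Bucket first, then let triggers override; the track decides which steps appear."""
    score = composite_score(a)
    b = bucket(score)
    triggers = edd_triggers(a)
    track = "edd" if b == "high" or triggers else "standard"
    steps = ["cip_identity_verification", "sanctions_and_pep_screening",
             "purpose_and_expected_activity"]
    if track == "edd":
        steps += ["source_of_wealth_and_funds", "senior_management_approval"]
    return {"score": score, "bucket": b, "triggers": triggers, "track": track, "steps": steps}


if __name__ == "__main__":
    print(route(Applicant("corporate", "fatf_grey", "assisted_remote", "wire",
                          ownership_transparent=False)))
```

The corporate example in the usage line is the case that matters: its composite lands in the medium bucket, and a scoring-only model would put it on the standard track, but the jurisdiction and ownership triggers force EDD. Recalibrating the tables and weights (the part the text says rarely happens) is a data change, not a code change, which is what keeps the model maintainable.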
Ongoing monitoring - the part that quietly falls apart
I’ve probably said this fifty times in different contexts, but the beginning of any process gets all the attention. The ongoing maintenance gets ignored.
KYC ongoing monitoring is a textbook example. Institutions invest heavily in onboarding. The initial verification is thorough. The risk assessment is documented. And then… the file sits there for three years until the periodic review comes up and someone realizes half the information is outdated.
Fenergo’s perpetual KYC research makes the case for continuous monitoring rather than periodic snapshots. The traditional approach - review high-risk every 12 months, medium-risk every 24 months, low-risk every 36-60 months - is better than nothing. But it creates windows where risk changes go undetected.
What ongoing monitoring should include:
Transaction monitoring. Automated surveillance of account activity against the established baseline. Significant deviations trigger alerts - unusual amounts, unusual counterparties, unusual geographic patterns. The Financial Crime Academy emphasizes that this needs to be a continuous, systematic process rather than periodic spot-checking.
Sanctions rescreening. Your initial sanctions check is valid for that moment. Lists update constantly. The person who was clean at onboarding might appear on a sanctions list six months later. Rescreening needs to happen automatically whenever lists are updated.
Adverse media monitoring. Same logic. Negative news about an existing account holder is a risk signal that can emerge at any time. Automated news monitoring with relevance filtering catches this.
Trigger-based reviews. Beyond the scheduled periodic reviews, certain events should trigger an immediate review: significant changes in transaction patterns, change of beneficial ownership, expansion into new jurisdictions, new negative media hits, or regulatory actions against the individual or entity.
Periodic KYC refresh. The scheduled review itself. Confirm identity information is still accurate. Update the risk assessment. Verify that the source of funds and business activities haven’t materially changed. Renew any documentation that’s expired.
In discussions we’ve had about compliance workflows, the biggest gap is always between “we know we should do ongoing monitoring” and “we have a system that ensures it happens.” Reminders get ignored. Review queues grow. Low-priority reviews get pushed quarter after quarter.
That’s not a technology gap. It’s a process gap. The monitoring rules might exist in a policy document. But if those rules aren’t embedded in the workflow - if the system doesn’t automatically assign the review, set the deadline, escalate when it’s overdue, and block certain activities until the review is complete - then the policy is fiction.
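What “embedded in the workflow” means in code, as an added example (not Tallyfy’s code, and not from the original post): a small monitoring scheduler that derives the periodic review date from the risk rating using the 12/24/36-month cycle the text gives, rescreens every customer whenever a sanctions list is updated, opens an immediate review on the trigger events listed above, escalates overdue reviews to a named role, and reports whether activity should be blocked while an overdue review is open. The customer records, the sanctions names, the five-day trigger deadline and the role names are constructed; exact case-folded name matching stands in for a screening vendor’s fuzzy matching.

```python
"""Added example: ongoing-monitoring scheduler (periodic refresh by risk tier,
sanctions rescreening on list update, trigger-based reviews, overdue escalation).
Not Tallyfy's implementation; records, names and deadlines are constructed."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, List, Optional

REVIEW_MONTHS = {"high": 12, "medium": 24, "low": 36}   # page: low is 36-60; 36 chosen here
TRIGGER_EVENTS = {"transaction_pattern_change", "beneficial_ownership_change",
                  "new_jurisdiction", "adverse_media_hit", "regulatory_action"}
TRIGGER_DEADLINE_DAYS = 5                                 # constructed policy value


@dataclass
class Review:
    customer_id: str
    reason: str
    due: date
    assignee: str = "analyst_queue"
    escalated: bool = False


@dataclass
class Customer:
    cid: str
    name: str
    risk: str            # "low" | "medium" | "high"
    last_review: date
    reviews: List[Review] = field(default_factory=list)   # open review tasks


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition; clamps to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def schedule_periodic(c: Customer) -> Review:
    """Assigned automatically from the risk rating, not from someone remembering."""
    return Review(c.cid, "periodic_refresh", add_months(c.last_review, REVIEW_MONTHS[c.risk]))


def rescreen_on_list_update(customers: Iterable[Customer], sanctions_names: Iterable[str],
                            today: date) -> List[Review]:
    """Run every time a list changes; a hit opens an immediate review for that customer."""
    listed = {n.casefold() for n in sanctions_names}     # exact match stands in for fuzzy screening
    hits = []
    for c in customers:
        if c.name.casefold() in listed:
            r = Review(c.cid, "sanctions_list_hit", today)
            c.reviews.append(r)
            hits.append(r)
    return hits


def open_trigger_review(c: Customer, event: str, today: date) -> Optional[Review]:
    """Only the defined trigger events create a review; anything else is ignored."""
    if event not in TRIGGER_EVENTS:
        return None
    r = Review(c.cid, f"trigger:{event}", today + timedelta(days=TRIGGER_DEADLINE_DAYS))
    c.reviews.append(r)
    return r


def escalate_overdue(reviews: Iterable[Review], today: date,
                     escalate_to: str = "compliance_lead") -> List[Review]:
    """Reassign every overdue, not-yet-escalated review and return what was escalated."""
    escalated = []
    for r in reviews:
        if r.due < today and not r.escalated:
            r.escalated, r.assignee = True, escalate_to
            escalated.append(r)
    return escalated


def activity_blocked(c: Customer, today: date) -> bool:
    """True while any review for the customer is overdue (block until it is complete)."""
    return any(r.due < today for r in c.reviews)


if __name__ == "__main__":
    cust = Customer("C1", "Ana Ferreira", "high", date(2024, 1, 31))
    print(schedule_periodic(cust))
    print(rescreen_on_list_update([cust], ["ANA FERREIRA"], date(2024, 7, 1)))
```

Running `escalate_overdue` and `activity_blocked` on a schedule (daily is typical) is what turns the policy document into an enforced process: a review that slips quarter after quarter becomes an escalation to a named person and, for the customer concerned, a hard stop.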
Making the whole thing work without drowning in it
Look, I’m not going to pretend KYC is simple. It isn’t. Regulatory requirements are genuinely complex, and they vary by jurisdiction, institution type, and product.
But the complexity should live in the rules, not in the execution. The execution should be boringly predictable. Same steps, same order, same documentation, same escalation paths, every single time. That’s what keeps regulators happy and what keeps the process from eating your compliance team alive.
Thomson Reuters research found that over half of financial institutions still complete 31-60% of KYC tasks manually. That’s insane when you think about it. Manual processes in a high-volume, high-stakes environment where consistency is legally required.
Three things separate the institutions that do KYC well from those that don’t:
First - the workflow is the process, not a document describing the process. Nobody reads your 80-page KYC policy manual. Nobody. Build the steps into the system so following the process isn’t optional. At Tallyfy, that’s fundamentally what we do - we turn policy documents into executable workflows. You can’t skip steps because the next step doesn’t appear until the current one is done.
Second - branching logic handles the complexity. Don’t force everyone through the EDD track. Don’t let high-risk applications slide through the standard track. Build the if-then rules into the workflow. Risk score above threshold? Automatically route to EDD. PEP flag triggered? Senior management approval step appears. This isn’t rocket science. It’s just good process design.
Third - the system enforces the review schedule. Periodic reviews don’t depend on someone remembering. The workflow assigns them automatically based on the risk rating established during onboarding. Due dates, assignments, escalation when overdue - all built in. All auditable.
The firms spending $73 million a year on KYC aren’t spending it because the regulations are that expensive to follow. They’re spending it because their processes are fragmented, manual, and dependent on people remembering to do things that a well-designed workflow would handle automatically.
That’s fixable. Not easy. But fixable.
About the Author
Amit is the CEO of Tallyfy. He is a workflow expert and specializes in process automation and the next generation of business process management in the post-flowchart age. He has decades of consulting experience in task and workflow automation, continuous improvement (all the flavors) and AI-driven workflows for small and large companies. Amit did a Computer Science degree at the University of Bath and moved from the UK to St. Louis, MO in 2014. He loves watching American robins and their nesting behaviors!
Follow Amit on his website, LinkedIn, Facebook, Reddit, X (Twitter) or YouTube.