
KYC

Also Known As: Know Your Customer, Customer Due Diligence, CDD, Customer Identification Program
Used By: Acquirers / Banks, Software Platforms, Compliance & Risk Teams

What is KYC?

KYC, or Know Your Customer, is the process by which financial institutions and regulated entities verify the identity of their customers before establishing a business relationship and monitor that relationship on an ongoing basis. In payments, KYC applies to the onboarding of merchants, cardholders, and account holders, and requires collecting and verifying identity documentation, business registration information, beneficial ownership details, and other data required by anti-money laundering regulations.

KYC is a legal requirement under the Bank Secrecy Act and related anti-money laundering regulations in the United States, as well as equivalent frameworks in other jurisdictions. Financial institutions that fail to implement adequate KYC programs face significant regulatory penalties, reputational damage, and potential criminal liability.

KYC requirements vary based on the risk profile of the customer and the nature of the financial relationship. Higher-risk customers, higher transaction volumes, and certain business types trigger enhanced due diligence requirements that go beyond standard identity verification.

Diving Deeper into KYC

KYC sits at the intersection of compliance, risk management, and customer experience. It is one of the most operationally significant requirements financial institutions and payments companies face, both because the regulatory consequences of getting it wrong are severe and because the friction it introduces into onboarding directly affects business performance.

The challenge of KYC is balancing thoroughness with speed. Collecting and verifying everything required to satisfy regulatory obligations while onboarding customers quickly enough to compete effectively requires careful process design, technology investment, and risk-based calibration.

The Regulatory Foundation of KYC

KYC requirements in the United States derive primarily from the Bank Secrecy Act of 1970 and its subsequent amendments, implemented through regulations issued by the Financial Crimes Enforcement Network. The Customer Identification Program rule requires financial institutions to collect and verify the identity of customers opening new accounts. The Customer Due Diligence rule, updated in 2016, added requirements for financial institutions to identify and verify the beneficial owners of legal entity customers.

These requirements apply directly to banks and other regulated financial institutions. For payments companies that are not themselves banks, KYC obligations flow through their banking relationships. An acquiring bank sponsors a payment facilitator and requires the payfac to collect and maintain KYC information on its sub-merchants. The bank is ultimately responsible to regulators, but the payfac assumes contractual responsibility for the KYC function under the terms of its sponsorship agreement.

What KYC Requires

The specific information required varies by entity type and risk level but follows a common framework.

Individual Identity Verification

For individual customers — cardholders, sole proprietors, and beneficial owners — KYC typically requires collecting full legal name, date of birth, residential address, and a government-issued identification number such as a Social Security number. Verification involves matching this information against authoritative data sources and may require document verification, where the customer submits a photo of their ID, combined with liveness checks or biometric verification.

Business Verification

For business customers, KYC requires verifying the legal existence of the business through registration documents, confirming the business address and contact information, verifying the nature of the business and its intended use of financial services, and identifying the individuals who own or control the business.

Beneficial Ownership

The FinCEN Customer Due Diligence rule requires financial institutions to identify and verify the identity of individuals who own 25% or more of a legal entity customer, as well as the individuals who control the entity. This beneficial ownership requirement is designed to prevent the use of shell companies to obscure the true owners of accounts used for money laundering or other financial crimes.

Risk-Based KYC

Regulatory frameworks require KYC programs to be risk-based, meaning the depth and rigor of due diligence should be proportional to the risk posed by the customer relationship. Low-risk customers with transparent business models and modest transaction volumes may be onboarded with standard identity verification. High-risk customers require enhanced due diligence that may include additional documentation, source of funds verification, and ongoing transaction monitoring.

Risk factors that trigger enhanced due diligence include high transaction volumes, cash-intensive business types, customers in geographic regions associated with elevated financial crime risk, politically exposed persons, and business types that regulators have identified as higher risk, such as money services businesses, cryptocurrency exchanges, and certain retail categories.

KYC in Payments Onboarding

For acquiring banks, payment facilitators, and ISOs, KYC is embedded in the merchant onboarding process. When a business applies for a merchant account, the acquiring bank or payfac collects the business and owner information required for KYC, verifies it against authoritative sources, screens the applicant against sanctions lists and adverse media, and makes an underwriting decision that incorporates both risk and compliance considerations.

The speed and user experience of this process matter commercially. Merchants who encounter lengthy, friction-heavy onboarding processes abandon applications at meaningful rates. Modern KYC technology — including automated document verification, database-driven identity matching, and API-connected sanctions screening — has significantly reduced the time required to complete KYC without compromising compliance rigor.

Ongoing Monitoring

KYC is not a one-time onboarding event. Regulated entities are required to monitor customer relationships on an ongoing basis and update customer information when material changes occur. Transaction monitoring systems flag unusual activity patterns for investigation. Periodic reviews refresh customer information and reassess risk ratings. Customers whose risk profiles change over time may be subject to enhanced due diligence or relationship termination.
