KYC Checklist

Capture an unexpired passport, driver's license, or state-issued ID. CIP rule (31 CFR 1023.220) requires name, DOB, address, and ID number for every individual customer. Reject expired documents — a common NIGO reason.

Record legal name, date of birth, residential address (no PO box for individuals), and SSN or other taxpayer ID. These four data points are the CIP minimum and must match the photo ID exactly.

Entity accounts (LLC, corporation, partnership, trust) trigger CDD beneficial-owner collection for any 25%+ owner plus one control person. Individual and joint accounts skip that step. Get this right early — entity onboarding takes longer.

Run the customer through LexisNexis Bridger, IDology, or your custodian's built-in CIP service. Document the verification result in the file. If the vendor returns a no-match, escalate to manual documentary verification before proceeding.

Articles of incorporation or organization, operating agreement or bylaws, EIN letter (CP 575 or 147C), and certificate of good standing. For trusts, collect the trust agreement and trustee certification.

Per FinCEN CDD rule, capture name, DOB, address, and SSN/passport for every individual owning 25% or more of the entity, plus one control person (CEO, managing member, etc.). FinCEN's certification form is the standard intake. Skipping ownership tiers in layered entities is a common AML exam citation.

Each beneficial owner gets the same CIP verification as a primary customer — vendor lookup, ID match, recorded result. Don't shortcut this on the assumption the entity is reputable.

Accept a utility bill, bank statement, lease, or government tax notice dated within the last 90 days. Cell phone bills and credit card statements are typically rejected. Address must match the CIP record.

Three-way match: photo ID address, proof-of-address document, and account application. Mismatches require either a written explanation from the customer or a second proof document. Note any discrepancy in the file.

Cross-check address country against FATF high-risk and monitored jurisdictions, OFAC sanctioned countries, and your firm's internal high-risk country list. A flag here triggers EDD in the AML phase, not a rejection.

Record annual income, liquid net worth, and total net worth using the customer-attested figures from the new account form. These drive Reg BI suitability and accredited investor determination for any private offerings.

How did the customer accumulate their wealth: salary and savings, business sale, inheritance, investment returns, real estate? A narrative answer is required; vague answers like "savings" on a $5M account warrant follow-up.

Run the Riskalyze, Tolerisk, or FinaMetrica questionnaire. Capture years of investing experience and product familiarity (equities, bonds, options, alts). Reg BI requires the firm to consider risk tolerance when making recommendations.

Bank ACH transfer, wire from another financial institution, ACATS in-kind transfer, rollover from a qualified plan, or check. Each funding type has different documentation expectations.

Last 60 days of bank statements for ACH, wire confirmations and originating bank info for wires, prior-firm statements for ACATS, plan administrator letter for rollovers. Document any large unexplained inflows in the prior 90 days.

EDD triggers: PEP status, high-risk jurisdiction, third-party funding, cash-intensive business, structured deposits, or initial deposit above the firm's high-value threshold (commonly $1M+). Document the EDD determination in the file regardless of outcome.

EDD adds: independent verification of source-of-wealth narrative, adverse-media search via World-Check or LexisNexis, senior management approval memo, and a written EDD memo justifying the relationship. Refresh annually for high-risk customers vs. every 3 years for standard.

Screen the primary customer, all beneficial owners, all signatories, and any beneficiaries against OFAC SDN, consolidated sanctions, and the FinCEN 314(a) list. Save the screening report with timestamp; an OFAC hit halts onboarding pending Compliance review.

Use Refinitiv World-Check, ComplyAdvantage, or Bridger for politically exposed person and adverse media searches. PEP status doesn't reject a customer but does require EDD and senior management approval.

Combine customer type, geography, product, and source-of-funds risk into a low/medium/high rating per the firm's AML risk methodology. The rating drives review cadence — high risk every 12 months, medium every 24, low every 36.

Configure the customer profile in the AML monitoring system (Verafin, Actimize, Alessa) with expected activity baselines: typical deposit size, frequency, geography, counterparties. Deviations generate alerts that feed the SAR review queue.

Compile CIP documents, beneficial owner certifications, address proof, economic profile, source-of-funds review, OFAC and PEP results, and risk rating into a single client file in NetDocuments or Laserfiche. Books-and-records retention is 5 years post-account-closure under SEC Rule 17a-4.

The CCO or designated principal reviews the complete file, confirms all required elements are present, and signs off. High-risk customers also require senior management approval per the firm's AML program.

Set the next KYC refresh date in the CRM based on the customer risk rating: 12 months for high, 24 for medium, 36 for low. A trigger-based refresh also fires on material change events (new beneficial owner, address change, large unusual transaction).