casemark/reviewing-kyc-documentation

Reviewing KYC Documentation

Evaluates customer identification and verification documentation against Customer Identification Program (CIP), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) requirements to determine whether a KYC file is complete, accurate, and risk-appropriate.

When To Use

• Reviewing a new customer onboarding file before account opening approval
• Periodic re-review of existing customer KYC files (annual, trigger-based, or risk-cycle)
• Assessing whether a customer risk rating change requires EDD uplift
• Auditing a portfolio of KYC files for regulatory exam readiness
• Evaluating remediation files flagged by compliance monitoring

Inputs To Gather

• Customer identification documents: government-issued ID (passport, driver's license, national ID), articles of incorporation, certificate of formation, or trust instrument for entities
• Verification records: documentary vs. non-documentary verification method used; third-party verification results (e.g., LexisNexis, World-Check, Dow Jones)
• Beneficial ownership declaration: ownership structure chart, UBO identification form, percentage thresholds applied [VERIFY: 25% threshold under CDD Rule; jurisdiction may differ]
• Risk rating worksheet: initial and current risk score, scoring methodology, risk factors applied
• Source of funds / source of wealth documentation: bank statements, tax returns, business financials, or self-certification
• Screening results: OFAC/SDN, PEP databases, adverse media, sanctions lists — with date of last screening
• Account activity profile: expected transaction types, volumes, jurisdictions, and any deviations flagged post-opening
• Prior review notes: previous findings, remediation status, outstanding deficiencies

Workflow

1. Confirm file completeness — Check that all required CIP elements are present for the customer type:

   • Individuals: name, date of birth, address, government ID number [VERIFY: specific ID requirements vary by jurisdiction]
   • Legal entities: legal name, formation jurisdiction, principal place of business, EIN/TIN, formation documents
   • Trusts/other structures: trust agreement, trustee identification, beneficiary information where required

2. Validate identification and verification — Assess whether:

   • Documentary verification uses unexpired, legible, government-issued documents
   • Non-documentary methods (database checks, credit bureau, references) are adequately documented
   • Discrepancies between ID documents and application data are noted and resolved
   • For entities: verify legal existence through formation documents or registry searches

3. Assess beneficial ownership compliance — Confirm:

   • All individuals owning 25% or more are identified with full CIP-level information [VERIFY: threshold per CDD Final Rule; some jurisdictions use 10% or 20%]
   • A single individual is identified as having significant management control
   • Ownership structure is diagrammed for multi-layered entities
   • Nominee/bearer share arrangements are flagged and investigated

4. Evaluate risk rating — Review the assigned risk level against:

   • Customer type (individual, corporate, PEP, MSB, NBFI, charity/NPO)
   • Geographic risk (FATF high-risk jurisdictions, sanctioned countries, tax havens)
   • Product/service risk (correspondent banking, private banking, trade finance, virtual assets)
   • Transaction risk (expected volume, cash intensity, cross-border activity)
   • Confirm the risk rating methodology matches institutional policy and that the score is correctly calculated

5. Review EDD where applicable — For high-risk customers, verify:

   • Source of wealth and source of funds are independently documented (not just self-declared)
   • Senior management approval for relationship establishment or continuation is on file
   • Enhanced monitoring parameters are defined (transaction thresholds, review frequency)
   • Negative news and PEP screening performed at closer intervals

6. Check screening and ongoing monitoring — Confirm:

   • OFAC/sanctions screening was run at onboarding and is current
   • PEP screening covers the customer and all beneficial owners
   • Adverse media screening is documented with disposition of hits
   • Screening is re-run at each periodic review and upon trigger events

7. Classify findings — Assign severity to each deficiency:

   • Critical: missing CIP element, unresolved sanctions hit, no beneficial ownership on file
   • Major: expired identification document, risk rating inconsistent with profile, EDD not performed for high-risk customer
   • Minor: formatting gaps, outdated contact information, missing secondary documentation

Output

Produce a structured KYC review report containing:

• File summary: customer name, account number, customer type, risk rating, review date, reviewer
• Completeness checklist: pass/fail for each CIP, CDD, and EDD element
• Findings table: finding description, severity (Critical/Major/Minor), regulatory reference, evidence citation
• Remediation recommendations: specific corrective action for each finding, responsible party, deadline
• Overall assessment: file status recommendation — Satisfactory, Conditional (with remediation required), or Unsatisfactory (escalation required)
• Escalation flags: any findings requiring SAR consideration, account restriction, or senior management review

Quality Checks

• Every finding cites a specific regulatory requirement or internal policy section (e.g., 31 CFR 1020.220, BSA/AML Manual Section X) [VERIFY: cite institution-specific policy references]
• Beneficial ownership analysis accounts for all layers of the ownership chain, not just the first tier
• Risk rating review confirms arithmetic accuracy and that all applicable risk factors were scored
• Screening results include date stamps — reject any screening older than the institution's policy window [VERIFY: typical policy is 30-90 days; confirm institutional standard]
• No finding is marked "Minor" if it would independently constitute a regulatory violation
• Flag any assumption or unverifiable data point with [VERIFY] rather than presenting it as confirmed
• If the file involves a jurisdiction, product, or customer type outside the reviewer's expertise, escalate to specialized compliance staff