In one sentence: KYC for banking is the layer retail and commercial banks run for customer identification (CIP under USA PATRIOT Act 326, EU AMLD6 transpositions, UK FCA SYSC), beneficial ownership at the 25% UBO threshold, source of wealth, and correspondent enhanced due diligence. Since TD Bank’s USD 1.3B FinCEN penalty (October 2024), perpetual CDD has replaced periodic review.
KYC for banking is the verified-identity layer a traditional retail or commercial bank runs across account opening, beneficial-owner verification (25 percent UBO threshold), correspondent-banking due diligence, and perpetual CDD. It covers CIP under USA PATRIOT Act Section 326, EU AMLD6 transpositions, UK FCA SYSC, source-of-wealth on enhanced due diligence, and integration with Temenos, FIS, or Jack Henry core banking systems.
What does KYC for banking actually require, and how is it different from fintech KYC?
KYC for banking covers the four customer surfaces that traditional banks, private banks, wealth managers, and correspondent banks operate against simultaneously: retail individuals, corporate customers, high-net-worth and ultra-high-net-worth clients, and counterparty institutions in correspondent relationships. Each surface has different regulatory floors, different documentation requirements, and different ongoing-monitoring cadences.
KYC for banking differs from KYC for fintech (see our KYC for fintech industry page) in five material ways:
- Beneficial ownership depth. Banks routinely onboard corporate customers with multi-jurisdictional ownership trees that fintechs do not see. KYB depth matters more.
- Correspondent banking due diligence. A bank that maintains nostro/vostro accounts with another bank inherits the counterparty bank’s KYC failures. KYC for banking has to cover the institutional relationship as well as the underlying customers.
- Wealth management EDD. Private banking and wealth management require enhanced due diligence on source of funds, source of wealth, and PEP status, with documented evidence trails the regulator can audit years later.
- Branch-level supervision. Most banks operate under multiple supervisors (federal + state in the US, ECB + national in the EU, FCA + PRA in the UK) and the KYC for banking program has to satisfy all of them.
- Legacy infrastructure constraints. Most banks run KYC against core-banking systems that were built before reusable credentials existed. The migration path matters more than the greenfield design.
For the deeper neobank and digital-bank view, see our KYC for neobanks page. For the corporate KYB depth, see our KYB software guide.
What are the regulatory baselines for KYC for banking across the US, EU, and UK?
The regulations are denser for banking than for any other category. The three jurisdictions matter for any cross-border bank.
United States: BSA, FinCEN, and the new AML/CFT Program Rule
The Bank Secrecy Act is the foundational US AML statute. KYC for banking obligations include the Customer Identification Program (CIP), Customer Due Diligence (CDD) Rule (effective May 2018) covering beneficial ownership at 25%, Currency Transaction Reports above USD 10,000, SAR filing within 30 days, and a documented five-pillar AML program. The FinCEN AML/CFT Program Rule effective January 1, 2026 added a “Reasonably Designed and Risk-Based” standard that materially raised the documentation bar. Federal supervision is split across OCC (national banks), Federal Reserve (state member banks), FDIC (state non-member banks), and FinCEN (financial-crime-specific). The TD Bank USD 1.3B FinCEN penalty (October 2024) is the current enforcement benchmark.
European Union: AMLR, AMLD6, and AMLA direct supervision
The 2024-2025 EU package replaced the directive-based AML framework with a single rulebook regulation (AMLR), a new directive (AMLD6 in the new numbering), and the Anti-Money Laundering Authority (AMLA) operational from 2025 in Frankfurt. AMLA has direct supervisory authority over approximately 40 EU banks (the largest, plus those with cross-border activity exceeding thresholds). National supervisors handle the rest under coordination by AMLA. Per-decision defensibility (every alert closure, every CDD decision, documented and auditable) is the operating standard. The Revolut Bank UAB EUR 3.5M penalty (April 2025) is the early signal of how AMLA-era supervision treats KYC for banking documentation gaps.
United Kingdom: FCA, PRA, MLR 2017, and the Senior Managers Regime
The UK splits prudential supervision (PRA) and conduct supervision (FCA) for the largest banks. KYC for banking obligations sit under the Money Laundering Regulations 2017, the FCA Handbook (SYSC 6.1, SYSC 6.3), and the Senior Managers and Certification Regime (SMCR) which assigns personal accountability for AML/KYC programs to named individuals. The 2024-2025 enforcement wave landed at GBP-billion-scale: Starling GBP 29M (October 2024), Monzo GBP 21M (July 2025), and continuing actions against established banks for sanctions-screening and KYC for banking program gaps.
Side-by-side: KYC for banking regulatory obligations
| Dimension | US | EU | UK |
|---|---|---|---|
| Primary statute | BSA + FinCEN AML/CFT Program Rule (2026) | AMLR + AMLD6, AMLA Regulation | MLR 2017, FCA Handbook SYSC, SMCR |
| BO threshold | 25% (CDD Rule) | 25% (AMLD6) | 25% (MLR 2017) |
| CDD timing standard | At onboarding + perpetual | At onboarding + perpetual | At onboarding + perpetual |
| Audit standard | Reasonably designed and risk-based | Per-decision defensibility | Proportionate to risk + SMCR accountability |
| Direct supervisor | OCC / Fed / FDIC + FinCEN | AMLA (top 40 banks) + national | FCA + PRA |
| Recent enforcement | TD Bank USD 1.3B (Oct 2024) | Revolut UAB EUR 3.5M (Apr 2025) | Starling GBP 29M, Monzo GBP 21M |
Where do bank KYC programs fail, and what does it cost?
Five reproducible failure modes show up in every recent megabank Final Notice. Each one is preventable with KYC for banking software that builds the audit trail as a primitive rather than an after-the-fact reconstruction.
Periodic re-KYC missing or stale
Banks running annual or three-year re-KYC cycles inherit the TD Bank pattern: customer status changed, internal records did not. Perpetual KYC at the credential layer is now the regulatory expectation. See our perpetual KYC piece for the architectural argument.
Sanctions screening at account level only, not transaction-counterparty level
Banks that screen the customer at onboarding and forget to screen counterparties at every transaction get the Binance USD 4.3 billion / Standard Chartered / BNP Paribas pattern: years of unscreened flows, nine-figure cheques on resolution. KYC for banking has to extend through the AML transaction monitoring layer.
KYB depth shortfall on corporate customers
Corporate customer onboarding stops at the registered entity, with no UBO trace and no operating-entity verification. Wirecard EUR 1.9 billion (2020) is the canonical example. KYC for banking that does not include real KYB is shipping a known regulator-finding pattern.
Correspondent banking due diligence gaps
The originating bank inherits the correspondent bank’s KYC failures. Most banks know this. Few document it well enough to satisfy a regulator. Charlene Wang, Zyphe’s CRO, framed it on a customer call in March 2026: “correspondent banking is the surface where one bank’s KYC for banking program fails another bank’s audit. The architectural fix is shared credentials with revocable status, not duplicated databases.”
Audit-trail reproducibility
When the regulator pulls the case file 18 months later, the closure rationale does not reproduce. The TD Bank, Starling, Monzo, Revolut UAB, and Cash App / Block penalties all cited reproducibility gaps as core findings. KYC for banking software has to write per-decision triage records as the side effect of running the workflow.
Recent enforcement timeline
| Date | Action | Penalty | Why it matters for KYC for banking |
|---|---|---|---|
| 2018 | Danske Bank Estonia | ~EUR 200B suspicious flows | UBO trace stopped at corporate-name match |
| 2020 | Wirecard collapse | EUR 1.9B missing | Operating-entity verification fictional |
| 2023 | Binance settlement | USD 4.3B | Sanctions screening gaps at transaction layer |
| Oct 2024 | TD Bank | USD 1.3B FinCEN, USD 3.1B combined | Five-pillar program failures |
| Oct 2024 | Starling Bank | GBP 29M FCA | Sanctions screening + control framework |
| Apr 2025 | Revolut Bank UAB | EUR 3.5M Bank of Lithuania | Per-decision defensibility under AMLA |
| Jul 2025 | Monzo | GBP 21M FCA | High-risk customer onboarding gaps |
How does Zyphe deliver KYC for banking at the post-TD Bank audit bar?
Zyphe’s KYC for banking stack ships four primitives that map directly to the regulator’s audit checklist.
Perpetual KYC at the credential layer. Customer credentials carry expiry, revocation pointers, and continuous re-screening status. Sanctions, PEP, and adverse media re-screening run on a defined cadence. A customer whose status changes has the credential revoked. The next AML transaction monitoring rule that checks credential status fails the transaction deterministically.
KYB depth across 190+ corporate registries. Zyphe KYB walks the corporate customer’s ownership tree to natural persons or regulated parents. Wirecard-style operating-entity verification, BVI/Cayman opacity flagging, and recursive UBO trace are built in. Median completion under 8 minutes for tier-1 jurisdictions.
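The recursive UBO trace described above, as an added example (not Zyphe's code): it sums indirect stakes through an ownership tree against the 25% threshold and records cycles and opaque holders as gaps for enhanced CDD. The register, entity names, and the at-or-above comparison are assumptions made for illustration.

```python
from collections import defaultdict
from fractions import Fraction

# 25% threshold cited on this page; whether the test is ">=" or ">" depends
# on the regime, so the ">=" used below is an assumption.
UBO_THRESHOLD = Fraction(25, 100)

# Constructed register: entity -> [(owner, percent held)]. Names are hypothetical.
OWNERS = {
    "AcmeTrading": [("HoldCoA", 60), ("Alice", 15), ("NomineeCo", 25)],
    "HoldCoA": [("Alice", 30), ("Bob", 60), ("AcmeTrading", 10)],  # cross-holding
}
KIND = {"Alice": "person", "Bob": "person", "NomineeCo": "opaque",
        "HoldCoA": "company", "AcmeTrading": "company"}


def trace_ubo(target):
    """Return (effective stake per natural person, unresolved gaps)."""
    stakes = defaultdict(Fraction)
    gaps = []  # (reason, entity, effective stake) to route to enhanced CDD

    def walk(entity, weight, path):
        for owner, pct in OWNERS.get(entity, []):
            eff = weight * Fraction(pct, 100)  # exact, no float rounding at 25%
            if owner in path:
                gaps.append(("cycle", owner, eff))  # circular holding: stop here
            elif KIND.get(owner) == "person":
                stakes[owner] += eff  # sum direct and indirect routes
            elif KIND.get(owner) == "company" and owner in OWNERS:
                walk(owner, eff, path | {owner})
            else:  # opaque vehicle, or a company with no recorded owners
                gaps.append(("unresolved", owner, eff))

    walk(target, Fraction(1), {target})
    return dict(stakes), gaps


def ubos(target):
    """Natural persons whose summed stake meets the threshold."""
    stakes, _ = trace_ubo(target)
    return sorted(p for p, s in stakes.items() if s >= UBO_THRESHOLD)
```

In the constructed register Alice holds only 15% directly, so a flat check at the registered entity misses her; the trace adds her 18% held through HoldCoA and reports 33%.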
Identity-linked AML monitoring. Every alert in the Zyphe AML transaction monitoring stack carries the verified credential, the KYC tier, and the perpetual re-screening status. Mule indicators fire at the rule level. Sanctions screening at the transaction-counterparty layer is automatic. See our AML transaction monitoring 2026 piece for the deeper operational detail.
Zero-PII storage architecture. Source documents are sharded across 60,000+ decentralised storage nodes using a 29-of-100 threshold scheme. The bank holds the credential and the audit trail. The bank does not hold the underlying passport, the underlying address proof, or the underlying biometric. The IDmerit-shaped breach exposure that drove banking procurement decisions in 2025-2026 disappears at the architecture layer. See our decentralised KYC primer.
How do you implement KYC for banking across retail, private, and correspondent banking?
Three patterns covering the most common bank use cases.
Retail banking onboarding
NFC-grade identity verification at account opening, sanctions and PEP screening, address verification, source-of-funds collection where threshold-relevant. Continuous re-screening at the credential layer. Periodic enhanced CDD review for high-risk customers. The standard KYC for banking flow lands in 5 to 10 minutes for the customer and produces an audit-ready case file as the side effect.
Private banking and wealth management EDD
Standard onboarding plus source-of-funds documentation, source-of-wealth narrative, PEP screening with adverse media depth, multi-jurisdictional UBO trace where the customer is a corporate entity or trust, and ongoing monitoring at elevated cadence. The case file carries every piece of evidence with timestamps and policy versions. Regulator audit response time drops from weeks to hours.
Correspondent banking due diligence
KYB on the correspondent bank itself (licensing, ownership, sanctions exposure, regulator standing), credential-based verification of the underlying customers where permitted under the correspondent agreement, and continuous monitoring of the relationship. Where the correspondent bank uses Zyphe credentials, the originating bank reads the same credentials and inherits the same audit trail. The duplicated-database problem disappears.
What are the real edge cases KYC for banking still struggles with?
Five edge cases worth flagging in procurement.
Trust structures terminating in opaque jurisdictions. BVI, Cayman, certain Liechtenstein vehicles, and similar structures hide UBOs behind nominee directors. KYC for banking flags the opacity, surfaces every available signal, and routes to enhanced CDD with a documented residual gap.
Politically exposed persons with shifting status. PEP status changes (newly elected officials, family-member designations, post-office cooling periods). Continuous re-screening at the credential layer is the architecturally correct response.
Wealth-management cross-border source-of-wealth. A UHNW client whose wealth originated in a third jurisdiction with regulatory opacity around the underlying business. KYC for banking has to support documentary EDD that can be evidenced years later.
Correspondent banking with smaller counterparts. A correspondent relationship with a Tier-2 bank in a higher-risk jurisdiction inherits the counterpart’s KYC standards. The originating bank’s KYC for banking program is only as strong as its weakest correspondent.
Legacy core-banking integration. Most banks’ KYC layers are wired into core-banking systems built before reusable credentials existed. Migration path matters as much as greenfield architecture.
How do you evaluate KYC for banking in the next 30 days?
Five concrete moves for a head of financial crime, MLRO, or CRO.
- Audit your current re-KYC cadence. If the answer is annual or three-year for any non-low-risk customer, you are operating below the post-TD Bank bar.
- Map your KYB depth. Corporate customers with multi-jurisdictional ownership trees need recursive UBO trace, not flat entity verification.
- Pressure-test the AML monitoring identity linkage. Does every alert carry the verified credential? If not, mule detection is post-facto.
- Run an audit-export drill. Pull a SAR filed 18 months ago and trace the evidence chain. If reconstruction takes more than an hour, the architecture is the problem.
- Update the SMCR responsibility map (UK) or the Reasonably Designed standard documentation (US). The named accountable individual needs the architectural decisions documented, not just the process.
How do you integrate KYC for banking with Zyphe across retail, commercial, and correspondent flows?
A retail or commercial bank goes from a quarterly review cycle to perpetual CDD in six steps. The sequence assumes a Tier 2 or Tier 3 bank with a Temenos, FIS, or Jack Henry core, multiple business lines, and at least one cross-border correspondent relationship.
- Map the bank’s regulatory regime per business line. Federal supervisors (OCC, Federal Reserve, FDIC, FinCEN), state charters (NYDFS, DFPI), EU AMLR/AMLD6 transpositions under AMLA coordination, and UK FCA SYSC plus PRA prudential rules. Document which obligations apply to which legal entity and customer surface.
- Define risk-based customer tiers. Low-risk retail, standard CIP, enhanced due diligence for high-net-worth and correspondent counterparts, and PEP-tier with adverse media depth. Each tier carries documented thresholds, evidence requirements, refresh cadence, and escalation paths to financial crime second line.
- Integrate with the core banking system. Wire the verification layer into Temenos, FIS, Jack Henry, or Finastra through REST APIs and signed webhooks. Persist the credential identifier alongside the legacy customer record so account opening, lending origination, and treasury workflows all read the same verified attestation.
- Wire perpetual screening at the credential layer. Implement FATF Recommendation 10 ongoing CDD: continuous sanctions, PEP, and adverse media re-screening, document expiry triggers, and event-driven revocation. Status changes flow into AML transaction monitoring rules and suspend dependent products until remediation closes.
- Maintain an audit-ready record schedule per jurisdiction. BSA five-year retention from account closure in the US, MLR 2017 five years in the UK, AMLR five-to-ten-year retention across EU member states. Every CIP decision, EDD evidence pack, and SAR filing reproduces on regulator request.
- Document the MLRO sign-off chain end to end. Tier policy approval, EDD case escalation, SAR filing decision, and annual program attestation. Under UK SMCR and the FinCEN AML/CFT Program Rule, the named accountable Money Laundering Reporting Officer signs every material decision.
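The signed-webhook and credential-status steps above, together with the earlier point that a monitoring rule fails the transaction once a credential is revoked, as an added example that is not Zyphe's API. The HMAC-SHA256 scheme over timestamp and body, the field names `credential_id` and `status`, and the secret are assumptions.

```python
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"constructed-demo-secret"  # assumption: shared HMAC key
MAX_SKEW = 300     # seconds; stale deliveries are rejected to limit replay
CREDENTIALS = {}   # credential_id -> (status, event timestamp)


def sign(body: bytes, ts: int) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' (assumed scheme, hex encoded)."""
    msg = str(ts).encode() + b"." + body
    return hmac.new(WEBHOOK_SECRET, msg, hashlib.sha256).hexdigest()


def handle_webhook(body: bytes, ts: int, signature: str, now: int) -> bool:
    """Apply a credential status event only if it is authentic and fresh."""
    if abs(now - ts) > MAX_SKEW:
        return False
    # Constant-time comparison; encoding avoids a TypeError on non-ASCII input.
    if not hmac.compare_digest(sign(body, ts).encode(), signature.encode()):
        return False
    event = json.loads(body)  # parse only after the signature verifies
    cred_id, status = event["credential_id"], event["status"]
    _, last_ts = CREDENTIALS.get(cred_id, (None, -1))
    if ts <= last_ts:  # an older or duplicate event must not undo a revocation
        return False
    CREDENTIALS[cred_id] = (status, ts)
    return True


def allow_transaction(credential_id: str) -> bool:
    """Monitoring rule: fail closed unless the credential is known and active."""
    status, _ = CREDENTIALS.get(credential_id, (None, -1))
    return status == "active"
```

The ordering check matters as much as the signature: a captured "active" event that is still inside the freshness window would otherwise reinstate a revoked credential.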
