KYC: The Complete Guide for Businesses in 2026
What is KYC? Definition, legal obligations, process steps and best practices for UK businesses. Updated complete guide covering FCA requirements for 2026.

KYC (Know Your Customer) is a mandatory regulatory process requiring businesses to verify the identity of their clients before establishing a business relationship and on an ongoing basis thereafter. In the UK, KYC obligations are set by the Financial Conduct Authority (FCA) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), which transposes the Fourth EU Anti-Money Laundering Directive into UK law.
Non-compliance is costly. NatWest was fined £264.8 million in 2021 for systemic AML failures, while the FCA imposed over £176 million in fines on banks including Metro Bank, TSB, and Starling Bank in 2024 for KYC and AML control deficiencies. Understanding KYC is not optional for regulated businesses: it is the foundation of lawful operation.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.
What Is KYC?
KYC is the process by which businesses identify and verify the identity of their customers, understand the nature of their business relationships, and assess the associated money laundering and terrorist financing risks. The FCA defines this as Customer Due Diligence (CDD) in its Handbook under SYSC 6.3.1.
As of February 2026, the MLR 2017 remains the primary legislative framework governing KYC in the UK, supplemented by the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000. The FCA takes a risk-based approach, meaning firms must calibrate the intensity of their KYC measures to the level of money laundering risk each customer presents (MLR 2017, Regulation 28).
KYC encompasses three core elements:
- Customer identification: collecting personal data (name, date of birth, address, nationality)
- Identity verification: confirming that individuals are who they claim to be using reliable, independent documentation
- Risk assessment: classifying customers by risk profile and applying proportionate due diligence measures
Which Businesses Must Comply with KYC in the UK?
KYC obligations apply to all "relevant persons" defined in Regulation 8 of the MLR 2017. The scope extends well beyond traditional banks.
| Sector | Examples of Obliged Entities |
|---|---|
| Banking and credit | Banks, building societies, credit institutions |
| Financial services | Investment firms, financial advisers, asset managers |
| Insurance | Life insurance companies and intermediaries |
| Legal professions | Solicitors, barristers, notaries, accountants |
| Estate agency | Estate agents (residential and commercial property) |
| Crypto-assets | Cryptoasset exchange providers registered with the FCA |
| High-value dealers | Dealers accepting cash payments of €10,000 or more |
| Gambling | Casinos (land-based and remote) |
There are over 100,000 businesses in the UK subject to AML and KYC regulations. Since 10 January 2020, the FCA has been the AML/KYC supervisor for UK cryptoasset businesses under the MLR 2017.
The Four Steps of KYC Due Diligence
Step 1: Customer Identification Programme (CIP)
Before establishing any business relationship, firms must collect identifying information. For individuals, this means full name, date of birth, residential address, and nationality. For corporate entities, this extends to company registration number, registered address, nature of business, and the identity of directors and beneficial owners.
Firms must verify the identity of any beneficial owner holding more than 25% of shares or voting rights, a threshold set by Regulation 5 of the MLR 2017 in line with the Fourth AMLD.
Step 2: Customer Due Diligence (CDD)
Standard CDD requires verifying identity using reliable, independent source documents or data. Acceptable evidence includes a valid passport or driving licence for proof of identity, and a utility bill or bank statement dated within three months for proof of address. Digital verification using electronic identity checks is fully acceptable under the FCA's guidance, provided it meets equivalent standards to documentary verification.
Step 3: Enhanced Due Diligence (EDD)
EDD is mandatory for higher-risk customers and relationships. The MLR 2017 mandates EDD in specific circumstances, including:
- Customers identified as Politically Exposed Persons (PEPs) or their family members and known close associates
- Business relationships or transactions involving high-risk third countries (as listed by the European Commission)
- Correspondent banking relationships
- Transactions with no apparent economic or legal purpose
EDD for PEPs requires establishing the source of wealth and source of funds, in addition to standard identity verification. The FCA's Financial Crime Guide provides detailed guidance on EDD obligations.
Step 4: Ongoing Monitoring
KYC is not a one-time event. MLR 2017 requires firms to keep customer information up to date and monitor business relationships on an ongoing basis. High-risk customers typically warrant annual reviews; standard risk customers may be reviewed every three to five years. Any unusual transaction or change in customer circumstances triggers an immediate reassessment.
| Risk Level | Review Frequency | Due Diligence Standard |
|---|---|---|
| Low risk | Every 5 years | Simplified CDD permissible |
| Standard risk | Every 3 years | Standard CDD required |
| High risk / PEP | Annually | Enhanced Due Diligence mandatory |
Suspicious Activity Reporting (SAR)
Any employee or business that knows or suspects that another person is engaged in money laundering must submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA). The NCA's SARs Online portal processed over 901,000 SARs in the year ending September 2024. Failure to report a known or suspected instance of money laundering is a criminal offence under POCA 2002, carrying a maximum sentence of five years' imprisonment.
Tipping off a suspect that a SAR has been filed is also a criminal offence under Section 333A of POCA 2002.
KYC Documents: What to Collect and Accept
Users on compliance forums regularly ask what constitutes acceptable KYC evidence. The FCA does not prescribe a definitive list but requires that evidence be "satisfactory" and from a "reliable, independent source."
For individuals, standard acceptable documents include:
- Proof of identity: valid passport, national identity card, or photocard driving licence
- Proof of address: utility bill, bank statement, council tax bill, or HMRC correspondence dated within three months
For businesses, standard requirements include company registration documents from Companies House, articles of association, and confirmation of the Ultimate Beneficial Owner (UBO) structure. Our KYB guide for business document verification covers the additional checks required when onboarding corporate clients.
Consequences of Non-Compliance
The FCA's enforcement record demonstrates that KYC failures attract severe sanctions:
- Civil financial penalties: unlimited for most breaches under FSMA 2000
- Criminal prosecution: for individuals under POCA 2002 and the Terrorism Act 2000
- Prohibition orders: banning individuals from working in regulated financial services
- Withdrawal of FCA authorisation: effectively shutting down the business
Our KYC requirements for 2026 guide provides a detailed breakdown of the regulatory changes businesses need to prepare for this year.
Automating KYC: eKYC in Practice
Manual KYC processes are slow, expensive, and error-prone. Industry data indicates that manual KYC onboarding can take 30 to 90 days for complex corporate clients, with document collection accounting for 60% of that time. Electronic KYC (eKYC) platforms cut these timelines dramatically.
CheckFile's automated document verification solution processes over 200 document types across 195 countries in under 10 seconds, with tamper detection and liveness checks built in. Explore our pricing plans designed for businesses of all sizes.
For a broader perspective on compliance best practices, our documentary compliance guide covers the full landscape of document verification obligations across regulated sectors.
KYC and AML: Understanding the Relationship
KYC and AML are often used interchangeably, but they are distinct. KYC is the customer identification and verification layer, a component of a broader AML programme. AML encompasses the full suite of controls required to detect, prevent, and report money laundering: transaction monitoring, SAR filing, staff training, risk assessments, and governance frameworks. Our AML compliance guide explains how KYC fits within a complete AML programme.
Frequently Asked Questions
What is KYC in banking?
KYC in banking is the mandatory process by which banks and other financial institutions verify the identity of their customers before opening accounts or providing services. Under the MLR 2017, UK banks must collect proof of identity and address, verify their authenticity, assess money laundering risk, and monitor the relationship on an ongoing basis. Failure to comply can result in unlimited fines from the FCA.
What documents are required for KYC?
For individuals, standard KYC documents are a valid government-issued photo ID (passport, national identity card, or driving licence) and proof of address from the last three months (utility bill, bank statement). For businesses, you need company registration documents, details of directors, and identification of beneficial owners holding more than 25% of the entity.
What is KYC in crypto?
KYC in crypto means the same thing as in traditional finance: exchanges and wallet providers must verify the identity of their users before allowing them to trade or hold assets. Since January 2020, FCA-registered cryptoasset businesses in the UK are subject to the full MLR 2017 requirements, including CDD, EDD for high-risk users, and ongoing transaction monitoring.
What is the difference between KYC and AML?
KYC (Know Your Customer) is the identity verification and risk assessment process applied at customer onboarding and throughout the relationship. AML (Anti-Money Laundering) is the broader framework of controls, of which KYC is one element, designed to prevent, detect, and report money laundering and terrorist financing. Every regulated business needs both: KYC to know who its customers are, and AML controls to monitor what those customers do.
How long does KYC take?
For individuals with standard documentation, digital KYC can be completed in under two minutes. For corporate clients requiring UBO verification and enhanced due diligence, the process typically takes between three and fifteen business days depending on the complexity of the corporate structure and the jurisdictions involved.