A KYC programme is not a one-time check at signup. It is a five-stage process that runs from a prospect's first interaction with you through the close of the relationship. Each stage has its own evidence requirements, retention rules, and trigger conditions.
Stage 1: Customer identification (CIP)
Collect verified identifying information. For individuals: legal name, date of birth, residential address, and a government-issued ID number. For entities: registered name, incorporation number, registered office, and beneficial ownership.
Stage 2: Customer due diligence (CDD)
Build a risk profile. What is the customer's occupation? Source of funds? Expected transaction patterns? Geographic exposure? Tier the customer as low, medium, or high risk — this tier drives the rest of the programme.
Stage 3: Enhanced due diligence (EDD)
Trigger EDD when any of the following hold: the customer is a politically exposed person (PEP), the customer is from a high-risk jurisdiction, the customer's business is cash-intensive, expected volume exceeds the threshold, or there is any adverse-media hit. EDD adds: source-of-wealth documentation, in-person verification (or supervised remote), and senior-management sign-off.
Stage 4: Ongoing monitoring
Re-screen the customer against sanctions and PEP lists every 24 hours. Monitor transaction patterns against the expected profile from Stage 2. Re-verify identity periodically by risk tier — annually for high, every 3 years for medium, every 5 years for low.
Stage 5: Record-keeping and offboarding
Retain all verification artifacts for 5 years after the relationship ends. On offboarding, ensure the exit reason is documented (voluntary, regulatory, or risk-based) and that any STR/SAR obligations have been met.
How KYC.bd maps to the process
NID verification covers Stage 1. Liveness binds the human to the identity. Document OCR handles Stage 1 for entities. AML screening drives Stages 2, 3, and 4. The audit receipt covers Stage 5.