What does Know-Your-Customer (KYC) mean?

Why does a KYC procedure have to be carried out?

The natural enemy of money laundering is transparency, so it is important to know your customer. According to the Money Laundering Act, the central task is to determine and verify certain customer data. The more unusual the individual case, the more information must be collected about the customer.

All processes and documents must be comprehensively documented. The documentation protects you and the company from having to pay high fines. The supervisory authorities check that complete documentation is available for each customer.

How does a KYC procedure work?

The KYC process is essentially divided into three sections: Identification, i.e. the collection of data from the customer, verification and, finally, risk assessment. The individual steps can be very complicated.

KYC for natural persons

If your customer is a natural person, i.e. not a company, there are a few things to bear in mind. Firstly, you must establish exactly who the contractual partner is. Sometimes it can happen that another person acts on behalf of the contractual partner. There can be various reasons for this, e.g. the contractual partner is not on site or there are language barriers. However, it is also possible that someone is deliberately being used as a front man. The person acting as a front man must therefore always be included in the verification process in accordance with the Money Laundering Act. The following information must be collected from the contractual partner and any person acting as a front man:

First name and surname, place of birth, date of birth, nationality (both in the case of dual nationality) and
a residential address

All information of the customer and any persons appearing must be verified by a valid identification document.

KYC for legal entities

If the customer is a legal entity, i.e. a company, there are many things to consider. Firstly, you need to establish exactly who the contractual partner is. There are many types of company, such as limited liability companies, public limited companies, limited partnerships or civil law partnerships (GbR for short). It is also possible that a foreign company form is involved. The following information must be collected from the contractual partner:

Company name, name or designation, legal form, registration number, if available, address of the registered office or principal place of business and the names of the members of the representative body or the names of the legal representatives.
Representative.

If a member of the representative body or the legal representative is again a legal entity, the company name or designation, legal form, registration number, if available, and address of the registered office or principal place of business must also be collected.

The information must be verified on the basis of suitable documents. These include, for example, an extract from the commercial, co-operative or association register or founding documents or comparable documents.

Appearing person

Companies are always represented by a natural person. This can be the managing director, an authorised signatory or another representative of the company.

The following information must again be collected from the performing person:

First name and surname, place of birth, date of birth, nationality and a residential address.

The information must be verified using a valid official photo ID, e.g. identity card or passport. It must also be checked whether the person appearing is authorised to act on behalf of the contractual partner.

Beneficial owner

Furthermore, a beneficial owner must always be identified for legal entities. This is the natural person who owns or controls a legal entity. It must be checked whether the information requested from the customer matches the information contained in the transparency register.

Risk assessment

Finally, a risk assessment is necessary based on a large number of factors. There are typical risk persons and risk situations where additional measures (so-called enhanced due diligence) must be taken, e.g. in the case of politically exposed persons (PEP), high-risk countries or other conspicuous situations.

At what point does a KYC procedure have to take place?

The KYC procedure must always take place before the business relationship is established.

Doesn't that all speak against data protection?

The Money Laundering Act expressly stipulates that the customer must be identified and checked.
There is a special legal basis for this in § 11a GwG.

How long do the KYC documents have to be kept?

All information collected and verification processes relating to customers must be documented in detail and retained for at least 5 years. A breach of the documentation and retention obligation can be severely penalised.