What does Know-Your-Customer (KYC) mean?

Why must a KYC process be conducted?

The natural enemy of money laundering is transparency. That is why it is essential to know your customer. According to the German Anti-Money Laundering Act (GwG), a key obligation is to collect and verify specific customer data. The more unusual a case appears, the more information must be gathered about the customer.

All procedures and documents must be thoroughly documented. Proper documentation protects both you and your company from severe fines. Supervisory authorities routinely check that complete and accurate records are available for every customer.

How does the KYC process work?

The KYC process typically consists of three stages: 1. Identification – collecting customer data 2. Verification – confirming the information using valid documents 3. Risk assessment – evaluating the level of AML/CFT risk These steps can be complex and must be tailored to the individual case.

KYC for natural persons

If your customer is a natural person (i.e. not a legal entity), certain aspects must be considered. First, it must be determined exactly who the contracting party is. It may happen that another person appears on behalf of the actual customer – for example, due to absence, language barriers or even as a so-called “front person”. This individual must always be included in the verification process under the GwG.

The following information must be collected from the contracting party and, if applicable, the person acting on their behalf: First and last name, Place and date of birth, Nationality (both, if dual nationality), Residential address.

This information must be verified using a valid official identification document, such as a passport or national ID card.

KYC for legal entities

If the customer is a legal entity (e.g. a company), the process is more extensive. First, you must determine who the actual contracting party is, considering various legal forms such as GmbH, AG, KG or GbR. Foreign corporate forms may also be relevant. The following information must be collected:

Company name or designation, Legal form, Register number (if available), Address of the registered office or main place of business, Names of the members of the executive or representative body or legal representatives.

If a member of the executive body is itself a legal entity, the same information must be collected for that entity as well.

Verification must be based on suitable documentation, such as: Extracts from the commercial, cooperative or association register, Incorporation documents or equivalent official records.

Acting person

In business transactions, a natural person always appears on behalf of a company – e.g. the managing director, an authorised signatory (Prokurist), or another legal representative.

The following information must be collected from the acting person:

First and last name, Place and date of birth, Nationality and Residential address.

This must be verified using an official photo ID, such as a passport or national ID. It must also be confirmed that the person is authorised to act on behalf of the customer.

Beneficial owner

For legal entities, the beneficial owner must also be identified. This is the natural person who ultimately owns or controls the company. It must be verified whether the information provided by the customer matches the entries in the German Transparency Register.

Risk assessment

A final step is the risk assessment, based on numerous factors. Certain persons and situations require enhanced due diligence, such as: Politically exposed persons (PEPs), high-risk countries, unusual or suspicious circumstances.

When must a KYC process be conducted?

The KYC process must be completed before entering into a business relationship.

Doesn’t all of this conflict with data protection?

No – the Anti-Money Laundering Act explicitly provides a legal basis for identifying and verifying customers. This is set out in Section 11a GwG.

How long must KYC documents be retained?

All collected data and verification steps must be carefully documented and retained for at least five years. Failure to comply with these documentation and retention requirements may result in significant penalties.