What is KYC?
KYC (Know Your Customer) is a legally required process through which businesses identify, verify and assess the risk of their customers in order to prevent money laundering, terrorist financing and financial crime.
In practice, however, KYC is more than a regulatory obligation. It is the foundation of responsible business conduct. As a central part of the Danish Anti-Money Laundering Act, KYC defines how businesses document that they know who they are entering into relationships with.
When carried out correctly, KYC does not merely document who the customer is — it also demonstrates that the business understands the risk inherent in the relationship. This is precisely the understanding that supervisory authorities expect to see during an inspection.
KYC is therefore not simply an administrative formality. It is an active risk management tool.
An effective KYC process — also referred to as a customer due diligence (CDD) procedure — consists of five core elements. These elements are interconnected and must be viewed as a single, coherent process. Together, they ensure that the business maintains an accurate and well-documented understanding of the customer:
1. Customer identification: Collection of basic information such as name, address and personal or company registration number.
2. Identity verification: Verification of the customer’s identity using reliable and independent sources, such as passports, driving licences or official registers.
3. Identification of beneficial owners: For corporate entities, the natural persons who ultimately own or control the company must be identified and verified.
4. Risk assessment: A concrete assessment of the risk that the customer may be involved in money laundering or terrorist financing.
5. Ongoing monitoring: Regular updates of customer information and assessment of whether the risk profile changes over time.
It is not sufficient simply to complete these steps. The business must be able to explain and document its approach. KYC is as much about documentation as it is about control. It is not a one-off onboarding exercise, but an ongoing obligation throughout the customer relationship.
KYC serves both a societal and a commercial purpose. Broadly speaking, it protects three things:
- Society from financial crime
- The business from regulatory risk
- The organisation from reputational damage
Inadequate or insufficient KYC can lead to enforcement orders, fines or public criticism from supervisory authorities. However, the consequences do not end there. For many organisations, reputation and trust are at least as valuable as any financial penalty.
In an era of tightened regulation and increased public scrutiny of financial crime, compliance is no longer a back-office function. It is an integral part of corporate accountability and credibility.
The KYC requirement applies to businesses covered by anti-money laundering legislation. This includes:
- Banks and financial institutions
- Lending and financing companies
- Insurance providers
- Auditors and audit firms
- Lawyers
- Bookkeepers
- Real estate agents
In Denmark, audits are carried out by:
- Finanstilsynet - Danish Financial Supervisory Authority (financial institutions)
- Erhvervsstyrelsen - Danish Business Authority (auditors and bookkeepers)
At European level, anti-money laundering efforts have been strengthened through the establishment of AMLA, which aims to ensure more consistent enforcement across Member States.
The direction is clear: greater transparency, more documentation and higher expectations of risk understanding.
The terms KYC and AML are often used interchangeably, but they refer to different aspects of compliance.
In short, KYC is the practical execution, while AML (Anti-Money Laundering) is the overarching regulatory framework. A mature compliance function understands and manages both.
| KYC | AML |
|---|---|
| A specific process for identifying and verifying customers | The overall legal and regulatory framework to combat money laundering |
| Performed at onboarding and on an ongoing basis | Includes risk assessments, policies, procedures and reporting obligations |
| A component of AML requirements | The overarching regulatory structure |
Anti-money laundering regulation is built on a risk-based approach. This means businesses are not required to treat all customers identically, but instead to tailor their level of control according to the specific risk involved.
Businesses must, among other things:
- Conduct an overall risk assessment
- Define internal policies and risk appetite
- Establish clear procedures and controls
- Document and justify their assessments to supervisory authorities
A low-risk customer requires less extensive due diligence than a high-risk customer. What matters is that the assessment is documented and defensible.
The key question is not: “What have we checked?”
But rather: “Have we applied proportionate controls, and can we justify why?”
A strong risk culture is characterised by considered decisions — not simply extensive procedures.
A PEP (Politically Exposed Person) is an individual who holds a prominent public function and is considered to present a higher risk of corruption and money laundering. Examples include ministers, members of parliament or senior public officials.
If a customer is identified as a PEP, enhanced due diligence measures must be applied. This is not based on suspicion, but on risk management. PEP requirements are a clear example of how regulation operationalises the risk-based approach.
KYC must be carried out when establishing a new customer relationship and updated on an ongoing basis. This may be required, for example, when there are significant changes in the customer’s circumstances.
The frequency depends on the risk level. Higher risk requires closer and more frequent monitoring.
What matters is that the business can document why the chosen review frequency is appropriate. Standard intervals without an underlying risk assessment are rarely sufficient.
During supervisory inspections, authorities assess whether the business can demonstrate its understanding of risk and the controls it has implemented. Non-compliance may result in:
- Enforcement orders
- Formal reprimands
- Fines
- Criminal referral
Supervisory reports are published and may impact both reputation and customer trust. Compliance with KYC is therefore not merely a legal matter — it is a business-critical concern.
KYC is often perceived as resource-intensive, particularly when processes are handled manually and documentation is fragmented.
However, complex regulation does not have to result in complex workflows. By partnering with a software provider to digitalise the KYC process, businesses can:
- Structure and document risk assessments
- Automate the collection and validation of information
- Support ongoing monitoring
- Centralise documentation for supervisory inspections
When your KYC process is systematised, your compliance efforts become not only easier to manage — but also more robust.
Compliance should not be a burden. It should be an integrated part of your organisation.
At Creditro, we work to make exactly that possible: bringing together regulatory requirements and efficient workflows, so businesses can focus on their core operations without compromising on documentation or legal obligations.