Explanation · AML

KYC: records, triggers, and follow-up

KYC stands for know your customer and describes the work of identifying the customer, understanding the purpose of the relationship, and reopening the file when risk facts change. It matters at onboarding, during periodic review, and when earlier information is no longer enough for a new decision. For every material outcome, record the source, timestamp, rationale, policy version, and owner role.

Quick answer

  • KYC applies when a business relationship starts, when an occasional transaction must be assessed, when there is suspicion, and when earlier customer data is no longer adequate.
  • Keep identity evidence, purpose-and-nature notes, risk profile, decision rationale, and owner role so the assessment can be replayed later.
  • A common mistake is treating a screening result as the KYC conclusion.
  • Clear KYC makes follow-up faster and makes later decisions easier to compare and reopen.

Records to keep (for traceable control)

  • Identity and verification evidence: Show which customer details were actually checked — Store as: Source log with timestamp
  • Purpose and nature note: Explain why the relationship is being established and what it is meant to be used for — Store as: Customer profile with purpose field
  • Risk profile and trigger events: Show why the level of diligence was chosen and when renewed review is required — Store as: Risk assessment with version reference
  • Decision note and rationale: Explain why the relationship was accepted, escalated, or followed up — Store as: Review note with rationale field
  • Responsible role and decision date: Show who owned the outcome and when it was taken — Store as: Decision record with owner and date

Definition and scope

KYC means knowing who the customer is, what the relationship is for, and what level of risk the relationship carries. It includes identification, verification, understanding the purpose and intended nature of the relationship, and ongoing review when new facts mean an earlier decision should be tested again.

For risk and compliance teams, that makes KYC broader than a single ID check. The work also includes risk profiling, deciding whether more information about ownership or control is needed, and keeping the records that allow a later reviewer to explain why the original decision was reasonable at the time.

When those elements stay connected, KYC becomes a traceable process rather than a set of isolated controls. When they are split across systems, notes, and one-off screening findings, similar customers become harder to handle consistently.

Why KYC matters

KYC shapes which relationships you start, what needs deeper review, and when an existing file must be revisited. It affects onboarding, periodic review, and the judgement that decides whether an earlier outcome still stands.

Weak records create avoidable remediation work. If a reviewer cannot reconstruct which data was collected, which purpose was documented, or which risk profile applied when the decision was taken, the organisation ends up relying on memory instead of evidence.

It also affects how well later controls work. PEP or sanctions findings are harder to assess if the baseline facts about the customer, the purpose of the relationship, and the earlier rationale are not available in the same review trail.

What needs to be assessed in each case

Each KYC case needs to start with identity and reliable sources. Teams need to know who the customer is, which details have been verified, and which parts of the file still rely on customer-provided information or incomplete external data.

The next step is to understand the purpose and intended nature of the relationship. Knowing who the customer is is not enough if it is still unclear why the relationship is being established, how it will be used, and which risk facts mean more measures are needed.

In some cases, teams also need ownership or control data, for example when a company has no clearly registered beneficial owner or when the natural person who should be assessed needs to be found through fallback logic. When that happens, the file also needs to show why those specific details were used in the case.

Common pitfalls

  • Identity is verified at the start, but the purpose and intended nature of the relationship are documented too thinly.
  • Earlier customer data is reused even when new facts should trigger renewed review.
  • Screening findings are stored without a clear connection to the customer risk profile and the rationale behind the decision.
  • Ownership or control evidence is collected, but it is unclear why those specific details mattered in the case.
  • Policy version or responsible role is missing, which makes similar customers harder to compare later.

These problems are usually operational rather than theoretical. The issue is rarely whether teams know KYC is required. The issue is whether evidence, risk logic, and review notes actually stay connected in day-to-day work.

A process for KYC

1) Define when KYC must be refreshed

Set out which events should lead to fresh collection, new verification, or enhanced review. That makes it clear when earlier evidence is no longer enough.

2) Keep evidence separate from decision

Separate source data, verification steps, and the final assessment in each material case. That makes it possible to see both what facts you had and how you used them.

3) Record purpose, risk profile, and rationale

Tie the purpose of the relationship and the risk level to the selected level of diligence. That makes it easier to explain why a case was accepted, monitored, or escalated.

4) Reopen the file when facts change

If transaction patterns, ownership, PEP exposure, or other risk facts change, the same relationship should be reviewed again without forcing the team to rebuild the case from zero.

Roaring field guide

  • Define which events should trigger renewed KYC, enhanced measures, or ongoing follow-up before live cases reach the team.
  • Store identity source, timestamp, purpose note, risk profile, and decision rationale so outcomes can be replayed later.
  • Keep baseline facts, screening outputs, and the final judgement separate so each step can be explained clearly.
  • Route new risk events to the right team or process with enough context to support a fresh decision.
  • Treat KYC as an ongoing review discipline rather than a one-off onboarding check.

How Roaring can help

  • The KYC platform can bring sanctions, PEP, and beneficial-owner screening into one workspace and support customer measures when a case needs deeper review.
  • Integration Suite can bring person and company data into existing workflows so identity checks, review steps, and decision support can run in the same process.
  • Lookup can act as the entry path for teams that want to test data, verify details manually, or understand information needs before building an integration.
  • Monitoring and webhooks can route new events into existing workflows when sanctions exposure, ownership, or other risk facts change after onboarding.
