KYC/CDD is the foundation every other financial-crime control rests on: establish who the customer really is, who ultimately owns and controls them, and what normal looks like for them. Get this thin and your monitoring, screening and reporting are all built on sand. What follows covers CDD vs EDD, beneficial ownership, eKYC, and the ongoing-diligence loop.
KYC is not the box at onboarding. It is a living model of the customer that other controls query — and it decays the moment you stop maintaining it.
KYC (Know Your Customer) and CDD (Customer Due Diligence) are the obligation to identify and verify who you are doing business with, understand the nature and purpose of the relationship, and keep that understanding current. CDD is the FATF/regulatory term; KYC is the operational practice, often used interchangeably.
Everything downstream depends on it. Sanctions screening needs accurate identity data to match against lists. Transaction monitoring needs a baseline of "normal" for this customer to detect the abnormal. Beneficial-ownership visibility is what exposes who actually controls a shell. Thin KYC poisons every other control silently — the alerts you never get are the ones the missing data would have raised.
CDD applies on a risk-based basis: standard diligence for ordinary customers, simplified for demonstrably low-risk ones, and Enhanced Due Diligence (EDD) for higher-risk cases — PEPs, high-risk jurisdictions, complex ownership, correspondent banking.
| CDD element | What you do |
|---|---|
| Identify & verify the customer | Collect identity attributes and verify them against reliable, independent sources (ID document, registry, biometrics). |
| Identify the beneficial owner | Determine the natural person(s) who ultimately own or control the customer; verify on a risk basis. |
| Understand purpose & intended nature | Why is this relationship being formed? What activity is expected? This becomes the monitoring baseline. |
| Conduct ongoing due diligence | Keep information current and scrutinise activity against the expected profile over the life of the relationship. |
FATF (Recommendation 10) frames CDD as four things you must do. EDD adds intensity on top — not a different list, but deeper and ongoing.
The point of beneficial ownership (UBO) is to pierce corporate structures and identify the natural person who ultimately owns or controls a customer — typically via an ownership threshold (commonly 25%, lower for higher risk) and/or control by other means (voting rights, senior management, trust arrangements).
This is hard precisely because it is what criminals work to obscure — nominee directors, layered holdings across jurisdictions, trusts. It is also the data that OFAC’s 50% rule (see sanctions) depends on: without UBO you cannot see an entity that is sanctioned-by-ownership. South Africa’s creation of beneficial-ownership registers (Companies and Intellectual Property Commission, and the Master’s Office for trusts) was a central FATF action item behind its 2025 greylist exit.
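The two calculations above are easy to conflate, so here is an added worked example (not code from the page or from any registry or vendor) that keeps them apart. It walks a constructed, hypothetical ownership graph to compute each natural person's effective stake, applies the UBO threshold (25%, or a lower one for higher-risk cases) plus control by other means, and separately applies the OFAC-style 50% aggregation, which propagates blocked status through intermediate entities rather than multiplying fractions. All names, holdings and the designation list are constructed for illustration.

```python
from collections import defaultdict

# Constructed ownership graph for illustration (hypothetical names, not real entities).
# Each holding is (owner, owned_entity, fraction_of_equity_held).
HOLDINGS = [
    ("Alice", "HoldCo A", 0.60),
    ("Bob", "HoldCo A", 0.40),
    ("HoldCo A", "MidCo", 0.70),
    ("Carol", "MidCo", 0.30),
    ("MidCo", "Customer Ltd", 0.80),
    ("Erin", "Customer Ltd", 0.20),
]
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Erin", "Frank"}
# Control by other means (e.g. sole director, power to appoint the board), per customer.
CONTROL_BY_OTHER_MEANS = {"Customer Ltd": {"Frank"}}
# Constructed designation list (hypothetical; a real check uses the published sanctions lists).
DESIGNATED = {"Alice"}


def _owners_of(holdings):
    """Index holdings by the entity that is owned."""
    owners = defaultdict(list)
    for owner, owned, frac in holdings:
        owners[owned].append((owner, frac))
    return owners


def effective_ownership(customer, holdings=HOLDINGS, natural_persons=NATURAL_PERSONS):
    """Multiply fractions up the chain to get each natural person's effective stake."""
    owners_of = _owners_of(holdings)
    stake = defaultdict(float)
    stack = [(customer, 1.0, frozenset([customer]))]
    while stack:
        entity, frac, seen = stack.pop()
        for owner, share in owners_of.get(entity, []):
            if owner in natural_persons:
                stake[owner] += frac * share
            elif owner not in seen:  # guard against circular holdings
                stack.append((owner, frac * share, seen | {owner}))
    return {p: round(v, 4) for p, v in stake.items()}


def identify_ubos(customer, threshold=0.25):
    """UBOs: natural persons at or above the ownership threshold, plus control by other means."""
    ubos = {p: f"{v:.1%} effective ownership"
            for p, v in effective_ownership(customer).items() if v >= threshold}
    for person in CONTROL_BY_OTHER_MEANS.get(customer, set()):
        ubos.setdefault(person, "control by other means")
    return ubos


def blocked_by_ownership(holdings=HOLDINGS, designated=DESIGNATED):
    """50%-rule style aggregation: an entity is blocked when blocked owners hold >= 50% in
    aggregate. Blocked status propagates: once an intermediate entity is blocked, its whole
    holding counts, so this is deliberately not the effective-ownership multiplication above."""
    owners_of = _owners_of(holdings)
    blocked = set(designated)
    changed = True
    while changed:
        changed = False
        for entity, owners in owners_of.items():
            if entity not in blocked and sum(f for o, f in owners if o in blocked) >= 0.5:
                blocked.add(entity)
                changed = True
    return blocked - set(designated)


if __name__ == "__main__":
    print(effective_ownership("Customer Ltd"))   # Alice 33.6%, Bob 22.4%, Carol 24%, Erin 20%
    print(identify_ubos("Customer Ltd"))         # Alice (threshold) and Frank (control)
    print(identify_ubos("Customer Ltd", 0.10))   # lower threshold for higher risk: all five
    print(blocked_by_ownership())                # HoldCo A, MidCo and Customer Ltd
```

Note the contrast the sample graph is built to show: Alice's effective stake in Customer Ltd is only 33.6%, yet because she holds 60% of HoldCo A, which holds 70% of MidCo, which holds 80% of the customer, every entity in the chain is sanctioned-by-ownership under the 50% aggregation. Screening on effective percentages alone would miss it.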
Generative video and camera-feed injection can defeat weak liveness checks. Document-plus-selfie is no longer sufficient on its own for higher-risk onboarding — you need robust, tested liveness and ideally source-data corroboration.
A fabricated identity stitched from real and fake attributes (sometimes a real ID number with a different face) can pass document checks. Cross-source corroboration — does the identity exist consistently across independent sources — is the defence.
Onboarding verification with no refresh leaves you screening and monitoring against years-stale data. Ongoing CDD is a requirement, not a nicety — both trigger-based and time-based reviews.
In much of Africa, thin-file customers and informal addresses make rigid documentary KYC exclusionary. Tiered / risk-based KYC (lower limits for lighter verification) is the regulated way to include them — rigid one-size KYC just locks people out.
Relying on a third party’s KYC (or a shared utility) is permitted in many regimes — but you remain accountable. Undocumented reliance is a finding.
eKYC performs identity verification digitally — document capture and authentication, biometric face match with liveness detection, and checks against authoritative data sources. In South Africa this includes verification against the Department of Home Affairs / DHA (and the NPR), and against credit-bureau and other reliable databases. eKYC slashes onboarding friction and cost — but introduces its own attack surface.
KYC design is a friction-vs-risk dial. Every extra check costs conversion; every gap costs exposure. The art is spending diligence where risk actually concentrates.
Apply light, fast verification to demonstrably low-risk, low-limit products and reserve EDD (source of funds, senior sign-off) for the segments your risk assessment flags. Uniform heavy KYC just kills conversion and inclusion.
For any non-individual customer, the UBO chain is where your real exposure hides. Budget for registry access and structure-mapping — it is what makes sanctions and AML actually work.
Liveness and injection-attack resistance, not just pass rates, are the selection criteria. A vendor with a high pass rate and weak liveness is optimising the wrong number.
Event-driven refresh — ownership changes, adverse media, list hits, behavioural shifts — beats calendar-only reviews. It keeps the baseline that monitoring depends on actually current.
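As an added example of the ongoing-diligence loop described here and in the stale-data point above (my code, not the page's or any vendor's), the following decides whether a customer's KYC review is due by combining a risk-rated calendar cadence, out-of-cycle trigger events, and drift of observed activity away from the expected profile captured at onboarding. The review intervals, trigger list, drift multiplier and customer records are constructed policy values, not regulatory ones.

```python
from datetime import date, timedelta

# Calendar cadence by risk rating (constructed policy values; set yours from your risk assessment).
REVIEW_INTERVAL_DAYS = {"low": 5 * 365, "medium": 3 * 365, "high": 365}

# Events that force an out-of-cycle review regardless of the calendar.
TRIGGER_EVENTS = {"ownership_change", "adverse_media", "list_hit", "pep_status_change"}

# Observed activity this far outside the onboarding profile is itself a trigger (constructed).
DRIFT_MULTIPLIER = 3


def review_due(customer, today, events=()):
    """Decide whether a KYC review is due and why.

    customer: dict with risk_rating, last_review (date), expected_monthly_turnover and
    observed_monthly_turnover. Returns (due, reasons)."""
    reasons = []
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[customer["risk_rating"]])
    if today - customer["last_review"] >= interval:
        reasons.append(f"calendar review overdue ({customer['risk_rating']} risk, every {interval.days} days)")
    for event in events:
        if event in TRIGGER_EVENTS:
            reasons.append(f"trigger event: {event}")
    expected = customer["expected_monthly_turnover"]
    observed = customer["observed_monthly_turnover"]
    if expected > 0 and observed > DRIFT_MULTIPLIER * expected:
        reasons.append(f"behavioural shift: observed turnover {observed:,} vs expected {expected:,}")
    return bool(reasons), reasons


def next_calendar_review(customer):
    """The date the calendar alone would bring this customer back for review."""
    return customer["last_review"] + timedelta(days=REVIEW_INTERVAL_DAYS[customer["risk_rating"]])


def review_queue(customers, today, events_by_id):
    """Customers whose review is due, highest risk first, each with its reasons."""
    order = {"high": 0, "medium": 1, "low": 2}
    queue = []
    for cid, cust in customers.items():
        due, reasons = review_due(cust, today, events_by_id.get(cid, ()))
        if due:
            queue.append((cid, reasons))
    queue.sort(key=lambda item: order[customers[item[0]]["risk_rating"]])
    return queue


# Constructed sample records (hypothetical customers).
CUSTOMERS = {
    "C1": {"risk_rating": "low", "last_review": date(2022, 1, 15),
           "expected_monthly_turnover": 5_000, "observed_monthly_turnover": 4_000},
    "C2": {"risk_rating": "high", "last_review": date(2024, 6, 1),
           "expected_monthly_turnover": 50_000, "observed_monthly_turnover": 48_000},
    "C3": {"risk_rating": "medium", "last_review": date(2023, 3, 10),
           "expected_monthly_turnover": 10_000, "observed_monthly_turnover": 45_000},
}
EVENTS = {"C2": ["ownership_change"]}

if __name__ == "__main__":
    for cid, reasons in review_queue(CUSTOMERS, date(2025, 9, 1), EVENTS):
        print(cid, reasons)
```

In the sample, C3 is nowhere near its three-year calendar date but surfaces anyway because its turnover has drifted to 4.5x the onboarding expectation; a calendar-only regime would leave monitoring comparing against that stale baseline for another two years.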
Use the regulator-sanctioned tiered approach (e.g. lower-limit accounts with lighter verification) to include thin-file customers without breaching CDD. Verify against DHA/authoritative sources where available; document the reliance.
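To make the risk-based and tiered approach concrete (the simplified / standard / EDD split described earlier, the tiered-KYC point for thin-file customers, and the friction-vs-risk guidance just above), here is an added example of my own, not the page's or any regulator's. It assigns a verification tier from the evidence actually verified, maps risk factors to a diligence level with the EDD measures that follow, and enforces a tier's transaction limit so that a customer who outgrows a light tier is upgraded rather than blocked from the system. Tier names, evidence sets, limits, the jurisdiction codes and the EDD measures are constructed placeholders.

```python
# Constructed tier policy (hypothetical limits; use the thresholds your regulator and
# risk assessment set). Ordered highest tier first.
TIERS = [
    # (name, verification evidence required, monthly transaction limit or None for unlimited)
    ("full", {"name", "id_number", "id_document", "selfie_liveness",
              "authoritative_source", "address"}, None),
    ("standard", {"name", "id_number", "id_document", "selfie_liveness",
                  "authoritative_source"}, 100_000),
    ("basic", {"name", "id_number", "mobile"}, 10_000),
]
TIER_LIMITS = {name: limit for name, _, limit in TIERS}

HIGH_RISK_JURISDICTIONS = {"XX", "YY"}  # placeholder codes, not a real list
EDD_MEASURES = ["source of funds and wealth", "senior management sign-off",
                "intensified ongoing monitoring"]


def assign_tier(verified_evidence):
    """Highest tier whose evidence requirements are fully met; None if not even basic."""
    for name, required, _ in TIERS:
        if required <= set(verified_evidence):
            return name
    return None


def diligence_level(profile):
    """Map risk factors to simplified / standard / enhanced.

    Returns (level, factors that drove it, additional measures required)."""
    factors = []
    if profile.get("pep"):
        factors.append("politically exposed person")
    if profile.get("country") in HIGH_RISK_JURISDICTIONS:
        factors.append("high-risk jurisdiction")
    if profile.get("ownership_layers", 0) >= 2:
        factors.append("complex ownership structure")
    if profile.get("correspondent_banking"):
        factors.append("correspondent banking relationship")
    if factors:
        return "enhanced", factors, list(EDD_MEASURES)
    if profile.get("customer_type") == "individual" and profile.get("tier") == "basic":
        return "simplified", ["individual on a low-limit tier"], []
    return "standard", [], []


def check_transaction(tier, month_to_date, amount):
    """Enforce the tier's monthly limit; a breach means 'upgrade verification', not 'lost customer'."""
    limit = TIER_LIMITS[tier]
    if limit is None or month_to_date + amount <= limit:
        return True, "within tier limit"
    return False, f"would exceed {tier} tier monthly limit of {limit:,}; upgrade verification to proceed"


if __name__ == "__main__":
    # Constructed thin-file individual: mobile-verified only, no formal address.
    evidence = {"name", "id_number", "mobile"}
    tier = assign_tier(evidence)
    print(tier, diligence_level({"customer_type": "individual", "tier": tier, "country": "ZA"}))
    print(check_transaction(tier, 9_500, 600))
    # Constructed company with layered ownership: EDD regardless of product.
    print(diligence_level({"customer_type": "company", "ownership_layers": 3, "country": "ZA"}))
```

The design choice worth noting is that the risk factors, not the tier, decide when EDD applies: a thin-file individual on the basic tier gets simplified diligence, but the same tier mapping never lets a PEP or a layered company slip into the light lane.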
Weak KYC is rarely fined on its own — it surfaces as the root cause when monitoring or sanctions fail. Onboarding a sanctioned UBO or a synthetic identity is the failure that every downstream control was supposed to be sitting on top of.