Guide: KYC and AML Requirements by Entity Type

This guide provides general, FATF-aligned KYC/AML requirements for onboarding by entity type. Specific requirements - including beneficial ownership thresholds, acceptable documents, certification rules, and when simplified due diligence is permitted - vary by jurisdiction, sector, and organisational policies.  

 

 

Individuals 

Individuals are typically the simplest customer type to onboard. However, businesses are required, thorough identity verification and a clear baseline of expected activity, to confirm their clients and related parties are legitimate, and to understand the reason for the relationship, and identify risk indicators such as sanctions and political exposure.  

 

Key requirements:

• Proof of identity - Government-issued photo ID (passport, driving licence, national ID). Additional verification or second ID may be required for higher-risk cases.  
  
• Personal information - Full name, date of birth, nationality, residential address. Proof of address and tax identifier number may also be required.  
  
• Purpose and expected activity – Why the relationship exists and what baseline activity looks like (income source, likely transaction types, typical volumes, relevant geographies). 
  
• Authority - Verify authority (power of attorney/guardianship) and apply KYC to the relevant principal and any additional controllers where applicable. 

Most jurisdictions will require that the documentation provided is validated either through an Electronic Identification system, or through wet-ink certification identifying the legal identification is a “true likeness” to the individual.   

 

Corporations and LLCs/LTDs (limited companies) 

Corporations require evidence of legal existence and a clear view of ultimate beneficial ownership, direct ownership and controllers. The aim is to ensure the company is real and operating legitimately, and to identify the people who ultimately benefit from or direct activity. 

 

Key requirements:

• Formation and registration evidence - Certificate of incorporation/formation plus reliable registry evidence (status, registered office, identifiers).
  
• Address - Registered address and trading address evidence where relevant.  
  
• Ownership structure and UBO identification - Identify and verify ultimate natural persons with ownership/control (shareholder register/cap table, voting rights, structure chart for layered ownership).  
  
• Directors and authorised signatories - Identify and verify relevant directors/controllers and anyone operating the relationship.  
  
• Service providers - Identify and verify key parties such as administrator, custodian, prime broker, and their jurisdictions. 
  
• Business activity and purpose – Identify what the company does, where it operates, and why it needs the relationship. Note expected flows and any counterparties. 
  
• Source of funds/wealth (risk-based) - Identification is particularly important for new entities with large funding, unusual activity, complex ownership, or high-risk sectors/geographies. 

Limited partnerships (LPs) and partnerships 

Partnerships can separate economic ownership from decision-making authority. Limited partnerships commonly place control with the general partner while limited partners contribute capital. The aim is to identify who controls decisions and where the money originates. 

 

Key requirements:

• Partnership agreement/deed - Confirm partner roles, ownership/capital commitments, and control rights. Identify registration evidence where applicable. 
  
• General Partner (GP) and controllers - Identify and verify the GP and, if the GP is an entity, the individuals who control it. Identify authorised signatories and retain authority documentation. 
  Limited Partners (LPs)/partners and beneficial owners - Identify and verify partners who meet your beneficial ownership/control criteria.  
  
• Evidence of ownership/control - Typical sources can include shareholder registers, PSC-style registers where applicable, cap tables, and board resolutions for control rights. 
  
• Purpose and funding – Verify reason for formation, expected activity, and how capital contributions are funded. Stronger evidence may be required where funding is high-value, cross-border, or inconsistent.
  
  
  

Trusts 

Trusts are legal arrangements where in trustees hold and manage assets for beneficiaries. They are widely used for estate planning and asset management but can present higher AML risk because ownership and benefit can be separated and sometimes obscured. The aim is to identify all relevant parties, understand control, and establish the origin of trust assets. 

Key requirements:

• Trust deed and amendments – Establish the trust’s purpose, powers, parties, and operating rules. 
  
• Trust parties – Identify and verify settlor(s), trustee(s), protector(s) (if any), beneficiaries (or clearly defined beneficiary classes), and anyone with effective control. 
  
• Control and authority – Identify who can instruct transactions and whether trustees act jointly. Retain evidence of signing rules and trustee powers. 
  
• Source of funds/wealth - The origin of trust assets and the settlor’s wealth are often required. 
  
• Ongoing updates - Record changes to trustees, protectors, beneficiaries, and controlling powers. Refresh KYC in line with risk. 

Foundations

Foundations are common in international finance centres and often combine features of companies and trusts. The aim is to establish legitimacy, identify who controls decisions, and determine who benefits. 

Key requirements:

• Charter/founding documents - Confirm legal existence, purpose, governance, and key roles. Registration/proof of good standing may be required where relevant. 
  
• Structure and key persons – Identify and verify founder(s), board/council members, guardians/protectors (if any), beneficiaries (or purpose class), and anyone with effective control. 
  
• Authority – Identify who can operate accounts and approve distributions.  
  
• Source of funds/wealth - Verify origin of assets and ongoing funding flows, supported by risk-appropriate evidence. 
  
   

Investment funds (private equity, hedge funds, mutual funds) 

Funds vary widely in legal form and regulation. Some are widely held and tightly regulated. Others are private vehicles with concentrated investors and complex structures. The aim is to confirm the fund is legitimate, identify who controls it, and apply a risk-based approach to investor and funding transparency. 

 

Key requirements:

• Fund structure documentation – Identify appropriate documents for the fund’s formation (LPA for LP funds, prospectus/offering memorandum, constitutional documents, regulatory status where applicable). 
  
• Controllers and operators - Identify and verify the GP/manager/management company and the individuals who operate the relationship. Retain authority evidence. 
  
• Investor approach (risk-based) - Understand investor concentration, jurisdictions, and whether enhanced due diligence is needed for significant investors or other higher-risk indicators.  
  
• Purpose and expected flows - Identify typical inflows/outflows (subscriptions/capital calls, investments, distributions), counterparties, and geographies.  
  
• Source of funds/wealth - Identification is particularly important for private funds with concentrated or higher-risk investor profile
  
  

Estates

Estates involve managing and distributing a deceased person’s assets through an executor or administrator. The aim is to verify legal authority, identify who can act, and ensure distributions align with the lawful estate process. 

 

Key requirements:

• Proof of death and authority - Death certificate and probate/letters of administration (or local equivalent). 
  
• Executor/administrator - Identify and verify the individual(s) with authority to act. Retain evidence of signing rules where there are multiple executors. 
  
• Beneficiaries - Identify beneficiaries from the will/probate and apply risk-based checks where required, particularly for cross-border distributions or unusual arrangements. 
  
• Nature of assets and expected flows - Understand expected inflows (asset realisation, account closures) and planned outflows (liabilities, distributions). 
  
  

Non-bank financial institutions (NBFIs) 

NBFIs may handle cash, cross-border flows, and customer funds. This can create higher AML exposure, particularly where activity is high-volume, opaque, or linked to higher-risk corridors. The aim is to confirm licensing, understand the business model in practical terms, and establish clear monitoring expectations. 

 

Key requirements:

• Licensing/registration - Verify the entity is authorised where required and understand the scope of permissions. 
  
• Full KYB – Verify formation documents, registry evidence, ownership/control, UBOs, directors, authorised signatories, and authority documentation. 
  
• Business model and expected activity – Identify customer types, products, corridors/geographies, typical volumes, counterparties, and what would be unusual. 
  
• Regulatory history (risk-based) - Identify past regulatory action, licence restrictions, or adverse findings. 
  
• Enhanced measures (risk-based) - Enhanced measures require stronger corroboration, clearer funds/wealth narratives for owners/controllers where relevant, tighter monitoring, and more frequent reviews. 

 

General AML/KYC requirements (all entity types)

 

Risk-Based Approach

The successor of the Rule-based approach that regulated industries had been following since the 70s, the Risk-based approach places emphasis on flexibility within internal structures to identify, assess and prioritise threats. KYC/AML controls must be proportionate to risk. The same checks that are appropriate for a low-risk retail customer will not be sufficient for a complex, cross-border structure or a customer linked to higher-risk industries and geographies. A risk profile at onboarding should be refreshed when new information emerges or behaviour changes. 

 

 

Customer Identification, Verification, and Authority

KYC must establish who the customer is and who can act on their behalf.

• Identify the customer using core data (names, dates, addresses, registration details, identifiers).
  
• Verify those details using reliable evidence (government ID, registry extracts, trustworthy data sources, and certified copies where required.
  
• Confirm authority for anyone giving instructions (signatory list, mandate, board resolution, trustee powers, power of attorney).

 

 

Ownership and control

For entities and legal arrangements, the aim is to understand who ultimately owns or controls the relationship. This requires:

• Identifying the natural persons who ultimately own/control the customer. 
  
• Understanding the ownership and control structure, including voting rights, appointment/removal powers, veto rights, and informal control where relevant. 
  
• Recording the rationale when ownership is diffuse or control is exercised through management rather than equity. 

 

Structure Charts

Structure charts should be obtained whenever there is complexity, layering, cross-border ownership, trustees/foundations, nominee roles, multiple share classes, or non-obvious control. A usable chart shows the ownership/control path to the ultimate natural persons and links each layer to supporting documents (registers, agreements, deeds, charters).

 

 

Screening

Screen the customer and relevant connected parties for:

• Sanctions and watchlists 
  
• PEP status 
  
• Adverse media (risk-based, especially for higher-risk customers and when negative information could affect the risk assessment) 
  
• Screening should occur at onboarding and on an ongoing basis to reflect list updates and changing customer risk profile. 

 

 

Source of Funds and Source of Wealth

Source checks should support a credible, evidence-based understanding of how money enters and moves through the relationship.

• Source of funds – the activity(s) that generate the funds for a customer 
  
• Source of wealth - how the ultimate owner acquired their overall wealth.

The strength of evidence should increase when the relationship is higher risk, the values are high, or the funding story is inconsistent with the customer profile.

 

Enhanced Due Diligence

Higher-risk customers, such as those identified as PEPs or where there is exposure to high-risk jurisdictions. require stronger measures. Typical enhanced due diligence measures include deeper independent corroboration, stronger funds/wealth evidence, clearer rationale for complexity, senior approvals for onboarding (common for PEP risk), tighter monitoring, and more frequent reviews.

 

 

Ongoing Monitoring and Refresh

Ongoing monitoring tests whether activity matches the expected profile established at onboarding. KYC refresh keeps information current as customers change (ownership updates, new controllers, new products/geographies, new negative information).

 

 

Record-keeping and Governance

Maintain a defensible audit trail of what was collected, how it was verified, and why risk decisions were made. Ensure policies, procedures, training, QA, escalation routes, and reporting controls are in place. Regulators often require records to be kept for at least 5 years after a customer has been offboarded.  

 

Certification (Electronic and Wet-Ink)

For most due diligence documentation collected, whether in the form of Identity verification documents (such as passports, driving licences, formation documentation) or in the form of Address verification (such as utility bills or bank statements) or structure charts - certification is required to verify that the documents held are true and accurate representations of the relevant individual or entity. This is particularly pertinent for Individual CDD where companies must be sure that the identity verification document is a ‘true likeness’ to the individual.  

Historically, certification has been carried out by a legal or authorised signatory. However, in recent years (in part due to the COVID-19 pandemic), FATF aligned jurisdictions have permitted electronic certification and digital identification, including online biometric checks, to verify customer identities and supporting documents. These checks must be aligned to regulatory requirements and support a risk-based approach.  

 

 

How KYC360 Streamlines Complex Onboarding  

The KYC360 Onboarding solution is built for onboarding complex customers where ownership and control are layered across corporates, trusts, funds, and partnerships. It helps teams visualise and validate UBO structures using KYB sources, automate data collection through dynamic forms and automated entity creation, and apply flexible risk scoring at both the individual and structure level. It also supports faster, more consistent onboarding through a rapid data “waterfall” across multiple vendors, helping reduce friction for clients while improving first-time pass rates and operational efficiency.  

Book a demo with KYC360 today, to discuss how we can help you streamline complex onboarding or read our guide to solving the challenges of complex onboarding.