The KYC process is the four-stage discipline financial institutions follow to verify customer identity and manage financial-crime risk through the full customer lifecycle. The stages are: Customer Identification Programme (CIP) at onboarding, Customer Due Diligence (CDD) for risk profiling, Enhanced Due Diligence (EDD) for high-risk relationships, and ongoing monitoring with re-verification. The framework is grounded in FATF Recommendations 10 to 12 and operationalised under jurisdiction-specific rules: the BSA in the United States, AMLD-series directives in the European Union, and the RBI Master Direction on KYC in India.
A written process is not a working programme. The gap between the two shows up in per-stage timing, failure modes, sector variants, the India-specific RBI process layer, and the operational metrics teams use to know whether the process is actually doing its job. Adjacent disciplines fill in the rest: the explainer of what KYC compliance involves, customer due diligence, enhanced due diligence, and KYC best practices.
What the KYC process is: the 4 stages in 60 seconds
Every working KYC process moves through the same four stages, regardless of jurisdiction or sector. The names and acronyms vary across regulators, but the underlying flow is consistent.
The 4 stages at a glance
Stage 1: Customer Identification Programme (CIP). Capture customer data and verify identity through documents, biometrics, and authoritative-database checks.
Stage 2: Customer Due Diligence (CDD). Assign a risk tier based on identity, geography, occupation, source of funds, and product mix. Identify beneficial owners for legal-entity customers.
Stage 3: Enhanced Due Diligence (EDD). Apply deeper diligence to high-risk customers, politically exposed persons, customers from FATF-monitored jurisdictions, and complex ownership structures.
Stage 4: Ongoing monitoring + re-verification. Continuously re-screen against sanctions, PEP, and adverse media data. Monitor transactions for behavioural anomalies. Refresh KYC on a risk-tier-based cadence.
Why the process exists
KYC exists to prevent fraud, comply with AML and CFT obligations, and meet regulator requirements that span FATF Recommendations, the Bank Secrecy Act, the USA PATRIOT Act, the EU AMLD/AMLR series, and the PMLA. The stakes are visible in the headlines: enforcement actions in the hundreds of millions of dollars, license risk, and reputational damage that compounds across years.
The KYC process: visual workflow
The process is easier to grasp as a flow, including the full path from data capture through to ongoing monitoring, with the EDD branch where high-risk customers are routed.
The full 5-step workflow
In production, the four stages decompose into five operational steps:
- Data capture: the customer enters identity attributes through the onboarding flow.
- ID and address verification: documents are validated against authoritative databases, and address is cross-checked.
- Biometric and liveness check: face match against the document photo, with passive single-image liveness to detect spoof attempts.
- Risk scoring + CDD/EDD: a risk tier is assigned. Low and medium-risk customers proceed; high-risk customers branch into EDD.
- Ongoing monitoring: sanctions and adverse media re-screening, transaction monitoring, and periodic refresh.
How the process changes for digital vs in-person
Digital onboarding compresses the first three steps into a single session. V-CIP or eKYC orchestrates document capture, OCR, biometric matching, and liveness detection in minutes. In-person onboarding extends the same three steps across days, with physical OVDs, signed declarations, and branch verification at the institution’s pace. The compliance content is identical; only the operational shape differs.
Stage 1: Customer Identification Programme (CIP)
CIP is the first stage and the gateway to everything that follows. Most regulatory enforcement actions point back to a CIP failure where the institution did not establish identity to the required standard.
Required identity attributes
The standard attribute set is full name, date of birth, address, government-issued identification number, and contact details. For Indian customers, PAN and Aadhaar are the dominant pairing. PAN is mandatory for any account that will see meaningful transaction volumes, and Aadhaar is the entry point to the eKYC channel.
Document verification methods
OCR plus template matching extracts data from the identity document. Issuing-authority API checks then validate the document against authoritative databases: Aadhaar against UIDAI, PAN against the Income Tax department, Voter ID against the Election Commission. Cross-reference against sanctions and watchlist sources runs in parallel, surfacing any matches that need human review. The list of officially valid documents sets the document set institutions accept.
Biometric and liveness as part of CIP
Modern CIP layers biometric checks on top of document verification. Face match runs between the customer’s live capture and the photo on the identity document. Passive single-image liveness, certified at iBeta PAD Level 1 or 2, detects printed photos, screen replays, and synthetic media. Deepfake detection sits alongside, identifying patterns synthetic media leaves behind. The video KYC reference covers the V-CIP channel in operational depth.
Stage 2: Customer Due Diligence (CDD)
CDD is the risk-profiling stage. Where CIP establishes identity, CDD establishes the kind of relationship the institution is signing up for.
Standard CDD components
CDD has three core components. Source-of-funds verification is performed at a depth proportionate to the risk tier. Beneficial-ownership identification applies to legal-entity customers, typically anyone controlling more than 25% of the entity. Customer risk rating combines identity attributes, geography, occupation, product mix, and behaviour into a low / medium / high tier.
When CDD escalates to EDD
Several triggers escalate a customer from standard CDD to EDD. PEP detection fires when the customer or a related party is a politically exposed person. Adverse media hits where the underlying coverage suggests financial-crime risk also escalate. So do high-risk geography (a customer connected to a FATF-monitored jurisdiction) and high-risk industry (cash-intensive business, gambling, certain crypto activities).
Risk scoring models
Two model families dominate. Rules-based models use explicit thresholds defined by the compliance policy; they are simple to audit and explain. Machine-learning-based models learn patterns from historical data; they are more nuanced but harder to defend in audit unless the model design and training data are well documented. Most production systems combine both: rules-based for the high-stakes and high-explainability decisions, and ML for the pattern-recognition layer.
Stage 3: Enhanced Due Diligence (EDD)
EDD is the discipline applied to relationships where standard CDD is not enough. It adds documentation depth and senior management accountability that the standard tier does not require.
EDD documentation requirements
EDD adds source-of-wealth documentation: proof of how the customer accumulated their assets, not just where the current funds came from. Senior management approval is required for the relationship to proceed. Re-screening cadence is more frequent than the standard CDD tier requires. The enhanced due diligence reference covers the operational layer in detail.
Common EDD triggers in practice
The trigger list is fairly stable across institutions: PEP relationships, including domestic and foreign PEPs, family members, and close associates; cash-intensive businesses, money service businesses, and certain hospitality and entertainment categories; high-risk jurisdiction onboarding, including FATF-monitored countries and sanctions-adjacent geographies; and layered ownership structures, where the beneficial-owner walk runs through multiple jurisdictions.
Stage 4: Ongoing monitoring + re-verification
This is the stage most articles treat as an afterthought. In practice, it is where most of the financial-crime detection actually happens.
Transaction monitoring vs identity monitoring
There are two parallel disciplines here, and both are required. Transaction monitoring watches for behavioural anomalies in the customer’s transaction patterns: sudden volume changes, unusual counterparties, structuring patterns. Identity monitoring watches the customer’s identity attributes for change: document expiry, biometric drift across re-authentication events, contact-detail changes. The AML red-flags reference covers the pattern set both disciplines look for.
Periodic re-KYC obligations
Per Q22 of the RBI FAQ on the Master Direction on KYC, India mandates periodic updation at least once every two years for high-risk customers, eight years for medium-risk, and ten years for low-risk. Globally, cadences typically run shorter: one to three years for high-risk, three to five years for medium, five years for low. The actual cadence is policy-defined within regulator-set ceilings.
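An added example, not taken from the original article or from any vendor's code: a rules-based tiering pass that applies the CDD escalation triggers, the 25% beneficial-ownership threshold, and the 2/8/10-year updation ceilings described above, and returns the reasons behind each decision so it can be audited. The jurisdiction and industry sets, the medium-tier rule, and all field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy inputs (placeholders, not a regulator-published list).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
HIGH_RISK_INDUSTRIES = {"cash_intensive", "gambling", "crypto"}
BENEFICIAL_OWNER_PCT = 25.0  # "more than 25%" threshold from the CDD section
REKYC_YEARS = {"high": 2, "medium": 8, "low": 10}  # ceilings the page cites from RBI FAQ Q22


@dataclass
class Customer:
    customer_id: str
    country: str
    industry: str
    is_pep: bool = False
    adverse_media: bool = False
    owners: dict = field(default_factory=dict)  # owner name -> % held (legal entities only)
    last_kyc: date = date(2024, 1, 1)


def edd_triggers(c):
    """Return the list of EDD escalation reasons that apply, in a fixed order."""
    checks = [
        ("pep", c.is_pep),
        ("adverse_media", c.adverse_media),
        ("high_risk_geography", c.country in HIGH_RISK_JURISDICTIONS),
        ("high_risk_industry", c.industry in HIGH_RISK_INDUSTRIES),
    ]
    return [name for name, hit in checks if hit]


def add_years(d, years):
    """Add whole years; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def assess(c, today):
    """Recompute tier and re-KYC due date from current attributes (avoids stale ratings)."""
    reasons = edd_triggers(c)
    if reasons:
        tier = "high"
    elif c.owners:  # assumption: legal entities default to medium
        tier, reasons = "medium", ["legal_entity"]
    else:
        tier = "low"
    due = add_years(c.last_kyc, REKYC_YEARS[tier])
    return {
        "customer_id": c.customer_id,
        "tier": tier,
        "edd_required": tier == "high",
        "reasons": reasons,
        "beneficial_owners": sorted(o for o, pct in c.owners.items()
                                    if pct > BENEFICIAL_OWNER_PCT),
        "rekyc_due": due,
        "overdue": today > due,
    }
```

Because `assess` derives the due date from the tier computed at call time, a customer whose tier rises to high is immediately measured against the two-year ceiling rather than the one set at onboarding.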
Perpetual KYC (pKYC): the next frontier
pKYC is the shift from scheduled refresh cycles to event-driven continuous re-assessment. Sanctions list changes, adverse media patterns, address-change signals, and risk-rating recalculations drive targeted updates instead of blanket periodic refreshes. The KYC best practices reference covers the implementation pattern.
Per-stage timing benchmarks
The actual time each stage takes in production varies by channel, complexity, and queue depth. The ranges below are typical envelopes rather than guarantees.
How long each stage actually takes
Stage 1 (CIP): 30 seconds to 5 minutes for digital channels with Aadhaar OTP eKYC or DigiLocker pulls; one to three business days for branch-only manual onboarding.
Stage 2 (CDD): five minutes to two hours for automated risk scoring on standard customers; one to seven business days when manual review is needed for source-of-funds documentation or non-standard ownership structures.
Stage 3 (EDD): one to fourteen business days, depending on the depth of source-of-wealth documentation and the number of senior management sign-offs required.
Stage 4 (Ongoing monitoring): real-time for event-driven sanctions screening; minutes to hours for transaction-monitoring alerts; weekly or daily batch processes for periodic adverse media re-screens, depending on the underlying tooling.
What slows the process down
The slowdowns cluster in predictable places. Manual review backlogs build up in the CDD and EDD stages. Document quality issues defeat OCR and force re-submission. Sanctions screening false-positive volumes consume analyst capacity faster than alert resolution can keep up. Customer-side friction adds its own tax: V-CIP slot wait times, document upload failures, and liveness rejections.
Failure modes: where KYC processes actually break
The patterns are consistent across institutions. Almost every audit finding maps to one of three buckets, and reading them in order is useful because each one tends to expose the next.
Onboarding drop-off
This is the single biggest operational failure. The common drop-off points are familiar: liveness check rejection that misclassifies real customers as spoofs, document upload friction driven by image quality requirements, and V-CIP wait times that frustrate customers into abandonment. The Aadhaar eKYC channel has been the most effective drop-off-reduction lever in India because it removes both the document-upload and the V-CIP-wait failure modes.
False positives in screening
Sanctions and PEP name collisions where the underlying name is common across the population are the second pattern. The cost of manual review escalation compounds at scale; each cleared alert has a real-money cost. Tuning the false-positive rate down to a sustainable level (typically 3 to 5% for mature programmes) is one of the highest-leverage disciplines in compliance operations. The sanctions screening reference covers the design choices that decide the rate.
Stale risk ratings
The risk tier assigned at onboarding never gets updated even when the underlying behaviour shifts. Auditors look for this pattern explicitly because it indicates the ongoing-monitoring discipline has failed. Programmes moving toward perpetual KYC reduce stale-rating exposure because risk ratings are recalculated continuously.
India-specific KYC process
The Indian process maps to the global four-stage framework but adds intermediate steps that institutions operating under the RBI Master Direction must follow. The differences are operational rather than philosophical.
RBI Master Direction stages
The Indian flow runs through five named stages. Pre-KYC covers application and initial data capture. In-principle account opening allows limited operations while full KYC is in progress, where permitted. Full KYC covers verification and biometric capture. Periodic updation runs the 2/8/10-year cadence per Q22 of the RBI FAQ. Re-KYC is triggered by risk-tier change, suspicious-transaction signal, or sanctions/PEP list update. The breakdown of recent RBI Master Direction amendments covers how the process has evolved through 2025.
V-CIP / Video KYC as a process variant
Per Q19 of the RBI FAQ, V-CIP is treated on par with face-to-face customer identification. It is permitted for new customer onboarding, for converting Aadhaar OTP-based eKYC accounts to full-KYC, and for periodic updation. Recording, geo-tag capture, and live agent verification are required. The V-CIP in banks reference covers the bank-specific implementation.
CKYCR record upload obligation
Reporting entities under the PML Rules upload customer KYC data to the Central KYC Records Registry, operated by CERSAI. Per Q14 of the RBI FAQ, the CKYCR assigns a unique KYC Identifier per customer that can be reused across regulated entities on consent.
Sector variants: how the process differs by industry
The four-stage framework is universal. The operational shape depends heavily on the sector, and treating one sector’s playbook as universal is one of the more common ways programmes fail.
Banks and NBFCs
Banks and NBFCs sit under primary RBI oversight via the Master Direction. They run the standard four-stage process with a CKYCR upload obligation for new accounts. The most resourced compliance programmes typically sit here. V-CIP is the dominant non-face-to-face channel.
Fintech (lending, payments, wealth)
Fintech often operates under a partner-bank pass-through model, where the fintech captures KYC and the partner bank holds it under its own RBI obligations. API-first integration is the norm. Drop-off sensitivity is the highest of any banking-adjacent sector because customer acquisition cost is high.
Gaming (real-money, fantasy)
Gaming carries an age-verification overlay on every onboarding. The onboarding speed pressure is higher than any other sector, and drop-off sensitivity is brutal. MeitY rules from July 2023 added a verification overlay specific to online real-money gaming. State-level variance across India adds geo-routing complexity on top of the verification flow.
Crypto and VASPs
The PMLA expansion to Virtual Asset Service Providers since March 2023 brought crypto exchanges under reporting-entity obligations. Travel rule and on-chain transaction monitoring overlays sit alongside the standard four stages. The cryptocurrency AML reference covers the wider context.
Insurance
Insurance carries an IRDAI overlay on top of the underlying RBI/SEBI baseline. Agent-distributed KYC adds intermediary risk that pure direct-to-customer flows do not have, since the human in the middle becomes part of the control surface. The IRDAI insurance KYC reference covers the sector-specific differences.
Metrics: what to measure on a live KYC process
A working KYC process is observable. The metrics below are the ones programmes track to know whether the process is healthy or quietly degrading.
Conversion + drop-off rates
Per-stage drop-off captures the percentage of customers who start a stage and do not complete it. Concentration above 30% at any single stage suggests friction worth investigating. Auto-approval rate captures the share of submissions that complete without manual intervention. Higher is generally better, but only if the false-negative rate (customers wrongly cleared) stays low.
Compliance + accuracy metrics
The compliance side has four anchor metrics. False-positive rate on sanctions and PEP screening tracks the share of alerts that prove not to be real matches. Manual-review queue depth tracks how many cases are waiting for analyst attention. Time-to-verify (median and 95th percentile from data capture to decision) reveals the long tail that customer-experience teams hear about first. Re-KYC completion rate tracks the share of customers due for periodic refresh who complete it before the regulatory ceiling.
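An added example, not part of the original article: computing per-stage drop-off with the 30% alert threshold, auto-approval rate, and median and 95th-percentile time-to-verify from onboarding session records. The stage names, the record layout, the sample sessions, and the choice of decided sessions as the auto-approval denominator are all assumptions constructed for illustration.

```python
import math
from statistics import median

STAGES = ["data_capture", "id_verification", "liveness", "risk_scoring"]
DROP_OFF_ALERT = 0.30  # "above 30% at any single stage" from the section above

# Constructed sessions: stages completed (0-4), whether an analyst touched the
# case, and seconds from data capture to decision (None if abandoned).
SESSIONS = [
    {"done": 4, "manual": False, "secs": 60},
    {"done": 4, "manual": False, "secs": 90},
    {"done": 4, "manual": False, "secs": 120},
    {"done": 4, "manual": True, "secs": 7200},
    {"done": 4, "manual": False, "secs": 45},
    {"done": 2, "manual": False, "secs": None},
    {"done": 2, "manual": False, "secs": None},
    {"done": 2, "manual": False, "secs": None},
    {"done": 1, "manual": False, "secs": None},
    {"done": 0, "manual": False, "secs": None},
]


def stage_drop_off(sessions):
    """Share of sessions that started each stage but did not complete it."""
    rates = {}
    for i, stage in enumerate(STAGES):
        started = sum(1 for s in sessions if s["done"] >= i)
        completed = sum(1 for s in sessions if s["done"] > i)
        rates[stage] = (started - completed) / started if started else 0.0
    return rates


def percentile(values, pct):
    """Nearest-rank percentile: no interpolation, so the result is an observed value."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def report(sessions):
    rates = stage_drop_off(sessions)
    decided = [s for s in sessions if s["done"] == len(STAGES)]
    times = [s["secs"] for s in decided]
    auto = sum(1 for s in decided if not s["manual"])
    return {
        "drop_off": rates,
        "flagged_stages": [st for st in STAGES if rates[st] > DROP_OFF_ALERT],
        "auto_approval_rate": auto / len(decided) if decided else None,
        "ttv_median_secs": median(times) if times else None,
        "ttv_p95_secs": percentile(times, 95) if times else None,
    }
```

On the sample data the median hides the single manually reviewed case, while the 95th percentile surfaces it, which is why both are tracked.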
FAQs
What is the KYC process?
The KYC process is a four-stage discipline financial institutions follow to verify customer identity and manage financial-crime risk. The stages are: Customer Identification Programme (CIP) at onboarding, Customer Due Diligence (CDD) for risk profiling, Enhanced Due Diligence (EDD) for high-risk relationships, and ongoing monitoring with re-verification.
What are the 4 steps of KYC?
The four steps are: capture customer data through CIP, verify identity and address through document and biometric checks, risk-profile the customer through CDD, and monitor the relationship continuously with re-screening and periodic updation. EDD applies to high-risk relationships as a deeper layer within CDD.
What are the 3 components of KYC?
The three components recognised under FATF Recommendations 10 to 12 are Customer Identification Programme (CIP), Customer Due Diligence (CDD), and ongoing monitoring. Some treatments add Enhanced Due Diligence as a fourth component or as a sub-component of CDD.
How long does the KYC process take?
Aadhaar OTP-based eKYC clears in real time. V-CIP completes in minutes to hours. Aadhaar offline XML eKYC clears same-day. Branch KYC takes one to three business days for standard customers. EDD-flagged customers can take one to fourteen business days depending on documentation depth.
What is the difference between KYC and AML?
KYC focuses on customer identification and due diligence: verifying who the customer is at onboarding and on refresh. AML is the broader anti-money-laundering discipline that includes KYC, transaction monitoring, suspicious-transaction reporting, sanctions screening, and the institutional posture against financial crime. KYC sits inside AML as one component.
What documents are needed for the KYC process?
The document set is regulator-defined. In India, the RBI Master Direction lists six OVDs (Aadhaar, PAN, Passport, Driving Licence, Voter ID, and NREGA job card), with PAN required in addition to the chosen OVD. Globally, jurisdictions require identity proof, address proof, and beneficial-ownership documentation for legal entities.
What is eKYC?
eKYC, or electronic KYC, is the digital execution of the KYC process. In India, the eKYC channels include Aadhaar OTP-based authentication, biometric-based authentication, offline Aadhaar XML, DigiLocker pulls, and V-CIP. The compliance obligation is identical to physical KYC; only the channel differs.
What is Customer Due Diligence (CDD) in KYC?
CDD is the second stage of the KYC process. It assigns a customer risk tier based on identity, geography, occupation, source of funds, product mix, and behaviour. For legal-entity customers, CDD includes beneficial-ownership identification. CDD escalates to Enhanced Due Diligence for high-risk relationships.
What is V-CIP in KYC?
V-CIP, or Video-based Customer Identification Process, is a live, secure, consent-based audio-visual interaction between a customer and an authorised institution employee, used as a digital equivalent of in-person verification. Per the RBI FAQ, V-CIP is treated on par with face-to-face customer identification.
What is CKYC?
CKYC, or Central KYC, refers to the Central KYC Records Registry operated by CERSAI under the Department of Economic Affairs. Reporting entities upload customer KYC data to the registry, which assigns a unique KYC Identifier per customer that can be reused across regulated entities on consent.
What is re-KYC?
Re-KYC is the periodic refresh of customer KYC. In India, the RBI mandates re-KYC at least once every two years for high-risk customers, eight years for medium-risk, and ten years for low-risk. Re-KYC can also be triggered by risk-tier change, suspicious-transaction signals, or sanctions/PEP list updates outside the periodic cycle.
What is perpetual KYC (pKYC)?
Perpetual KYC is the practice of continuously re-screening and re-verifying customer information based on event triggers (sanctions hits, adverse media patterns, address changes, risk-rating recalculations) rather than fixed refresh cycles. It is increasingly the default operating model for mature compliance programmes.
How does KYC work for crypto exchanges?
Crypto exchanges in India have been reporting entities under PMLA since March 2023, requiring registration with FIU-IND. The KYC process follows the standard four-stage framework with travel rule and on-chain transaction monitoring overlays. Continuous sanctions screening is non-negotiable.
How does KYC work for online gaming?
Online real-money gaming operators in India operate under MeitY rules introduced in July 2023, with verification overlays specific to the sector. Age verification is mandatory on every onboarding. State-level variance across India adds geo-routing complexity. Drop-off sensitivity is the highest of any sector.
What is the cost of running a KYC process?
Direct costs include vendor fees per verification, the technology stack, and internal headcount. Indirect costs include onboarding drop-off, audit remediation, and enforcement action exposure. The total varies enormously by institution size, sector, and customer mix.



