Know Your Customer (KYC)

What is "Know-Your-Customer (KYC)"?

Know-Your-Customer (KYC) refers to the identification of customers, a process that involves extensive research.

This includes the following steps in identification:

  • Identification and verification of all contractual partners
  • Identification of beneficial owners
  • Sanctions list comparison
  • PeP check (comparison with lists of politically exposed persons)
  • Adverse media check (recommended: comparison of publications by various media to assess reputational risk)

In addition, there is an obligation to document the collected data and to keep it for five years in compliance with the German Data Protection Regulation (DSGVO).

What is the legal basis for KYC?

The identification of the contracting party - commonly known as "Know Your Customer" checks - is part of the general due diligence obligations under Article 10 of the AMLA.

Legally, Know Your Customer checks are further defined in Sections 11 and 12 of the AMLA. Accordingly, "Obligated persons (...) shall identify contracting partners, any persons acting on their behalf and beneficial owners before establishing the business relationship or before carrying out the transaction." (§11 GwG para. 1 sentence 1). However, it should be noted that different obligated parties - such as brokers - may also have to comply with sector-specific requirements for customer identification, which result from the following sections.

Exceptions to the identification of contractual partners are only permitted if the person to be identified has already been identified on previous occasions and there is no doubt that the information collected has not changed since then (§11 GwG para. 3).

Section 12 AMLA primarily regulates how obligated persons must verify the identity of contractual partners. In this context, the differences in the identification of natural persons (Section 12 AMLA Para. 1) and companies (legal persons) (Section 12 AMLA Para. 2) must be taken into account.

When does the identification obligation under the Money Laundering Act apply?

KYC checks must be carried out by all obligated parties according to the German Money Laundering Act if the specific requirements for their respective industry are met.

Real estate agents, for example, are only required to identify their clients if they broker rental contracts of 10,000 euros or more per month and/or purchase contracts. Car dealers are only obliged to do so from cash transactions of 10,000 euros. In the gaming sector, the limit for stakes or winnings is already 2,000 euros. These specifications are regulated in §10 GwG.

Irrespective of the above-mentioned thresholds, however, obligated parties are always obliged under the Money Laundering Act to comply with the general due diligence obligations vis-à-vis their contractual partners - i.e. also to conduct KYC checks - if there are facts indicating that the assets are related to terrorist financing or money laundering. Due diligence obligations must also be observed if there are doubts regarding the accuracy of the information on the identity of the parties involved in the transaction. This is regulated by §10 par. 3 nos. 3 and 4.

KYC check: What data has to be collected?

If the contractual partner to be identified is a natural person, then data must be collected in accordance with Section 11 GwG Paragraph 4 No. 1. These are:

  • First name and surname
  • Place of birth
  • Date of birth
  • Nationality
  • Residential address

Changes in the contracting parties during a business relationship must also be documented by the obligated parties according to Section 11 AMLA Paragraph 6.

What data must be collected to identify companies?

If the contractual partner to be identified is a company - i.e. a legal entity - then data must be recorded in accordance with §11 GwG para. 4 no. 2. These are:

  • Company name, name or designation
  • Legal form
  • Registration number, if available
  • Address of the registered office or principal place of business
  • Names of the representatives / members of the representative body

For the identification of beneficial owners, further information is required according to §11 GwG para. 5. In some cases, this also includes extracts from the transparency register.

Changes in the contracting parties during a business relationship must also be documented by the obligated parties according to Section 11 AMLA Paragraph 6.

What documents are required for the KYC check?

In general, Kerberos requires the following documents for a KYC check:

If the contract partner to be identified is a natural person, a copy of a valid identification document* (ID) is sufficient.

For the identification of companies - i.e. legal entities - Kerberos requires the following documents:

  • Name of the company,
  • Registration (in Germany: commercial register number + register court; for foreign companies: an equivalent register number),
  • Registered office (street, house number, postcode, city),
  • Copy of a valid identity document* (ID) of the appearing person (the person with whom you are conducting negotiations or who is your contact person),
  • Surname and first name of the beneficial owner of the company.

*Valid identity documents are in particular:

  • German identity card,
  • EU identity card incl. proof of address (registration confirmation or a recurring consumption bill (telephone, gas, water, electricity, etc.)),
  • Passport incl. proof of address (see above).

What is Due Diligence?

Due diligence is generally understood to be an extended Know Your Customer check - i.e. an in-depth check of the identity of business partners and customers. While due diligence is generally always recommended, it is only mandatory in certain cases - namely when there is an increased risk of money laundering or terrorist financing.

What exactly is meant by "enhanced" due diligence is only vaguely defined in Section 15 AMLA on enhanced due diligence obligations. Among other things, it states that "appropriate measures" must be taken to identify assets (Section 15 (4) AMLA). Likewise, in certain cases, "additional information" must be obtained about contracting partners and beneficial owners, without a more precise definition of where the information is to be retrieved and how much there should be. Within Europe, there are still different standards with regard to these checks, which sometimes makes the cross-border prosecution of money launderers more difficult.

You can find out more about the due diligence process with Kerberos here on our solutions page.

The risk assessment provides information on whether a business relationship should be maintained or terminated and provides a solid basis for decision-making. For this purpose, various databases are used to disclose as many connections to business partners, service providers and other third parties as possible.

Who needs due diligence?

On the one hand, due diligence can be used to comply with the identification obligation under money laundering law. In addition, it is also useful for any company that wants to know who it is doing business with. It is "smart business", so to speak, to know who you are doing business with.

Why do companies and organizations need due diligence?

Due diligence is an in-depth and intensive examination of business partners to identify any anomalies. This can involve all kinds of issues, from bad press to actual criminal matters to organized crime. General, extended information about a business partner, such as licenses or the countries in which a business partner is active, can also be useful for a business decision.

A due diligence check can be used as a follow-up check to the identification of a business partner under money laundering law. This is because, on the one hand, there is a legal obligation to conduct extended investigations in accordance with the German Money Laundering Act if an increased risk arises in connection with a business partner. Furthermore, it is also useful overall to be informed about risks in connection with business partners in order to reduce one's own reputational or criminal risk.

What and who are beneficial owners?

The beneficial owner is the natural person who owns or controls the contracting party or at whose instigation a transaction is carried out or a business relationship is established.

According to this definition, beneficial owners include any natural person who indirectly (e.g. through shares in a company) or directly (e.g. as a private individual) owns more than 25% of the capital shares and/or more than 25% of the voting rights. In practice, however, the situation is complicated.

For example, start-ups are often financed through different sources, so that private investors and companies sometimes hold equal stakes in these companies and each own more than 25% of the voting rights or capital shares.

In the case of multi-level shareholding structures, the natural persons - possibly also through several legal entities - who exercise control over the contracting party according to the above standard must be determined. If, for example, a natural person directly owns 30% of a company while a legal partnership holds the remaining 70%, the beneficial owners of the legal partnership must also be indicated as indirect beneficial owners.

This assessment is based on legal information from the Federal Office of Administration on the obligation to report beneficial owners in the transparency register. According to this, persons who can prevent fundamental decisions via a blocking minority also count as beneficial owners. Thus, if two natural persons each hold 50% of the voting shares of a company, both are considered beneficial owners of this company.

Since 2017, beneficial owners must be entered in the transparency register. In this register, the beneficial owners of legal entities, companies and associations are to be centrally recorded and made publicly accessible.

What are "FIU suspicious transaction reports" and what must be observed when complying with reporting obligations?

One of the obligations of the AMLA is to report suspicious transactions to the FIU (Financial Intelligence Unit) via the goAML portal. Obligated persons must register with this portal for this purpose. Violations of this obligation can be punished with fines.

The report includes answers to the following four basic questions - but should be enriched with further information:

  • Who is it about?
  • What was purchased?
  • What was suspicious?
  • Additional conspicuous features

A non-exhaustive - but further-reaching list of information to be included in SARs can be found here. After the examination of SARs, the FIU sends the reporters corresponding requests for action.

Why are countries on the FATF risk lists?

The FATF (Financial Action Task Force) consists of 39 member states. It establishes international criteria to combat and prevent money laundering, terrorist financing and proliferation financing and verifies their worldwide compliance. The advantage of compliance is that countries receive a kind of seal of approval that facilitates access to the international market. If no strategic deficit is identified in an FATF audit, other countries do not have to comply with special security measures in trade with these very countries. If countries are on the so-called "grey list", they show (according to the FATF) strategic deficits in the implementation of international requirements or, as in the case of Syria, have not been able to be audited by the international organisation for a long time. International trade can adjust to the particular risks associated with the FATF's assessment and exercise special caution. The naming of a country on the "black list", as is currently the case only with Iran and North Korea, is explicitly linked by the FATF with the recommendation not only to exercise special caution, but also to immediately impose sanctions to protect the international market. A complete overview of the lists can be found here.

What is a "sanctions list check" and a "PeP check"?

According to the Money Laundering Act, contracting partners must be checked to see if they are politically exposed persons. This means that it is checked whether they hold or have held political office. This would result in stricter due diligence requirements.

In addition, it is advisable to check whether contractual partners are on sanctions lists.

In this process, it makes a difference whether it is a natural or legal person - especially with regard to their beneficial owners. In particular, persons against whom international sanctions have been imposed often use company networks that conceal the identity of the beneficial owners. Under certain circumstances, sanctions can be circumvented in this way. The identification of the actual beneficial owners and their comparison with sanctions lists are accordingly important components of the KYC process.

KYC checks therefore also help to comply with international sanctions and prevent corruption. If the authorities determine that there are avoidable illegal business transactions due to structural deficits in compliance with customer due diligence obligations, there is sometimes not only the threat of fines. There is also the risk of high reputational damage and the possibility that countries such as the USA could initiate further legal action.
