KYC
What Is KYC in Payments? Definition and How It Works
Definition
KYC (Know Your Customer) in payments is the identity verification and due diligence process conducted by payment companies and regulated entities at customer or merchant onboarding to confirm identity, assess risk, and satisfy regulatory obligations before establishing a payment relationship.
How it works
KYC involves collecting, verifying, and recording information about the entity being onboarded. For individual cardholders, this may be limited to identity document verification and address confirmation. For merchants or businesses, KYC typically includes business registration verification, beneficial ownership identification (confirming who ultimately controls the business), industry and MCC assessment, expected transaction volume and profile documentation, and adverse media screening.
Identity verification in KYC can be performed through documentary checks (passports, national ID, company registration documents) or electronic verification (matching submitted details against credit bureau data, government registries, or digital identity services). Document-based verification is the most common approach at higher risk levels.
The KYC risk rating determines the depth of due diligence applied. Standard due diligence (SDD) applies to lower-risk relationships. Enhanced due diligence (EDD) applies to higher-risk entities, politically exposed persons (PEPs), businesses in high-risk categories, or entities with connections to high-risk jurisdictions. Simplified due diligence (SiDD) applies to very low-risk relationships where the regulatory framework permits reduced verification.
Ongoing KYC (sometimes called periodic review or customer due diligence refresh) requires payment companies to periodically re-verify customer information and re-assess risk, rather than treating the onboarding check as a permanent verification. The frequency of ongoing KYC is risk-based: higher-risk relationships are reviewed more frequently.
Why it matters
Merchant onboarding speed is directly affected by KYC: more extensive due diligence requirements lengthen onboarding timelines. Payment providers with automated KYC processes (electronic verification, risk-based tiering) onboard merchants faster than those relying entirely on manual document review.
Beneficial ownership identification is mandatory for corporate merchants: regulators require identification of natural persons with ultimate control or significant ownership of a legal entity. For merchants with complex corporate structures, this requires tracing ownership up to the natural person level, which can be time-consuming.
KYC data has a GDPR dimension: the personal data collected during KYC is subject to GDPR obligations, including lawful basis (legal obligation, Article 6(1)(c)), retention period (AML 5-year minimum), and data subject rights. The interaction between AML retention requirements and GDPR right-to-erasure requests requires documented handling procedures.
PayFacs must conduct KYC on sub-merchants: a merchant operating as a PayFac has direct KYC obligations for each sub-merchant it onboards. The depth of KYC required by card schemes for sub-merchants varies by transaction volume and merchant category, with higher-risk categories requiring more extensive verification.
With PXP
PXP conducts AML-compliant KYC due diligence on all merchant onboardings. KYC processes are risk-tiered, with standard, enhanced, and simplified due diligence applied based on merchant risk profile. PXP's onboarding documentation requirements are available in the merchant onboarding guide.
Frequently asked questions
What information is typically required for merchant KYC?
Standard merchant KYC requires: business registration documentation; beneficial ownership information (identifying natural persons with 25%+ ownership or control); identity documents for directors and significant owners; business bank account details; description of business model and expected transaction volumes; MCC classification; and any relevant licences (for regulated categories like gambling or financial services). Higher-risk merchants may also require proof of address, audited accounts, or site visits.
What is enhanced due diligence and when does it apply?
Enhanced due diligence (EDD) is a more thorough level of KYC applied to higher-risk relationships. It applies to politically exposed persons (PEPs) and their associates, merchants in high-risk categories (gambling, crypto, adult content, pawn), businesses with connections to high-risk jurisdictions identified by FATF, and relationships with complex or opaque ownership structures. EDD involves more extensive document collection, source of funds verification, and senior management approval.
How does ongoing KYC work in practice?
Ongoing KYC requires payment companies to periodically re-verify customer information to ensure it remains accurate and the risk assessment remains current. In practice, this means scheduled review cycles based on risk rating (high-risk customers reviewed annually; low-risk customers every 3-5 years), plus event-triggered reviews when significant changes occur (ownership change, new business activity, adverse media alerts). Automated monitoring tools flag accounts for review when trigger events occur.
What is the difference between KYC and CDD?
KYC and CDD (Customer Due Diligence) are used interchangeably in many contexts. Strictly speaking, KYC refers to the identity verification component, confirming who the customer is. CDD is the broader concept that encompasses KYC plus ongoing risk assessment and monitoring. In regulatory frameworks (particularly EU AML directives), CDD is the formal term for the complete due diligence obligation, of which identity verification is one component.