Real KYC versus formal KYC: when internal policy is no longer enough

Why formal KYC is not enough

In many companies, AML/KYC compliance starts correctly and stops too early. An internal policy is approved, standard templates are adopted, a customer file is drawn up and, formally, it seems that the obligations have been met. In reality, however, the difference between a formal KYC and a real KYC is essential. A formal system produces documents. A real system produces control, traceability and the ability to demonstrate why a customer was accepted, how the risk was assessed and what was done when red flags appeared.

This distinction is not only a matter of good practice; it also follows from the logic of Law no. 308/2017 on the prevention and combating of money laundering and terrorist financing. The legal regime is built on a risk-based approach, and reporting entities are obliged to identify and assess their own money laundering and terrorist financing risks.

In practice, a formal KYC is quite easy to recognize. The company has a general internal policy, sometimes copied from other areas or jurisdictions, without adaptation to the concrete activity. Identification forms are filled out mechanically. The beneficial owner is indicated without a real verification of the ownership and control structure. The client file is created at the beginning of the relationship, but is not updated. Transactions are executed, but without continuous monitoring of the consistency between the client profile, the declared activity and the actual behavior.

What does real KYC mean in practice?

A real KYC works differently. The process starts with a correct identification of the customer and the beneficial owner, but it does not stop there. It continues with risk assessment, establishing the applicable level of diligence, periodically updating information, monitoring transactions and keeping evidence that justifies internal decisions.

This is where one of the most common confusions in practice arises: companies believe that they have solved AML compliance the moment they have collected a copy of the ID card and a signed standard form. In reality, these are just the starting points. The relevant legal question is a different one: can the company demonstrate, in the event of an inspection, why it considered the customer acceptable, how it identified the beneficial owner, what risk factors it analyzed and what it subsequently did to ensure that the data remains current and the business relationship does not become problematic?

The beneficial owner is one of the most sensitive points of this difference between formal and real. Declaring or noting the beneficial owner on a form is not enough if the reporting entity does not effectively understand who ultimately controls the customer or in whose interest the activity or transaction is being carried out. That is why verification of the beneficial owner should be seen not as a bureaucratic formality, but as a central tool for understanding risk.

Data update and continuous monitoring make the difference

Equally important is updating the data. A formal KYC treats customer information as something “collected once, and that is enough”. A real KYC starts from the idea that the customer profile can change: the ownership structure, administrators, the activity carried out, the jurisdictions involved, the transactional behavior or the source of funds. Without a periodic or event-based update, the customer file quickly becomes useless from a compliance point of view.

Continuous monitoring is another criterion that separates the two models. If a company does not track whether the customer’s transactions and behavior are compatible with the initially declared profile, then its KYC remains only a declarative one. On the other hand, when there are internal controls, red flags, internal escalation and evidence of the checks carried out, we can talk about a functional compliance system.

Ultimately, the difference between formal KYC and real KYC is the difference between ticking an obligation and managing a risk. In 2026, for reporting entities and companies exposed to AML requirements, the mere existence of internal policies is no longer enough. What matters is whether these policies live in the company's daily procedures, are consistently applied, and can be demonstrated through documentation, analysis, and clear internal decision traces.

Real KYC versus formal KYC: when internal policy is no longer enough | Soțchi & Partners