draft-kyc-procedure

Category: Coding · Risk: High · Rating 3.9/5 (8) · sboghossian/mini-claude-for-legal · MIT



name: draft-kyc-procedure
description: Use when drafting or reviewing a Know Your Customer (KYC) procedure for a financial institution, fintech, law firm, or regulated business operating under AML/CFT obligations. Covers the full customer due diligence lifecycle — identification, verification, beneficial ownership, risk classification, sanctions screening, PEP checks, and periodic refresh — with specific attention to MENA regulatory frameworks (UAE CBUAE, KSA SAMA, Lebanon SIC, DIFC/ADGM, FATF). Triggers on "kyc", "customer due diligence", "cdd", "aml procedure", or "onboarding compliance" requests.
license: MIT
metadata:
  id: draft.KYC-procedure
  category: draft
  practice_area: financial-crime
  jurisdictions: [UAE, DIFC, ADGM, KSA, LB, EG, GCC, EU, FATF]
  priority: P1
  intent: [kyc, customer due diligence, cdd, aml, sanctions screening, beneficial ownership]
  related: [draft-aml-policy, review-aml-compliance, draft-privacy-policy, draft-dpa-gdpr]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"

KYC / Customer Due Diligence Procedure

When to use this

Use this skill when:

  • Drafting a new KYC/CDD procedure from scratch for a regulated entity
  • Revising an existing procedure to reflect regulatory updates (FATF mutual evaluations, new national AML laws)
  • Onboarding documentation for a specific customer type (individual, corporate, PEP, high-risk)
  • Training and compliance-awareness material for staff

KYC procedures are legally mandated for financial institutions, money service businesses, designated non-financial businesses and professions (DNFBPs — lawyers, accountants, real estate agents above thresholds), and increasingly fintech platforms in all MENA jurisdictions.

Inputs

  • Entity type and regulatory license category (bank, exchange house, fintech, DNFBP)
  • Applicable jurisdiction(s) and regulator(s)
  • Customer segments to be covered (retail individual, corporate, high-net-worth, correspondent institution)
  • Existing risk appetite and risk-scoring model (if any)
  • Whether procedure must comply with FATF Recommendations, or a specific jurisdiction's AML law

The eight-step KYC procedure

Step 1 — Customer identification

Collect sufficient information to establish the customer's identity before the business relationship begins.

Individual customers — collect at minimum:

  • Full legal name (as per government ID)
  • Date of birth
  • Nationality and country of residence
  • Residential address (physical — not PO box)
  • Government-issued photo ID (passport, national ID, driving licence)
  • Taxpayer identification number (where required)
  • Source of income / wealth (for enhanced due diligence customers)

Corporate customers — collect at minimum:

  • Full legal name + trading name
  • Company registration number + jurisdiction
  • Registered address + principal place of business
  • Memorandum and Articles of Association (or equivalent)
  • Certificate of Incorporation / Trade Licence
  • Ownership structure chart (all layers to ultimate beneficial owner)
  • Directors / authorized signatories list with ID for each

Simplified due diligence (SDD) is available in most jurisdictions for low-risk customer categories (listed companies, public authorities, regulated financial institutions in equivalent jurisdictions) — document the basis for SDD.

Step 2 — Independent verification

The identity information collected must be verified against independent, reliable sources. "Reliable" means:

  • Government-issued documents (not photocopies of photocopies)
  • Official registries (company registry, land registry)
  • Regulated data providers (e.g., commercial databases) for corporate structure verification
  • Face-to-face verification or certified equivalent (video KYC where allowed)

For remote onboarding (digital / eKYC): most MENA regulators now accept eKYC using document verification + liveness check, provided the solution meets the regulator's prescribed standards. CBUAE AML Standards 2021 and DIFC AML Module permit this.

Step 3 — Beneficial ownership (BO) mapping

Threshold: FATF recommends 25% ownership or control as the beneficial-ownership threshold; some regulators apply a lower 10% threshold for financial institutions.

For every corporate customer:

  1. Map the ownership chain layer by layer until you reach natural persons who own ≥25% OR exercise control
  2. If no natural person owns ≥25%, identify the natural person who exercises control by other means (board majority, veto rights, contractual control)
  3. Where ownership is through a trust: identify settlor, trustees, and beneficiaries (or class of beneficiaries)
  4. Verify BO identity to the same standard as the customer itself

Document the BO mapping with a signed declaration from an authorized officer of the customer. For complex structures (layers of holding companies, nominees), escalate to Enhanced Due Diligence.

Step 4 — Purpose and nature of relationship

Before opening the account / starting the relationship:

  • Understand the intended purpose (trading account, investment, custody, financing)
  • Expected transaction profile (volume, frequency, typical counterparties, geographic scope)
  • Expected funding sources

Document these expectations in the customer profile. Transactions that deviate materially from the expected profile are a trigger for review.

Step 5 — Source of funds and source of wealth (high-risk customers)

Source of funds (SoF): Where do the funds for this specific transaction come from? Required for all transactions above thresholds and for high-risk customers.

Source of wealth (SoW): How did the customer accumulate their overall net worth? Required for Enhanced Due Diligence customers (PEPs, high-net-worth individuals, customers from high-risk jurisdictions).

Acceptable evidence: audited financial statements, employment contracts / payslips, property sale documents, inheritance records, company ownership proof. Verbal assertions with no documentary support are insufficient for EDD.

Step 6 — Sanctions screening

Screen all parties (customer, beneficial owners, authorized signatories, connected parties) against:

  • UN Security Council consolidated list — mandatory globally
  • OFAC SDN list (US) — mandatory for USD-clearing institutions and US-nexus transactions
  • EU Consolidated Sanctions List — mandatory for EU-connected business
  • UK HMT Financial Sanctions List
  • Local lists: UAE CBUAE List, KSA SAMA List, Lebanon SIC Designated List

Screening must be:

  • Performed at onboarding
  • Repeated at every material transaction
  • Repeated whenever the lists are updated (automated real-time screening is best practice)
  • Applied to all names, aliases, and transliterations (Arabic transliterations of names require fuzzy matching)

A sanctions hit requires immediate freezing and reporting to the relevant Financial Intelligence Unit (FIU). Do not alert the customer (tipping-off prohibition).
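The alias and transliteration point above, as an added illustration that is not code from the skill or the mini-claude-for-legal project: names are normalized (diacritics, punctuation, casing, a small constructed table of Arabic transliteration variants) and then fuzzy-matched against constructed sample list entries, so "Mohamed Rashid" and "Mohammed Al-Rashid" resolve to the same listed party. The list entries, variant table and 0.85 threshold are assumptions; a regulated entity would use the current official lists and a vendor matching engine.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed transliteration table (assumption): variant spellings collapse to
# one canonical token and name particles are dropped, so that "Mohamed
# Al-Rashid" and "Muhammad Rashid" compare equal after normalization.
_VARIANTS = {
    "mohammed": "muhammad", "mohamed": "muhammad", "mohammad": "muhammad",
    "abdul": "abd", "abdel": "abd", "al": "", "el": "", "bin": "", "ibn": "",
}

def normalize(name: str) -> str:
    """Strip diacritics and punctuation, casefold, and map transliteration variants."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).casefold()
    tokens = [_VARIANTS.get(tok, tok) for tok in re.findall(r"[a-z]+", text)]
    return " ".join(tok for tok in tokens if tok)

# Constructed sample entries (not real designations); each carries a primary
# name plus aliases, as consolidated lists do.
SANCTIONS_LIST = [
    {"id": "LIST-0001", "names": ["Mohammed Al-Rashid", "Muhammad Rashid"]},
    {"id": "LIST-0002", "names": ["Abdel Karim El-Sayed"]},
]

def screen(party_names, threshold=0.85):
    """Screen every name and alias of one party against every list entry.

    Returns (list_id, party_name, score) tuples, at most one per list entry
    per party name, keyed on the best-scoring listed name or alias.
    Re-run this whenever a list is updated or a material transaction occurs.
    """
    hits = []
    for candidate in party_names:
        cand = normalize(candidate)
        for entry in SANCTIONS_LIST:
            best = max(SequenceMatcher(None, cand, normalize(listed)).ratio()
                       for listed in entry["names"])
            if best >= threshold:
                hits.append((entry["id"], candidate, round(best, 2)))
    return hits
```

A hit feeds the freeze-and-report path described above; the function only flags, it does not decide.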

Step 7 — PEP screening and adverse media

Politically Exposed Persons (PEPs): individuals who hold or have held prominent public functions, their family members, and close associates.

FATF Recommendations require enhanced scrutiny of PEPs. "Foreign PEPs" (PEPs in another country) require EDD; "domestic PEPs" in many jurisdictions also require EDD.

For PEPs:

  • Seek senior management approval before establishing the relationship
  • Document the source of wealth to a higher standard
  • Apply continuous monitoring (not just periodic refresh)

Adverse media screening: Search for negative news linking the customer to financial crime, bribery, corruption, terrorism, tax evasion, or fraud. Commercial adverse media screening tools should be used; manual Google searches are insufficient for regulated entities at scale.

Step 8 — Periodic review / refresh

The customer file must be kept current:

Risk category      Refresh frequency
Low risk           Every 3-5 years
Medium risk        Every 2 years
High risk / PEP    Annually or more frequently
Trigger-based      On significant change (new BO, new business line, large unusual transaction)

Refresh includes: re-verification of expired IDs, re-screening against sanctions and PEP lists, review of transaction history for consistency with expected profile.

Enhanced Due Diligence (EDD) triggers

EDD (deeper investigation, senior management approval) is required when:

  • Customer is a PEP, PEP family member, or PEP associate
  • Customer is from or transacts with a FATF high-risk or monitored jurisdiction
  • Business is conducted non-face-to-face with unusual complexity
  • Transaction has no apparent economic rationale
  • Customer is a shell company or nominee structure without clear business purpose
  • Politically or reputationally exposed transactions (government contracts, gaming, defense)

Risk-scoring framework

Assign each customer a composite risk score based on:

  • Customer risk factors: type (individual/corporate), PEP status, adverse media, industry
  • Geographic risk factors: nationality, country of incorporation, country of operations (FATF high-risk list)
  • Product/service risk factors: cash-intensive, cross-border, high-value, anonymity potential
  • Channel risk factors: non-face-to-face onboarding, intermediary introduced

Document the risk score in the customer file and review it at each periodic refresh.
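The four factor categories, the EDD triggers and the refresh table, combined in one added worked example that is not code from the skill or the mini-claude-for-legal project. The weights, the score bands, and the placeholder high-risk jurisdiction codes are constructed assumptions to be calibrated against the entity's own risk appetite; any EDD trigger overrides the numeric score and forces high-risk handling.

```python
from dataclasses import dataclass, field

# Constructed placeholder for the FATF high-risk / monitored jurisdictions
# (assumption: a live procedure loads the current FATF list instead).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}

# Constructed weights per factor (assumption; calibrate to risk appetite).
PRODUCT_WEIGHTS = {"cash": 2, "cross_border": 1, "high_value": 1, "anonymity": 2}
REFRESH = {"Low": "every 3-5 years", "Medium": "every 2 years",
           "High": "annually or more frequently"}

@dataclass
class CustomerProfile:
    customer_type: str                 # "individual" or "corporate"
    countries: set                     # nationality, incorporation, operations
    is_pep: bool = False               # PEP, family member or close associate
    adverse_media: bool = False
    high_risk_industry: bool = False
    products: set = field(default_factory=set)   # keys of PRODUCT_WEIGHTS
    non_face_to_face: bool = False
    intermediary_introduced: bool = False
    shell_or_nominee: bool = False     # structure without clear business purpose

def edd_triggers(p: CustomerProfile) -> list:
    """Conditions that mandate EDD regardless of the numeric score."""
    triggers = []
    if p.is_pep:
        triggers.append("PEP or PEP associate")
    if p.countries & HIGH_RISK_JURISDICTIONS:
        triggers.append("FATF high-risk or monitored jurisdiction")
    if p.shell_or_nominee:
        triggers.append("shell company or nominee structure")
    return triggers

def composite_score(p: CustomerProfile) -> int:
    """Sum the customer, geographic, product and channel factor weights."""
    score = (p.customer_type == "corporate") + 3 * p.is_pep \
        + 2 * p.adverse_media + 2 * p.high_risk_industry        # customer factors
    score += 3 if p.countries & HIGH_RISK_JURISDICTIONS else 0  # geographic
    score += sum(PRODUCT_WEIGHTS.get(prod, 0) for prod in p.products)
    score += p.non_face_to_face + p.intermediary_introduced     # channel
    return int(score)

def assess(p: CustomerProfile) -> dict:
    """Classify the customer, apply the EDD override, map to refresh frequency."""
    score, triggers = composite_score(p), edd_triggers(p)
    category = "High" if score >= 6 else "Medium" if score >= 3 else "Low"
    if triggers:                       # EDD trigger forces high-risk handling
        category = "High"
    return {"score": score, "category": category, "edd_required": bool(triggers),
            "triggers": triggers, "refresh": REFRESH[category]}
```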

Jurisdictional notes

Jurisdiction    Primary regulatory framework
UAE (federal)   Federal Decree-Law 20/2018 (AML Law); Cabinet Decision 10/2019 (AML Executive Regulation); CBUAE AML Standards 2021
DIFC            DFSA Rulebook AML Module (AMI); mirrors FATF with common-law overlay
ADGM            FSRA AML and Sanctions Rules; similar to DFSA; periodic guidance notices
KSA             AML Law (Royal Decree M/39/2003 as amended); SAMA AML Guidance for Banks; SAMA Crypto AML Rules
LB              Law 44/2015 (AML Law); Special Investigation Commission (SIC) is the FIU; CBA Circular 83 and subsequent circulars on CDD
EG              Law 80/2002 and its amendments; EFSA AML Guidelines; Central Bank AML instructions
FATF            40 Recommendations (2012, updated 2023); Guidance on Beneficial Ownership, Guidance on Virtual Assets

Output format

A KYC procedure document should include:

  1. Policy statement — commitment to AML/CFT compliance, regulatory basis, scope of application
  2. Customer risk classification matrix — scored table
  3. CDD checklist per customer type (individual / corporate / PEP / correspondent)
  4. EDD checklist
  5. Screening procedure — lists used, frequency, escalation on hit
  6. Periodic review calendar and triggers
  7. Record-keeping requirements — retention period (5 years minimum under FATF; 10 years in some jurisdictions)
  8. Escalation and reporting chain — to Compliance Officer, then to FIU if applicable
  9. Staff responsibility matrix — who does what at each step

Limits and escalation

  • This skill assists with procedure drafting; final compliance sign-off requires a qualified AML compliance officer
  • Sanctions hit handling and STR/SAR filing require legal and compliance review before action
  • Cross-border KYC requirements may interact — engage local counsel in each jurisdiction
  • Laws and regulatory guidance change frequently; verify currency of all regulatory references before publishing the procedure

Related skills

  • [[draft-aml-policy]]
  • [[review-aml-compliance]]
  • [[draft-privacy-policy]]
  • [[draft-dpa-gdpr]]
  • [[draft-dpa-ksa-pdpl]]