If you onboard clients in regulated industries, you can’t skip Know Your Customer (KYC) verification. The challenge isn’t knowing that you need it — it’s knowing exactly which documents to ask for, in what order, and how to keep track of them once they arrive.
This article gives you the full KYC document checklist: a base list that applies to nearly every regulated business, then industry-specific add-ons for fintechs, real estate, financial advisors, accountants, and crypto exchanges.
The core KYC document checklist
Most regulators (FinCEN in the US, FCA in the UK, AMF in France, MAS in Singapore) expect you to verify three things: who the client is, where they live, and where their money comes from. The document set below covers all three.
| # | Document | Purpose | Validity |
|---|---|---|---|
| 1 | Government-issued photo ID (passport, national ID, driver’s license) | Identity verification | Must not be expired |
| 2 | Proof of address (utility bill, bank statement, lease) | Residence verification | Issued within the last 3 months |
| 3 | Selfie or live video with ID | Liveness check / anti-spoofing | At time of onboarding |
| 4 | Tax identification number (SSN, NIN, NIF, etc.) | Tax reporting and reference | Lifetime |
| 5 | Source of funds declaration | AML compliance | Updated annually for high-risk clients |
| 6 | Bank statement or proof of account ownership | Linking transactions to a verified account | Last 3 months |
| 7 | Sanctions and PEP screening result | Risk scoring | Refresh every 6-12 months |
For corporate clients, add the documents in the next section.
KYB: the corporate equivalent
When the client is a business, individual KYC isn’t enough. You need Know Your Business (KYB) verification on the entity itself, plus KYC on every beneficial owner above the threshold (typically 25%).
| Document | What it proves |
|---|---|
| Certificate of incorporation or business registration | The company legally exists |
| Articles of association / bylaws | Who can act on behalf of the company |
| Proof of registered address | Where the business operates |
| Shareholder registry / cap table | Who owns the company |
| List of ultimate beneficial owners (UBOs) with KYC documents | Who really controls the company |
| Director and officer list with IDs | Who signs and decides |
| Bank account proof (e.g., RIB or voided check) | Where transactions go |
| Latest financial statements or tax return | Financial standing |
| Operating license or industry-specific permit | Right to operate in regulated sectors |
For French companies, you can shortcut several of these by pulling a KBIS extract and SIRET-linked data — Superdocu fetches this automatically from INSEE and INPI when you enter a SIRET number.
Industry-specific KYC checklists
The base list covers most cases, but each industry layers on its own document requirements.
Banks and lenders
- Full KYC + KYB as above
- Source of wealth statement for high-net-worth clients
- Last two years of tax returns
- Pay stubs or proof of income (last 3 months)
- Credit report authorization
- W-9 or W-8BEN (US tax classification)
- FATCA / CRS self-certification
Fintechs and neobanks
- Full digital KYC with liveness
- Phone number and email verification
- Device fingerprint and IP geolocation log
- Source of funds + intended use of account
- Sanctions, PEP, and adverse media screening (refreshed every 6 months)
- Risk-based EDD pack for high-volume or cross-border accounts
Crypto exchanges and Web3 platforms
- Full KYC tier-based on transaction limits
- Wallet address attestation (signed message)
- Source of crypto funds (exchange withdrawal proof, mining income, etc.)
- Travel Rule compliance documents for transfers above the threshold
- Enhanced due diligence for clients in high-risk jurisdictions
Financial advisors, asset managers, and wealth firms
- Full KYC + KYB
- Investor classification questionnaire (retail, professional, eligible counterparty under MiFID II)
- Risk profile and suitability questionnaire
- Source of wealth narrative
- Investment policy statement signed by client
- Power of attorney if a third party manages the account
Real estate and property managers
- Government ID + proof of address (standard KYC)
- Proof of funds for the deposit and balance
- Source of funds (mortgage agreement, savings statement, sale of previous property)
- Bank reference letter for cash buyers
- For corporate buyers: full KYB + UBO docs
- AML declaration if the transaction exceeds the local threshold (€10,000 in the EU, $10,000 in the US)
Accounting firms and tax advisors
- Government ID + proof of address
- Tax identification number
- Engagement letter signed
- Authorization to access tax filings (Form 8821 in the US, mandate in France)
- Beneficial ownership declaration for incorporated clients
- Last filed tax return
Insurance companies
- KYC for the policyholder and any named beneficiaries
- Proof of insurable interest
- Source of premium funds for large policies
- Medical questionnaire or report (life and health products)
- AML screening for single-premium policies above the threshold
Common mistakes that fail audits
Regulators don’t fail you for missing one document. They fail you for patterns: stale data, inconsistent collection, and gaps in the audit trail.
Letting documents expire without re-collecting them. Passports expire. Utility bills go stale within 90 days. Sanctions lists update weekly. If you collect once and never refresh, your file is out of date by month four. Document expiration tracking handles this automatically.
Accepting documents over email. Email creates GDPR and security exposure (sensitive personal data sitting in inboxes), no audit trail of who uploaded what, and no version history when the client sends a corrected file. There are better methods for collecting documents from clients.
Skipping the rejection feedback loop. When a document is illegible or the wrong type, telling the client by phone leaves no record. The next reviewer doesn’t know why a document was re-uploaded. Keep rejection reasons in writing inside the file.
Using the same checklist for every risk tier. Standard due diligence works for low-risk retail clients. High-risk clients (PEPs, high-value, cross-border) need enhanced due diligence with extra source-of-wealth documentation. One checklist for everyone is a flag during an audit.
No central view of what’s been collected. If half the documents are in your CRM, half in a shared drive, and half in email, your compliance officer can’t tell at a glance which files are complete. A document collection platform gives you one status per client.
How to automate KYC document collection
Manual KYC takes hours per client: drafting the request email, chasing missing files, reviewing each document, recording decisions, and refreshing data on schedule. Most of that work can be automated.
A modern KYC workflow looks like this:
- Build a reusable KYC workflow with the documents and forms you need, broken into steps the client completes in sequence.
- Send the client a magic link — no password, no account creation. They open the link on any device and start uploading.
- Auto-validate what you can. French KBIS, URSSAF certificates, and transport licenses can be verified automatically against government registries. ID documents can be parsed for name, date of birth, and expiration date.
- Set expiration dates on every document so the system reminds the client before a passport, utility bill, or certificate goes stale.
- Sign the engagement letter or terms inside the same flow with built-in DocuSign integration — no separate tool to chase a signature.
- Approve, reject with feedback, or batch-approve documents from a single dashboard, with a full audit trail of who did what and when.
- Re-run the workflow on a schedule for periodic reviews. Repeatable workflows handle annual KYC refresh automatically.
Superdocu does all of this in one platform, hosted in Europe, GDPR-compliant by default. Workflows can be generated automatically with AI — describe your KYC process in plain language and a complete multi-step workflow appears, ready to customize.
For French firms specifically, the SIRET integration alone saves about 15 minutes per corporate file: enter the number, and company name, address, legal form, beneficial owners, and KBIS validity come back automatically.
Frequently asked questions
What is the difference between KYC and KYB?
KYC (Know Your Customer) verifies an individual: ID, address, source of funds. KYB (Know Your Business) verifies a company: incorporation documents, ownership structure, beneficial owners. KYB always includes KYC on every UBO above the ownership threshold (usually 25%).
How often should I refresh KYC documents?
Low-risk clients: every 24-36 months. Medium-risk: every 12-18 months. High-risk (PEPs, high-value, cross-border): every 6-12 months, with sanctions screening refreshed continuously. Specific frequencies depend on your local regulator.
Can I accept digital copies or do I need originals?
Digital copies are accepted in nearly every major jurisdiction (FinCEN, FCA, AMF, MAS, ASIC) provided the file is legible, captured during onboarding with a liveness check or video call, and stored with a clear audit trail. Some regulators require certified copies for higher-risk products.
What happens if a client refuses to provide a KYC document?
You cannot onboard them. Under most AML regimes, missing required documents means the relationship can’t begin or must be terminated. Document the refusal, file a Suspicious Activity Report if circumstances warrant it, and escalate to your compliance officer.
How long do I need to keep KYC records?
Most jurisdictions require retention for at least 5 years after the end of the business relationship (FATF standard). Some go to 7 or 10 years. Store records in an auditable system with timestamps and user attribution.
Is collecting KYC over email GDPR-compliant?
Generally no. Email transmits personal data unencrypted by default and stores it indefinitely in multiple inboxes. GDPR requires data minimization, security, and a clear legal basis. A purpose-built portal with encryption at rest and in transit, role-based access, and EU hosting is the safer route.
Next step
Manual KYC chases dozens of documents per client across email, spreadsheets, and shared drives. A purpose-built portal collects them in one branded flow, validates what it can automatically, and tracks expirations so files never go stale.
Start a free 7-day trial of Superdocu — no credit card required. Build your first KYC workflow in under 10 minutes with the AI workflow generator.