What is the Difference between AML/CFT and KYC?

Page Contents

The short answer: KYC is one component of AML/CFT, not a synonym for it.
KYC is the process of collecting, verifying, analysing, and recording customer information, while AML/CFT is the wider legal and operational regime that requires KYC plus transaction monitoring, sanctions screening, reporting, governance, and record-keeping.

What AML/CFT Tries to Achieve

AML/CFT rules force financial institutions and other reporting entities to confirm who their customers are, understand how they behave, and escalate anything unusual. The system exists to:

Stop criminals entering the financial system by preventing onboarding without verified KYC data.
Deter ML/TF activity by making anonymity difficult, even for people using offshore structures, nominee ownership, cash, or crypto.
Outsource surveillance to the private sector, allowing FIUs to receive STR/SAR/PTR data backed by KYC records.
Support investigations, since KYC profiles, transaction histories, and monitoring notes can be reviewed years later.

KYC is therefore only one pillar of AML/CFT. AML/CFT is broader, deeper, and continues throughout the entire lifecycle of the customer.

What KYC Actually Is

KYC (“Know Your Customer/Client”) is the obligation to collect and verify enough information to comply with all relevant laws and internal requirements - not just AML/CFT.
KYC supports:

AML/CFT
FATCA/CRS
Licensing rules (e.g., derivatives knowledge tests, suitability questions)
Internal risk appetite
External audit
Financial crime prevention

KYC is not optional, and it is not limited to AML checks. A tax residency self-certification or a derivatives knowledge questionnaire is still KYC, even though it has nothing to do with ML/TF.

Unlicensed financial institutions dealing with wholesale/accredited clients rely on KYC to confirm eligibility. Without the correct KYC data, the activity becomes illegal, even if AML/CFT procedures were technically followed.

What the KYC Procedure Covers

KYC starts at onboarding and continues throughout the relationship. Core components include:

Identity verification (individual and corporate)
Address verification
Nature and purpose of the business relationship
PEP, sanctions, and adverse media screening
Building a customer risk profile based on ML/TF indicators
Updating information over time (“ongoing KYC”)

KYC feeds directly into AML/CFT because the risk rating, expected behaviour, and red-flag parameters rely on verified customer information.

AML Checks and KYC Requirements

Initial KYC sits inside CDD or EDD, depending on customer risk or specific legal triggers.
However, KYC does not end after onboarding. Ongoing AML checks depend on current KYC data:

Detecting large, complex, unusual, or suspicious transactions
Identifying material changes (ownership, PEP status, jurisdiction changes)
Conducting ongoing PEP and sanctions screening
Running EDD when transaction monitoring alerts trigger it

Examples:

A large transaction triggers EDD → SOF checks rely on existing SOW and behavioural data.
A corporate client’s new beneficial owner is a PEP → uplift risk level depending on involvement, jurisdiction, and control.

KYC vs AML/CFT: Additional Practical Differences

Risk Appetite

Businesses often prohibit certain customer types or products, regardless of AML/CFT rules.
KYC information tells the risk officer whether the business is drifting outside its risk appetite.

Example: High-risk customers (trusts, crypto institutions) increase. If the entity has zero tolerance for AML breaches, it may need more resources or must stop onboarding this cohort.