AML and KYC Investigations: From Customer Onboarding to Ongoing Due Diligence

Introduction

Where previous articles in this series primarily focused on investigations into incidents, reports, or specific transactions, AML and KYC investigations are centred on the front end of the relationship. The objective is not primarily to determine after the fact what went wrong, but to assess — before and during the relationship — who the organisation is doing business with, what risks are involved, and whether its services could be misused for money laundering, terrorist financing, or sanctions evasion. In a world where armed conflicts and geopolitical tensions directly impact trade flows, payment systems, and ownership structures, that is more relevant than ever. 

That makes AML and KYC investigations fundamentally different from many other compliance investigations. They are not one-off exercises, but ongoing in nature. Client due diligence starts during onboarding, but it does not end there. The relationship, transactions, and risk profile must be monitored throughout the entire client lifecycle and reassessed where necessary. 

 

Why AML and KYC Investigations Are About More Than Onboarding

In practice, KYC is still often treated as a mandatory part of client onboarding: collect identification documents, establish the UBO, screen sanctions lists, and close the file. That approach does not do justice to the structure and intent of anti-money laundering legislation. The law requires regulated institutions to apply a risk-based approach, looking not only at who the client is, but also at the purpose of the relationship, the nature of the services provided, the origin of funds, and the expected transaction profile. 

As a result, the focus of the investigation shifts. The question is no longer simply: “Who is this client?” but rather: “Does this client — with this structure, these activities, and these financial flows — fit within the organisation’s integrity and risk framework?” 

That requires analysis, interpretation, and periodic reassessment, not just document collection.

 

The Foundation: AML, CDD, and KYC 

AML is the broader anti-money laundering framework. KYC sits within that framework as the process of “knowing your customer,” while CDD — customer due diligence — is the practical investigation through which that process is carried out. In the Netherlands, this is legally embedded in anti-money laundering legislation. Regulated entities are required, among other things, to identify and verify clients, establish ultimate beneficial owners, understand the purpose and intended nature of the business relationship, monitor transactions, and report unusual transactions. 

On paper, that may sound straightforward. In practice, however, the real investigation often only begins once the structure behind the client turns out to be more complex than initially visible. Behind a corporate entity may sit foreign holding companies, foundations, nominee arrangements, trusts, or UBOs that are only indirectly visible. It is precisely in these types of files that AML and KYC reveal themselves as more than administrative processes and become investigative disciplines in their own right. 

 

KYC Beyond Regulated Sectors: The Shifted Compliance Pressure from Banks 

The importance of KYC is not always fully recognised by non-regulated businesses. In international trade especially, there is still sometimes an assumption that KYC is primarily a matter for banks, payment service providers, and other regulated institutions. Formally, that distinction may be correct, but in practice the reality has changed significantly. Banks, which are held accountable for the risks within their own portfolios, increasingly shift part of their compliance pressure onto their clients.

As a result, even non-regulated companies are increasingly confronted with questions about their customer base, trade flows, UBO structures, source of funds, involved jurisdictions, and internal controls. This is particularly visible in internationally operating trading companies, import-export structures, and businesses with complex supply chains. In those cases, banks may request additional information or expect the company itself to have implemented at least a basic compliance or KYC framework. 

For many organisations, the urgency only becomes real once the bank starts asking difficult questions and signals that the existing documentation is insufficient. At that point, KYC shifts from an abstract compliance topic to an operational issue with immediate consequences. Banks may impose additional requirements, insist on the implementation of a compliance framework, apply stricter transaction monitoring, or in the most severe cases put the relationship under pressure through de-risking or offboarding. 

That is precisely why non-regulated businesses should not wait until a bank forces the issue, but should proactively consider how they assess and document their customers, trade flows, and counterparties. 

 

Source Selection: Data Providers Versus Local Registers

An important — but often underestimated — aspect of AML and KYC investigations is the question of where client information originates. In practice, many organisations rely on international commercial data providers such as Dun & Bradstreet or Bureau van Dijk/Moody’s because they offer fast, scalable, and user-friendly access to information on companies, shareholder structures, and group relationships. Especially in international investigations, these tools are valuable because they consolidate data from multiple jurisdictions into one environment. 

At the same time, there is an important consideration here. In many cases, these databases are derived from underlying primary sources such as local trade registers, publication registers, or other official records. This means there may be a delay between a change in the local register and its appearance in a commercial database. That difference can become highly relevant in cases involving changes in management, ownership structures, registered offices, or ultimate beneficial ownership. 

For institutions with a higher risk appetite, relying on a data provider may be a defensible choice. This is especially true in low-risk and large-scale onboarding environments with many new clients. In these cases, speed, scalability, and operational efficiency often carry significant weight. However, as risk levels increase, organisations should rely more on primary sources. These sources include local trade registers or other official registries in the relevant jurisdiction. Those sources often contain the most current and legally authoritative information, even if they are less user-friendly to access. 

The core question is not whether data providers are “good” or “bad.” The key issue is whether the chosen source fits the client’s risk profile and the organisation’s risk appetite. In low-risk processes, relying on a reliable data provider may be entirely proportionate. In complex, international, or high-risk files, additional verification is often advisable. In some cases, it may even be necessary to verify commercial data against local registers or other primary documentation.

 

From Identification to Risk Assessment 

A proper AML or KYC investigation does not consist of a single action, but of a sequence of investigative steps. First, the client is identified and verified. After that, the organisation assesses who acts on behalf of the client, who the ultimate beneficial owners are, whether PEPs, sanctions risks, or heightened geographical risks are involved, and how the services are expected to be used. 

Ultimately, this results in a risk assessment. Not every client requires the same level of scrutiny. A local company with a straightforward structure and predictable activities presents a very different profile from an internationally active group with layered ownership structures, cross-border financial flows, and exposure to high-risk jurisdictions. That is precisely why AML and KYC operate on a risk-based approach: the higher the risk, the deeper the investigation and the stronger the justification required. 

In practice, however, the question from clients or internal stakeholders rarely stops there. They do not only want to know whether a party should be classified as green, orange, or red; they primarily want to understand what that classification means for the business decision itself. In other words: can — or should — we still do business with this party? That is an understandable question, but not a purely technical exercise. 

A risk classification is not an automatic go/no-go decision. It forms the basis for a broader assessment in which compliance, business teams, legal, and sometimes senior management must determine whether a risk is acceptable, under what conditions, and which mitigating measures may be required.

This is often where a strong KYC investigation provides its greatest value. Not merely by identifying elevated risks, but by helping organisations understand the practical consequences. In some cases, this may lead to enhanced monitoring, additional documentation, or stricter contractual safeguards. In others, the conclusion may be that the relationship falls outside the organisation’s risk appetite or creates too much pressure on its banking relationships, licences, or reputation to proceed responsibly.

 

Ongoing Monitoring and Transactions 

One of the biggest misconceptions in KYC is that the process ends after onboarding. In reality, that is only the beginning of the second phase. Anti-money laundering legislation requires organisations to continuously monitor both the business relationship and transactions against the profile established during onboarding. If a client suddenly begins operating in different jurisdictions, processing unusual transaction volumes, or carrying out activities inconsistent with its known business profile, that should trigger reassessment.

Within AML and KYC investigations, sanctions screening now deserves particular attention. Due to current geopolitical tensions and armed conflicts, sanctions regimes are changing more rapidly, sanctions lists are updated more frequently, and attention to circumvention structures involving third countries, intermediaries, and complex trade chains has increased significantly. As a result, it is no longer sufficient to perform a one-time sanctions screening during onboarding. Particularly where international clients, trade flows, or payments involving high-risk jurisdictions are concerned, organisations must remain continuously alert to changes involving counterparties, countries, goods flows, and ultimate beneficial ownership.

Sanctions screening therefore extends beyond the question of whether a name appears on a sanctions list. Increasingly, the issue is whether transactions, counterparties, or structures indicate an elevated risk of sanctions evasion. In sectors involving international trade, logistics, commodities, or complex supply chains, this can have major implications for both transaction assessments and overall client acceptance.

That makes AML and KYC investigations inherently dynamic. New directors, changes in ownership structures, amended sanctions regimes, or adverse media can all justify reopening a file. A client initially classified as low risk may present a completely different profile a year later.

At that point, client due diligence begins to overlap with transaction monitoring and, in some cases, reporting obligations. Where irregularities cannot be adequately explained, or where transactions qualify as unusual, the investigation may shift from routine compliance management into a more in-depth integrity or AML investigation.

 

Common Challenges in Practice

In many organisations, the greatest challenge lies not in the rules themselves, but in their execution. Files are incomplete, information from different systems does not align, commercial pressure conflicts with compliance requirements, and periodic reviews are postponed. Clients themselves frequently experience questions about source of wealth, ownership structures, or foreign entities as burdensome or difficult to understand. This is especially true when additional information is requested repeatedly.

Another recurring issue is that KYC is sometimes designed too much as an administrative process. As a result, the investigation deteriorates into document collection, while the real value should lie in the analysis itself. A file is only truly robust if it demonstrates not merely that documents are present, but also why a client was considered acceptable or unacceptable and how that conclusion aligns with the identified risks. 

Source usage also plays an important role here. Organisations that rely blindly on a single data provider or screening tool risk incorporating outdated or incomplete information into their files. Particularly in international investigations, the difference between a commercial database and a local register may determine whether a file remains sufficiently current and reliable.

The Role of Compliance, Business, and External Parties 

AML and KYC investigations are not owned exclusively by compliance departments. The business understands the client, sales teams and relationship managers often identify irregularities first, compliance establishes the framework and second-line controls, and onboarding or operations teams process and verify documentation. 

In complex investigations, organisations increasingly rely on external data providers, screening tools, legal specialists, and investigative firms. This is particularly common in cases involving international structures, sanctions risks, or escalations surrounding account closures.

Because AML and KYC continue throughout the entire client relationship, collaboration is essential. A strong file is not created through one successful onboarding exercise, but through consistent documentation, periodic reassessment, and timely escalation whenever signals no longer fit the client profile. That applies not only to regulated institutions, but increasingly also to companies confronted with indirect compliance pressure from banks, financiers, or commercial partners.

 

Conclusion and Looking Ahead: From Client Investigations to Compliance Audits

In many ways, AML and KYC investigations represent the operational day-to-day equivalent of the due diligence and integrity investigations discussed earlier in this series. At their core, they revolve around the same fundamental question: who are we doing business with, and what risks does that create? The objective is to prevent the organisation from becoming part of a larger integrity issue.

Where due diligence often focuses on a one-time decision-making moment, AML and KYC are about continuous vigilance. This places AML and KYC at the intersection of prevention and detection: from client acceptance to transaction monitoring, from file management to potential reporting obligations, and sometimes ultimately to more in-depth internal investigations. 

In the next — and final — article in this series, the focus shifts to compliance audits. AML and KYC investigations focus on individual clients, files, and transactions. Compliance audits assess the design, operation, and effectiveness of the overall compliance framework. That final article therefore forms the logical conclusion of this series: from incidents and files to systems and control. 

 

Invitation to Consult

If this article has raised questions or topics you would like to discuss further, we welcome you to reach out. If you have a specific case you would like to explore, we are happy to arrange an informal introductory conversation. Our contact details can be found on our website.

Next Article

In the next article, we examine an uncomfortable truth: Internal Audit versus Business. Why audit teams are so often seen as a brake on progress — and how to change that. 

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com