KYC refresh: why the bank is requesting the company's documents again and how to complete the process


I’m regularly asked: why does the bank request the company’s documents again a year after opening the account if nothing “has changed”? The answer is simple: a KYC refresh is not a one-time check, but a mandatory part of the lifecycle of the bank-client relationship. Banks operate within the framework of FATF recommendations, the EU’s 5th and 6th Anti-Money Laundering Directives (AMLD5, AMLD6), local AML rules and sanctions compliance rules. These standards require periodic customer reviews (periodic KYC), as well as ad-hoc data updates when there are material changes in the business.

Our experience at COREDO shows that regulators encourage banks to strengthen controls through a risk-based approach (RBA). Under the RBA, clients are rated under a risk-rating model that determines the depth of checks and the frequency of KYC updates. For low-risk companies the review can take place once every 2–3 years (biennial); for higher-risk companies it is annual or performed upon each material change (trigger-based).

There is another important factor: the GDPR and requirements for transparency in the processing of personal data. Banks are required to request only necessary information, store it in accordance with a data retention policy, and for international transfers — use legal mechanisms such as Standard Contractual Clauses (SCC). As a result, requests have become more specific but also more frequent: selective, targeted client data updates (KYC) are the new norm, not the exception.

What the bank checks during a KYC refresh

At the heart of a KYC refresh is CDD (Customer Due Diligence), that is, the identification and verification of the company (KYB: Know Your Business), its directors, shareholders and ultimate beneficial owners (UBO: Ultimate Beneficial Owner). The review covers the ownership structure, data from the shareholder register and, where available, the trust deed and other documents relating to trust structures. The bank compares the information with the corporate ownership chart and verifies the data through government company registers (for example, Companies House and equivalents in the EU) and beneficial ownership transparency registers (beneficial ownership register, corporate transparency register).

A mandatory element is sanctions screening — checking against OFAC, EU and UN sanctions lists, as well as PEP screening (Politically Exposed Persons) and adverse media screening. At the same time the bank analyzes transactions: conformity of flows with the stated activity, threshold values for transaction monitoring, alarm rules in the TMS (Transaction Monitoring System), and cases of filing suspicious activity reports (SAR, Suspicious Activity Reports).

If elevated risk is identified, EDD (Enhanced Due Diligence) is initiated. The in-depth review may include forensic due diligence, background checks, forensic accounting, source of funds analysis and source of wealth analysis, as well as verification of contracts and invoices, explanations of counterparties and the logic of payment routing. COREDO’s practice confirms that proper preparation for EDD saves companies months of time and reduces the likelihood of “de-risking”, the bank’s refusal to serve a client due to excessive risk.

Triggers for KYC refresh

Triggers for KYC refresh are events the bank must detect and verify. Key examples: change of owner or UBO, update of directors or secretary, issuance of new shares or change of shareholdings, restructuring, emergence of nominee arrangements, dealings with bearer shares in historical structures, opening foreign branches, entering new markets.

Transactional triggers include anomalous payments, spikes in turnover, new geography of counterparties, operations in sanctions-sensitive jurisdictions or with sensitive goods. Additional signals are a significant discrepancy between the declared economic activity and actual flows, frequent corrections of payment references, and unexpected cash transactions in offline channels. At COREDO we recommend formalizing “material change reporting”: an internal procedure for notifying the bank and documenting changes to prevent unexpected escalations.

KYC refresh in the EU, Asia and the CIS

KYC refresh in EU banks is characterized by a strong reliance on AMLD5/AMLD6, disclosure of UBOs through public or semi-open registers, use of eIDAS for electronic identification and active digitization of eKYC processes. In some jurisdictions (for example, Estonia, Cyprus) banks request certified translations and an apostille, and also thoroughly check GDPR compliance, including DPIA (data protection impact assessment) for complex cases.

In Asia the picture is uneven. Singapore (MAS) and Hong Kong (HKMA) maintain high standards, but widely adopt digital onboarding, biometric verification and API integrations with government registers. In Southeast Asian countries banks more actively work with identity and verification providers, implement OCR and automatic document checks, but require detailed economic rationale for payments. The COREDO team has implemented several eKYC projects in Singapore and sees a growing emphasis on continuous monitoring and reducing false positives in TMS.

In the CIS countries the approach depends on the specific jurisdiction and correspondent bank. Due diligence within correspondent banking often plays a key role: European or Asian partners require heightened controls from local banks. Because of this, a KYC refresh may include additional confirmations of business activity, in-depth analysis of the ownership chain and sanctions filters at the level of international payments. Here the solution developed at COREDO (ready document packages for correspondents and clear ownership charts) significantly reduces friction.

Preparation of documents for KYC refresh

The list of documents for a KYC refresh depends on the risk profile and jurisdiction. As a rule, the bank will request:

  • founding documents, certificate of incorporation and a current certificate of incumbency;
  • articles of association, corporate resolutions and powers of attorney, shareholder register and minutes of amendments;
  • UBO confirmation and disclosure of the ownership chain, including nominee agreements, trust deed and information about trustees/protectors;
  • a corporate ownership diagram with percentages and jurisdictions, as well as an explanatory note on the structure;
  • documents evidencing economic activity: key contracts, invoices, transport documents, description of the business model and unit economics;
  • proof of address and substance: office leases, payroll data, information about employees and directors;
  • bank reference letter if requested, auditor reports, tax returns;
  • certified translations and apostille/notarisation, if required by the bank;
  • AML/CFT policy, description of the transaction monitoring system (if you are a financial company), rule thresholds, SAR procedures.
It is important to consider GDPR and international data transfers during a KYC refresh. If the bank or provider is outside the EU, you should pre-agree SCCs and describe the data retention and access policies, the audit trail and the mechanisms for fulfilling data subject access requests (DSAR). At COREDO we prepare a separate privacy governance package so the bank’s compliance team does not return the case for revision over formalities.

How to complete a KYC refresh at the bank

I recommend starting with proactive contact with the relationship manager. Agree on the data transfer format, the SLA for review and the channels of interaction. If the structure is complex, prepare a short “narrative note” that explains step by step the business model, payment routing and the role of each ownership link. Our experience at COREDO has shown that one page of clear explanations saves weeks of approvals.

Next, check documents for formal requirements: the currency of certificates, apostille validity periods, consistency of names and addresses across all sources, the logic of the ownership chart and the absence of ‘breaks’ in the links. A good practice is to export a case management report: list of attachments, version of each file, update date, who prepared them. This increases the compliance officer’s confidence and speeds up the work.

Finally, prepare answers to standard questions: sources of funds and wealth, reasons for atypical transactions, the role of counterparties, explanations of pricing anomalies. If the bank launches EDD, agree the boundaries so as not to waste resources on excessive requests. The COREDO team helps set the ‘bounds’ of the review and negotiate concrete completion criteria.

KYC checklist for the manager

  • Clarify the frequency of checks (annual, biennial, trigger-based) and the criteria of the risk-based approach.
  • Update the KYC profile: directors, shareholders, UBO, addresses, substance, contact persons.
  • Prepare the ownership chart and narrative note on the business model and transactions.
  • Check sanctions and PEP risks for key persons; conduct adverse media screening.
  • Reconcile TMS threshold values and rules, describe SAR procedures and case management.
  • Ensure certified translations and apostilles where necessary.
  • Agree on GDPR/SCC, data retention and access policies, audit trail.
  • Work out “material changes” and the bank notification mechanisms (material change reporting).
  • Clear outstanding items from previous bank requests and agree the SLA for the current round.

Common mistakes: how to avoid them

The main mistake is underestimating the “small things”: mismatches in addresses, spelling discrepancies in names, outdated resolutions. These details create a sense of lack of control for the bank and increase risk. The second mistake is attempting to “pass on” the explanation of a complex structure to the compliance officer: without a clear diagram and explanations the case goes into a long backlog and manual remediation.

The third mistake is ignoring privacy requirements and international data transfer rules. Unagreed SCCs or the absence of a DPIA for sensitive processes cause returns at the bank’s legal department level. At COREDO we mitigate these risks in advance: we prepare a visualization of the ownership chain and entity resolution, validate documents via OCR and control rules, check sanctions and PEP flags and provide explanations for adverse media.

When EDD is required and how to pass the review

Enhanced client due diligence (EDD) is triggered by a high risk rating, a complex multi-jurisdictional structure, the presence of trust elements, nominee arrangements or histories with bearer shares. Triggers also include connections to sanctions-sensitive industries, atypical payment routes, operating in multiple regulatory jurisdictions, and requests from correspondent banks.

The right EDD strategy is a precise justification of the economic rationale for the structure and payments, supported by contracts, logistics, tax and audit confirmations. Where forensic accounting or background checks are needed, I involve COREDO’s specialized team to provide the bank with a clear, verifiable history of transactions and sources of funds. This removes internal compliance questions and shortens timelines.

AML, sanctions and compliance in practice

A strong compliance program for regular KYC refresh relies on RBA, a clear client risk-rating model, the frequency of checks and continuous monitoring. I insist on regular testing of sanctions filters (OFAC/EU/UN), up-to-date PEP sources, configuring adverse media aimed at reducing false positives and transparent case escalation.

From a process perspective, the following are important:

  • documented data retention policy and DSAR mechanism;
  • clear audit trail and change log;
  • SAR rules and lines of responsibility;
  • readiness for regulatory inspections and control activities;
  • team training and procedures for trigger-based updates.

For fintech companies I recommend keeping materials on suptech trends and regulatory expectations at hand, as well as maintaining a dialogue with the bank about calibrating TMS thresholds and reducing false positives. Such openness strengthens trust and reduces the likelihood of unexpected blocks.

ROI from KYC automation

Digital onboarding and eKYC have already become standard in the EU and Asia. Identity providers offer biometric verification, OCR and automatic document checks, API integrations with company registries and beneficial ownership register, as well as blockchain solutions for verification of record immutability. At COREDO we configure case management, rules engines for automated rules, a notification system and transparent communication with clients.

The economic effect is noticeable. KYC performance metrics (SLA and time-to-onboard) improve by 20–40%, and the cost per KYC decreases due to automation of data collection and reuse of verified elements. This positively affects customer retention (churn) and the scalability of KYC processes for fintechs. In some projects we used KYC outsourcing and reliance on third parties, while maintaining quality control through KPIs and regular audits.

Remote document verification is comparable in reliability to in-person verification if multifactor checks are present and risk rules are configured correctly. When necessary we mix approaches: eKYC for most cases and in-person interviews for EDD. Such a hybrid helps balance customer experience and compliance.

COREDO Case Studies

  • Payment company in the EU. The client was expanding operations into two new markets, and the bank initiated a KYC refresh with EDD. The COREDO team prepared an ownership chart with jurisdiction-level detail, a narrative on the business model, set up a package of confirmations for TMS thresholds and SAR procedures. We provided certified translations and apostilles for some documents, synchronized GDPR/SCC for data transfer to a provider in a third country. Result: closure of the review in 19 business days instead of the projected 8 weeks.
  • Fintech in Singapore with a crypto license. The bank requested re-confirmation of the UBO and an explanation of a complex trust structure. The solution developed by COREDO included forensic due diligence on sources of funds, background checks of key individuals, as well as visualization of the ownership chain and entity resolution. We adjusted sanctions and PEP filter settings, reduced false positives by 32% and helped the bank agree on a new continuous monitoring regime without increasing the client’s operational costs.
  • Manufacturing group from the CIS with an operational center in the Czech Republic. The bank required documents to confirm economic activity, a supply chain check and GDPR compliance for transferring data backups to the cloud. COREDO’s practice confirmed: a clear set of contracts, waybills and explanations of logistics combined with a DPIA and SCC address the issues. The review was completed on time, the risk of refusal was removed, and the bank abandoned “de-risking”.

Managing expectations: cost/timelines/risks

Timelines for a KYC refresh depend on the risk class: from 10–15 business days for standard cases up to 6–8 weeks for EDD. Complex multi-jurisdictional structures and correspondent approvals can lengthen the process. To speed things up, I recommend pre-agreeing the checklist, SLA, file formats, document certification and access to registries.

The cost of undergoing KYC for business consists of the team’s internal time, translation fees, apostille and, if necessary, external identity providers, adverse media and sanctions monitoring. With automation, ROI metrics from KYC initiatives look convincing: less manual remediation, lower cost per KYC, a stable SLA and reduced churn due to a predictable customer experience.

The consequences of refusing a KYC refresh are unpleasant: frozen operations, lengthy negotiations with correspondents, and in extreme cases — account closure. In such situations COREDO builds remediation programs: we adjust the structure, update UBO disclosure, reassemble compliance documents, set up case management and negotiate with the bank until normal servicing is restored.

How COREDO structures its support

Since 2016 COREDO has been supporting the registration of legal entities in the EU, Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai, obtaining financial licenses (crypto, payments, forex, banking), AML consulting and comprehensive business support. In KYC refresh projects I form cross-functional teams: legal unit, AML/sanctions, transaction analytics, data privacy and local jurisdictional consultants.

I pay special attention to communication with the relationship manager: we have working package templates, checklists and standards for visualizing the ownership chart. We arrange certified translations, apostille and notarizations, conduct preliminary sanctions and PEP screening, adverse media screening, prepare explanations on TMS thresholds and SAR procedures. For international data transfers we apply SCCs and set up access policies, maintain an audit trail and help prepare for regulatory inspections.

For startups and fast-growing fintechs COREDO implements KYC-as-a-Service and regtech solutions: eKYC, API integrations with registries, OCR, biometrics, a rules engine for automated checks and case management, as well as techniques to reduce false positives. Such an architecture provides scalability, reduces operational risks and speeds up KYC updates without compromising control.

How to explain a complex structure to a bank

I always start by creating a simple corporate diagram: ownership tiers, percentages, jurisdictions and roles. Then I prepare an explanatory note with three sections: the business model; the logic of cash flows and geography; and substance and the operating team. If the structure includes trust elements, I disclose the trust deed, the functions of the trustee and protector, tax aspects and the reasons for choosing the arrangement.

If the company deals with multiple banks or correspondents, I align terminology and formats. This reduces the likelihood of inconsistencies and speeds up approvals. When it comes to standard questions—UBO, nominee arrangements, bearer shares in the past—we prepare alternative phrasings and legal references in advance to give the bank a clear legal basis.

Transaction monitoring during KYC updates

The bank verifies that actual transactions match the declared model. Areas of focus include threshold values for TMS rules, transaction frequency and average transaction amount, counterparties’ geography, intra-group links, and explanations for new lines of business. The presence of documented SAR procedures and a case review log demonstrates that processes are well-managed.

It’s useful to show how you reduce false positives: rule calibration, risk scoring of counterparties, adjustment of dictionaries for adverse media, and regular performance reporting. At COREDO we configure metrics and dashboards that are clear to the bank’s compliance team and preempt pain points before they arise.

GDPR and international data transfers

KYC refresh in cross-border projects inevitably involves international data transfers. I recommend agreeing SCC in advance, conducting a DPIA for high-risk processes, and describing the data retention policy and deletion timelines. Don’t forget client notification mechanisms and process transparency: when, which data and why are requested, who has access to them, and how DSAR requests are handled.

This openness increases trust and simplifies dialogue with the bank. In COREDO’s practice such materials often become a “bridge” between the bank’s legal and compliance units, removing formal objections and speeding up case closure.

Scaling KYC processes for startups

Startups need to be prepared for a bank’s re-check from day one: record corporate decisions, carefully maintain a shareholder register, store signed contracts and invoices, and have a ready narrative about the business model. The scalability of KYC processes starts with simple things: unified document templates, case management, clear SLAs within the team, and rules for material change reporting.

The COREDO team helps build a KYC policy for multi-jurisdictional operations, integrate identity providers, and create a system that will survive x10 growth without an avalanche of manual remediation and a backlog of cases. This has a direct impact on ROI and the cost of compliance.

Key takeaways

KYC refresh is not a bureaucratic formality but a managed process that can be predicted, accelerated and turned into a competitive advantage. When ownership structure is transparent, documents are verified, transaction monitoring is calibrated, and privacy processes comply with GDPR, the bank sees a reliable partner, not a source of operational risk.

Over years of work COREDO has developed an approach that combines strategy and practice: precise terminology and regulatory frameworks, clear documentation and visualization, technological tools and competent communications with the bank. If you want to go through a KYC refresh in the EU, Asia or CIS countries without missed deadlines and with clear economics, my team will step in where needed: from the checklist and UBO verification to EDD and remediation after rejection. Compliance is a discipline, and discipline pays off.

COREDO – EU Legal & Compliance Services. Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
