COREDO – EU Legal & Compliance Services. Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
I’m regularly asked: why does the bank request the company’s documents again a year after opening the account if nothing “has changed”? The answer is simple: a KYC refresh is not a one-time check, but a mandatory part of the lifecycle of the bank-client relationship. Banks operate within the framework of FATF recommendations, the EU’s 5th and 6th Anti-Money Laundering Directives (AMLD5, AMLD6), local AML rules and sanctions compliance rules. These standards require periodic customer reviews (periodic KYC), as well as ad-hoc data updates when there are material changes in the business.
There is another important factor: the GDPR and its requirements for transparency in the processing of personal data. Banks are required to request only necessary information, store it in accordance with a data retention policy, and, for international transfers, use legal mechanisms such as Standard Contractual Clauses (SCC). As a result, requests have become more specific but also more frequent: selective, targeted client data updates (KYC) are the new norm, not the exception.
What the bank checks during a KYC refresh

At the heart of a KYC refresh is CDD (Customer Due Diligence), that is, the identification and verification of the company (KYB: Know Your Business), its directors, shareholders and ultimate beneficial owners (UBO: Ultimate Beneficial Owner). The review covers the ownership structure, data from the shareholder register and, where available, the trust deed and other documents relating to trust structures. The bank compares the information with the corporate ownership chart and verifies the data through government company registers (for example, Companies House and equivalents in the EU) and beneficial ownership transparency registers (beneficial ownership register, corporate transparency register).
A mandatory element is sanctions screening: checking against OFAC, EU and UN sanctions lists, as well as PEP (Politically Exposed Persons) screening and adverse media screening. At the same time the bank analyzes transactions: conformity of flows with the stated activity, threshold values for transaction monitoring, alert rules in the TMS (Transaction Monitoring System), and cases of filed suspicious activity reports (SAR).
Triggers for KYC refresh

Triggers for KYC refresh are events the bank must detect and verify. Key examples: change of owner or UBO, update of directors or secretary, issuance of new shares or change of shareholdings, restructuring, emergence of nominee arrangements, dealings with bearer shares in historical structures, opening foreign branches, entering new markets.
KYC refresh in the EU, Asia and the CIS

KYC refresh in EU banks is characterized by a strong reliance on AMLD5/AMLD6, disclosure of UBOs through public or semi-open registers, use of eIDAS for electronic identification and active digitization of eKYC processes. In some jurisdictions (for example, Estonia, Cyprus) banks request certified translations and an apostille, and also thoroughly check GDPR compliance, including DPIA (data protection impact assessment) for complex cases.
In Asia the picture is uneven. Singapore (MAS) and Hong Kong (HKMA) maintain high standards, but widely adopt digital onboarding, biometric verification and API integrations with government registers. In Southeast Asian countries banks more actively work with identity and verification providers, implement OCR and automatic document checks, but require detailed economic rationale for payments. The COREDO team has implemented several eKYC projects in Singapore and sees a growing emphasis on continuous monitoring and reducing false positives in TMS.
In the CIS countries the approach depends on the specific jurisdiction and correspondent bank. Often due diligence within correspondent banking plays a key role: European or Asian partners require heightened controls from local banks. Because of this, a KYC refresh may include additional confirmations of business activity, in-depth analysis of the ownership chain and sanctions filters at the level of international payments. Here the solution developed at COREDO (ready document packages for correspondents and clear ownership charts) significantly reduces friction.
Preparation of documents for KYC refresh

The list of documents for a KYC refresh depends on the risk profile and jurisdiction. As a rule, the bank will request:
- founding documents, certificate of incorporation and a current certificate of incumbency;
- articles of association, corporate resolutions and powers of attorney, shareholder register and minutes of amendments;
- UBO confirmation and disclosure of the ownership chain, including nominee agreements, trust deed and information about trustees/protectors;
- a corporate ownership diagram with percentages and jurisdictions, as well as an explanatory note on the structure;
- documents evidencing economic activity: key contracts, invoices, transport documents, description of the business model and unit economics;
- proof of address and substance: office leases, payroll data, information about employees and directors;
- bank reference letter if requested, auditor reports, tax returns;
- certified translations and apostille/notarisation, if required by the bank;
- AML/CFT policy, description of the transaction monitoring system (if you are a financial company), rule thresholds, SAR procedures.
How to complete a KYC refresh at the bank

I recommend starting with proactive contact with the relationship manager. Agree on the data transfer format, the SLA for review and the channels of interaction. If the structure is complex, prepare a short “narrative note” that explains step by step the business model, payment routing and the role of each ownership link. Our experience at COREDO has shown that one page of clear explanations saves weeks of approvals.
Next, check the documents against formal requirements: that certificates are current, that apostilles are within their validity periods, that names and addresses are consistent across all sources, and that the ownership chart is logical with no ‘breaks’ in the links. A good practice is to export a case management report: list of attachments, version of each file, update date, who prepared them. This increases the compliance officer’s confidence and speeds up the work.
Finally, prepare answers to standard questions: sources of funds and wealth, reasons for atypical transactions, the role of counterparties, explanations of pricing anomalies. If the bank launches EDD, agree the boundaries so as not to waste resources on excessive requests. The COREDO team helps set the ‘bounds’ of the review and negotiate concrete completion criteria.
KYC checklist for the manager
- Clarify the frequency of checks (annual, biennial or trigger-based) and the criteria of the risk-based approach.
- Update the KYC profile: directors, shareholders, UBO, addresses, substance, contact persons.
- Prepare the ownership chart and narrative note on the business model and transactions.
- Check sanctions and PEP risks for key persons; conduct adverse media screening.
- Reconcile TMS threshold values and rules, describe SAR procedures and case management.
- Ensure certified translations and apostilles where necessary.
- Agree on GDPR/SCC, data retention and access policies, audit trail.
- Work out “material changes” and the bank notification mechanisms (material change reporting).
- Clear outstanding items from previous bank requests and agree the SLA for the current round.
Common mistakes: how to avoid them
The third mistake is ignoring privacy requirements and international data transfer rules. Unagreed SCCs or the absence of a DPIA for sensitive processes cause returns at the bank’s legal department level. At COREDO we mitigate these risks in advance: we prepare a visualization of the ownership chain and entity resolution, validate documents via OCR and control rules, check sanctions and PEP flags and provide explanations for adverse media.
When EDD is required and how to pass the review
Enhanced client due diligence (EDD) is triggered by a high risk rating, a complex multi-jurisdictional structure, the presence of trust elements, nominee arrangements or histories with bearer shares. Triggers also include connections to sanctions-sensitive industries, atypical payment routes, operating in multiple regulatory jurisdictions, and requests from correspondent banks.
AML, sanctions and compliance in practice
A strong compliance program for regular KYC refresh relies on a risk-based approach (RBA), a clear client risk-rating model, a defined frequency of checks and continuous monitoring. I insist on regular testing of sanctions filters (OFAC/EU/UN), up-to-date PEP sources, adverse media screening configured to reduce false positives, and transparent case escalation.
From a process perspective, the following are important:
- documented data retention policy and DSAR mechanism;
- clear audit trail and change log;
- SAR rules and lines of responsibility;
- readiness for regulatory inspections and control activities;
- team training and procedures for trigger-based updates.
For fintech companies I recommend keeping materials on suptech trends and regulatory expectations at hand, as well as maintaining a dialogue with the bank about calibrating TMS thresholds and reducing false positives. Such openness strengthens trust and reduces the likelihood of unexpected blocks.
ROI from KYC automation
Digital onboarding and eKYC have already become standard in the EU and Asia. Identity providers offer biometric verification, OCR and automatic document checks, API integrations with company registries and beneficial ownership registers, as well as blockchain solutions for verifying record immutability. At COREDO we configure case management, rules engines for automated checks, a notification system and transparent communication with clients.
Remote document verification is comparable in reliability to in-person verification if multifactor checks are present and risk rules are configured correctly. When necessary we mix approaches: eKYC for most cases and in-person interviews for EDD. Such a hybrid helps balance customer experience and compliance.
COREDO Case Studies
- Payment company in the EU. The client was expanding operations into two new markets, and the bank initiated a KYC refresh with EDD. The COREDO team prepared an ownership chart with jurisdiction-level detail and a narrative on the business model, and set up a package of confirmations for TMS thresholds and SAR procedures. We provided certified translations and apostilles for some documents and synchronized GDPR/SCC for data transfer to a provider in a third country. Result: closure of the review in 19 business days instead of the projected 8 weeks.
- Fintech in Singapore with a crypto license. The bank requested re-confirmation of the UBO and an explanation of a complex trust structure. The solution developed by COREDO included forensic due diligence on sources of funds, background checks of key individuals, as well as visualization of the ownership chain and entity resolution. We adjusted sanctions and PEP filter settings, reduced false positives by 32% and helped the bank agree on a new continuous monitoring regime without increasing the client’s operational costs.
- Manufacturing group from the CIS with an operational center in the Czech Republic. The bank required documents to confirm economic activity, a supply chain check and GDPR compliance for transferring data backups to the cloud. COREDO’s practice confirmed: a clear set of contracts, waybills and explanations of logistics combined with a DPIA and SCC address the issues. The review was completed on time, the risk of refusal was removed, and the bank abandoned “de-risking”.
Managing expectations: cost/timelines/risks
Timelines for a KYC refresh depend on the risk class: from 10–15 business days for standard cases up to 6–8 weeks for EDD. Complex multi-jurisdictional structures and correspondent approvals can lengthen the process. To speed things up, I recommend pre-agreeing the checklist, SLA, file formats, document certification and access to registries.
The consequences of refusing a KYC refresh are unpleasant: frozen operations, lengthy negotiations with correspondents, and in extreme cases — account closure. In such situations COREDO builds remediation programs: we adjust the structure, update UBO disclosure, reassemble compliance documents, set up case management and negotiate with the bank until normal servicing is restored.
How COREDO structures its support
Since 2016 COREDO has been supporting the registration of legal entities in the EU, Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai, obtaining financial licenses (crypto, payments, forex, banking), AML consulting and comprehensive business support. In KYC refresh projects I form cross-functional teams: legal unit, AML/sanctions, transaction analytics, data privacy and local jurisdictional consultants.
For startups and fast-growing fintechs COREDO implements KYC-as-a-Service and regtech solutions: eKYC, API integrations with registries, OCR, biometrics, a rules engine for automated checks and case management, as well as techniques to reduce false positives. Such an architecture provides scalability, reduces operational risks and speeds up KYC updates without compromising control.
How to explain a complex structure to a bank
I always start by creating a simple corporate diagram: ownership tiers, percentages, jurisdictions and roles. Then I prepare an explanatory note with three sections: the business model; the logic of cash flows and geography; and substance and the operating team. If the structure includes trust elements, I disclose the trust deed, the functions of the trustee and protector, tax aspects and the reasons for choosing the arrangement.
If the company deals with multiple banks or correspondents, I align terminology and formats. This reduces the likelihood of inconsistencies and speeds up approvals. When it comes to standard questions—UBO, nominee arrangements, bearer shares in the past—we prepare alternative phrasings and legal references in advance to give the bank a clear legal basis.
Transaction monitoring during KYC updates
The bank verifies that actual transactions match the declared model. Areas of focus include threshold values for TMS rules, transaction frequency and average transaction amount, counterparties’ geography, intra-group links, and explanations for new lines of business. The presence of documented SAR procedures and a case review log demonstrates that processes are well-managed.
GDPR and international data transfers
KYC refresh in cross-border projects inevitably involves international data transfers. I recommend agreeing SCC in advance, conducting a DPIA for high-risk processes, and describing the data retention policy and deletion timelines. Don’t forget client notification mechanisms and process transparency: which data are requested, when and why, who has access to them, and how DSAR requests are handled.
Scaling KYC processes for startups
Startups need to be prepared for a bank’s re-check from day one: record corporate decisions, carefully maintain a shareholder register, store signed contracts and invoices, and have a ready narrative about the business model. The scalability of KYC processes starts with simple things: unified document templates, case management, clear SLAs within the team, and rules for material change reporting.
The COREDO team helps build a KYC policy for multi-jurisdictional operations, integrate identity providers, and create a system that will survive 10x growth without an avalanche of manual remediation and a backlog of cases. This has a direct impact on ROI and the cost of compliance.
Key takeaways
KYC refresh is not a bureaucratic formality but a managed process that can be predicted, accelerated and turned into a competitive advantage. When ownership structure is transparent, documents are verified, transaction monitoring is calibrated, and privacy processes comply with GDPR, the bank sees a reliable partner, not a source of operational risk.