Customer due diligence (KYC): why is it important?

Anti-money laundering and customer due diligence: how it works, when it is mandatory and what the advantages are

Customer due diligence is one of the pillars of anti-money laundering: when a banking or financial intermediary signs a new contract, in Italy as well as in the rest of the world, it is required to verify the identity of the customer and to ensure that the nature of the relationship is not linked to illegal activities or terrorism.

Each new customer is therefore identified and associated with a risk level. The KYC (Know Your Customer) procedures depend on this risk level: they can be simplified or much more in-depth depending on the type of customer, the nature of the relationship, and the amount of the transactions.

Anti-money laundering: how it works and what customer due diligence is

When we talk about anti-money laundering, we refer to the set of rules, regulations, and activities dedicated to preventing and combating phenomena such as money laundering and terrorist financing.

Legislative Decree 231/2007, the regulatory reference in Italy regarding AML (Anti-Money Laundering), defines the obligations and tools of anti-money laundering: in practice, banks, real estate operators, and professionals in various sectors are required to perform customer due diligence, monitor customer relationships, and report suspicious transactions to the Financial Intelligence Unit (UIF). The ban on using cash for payments exceeding 5,000 euros also falls within AML.

Customer due diligence (KYC - Know Your Customer) is a key component of anti-money laundering: before establishing an ongoing relationship or granting a professional mandate, it is necessary to collect information about the client in order to minimize the risk of introducing resources linked to criminal activities into the system. Afterwards, based on the risk profile assigned to the client, their “movements” must be monitored to ensure they are consistent with the nature of the relationship and the client’s profile (the most common example of a suspicious transaction is unusually large payments or deposits).

Anti-money laundering (AML): obligated entities

The list of entities required to follow the practices indicated in Legislative Decree 231/2007 does not include only banks and financial institutions. Over the years, in fact, the list of obligated entities has expanded to new categories. Today it includes:

  • Banking, financial, and insurance intermediaries;
  • Professionals (notaries, lawyers, accountants, auditors, and auditing firms);
  • Non-financial operators such as service providers related to companies and trusts, traders of antiques, gold and works of art, and real estate agents (for transactions over 10,000 euros);
  • Service providers connected to cryptocurrencies and digital wallets.

For banks, financial intermediaries, and payment and electronic money institutions, the obligations also extend to foreign entities based in Italy.

Anti-money laundering: when does the due diligence obligation apply?

Customer due diligence, with possible reporting of suspicious transactions, must be performed whenever:

  • A new ongoing relationship is established (e.g. current account, mortgage, safe deposit box);
  • A one-off transaction of 15,000 euros or more is carried out;
  • A transfer of funds exceeding 1,000 euros occurs;
  • There is suspicion of money laundering or financing of illegal activities (regardless of amounts);
  • There are doubts about the truthfulness or adequacy of the data obtained during identification (for example, if a customer starts spending much more than usual, it may be necessary to update information about their income).

When one of these situations occurs, the KYC process must be activated, ensuring access to verifiable and updated data about the customer in order to rule out that the funds involved come from illegal activities.

Anti-money laundering obligations: customer due diligence (KYC)

Customer due diligence is based on three key components:

  • CIP (Customer Identification Program): involves collecting and verifying information and documents to confirm the customer’s identity;
  • CDD (Customer Due Diligence): after identifying the customer with certainty, it is necessary to obtain and analyze further information to build a risk profile of the customer (for example, whether they are a Politically Exposed Person, and their income situation and financial background). Continuous monitoring of operations also falls within CDD;
  • EDD (Enhanced Due Diligence): if the customer is classified as “high risk,” a more in-depth analysis of their activities is required, determining the origin of their funds and investigating their reputation.

The purpose of these KYC procedures is simple: to identify the customer with certainty and ensure over time that their activities are not fraudulent.

The three levels of Due Diligence in customer verification

As mentioned, anti-money laundering follows a risk-based approach (RBA): rather than applying generic measures for everyone, this approach focuses on the most “critical” areas, establishing rules and requirements proportional to the level of risk.

The type of protection to be applied therefore depends on the nature of the relationship, the identity of the customer, and the context.

There are three levels of Due Diligence:

  • Simplified Due Diligence: intended for low-risk activities, involves simply collecting identity documents without special checks;
  • Basic Due Diligence: for medium risk, the customer’s identity must be verified through reliable and independent sources such as official databases. If the customer is a company, it is also necessary to verify the activity, the beneficial owner, and the origin of the funds;
  • Enhanced Due Diligence: if the customer is classified as high-risk, for example, a PEP or from a high-risk country, stricter checks must be carried out, collecting additional information on their activities and the origin of their funds.

When the customer is a legal entity, basic Due Diligence generally applies: in addition to business information, data and documents on beneficial ownership, company accounts, and all individuals in control positions within the enterprise are collected.

Customer due diligence: which documents are needed?

Regardless of its level of detail, anti-money laundering due diligence must rely on reliable and independent documents that certify personal data, income information, and, if applicable, company data.

To verify the identity of a natural person, an ID card or passport is usually required, while for companies, the business registry extract is used, which includes all company data, filed financial statements, and the names of individuals holding beneficial ownership.

Bank statements, payslips, utility bills, lease agreements, and tax returns may also be requested during onboarding or later.

These data are obtained by banks and intermediaries autonomously and independently: even the information provided directly by the customer must be cross-checked with official documents and databases.

More and more often, therefore, obligated entities use specialized services that allow them to acquire thousands of official and up-to-date pieces of information through APIs dedicated to KYC and KYB (Know Your Business).

Openapi’s Know Your Customer API services, for example, make it possible to identify PEPs in real time and monitor negative news related to the customer simply by entering their name and surname.

KYC and anti-money laundering: why it matters

As we have seen, anti-money laundering obligations mainly concern the banking, financial, insurance, and real estate sectors. However, customer due diligence has also been widely adopted by companies not required to comply with AML obligations, especially those operating exclusively online.

KYC can in fact be applied to suppliers and business partners to protect one’s company and help combat financial crimes, particularly in cases where there is no direct contact with counterparties.

A minimum level of Due Diligence also enables more accurate and timely control over one’s marketplace and allows the creation of useful statistics to improve business operations.

For e-commerce customers and services that involve online payments, even minimal identity checks may seem inconvenient, but they help build greater user trust and significantly strengthen the company’s reliability—regardless of the sector in which it operates.
