KYC Policy Template: A Fintech Practitioner's Guide to Customer Due Diligence
TL;DR
- KYC is not just identity verification at onboarding. A complete KYC program covers four pillars: customer identification (CIP), risk rating, beneficial ownership, and ongoing monitoring throughout the relationship.
- Block/Cash App paid $80 million to 48 state regulators in January 2025. The core finding: no formal KYC refresh process, SAR alert backlog that grew from 18,000 to 169,000 unresolved items, and monitoring rules out of step with customer risk.
- OKX paid $504 million to the DOJ in February 2025 — employees were actively advising US customers to falsify KYC information. That is the extreme version of what happens when your culture doesn’t match your policy.
- FinCEN’s February 2026 exceptive relief order (FIN-2026-R001) removed the requirement to re-verify beneficial owners at every new account opening. You still verify at first account opening and when facts change.
Block’s $80 million AML settlement with 48 state regulators and OKX’s $504 million DOJ plea agreement dropped within weeks of each other in early 2025. Both involved KYC failures. Neither was a case of missing the regulation — both companies had KYC policies. The problem was the gap between what the policy said and what actually happened.
Block let a SAR alert backlog grow from 18,000 to over 169,000 unresolved items between 2018 and 2021. The consent order noted explicitly that Block had no formal KYC refresh process to identify changes in a customer’s risk profile after onboarding. Meanwhile, OKX employees were reportedly telling US customers to input random countries and ID numbers to bypass identity checks — a “growth at all costs” mentality that the DOJ documented in detail.
If you are a fintech compliance officer, these aren’t horror stories about bad actors. They are the blueprint for what examiners look for when they open your KYC program file. This is the practitioner walkthrough of what a defensible KYC policy needs to cover, what the 2026 regulatory updates change, and where most programs quietly fall apart.
What a KYC Program Actually Covers
KYC is not synonymous with CIP. Customer Identification Program is one component — the identity verification step at account opening governed by 31 CFR 1020.220. A complete KYC program under FinCEN’s CDD Rule (31 CFR 1010.230) has four pillars:
- Customer identification and verification — the CIP layer
- Customer risk rating — assigning a risk tier based on customer type, geography, transaction profile, and expected activity
- Beneficial ownership — identifying and verifying the natural persons who own or control legal entity customers
- Ongoing monitoring — continuous or periodic review of transaction activity and customer information to detect changes in risk
Your KYC policy is the governing document that ties all four together. It tells your team how to execute each pillar, what thresholds trigger escalation, and what records to retain. If your “KYC policy” only covers onboarding identity checks, it’s a CIP procedure — not a KYC policy.
Pillar 1: Customer Identification (CIP)
For the CIP layer, the mechanics are covered in detail in our CIP template guide. The key requirement under 31 CFR 1020.220: collect name, date of birth, address, and ID number before or at account opening, and verify within a reasonable time. The June 2025 FinCEN TIN exemption order allows banks to pull Social Security Numbers from third parties (relevant for BaaS-sponsored fintechs), but verification obligations remain.
Your KYC policy should specify: what documents you accept for documentary verification, what non-documentary methods you use when documents aren’t available, and what happens when verification fails or is inconclusive. “We will try to verify” is not a procedure. “We will collect government-issued photo ID, verify against [system], and escalate to Compliance within 24 hours if verification cannot be completed” is.
Pillar 2: Customer Risk Rating
Every customer should have a risk rating assigned at onboarding and updated throughout the relationship. At minimum, your methodology should consider:
- Customer type: Is this a retail consumer, a small business, or a complex legal entity? MSBs, cash-intensive businesses, and legal services firms are inherently higher risk.
- Geography: High-risk jurisdictions per FATF, your own internal list, or OFAC designations.
- Expected transaction profile: Volume, frequency, and types of expected activity documented at onboarding.
- Adverse screening results: Negative news, sanctions hits, PEP status.
Document the scoring methodology in the policy — not just “we assign Low, Medium, or High” but specifically what inputs drive each rating. Examiners will ask for your methodology and then pull a sample of customer files to verify the ratings match the facts.
Pillar 3: Beneficial Ownership
The CDD Rule requires covered financial institutions to identify and verify the beneficial owners of legal entity customers: the natural persons who own 25% or more of the entity, plus one person with significant managerial control (the “control prong”).
What the February 2026 FinCEN Order Changed
On February 13, 2026, FinCEN issued FIN-2026-R001, granting exceptive relief from the requirement to re-collect and re-verify beneficial ownership at every new account opening for the same legal entity customer. Under the prior rule, if an existing business customer opened a second account, you had to go through the full beneficial ownership process again. That’s now gone.
Under the relief, you verify beneficial owners at the first account opening. After that, you re-verify only if: (1) you become aware of facts that call prior information into question, or (2) your own risk-based procedures require it. The relief reduces paperwork friction for low-risk repeat-account openings, but it does not eliminate beneficial ownership obligations. Fintechs with BaaS sponsors need to confirm how the sponsor’s procedures incorporate this relief.
The underlying obligation — understand who you’re doing business with — hasn’t changed. Your policy should still document what you do when a legal entity discloses a complex ownership structure, how you handle ownership changes mid-relationship, and when you escalate to legal or Compliance.
Pillar 4: Ongoing Monitoring
This is where Block fell apart. Having good KYC at onboarding is table stakes. The ongoing monitoring obligation means you’re continuously watching for:
- Transactions that don’t match the expected activity profile documented at onboarding
- Changes in customer behavior suggesting escalating risk
- Adverse news, sanctions hits, or PEP status changes
- Account activity patterns suggesting structuring, layering, or other typologies
Your policy needs to specify the monitoring mechanism (automated rule-based alerts, enhanced review queues, periodic refresh) and the escalation path when alerts fire. A backlog of 169,000 unresolved SAR alerts is not a monitoring program — it’s evidence that the monitoring system generated alerts the team couldn’t process.
What Your KYC Policy Document Must Contain
Every KYC policy should include these sections. If a section is missing, examiners will ask why.
1. Scope and Applicability
Which customer types and product lines does this policy cover? BaaS relationships, crypto products, and business accounts may each have separate annexes.
2. Risk-Based Approach Statement
A written statement that your program is risk-based — you allocate more scrutiny to higher-risk customers, not blanket identical treatment. This is what the CDD Rule calls for and what examiners expect to see articulated at the top of the policy.
3. Customer Acceptance Criteria
Which customer types will you accept and which are prohibited? Prohibited categories might include shell companies without identifiable beneficial owners, customers in comprehensively sanctioned jurisdictions, or anonymous accounts. Documented limits on what business you will take are a control, not just a business decision, and the onboarding workflow should enforce them before a risk rating is ever assigned.
4. Risk Rating Methodology
The methodology — not just the tiers. What factors, what weighting, and what tier results from what score combination. Attach a risk rating matrix or scoring model as an appendix.
5. EDD Triggers and Procedures
What customer characteristics or events require Enhanced Due Diligence? Common triggers: PEP status, high-risk jurisdiction, adverse news, MSB designation, complex legal structure with opaque ownership. EDD procedures should include: what additional information is collected, who reviews it, and how often.
6. KYC Refresh Schedule by Risk Tier
This is the section that Block’s program was missing. Document frequency:
| Risk Tier | Refresh Frequency |
|---|---|
| High | Annually (some firms: every 6 months) |
| Medium | Every 2–3 years |
| Low | Every 3–5 years |
Also document event-based refresh triggers: ownership change, material transaction pattern shift, adverse news, or product/relationship changes.
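The risk rating methodology (Pillar 2 and section 4), the customer acceptance criteria (section 3) and the refresh schedule above (section 6) fit together as one scoring model. The following is an added example of such a model, not code from the page or from any regulator's or vendor's methodology. Every weight, score cut-off, volume band and day count is an assumption for illustration; the refresh intervals take the shortest value in each row of the table above, and a real policy would publish its own matrix as the appendix.

```python
"""Illustrative KYC risk-scoring model with acceptance screen and refresh scheduling.

Added example, not from the original page. All weights, cut-offs and intervals
are assumptions; replace them with the values in your own risk rating matrix.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed points per factor. Publishing these lets an examiner re-derive any
# customer's rating from the facts in the file.
CUSTOMER_TYPE_POINTS = {
    "retail": 0,
    "small_business": 10,
    "complex_entity": 25,
    "legal_services": 30,
    "cash_intensive": 35,
    "msb": 40,                # money services business
}
GEOGRAPHY_POINTS = {"standard": 0, "internal_watchlist": 20, "fatf_high_risk": 40}
SCREENING_POINTS = {"adverse_media": 20, "pep": 30}

# Expected monthly volume (USD) bands -> points; anything above the last band
# gets VOLUME_OVER_MAX_POINTS. Assumed values.
VOLUME_BANDS = [(10_000, 0), (100_000, 10), (1_000_000, 25)]
VOLUME_OVER_MAX_POINTS = 40

# Score -> tier cut-offs (assumed): <=30 Low, <=60 Medium, otherwise High.
TIER_CUTOFFS = [("Low", 30), ("Medium", 60)]

# Refresh intervals in days, taken from the page's table (shortest value per row).
REFRESH_INTERVAL_DAYS = {"High": 365, "Medium": 730, "Low": 1095}

# Event-based refresh triggers from the page; names are assumed.
EVENT_TRIGGERS = {"ownership_change", "pattern_shift", "adverse_news", "product_change"}

# Prohibited categories from the customer acceptance criteria (assumed labels).
PROHIBITED_GEOGRAPHIES = {"comprehensively_sanctioned"}


@dataclass
class Customer:
    customer_id: str
    customer_type: str
    geography: str
    expected_monthly_volume: float
    screening_hits: list = field(default_factory=list)
    beneficial_owners_identified: bool = True
    sanctions_hit: bool = False


def acceptance_check(c: Customer):
    """Returns (accepted, reason). Prohibited customers never receive a rating."""
    if c.sanctions_hit:
        return False, "sanctions hit"
    if c.geography in PROHIBITED_GEOGRAPHIES:
        return False, "comprehensively sanctioned jurisdiction"
    if c.customer_type == "complex_entity" and not c.beneficial_owners_identified:
        return False, "legal entity without identifiable beneficial owners"
    return True, "accepted"


def volume_points(expected_monthly_volume: float) -> int:
    for ceiling, pts in VOLUME_BANDS:
        if expected_monthly_volume <= ceiling:
            return pts
    return VOLUME_OVER_MAX_POINTS


def risk_score(c: Customer) -> int:
    """Additive score; each input is documented so the rating is reproducible."""
    score = CUSTOMER_TYPE_POINTS[c.customer_type]
    score += GEOGRAPHY_POINTS[c.geography]
    score += volume_points(c.expected_monthly_volume)
    score += sum(SCREENING_POINTS[h] for h in c.screening_hits)
    return score


def risk_tier(score: int) -> str:
    for tier, ceiling in TIER_CUTOFFS:
        if score <= ceiling:
            return tier
    return "High"


def next_refresh_due(tier: str, last_review: date) -> date:
    return last_review + timedelta(days=REFRESH_INTERVAL_DAYS[tier])


def refresh_required(tier: str, last_review: date, today: date, events=()):
    """Returns (required, reason). Event triggers override the calendar schedule."""
    triggered = EVENT_TRIGGERS.intersection(events)
    if triggered:
        return True, "event:" + ",".join(sorted(triggered))
    if today >= next_refresh_due(tier, last_review):
        return True, "scheduled"
    return False, "not due"


if __name__ == "__main__":
    # Constructed sample customer: small business in a FATF high-risk jurisdiction
    # with a PEP hit -> 10 + 40 + 10 + 30 = 90 -> High.
    c = Customer("C-1001", "small_business", "fatf_high_risk", 50_000, ["pep"])
    print(acceptance_check(c), risk_score(c), risk_tier(risk_score(c)))
    print(refresh_required("High", date(2025, 1, 15), date(2026, 1, 15)))
```

The two things examiners will test against this model are reproducibility (pull a file, re-add the points, get the same tier) and evidence that `refresh_required` actually drives a workflow, both on the calendar and on the event triggers. A sanctions hit or a prohibited jurisdiction is handled by `acceptance_check` rather than as a very high score, because a prohibited relationship should never get a rating at all.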
7. Monitoring Methodology
How alerts are generated, by whom, and the escalation path. How many business days do you have to resolve an alert before it becomes a deficiency? Who approves SAR filing? What’s the documentation standard for a dismissed alert?
8. Record Retention
Under the CDD Rule, beneficial ownership identifying information is retained for five years after the account is closed, and the record of how it was verified for five years after that record is made. Align with your CIP retention obligations, which follow the same five-year structure, and with any state-level requirements.
Common Exam Findings — and What They Actually Mean
Finding: No KYC refresh process
Block didn’t have one. Examiners pulled customer files and found that risk ratings assigned at onboarding in 2019 were still in place in 2024 with no review, despite customers showing materially changed transaction patterns. The fix: a documented refresh schedule, a workflow to execute it, and evidence the reviews actually happened.
Finding: Monitoring rules not calibrated to customer risk profile
The monitoring rules generating alerts have to match the expected activity profiles you documented at onboarding. If you onboarded a small business expecting $5,000/month in transactions and they’re running $500,000/month and no alert has fired, that’s a monitoring design failure. OKX’s monitoring was misconfigured to such a degree that billions in suspicious transactions passed without flagging.
Finding: SAR alert backlog
Examiners will pull your alert queue. If there are unresolved alerts older than 30–60 days without a documented disposition, that’s a finding. Set SLAs for alert resolution, document them in the policy, and report queue aging to Compliance leadership monthly.
Finding: Beneficial ownership not refreshed on known ownership changes
When a corporate customer tells you they brought on a new majority investor, that’s a beneficial ownership refresh trigger. Many programs don’t have a mechanism to capture this. The fix is a field on the relationship management system that flags ownership disclosures and routes them to a KYC refresh workflow.
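The two monitoring findings above (rules not calibrated to the expected activity profile, and an alert backlog with no documented dispositions) are the parts of a program that can be tested mechanically against data. The following is an added example of both checks, not Block's, OKX's, or any vendor's monitoring logic. The deviation multiplier, the SLA, the customer IDs, the transactions and the alert queue are all constructed for illustration; the $5,000/month-expected, $500,000/month-actual customer is the one from the finding above.

```python
"""Expected-activity deviation check plus alert-queue aging and disposition review.

Added example, not from the original page. Threshold, SLA and all sample data
are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import date

DEVIATION_MULTIPLIER = 3.0   # assumed: alert when a month's volume > 3x expected
ALERT_SLA_DAYS = 30          # assumed resolution SLA written into the policy
MIN_RATIONALE_CHARS = 40     # assumed documentation standard for a dismissal

# Constructed expected-activity profiles documented at onboarding (USD per month).
EXPECTED_MONTHLY_VOLUME = {
    "C-1001": 5_000.0,      # the small business from the finding above
    "C-1002": 50_000.0,
}

# Constructed transactions: (customer_id, value_date, amount_usd).
TRANSACTIONS = [
    ("C-1001", date(2026, 3, 2), 180_000.0),
    ("C-1001", date(2026, 3, 9), 160_000.0),
    ("C-1001", date(2026, 3, 23), 160_000.0),
    ("C-1002", date(2026, 3, 4), 20_000.0),
    ("C-1002", date(2026, 3, 18), 25_000.0),
    ("C-1003", date(2026, 3, 11), 1_200.0),  # no profile on file at all
]

# Constructed alert queue: (alert_id, opened, outcome, rationale).
# outcome is None while unresolved, otherwise "dismissed" or "sar_filed".
ALERT_QUEUE = [
    ("A-1", date(2026, 1, 5), None, ""),
    ("A-2", date(2026, 3, 20), None, ""),
    ("A-3", date(2026, 2, 1), "dismissed", "Payroll run verified against customer's"
                                           " stated headcount and prior 6 months."),
    ("A-4", date(2026, 2, 20), None, ""),
    ("A-5", date(2026, 2, 10), "dismissed", "ok"),   # rubber-stamp dismissal
    ("A-6", date(2026, 2, 12), "sar_filed", "Structuring pattern; SAR approved by BSA Officer."),
]


def monthly_volume(transactions):
    """Sum transaction amounts per (customer, year, month)."""
    totals = defaultdict(float)
    for cid, d, amt in transactions:
        totals[(cid, d.year, d.month)] += amt
    return totals


def expected_activity_alerts(transactions, expected, multiplier=DEVIATION_MULTIPLIER):
    """Alert when a month's actual volume exceeds multiplier x the documented
    expectation, and when a customer has no expected profile on file at all."""
    alerts = []
    for (cid, y, m), actual in sorted(monthly_volume(transactions).items()):
        exp = expected.get(cid)
        month = f"{y}-{m:02d}"
        if exp is None:
            alerts.append({"customer": cid, "month": month,
                           "reason": "no expected activity profile on file"})
        elif actual > multiplier * exp:
            alerts.append({"customer": cid, "month": month, "actual": actual,
                           "expected": exp, "ratio": round(actual / exp, 1),
                           "reason": "volume exceeds expected profile"})
    return alerts


def queue_review(alerts, today, sla_days=ALERT_SLA_DAYS, min_rationale=MIN_RATIONALE_CHARS):
    """Age unresolved alerts against the SLA and flag dismissals with no real rationale.

    Returns a summary dict plus the list of (alert_id, issue) an examiner would pull."""
    summary = {"within_sla": 0, "past_sla": 0, "dismissed_undocumented": 0, "resolved": 0}
    exceptions = []
    for aid, opened, outcome, rationale in alerts:
        if outcome is None:
            age = (today - opened).days
            if age > sla_days:
                summary["past_sla"] += 1
                exceptions.append((aid, f"unresolved {age} days, SLA {sla_days}"))
            else:
                summary["within_sla"] += 1
            continue
        summary["resolved"] += 1
        if outcome == "dismissed" and len(rationale.strip()) < min_rationale:
            summary["dismissed_undocumented"] += 1
            exceptions.append((aid, "dismissed without documented analysis"))
    return summary, exceptions


if __name__ == "__main__":
    for a in expected_activity_alerts(TRANSACTIONS, EXPECTED_MONTHLY_VOLUME):
        print(a)
    print(queue_review(ALERT_QUEUE, date(2026, 4, 1)))
```

A multiplier against the documented expected profile is the simplest way to make the rule set reflect the onboarding file; the point is that the threshold is derived from a customer-level input rather than a single global dollar figure. The queue review is the monthly aging report the policy should require, and it treats a dismissal with no written analysis as an exception in its own right, since that is what an examiner reading the disposition will see.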
The FinCEN BSA Reform NPRM: What’s Coming
The 2026 FinCEN BSA Program NPRM signals a shift from paper compliance to demonstrated effectiveness. The proposed rule would require BSA programs to show that their KYC controls actually work — not just that policies exist. For KYC programs, this likely means more rigorous testing of monitoring rule effectiveness, documented evidence of risk-based calibration decisions, and annual program effectiveness reviews that go beyond checking whether procedures are in place. If your KYC policy hasn’t been tested against actual customer data in the last 12 months, that gap will widen as the new rule takes effect.
Our AML Risk Assessment methodology covers how to structure the risk-rating framework that feeds into your KYC program design — start there if your inherent risk scoring is underdeveloped.
So What? Building the Policy That Survives an Exam
Block and OKX didn’t fail because they had no KYC policy. They failed because their programs couldn’t demonstrate effectiveness — either the monitoring wasn’t calibrated, the refresh wasn’t happening, or the culture actively undermined the policy. Examiners will look past your written document to: evidence that reviews happened on schedule, alert resolution records that show real analysis (not rubber-stamp dismissals), SAR filing documentation, and training records for staff with KYC responsibilities.
The KYC policy template you build from this guide should be a living operating document, not a file that lives in a SharePoint folder and gets referenced once a year during audit. Staff should use it. Workflows should reference it. And your testing program should regularly check whether what the policy says and what actually happens match.
If you’re building a KYC program from scratch or auditing an existing one, the Compliance Essentials Bundle includes a structured template library with the risk rating matrix, customer acceptance criteria framework, and ongoing monitoring documentation your program needs.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.