2 General Overview

2.1 Process characteristics

2.1.1 A global process

The KYC process is an essential risk management feature, contributing to:

  • the prevention of money laundering and the financing of terrorism;
  • compliance with sanctions;
  • compliance with anti-corruption laws and regulations;
  • compliance with tax-related laws and regulations;
  • protecting client interests;
  • corporate and social responsibility (CSR);
  • respecting market integrity;
  • preserving the Group’s reputation.

2.1.2 A recurrent process

The KYC process must be initiated (§4):

  • prior to entering into a new business relationship;
  • according to the scheduled recertification date, as the case may be;
  • when specific events occur that require a targeted file update or the client’s recertification;
  • prior to terminating a business relationship.

2.1.3 A three-step process

The KYC process is performed in three steps:

  • The collection of information and supporting documents from the client or other sources (§5).
  • The assessment of the AML, CFT, corruption and sanctions risks, as well as other regulatory and reputational risks (§6).
  • The positive or negative decision to enter into, or continue a business relationship, possibly with conditions or restrictions (§7).

2.2 Guiding principles

2.2.1 Segmentation

All clients are assigned to precisely defined segments. Each segment is governed by a specific KYC policy. This segmentation allows for process homogeneity in all the Group’s Businesses. It contributes to the risk-based approach by defining due diligence measures that are adapted to the risk profile presented by each segment.

2.2.2 Permanent vigilance

Risk control requires permanent vigilance in order to detect and record in the KYC file any event that may impact the risk level. That is why the KYC process applies not only to new business relationships, but also to existing relationships, at a predefined frequency or in case of events that may impact the risk level.

No client file with an assigned recertification due date should become overdue. Therefore, stringent rules apply to non-compliant or overdue files (§8).

2.2.3 Risk-based approach

This policy presents the general principles governing regular, enhanced and simplified due diligence measures.

The nature and extent of due diligence measures depend on the client’s risk level, as well as a variety of other factors, as may be detected during the KYC process.

  • Higher risk factors require enhanced due diligence measures related to the nature of information and documents to be collected, the qualitative risk assessment, the decision process or the recertification frequency.
  • Lower risk factors may allow for simplified due diligence measures, to the extent permitted by regulation.

Each client segment policy details the risk factors and the corresponding due diligence measures.

2.2.4 Segregation of duties

The roles of the process stakeholders are defined in such a way as to ensure the integrity of information, the reliability of risk assessment, and an unbiased decision (§3).

2.2.5 Homogeneity

The KYC process and due diligence measures are homogeneous in all the Group’s Businesses and BUs, for a given client segment. This homogeneity ensures the consistency of risk management principles.

2.2.6 Reliance

Due to BNPP’s international dimension and cross-selling strategies, business relationships are frequently shared between several BUs. These BUs may be located in different countries, and/or belong to different Businesses. In such cases, redundant work and repetitive requests to the client must be avoided. In addition, the consistency of the client risk level must be maintained, and reciprocal information exchanges including supporting analysis must be implemented.

The reliance principle means that a BU may rely upon due diligence performed by another BU when onboarding or recertifying a client, subject to certain conditions:

  • The client must have been onboarded or recertified in compliance with the Group policies defining the due diligence measures applicable to the client’s segment.
  • When required by local regulation, the client must have provided a signed waiver.

The reliance principle does not imply automatic acceptance. Each BU is ultimately accountable for the decision to onboard or recertify the client.

2.3 Scope of application

2.3.1 Clients and business relationships

Client: Any natural person or entity* that has entered into a business relationship with a BU for the purpose of obtaining products or services from the BU.

Business relationship: Any relationship consisting of the provision by a BU of financial or non-financial services, and which is expected, at the time when the contact is established, to have an element of duration. An established business relationship translates into contractual agreements between the client and the BU, with or without financial flows.
* In this policy, “entity” refers to any organization, legally formed or not, that has an identity separate from those of its members.

The business relationship may take different forms depending on the Business concerned, for example:

  • Current account, usage of means of payment, deposits, individual or syndicated credits, correspondent banking.
  • Issuance of financial instruments and other operations on equity and debt.
  • Counterparty* in financial market transactions, ALM/Treasury transactions.
  • Advised or delegated asset management, management and distribution of funds, investment advice, execution services, administration, custody and safe-keeping of securities and other financial instruments.
  • Casualty and life insurance.
  • Transaction, management, rental and administration of non-financial assets (e.g. real estate, vehicles).
  • Provision of advisory and expertise services.
* A counterparty should be understood as the person who has a contractual commitment with BNPP and should be subject to a full KYC process. However, no due diligence is required on the issuer of the underlying securities.

The KYC process is mandatory for all clients, whether the business relationship is active or inactive (except dormant accounts, §2.3.2). For the purpose of this policy, a business relationship is considered inactive when the client (or the BU acting on behalf of the client) has neither carried out any transaction on any account, nor subscribed to any product or service, nor entered into any contractual commitment during the last twelve months.

Clients in liquidation and clients in legal dispute with the BU remain subject to the KYC process.

2.3.2 Exceptions

The KYC process is not required for:

  • Natural persons or entities that are still identified as clients in the BU’s records, but without any established business relationship (i.e. no client account, no current contractual agreement and no financial flows of any kind). Proper restriction measures must be put in place to prevent any business with such persons.
  • Clients all of whose accounts and/or assets are considered unclaimed, dormant, or subject to escheat under local regulation.

A specific process applies in case of termination (§4.5.1).

2.3.3 Related persons

The KYC process includes due diligence on the persons related to the client. Depending on the client segment, related persons may include: Ultimate Beneficial Owners (UBO – §5.1.2), Senior Managing Officials (SMO), directors, parent companies, legal representatives, authorized signatories, guarantors, beneficiaries of life insurance policies (§5.1.3). Other types of related persons may need to be identified, as specified in the segment policies.

2.3.4 Occasional clients

Whenever known, clients shared between several BNPP businesses and/or locations are a common occurrence, especially in the Commercial Corporates and Financial Institutions segments. This policy provides specific requirements in order to ensure a coordinated KYC process in terms of information sharing, risk assessment and decision making.

2.3.6 Business groups

Business group: A set of legal entities related through shareholding links, as usually defined in the “Référentiel Mondial des Personnes Morales” (RMPM) database.

As defined in this policy and the segment policies, the parent companies and/or subsidiaries of a client are considered in the information collection and risk assessment processes.

Therefore, the client’s BU must identify and locate the existing business relationships with parent companies and subsidiaries on a best effort basis, and collect relevant information from the BUs involved.

2.4 Client segments

Every client must be allocated to one segment, and this allocation is meant to be durable. A change in the client allocation triggers a recertification (§4.3). Therefore, where the segment is determined by a threshold (e.g. the revenues of a corporate), temporary or moderate threshold overruns (under 25%) should not systematically result in a segment change.

The COMPENDIUM and segment policies provide comprehensive definitions of the segments:

  • Commercial Corporates & Nonprofit: Commercial Corporates; Small Businesses; Nonprofit Private Entities.
  • Financial Institutions: Banks; Insurance Companies; Funds & Asset Management Entities; Other Financial Institutions.
  • Public Sector: States & Local Authorities; Central Banks; Public Services; Supranational Administrations; Sovereign Funds.
  • Natural Persons & Private Investment Vehicles: Wealth Management; Private Banking; Retail Markets; Private Investment Vehicles.

2.5 Prohibited business relationships

It is forbidden to enter into or maintain a business relationship involving the following types of clients, products or situations. In the cases of existing relationships or products, the client activity must be blocked or otherwise restricted, until the relationship is terminated.

Businesses may complement the following list with additional, specific prohibitions or restrictions.


In addition, it is forbidden to enter into a business relationship with prospective clients in case of any suspicion related to money laundering, terrorism financing or sanctions, or when the BU cannot meet its due diligence obligations.