4 Process Initiation

The KYC process must precede any new business relationship §4.1, and the onboarding decision must be made prior to the account opening or the conclusion of the first transaction. The only exceptions are:

  • First entry of funds for companies in formation.
  • Small initial deposits from individual clients, not exceeding €300 or less as may be defined by Compliance, provided a four-eye check is in place or the deposit is transferred from a bank located in a Recognized Equivalent Country (§5.5.4), no payment means are delivered, and the depositor is identified.
  • Test transactions when setting up a cash management arrangement, provided their amount is minimal.

In such cases, the client must not be able to initiate any other kind of transaction.

In the course of the business relationship, the KYC file must be updated with any new information §4.2. The business relationship must be recertified in case of specific events that may impact the risk level and that require a new decision making §4.3, and, at the latest, according to a predefined frequency §4.4 – with some exceptions. The termination of a business relationship requires specific due diligence measures §4.5.

Any event may lead the Business or Compliance to initiate a targeted file update, a recertification upon trigger event or to anticipate the entire recertification of the file.

In any instance, special consideration must be given to multi-site clients §4.6 or clients belonging to a business group §4.7.

4.1 New business relationship

Any business relationship must be assigned to an RM or to a duly appointed department in the Businesses where client management is not individualized. Assignment changes must be anticipated so that no business relationship is left unassigned at any time.

The client must be allocated to a segment according to the available information, in order to determine the applicable due diligence measures. In case of doubt, Compliance must be consulted.

In case of a client’s first relationship with BNPP, when required by the segment policies, the RM must not only document the expected product usage in the short term, but also anticipate the relationship development over time (a 5-year plan is recommended), in terms of overall purpose, product usage and places of business, i.e. any other BNPP BU that may become involved in the relationship.

If the client is expected to enter into a relationship with other BUs in the foreseeable future, the KYC process must include any recognized local regulatory requirements* related to the countries where these BUs are located. This allows for a more efficient onboarding process in these BUs.

* The KYC Domain maintains the list of recognized local regulatory requirements.

The relationship development plan must be regularly updated, at least at recertification.

4.2 Targeted file update

The ongoing due diligence principle requires that KYC files be maintained up to date on a permanent basis. In particular, some events or new information must trigger a targeted file update and possibly a reassessment of the risk level. Such events must be analyzed and documented. The following list is not restrictive and may be complemented by Compliance at the OP or Business level.


When a targeted file update results in the risk level being raised to High Risk, or a change in the client segment, the recertification process must be initiated (§4.3).

If the targeted update does not lead to the client’s recertification, the next periodic recertification date remains unchanged, unless the risk level is downgraded.

See also Business Groups §4.7.

4.3 Recertification upon trigger event

Some events require the client’s recertification.

This recertification consists in a targeted file update, with an analysis and documentation of the event, possibly a reassessment of the risk level and a new decision making. If the recertification leads to a downgraded risk level, the next periodic recertification date must be adjusted accordingly.

In order to ensure an informed and risk-based decision, the client’s file must be up to date. When the file has been properly updated since the previous recertification (§4.2), no further information or documentation review should be necessary, beyond the event considered. The recertification decision making on pursuing the business relationship must still be documented.

The table below details the minimum requirements, including the possible consequence of a change in the risk level to High Risk.


See also Multi-site Clients §4.6.

4.4 Scheduled recertification

The recertification frequency mainly depends on the client segment and the client risk level.

The recertification process must be initiated sufficiently in advance of the file’s due date to ensure that it is complete on or before the due date. The time needed to complete the process will vary depending on such factors as the business’ organization and information systems, the complexity of the file and the amount of information that must be updated, the client’s risk level, and whether Compliance involvement in the decision process or a CAC is required.

The required due diligence measures are similar to the ones required for a new client onboarding, except that:

  • The file already exists and must be updated.
  • The current risk level determines the initial level of due diligence.
  • The actual business relationship history must be compared with the intended purpose and the expected transactional profile (as the case may be).

4.5 Termination of a business relationships

The end of a business relationship may result from:

  • The client’s decision.
  • The BU’s decision, for business reasons such as the client’s profitability or credit worthiness, or the Business’ overall strategy.
  • The BU’s or Compliance’s decision, for compliance reasons such as the level of financial security risks posed by the relationship, the non-compliant or overdue status of the KYC file, or certain Financial Security incidents (§10) – termination is mandatory within the 6-month period after a file was found non-compliant or overdue (§8).

A contract or product coming to maturity or the full repayment of a loan is not considered a termination, unless such decision is made. However, early repayments may trigger a targeted file update in order to analyze the rationale and the source of funds (§4.2).

4.5.1 Due diligence measures applicable to all terminations

  • The ability to update the file may be limited in some cases such as litigation, termination for compliance reasons, client’s profitability or credit worthiness, especially when the termination is motivated by a lack of information. However, the following key information must be chased on a best effort basis if missing or obsolete: client identification, UBO identification, activity in MSCs, source of funds, and FATCA/AEOI/QI documentation.
  • By exception, the file update is not required for LR files, clients in liquidation and inactive accounts with low cash balances, the balance threshold being validated by Compliance.
  • The termination rationale must be documented: client or BU decision, inactive or dormant relationship, business or compliance reason, mass termination…
  • In case of termination as a result of an operational risk incident or a client complaint, the relevant reporting must have been done according to the applicable policies.
  • Any outstanding alert related to PEPs, sanctions and transaction monitoring must be investigated.
  • The destination of funds must be documented and analyzed, if any.
  • Any termination proposal related to a HR client, or to a file where required key information is missing, must be submitted to Compliance, which may require additional measures if the risk analysis is deemed insufficient.
  • Any termination of an HR PEP or a client with a HR PEP as related person must be notified to GFS.

4.5.2 Additional due diligence measures applicable to terminations for compliance reasons

  • During the period between the termination decision and the actual termination, the client must be classified as HR and the business relationship must be restricted: no further business development, no subscription to new products or services, no new investments or large deposit. In addition, Compliance may require specific monitoring measures.
  • An unusual activity report must be initiated in case of any suspicion related to the relationship history or the destination of the client’s funds. If the destination of funds is suspicious, the outgoing payment should be suspended and Compliance should be contacted immediately for further action.
  • The termination proposal must be submitted to Compliance, which may require additional measures if the risk analysis is deemed insufficient.
  • In case of unusual activity report, the termination must be reported to GFS (unless already reported as a suspicious activity report or an attempt to circumvent – CG0236).

4.6 Multi-site clients

As an objective, the time needed to onboard a client of a BU in another BU should not exceed one month, and the tasks to be undertaken should be planned accordingly.

4.6.1 Process planning

When a client is known to have, or is expected to enter into, a business relationship with two or more BUs, the onboarding or recertification process must be carefully coordinated in order to optimize lead times:

  • The Primary Site must be clearly identified and agreed upon.
  • A coordinated project must be launched between the BUs concerned. By default, the project should be managed by the RM in the Primary Site, but this role may be delegated to another person with the appropriate authority.
  • The project manager must inform stakeholders (RMs, KYC Operations teams and Compliance) in all BUs concerned, plan the tasks to be performed, monitor the overall progress and alert his Management in case of delay.
  • The comprehensive list of information to be collected and shared must be prepared at the outset.
  • A joint CAC must be planned with representatives of the Business and Compliance from the BUs concerned, as the case may be.

Wherever client information is protected by banking or professional secrecy and/or personal data protection law, information sharing is subject to obtaining the appropriate waiver from the client.

Wherever required by regulation, a reliance agreement must be formalized between the BUs concerned.

4.6.2 Information sharing Primary Site

The Primary Site is responsible for collecting information and supporting documents from the client, internal sources or public sources, performing adverse information searches when required, and assessing the client risk.

The Primary Site must prepare the sharing of the following elements with the Secondary Sites concerned:

  • All collected information.
  • An updated check against sanctions and PEP lists and any other applicable lists, as well as any related analysis.
  • An updated adverse information search and analysis if the last search was performed more than 3 months ago.
  • The scoring result and details.
  • The final risk assessment after taking into account qualitative elements, as the case may be.
  • The RM Assessment, when required.
  • The 1st-level control result (§9.1.1).
  • A confirmation in English that the file is complete and compliant with the KYC policies and that any risk-impacting event has been considered.

Documentation should be provided in – or translated into – English where possible. Where not possible, supporting documents must at least be identifiable. Therefore, their nature, reason for inclusion in the KYC file and appropriate parts (i.e. headline and material content) must be translated into English in order to provide sufficient information to understand their purpose and any key information required for risk assessment.

The Primary Site makes the supporting documentation available upon request from the Secondary Sites*.

* Some regulators require subject institutions to ensure that they can obtain the full file under very short notice – e.g. two days in the UK. Secondary Site

The Secondary Site relies on the due diligence performed by the Primary Site.

In case of additional regulatory requirements or incomplete file, the Secondary Site may:

  • Ask the Primary Site to collect additional information and/or supporting documents from the client (e.g. when local UBO identification threshold is lower than the standard).
  • Collect additional information and/or supporting documents itself from sources that are not available to the Primary Site.
  • Perform supplemental adverse information searches using additional sources or languages, when appropriate.

The Secondary Site shares the additional collected information and documents with the Primary Site.

4.6.3 Event-triggered recertification

In addition to the standard list of events (§4.3), the termination of a business relationship for compliance reasons or the client becoming HR in any Site must also trigger a recertification, to be initiated by the Primary Site.

4.6.4 Scheduled recertification

Recertification dates should be aligned between the Primary and Secondary Sites. If, for any reason, and particularly during the implementation phase of this policy, recertification dates are different, the following provisions apply:

HR files MR or LR files
File comes due first in Primary Site The Primary Site initiates the process in liaison with all Secondary Sites.
File comes due first in Secondary Site The Secondary Site requires the Primary Site to initiate the process.

By exception, if the file has been recertified by the Primary Site less than one year ago, the Secondary Site changes its due date into the Primary Site’s due date.
The Secondary Site changes the due date into the Primary Site’s due date.

Any exception must be submitted to Compliance.

4.6.5 Termination

The termination must be reported to the other BUs having a business relationship with the client.

4.7 Business groups

An independent KYC process is required for each entity client within a business group. However, information and documentation that is already available at the parent company’s level can be leveraged upon, subject to regulations on banking secrecy and personal data protection, such as:

  • The parent company’s MSCQ when covering the client subsidiary.
  • Identification of common related persons such as UBOs, and in some cases Senior Managing Officials and Directors.
  • Material adverse information related to the parent companies or the client’s related persons.

4.7.1 Targeted file update

The following events must be shared with the BUs having a relationship with a direct parent company or subsidiary of the client, in order to trigger a targeted file update and possibly a change in the risk level:

  • The assignment of a HR risk level to an immediate parent company or a subsidiary of the client.
  • The rejection or termination of the business relationship with an immediate parent company or a subsidiary of the client for compliance reasons.

4.7.2 Scheduled recertification

The alignment of recertification dates is recommended, as far as deemed practical with regard to the size of the business group and the number of business relationships involved, and without prejudice to the different frequencies resulting from the risk level of each entity concerned.

4.7.3 Termination

Termination must be reported to the BU having a business relationship with the client’s parent company.