How to Build a KYC/AML Process Flow: From Identity Verification to STR, Diagrammed


"How does our KYC actually work right now?"—at financial institutions and crypto exchanges, when someone suddenly asks you to walk through the identity-verification or anti-money-laundering steps, it is surprisingly hard to answer on the spot. Each staff member does things a little differently, and the handling of exceptions lives only inside one person's head. You are running it diligently, yet when you try to show the whole picture, the words just do not come. Sound familiar?

KYC/AML (identity verification and anti-money-laundering controls) involves many departments and many decision points—too complex to share through verbal or text-based manuals alone. That is exactly why it pays to capture the entire flow in a single process diagram and make it "clear to anyone who looks at it." The moment you draw it, the gaps and the over-reliance on individuals that you could not see before come sharply into focus.

In this article, we walk through the full sequence—customer intake, identity verification (including eKYC), customer due diligence, risk assessment, ongoing monitoring, and suspicious transaction reporting (STR)—step by step, alongside real process diagrams. By the time you finish reading, you should have a clear path for how to organize your own KYC/AML flow.

What you will learn

  • Why visualizing KYC/AML as a process diagram matters, and the 4 benefits it brings
  • The big picture: intake -> identity verification -> CDD -> risk assessment -> monitoring -> STR
  • How to draw a flow that incorporates eKYC (online identity verification) and what to check
  • How risk assessment and ongoing monitoring work under a risk-based approach
  • Tips for layering the flow into a hierarchy and drafting it quickly with AI

Why Visualize KYC/AML Work as a Process Diagram

KYC (Know Your Customer) and AML (Anti-Money Laundering) are unavoidable practices for many businesses, starting with financial institutions and crypto-asset exchanges. From customer intake through transactions and ongoing surveillance, multiple departments and decisions are intertwined—a textbook example of "complex work."

Because of this complexity, when the procedures exist only as a text manual, it becomes hard to convey "where, exactly, do we check what." Turn it into a process diagram, and the timing of each check and every branch becomes visible at a glance—making everything from training new staff and handling audits to planning systemization far easier.

Four benefits of using a process diagram

  • Smoother training and handover: you can convey identity-verification and CDD steps reliably while looking at the diagram
  • Prevents gaps and over-reliance on individuals: eliminate the "only that person can decide" state and make checkpoints a shared organizational asset
  • Stronger for audits and inspections: when procedures are visualized, explaining them in internal audits or regulatory inspections goes smoothly
  • A foundation for systemization and automation: once the current flow is organized, defining requirements for eKYC tools or transaction-monitoring systems becomes easier
This article explains general ways of thinking about practical workflows. The handling of specific verification items, retention periods, and the like should follow the relevant laws and guidelines—including anti-money-laundering regulations—and the judgment of your own compliance department.

Minami (Process improvement lead)

KYC ends up being done differently depending on who's handling it, and every time I train someone new it's like, "wait, what do we do in this case again?"...

Spark (DrillSpark consultant)

That's exactly the sign it's worth diagramming. Draw the decision forks on a single sheet, and anyone can follow "in this case, go this way." You cut both the variability and the training cost dramatically.

The Big Picture of the KYC/AML Process (6 Steps)

First, let's grasp the big picture. KYC/AML work is easier to organize when you view it as roughly the following six steps. Keeping this flow in mind before diving into individual checks will keep you from getting lost.

  1. Customer intake: the entry point that accepts account-opening or transaction applications
  2. Identity verification (KYC): confirm the customer's identity using ID documents or eKYC
  3. Customer due diligence (CDD): confirm the purpose of the transaction, occupation, beneficial owner, and so on
  4. Risk assessment: judge the risk of the customer or transaction and decide the response level
  5. Ongoing monitoring: monitor transactions and detect abnormal movements
  6. Suspicious transaction reporting (STR): file a report as needed

Turning these six steps into a single process diagram looks like the following. Pay attention to the decision (diamond) branches, and you start to see where the processing forks.

Figure 1: The big picture of the KYC/AML process (from intake to STR)
A "rough version" of the big picture is enough. Trying to draw every detail from the start will exhaust you. First align everyone's understanding around the broad flow, then detail each step afterward—this approach minimizes rework.

Customer Intake and Identity Verification (Including eKYC)

The first step is customer intake and identity verification (KYC). This is the entry point of the entire flow, and a crucial stage where the quality of verification affects everything that follows. When intake channels are multiple—in person, by mail, online—the verification method differs for each, so be sure to draw the branches clearly.

Incorporating eKYC (online identity verification)

In recent years, eKYC (electronic identity verification) that completes entirely on a smartphone has been becoming mainstream. A typical method captures an image of the ID document and matches it against the person's face (a selfie). Compared with in-person verification, the burden on the customer is smaller, but a mechanism to detect impersonation and image forgery is indispensable. In the diagram, the key is to draw both the route that completes via eKYC and the route that fails and is sent to additional verification.

Figure 2: Example flow of identity verification (including eKYC)

Don't forget to record the verification result

Identity verification is not "check and done." Keeping a record of when, by whom, and with which document the verification was performed is important for later audits and traceability. Storing records in a searchable form rather than in paper files eliminates the waste of hunting around every time you handle an inspection or a customer inquiry. Explicitly showing "save record" as a single step in the diagram helps prevent omissions on the ground.

Minami (Process improvement lead)

eKYC is convenient, but the flow when it fails is always vague, so I end up just deciding on the spot...

Spark (DrillSpark consultant)

That's where a diagram pays off. Draw it so that "if the match fails, request additional documents and go back to the start," loop included, and anyone handling it reaches the same conclusion. Exceptions are precisely what's worth diagramming.

Customer Due Diligence and the Risk-Based Approach

Once identity verification is done, customer due diligence (CDD) comes next. Whereas identity verification confirms "who" someone is, this stage is easier to grasp as confirming "what kind of transaction, and for what purpose." Representative items to confirm include the following.

| Verification aspect | Example of what to confirm | Treatment in the flow |
|---|---|---|
| Transaction purpose | Purpose and intended use of the account or transaction | Interview and record at intake |
| Occupation / business | The customer's occupation or the entity's line of business | Confirm and record the declared content |
| Beneficial owner | The beneficial owner in the case of a legal entity | Confirm at the corporate-transaction branch |
| Assets / income status | Source of funds commensurate with transaction size | Dig deeper when high risk |

Vary the response level with a risk-based approach

Applying the same depth of verification to every customer is inefficient. That is why the "risk-based approach" is commonly used. You assess risk based on the customer's attributes and the nature of the transaction, and vary the response level: standard verification when risk is low, and more in-depth verification (EDD: Enhanced Due Diligence) when risk is high.

In the diagram, the trick is to draw this risk-category branch clearly. By separating the "standard" and "high risk" routes, the team can return to the diagram whenever they are unsure how to judge.

Risk-assessment criteria differ by business. How you weight country/region, industry, transaction type, customer attributes, and so on should be designed according to your own risk-assessment policy. The diagram in this article is merely one example of structure.

Ongoing Monitoring and Suspicious Transaction Reporting (STR)

KYC/AML does not end at the point of account opening or transaction start. Even after transactions begin, "ongoing monitoring"—continuously watching transactions—is indispensable. In fact, signs of money laundering often appear after transactions have started, so this is arguably the heart of the controls.

The flow of ongoing monitoring

In monitoring, you watch patterns such as transaction amounts, frequency, and remittance destinations, and detect movements that differ from the norm (alerts). A two-tier setup—first confirming in a primary investigation whether the alert "can be explained," then sending the unexplained ones to a secondary investigation—keeps you from being overwhelmed by over-detection.

Figure 3: Example flow from ongoing monitoring to STR

Suspicious transaction reporting (STR)

Transactions judged suspicious as a result of investigation become subject to a suspicious transaction report (STR). The decision to file tends to rely on experience and intuition, making it a stage prone to over-reliance on individuals. That is exactly why mapping the approval line—"who makes the primary judgment, and who gives final approval"—into the process diagram helps curb inconsistency in judgment and lets you keep running on the same criteria even when staff change.
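
The two-tier investigation and the approval line described above, modeled as a small routing function with an audit trail. This is an added example, not part of the original article or of DrillSpark; the outcome labels, actor names, sample alerts, and the rule that the final approver must differ from the investigator are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

CLOSED_PRIMARY = "closed: explained at primary investigation"
CLOSED_SECONDARY = "closed: not suspicious after secondary investigation"
PENDING = "STR drafted: awaiting final approval"
FILED = "STR filed"


@dataclass
class Alert:
    alert_id: str
    explained: bool            # primary finding: can the movement be explained?
    suspicious: bool = False   # secondary finding, only used if unexplained
    trail: list = field(default_factory=list)  # (step, actor) audit trail


def triage(alert, primary, secondary, approver=None):
    """Route one alert through the two tiers and the STR approval line."""
    alert.trail.append(("primary investigation", primary))
    if alert.explained:
        return CLOSED_PRIMARY
    alert.trail.append(("secondary investigation", secondary))
    if not alert.suspicious:
        return CLOSED_SECONDARY
    alert.trail.append(("STR judgment", secondary))
    if approver is None:
        return PENDING
    # Assumed policy: the final approver must not be the person who judged.
    if approver == secondary:
        raise PermissionError("final approver must differ from the investigator")
    alert.trail.append(("final approval", approver))
    return FILED


def run_queue(alerts, primary, secondary, approver=None):
    """Triage a batch and count outcomes, showing how over-detection drains."""
    return Counter(triage(a, primary, secondary, approver) for a in alerts)


# Constructed sample alerts (not real data).
SAMPLE = [
    Alert("A-1", explained=True),
    Alert("A-2", explained=True),
    Alert("A-3", explained=False, suspicious=False),
    Alert("A-4", explained=False, suspicious=True),
]

if __name__ == "__main__":
    for outcome, n in run_queue(SAMPLE, "analyst_1", "analyst_2", "officer_1").items():
        print(n, outcome)
```

Each alert's `trail` records who handled which step, so the same record answers an audit question about how a filing decision was reached.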

Spark (DrillSpark consultant)

The knack of monitoring is to treat alerts as "over-detection included." Draw the two-tier primary/secondary investigation in the diagram, and you get closer to a just-right operation—neither suspecting everything nor overlooking everything.

Break Large Flows into Layers with Drill-Down

As we have seen, the KYC/AML process has many verification items and branches, and cramming it all onto one sheet tends to produce a giant diagram no one reads. The rule of thumb is to keep each sheet to about 20 processes at most, splitting into an overview flow and detail flows.

Our recommendation is to prepare the big picture (the six steps as in Figure 1) as the overview flow, then drill each step—such as identity verification or monitoring—down into its own separate detail flow. With this structure, both those who want the whole picture and those who want to understand a specific stage deeply can reach the right level of granularity without getting lost.

Organize it with DrillSpark's drill-down

DrillSpark has a drill-down feature that lets you layer flows and dig deeper. Because you can directly express the structure of drilling from an overview-flow step into a detail flow, even large operations like KYC/AML become easier to organize. Diagrams can be exported in Mermaid format, which pairs well with pasting into internal documents and with version control.

| Layer | Diagram content | Primary readers |
|---|---|---|
| Overview flow | The six steps from intake to STR | Executives, audit, new staff |
| Detail flow (identity verification) | eKYC success/failure branches and record saving | Intake and verification staff |
| Detail flow (monitoring) | Alert detection and primary/secondary investigation | Monitoring and compliance staff |

Draft It in 3 Seconds by Brainstorming with AI

You can build process diagrams in Excel or PowerPoint, too. But in a diagram with many branches like KYC/AML, shifting a single arrow breaks the shapes, and you lose time redoing the alignment. This "pain of editing" is the biggest reason diagrams stop getting updated.

With DrillSpark, you just describe the work in plain language. The AI generates a draft flowchart in about 3 seconds. Brainstorm with the AI—"draw the flow from customer intake through identity verification, CDD, monitoring, and STR"—and a starting point takes shape in an instant. From there, just look at the generated diagram and refine it interactively to match your actual operations.

The generated diagram can be edited on the spot, and you can also start from a related template. Leave the layout adjustments to the tool, and you can concentrate on the substance of the work—"the timing of checks and the branches."

Minami (Process improvement lead)

Drawing a complex KYC flow from a blank sheet is honestly draining... I never know where to start.

Spark (DrillSpark consultant)

That's exactly when brainstorming with AI shines. First talk to it to get a starting point, then fix it from there. Marking up a finished diagram is far easier and faster than drawing lines from scratch.

Summary | Start by Drawing One Big-Picture Diagram

Summary of this article

  • KYC/AML is complex work with many branches. Visualizing it as a process diagram makes training, audits, and systemization easier
  • Grasp the big picture as the six steps: intake -> identity verification -> CDD -> risk assessment -> monitoring -> STR
  • For eKYC, draw the success/failure branch and record saving. Exceptions are exactly what's worth diagramming
  • Vary the response level with a risk-based approach, and make monitoring a two-tier primary/secondary setup
  • Layer large flows with drill-down, and draft them quickly by brainstorming with AI

What matters in organizing a KYC/AML process flow is not aiming for perfection from the start. Rather than trying to draw every step in detail at once, begin by drawing one big-picture diagram like Figure 1 and aligning everyone on "this is how our flow works." Once you have that, detailing each step becomes far easier to push forward.

Procedures that exist only in someone's head or personal way of doing things reveal their gaps and over-reliance on individuals the moment you diagram them. That said, drawing a complex flow from a blank sheet is hard work. That is exactly when DrillSpark comes in.

Just describe the work you want to capture in plain language, and the AI creates a draft flowchart in about 3 seconds. Refine the parts that catch your eye through dialogue on the spot, organize layers with drill-down, and export in Mermaid format. No credit card required—you can start for free.

Start by describing your own KYC/AML big picture to DrillSpark and turning it into a single diagram. Once you take that first step, the rest of the organizing proceeds surprisingly smoothly.

FAQ

What is the difference between KYC and AML?
KYC (Know Your Customer) refers to verifying the customer's identity, while AML (Anti-Money Laundering) refers to the overall effort to counter money laundering. Identity verification is an important part of AML, and the two are closely related. In a process flow, it is easier to organize if you position identity verification as the entry-point stage within the larger AML flow.
How should I incorporate eKYC into the process diagram?
The basic approach is to draw an eKYC route as an intake-channel branch and add a "success"/"failure" decision branch to the matching of the document and the face. Drawing the loop where, on failure, you request additional documents and redo the verification keeps exception handling from depending on individuals. Figure 2 in this article serves as a reference for how to incorporate it.
How do I express the risk-based approach in a flow?
It is common to place a decision branch such as "standard" or "high risk" after risk assessment, and to draw the enhanced due diligence (EDD) process separately on the high-risk side. Design the specific risk-category criteria according to your own risk-assessment policy, and treat the diagram as expressing that structure.
It's too complex to fit on one sheet. What should I do?
Keep each sheet to about 20 processes at most, and split into an overview flow and detail flows. Using DrillSpark's drill-down feature, you can directly express a hierarchy that drills from the big-picture steps into each stage's detail flow, making even large operations easier to organize.
What are the benefits of building a KYC/AML flow in DrillSpark?
Just describe the work in plain language, and the AI generates a draft flowchart in about 3 seconds. After generation you can edit on the spot, organize layers with drill-down, and export in Mermaid format. Because edits are easy, it is also simple to keep the flow updated as the work changes. You can try it for free.
