Know Your Customer (KYC)
Last reviewed April 2026
Every bank runs Know Your Customer (KYC) checks, but how many are still reviewing identities manually every one to three years while transaction patterns shift daily? Perpetual KYC is replacing the periodic review cycle, and AI is what makes continuous verification practical at scale.
What is KYC?
KYC is the regulatory obligation to verify a customer's identity, understand the nature of their activities, and assess their risk profile before and during a business relationship. In practice, it means collecting identification documents, screening against sanctions and politically exposed persons lists, and making a judgement about whether the customer is who they claim to be.
The challenge is not the initial check. Most banks can onboard a retail customer in hours. The problem is what comes after. Regulations require ongoing monitoring and periodic reviews, typically every one, three, or five years depending on risk tier. For a mid-sized bank with two million customers, that means hundreds of thousands of reviews cycling through compliance teams perpetually. Each review touches multiple data sources, requires human judgement, and generates documentation for the audit trail.
False positive rates on identity verification screening run between 10 and 20 per cent in most institutions. That means for every genuine match against a sanctions list, there are five to nine cases where a compliance analyst must investigate, confirm the customer is not the sanctioned individual, and document the decision. This is the real cost of KYC: not the technology, but the human time consumed by noise.
The landscape
The regulatory environment is fragmenting and consolidating simultaneously. The EU's Anti-Money Laundering Authority (AMLA), operational from mid-2025, introduces a single supervisory body and a harmonised rulebook across member states. The UK's FCA continues to sharpen its risk-based approach post-Brexit, with increasing scrutiny on how firms evidence their ongoing monitoring obligations.
Cross-border interoperability is the emerging battleground. Singapore's MyInfo, Australia's ConnectID, and the EU's digital identity wallet (eIDAS 2.0) each promise government-backed digital identities that could simplify verification. But interoperability between these schemes remains theoretical. A bank operating across five jurisdictions still maintains five different verification processes with five different regulatory expectations.
Corporate KYC is where the real complexity lives. Verifying beneficial ownership through layered corporate structures, often spanning multiple jurisdictions with different disclosure requirements, remains largely manual. The UK's Companies House reforms and the EU's beneficial ownership registers have improved transparency, but the data quality in these registers varies significantly. AI systems that rely on registry data inherit that inconsistency.
How AI changes this
The most mature application is document verification: extracting data from identity documents, validating their authenticity, and matching them against the customer's declared information. This is production-ready and widely deployed. Processing times drop from hours to seconds, and accuracy on well-formatted documents exceeds 95 per cent.
The shift from periodic to perpetual KYC is where AI creates genuine operational change. Rather than reviewing a customer every three years, AI systems continuously monitor transaction behaviour, adverse media, and registry changes, triggering a review only when something material changes. This is not futuristic: several Tier 1 banks have moved to event-driven KYC for their highest-risk segments.
Network analysis is emerging but not yet mainstream. Graph-based models map relationships between entities, identifying connections that linear screening would miss. A customer may pass individual screening but sit at the centre of a network that collectively raises concerns. This capability exists in anti-money laundering platforms but is increasingly being pulled upstream into KYC risk assessment.
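The case described above, a customer who passes individual screening but sits close to flagged entities, as an added example that is not code from this page or from any vendor platform. The entity names, relationship labels, the two-hop limit and the sample graph are all constructed assumptions.

```python
from collections import deque

# Constructed sample: (entity, entity, relationship) edges from registry and onboarding data.
SAMPLE_EDGES = [
    ("CUST-1", "CO-A", "director_of"), ("CO-A", "PERSON-X", "owned_by"),
    ("CUST-1", "CO-B", "director_of"), ("CO-B", "PERSON-Y", "owned_by"),
    ("CUST-2", "CO-C", "director_of"), ("CO-C", "PERSON-Z", "owned_by"),
    ("CUST-3", "CO-D", "director_of"), ("CO-D", "CO-E", "owned_by"),
    ("CO-E", "PERSON-X", "owned_by"),
]
FLAGGED = {"PERSON-X", "PERSON-Y"}  # constructed screening hits; no customer is on this list


def build_graph(edges):
    """Undirected adjacency list that keeps the relationship label on each edge."""
    graph = {}
    for a, b, relation in edges:
        graph.setdefault(a, []).append((b, relation))
        graph.setdefault(b, []).append((a, relation))
    return graph


def network_exposure(graph, customer, flagged, max_hops=2):
    """Breadth-first search: shortest path to each flagged entity within max_hops."""
    hits = {}
    visited = {customer}
    queue = deque([(customer, [customer])])
    while queue:
        node, path = queue.popleft()
        if (len(path) - 1) // 2 >= max_hops:  # path alternates entity, relation, entity
            continue
        for neighbour, relation in sorted(graph.get(node, [])):
            if neighbour in visited:
                continue
            visited.add(neighbour)
            new_path = path + [relation, neighbour]
            if neighbour in flagged:
                hits[neighbour] = new_path  # the path itself is the explanation
            queue.append((neighbour, new_path))
    return hits


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for cust in ("CUST-1", "CUST-2", "CUST-3"):
        print(cust, network_exposure(g, cust, FLAGGED))
```

CUST-1 is not on the flagged list yet reaches two flagged entities within two hops, while CUST-3's single link sits three hops out and only appears when `max_hops` is raised.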
Natural language processing reduces the cost of adverse media screening, parsing news sources in multiple languages and distinguishing between a customer who shares a name with a sanctioned individual and one who is genuinely connected to illicit activity. The false positive reduction here is substantial, often halving the volume that reaches human reviewers.
What to know before you start
Data quality is the prerequisite that derails the most KYC automation projects. If your customer master data has inconsistent name formats, outdated addresses, and missing nationality fields, no AI system will compensate. Clean the data first, or budget for cleaning it as part of the programme.
Perpetual KYC requires event-driven architecture. If your core banking system cannot emit events when customer attributes change, you are building a polling system that will not scale. Assess your integration layer honestly before committing to continuous monitoring.
Regulators expect explainability. A model that flags a customer as high risk must be able to articulate why. Black-box risk scores are increasingly challenged during supervisory reviews. Favour models that produce interpretable outputs over those that optimise purely for accuracy. The FCA's expectations on AI explainability, published in their 2024 feedback statement, are worth reading before selecting a vendor.
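An added illustration of the event-driven trigger and the interpretable output discussed in the two paragraphs above, not code from this page or from any vendor: change events are scored against materiality weights and every decision carries the reasons behind it. The event names, weights and tier thresholds are assumptions invented for the example.

```python
from dataclasses import dataclass, field

# Assumed event types and weights; a real programme takes these from its risk policy.
MATERIALITY = {
    "beneficial_owner_changed": 50,
    "adverse_media_hit": 40,
    "nationality_changed": 30,
    "registered_address_changed": 20,
    "marketing_preference_changed": 0,  # not material to KYC
}
# Assumed thresholds: higher-risk tiers trigger a review on less evidence.
REVIEW_THRESHOLD = {"high": 20, "medium": 40, "low": 60}


@dataclass
class Decision:
    customer_id: str
    trigger_review: bool
    score: int
    reasons: list = field(default_factory=list)


def evaluate_events(customer_id, risk_tier, events):
    """Score one customer's change events and record why a review fired."""
    threshold = REVIEW_THRESHOLD[risk_tier]
    seen, score, reasons = set(), 0, []
    for event in events:
        if event["id"] in seen:  # brokers redeliver; count each event once
            continue
        seen.add(event["id"])
        weight = MATERIALITY.get(event["type"])
        if weight is None:
            # Unknown event types fail closed: enough weight to force a review.
            weight = threshold
            reasons.append(f"unrecognised event type {event['type']!r}")
        elif weight > 0:
            reasons.append(f"{event['type']} (+{weight})")
        score += weight
    return Decision(customer_id, score >= threshold, score, reasons)


if __name__ == "__main__":
    # Constructed sample events, including one redelivered duplicate.
    sample = [
        {"id": "e1", "type": "registered_address_changed"},
        {"id": "e1", "type": "registered_address_changed"},
        {"id": "e2", "type": "marketing_preference_changed"},
    ]
    for tier in ("high", "low"):
        print(tier, evaluate_events("CUST-1", tier, sample))
```

The same address change opens a review for a high-risk customer and not for a low-risk one, and the `reasons` list is what an analyst or supervisor would read to see why.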
Start with the segment that costs you the most: typically high-risk corporate customers with complex ownership structures. The ROI is clearest here, and the compliance benefit is most visible to the regulator. Retail KYC improvements, while valuable, are harder to distinguish from existing vendor solutions and less likely to earn internal sponsorship for the budget required.
Finally, involve your fraud detection team from the outset. KYC and fraud share data sources, screening infrastructure, and often the same customers of concern. Building these as separate programmes doubles the integration cost and misses the intelligence that comes from a unified view. The same applies to credit scoring and regulatory reporting, which rely on the same customer data foundations. For a broader view of how enterprise AI fits into a bank's operations, our leadership guide covers strategy, architecture, and returns.