← Back to news
Regulation

KYC, KYB and AML Explained: Fintech's Compliance Backbone

Every fintech that touches money has to answer three questions about its customers: who are you, what is your business, and are you laundering money? The answers determine whether the firm operates or gets shut down.

11 min read

KYC, KYB, and AML are three distinct legal obligations, and conflating them is one of the more reliable signs that a compliance programme has been designed by someone who has never filed a SAR or sat through an FCA supervisory visit. They share a purpose — preventing financial crime — but they operate at different points in the customer lifecycle, target different types of counterparty, and carry different regulatory consequences when they fail.

KYC is about establishing and periodically reconfirming who an individual customer is. KYB applies equivalent scrutiny to corporate customers, which turns out to be considerably harder. AML is neither a check nor a one-time event — it is a continuous obligation to monitor transactions and report suspicions to the relevant authority. All three sit on the same regulatory foundations, but each has its own technical requirements, vendor market, and failure modes. Working through them in order is the clearest way to see how they fit together.

Defining the Three Terms Precisely

Know Your Customer (KYC) is the obligation on a regulated firm to verify the identity of individual customers before establishing a business relationship, and to maintain that verification throughout. The core components are straightforward to list but not always straightforward to execute: collection of personal data (full name, date of birth, residential address), verification of a government-issued identity document (passport, national identity card, or driving licence), a biometric liveness check to confirm that the person presenting the document is physically present, and screening against sanctions lists and Politically Exposed Person (PEP) databases. CDD — Customer Due Diligence — is the standard tier. Enhanced Due Diligence (EDD) is required for higher-risk relationships: PEPs, their family members and close associates, high-value customers, and individuals from jurisdictions identified as high-risk by FATF.

Know Your Business (KYB) applies the same underlying principle — understand who you are dealing with — to corporate customers, and immediately the complexity increases. A company does not have a face or a passport. Verifying that a business legally exists requires checking its registration in the relevant national registry. Identifying who controls it requires tracing through potentially layered ownership structures to find the Ultimate Beneficial Owners: the natural persons who ultimately own or control the entity, defined under both EU and UK rules as individuals holding more than 25% of shares or voting rights, or who exercise effective control by other means. Corporate structures are sometimes deliberately opaque, and KYB is where that opacity becomes a regulatory and financial-crime risk.

Anti-Money Laundering (AML) is not a check. It is an ongoing programme — a combination of policies, controls, transaction monitoring, staff training, and reporting obligations — designed to detect, investigate, and report suspicious activity. The legal obligation is continuous. A firm that completes perfect KYC at onboarding and then ignores what its customers do with their accounts for the next three years has not discharged its AML duty. The ultimate output of a functioning AML programme, when suspicious activity cannot be resolved, is a Suspicious Activity Report (SAR) filed with the relevant Financial Intelligence Unit. In the UK, that is the National Crime Agency's UK Financial Intelligence Unit (UKFIU).

The Regulatory Foundations

The global framework comes from the Financial Action Task Force, an intergovernmental body whose 40 Recommendations set the baseline that national regulators are expected to implement. FATF membership carries mutual evaluation obligations: member jurisdictions are periodically assessed on whether their legal frameworks and actual supervision meet the Recommendations. Being greylisted — placed on FATF's list of jurisdictions under increased monitoring — has material consequences for any financial firm operating in or through that country.

In the European Union, the AML framework has been progressively tightened through a series of directives. The 4th Anti-Money Laundering Directive (2015) introduced mandatory UBO registers and risk-based CDD requirements. The 5th (2018) extended the scope to cryptocurrency exchanges and custodian wallet providers, enhanced access to UBO registers, and added further requirements for high-risk third countries. Directive (EU) 2018/1673 — commonly called 6AMLD and adopted in 2018 — focused on criminal liability: it harmonised the definition of money laundering across member states, set out 22 categories of predicate offences, and covered aiding, abetting, inciting and attempting money laundering. Member states implemented it through national criminal law after adoption.

In the UK, the primary statutory vehicle is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which transposed the 4th AMLD into domestic law. The MLRs were subsequently amended to bring in elements of the 5th AMLD after Brexit. Post-Brexit divergence from EU AML rules is possible — and is now actively being discussed — but the practical reality is that any UK firm with EU clients or EU correspondent banking relationships must still be cognisant of EU requirements. The Proceeds of Crime Act 2002 and the Terrorism Act 2000 provide the underlying criminal law framework for SAR obligations and the offence of tipping off.

These are not guidance documents. Firms found to have inadequate controls face FCA enforcement action and, under the Senior Managers and Certification Regime (SMCR), personal liability for the designated Money Laundering Reporting Officer (MLRO) and other senior managers who held the relevant controlled functions. The FCA has been willing to use that lever — several enforcement actions have resulted in personal fines and bans alongside firm-level penalties.

How KYC Works in Practice

The standard identity verification flow starts with data collection: the customer provides name, date of birth, and residential address. They then upload or photograph a government-issued identity document. At this point, automated document authenticity checks begin — examining security features, detecting manipulation, cross-referencing document templates from the issuing country. The dominant vendors in this space — Onfido, Jumio, Sumsub, and Veriff — all provide document verification as a commodity, differentiated largely by the depth of their country coverage, false positive rates, and integration flexibility.

The biometric liveness check follows: the customer is asked to perform an action (look at the camera, turn their head, blink) to confirm they are physically present rather than presenting a photograph or using a deepfake. Liveness detection has become a meaningful technical battleground as presentation attacks have grown more sophisticated. Major vendors now offer passive liveness — detecting whether a face is live without requiring any deliberate action from the customer — as the attacks against active liveness (instructed actions) have matured.

Parallel to document and biometric verification runs sanctions and PEP screening. Every customer's name is checked against multiple consolidated sanctions lists — OFAC (US), UN Security Council, EU, HMRC/OFSI (UK) — as well as commercial PEP databases maintained by providers such as ComplyAdvantage, Refinitiv World-Check, and Dow Jones. PEP classification is not binary: a PEP is any individual who holds or has held a prominent public function, and the definition extends to family members and known close associates. The risk level associated with a PEP varies significantly: a local councillor in a low-corruption jurisdiction is not equivalent to a minister in a state with high corruption indices.

Customer Risk Assessment (CRA) aggregates these signals to assign a risk rating that determines the CDD tier applied and the refresh frequency. Standard CDD for a low-risk retail customer; EDD — which requires documented evidence of the source of wealth and source of funds, alongside senior management sign-off — for PEPs, high-value customers, and those from FATF high-risk jurisdictions.

How KYB Works in Practice

Corporate verification starts with establishing that the entity legally exists in the jurisdiction it claims to be registered in. In the UK, that means a Companies House lookup — verifying registered name, company number, registered address, and current status (active, not struck off). Across the EU, equivalent registries exist at member-state level: the Registro Mercantil in Spain, the Handelsregister in Germany, the Greffe du Tribunal de Commerce in France. Data quality varies considerably between jurisdictions.

Director verification then requires running the standard KYC flow for every director named in the registry filing. This is not optional — a firm that verifies the entity but not the natural persons controlling it has not completed KYC on the relationship. Director lists change; companies fail to update their registry filings; recently-appointed directors may not yet appear in the registry. Ongoing monitoring to catch these changes is part of a functioning KYB programme.

UBO identification is where most KYB failures occur. The requirement is to identify every natural person who ultimately holds 25% or more of shares or voting rights, or who exercises effective control. Where a company is 100% owned by another company, which is 100% owned by a holding vehicle in another jurisdiction, the firm must trace through every layer until it reaches a natural person — or concludes that no natural person holds the threshold and the entity is therefore controlled by other means, which itself requires explanation. EU member states maintain national UBO registers as required under the 4th AMLD, but quality and accessibility vary: some registers are incomplete, some charge for access, and a number of structures — trusts, foundations, nominee arrangements — have historically provided routes around the requirement. The European Court of Justice's 2022 ruling restricting public access to UBO registers for privacy reasons introduced a further layer of complexity for firms that had integrated public register data into their automated KYB flows.

Ongoing monitoring of corporate customers matters more than most firms' practices reflect. Ownership structures change. Directors resign and are replaced. Companies move their registered office to a different jurisdiction. A customer whose UBO structure was unproblematic at onboarding may, two years later, have a beneficial owner who has been sanctioned. Point-in-time KYB treats that risk as resolved; perpetual KYB treats it as continuously open.

Transaction Monitoring and SAR Filing

AML transaction monitoring starts from a baseline: what does normal look like for this customer, given their stated profile, their account type, and their peer group? Deviation from that baseline — in volume, frequency, geography, counterparty, or transaction type — generates an alert for review.

Rules-based monitoring engines flag specific patterns: unusually large cash transactions inconsistent with the customer's stated profile, structuring (a pattern of transactions broken into smaller amounts that suggests deliberate avoidance of scrutiny), rapid round-trip transactions, payments to or from sanctioned countries, or activity sharply inconsistent with a customer's stated business purpose. Machine learning-based monitoring systems — offered by vendors such as ThetaRay, Featurespace, and NICE Actimize — add behavioural anomaly detection on top of static rules, reducing false positive rates by clustering peer groups more accurately and identifying novel laundering typologies that rules libraries have not yet caught.

When a transaction or pattern of transactions is flagged, a compliance analyst performs alert triage. The analyst's job is to determine whether the activity can be explained with reference to known information about the customer, or whether the suspicion remains after review. If it remains, a SAR is filed with the UKFIU (in the UK) via the NCA's reporting portal. Filing is a legal obligation — a firm that identifies suspicious activity and fails to report it is not merely non-compliant, it risks committing the principal offence of money laundering itself. Equally, once a SAR has been filed, the firm commits an offence if it tips off the customer — directly or indirectly — that a report has been made or that an investigation is under way. Compliance staff must navigate that constraint even when the customer asks why their transaction has been delayed.

SAR quality is a recurring FCA concern. Filing volumes are not a proxy for programme quality. A SAR that mechanically describes a transaction without articulating why it is suspicious, without providing contextual detail about the customer's known profile and the specific deviation from it, and without capturing the analyst's reasoning, provides limited intelligence value to the NCA and provides limited evidence of genuine compliance effort if the firm is later under scrutiny. The wider RegTech stack is increasingly capable of generating case summaries to support analyst decision-making, but the substantive analytical judgment remains a human obligation.

The Shift to Perpetual KYC

Traditional periodic review treated customer files like an audit schedule: high-risk customers refreshed annually, standard-risk customers every three to five years. That approach has an obvious flaw — a customer who becomes a PEP in month seven of a three-year refresh cycle, or whose UBO is sanctioned in month fourteen of an annual cycle, is not caught until the next scheduled review, which may be years away.

Perpetual KYC (pKYC) replaces the periodic schedule with continuous, event-driven monitoring. Rather than waiting for a refresh date, the system monitors for triggering events: sanctions list additions, PEP database updates, adverse media alerts, document expiry, changes in registered ownership at Companies House. When a trigger fires, a review workflow is initiated immediately. The customer's file is re-screened, and — if the trigger implies elevated risk — EDD may be required.

Several UK challenger banks and neobanks have built pKYC architectures in recent years, partly from genuine compliance ambition and partly from pragmatism: manual periodic reviews create compliance backlogs that scale badly with customer volume. A firm with two million customers on a three-year refresh cycle needs to process over 650,000 reviews per year without a material triggering event in sight. pKYC converts that into a smaller, more manageable queue of event-driven cases — and is increasingly what the FCA expects sophisticated firms to demonstrate. The tooling to support it sits in the orchestration layer, discussed below.

The RegTech Stack for KYC and AML

The vendor market for KYC and AML has segmented into distinct layers, and understanding the layers helps clarify why firms typically use multiple products rather than a single platform. The full RegTech stack for neobanks is covered in detail separately; the highlights relevant to KYC and AML are as follows.

Identity verification is dominated by Onfido (now part of Entrust), Jumio, Sumsub, and Veriff. Each offers document verification, biometric liveness, and varying combinations of database checks and AML screening. Selection criteria typically centre on country coverage (Sumsub and Onfido have strong global coverage), false positive and false negative rates, API latency, and price per check. Sumsub has gained significant share among crypto and neobank clients, partly on price and partly on depth of integration with orchestration platforms.

Sanctions, PEP, and adverse media data is supplied by ComplyAdvantage (real-time updating, strong API-first design), Refinitiv World-Check (extensive coverage depth, historically preferred by large banks), and Dow Jones Risk and Compliance. The choice here involves trade-offs between coverage depth, false positive rate, update frequency, and cost — World-Check's breadth can generate high alert volumes that overwhelm analyst capacity if not tuned carefully.

Transaction monitoring for larger institutions is typically handled by NICE Actimize, which dominates the enterprise segment, or Fiserv AML Manager. For fintechs and neobanks, ThetaRay (particularly for cross-border payments), Featurespace (behavioural analytics), and Unit21 (case management plus monitoring) are more common. ThetaRay uses unsupervised machine learning and proprietary AI algorithms to identify suspicious activity in correspondent banking and cross-border payment flows, where traditional rules-based systems can struggle.

Orchestration platforms sit above the individual point solutions. Alloy and Unit21 are the most widely-used in the fintech segment: they integrate outputs from identity verification vendors, sanctions databases, and transaction monitoring into a unified decision engine, add case management workflows, and provide the audit trail that regulators want to see when they review a firm's AML processes. The orchestration layer is also where pKYC logic lives — event triggers from sanctions databases or registry monitors route into the case management queue without requiring manual monitoring of each individual data source.

What Good Looks Like — and What Regulators Actually Find

The FCA's enforcement actions and its Financial Crime Guide are explicit about the recurring failure modes. Over-reliance on automated screening is the most common: a firm that screens every customer against a sanctions list at onboarding but has never tested its screening model, does not review false positives with genuine judgement, and has no escalation path for edge cases has process without substance. Automated screening is a necessary condition; it is not a sufficient one.

EDD documentation failures are the second persistent category. A high-risk customer who has been assigned EDD should have a file that explains the source of their wealth (not "salary" without further investigation), the expected volume and nature of their transactions, senior management's specific sign-off, and the date of the next review. The FCA has found — repeatedly — that EDD records are either absent or formulaic, copying template language rather than reflecting genuine analysis of the specific customer.

KYB failures tend to concentrate at the UBO identification stage. Firms verify the entity and the named directors but do not trace the ownership structure to the ultimate natural persons. Nominee arrangements and intermediate holding companies are accepted at face value rather than looked through. This is not a technical capability gap — the information is often available, and the MLRs require firms to take reasonable measures to obtain it. It is more often a resource or process gap: the firm's KYB flow was designed for simple structures and was never tested against opaque ones.

SAR filing remains analytically shallow at many firms. A SAR filed with the minimum required fields, describing the transaction without reasoning about its suspicious characteristics or the customer's known profile, is technically compliant and substantively weak. The NCA's UKFIU has published guidance on what makes a useful SAR; the FCA has noted in thematic reviews that SAR quality across the industry does not consistently meet that standard. The shift to broader regulatory obligations under frameworks like DORA has increased pressure on compliance functions — the risk is that AML analytical capacity is thinned by competing regulatory demands rather than protected as core.

What the better-performing firms share is not a more expensive technology stack. It is a compliance programme designed around the actual risks their customer base presents — genuinely calibrated risk appetite rather than checkbox-driven CDD, analysts who understand the typologies they are looking for, and senior management who treat the MLRO function as substantive rather than administrative. The RegTech vendors can accelerate that programme; they cannot substitute for it.

Sources and methodology: This article draws on the Financial Action Task Force (FATF) 40 Recommendations; the UK Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017; EU 6th Anti-Money Laundering Directive; FCA Financial Crime Guide; and NCA guidance on SAR filing. Product capabilities of named vendors are drawn from their publicly available documentation. No proprietary data is cited.

Frequently asked questions

What is the difference between KYC and AML?

KYC (Know Your Customer) is the identity verification process carried out at onboarding and refreshed periodically throughout the customer relationship. AML (Anti-Money Laundering) is the continuous monitoring programme applied to customer transactions — detecting suspicious activity, investigating alerts, and filing Suspicious Activity Reports with the relevant Financial Intelligence Unit when suspicion cannot be resolved. KYC establishes who the customer is; AML monitors what they do.

Which firms are required to carry out KYC and AML?

Any firm that falls within the scope of the UK Money Laundering Regulations 2017 — banks, payment institutions, e-money institutions, credit firms, crypto asset exchanges registered with the FCA, and a range of other regulated entities. The obligations also apply to certain non-financial businesses such as accountants, solicitors, and estate agents when conducting specified activities. Operating a regulated fintech without a compliant KYC and AML programme is not a grey area; it is a condition of authorisation.

What counts as a UBO under UK and EU rules?

An Ultimate Beneficial Owner is a natural person who holds, directly or indirectly, more than 25% of the shares or voting rights in a legal entity, or who otherwise exercises effective control over it. Where no natural person meets the ownership threshold, the firm must identify the person who exercises control through other means — such as the right to appoint or remove the majority of the board. Nominee arrangements and layered holding structures do not extinguish the obligation; firms must trace through them.

What happens if a firm fails to file a Suspicious Activity Report?

Failure to file a SAR when there are grounds for suspicion is a criminal offence under the Proceeds of Crime Act 2002 in the UK, potentially engaging the principal money laundering offences. It also exposes the firm to FCA enforcement action and, under the Senior Managers and Certification Regime, personal liability for the Money Laundering Reporting Officer. Firms that file late or file SARs of inadequate quality may also face supervisory consequences, even if the failure falls short of a criminal threshold.

How long does KYC take with modern RegTech tools?

For a standard retail customer with a valid passport or driving licence, automated document verification and biometric liveness checks typically complete in under 60 seconds, with a sanctions and PEP screening result returned simultaneously. Manual review queues add time when the automated check cannot reach a decision — unusual documents, quality issues, or partial name matches on sanctions lists. Enhanced Due Diligence for higher-risk customers is a different process: it requires documentation of source of wealth and source of funds, often supplemented by open-source research and senior management sign-off, which can take several days.

KYCKYBAMLcomplianceregtechfinancial crime

The CloudFintech Briefing

Independent fintech analysis — AI in banking, payments, crypto, and regulation. No spam, unsubscribe any time.

By subscribing you agree to our Privacy Policy.