For decades, KYC has been a cornerstone of financial crime compliance. Verify a customer’s identity, assess their risk and review them periodically. It is a model built around a simple assumption: that risk changes slowly.
Today’s financial system tells a different story. Customers can onboard in minutes, move money instantly and change their risk profile long before the next scheduled review. Yet many institutions still rely on point-in-time assessments that offer only a snapshot of risk in an environment defined by constant change.
As financial crime grows more sophisticated and regulators demand greater agility, the limitations of traditional KYC are becoming harder to ignore. The challenge is no longer identifying who a customer is at onboarding, but understanding how their risk evolves over time.
In the first article of this four-part series, we examine why traditional KYC is reaching its limits and why continuous KYC is emerging as the industry’s next evolution.
Why has KYC become so operationally inefficient?
A key question in this wider debate surrounds why KYC has become so operationally inefficient.
In the view of Tom Devlin, Managing Director at KYC360, banks rely on disconnected tools, spreadsheets and the manual rekeying of data. “This is inefficient and means teams spend more time chasing information than focusing on risk decisions. Reviews are typically mandated on a periodic basis rather than triggered by events that would keep risk live,” he said.
The challenge from the perspective of Devlin is magnified when onboarding complex structures, or when the same client needs to be onboarded multiple times by different parties. “Without a single source of truth, risk ratings drift out of date, audit trails remain incomplete, and assessments become inconsistent,” remarked Devlin.
Meanwhile, Michael Thirer, CLO at Muinmos, uses an example from another sector to underline the disconnect.
“If car manufacturers built cars the way banks perform KYC, cars would cost 10 times as much, drive 10 times slower, and require 10 people to operate them. The reason cars are affordable, fast and easy to drive is because they are built as one, purposeful unit.
KYC in banks and in other financial institutions, on the other hand, is a fragmented, stitched-together collection of differing data and processes, he said.
One team handles sanction screening, another ID verification and third on risk profile. Alternatively, if it’s the same team that handles all relevant processes, these are handled in different systems, with files that need to be moved manually from one environment to the other, with multiple decision points and journey stops.
Thirer continued, “And even teams that use automated tools, they usually don’t use an automated layer connecting those tools. Until a certain point, this fully or semi-manual, fragmented structure works.”
However, the Muinmos CLO explains, then the customer base grows. More data sources are constantly made available, more data-points are constantly added in each data source and more regulations come into force like AMLA’s new data requirements. “The result is an exponential growth in compliance workload, and no compliance program can hire exponentially,” he said.
The solution for Thirer is looking at compliance completely differently, like a car. “Humans design it. Humans control it. But the car is the one that moves, all of its components together. The same approach needs to be applied to KYC: the team configures it. Sets policies. Defines guardrails. Orchestrated, connected specialised agents gather the data and analyse it. The team reviews the ready file (if necessary), and decide. The team also tests, and supervises to make sure the outcomes are correct.”
This, he adds, is anyhow the direction that regulation has turned to in the last several years – a more outcome-focused regulation.
He expressed, “Regulators now will test you on your processes; your compliance tools; and your outcomes. So you need to set the correct processes, choose the right compliance tools, and make sure your outcomes are as expected. In the process, you will also have solved your operational inefficiencies.”
KYC has become increasingly inefficient because it was built for a financial system that moved far more slowly than today’s. As digital onboarding volumes have grown and customer journeys have become more complex, many institutions remain reliant on fragmented data sources, manual reviews and periodic risk assessments.
According to Kevin McGuinness, Head of Strategy at Napier AI, the problem is that many firms are still operating processes that were designed for a largely analogue era.
“Financial institutions are effectively re-verifying the same customer information across multiple channels and products, often without leveraging prior intelligence,” he says.
The result is significant duplication of effort, rising compliance costs and slower decision-making at a time when speed and accuracy are becoming increasingly important. Rather than focusing resources on identifying emerging risks, compliance teams often find themselves maintaining records and repeating checks that have already been performed elsewhere in the organisation.
The challenge extends beyond onboarding. As McGuinness notes, legacy approaches can also hinder financial crime compliance across the wider customer lifecycle, where “real-time screening across payments and client behaviours is essential to meeting modern regulatory expectations.”
For many institutions, KYC has become inefficient not because of regulation itself, but because of how compliance programmes have evolved around it. As customer types, product offerings and regulatory obligations have grown more complex, firms have often responded by adding new processes rather than redesigning existing ones.
According to Scott Nice, CRO at Label, the result is a fragmented operating model where onboarding, AML, sanctions, tax documentation and ongoing monitoring frequently sit in separate workflows, supported by separate teams and data repositories.
“A lot of effort is spent gathering information the institution may already hold, rather than assessing whether that information is complete, reliable, current and relevant to the risk being managed,” he says.
This duplication creates inefficiencies for both institutions and customers, leading to repeated information requests, disconnected decision-making and growing operational costs. More fundamentally, Nice argues that the industry has lost sight of KYC’s original purpose.
Nice said, “KYC has become less about understanding the customer and more about evidencing that a process has been followed.”
As regulatory expectations continue to evolve, firms are increasingly looking beyond periodic reviews and document-driven workflows. The future, says Nice, will be “more data-led, event driven and risk-sensitive”, with institutions making better use of verified information across multiple compliance obligations rather than repeatedly collecting the same data.
For Taavi Tamkivi, CEO at Salv, the inefficiency of traditional KYC stems from a model that has remained largely unchanged despite dramatic advances in technology and data availability.
In many institutions, customer due diligence still follows a familiar pattern: onboard a customer, conduct a full review, assign a risk rating and revisit the relationship at fixed intervals. But Tamkivi argues that this calendar-driven approach no longer reflects how risk actually evolves.
“We have had the computing power and the data to do better for years,” he says. “What we actually need is perpetual KYC: updating your knowledge about a customer continuously, on a daily or weekly basis, rather than in these discrete, calendar-driven cycles.”
The shift is being driven not only by compliance demands, but also by changing customer expectations. As digital-first providers reshape the onboarding experience, many firms are moving away from collecting vast amounts of information upfront and instead adopting a more iterative approach to customer due diligence.
Tamkivi points to fintechs that gather only the information needed to provide an initial service, expanding their understanding of the customer as the relationship develops. “If you’re collecting less at the start, you have to be gathering more throughout the lifecycle,” he says. “That forces you toward perpetual KYC whether you want to go there or not.”
In his view, the future of KYC is not about conducting reviews more efficiently. It is about replacing periodic reviews altogether with a model built around continuous customer understanding.
Onboarding: A competitive weakness for banks?
On the question whether onboarding is now a competitive weakness for banks, Devlin is succinct: banks can lose customers to friction at onboarding – however, compliance cannot be an afterthought, with heavy fines and enforcement for lax onboarding.
He gave the example, “Monzo’s £21m FCA fine in 2025 for repeatedly onboarding high-risk customers without adequate KYC shows how quickly weak controls become a regulatory problem. The key is to combine compliance assurance with operational efficiency, which is where commercial outperformance comes from.”
Thirer is clear in his view that it is a competitive weakness. He said, “ A couple of weeks ago an amusing story was published in the media about a phone call the former Cardinal Robert F. Prevost – now Pope Leo – had with his bank, to give his new phone number and information.
“According to the story, he had to go through a series of security questions only to find out from the bank’s clerk that the bank would not make the change unless he were to come to the bank in person. The amusing part of the story is that the Pope explained it’s a bit difficult for him to come to the bank because he’s, well, the Pope – after which the clerk hung up on him.”
The point of the story from Thirer was that the banks’ long slow, rigid processes keep clients away. Many of their onboarding and KYC processes were created for another era, one in which clients were expected to visit branches in person, bring paper documents and wait days or weeks for approvals.
He went on, “Today, customers compare their banking experience not only to other banks, but to the seamless digital experiences they receive from online-native institutions like FinTechs and Neo-Banks – and traditional banks often the customer experience battle.”
The further point behind this was a telling one for banks, with Thirer stressing that if banks don’t change their ways in this respect, they will keep losing clients to more digital-native platforms.
McGuiness is another who sees onboarding a competitive weakness for banks, labelling it as a frontline differentiator, with many incumbents underperforming.
He explained, “Lengthy verification processes, repeated document requests, and unclear status updates create friction at the worst possible moment in the customer journey. FinTech’s and digital-native players have reset expectations around speed and simplicity, meaning that slow onboarding is no longer just an operational issue—it’s a direct revenue and retention risk.”
From the viewpoint of the Napier AI strategy ahead, the trade-off for speed cannot be increased risk exposure, as there have been high-profile regulatory repercussions for financial crime compliance failures amongst FinTechs, especially as they seek banking licenses.
“Operating with direct access to banking and payment systems means meeting the high-thresholds for both digital-first and secure customer experiences, it is not acceptable for new entrants to introduce new risk into the ecosystem,” said McGuinness.
Tim Khamzin, CEO and founder of Vivox AI, stressed that the challenge is that customer expectations have evolved faster than onboarding processes. While customer-facing experiences have become increasingly digital, many compliance workflows remain fragmented and heavily manual.
He said, “Historically, banks could afford lengthy onboarding processes because customers had few alternatives. Today, businesses can choose from banks, fintechs and payment providers, and they all compete on speed and customer experience. “
As a result of this, onboarding is no longer just a compliance function – it directly affects customer acquisition, satisfaction and conversion.
“Delays, repeated information requests and lengthy reviews can create friction at the very start of the relationship. In an increasingly competitive market, slow onboarding is no longer simply an operational issue, it can become a commercial disadvantage,” he said.
For many banks, onboarding, Khamzin stresses, has become a competitive weakness because customer expectations now move way faster than traditional compliance processes.
He commented, “Businesses expect to open accounts and begin transacting quickly, but onboarding can still take days or weeks due to fragmented systems and manual reviews. The issue is no longer compliance itself, but the operational inefficiency surrounding it. Institutions that reduce onboarding friction without compromising risk controls will have a clear competitive advantage. Institutions that fail to modernise onboarding risk losing customers before the relationship has even begun.”
Another who sees onboarding as a competitive weakness for banks is Tamkivi. He explained, “Yes, and its not about compliance shortcuts. The gap is the experience. There are literally machines in airports that will print you a Revolut card in a minute. Then you go to your traditional bank and you’re asked to fill in paper forms. That contrast is the pressure banks are under, and it’s only increasing.”
Nice also agrees with the suggestion. “Onboarding is often the first real operational experience a client has with a financial institution, and too often it is slow, repetitive and opaque. That creates a poor first impression, particularly for sophisticated clients who expect a digital, responsive and proportionate process.”
For banks, this is no longer just a compliance issue – its now also commercial. The Label CRO remarked that if onboarding takes weeks, requires multiple document requests and lacks transparency, clients will compare that experience against fintechs, digital banks and private market platforms that are investing heavily in smoother onboarding journeys.
He added, “The challenge is that banks are trying to balance client experience with regulatory assurance, and that balance is difficult when the underlying operating model is fragmented. A better onboarding experience does not mean weakening controls. It means using data more intelligently, removing duplication and making the process more targeted.”
He finished by stating that the banks that solve this will not treat onboarding as an administrative gateway, but as a strategic client, risk and data process.
Is static, document-based KYC becoming obsolete?
This all ties back to one key tipping-point question: Is static, document-based KYC – the KYC we all know – becoming a dinosaur?
Devlin believes so and puts this considerably down to evolving regulatory requirements and the need for speed.
He said, “Static document-based KYC is manual and periodic by design. Risk evolves continuously, so firms need to spot triggers as they happen rather than at yearly intervals. Legacy records get out of date quickly, which then leads to expensive one-off remediation projects. Sanctions shift, ownership changes, IDs expire, and all of this needs to be captured quickly.”
Similarly, Thirer stresses that traditional KYC was built for a world where information was difficult to access and verify and mostly stored on paper. This world, Thirer makes clear, no longer exists.
He remarked, “Today, databases hold information about almost everything and everyone: company ownership, sanctions exposure, adverse media, political exposure, and much more. Yet many institutions still build KYC processes around manually collecting PDFs from customers – documents that are often outdated the moment they are uploaded. The real value today is no longer in collecting documents. It is in connecting and analysing live data.”
Because of this, KYC is shifting towards continuous monitoring instead of periodic refreshes, event-drive reviews instead of manual remediation exercises, live data integrations instead of static files and real-time risk intelligence instead of document storage.
Thirer concluded, “Documents will still exist. But increasingly, they will become supporting evidence – not the foundation of KYC.
While static, document-based KYC remains an important part of customer onboarding, its limitations are becoming increasingly apparent in a financial system where risk can change rapidly.
According to McGuinness, the core problem is that traditional KYC provides only a snapshot of a customer’s risk profile at a single moment in time, while financial crime risk is constantly evolving.
“Risk profiles are dynamic, but traditional KYC relies on point-in-time document verification that quickly becomes outdated,” he says.
The industry has spent years discussing concepts such as perpetual KYC, but McGuinness argues that the bigger challenge lies in connecting identity verification at onboarding with a customer’s changing behaviour throughout the relationship. Rather than viewing KYC as a standalone process, he advocates for what Napier AI describes as perpetual client risk assessment (pCRA): a model that continuously evaluates customer risk across the entire lifecycle.
Under this approach, information from KYC, sanctions screening, transaction monitoring, fraud systems and other risk controls is brought together to create a more complete and current view of the customer. As new data emerges, risk assessments are updated automatically rather than waiting for the next scheduled review.
“When customer data is monitored and refreshed in real time, banks can achieve more accurate risk assessment across the lifecycle rather than just at onboarding,” McGuinness says.
Static, document-based KYC is unlikely to disappear anytime soon, but its role is changing. Documents remain an important source of information for verifying identity, ownership structures, tax status and authority to act. The challenge is that, on their own, they provide only a snapshot of a customer at a particular moment in time.
According to Scott Nice, CRO at Label, firms are increasingly recognising that a point-in-time view is no longer enough to manage evolving risk.
“The real shift is from collecting documents to maintaining a reliable, dynamic understanding of the customer,” he says.
That shift requires organisations to look beyond documentation and incorporate a broader range of signals, including transactional behaviour, ownership changes, sanctions exposure, tax classifications and other risk indicators. Rather than relying on periodic reviews, institutions are moving towards a more continuous view of customer risk that can adapt as circumstances change.
This is particularly relevant in areas such as FATCA and CRS, where documentation remains essential but must be supported by ongoing monitoring and validation. Firms need to identify changes in customer circumstances, assess whether classifications remain appropriate and ensure reporting obligations continue to be met over time.
As Nice puts it, “the future is not ‘no documents’. It is fewer unnecessary documents, better data extraction, stronger validation and more event-driven refresh.”
In other words, documents are not disappearing. They are becoming part of a broader, data-driven approach in which static files are gradually being replaced by living customer profiles.
On the topic of the role data sharing plays in pKYC, Tamkivi said, “This is actually where we are at the frontier of what’s possible. One of the things we do at Salv is bring in data points from other banks to feed into a customer’s ongoing KYC profile.
“So if a customer has been offboarded from one institution — flagged as suspicious, or confirmed as a bad actor — other banks can continuously check against that shared list as part of their perpetual KYC process. The list of providers doing this cross-institutionally is still very small.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
