KYC360 (a part of Experian) has established itself as a specialist RegTech provider focused on helping regulated businesses transform compliance from a regulatory obligation into a competitive advantage. Its end-to-end platform brings together client onboarding, AML screening, and customer lifecycle management (CLM).
Rather than treating compliance as the destination, KYC360 managing director Tom Devlin sees it as the foundation for better business performance.
“Our core purpose is to enable our customers to comply and outperform,” says Devlin, arguing that regulation alone is no longer enough to justify investment in technology. He recognises that the pursuit of compliance in and of itself is a limited market – what most organisations are interested in ultimately is the commercial output of using compelling solutions, and KYC360 built its platform to do both.
By automating manual processes and embedding structured risk models into onboarding workflows, KYC360 enables banks to process clients more quickly, lower operational costs and apply a more nuanced, risk-based approach to decision-making.
That philosophy has shaped the company’s approach. KYC360’s platform is designed not only to strengthen AML and KYC processes, but to make client onboarding faster, cheaper and easier.
As regulatory expectations have intensified, Devlin believes that advantage has become more pronounced. Rather than layering additional compliance onto existing processes, firms need technology that embeds the risk-based approach into the heart of their operating model. In his view, that is where RegTech delivers its greatest value not simply by helping organisations meet their obligations, but by turning compliance into a source of competitive strength.
The Experian acquisition
For Devlin, the acquisition of KYC360 by Experian represents an opportunity to combine advanced financial crime technology with one of the deepest data ecosystems in financial services.
“The logic behind the acquisition was twofold,” he explains. “First, it strengthened Experian’s financial crime capability by bringing our customer base and solution set alongside. Second, it gives us the opportunity to integrate Experian’s data into our platform to create something that isn’t really available elsewhere in the UK market.”
That combination is expected to shape KYC360’s next phase of growth. While the company had already developed technology capable of supporting complex, enterprise-scale onboarding programmes, Devlin acknowledges that some of the market still viewed it as an ambitious scale-up rather than a proven Tier 1 provider.
“That objection has been removed,” he says. Beyond strengthening market confidence, the acquisition also significantly expands KYC360’s reach. With Experian already embedded across much of the UK’s financial services sector, the company can showcase its onboarding, screening and client lifecycle capabilities through relationships that are already well established.
For customers, the longer-term opportunity lies in bringing richer data and more sophisticated analytics directly into compliance workflows.
Why perpetual KYC has been slow to arrive
The promise of CLM and perpetual KYC has been discussed across the industry for years. Yet many firms still rely on fixed review cycles, spreadsheets and manual intervention. Devlin believes the reasons are as much about confidence and data as they are about technology.
“Some businesses lack the confidence to do it,” he says, pointing to uncertainty over how supervisors such as the FCA will view a move away from fixed review cycles. In reality, he argues, regulators are increasingly receptive to event-driven approaches—provided firms can demonstrate that they are properly designed and governed. “In my experience, that’s something the FCA and others are very open to, and indeed encourage from an effectiveness perspective.”
The bigger obstacle, however, has been data. “It’s all very well having a tech platform that can trigger an event-driven review when your passport expires,” Devlin says. “That’s really only one of the things that you might need to manage within the lifecycle of the client.”
To replace periodic reviews with continuous monitoring, firms need far richer intelligence. The challenge is creating a system that can identify genuinely meaningful changes to a customer’s risk profile while avoiding unnecessary intervention.
“We’ve got a system which is going to tell us when anything meaningful happens with a client,” he explains. “Because we’re confident that we’ve calibrated it correctly, we can respond when there is something we genuinely need to deal with. Equally, we can have the confidence to say that in the nine out of ten cases where we didn’t carry out a review, there simply wasn’t an actionable event that required one.”
That, Devlin argues, is where the combination of KYC360’s workflow technology and Experian’s data assets changes the equation. Continuous monitoring extends well beyond document expiry, incorporating changes to addresses, occupations and proof-of-life indicators for individuals, alongside director changes, beneficial ownership, registered addresses and broader business activity for corporate clients.
“When you layer those two things together – the data that has the insights you need with the solution that’s able to visualise and act upon those insights – you’ve got a really powerful proposition,” he says.
The response from the market, he adds, suggests firms are beginning to see Perpetual KYC as an achievable operating model rather than an aspiration. “We’ve been trying to crack this for years,” is the feedback KYC360 increasingly hears from prospective customers. “This is the first time we’ve seen a joined-up proposition that puts together those two elements of data and tech in a single package.”
Why manual processes persist
For Devlin, firms that continue to rely on manual compliance processes are rarely being held back by technology alone.
“I’m always of the view that what looks from the outside like technological change is really about people, process and technology,” he says. “Often, of those three aspects, the tech is, in some ways, the least important.”
The harder challenge is convincing people that there is a better way of working. New platforms only deliver value if the teams using them trust the output and understand how automation allows them to focus on higher-value work rather than repetitive administration.
“If you don’t succeed in doing that,” Devlin says, “you can have wonderful technology, but it won’t be adopted.”
Data quality remains another persistent barrier. Many organisations recognise the potential of automation but hesitate because they lack confidence in the information sitting inside their own systems.
“We very often hear from prospective clients, ‘We’d love to do this, but actually our own data is in such a mess that we just don’t feel comfortable about any kind of automated approach.'”
While that challenge has slowed adoption, Devlin believes it is becoming increasingly solvable as organisations improve their data foundations and gain access to more sophisticated tools.
He also sees artificial intelligence accelerating the next phase of transformation. Simply monitoring every change across a customer base is unlikely to improve efficiency if every alert generates another case for analysts to investigate. The real opportunity, he argues, is using AI to determine which events genuinely matter.
“AI offers a really interesting capability in assessing the salience of changes that have occurred,” he says. By learning from previous human decisions, AI can identify which events warrant investigation and which can safely be ignored, helping firms reduce unnecessary reviews without increasing risk.
The same principle applies once a review is triggered. Risk assessments, KYC checks and supporting evidence can be assembled before an analyst even opens the case, with routine deficiencies resolved automatically through trusted data sources or client outreach where appropriate.
“When you dramatically reduce the scope of the work that’s required,” Devlin says, “ultimately your cost per case is reduced.”
For Devlin, that is where the industry is heading: not towards replacing compliance professionals, but equipping them with better information so they spend their time on judgement rather than administration.
The shift to an event-driven model
KYC360 has been vocal about the shift from calendar-based periodic reviews to event-driven monitoring. Devlin believes parts of the market are already moving, but many firms remain attached to the familiarity of fixed review cycles.
“There are certainly some places that are doing it, and doing it well,” he says, pointing to a major UK bank that has largely replaced scheduled reviews with an event-driven approach powered by continuous data and analytics.
For much of the industry, however, the obstacle is less technological than psychological.
“I think there is an element of psychological safety in the process that’s known and understood,” Devlin says. The familiar one-, three- or five-year review cycle may be widely criticised, but it remains the default approach across much of the industry, making it feel like the lower-risk option.
He argues that the opposite is often true. “If you try and review every relationship once every five years, and you’re operating at any kind of scale, you’re probably not going to have the resource to do that review justice,” he says. “The perceived safer option can often, in fact, be less safe than the more responsive, dynamic approach.”
Rather than spending time reviewing customers whose risk profile has barely changed, an event-driven model allows compliance teams to focus their attention where it is genuinely needed. Fewer cases require investigation, and those that do can arrive with much of the supporting analysis already prepared, allowing analysts to concentrate on judgement rather than administration.
Devlin believes regulators are increasingly aligned with that direction of travel. Supervisory bodies themselves, he notes, face growing pressure from organisations such as MONEYVAL and the FATF to demonstrate that anti-money laundering frameworks deliver measurable effectiveness rather than simply procedural compliance.
“The one-, three- or five-year schema is an archetype of process over effectiveness,” he says. A genuinely risk-based approach, by contrast, recognises that some customers may not require a formal review for a decade or more because their risk profile has remained stable and firms have confidence in the quality of their ongoing monitoring.
“That is, in fact, a safer decision than saying we’re going to look at her every three years just for form’s sake,” he says. “Otherwise you’re diverting resource from more pressing cases that you could be considering.”
For Devlin, the industry’s direction is becoming increasingly clear to him. The question is no longer whether continuous, event-driven monitoring is possible, but how quickly firms are prepared to move beyond the comfort of familiar processes and embrace a model built around demonstrable risk.
Where KYC360 sees its differentiation
In a crowded RegTech market, Devlin believes KYC360’s clearest differentiator begins before the technology itself.
“We’re regulatory lawyers,” he says. “Before we established KYC360, we spent several years investigating banks, trust companies, stock exchanges, accountancy practices, you name it, on behalf of financial regulators.”
Those investigations exposed a striking pattern for Devlin. Regardless of the size of the institution or the sector it operated in, many enforcement cases stemmed from the same handful of avoidable mistakes. That experience became the foundation for KYC360’s platform, with the aim of helping firms address the underlying causes of compliance failure rather than simply digitising existing processes.
But the investigations also left a more personal impression in the view of Devlin. “What we saw was the human cost on compliance professionals,” he says. “It is not something you would wish on your worst enemy. Short of a personal tragedy, it’s probably one of the most stressful experiences that somebody could have in their life.”
For some professionals, if such a situation goes badly, it can mean the end of their working life in financial services, which short of a criminal conviction, is one of the worst things that can happen from an employment viewpoint.
For individuals caught up in a regulatory investigation, the consequences can be career-defining. That, he argues, has shaped the philosophy behind KYC360’s products just as much as its legal expertise.
“We’ve never lost sight of that in the design of our solutions,” he says. “We’ve always sought to solve the common challenges, but also to have empathy and understanding for the position the compliance professional finds themselves in, trying to manage what is almost an infinite challenge with finite resources.”
That thinking explains the platform’s strong emphasis on governance, auditability and accountability. Rather than simply helping firms complete compliance tasks, KYC360 is designed to help organisations demonstrate the quality of the decisions they have made if regulators come calling. “We want users to get credit for the positive actions they have taken,” Devlin says.
The second area of differentiation, he argues, is the integration of Experian’s identity and commercial data directly into KYC360’s analytical workflows. Instead of sourcing data and compliance technology from separate providers, firms can access both through a single platform, reducing integration complexity while giving analysts richer information to support risk decisions.
Devlin said, “Businesses can access both data and the analytical layer on top, which otherwise they might have had to obtain from two quite separate vendors without the guarantee that they would work nicely together. Having this integrated proposition is a quantum leap for businesses that previously struggled with manual processes, and having the analytical layer with the subject matter expertise within it gives confidence for compliance professionals and is the cherry on the top.”
Where AI adds value in compliance
AI continues to dominate compliance conversations, but Devlin believes the market is becoming more realistic about where it can genuinely add value.
“We’re probably at, or just past, the peak of the hype cycle,” said Devlin. “People have been talking about AI at compliance conferences for as long as I’ve been going to them, which is at least 15 years now. AI, in one form or another, is always riding over the horizon to save the day.”
That long history has inevitably bred a degree of scepticism. Compliance teams operate in an environment where explainability, governance and accountability are non-negotiable, making them understandably cautious about handing critical decisions to opaque models.
Even so, Devlin sees significant opportunities where AI complements, rather than replaces, existing processes. “There are some areas where it is materially assistive,” he says, highlighting tasks such as summarising lengthy documents, extracting insights from unstructured data, natural language search and analysing the operational impact of changes to risk appetite. AI also has an important role to play in prioritising alerts, helping compliance teams distinguish genuinely significant events from routine background noise.
Where he is more cautious is the prospect of fully autonomous compliance operations. “I don’t think you’re going to see even the most forward-looking businesses saying, ‘We’re going to automate all of our compliance operations’, they’re still going to need to be a human in the loop somewhere.”
Recent examples of AI hallucinations appearing in legal proceedings only reinforce that view. Until regulators establish a clearer legal framework for autonomous decision-making, Devlin expects firms to remain wary of removing human oversight from high-stakes compliance activities.
He also believes many compliance professionals have become more discerning consumers of AI. “They’ve already been sold the dream sometimes two or three times,” he says. This is leading organisations as a result to become less interested in headline-grabbing demonstrations and more focused on outcomes that are measurable and realistic governance as well as whether a use case delivers genuine value.
Devlin detailed that there is more scepticism than you may see in public from some firms. He remarked, “I think there was a recognition that there are some things it’s good at, some things that it’s less suited for, and also an emerging appreciation of the potential cost of tokens.”
Compliance: a commercial enabler?
KYC360 puts forward the idea that compliance can be a commercial enabler rather than simply a cost centre.
Devlin rejects the idea that compliance and commercial performance sit at opposite ends of the spectrum. In his view, firms that embrace a genuinely risk-based, technology-enabled approach can improve both simultaneously.
The KYC360 managing director gave an example. The company previously worked with one of the world’s largest banks on a large-scale remediation programme covering hundreds of thousands of investor records. The bank’s original plan relied on a traditional, analyst-led review process that was expected to take years, consume significant resources and risk frustrating customers through repeated requests for information.
“There was no commercial upside,” Devlin says. “There was only downside in terms of the cost of the exercise and the likelihood that they might lose some of those customers by annoying them in the course of the exercise.”
Instead, KYC360 redesigned the process around a risk-based workflow. Customers were triaged according to risk, with straightforward cases resolved automatically through trusted bureau data wherever possible. Only where additional verification was genuinely required did the process progress through increasingly targeted forms of outreach, from electronic identity verification to automated document requests.
The results, Devlin says, transformed both the economics and the operational burden of the project. “We were able to complete the exercise in just under three months versus a couple of years, as had been the original expectation,” he says. The programme was delivered with fewer than 20 bank employees overseeing the process, compared with the five or six times that number originally anticipated.
The benefits extended well beyond lower costs. Rather than producing thousands of manually completed case files, the bank finished with a standardised, high-quality data set covering around half a million customers, generated largely through straight-through processing. Management information was available throughout the programme, while the final data could be loaded directly into the bank’s core systems without further manual intervention.
Devlin finished, “When we talk about comply and outperform, that’s what it looks like, because if that bank’s competitor had undertaken this exercise, it would have cost them several times as much and they would have lost several clients in the process and would have been no further forward than when they started.”
For compliance teams under pressure to reduce cost, improve customer experience and evidence stronger risk decisions, Devlin’s argument is clear: the next phase of financial crime compliance will be defined by better data, smarter workflow and the ability to act when risk genuinely changes.
KYC360 delivers award-winning onboarding, screening, and customer lifecycle solutions to financial institutions and regulated businesses. Designed by compliance professionals for compliance professionals, it empowers customers to meet evolving AML obligations through intelligent, efficient, and auditable workflows. KYC360 is a part of Experian, a global data and technology company, powering opportunities for people and businesses around the world.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst





