Financial regulation has always been shaped by the boundaries it seeks to defend. Once, those boundaries were physical—bank branches, vaults, national borders. Then they became digital, defined by networks, firewalls, and systems.
Today, those perimeters are dissolving. In their place, a new focal point is emerging: identity. As financial services fragment across platforms, jurisdictions and technologies, the question is no longer just where risk resides, but who carries it. Increasingly, regulation is following that shift—reorienting itself around identity as the most persistent, portable, and contested layer in the system.
Where regulatory responsibility anchors
As financial products detach from traditional institutions and embed themselves across platforms, the question of accountability becomes harder to pin down. Regulatory responsibility, once clearly anchored to firms, is now diffusing across a more complex ecosystem—forcing a rethink of where it ultimately resides.
For Scott Nice, CRO of Label, regardless of how financial products evolve or how many intermediaries are involved, regulatory responsibility ultimately continues to sit with the regulated entity. Firms, he claims, cannot outsource accountability, even if they rely on third-party platforms, embedded finance models, or external infrastructure.
He said, “What is changing, however, is the complexity of the ecosystem. As services are distributed across multiple parties, the challenge for firms is ensuring that they still have sufficient visibility and control over the end-to-end process.”
Nice stressed that identity becomes more important in this context. However, it does not replace accountability. “It becomes a key component of how firms demonstrate control, particularly in environments where traditional boundaries are less clear,” he exclaimed.
Ryan Swann, founder at RiskSmart, meanwhile, believes that the traditional boundaries of regulation are blurring.
He stated, “As ecosystems expand, responsibility is becoming less about where an activity happens, and more about who is involved. Identity is emerging as a more stable anchor point in an increasingly decentralised landscape.”
Strong identity frameworks
As identity frameworks become more robust and data-rich, a fundamental question is starting to surface: can better upfront certainty reduce the need for heavy downstream controls? The answer has significant implications for how financial crime prevention is structured.
In the view of Swann, stronger identity frameworks can shift the balance from detection to prevention.” “If firms have high confidence in who they’re dealing with, the reliance on retrospective monitoring can reduce—but not disappear. It’s about rebalancing controls, not replacing them entirely,” he said.
Similarly, Nice remarked that strong identity frameworks can reduce certain types of downstream risk by increasing confidence at the point of onboarding or interaction.
He said, “If a firm has a high degree of certainty around who a customer is, and that identity is continuously validated, then some risks can be mitigated earlier in the lifecycle.”
Despite this, Nice believes identity alone is not sufficient. He made clear that behaviour still matters, and risk can emerge over time regardless of how robust the initial identity verification was. As a result, transaction monitoring and ongoing surveillance remain necessary.
He finished, “In practice, strong identity frameworks should complement, rather than replace, downstream controls, enabling those controls to be more targeted and efficient.”
Identity-led model shift
Regulatory frameworks are not being rewritten overnight—but their centre of gravity may be shifting. As identity becomes more central to risk, supervision is beginning to reflect a quieter transition toward more identity-led models.
In the opinion of Nice, there are indications that regulators are placing increasing emphasis on identity, particularly through initiatives around digital identity, beneficial ownership transparency, and cross-border information sharing. The direction of travel suggests a desire for more reliable, reusable identity data that can be trusted across institutions and jurisdictions.
He remarked, “However, this is not a wholesale shift to identity led supervision. Rather, it is an evolution toward combining strong identity foundations with ongoing monitoring and control.”
For firms, Nice believes this means investing not just in onboarding processes, but in maintaining accurate, up-to-date identity over time, and ensuring that this data can be effectively integrated into broader compliance frameworks.
Swann implies a similar sentiment on this matter, stating that there are strong signals pointing in this direction.
He remarked, “Digital identity, KYC evolution, and cross-border data sharing initiatives all suggest a move toward identity-led supervision. The challenge for firms is building identity frameworks that are both robust and scalable.”
Cornerstone of compliance
Identity verification has long been a cornerstone of compliance, but as RelyComply suggests, it is increasingly becoming one of its most contested pressure points. With identity-based crime rising in both scale and sophistication, the firm points to growing regulatory scrutiny on how institutions design and execute their KYC frameworks, particularly at the point of onboarding.
According to RelyComply, the threat landscape has evolved rapidly. Stolen and synthetic identities, often traded across dark web forums, enable bad actors to exploit legitimate credentials or bypass internal safeguards entirely. At the same time, advances in generative AI and deepfake technology are beginning to test the limits of even well-established verification tools, exposing financial institutions to heightened fraud risks while operating under strict data protection obligations.
RelyComply emphasised that identity protection is no longer a one-sided challenge. It requires both stronger public awareness around safeguarding personal data and more advanced, real-time detection capabilities within institutional KYC systems. As identity verification (IDV) forms the gateway to accessing financial services—whether through banks, payment platforms or e-wallets—the firm notes that regulators are increasingly focused on ensuring risks are addressed at this earliest stage.
This shift is also being reinforced at the regulatory level. RelyComply highlights frameworks such as the EU’s Payment Services Directive 3 (PSD3), which not only targets payment fraud reduction but also advances data-sharing through Open Banking. While this reduces the need for consumers to repeatedly share sensitive credentials, it places greater responsibility on all participating institutions to demonstrate the strength of their KYC and AML controls.
The acceleration of real-time payment systems adds further urgency. As RelyComply points out, in an environment where transactions are executed in seconds, the ability to verify identity instantly becomes critical. Access to financial services is increasingly contingent on the legitimacy of an identity against trusted data sources, pushing firms toward immediate, continuous verification models rather than periodic, batch-based checks.
As a result, RelyComply observes that the concept of perpetual KYC is gaining traction. Identity is no longer verified once at onboarding, but continuously reassessed, with risk profiles dynamically updated as new data emerges. This, the firm argues, demands greater automation, consistency, and connectivity across external data sources.
Biometric verification, in particular, is emerging as a key component of this evolving model. RelyComply notes that when securely deployed and shared across trusted networks, biometrics can enable stronger authentication while supporting seamless fund flows between institutions. Within a more interconnected anti-financial crime ecosystem, these capabilities offer a path toward reducing fraud risk without undermining the frictionless digital experiences customers increasingly expect.
In this context, RelyComply’s position is clear, in that identity is no longer just a compliance requirement—it is becoming a central control layer. As threats intensify and systems accelerate, the ability to establish, verify and continuously trust identity may prove decisive in maintaining both security and regulatory alignment.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
