Our Take
KYC failed not because regulation got tighter, but because banks kept adding process layers instead of redesigning for real-time risk—and now they're losing both customers and enforcement actions.
Why it matters
Monzo paid £21m to the FCA in 2025 for onboarding high-risk customers without adequate checks, while fintechs reset customer expectations around speed. Banks face a genuine squeeze: slow onboarding hemorrhages revenue, but weak controls invite heavy fines.
Do this week
Compliance teams: audit whether your KYC workflow is event-triggered or calendar-driven; if it's the latter, map the data sources you already own but aren't surfacing during ongoing monitoring so you can reduce re-verification cycles by month-end.
Banks designed KYC for a slower world—and it's now unraveling
For decades, KYC operated on a simple assumption: risk changes slowly. Institutions verified identity, assessed risk, and reviewed periodically. That model worked when customers took days to onboard and transactions settled in weeks. Today's financial system operates in minutes and in real time.
Customers onboard digitally, move money instantly, and shift their risk profile long before the next scheduled review. Yet most banks still rely on point-in-time assessments that offer only a snapshot. The result is a widening gap between how fast the financial system actually moves and how often banks refresh their understanding of customer risk.
The operational cost is severe. Most institutions rely on disconnected tools, spreadsheets, and manual data entry. Teams spend more time chasing information than analyzing risk. When the same customer onboards across multiple divisions or products, different teams re-verify the same information in separate systems. Scott Nice, Chief Risk Officer at Label, argues that KYC has become "less about understanding the customer and more about evidencing that a process has been followed."
Michael Thirer, CLO at Muinmos, frames the fragmentation plainly: "If car manufacturers built cars the way banks perform KYC, cars would cost 10 times as much, drive 10 times slower, and require 10 people to operate them." One team handles sanctions screening, another ID verification, a third risk profiling. Even when a single team owns all processes, they operate in separate systems with manual file transfers between each decision point.
Compliance workload grows exponentially as customer bases expand, new data sources emerge, and regulations like AMLA add data requirements. No compliance program can hire exponentially to match.
Slow onboarding is now a revenue and enforcement risk
Onboarding has become a competitive weakness for incumbents. Fintechs and digital-native platforms have reset expectations around speed and simplicity. Lengthy verification processes, repeated document requests, and unclear status updates create friction exactly when customer acquisition matters most. Kevin McGuinness, Head of Strategy at Napier AI, calls it "a direct revenue and retention risk."
The regulatory downside is equally sharp. Monzo paid £21m to the FCA in 2025 for repeatedly onboarding high-risk customers without adequate KYC checks. The enforcement message is clear: weak controls at entry invite heavy penalties. Financial institutions cannot trade compliance for speed without consequence.
The pressure is forcing a shift in perspective. Regulators have moved toward outcome-focused requirements. They test your processes, your compliance tools, and your outcomes. This creates an opening: institutions that redesign KYC as a continuous, automated, event-driven process—rather than a periodic manual checkpoint—can meet both compliance thresholds and customer expectations simultaneously.
Taavi Tamkivi, CEO at Salv, describes the alternative as "perpetual KYC": updating customer knowledge on a daily or weekly basis rather than in calendar-driven cycles. Digital-first providers are already moving this direction, collecting only what's needed upfront and expanding understanding as the relationship develops. That iterative approach forces continuous monitoring whether or not institutions formally adopt it.
Redesign for continuous monitoring, not faster reviews
The fix is not to speed up periodic reviews. It is to replace periodic reviews with risk-sensitive, data-led, event-driven workflows. This requires treating KYC as an orchestrated system rather than a collection of separate tools and manual handoffs.
Humans design policy and define guardrails. Automated agents gather data and analyze it continuously. Teams then review ready files only when risk signals warrant review, and decide. This shifts the burden from manual data chasing to systematic policy enforcement and exception handling.
Tom Devlin, Managing Director at KYC360, notes that the key is combining compliance assurance with operational efficiency. When risk ratings drift out of date, audit trails remain incomplete, and assessments become inconsistent, both compliance and customer experience suffer. A single source of truth, continuously updated against event triggers rather than calendar dates, solves both.
The competitive advantage will go to institutions that move fastest from fragmented, stitched-together processes to unified, data-driven ones. The alternative is losing customers to faster competitors while facing regulatory enforcement for the outdated controls that created the friction in the first place.