Know Your Customer (KYC): A UK Compliance Guide

Customer Onboarding, Identity Verification and the Risk-Based Approach in 2026

Know Your Customer (KYC) is the operational discipline of identifying and verifying the customers a regulated firm establishes business relationships with. In UK financial services, KYC sits within the broader Customer Due Diligence framework set out by the Money Laundering Regulations 2017 — KYC is the identity verification component, and CDD is the wider obligation to understand the relationship, its purpose, and the customer’s risk profile. The terminology is sometimes used interchangeably, but the practical and regulatory distinction matters: KYC is necessary but not sufficient for full CDD compliance.

This guide explains how KYC actually works in UK regulated firms — the regulatory framework, the operational customer onboarding process, the technology that has transformed the discipline since 2018, and the integration with sanctions, PEP and adverse media screening that good KYC depends on. It also covers the recruitment dimension — what financial crime onboarding teams need to look like to operate KYC effectively at scale, and where firms commonly under-invest.

What’s missing from most online explanations of KYC is the operational reality. The regulations describe what KYC must achieve; this guide describes what good KYC operational delivery looks like in modern UK regulated firms — including the technology integration, the team capability, and the ongoing maintenance discipline that distinguishes effective KYC from a one-time onboarding event.

KYC vs CDD — The Practical Distinction

The KYC/CDD relationship is best understood as nested:

  • KYC = identifying the customer and verifying their identity. Specifically: who is the customer, what evidence proves they are who they say they are, and (for corporate customers) what is the ownership and control structure
  • CDD = the broader obligation that includes KYC plus understanding the relationship’s purpose, assessing the customer’s risk profile, and ongoing monitoring throughout the relationship lifetime

Regulation 28 of MLR 2017 sets out the core CDD measures: identifying the customer (KYC); identifying the beneficial owner (KYC for corporates); understanding the purpose and intended nature of the relationship (CDD-specific); and ongoing monitoring of the relationship (CDD-specific). KYC is the first two of the four measures.

For the wider framework, see our CDD Guide and MLRO Guide.

The Three Tiers of KYC — Standard, Simplified and Enhanced

The UK risk-based approach to KYC creates three operational tiers depending on the risk profile of the customer relationship:

Tier | When applied | KYC measures
Simplified Due Diligence (SDD) | Lower-risk relationships specifically permitted under Regulation 37 | Reduced verification — typically still requiring core identity confirmation but with reduced documentation requirements
Standard CDD/KYC | The default — applies unless SDD or EDD applies | Full identity verification; beneficial ownership identification; relationship purpose understanding; standard ongoing monitoring
Enhanced Due Diligence (EDD) | Higher-risk relationships per Regulation 33 | Enhanced verification, source of funds and source of wealth, senior management approval, intensified monitoring — see our EDD Guide

The risk-based assessment that determines which tier applies is itself a regulated requirement under Regulation 18 (firm-wide risk assessment) and Regulation 28 (relationship-level risk assessment). The firm must document its risk-based methodology and apply it consistently.

The Customer Onboarding Process

For a typical retail or corporate customer onboarding in a UK regulated firm, the KYC process operates through a structured workflow:

Step 1: Pre-onboarding risk assessment

Before active onboarding, the firm conducts an initial risk assessment based on customer-provided information — proposed activity, jurisdiction, business profile (for corporate customers), and any obvious risk factors. This determines whether the customer is suitable to onboard at all (some firms decline customers above their risk appetite), and the KYC tier that will apply.

Step 2: Identity capture

Capturing core identity information from the customer:

  • For individuals: full name, date of birth, residential address, nationality, identification document references
  • For corporate customers: legal name, registered number, registered address, jurisdiction of incorporation, principal activities, ownership and control structure

Step 3: Identity verification

The firm verifies the captured information against reliable, independent sources. Common verification approaches include:

  • Documentary verification — passport, driving licence, identity card, certified copies of company registration documents
  • Electronic verification — through providers such as GBG, Onfido, Jumio, LexisNexis, Equifax, Experian, accessing data sources including credit bureaus, voter rolls, identity registers, and similar
  • Biometric verification — increasingly common for retail onboarding, using selfie verification matched against identity document photos
  • Document authentication — automated document quality and authenticity checks using AI-based systems

Step 4: Beneficial ownership identification (corporate customers)

For corporate customers, the firm must identify the ultimate beneficial owners — generally individuals who own or control 25% or more of the customer entity. This requires investigation of the ownership chain, including holding companies, trusts, and other intermediate entities.

Step 5: Sanctions, PEP and adverse media screening

The customer (and beneficial owners) are screened against:

  • Sanctions lists — UK OFSI consolidated list, EU sanctions, UN sanctions, US OFAC where applicable. See our Sanctions Screening Guide
  • PEP lists — comprehensive PEP databases identifying domestic and foreign politically exposed persons, family members and known close associates. See our PEPs Guide
  • Adverse media — news searches and adverse media databases identifying negative information about the customer or beneficial owners

Step 6: Risk-based outcome

Based on the verification and screening results, the firm reaches a risk-based outcome:

  • Standard onboarding — proceed to relationship establishment
  • Enhanced onboarding (EDD trigger) — proceed with enhanced measures
  • Senior management escalation — for PEPs or other high-risk situations requiring approval
  • Decline — where risk exceeds the firm’s appetite or where verification cannot be completed

Step 7: Documentation and ongoing record

The KYC outcome is documented and retained — typically for at least five years after the relationship ends, per Regulation 40 of MLR 2017.

The Technology Transformation Since 2018

KYC has been transformed by technology over the past several years. The shift has been from primarily paper-based, manually verified onboarding to predominantly digital, electronically verified onboarding — with substantial implications for cost, customer experience, and effectiveness.

Identity verification platforms

Specialist identity verification providers (Onfido, Jumio, GBG, Yoti, LexisNexis, ComplyAdvantage, and others) have dramatically reduced the time and cost of identity verification. Modern platforms can complete document authentication, biometric verification, and watchlist screening in under five minutes for retail customers — versus days for traditional manual onboarding.

API integration and orchestration

Firms increasingly use orchestration platforms that integrate multiple data sources via API — combining identity verification, sanctions screening, PEP screening, adverse media, and customer risk scoring into single workflows with consolidated outputs.

Continuous monitoring

The historic distinction between point-in-time onboarding KYC and ongoing monitoring is breaking down. Modern frameworks use continuous monitoring — sanctions and PEP databases are checked daily or weekly against the firm’s customer base, and customer status changes (e.g., a customer becoming a PEP through new political appointment) are detected automatically.

AI and machine learning in KYC

Increasingly, firms use AI/ML for: document authentication, risk scoring, alert prioritisation, and anomaly detection. The FCA has issued guidance on the use of AI in financial crime, focused on ensuring transparency, explainability, and ongoing testing of model effectiveness.

Implications for team structure

The technology shift has changed what financial crime onboarding teams look like. Where previously the role was predominantly manual document review and verification, the modern role is more about exception handling, complex case investigation, and oversight of automated processes. Team composition has shifted toward fewer high-volume processors and more senior specialists.

KYC Refresh and Ongoing Maintenance

KYC is not a one-time onboarding event. The risk-based approach requires ongoing maintenance:

  • Periodic review — typically annual for higher-risk customers, every 2-5 years for standard-risk customers
  • Trigger-based review — when material customer events occur (significant transaction patterns, ownership changes, jurisdiction changes, sanctions/PEP status changes)
  • Sanctions and PEP rescreening — typically continuous or daily for the customer base
  • Adverse media monitoring — typically continuous via specialist providers

The “KYC refresh” workload is one of the most underestimated operational burdens in modern AML compliance. For an Enhanced firm with hundreds of thousands of customers, refresh is a significant ongoing operation requiring dedicated team capacity.

The KYC Backlog Trap

Firms that scale customer numbers faster than they scale KYC operational capacity frequently develop “KYC refresh backlogs” — populations of customers due for periodic review but waiting in queue. The FCA has been increasingly explicit that KYC backlogs are a regulatory concern: customers due for refresh whose data is no longer current cannot be properly risk-managed, and the firm’s ongoing CDD obligation is not being met. Firms should monitor refresh-due metrics as a leading indicator of operational health, not a lagging indicator.

Sector-Specific KYC

KYC in retail banking and consumer financial services

Retail KYC focuses on volume, speed and customer experience. The challenge is balancing AML effectiveness with onboarding friction. Modern retail KYC is overwhelmingly digital, with biometric verification, document authentication, and real-time screening producing onboarding decisions in minutes.

KYC in wealth management

Wealth management KYC focuses on depth — understanding complex ownership structures, source of wealth, multi-jurisdiction profiles, and family wealth dynamics. The customer volume is typically much lower than retail but each KYC case requires substantially more work. EDD applies frequently. See our EDD Guide.

KYC in corporate banking

Corporate banking KYC focuses on entity verification, beneficial ownership investigation, and understanding business activity. For complex corporate customers — multi-entity groups, holding structures, fund structures — KYC can be substantial work involving company registries across multiple jurisdictions, trust documentation review, and similar.

KYC in payments and e-money firms

Payments KYC operates at high volume with rapid onboarding cycles. The combination of speed, scale and AML risk creates particular operational challenges. Strong payments KYC typically uses heavy automation with risk-based exception routing to specialist teams.

KYC in cryptoasset firms

Cryptoasset firms registered under MLR 2017 face specific challenges around source of funds verification (where funds may originate from blockchain-traced sources), the integration of blockchain analytics with traditional KYC data, and the FCA’s particular focus on the sector.

Common KYC Pitfalls

Treating KYC as an IT project rather than an ongoing operational discipline. KYC technology implementations that focus on onboarding-day automation without considering refresh, exception handling, and ongoing monitoring frequently produce frameworks that look strong on paper but fail under scaled operation.

Inadequate beneficial ownership investigation. Where corporate ownership chains pass through multiple entities, jurisdictions or trust structures, KYC investigation often stops short of true ultimate beneficial ownership identification.

Weak adverse media integration. Adverse media screening that relies on automated alert generation without skilled human review of complex matches frequently produces both false positives (wasted analyst time) and false negatives (missed adverse information).

KYC and ongoing monitoring siloing. Where the onboarding KYC team and the ongoing transaction monitoring team operate in functional silos with limited information sharing, the firm loses the holistic view of customer risk that effective AML requires.

Regulator-facing weakness on substantive verification. FCA reviews increasingly examine KYC files for substantive verification quality — not just whether documents were collected. Files that show document collection without verification activity (corroboration, independent source checking) are flagged.

Inadequate vendor management on KYC platforms. Where firms rely on third-party KYC platforms, the firm retains regulatory accountability but often delegates effective oversight. Strong vendor management — including testing, performance monitoring, and contractual rights to evidence — is required. See Third-Party Risk Management Guide.

KYC and Recruitment — What Strong Onboarding Teams Look Like

Effective KYC operations require team capability beyond standard administrative onboarding processing:

  • Onboarding analysts — handling standard cases efficiently with appropriate quality discipline
  • Senior KYC specialists — handling complex corporate structures, beneficial ownership investigation, and exception case escalation
  • Adverse media analysts — skilled at interpreting media findings, distinguishing relevant from irrelevant matches, and conducting investigation of substantive concerns
  • EDD specialists — handling enhanced cases, source of wealth verification, and PEP processes (see EDD Guide)
  • KYC technology lead — increasingly important role bridging financial crime and technology, owning vendor relationships and platform effectiveness
  • Senior management oversight — typically MLRO or Deputy MLRO with overall accountability for the framework

A Note from Our Founder — Adrian Lawrence FCA

Know Your Customer is the entry point of every regulated firm’s relationship with every customer — and the area of AML compliance where technology has changed the operational reality most dramatically over the last several years. The firms that have invested well in modern KYC technology and integrated team capability typically run efficient, effective onboarding with low cost-per-customer and strong risk discipline. The firms that have under-invested run expensive, slow onboarding with quality concerns and growing refresh backlogs.

The recruitment angle that comes up most often in our placements is the changing skill requirement for KYC teams. The role used to be predominantly document review and manual verification. The modern role is more about exception handling, complex case investigation, and oversight of automated processes. Hiring boards looking for KYC team leaders should focus on candidates who understand both the operational discipline and the technology — and who can lead teams through the inevitable friction between speed, customer experience, and AML rigour.

For senior financial crime leadership specifically, the KYC framework is one of the most important elements of the role. MLROs joining firms with weak KYC frameworks face a substantial remediation challenge; MLROs joining firms with strong KYC frameworks can focus on the higher-value strategic work. Hiring boards should expect senior MLRO candidates to ask probing questions about the KYC framework during interview — and to factor the answer into their decision.

At FD Capital we work on senior financial crime mandates regularly across UK regulated firms. If you are recruiting MLRO, Deputy MLRO, Head of Financial Crime, or KYC operational leadership, I’m happy to have a direct conversation about your specific situation.


Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383

Hire MLROs and Financial Crime Leaders

Effective KYC frameworks require specialist financial crime leadership and operational team capability. FD Capital places MLROs, Deputy MLROs, Heads of Financial Crime, KYC operational leaders and senior AML professionals across UK regulated firms.


Further Reading and Authoritative Sources

For the regulatory framework, see MLR 2017, particularly Regulations 27-30 (CDD measures). For FCA expectations, see the Financial Crime Guide. The JMLSG Guidance provides detailed sector-specific KYC implementation guidance.
