Know your customer (KYC) and why it breaks without process
KYC verification protects financial institutions from fraud and money laundering. Without repeatable processes, compliance falls apart and regulators notice.
KYC compliance demands consistent verification processes and thorough documentation. Here is how we approach compliance management.
Summary
- Identity verification programs stop fraud before accounts open: banks collect name, date of birth, address, and ID number, then confirm through passports or government-issued documents while cross-checking against terrorist and criminal watchlists
- Spending profiles catch suspicious behavior early: banks build predictive models based on account holder characteristics and flag transactions outside expected patterns like repeated wire transfers, offshore accounts, or international money movement
- Risk ratings drive monitoring intensity: higher-risk individuals like politically exposed persons get Enhanced Due Diligence with heavier transaction monitoring, while lower-risk accounts need less oversight
If you work in financial services, you already know KYC isn’t optional. But here’s what bugs me about how most organizations handle it - they treat KYC like a checkbox exercise. Fill out the forms, collect the documents, move on. That’s how things slip through the cracks.
When your KYC workflow is held together with email chains and spreadsheets, throwing automation on top just means you’ll miss suspicious activity faster and more consistently.
We got this wrong at first, assuming compliance teams across banking, insurance, and professional services just needed better tools. But the pattern is always the same. The organizations that struggle aren’t lacking tools. They’re lacking process.
What KYC means and why it exists
“Know Your Customer” is exactly what it sounds like - a set of regulations requiring businesses that handle money to verify who they’re dealing with. The USA PATRIOT Act of 2001 made this mandatory for U.S. financial institutions. But it’s not just an American thing. Global standards from bodies like the Financial Action Task Force (FATF) push every country toward the same basic idea - know who’s giving you money, and watch what they do with it.
The numbers tell the story. Financial institutions were filing over 10,000 Suspicious Activity Reports every single day by 2024. SAR filings surged by 51.8% between 2020 and 2024. Synthetic identity fraud alone exploded by 37% year-over-year as criminals started using AI to create fabricated identities that blend right into financial systems.
That’s not a problem you solve with a PDF checklist.
The more familiar you are with an account holder and their spending habits, the easier it becomes to spot something wrong. Sounds simple. In practice, it’s a mess for most organizations. Let me break down what’s supposed to happen.
Verifying identity before anything else
The first step is a Customer Identification Program (CIP). Every institution needs a written one. It spells out how they confirm a new account holder is who they claim to be.
CIPs generally require four things:
- Name
- Date of birth (for individuals)
- Address
- Identification number
Banks verify this through documentation - passports, government-issued IDs. They might also cross-reference with public databases or other financial institutions. But here’s the part people forget - they also run every name against federal government watchlists of known or suspected terrorists and criminal organizations.
That last piece is where process matters most. Miss a name match because someone skipped a step? That’s not just a compliance violation. That’s front-page news.
One thing that keeps coming up at Tallyfy: the teams that handle identity verification well aren’t the ones with the fanciest software. They’re the ones with clear, repeatable workflows where every step has an owner and nothing gets skipped. We’ve built Tallyfy specifically around this idea - tracking tasks between people, not just moving data between apps.
Building spending profiles that flag problems
Once you know who someone is, you need to predict what normal behavior looks like for them. Modern data science makes this easier than it used to be, but it’s still not automatic.
Banks create a spending profile for each new account holder based on known characteristics and the behavior of similar individuals. Then, when a transaction falls outside predictions, it gets flagged. Maybe it’s repeated wire transfers to unfamiliar accounts. Maybe it’s sudden international money movement that doesn’t match their history.
This is Customer Due Diligence (CDD) monitoring. It protects banks from fraud losses, reputation damage, and compromised security. It also benefits account holders - spending monitoring strengthens a bank’s ability to alert people when something suspicious happens on their account.
But here’s the catch. 68% of consumers have abandoned a financial application during onboarding because of friction. That number keeps climbing. So you’ve got two competing pressures - regulators demanding more thorough verification, and people walking away when it takes too long.
I think the answer isn’t choosing one over the other. It’s designing the process so verification happens quickly without cutting corners. That’s a workflow design problem, not a technology problem.
Risk ratings and Enhanced Due Diligence
Early in the relationship, banks assign a risk rating to each account holder. This drives everything else in the KYC process. How often do you monitor transactions? How deep do you dig? The risk rating decides.
Compliance is the most common topic we hear about in conversations at Tallyfy - appearing in over 1,100 of our discussions. And this risk rating step is where things tend to fall apart. If the rating process is inconsistent - different analysts applying different criteria - you end up with a patchwork of monitoring that regulators will tear apart during an audit.
Common red flags include:
- Repeated wire transfers to or from high-risk jurisdictions
- Transactions with offshore accounts
- Moving money internationally without clear business purpose
- Activity patterns that don’t match the stated account purpose
Higher-risk individuals get flagged for Enhanced Due Diligence (EDD). Politically exposed persons (PEPs) - people in public office who are vulnerable to corruption - almost always trigger this. Additional monitoring gets set based on the level of risk they pose.
If someone is seen as too high-risk, the bank can just decline the relationship entirely. That’s a judgment call, and it needs to be documented and defensible.
FinCEN regularly issues advisories with information on the latest threats and vulnerabilities facing financial institutions.
Real cost of getting KYC wrong
Here’s something that surprised me. Over half of corporate and institutional banks spend between $1,500 and $3,000 to complete just one KYC review. And the total cost of financial crime compliance across U.S. and Canadian financial institutions hit $61 billion annually. A third of banks employ between 1,001 and 1,500 full-time people just for KYC operations.
Those numbers are staggering. But the cost of not doing KYC properly is worse. Fines, criminal prosecution, reputation destruction. Deutsche Bank, HSBC, Danske Bank - the list of institutions that learned this lesson the hard way keeps growing.
What I’ve noticed in feedback we’ve received from financial services teams is that the biggest cost driver isn’t the verification itself. It’s the rework. Missing information requires manual follow-ups. Inconsistent documentation creates audit headaches. Multi-state or multi-jurisdiction compliance creates requirements that slip through the cracks without proper verification checkpoints.
That’s a process problem. Fix the process, and the costs drop.
How AI changes KYC and where it doesn’t
More than 68% of compliance officers now expect to be hands-on in designing AI-driven compliance programs. The KYC software market is expected to grow at a 30.3% compound annual rate through 2035. Everyone’s rushing to automate.
I keep coming back to the same point. If your CDD monitoring workflow is inconsistent - different people following different steps, documentation scattered across email threads and shared drives - automating that mess just creates automated mess.
The FATF’s latest evaluation cycle emphasizes exactly this. Regulators aren’t just asking “do you have KYC controls?” anymore. They’re asking “do your controls work in practice?” That’s an effectiveness question. And effectiveness requires defined, repeatable processes.
Running Tallyfy taught us this firsthand. The organizations that get the most out of automation are the ones that first mapped their compliance workflows clearly. Who does what, when, and what happens if something goes wrong. Then they automate. Not the other way around.
Perpetual KYC - continuously monitoring and updating risk profiles rather than doing periodic reviews - is emerging as a major trend. But perpetual KYC without a defined process for handling alerts, escalations, and updates? That’s just perpetual noise.
Making KYC work in practice
KYC combines thorough initial verification and ongoing due diligence to reduce exposure to fraud and illicit activities. When you’re confident about an account holder’s true identity, you can anticipate risk and catch suspicious activity before it causes real damage.
Financial services teams represent about 17% of our conversations at Tallyfy, and the institutions that treat KYC as a continuous process rather than a one-time checkbox see dramatically better outcomes. The teams that struggle most are collecting documentation through email and spreadsheets - missing information requires manual follow-ups, and multi-jurisdiction compliance creates requirements that fall through without proper verification checkpoints.
My honest take? The technology for KYC has never been better. The processes surrounding it have never been more important. And most organizations are spending on the first while ignoring the second. Define the process. Make it repeatable. Track every step. Then - and only then - add the AI and automation on top. That’s how KYC compliance stops being a headache and starts being something you can actually trust.
About the Author
Amit is the CEO of Tallyfy. He is a workflow expert and specializes in process automation and the next generation of business process management in the post-flowchart age. He has decades of consulting experience in task and workflow automation, continuous improvement (all the flavors) and AI-driven workflows for small and large companies. Amit did a Computer Science degree at the University of Bath and moved from the UK to St. Louis, MO in 2014. He loves watching American robins and their nesting behaviors!