By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Smile IDPublished August 6, 2025

TL;DR: KYC programmes still create major operational and customer-experience strain, and large financial institutions can spend up to $500 million annually on compliance, according to Smile ID citing Thomson Reuters. The practical issue is not just cost but whether identity verification, fraud controls, and regulatory change can be managed without excessive friction.


At a glance

What this is: This is an analysis of the top KYC implementation challenges, from fraudulent accounts and manual review to false positives, user friction, and regulatory change.

Why it matters: It matters because KYC sits at the intersection of human identity, fraud prevention, compliance, and onboarding governance, where weak process design can raise risk while slowing legitimate access.

By the numbers:

👉 Read Smile ID's analysis of the top five KYC challenges and solutions


Context

KYC, or know your customer, is the identity verification process used to confirm that a customer is who they claim to be before access is granted to regulated services. In practice, KYC is a human identity control with compliance, fraud, and customer-experience consequences, not just a checklist for onboarding.

The challenge is that many KYC programmes are still built around manual review, fragmented data sources, and rules that struggle with modern fraud patterns such as deepfakes and synthetic identities. For identity teams, the issue is how to balance assurance, speed, and regulatory consistency without creating avoidable onboarding failure.

For organisations operating across multiple jurisdictions, the governance problem grows quickly because KYC obligations change by country and the verification experience must still remain usable. That makes KYC a lifecycle and control-design problem as much as a compliance requirement.


Key questions

Q: How should organisations balance KYC assurance with customer experience?

A: Use risk-based onboarding so low-risk customers complete a lighter flow and higher-risk cases receive deeper checks. The key is to make verification proportional to risk, then measure abandonment, override rates, and false positives together. If legitimate customers are dropping out, the programme is too rigid even if it is technically compliant.

Q: Why do false positives create security and compliance problems in KYC?

A: False positives waste analyst time, frustrate customers, and encourage manual workarounds that weaken consistency. They also hide whether the underlying data or rules are outdated. When teams cannot explain why a legitimate customer was flagged, the control is losing reliability and the business starts absorbing unnecessary friction.

Q: What do teams get wrong about global KYC workflows?

A: Teams often assume a single onboarding flow can satisfy every market if the form is long enough. In practice, global KYC fails when the same journey is reused everywhere without local policy branching, document acceptance rules, and escalation thresholds. Good governance localises the control logic, not just the language.

Q: Who is accountable when KYC requirements change across jurisdictions?

A: Accountability should sit with a named compliance owner and an operational owner who can update workflows, training, and evidence requirements as regulations change. KYC becomes fragile when ownership is split across legal, compliance, and product teams without a clear control steward. Clear governance is essential for auditability and change management.


Technical breakdown

Why fraudulent accounts defeat static verification checks

Fraudulent account creation works when verification is too dependent on document lookups, shallow rules, or database checks that do not keep up with modern impersonation tactics. Deepfakes and synthetic identities can pass weak controls because the system is validating surface-level consistency rather than provenance and intent. Biometric checks and stronger document analysis help, but only if they are part of a broader assurance model that includes risk scoring and anomaly detection.

Practical implication: move beyond document-only verification and add layered identity assurance for higher-risk onboarding paths.

How manual KYC work creates operational drag

Manual KYC depends on people reading documents, entering data, and deciding whether the evidence is sufficient. That creates delay, inconsistency, and a high error rate, especially when volumes rise or teams must apply the same rule set across multiple regions. Automation reduces repetitive effort, but the real architecture question is where human review remains necessary and where machine-assisted verification is trustworthy enough to scale.

Practical implication: reserve manual review for exceptions and use automation for repeatable verification steps that do not require judgement.

Why false positives and poor user experience become governance issues

False positives happen when legitimate customers are flagged because the rules are too strict, the reference data is stale, or the system cannot interpret context correctly. That is not just a tuning issue. It becomes a governance problem when high-friction onboarding causes abandonment, customer support escalation, and inconsistent decisions across teams or markets. Good KYC design needs measurable thresholds, review feedback loops, and risk-based step-up paths.

Practical implication: track false positive rates and abandonment together, because both reflect whether the control is working as intended.


Threat narrative

Attacker objective: The objective is to obtain a trusted customer identity that can be used for fraud, laundering, or other financial crime.

  1. Entry occurs when criminals use fake documents, synthetic identities, or deepfakes to present as legitimate applicants during onboarding. Credential access is not the main issue here, but identity evidence is harvested or forged to pass initial verification.
  2. Escalation follows when weak or manual review processes accept the fraudulent identity and create a valid customer account or trusted relationship. The attacker then uses that account to move into financial crime, fraud, or laundering activity.
  3. Impact is realised when the business incurs losses, regulatory exposure, reputational damage, or downstream fraud linked to accounts that should never have been approved.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

KYC is no longer just an onboarding control, it is an identity assurance system under constant attack. The article shows that fake documents, deepfakes, and operational friction are all part of the same governance problem. If the verification stack cannot distinguish legitimate identity from engineered identity without making the customer journey unusable, the programme is under-designed for current fraud conditions. Practitioners should treat KYC as a continuously tuned assurance workflow, not a one-time gate.

False positives are a control-quality signal, not just a customer-service issue. When legitimate users are repeatedly blocked, the organisation is often relying on brittle rules, stale reference data, or oversimplified risk logic. That weakens both compliance and conversion because teams start overriding controls informally. The governance lesson is that KYC outcomes must be measured as both security effectiveness and operational reliability.

Customer friction is the hidden cost of over-centralised verification. A single rigid process rarely fits all risk levels or jurisdictions, and the result is avoidable abandonment. Risk-based onboarding is not about weakening assurance. It is about matching the depth of verification to the customer’s risk profile so that high-trust cases move quickly while higher-risk cases receive deeper scrutiny.

Continuous regulatory change turns KYC into a lifecycle discipline. The article makes clear that country-specific requirements, evolving AML expectations, and training demands all create ongoing management work. That means KYC cannot be owned as a static policy document. It has to be governed like a living control set, with ownership, testing, and regional adaptation built in from the start.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • That pattern is a reminder that identity governance fails when operational controls lag behind how identities are actually used, which is why the Ultimate Guide to NHIs , Key Challenges and Risks remains relevant.

What this signals

KYC programmes are increasingly judged on whether they can absorb fraud pressure without creating measurable onboarding loss. With 72% of organisations reporting or suspecting a breach of non-human identities in our research, the wider lesson is that identity controls fail when assurance logic and operational reality drift apart, even in human identity workflows.

Identity assurance debt: the gap between what a control is supposed to prove and what the workflow can actually sustain under load. For KYC teams, that debt shows up as manual rework, inconsistent decisions, and customer drop-off. The practical response is to make assurance measurable across both compliance and conversion, not just audit readiness.


For practitioners

  • Map KYC decision points by risk tier Separate low-risk, medium-risk, and high-risk onboarding paths so the same verification depth is not applied to every applicant. This reduces unnecessary friction while preserving stronger checks where identity confidence is lower.
  • Measure false positives and abandonment together Treat rejected legitimate customers as a control failure signal, not just a service issue. Review the rate of manual overrides, abandonment spikes, and repeated re-verification requests to find brittle rules.
  • Add layered checks for fraud-prone onboarding journeys Use document verification, biometric checks, and anomaly detection together for cases with elevated risk, especially when evidence quality is weak or the applicant profile is inconsistent.
  • Build jurisdiction-specific KYC rule sets Maintain configurable workflows for different countries and regulatory requirements so compliance updates do not require a wholesale redesign of the onboarding process.

Key takeaways

  • KYC is a governance control for human identity, but it fails when fraud techniques outpace the verification model.
  • False positives, manual review, and customer abandonment are all evidence that the control is too brittle to scale.
  • The right KYC programme adapts verification depth to risk, jurisdiction, and operational capacity without losing auditability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AKYC relies on identity proofing and evidence collection for customer onboarding.
NIST CSF 2.0PR.AC-1KYC is part of identity and access governance for customer onboarding.
ISO/IEC 27001:2022A.5.15KYC data handling requires access control and governance over sensitive identity records.
GDPRArt.32KYC processing involves personal data and requires appropriate security measures.

Use SP 800-63A to structure identity proofing and evidence verification for higher-risk onboarding.


Key terms

  • Embedded KYC: Embedded KYC is the practice of placing customer identity verification directly inside the onboarding workflow instead of managing it as a separate process. In regulated environments, it creates a single control path for identity proofing, sanctions screening, and audit evidence, which can improve consistency if governance is clear.
  • False Positive: A false positive is a scanner result that looks like a secret but is not actually sensitive. In secret governance, false positives matter because they consume analyst time, weaken trust in alerts, and can delay response to the findings that truly change exposure and access risk.
  • Risk-based onboarding: An onboarding model that changes verification depth, approval thresholds, and manual review based on customer risk. It uses the same identity workflow differently across geographies, products, and behaviour signals so low-risk customers move quickly while higher-risk cases receive additional scrutiny.
  • Identity proofing: The process of verifying that a person is who they claim to be before granting or restoring access. In higher-risk recovery paths, proofing can include stronger evidence checks such as government ID validation or liveness-based facial verification so the assurance level matches the sensitivity of the request.

What's in the full article

Smile ID's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step selection criteria for KYC software features such as OCR, biometrics, and AML screening.
  • Detailed guidance on choosing between manual review, automation, and hybrid onboarding flows.
  • Practical considerations for integrating KYC tools with CRM, ERP, and other existing systems.
  • Country-specific compliance and data protection points that affect regional deployment choices.

👉 Smile ID's full article covers KYC software selection, onboarding design, and compliance detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org