By NHI Mgmt Group Editorial Team
Published 2026-06-08
Domain: Breaches & Incidents
Source: Sumsub

TL;DR: User verification and KYC/AML compliance are central to a digital wallet expanding across Brazil, Argentina, and wider Latin America through its partnership with belo, according to Sumsub. The real issue is not verification speed alone, but whether identity controls can keep pace with cross-border growth without weakening trust or fraud defences.


At a glance

What this is: Sumsub says its collaboration with belo is designed to support user verification and KYC/AML compliance as the digital wallet expands across LATAM.

Why it matters: For IAM and identity governance teams, the case shows how growth-stage fintechs must align onboarding, fraud prevention, and compliance controls across regional markets without creating friction or control drift.



Context

KYC and AML controls become harder to govern when a fintech expands across multiple countries, payment rails, and customer segments at once. In practice, the identity problem is not just proving who a user is at onboarding, but sustaining defensible verification, monitoring, and trust as the business adds markets and products.

For LATAM fintechs, the governance challenge spans customer identity, fraud controls, and compliance operations. When user volumes rise quickly, teams need to treat identity verification as an operating control rather than a one-time checkpoint, especially where digital wallets, crypto transfers, and fiat movement converge.


Key questions

Q: How should fintech teams balance user onboarding speed with KYC and AML control?

A: Fintech teams should separate conversion metrics from control metrics. Fast onboarding is useful only if the programme can still explain who was verified, what evidence was accepted, and when exceptions were made. The right balance comes from policy-driven routing, documented escalation, and monitoring that continues after account opening.

Q: Why do digital wallets need lifecycle identity governance after onboarding?

A: Digital wallets handle continuing transactions, changing customer behaviour, and evolving risk profiles, so first-time verification is not enough. Lifecycle governance adds refresh triggers, review points, and escalation paths that keep identity controls aligned with how the account is actually used over time.

Q: What breaks when compliance is treated as a one-time verification step?

A: Controls become brittle. Teams lose visibility into changing user risk, manual review queues grow without clear criteria, and fraud or AML signals may appear too late to matter. In regulated fintech, onboarding without lifecycle monitoring creates a false sense of assurance.

Q: How should security teams govern cross-border identity verification in LATAM fintech?

A: They should centralise policy while allowing jurisdiction-specific rules for evidence, screening, and escalation. That approach keeps governance consistent across markets without forcing every country into the same workflow. It also makes audits easier because decisions are tied to documented controls rather than local improvisation.


Technical breakdown

Cross-border KYC orchestration in fintech onboarding

Cross-border onboarding is an orchestration problem, not a single verification step. Different markets can impose different identity evidence, screening, and approval requirements, while the customer experience still needs to remain consistent enough to support conversion. That creates a governance layer above the identity proofing flow: routing, policy decisioning, exceptions, and auditability. In fintech, the operational risk is that growth pressure pushes teams to loosen checks or create country-specific workarounds that are hard to govern centrally.

Practical implication: define market-specific KYC policies centrally, then enforce them through controlled onboarding workflows rather than local exceptions.
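The "central policy, market-specific rules" pattern described above, as an added sketch; it is not Sumsub's or belo's code, and every requirement, threshold and field name in it is constructed for illustration rather than taken from any real regulatory rule.

```python
# Central KYC policy with per-market overrides; every decision returns an audit record.
# All evidence types, screening lists and thresholds below are constructed values.
POLICY_VERSION = "constructed-v1"
BASELINE = {"evidence": {"gov_id", "liveness"}, "screening": {"sanctions"}, "review_above": 70}
MARKET_OVERRIDES = {
    "BR": {"evidence": {"gov_id", "liveness", "tax_id"}},
    "AR": {"screening": {"sanctions", "pep"}, "review_above": 60},
}

def policy_for(market):
    """Merge the central baseline with one market's override; unknown markets fail closed."""
    if market not in MARKET_OVERRIDES:
        raise KeyError(f"no KYC policy defined for market {market!r}")
    return {**BASELINE, **MARKET_OVERRIDES[market]}

def decide(applicant, exception=None):
    """Route one applicant and return a record that explains the outcome."""
    policy = policy_for(applicant["market"])
    missing_ev = policy["evidence"] - set(applicant["evidence"])
    missing_sc = policy["screening"] - set(applicant["screening_passed"])
    waived = set()
    if exception is not None:
        # An exception is accepted only with a named approver and a reason,
        # and it can waive evidence items only, never a screening check.
        if not exception.get("approver") or not exception.get("reason"):
            raise ValueError("exception requires approver and reason")
        waived = missing_ev & set(exception["waive"])
    if (missing_ev - waived) or missing_sc:
        outcome = "reject"
    elif waived or applicant["risk_score"] > policy["review_above"]:
        outcome = "manual_review"  # a waiver never leads to automatic approval
    else:
        outcome = "approve"
    return {
        "market": applicant["market"],
        "policy_version": POLICY_VERSION,
        "missing": sorted(missing_ev | missing_sc),
        "waived": sorted(waived),
        "exception": exception,
        "risk_score": applicant["risk_score"],
        "outcome": outcome,
    }

# Constructed applicant: the same profile is routed differently per market policy.
FULL = {"evidence": ["gov_id", "liveness", "tax_id"],
        "screening_passed": ["sanctions", "pep"], "risk_score": 65}
```

Because the record carries the policy version, the missing items and any waiver with its approver, a later audit can reconstruct why a given applicant passed.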

User pass rates versus fraud pressure in identity verification

User pass rate is often treated as a product metric, but in regulated fintech it also reflects control design. If a verification process is too strict, legitimate users drop out. If it is too permissive, fraud, mule activity, and synthetic identity risk rise. The governance challenge is to tune thresholds, document exception handling, and preserve evidence for audit and review. AI-assisted verification can improve throughput, but it does not remove the need for human oversight where risk is elevated or signals conflict.

Practical implication: track pass rates alongside fraud outcomes, exception volumes, and review outcomes so the control can be tuned without losing compliance evidence.

KYC and AML controls as a lifecycle governance issue

Identity verification in fintech does not end at account creation. As customers move money, change behaviour, or expand into new services, the lifecycle of the identity relationship changes too. That means ongoing monitoring, refresh triggers, and policy-based escalation matter as much as initial proofing. For digital wallets handling crypto, stablecoin, and fiat transfers, the control question becomes whether the programme can keep pace with changing risk without over-relying on manual review.

Practical implication: connect onboarding, monitoring, and periodic review into one lifecycle model so compliance does not stop at first verification.




NHI Mgmt Group analysis

Compliance-first growth is now an identity architecture problem, not just a legal one. When a fintech expands across Brazil, Argentina, and wider Latin America, the control surface includes onboarding policy, fraud prevention, and evidence retention. The article shows that identity verification is being used as part of market expansion strategy, which means governance must scale with the business rather than trail it. Practitioners should treat regional compliance as an operating model decision, not a paperwork exercise.

High pass rates are only defensible when they are tied to policy, not convenience. In regulated financial services, pass rate pressure can quietly erode control quality if teams optimise for conversion alone. The better question is whether the verification design can explain why a user passed, which signals were reviewed, and where exceptions were allowed. That is the difference between controlled onboarding and uncontrolled friction reduction.

Digital wallet growth increases the need for lifecycle-based identity governance. Crypto, stablecoin, and fiat flows create a broader trust boundary than traditional single-rail payments. As the relationship between the customer and the platform changes over time, the identity programme has to support refresh, escalation, and review across the whole lifecycle. Practitioners should align onboarding controls with continuing risk signals, not stop at initial verification.

Named concept: compliance-throughput tension. This partnership illustrates the pressure point where faster user onboarding and stronger compliance controls pull in opposite directions. That tension is not solved by a single verification tool, because the underlying issue is governance of trade-offs across markets, products, and risk tiers. Practitioners should recognise that scaling fintech identity is about managing that tension deliberately, not eliminating it.

From our research:

  • Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • For the lifecycle and evidence side of this problem, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the governance model that keeps access decisions auditable.

What this signals

Compliance-throughput tension: fintech teams should expect identity verification to be judged on more than acceptance rates as regulators and partners ask for stronger evidence of control quality. That means the onboarding stack, review queue, and exception process need to be managed as one governance system, not separate operational silos.

The next planning cycle should assume that cross-border growth will expose gaps between local workflows and central policy. Teams that cannot show why a customer passed verification, or how that decision would be defended later, will struggle to scale trust as fast as they scale transactions.

For practitioners building or refreshing their operating model, the question is whether identity controls are keeping pace with market expansion. A defensible programme ties onboarding to lifecycle review and audit trails, which is the difference between controlled growth and compliance debt.


For practitioners

  • Map KYC policy by market and product. Separate onboarding requirements for Brazil, Argentina, and wider LATAM expansion paths, then document which evidence, screening, and review steps apply to each product line.
  • Measure verification quality beyond pass rate. Track exception rates, manual review volume, false positives, fraud outcomes, and auditability together so the programme does not optimise conversion at the expense of control.
  • Link onboarding to lifecycle monitoring. Create refresh triggers for changed behaviour, new transfer patterns, and higher-risk activity so identity governance continues after account opening.

Key takeaways

  • LATAM fintech expansion turns identity verification into a governance control, not just an onboarding step.
  • The key risk is optimising for user pass rates without preserving auditability, escalation, and fraud resilience.
  • Practitioners should connect market-specific KYC policy to ongoing lifecycle monitoring if they want growth without control drift.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access decisions underpin controlled onboarding.
NIST SP 800-63 | | Digital identity proofing is central to KYC onboarding in regulated fintech.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Cross-border fintech needs consistent, least-privilege style access governance for identity workflows.

Use 800-63-aligned identity proofing rules to separate evidence, verification, and assurance levels.


Key terms

  • KYC orchestration: KYC orchestration is the policy-driven coordination of evidence collection, identity checks, screening, and review across an onboarding flow. It matters because regulated businesses rarely rely on one check alone. The real control is how those checks are sequenced, logged, and escalated across markets and products.
  • Compliance-throughput tension: Compliance-throughput tension is the operational conflict between speeding up customer onboarding and preserving rigorous identity controls. In fintech, this tension appears when teams optimise for pass rates or conversion without enough attention to auditability, exception handling, and fraud detection.
  • Lifecycle identity governance: Lifecycle identity governance is the discipline of managing identity controls after initial onboarding, including refresh, review, escalation, and offboarding when risk changes. For customer identity programmes, it keeps decisions aligned with actual behaviour rather than assuming the first verification result stays valid forever.


This post draws on content published by Sumsub: the belo partnership for LATAM compliance and user verification. Read the original.
