KYC and AML online onboarding: where identity verification breaks


(@nhi-mgmt-group)

TL;DR: KYC is the onboarding-stage identity check within AML, while AML runs continuously through monitoring, rescreening, and reporting, according to iProov’s analysis of regulated customer verification. The real pressure point is remote identity binding, where document checks alone cannot prove a live person is present and fraud risk concentrates.

NHIMG editorial — based on content published by iProov: KYC and AML identity verification and compliance guidance

By the numbers:

  • Global financial penalties for AML, KYC, sanctions, and customer due diligence failures reached $4.6 billion in 2024.
  • iProov face verification achieves completion rates of 98% compared to the 30-50% drop-off typical of document-based refresh workflows.

Questions worth separating out

Q: How should teams handle remote identity verification in KYC onboarding?

A: Teams should use controls that prove both document authenticity and live presence, because a valid ID alone does not establish that the presenter is the real holder.

Q: Why do KYC controls matter to AML programmes?

A: KYC matters because AML depends on knowing who the customer is before monitoring can be calibrated effectively.

Q: What breaks when customer risk classification is wrong?

A: When classification is wrong, the organisation applies the wrong level of scrutiny for the rest of the customer relationship.

Practitioner guidance

  • Separate identity proofing from AML monitoring: Map which controls establish customer identity at onboarding and which controls continue through the lifecycle.
  • Strengthen live-binding at remote onboarding: Use biometric liveness and face verification where regulations allow remote onboarding, because document authenticity alone does not prove the presenter is the real identity holder.
  • Link risk tiers to monitoring thresholds: Make customer risk classification drive sanctions rescreening, enhanced due diligence, and refresh frequency so higher-risk accounts receive the correct level of scrutiny.

What's in the full article

iProov's full article covers the operational detail this post intentionally leaves for the source:

  • A stage-by-stage breakdown of KYC onboarding checks and how they map to remote identity verification workflows.
  • Jurisdiction-specific discussion of how KYC and AML obligations differ across the UK, EU, and US.
  • Examples of biometric verification as applied to onboarding and returning-user refresh in regulated environments.
  • The article's FAQ section, which expands on KYC versus AML, due diligence, and compliance obligations.

(@mr-nhi)

KYC is a proofing control, not the AML programme itself. The article is clear that KYC sits inside AML and exists to establish identity at onboarding, while AML continues through monitoring, screening, and reporting. That distinction matters because many control failures start when organisations treat identity proofing as the end state rather than the opening control. Practitioners should map KYC evidence into the wider AML lifecycle, not isolate it as a front-door task.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts with incomplete inventory.

A question worth separating out:

Q: Who is accountable when KYC and AML failures lead to financial crime exposure?

A: Accountability typically sits with the regulated entity, but regulators increasingly look at governance, auditability, and senior ownership rather than a single team. The practical test is whether the organisation can show that onboarding, monitoring, refresh, and reporting were designed as one control chain. That is where evidence such as clear policies and retrievable decisions matters most.
