The latest articles on DEV Community by Stuart Watkins (@stuart_watkins_555e9d30ee). https://dev.to/stuart_watkins_555e9d30ee https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3764405%2F9beaad1e-857c-48b1-bcb0-50782a7610af.jpg https://dev.to/stuart_watkins_555e9d30ee en Stuart Watkins Thu, 16 Apr 2026 11:55:12 +0000 https://dev.to/stuart_watkins_555e9d30ee/what-is-kyb-the-only-guide-that-doesnt-put-you-to-sleep-1khp https://dev.to/stuart_watkins_555e9d30ee/what-is-kyb-the-only-guide-that-doesnt-put-you-to-sleep-1khp <p><strong>TL;DR:</strong> KYB (Know Your Business) verifies a company's legal existence, ownership structure, and risk profile before you onboard them. Most teams still do it manually, which means errors, delays, and compliance gaps that regulators love to target. This guide breaks down what KYB actually involves, why the manual approach fails, and how to build automated verification flows that scale. TypeScript examples included.</p> <p>Your compliance team just spent three days verifying a shell company that dissolved six months ago. The manual KYB process missed the dissolution, the beneficial ownership trail led nowhere, and now you are explaining to regulators why due diligence failed.</p> <p>If that sounds familiar, you are not alone. Most compliance teams treat KYB as a tick-box exercise, running basic company searches and calling it complete. Then they wonder why sophisticated money launderers sail through their onboarding process whilst legitimate businesses get stuck in verification limbo.</p> <p>I am Stuart Watkins, CEO of Zenoo. We build compliance orchestration infrastructure, and we see variations of this story every week. So here is a KYB guide written for the people who actually have to build and maintain these systems.</p> <h2> KYB is not KYC for companies. It is harder. </h2> <p>KYC verifies an individual. One person, one identity document, one screening check. KYB verifies a business, which means confirming legal existence, ownership structure, ultimate beneficial owners (UBOs), licences, and screening against sanctions lists, blacklists, and grey lists for involvement in money laundering or terrorist financing.</p> <p>The EU 5th AML Directive mandates KYB for 10 entity types: credit institutions, estate agents, external accountants, financial institutions, gambling services, notaries, service auditors, tax advisors, trusts, and investment firms.</p> <p>But the real complexity is structural. A single business might have multi-layer ownership, subsidiaries across jurisdictions, and UBOs hidden behind nominee directors. Tracing ownership through those layers requires pulling data from registry sources like Secretary of State (SOS) databases and EIN/TIN records, then cross-referencing globally.</p> <p>Here is a minimal type definition for what a KYB verification request actually looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">UltimateBeneficialOwner</span> <span class="p">{</span> <span class="nl">fullName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">dateOfBirth</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">nationality</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">ownershipPercentage</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">isPoliticallyExposed</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">KYBVerificationRequest</span> <span class="p">{</span> <span class="nl">companyName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">registrationNumber</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">jurisdiction</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">registeredAddress</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">incorporationDate</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">ubos</span><span class="p">:</span> <span class="nx">UltimateBeneficialOwner</span><span class="p">[];</span> <span class="nl">sourceOfFunds</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">transactionPurpose</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">riskSector</span><span class="p">:</span> <span class="dl">'</span><span class="s1">standard</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">elevated</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// e.g., gambling, money services, adult entertainment</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">KYBVerificationResult</span> <span class="p">{</span> <span class="nl">companyExists</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">registrationActive</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">uboScreeningResults</span><span class="p">:</span> <span class="p">{</span> <span class="na">uboName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">sanctionsHit</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">pepHit</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">adverseMediaHit</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}[];</span> <span class="nl">riskScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 0 to 100</span> <span class="nl">recommendedAction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">auto_approve</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">manual_review</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">reject</span><span class="dl">'</span><span class="p">;</span> <span class="nl">dataQuality</span><span class="p">:</span> <span class="p">{</span> <span class="na">complete</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">accurate</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">fresh</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">consistent</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">unique</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>That <code>dataQuality</code> object is not decoration. High-quality KYB datasets must meet five criteria: complete, accurate, fresh, consistent, and unique. Poor data quality leads to unreliable verification checks and increased false positives, which is already the top pain point compliance teams report across the industry.</p> <h2> Why manual KYB fails at scale </h2> <p>Manual processes cause errors and delays in business onboarding. That is not opinion. It is the pattern we see repeated across every compliance team still running spreadsheet-driven workflows.</p> <p>Three specific failure modes:</p> <p><strong>1. Stale data kills due diligence.</strong> Traditional KYB stops at initial onboarding, missing post-approval changes. A company can go bankrupt, get added to a watchlist, or change its ownership structure entirely, and your records still show the snapshot from day one. The 2026 trend is towards continuous re-KYB: monitoring for status changes like bankruptcy, liens, watchlist additions, or registration updates in real time.</p> <p><strong>2. Complex structures exploit manual gaps.</strong> Shell companies exist specifically to exploit the complexity of multi-layer ownership. When an analyst is manually tracing UBOs through four jurisdictions, mistakes are inevitable. Sophisticated verification tools exist precisely because human pattern-matching breaks down at this scale.</p> <p><strong>3. Siloed processes obscure the full picture.</strong> Most teams run KYB, KYC, and AML screening as separate workflows. The 2026 push is towards integrated KYB-KYC-AML workflows that build complete risk profiles. Siloed processes create gaps that obscure full business risk assessment, and those gaps are exactly what regulators look for in enforcement reviews.</p> <p>A Head of Compliance at a UK payments company put it to us plainly: "We had three separate teams running three separate checks on the same entity. None of them could see each other's findings. When the FCA asked us to reconstruct our due diligence on a flagged merchant, it took us two weeks to piece it together from different systems."</p> <h2> Building an automated KYB flow </h2> <p>Automation dominates 2026 KYB trends for good reason: manual verification processes systematically fail at scale, creating exactly the compliance gaps that regulators target in enforcement actions.</p> <p>Here is what an API-driven KYB orchestration flow looks like in practice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">KYBOrchestrationStep</span> <span class="p">{</span> <span class="nl">provider</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">checkType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">registry_lookup</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">ubo_extraction</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">sanctions_screening</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">pep_check</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">adverse_media</span><span class="dl">'</span><span class="p">;</span> <span class="nl">timeout</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// milliseconds</span> <span class="nl">required</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">KYBOrchestrationConfig</span> <span class="p">{</span> <span class="nl">steps</span><span class="p">:</span> <span class="nx">KYBOrchestrationStep</span><span class="p">[];</span> <span class="nl">riskPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">autoApproveBelow</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">escalateAbove</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">rejectAbove</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">};</span> <span class="nl">continuousMonitoring</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">reKybTriggers</span><span class="p">:</span> <span class="p">(</span><span class="dl">'</span><span class="s1">bankruptcy</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">watchlist_addition</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">registration_lapse</span><span class="dl">'</span><span class="p">)[];</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">defaultConfig</span><span class="p">:</span> <span class="nx">KYBOrchestrationConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">steps</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">registry_api</span><span class="dl">'</span><span class="p">,</span> <span class="na">checkType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">registry_lookup</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ubo_service</span><span class="dl">'</span><span class="p">,</span> <span class="na">checkType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ubo_extraction</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sanctions_provider</span><span class="dl">'</span><span class="p">,</span> <span class="na">checkType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sanctions_screening</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">3000</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pep_provider</span><span class="dl">'</span><span class="p">,</span> <span class="na">checkType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pep_check</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">3000</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">media_service</span><span class="dl">'</span><span class="p">,</span> <span class="na">checkType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">adverse_media</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">8000</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">],</span> <span class="na">riskPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">autoApproveBelow</span><span class="p">:</span> <span class="mi">25</span><span class="p">,</span> <span class="na">escalateAbove</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">rejectAbove</span><span class="p">:</span> <span class="mi">85</span><span class="p">,</span> <span class="p">},</span> <span class="na">continuousMonitoring</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">reKybTriggers</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">bankruptcy</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">watchlist_addition</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">registration_lapse</span><span class="dl">'</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>The key design decisions here:</p> <p><strong>Rule-based policies enable automatic approvals and escalations based on risk thresholds.</strong> The <code>riskPolicy</code> config means low-risk businesses get approved without human intervention, medium-risk cases get escalated, and high-risk applications get rejected automatically. Your analysts spend their time on the cases that actually need human judgement, not rubber-stamping clean applications.</p> <p><strong>Continuous monitoring is not optional any more.</strong> The <code>reKybTriggers</code> array defines which post-onboarding events should trigger a re-verification. Real-time monitoring captures critical risk events after business relationships begin, which is the entire point of moving beyond one-time verification.</p> <p><strong>Steps run with timeouts and required flags.</strong> Adverse media might be useful but not blocking. Sanctions screening is always required. This lets you parallelise checks where possible and degrade gracefully when a non-critical provider is slow.</p> <h2> What good data quality actually looks like </h2> <p>Smart algorithms are being developed specifically to reduce false positive rates, but they are only as good as the data they ingest. Here is how to validate KYB data quality programmatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">DataQualityCheck</span> <span class="p">{</span> <span class="nl">dimension</span><span class="p">:</span> <span class="dl">'</span><span class="s1">complete</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">accurate</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">fresh</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">consistent</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">unique</span><span class="dl">'</span><span class="p">;</span> <span class="nl">check</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nx">KYBVerificationRequest</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">failureMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">qualityChecks</span><span class="p">:</span> <span class="nx">DataQualityCheck</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">dimension</span><span class="p">:</span> <span class="dl">'</span><span class="s1">complete</span><span class="dl">'</span><span class="p">,</span> <span class="na">check</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">companyName</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">registrationNumber</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">jurisdiction</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">ubos</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">),</span> <span class="na">failureMessage</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Missing required fields: company name, registration number, jurisdiction, or UBOs</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dimension</span><span class="p">:</span> <span class="dl">'</span><span class="s1">fresh</span><span class="dl">'</span><span class="p">,</span> <span class="na">check</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">incorporationDate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">incorporationDate</span><span class="p">);</span> <span class="k">return</span> <span class="o">!</span><span class="nf">isNaN</span><span class="p">(</span><span class="nx">incorporationDate</span><span class="p">.</span><span class="nf">getTime</span><span class="p">());</span> <span class="p">},</span> <span class="na">failureMessage</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Incorporation date is invalid or missing</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dimension</span><span class="p">:</span> <span class="dl">'</span><span class="s1">unique</span><span class="dl">'</span><span class="p">,</span> <span class="na">check</span><span class="p">:</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">uboNames</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">ubos</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">u</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">fullName</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">());</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">(</span><span class="nx">uboNames</span><span class="p">).</span><span class="nx">size</span> <span class="o">===</span> <span class="nx">uboNames</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="p">},</span> <span class="na">failureMessage</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Duplicate UBO entries detected</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">];</span> </code></pre> </div> <p>Incomplete, inaccurate, outdated, inconsistent, or duplicate data does not just slow down verification. It produces false positives, which means your compliance team wastes hours reviewing entities that are perfectly clean, whilst genuinely risky businesses slip through because analysts are overwhelmed.</p> <h2> Where most teams get stuck </h2> <p>Based on market intelligence from 211 data points across compliance vendors, here is what the industry actually scores:</p> <p>API quality: 4.1/5. Compliance depth: 4.3/5. Integration ease: 3.9/5. Documentation: 3.5/5. Pricing value: 3.4/5.</p> <p>The top pain points reported: false positives, complexity, security concerns, difficult photo capture instructions, and delayed response time.</p> <p>Notice the gap between compliance depth (4.3/5) and documentation (3.5/5). The tools can do the job. The problem is that integrating them into a coherent workflow, one that covers KYB, KYC, and AML in a single pass, remains painful. API integrations enable data sharing between compliance functions, but most teams end up building custom glue code between three or four different providers.</p> <p>This is exactly the integration gap that <a href="https://zenoo.com" rel="noopener noreferrer">Zenoo</a> was built to close. An API-first orchestration layer that connects your registry lookups, UBO extraction, sanctions screening, and risk scoring into a single configurable workflow, so you are not maintaining bespoke integrations for every provider combination.</p> <h2> The 30-second version </h2> <p>KYB verifies a business's legitimacy, ownership structure, legal existence, and risk profile. It is mandated by regulation, complicated by corporate structures, and broken by manual processes.</p> <p>The fixes are not theoretical. Dynamic risk scoring replaces static compliance checklists. Continuous monitoring replaces one-time verification. Unified workflows replace siloed KYB, KYC, and AML processes. And API-first orchestration replaces months of custom integration work.</p> <p>If you are building compliance flows and want to see what orchestrated KYB looks like with your own data, check out <a href="https://zenoo.com" rel="noopener noreferrer">zenoo.com</a>.</p> <p><em>Stuart Watkins is CEO of Zenoo, the compliance orchestration platform. He has spent the last decade building infrastructure that makes compliance teams faster without making regulators nervous.</em></p> fintech compliance automation Stuart Watkins Thu, 16 Apr 2026 11:55:03 +0000 https://dev.to/stuart_watkins_555e9d30ee/what-is-kyb-verification-a-technical-primer-for-fintech-teams-5ai5 https://dev.to/stuart_watkins_555e9d30ee/what-is-kyb-verification-a-technical-primer-for-fintech-teams-5ai5 <p><strong>TL;DR:</strong> KYB (Know Your Business) is the corporate counterpart to individual KYC, extending anti-money laundering laws to business entities. It rests on four pillars: company verification, UBO identification, sanctions screening, and ongoing monitoring. Most implementations break at the UBO layer. This post walks through why, and how to architect around it.</p> <p>Most fintech teams discover KYB compliance the hard way: when their first enterprise client's complex ownership structure breaks their onboarding flow, or when a regulatory audit reveals gaps in their business verification process. The cost is not just operational friction. It is regulatory penalties and reputational damage that compound as you scale.</p> <p>I have watched this play out dozens of times. A team builds a slick consumer KYC flow, ships it, then gets their first request to onboard a corporate client with three layers of holding companies across two jurisdictions. Their system falls over. Not because the engineering is bad, but because nobody architected for the reality of business verification.</p> <p>Let me walk you through what KYB actually involves from an implementation perspective, where the complexity hides, and how to avoid the mistakes we see most often.</p> <h2> KYB is not just KYC for companies </h2> <p>It is tempting to treat KYB as "run the same checks, but on a company instead of a person." That mental model will cost you months of rework.</p> <p>KYB verification is mandatory for banks, fintechs, NBFCs, marketplaces, payment aggregators, and B2B platforms that onboard business entities. The core requirements include CIP (Customer Identification Programme) for business entities, CDD (Customer Due Diligence) risk assessment, and sanctions screening against OFAC, UN, and EU watchlists. Payment providers must also comply with PSD2 and EMD requirements alongside cross-border payment regulations.</p> <p>The critical use cases where KYB applies: corporate account opening, commercial lending applications, merchant payment processing requests, vendor onboarding, and B2B SaaS platform registration. If your platform onboards businesses in any of these contexts, KYB is not optional.</p> <h2> The four-pillar framework </h2> <p>KYB rests on four foundational elements. Most teams get the first one right and underestimate the remaining three.</p> <h3> 1. Company verification </h3> <p>Confirm the entity legally exists. This means validating certificates of incorporation, business registration numbers, and licences against authoritative registries. In the UK, Companies House now mandates identity verification at incorporation and for new directors as of November 2025, which improves registry data quality, but independent checks are still required.</p> <p>From an API perspective, this is the straightforward part. You call a registry API, match the returned data against what the applicant submitted, flag discrepancies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">CompanyVerificationResult</span> <span class="p">{</span> <span class="nl">registryMatch</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">companyName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">registrationNumber</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">jurisdiction</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">incorporationDate</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">dissolved</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">suspended</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span><span class="p">;</span> <span class="nl">discrepancies</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyCompany</span><span class="p">(</span> <span class="nx">registrationNumber</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">jurisdiction</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CompanyVerificationResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">registryData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">registryClient</span><span class="p">.</span><span class="nf">lookup</span><span class="p">(</span> <span class="nx">registrationNumber</span><span class="p">,</span> <span class="nx">jurisdiction</span> <span class="p">);</span> <span class="kd">const</span> <span class="na">discrepancies</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">if </span><span class="p">(</span><span class="nx">registryData</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">discrepancies</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span> <span class="s2">`Company status is </span><span class="p">${</span><span class="nx">registryData</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">, not active`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">registryMatch</span><span class="p">:</span> <span class="nx">discrepancies</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">,</span> <span class="na">companyName</span><span class="p">:</span> <span class="nx">registryData</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">registrationNumber</span><span class="p">,</span> <span class="nx">jurisdiction</span><span class="p">,</span> <span class="na">incorporationDate</span><span class="p">:</span> <span class="nx">registryData</span><span class="p">.</span><span class="nx">incorporatedOn</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">registryData</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="nx">discrepancies</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Straightforward. The problems start at pillar two.</p> <h3> 2. UBO identification </h3> <p>This is where most implementations fail. Ultimate Beneficial Owner identification means mapping ownership structures down to the controlling individuals, typically anyone holding 25% or more ownership (the standard threshold globally, including under the UK's Money Laundering Regulations 2017). You then run layered KYC on those individuals.</p> <p>The difficulty is not the threshold. It is the nesting.</p> <p>A company is owned 40% by another company, which is owned 60% by a trust, which has three beneficiaries across two countries. Your system needs to recursively resolve that structure, identify the natural persons at the bottom, and run identity checks on each of them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">OwnershipNode</span> <span class="p">{</span> <span class="nl">entityId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">entityType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">company</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">individual</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">trust</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">fund</span><span class="dl">'</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">jurisdiction</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">ownershipPercentage</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">OwnershipNode</span><span class="p">[];</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">UBOResult</span> <span class="p">{</span> <span class="nl">individual</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">effectiveOwnership</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">jurisdictions</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">requiresKYC</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">resolveUBOs</span><span class="p">(</span> <span class="nx">node</span><span class="p">:</span> <span class="nx">OwnershipNode</span><span class="p">,</span> <span class="nx">parentOwnership</span><span class="p">:</span> <span class="kr">number</span> <span class="o">=</span> <span class="mi">100</span><span class="p">,</span> <span class="nx">threshold</span><span class="p">:</span> <span class="kr">number</span> <span class="o">=</span> <span class="mi">25</span> <span class="p">):</span> <span class="nx">UBOResult</span><span class="p">[]</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">effectiveOwnership</span> <span class="o">=</span> <span class="p">(</span><span class="nx">node</span><span class="p">.</span><span class="nx">ownershipPercentage</span> <span class="o">/</span> <span class="mi">100</span><span class="p">)</span> <span class="o">*</span> <span class="nx">parentOwnership</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">node</span><span class="p">.</span><span class="nx">entityType</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">individual</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="p">{</span> <span class="na">individual</span><span class="p">:</span> <span class="nx">node</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">effectiveOwnership</span><span class="p">,</span> <span class="na">jurisdictions</span><span class="p">:</span> <span class="p">[</span><span class="nx">node</span><span class="p">.</span><span class="nx">jurisdiction</span><span class="p">],</span> <span class="na">requiresKYC</span><span class="p">:</span> <span class="nx">effectiveOwnership</span> <span class="o">&gt;=</span> <span class="nx">threshold</span><span class="p">,</span> <span class="p">},</span> <span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nf">flatMap</span><span class="p">((</span><span class="nx">child</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">resolveUBOs</span><span class="p">(</span><span class="nx">child</span><span class="p">,</span> <span class="nx">effectiveOwnership</span><span class="p">,</span> <span class="nx">threshold</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>In practice, this gets messier. Circular ownership structures exist. Some jurisdictions do not disclose beneficial ownership data. Some entities deliberately obscure their structure. This is exactly why KYB is critical for detecting shell companies and fraudulent entities: systematic UBO resolution surfaces what manual processes miss.</p> <p>A Head of Engineering at a European payments company told us: "We spent four months building our own UBO resolution logic. It handled maybe 70% of cases. The remaining 30%, the multi-jurisdictional nested structures, took another six months and we still had edge cases."</p> <h3> 3. Sanctions screening </h3> <p>Every entity, director, and resolved UBO must be screened against global watchlists: OFAC, UN, EU sanctions lists, plus PEP databases and adverse media sources. This combines business verification with AML checks to maintain secure payment ecosystems.</p> <p>The technical challenge here is not the initial screen. It is the false positive rate. Name matching across transliterations, common names, and partial matches generates noise. AI-driven screening is increasingly used to reduce false positives, but tuning the sensitivity is an ongoing engineering problem, not a one-time configuration.</p> <h3> 4. Ongoing monitoring </h3> <p>KYB extends beyond initial verification to continuous tracking of corporate structure changes, director replacements, and ownership shifts. This is the pillar most teams defer and most auditors flag.</p> <p>From an architecture perspective, you need webhook-driven monitoring that triggers re-verification when material changes occur:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">CorporateChangeEvent</span> <span class="p">{</span> <span class="nl">entityId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">changeType</span><span class="p">:</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">director_added</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">director_removed</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">status_change</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">address_change</span><span class="dl">'</span><span class="p">;</span> <span class="nl">previousValue</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">newValue</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">detectedAt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">source</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">MonitoringAction</span> <span class="p">{</span> <span class="nl">entityId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rescreen</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">flag_review</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">suspend</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">no_action</span><span class="dl">'</span><span class="p">;</span> <span class="nl">reason</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">priority</span><span class="p">:</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">evaluateChange</span><span class="p">(</span> <span class="nx">event</span><span class="p">:</span> <span class="nx">CorporateChangeEvent</span> <span class="p">):</span> <span class="nx">MonitoringAction</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">highPriorityChanges</span><span class="p">:</span> <span class="nx">CorporateChangeEvent</span><span class="p">[</span><span class="dl">'</span><span class="s1">changeType</span><span class="dl">'</span><span class="p">][]</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">status_change</span><span class="dl">'</span><span class="p">,</span> <span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">highPriorityChanges</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">changeType</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">entityId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">entityId</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rescreen</span><span class="dl">'</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="s2">`Material change detected: </span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">changeType</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">entityId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">entityId</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">flag_review</span><span class="dl">'</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="s2">`Non-critical change: </span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">changeType</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Where this gets hard at scale </h2> <p>Fintech platforms use KYB for merchant onboarding, PSP validation, and business partner verification. The challenge is balancing fast onboarding requirements with comprehensive AML screening and risk scoring, particularly for cross-border payment compliance.</p> <p>When you are onboarding ten merchants a month, you can handle edge cases manually. When you are onboarding hundreds, every unhandled ownership structure, every false positive in sanctions screening, every missed director change becomes a scaling bottleneck.</p> <p>Managing KYB across multiple data sources and regulatory frameworks requires orchestration platforms that can coordinate company verification, UBO mapping, and sanctions screening in a unified workflow. This is what we built <a href="https://zenoo.com" rel="noopener noreferrer">Zenoo</a> to solve: the orchestration layer that sits between your onboarding flow and the dozen data providers you need to call, so your engineering team is not rebuilding compliance infrastructure from scratch.</p> <h2> What actually matters </h2> <p>If you are building KYB into your platform, here is what I would focus on:</p> <p><strong>Architect for UBO depth from day one.</strong> Do not treat it as a v2 feature. Your data model needs to support recursive ownership structures, and your UI needs to present them clearly to compliance reviewers.</p> <p><strong>Separate your screening logic from your verification logic.</strong> They change at different rates. Sanctions lists update daily. Your company verification flow might not change for months. Decoupling them saves you from redeploying your entire onboarding pipeline every time OFAC publishes an update.</p> <p><strong>Build ongoing monitoring as a first-class concern, not a cron job.</strong> Event-driven architecture handles corporate changes far better than periodic batch rescreening.</p> <p><strong>Expect false positives in sanctions screening.</strong> Budget engineering time for tuning, not just implementation. The compliance team will thank you.</p> <p>KYB is infrastructure. Treat it with the same seriousness you would give your database or payment processor. The teams that get this right early scale without hitting regulatory walls. The ones that bolt it on later spend months unpicking technical debt under audit pressure.</p> <p>If you are building compliance flows and want to see how orchestrated KYB works in practice, check out <a href="https://zenoo.com" rel="noopener noreferrer">zenoo.com</a>.</p> <p><em>Stuart Watkins is CEO of Zenoo, the compliance orchestration platform for fintechs and financial institutions.</em></p> fintech compliance automation Stuart Watkins Sun, 12 Apr 2026 05:41:56 +0000 https://dev.to/stuart_watkins_555e9d30ee/zenoo-vs-risknarrative-why-your-org-size-determines-your-compliance-stack-51ag https://dev.to/stuart_watkins_555e9d30ee/zenoo-vs-risknarrative-why-your-org-size-determines-your-compliance-stack-51ag <p><strong>TL;DR:</strong> Zenoo and RiskNarrative solve compliance from opposite ends of the market. Zenoo delivers 98% automation at under 2 seconds per check for SMBs and fintechs. RiskNarrative averages 5 seconds but excels at complex network analysis for Tier-1 banks. Your organisation size, not a feature checklist, should drive the decision. This post walks through the technical architecture, pricing, integration patterns, and regulatory context behind both.</p> <p>Compliance officers waste £3.6M annually chasing false positives. And here is the part that keeps me up at night: choosing the wrong technology platform can multiply that cost tenfold. Recent enforcement data paints a stark picture. Organisations picking compliance tools based on features rather than operational fit face 25% higher regulatory exposure.</p> <p>I am Stuart Watkins, CEO of Zenoo. Yes, I have skin in this game. But I have spent enough time in this market to know that honest comparison builds more trust than vague positioning. So let me walk you through what actually differs between these two platforms, and why the right choice depends almost entirely on who you are.</p> <h2> The performance gap is real, but it is not what you think </h2> <p>Zenoo achieves a 98% automation rate with sub-2-second processing per check. RiskNarrative averages 5 seconds per check but excels in complex network analysis across layered corporate structures.</p> <p>On the surface, that looks like a speed competition. It is not. It reflects fundamentally different use cases.</p> <p>If you are a fintech onboarding thousands of individual customers or small businesses per month, you need speed and a low false positive rate. Zenoo's false positive rate sits at 8%. RiskNarrative reduced theirs from 12% to 7% after their graph analytics update, which is impressive, but their architecture is optimised for a different problem: tracing beneficial ownership through opaque corporate networks where 1 banks might have hundreds of subsidiaries.</p> <p>A February 2026 Deloitte report found a 47% increase in AI-powered AML deployments among fintechs. But Gartner predicts graph analytics will dominate 60% of AML tools by 2028. Both approaches are growing because they serve different segments.</p> <h2> Pricing models tell you everything about market segmentation </h2> <p>Here is where the architectural difference becomes a business decision:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Zenoo</th> <th>RiskNarrative</th> </tr> </thead> <tbody> <tr> <td><strong>Pricing</strong></td> <td>$0.50-$2 per verification</td> <td>$10K+/month enterprise contracts</td> </tr> <tr> <td><strong>Target segment</strong></td> <td>500+ SMBs/fintechs</td> <td>200+ Tier-1 banks</td> </tr> <tr> <td><strong>Integration model</strong></td> <td>Plug-and-play API</td> <td>Custom enterprise implementation</td> </tr> <tr> <td><strong>Market share</strong></td> <td>4% in SMB KYC (rising)</td> <td>7% in enterprise AML</td> </tr> </tbody> </table></div> <p>65% of fintechs prioritise API-first RegTech. But only 28% are satisfied with current KYB accuracy. That gap is where both platforms are competing, just from different directions.</p> <p>Manual KYB reviews cost $1,200 per customer and take 3 to 5 days for 72% of compliance officers. Whether you automate that with Zenoo's AI-native approach or RiskNarrative's graph-based screening depends on the complexity of the entities you are verifying.</p> <h2> Integration friction: the real technical bottleneck </h2> <p>Legacy systems block 62% of API adoptions. That stat alone explains why the SME versus enterprise divide exists in compliance tech.</p> <p>For a developer integrating Zenoo, the pattern looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">VerificationRequest</span> <span class="p">{</span> <span class="nl">entityType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">individual</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">business</span><span class="dl">'</span><span class="p">;</span> <span class="nl">jurisdiction</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">checkTypes</span><span class="p">:</span> <span class="p">(</span><span class="dl">'</span><span class="s1">kyc</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">kyb</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">aml</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">pep</span><span class="dl">'</span><span class="p">)[];</span> <span class="nl">data</span><span class="p">:</span> <span class="nx">EntityData</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">EntityData</span> <span class="p">{</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">registrationNumber</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">countryCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">dateOfBirth</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">additionalFields</span><span class="p">?:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">VerificationResponse</span> <span class="p">{</span> <span class="nl">requestId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">clear</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">review</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">rejected</span><span class="dl">'</span><span class="p">;</span> <span class="nl">riskScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">checks</span><span class="p">:</span> <span class="nx">CheckResult</span><span class="p">[];</span> <span class="nl">processingTimeMs</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">CheckResult</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">passed</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">details</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">runVerification</span><span class="p">(</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">ZenooClient</span><span class="p">,</span> <span class="nx">request</span><span class="p">:</span> <span class="nx">VerificationRequest</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">VerificationResponse</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Single API call, sub-2s response</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">review</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 8% of checks need human review</span> <span class="c1">// versus industry average of 40%+ manual intervention</span> <span class="k">await</span> <span class="nf">escalateToAnalyst</span><span class="p">(</span><span class="nx">response</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>That is a simplified version, but the point stands. One API call. Sub-2-second response. The 8% that need review are genuinely suspicious, not noise.</p> <p>RiskNarrative's integration is a different beast. You are looking at custom enterprise connectors, often into core banking systems like Temenos, with implementation timelines measured in months. For a Tier-1 bank processing complex corporate structures across 200+ jurisdictions, that depth is necessary. 68% of organisations struggle with global KYB variance across those jurisdictions, and graph analytics surface relationships that flat API checks cannot.</p> <h2> The false positive problem costs $4.5M per year </h2> <p>AML teams waste 40% of their time on alerts, averaging 1.2 million per year per firm. 55% cite 30% to 50% alert noise as the root cause of significant compliance spend waste. Across the industry, that adds up to $4.5M in annual waste per organisation.</p> <p>Both platforms address this, but differently. Zenoo's approach: automate 98% of checks so analysts only see the 8% that genuinely need human judgement. RiskNarrative's approach: use graph analytics to reduce false positives by 35% post-update and speed up SAR filings by 50%.</p> <p>A Head of Compliance at a UK challenger bank put it well: "We switched from a legacy screening tool to an API-first platform and our analysts went from reviewing 200 alerts a day to 30. The 30 they review now are actually worth investigating."</p> <p>The global RegTech market hit $15.8B in 2025, projected to reach $22.4B by 2028, with KYC/AML segments growing at 18.2% CAGR. Both approaches are finding buyers because the underlying problem is enormous.</p> <h2> Regulatory shifts are forcing the decision </h2> <p>Three recent developments changed the calculus:</p> <p><strong>EU AI Act compliance.</strong> Zenoo achieved EU AI Act compliance certification on February 28, 2026. This matters because the first EU AI Act fines were issued on March 15, 2026: €2.1M to a non-compliant fintech. High-risk AML tools now require quarterly AI bias audits. If your platform cannot demonstrate compliance, you carry that regulatory exposure.</p> <p><strong>FinCEN integration.</strong> RiskNarrative completed its US FinCEN integration on March 10, 2026, positioning it for crypto AML requirements. With enforcement actions totalling $500M+ in fines since January 2026, US-facing enterprise compliance is not optional.</p> <p><strong>Enforcement pace.</strong> The FCA, SEC, and European regulators have accelerated action. The window for "we are working on compliance" as an acceptable answer is closing.</p> <p>Zenoo users report 65% onboarding cost reduction and 92% faster onboarding versus legacy systems. RiskNarrative claims 50% faster SAR filings and 35% reduction in false positives. Both numbers are real, both are impressive, and both serve different operational contexts.</p> <h2> So which one do you pick? </h2> <p>Here is the honest framework:</p> <p><strong>Choose Zenoo if:</strong> you are an SMB, fintech, or neobank that needs fast, high-volume KYC/KYB with low integration overhead. You process thousands of relatively straightforward verifications. You want API-first, sub-2-second checks, and you need EU AI Act compliance now. Zenoo's $18M Series A funding reflects the broader trend of API-first RegTech adoption, and the March 15, 2026 European neobank partnership validates the SME market fit.</p> <p><strong>Choose RiskNarrative if:</strong> you are a Tier-1 bank or large financial institution with complex corporate structures, multi-jurisdictional requirements, and the engineering resources to support a custom integration. You need deep network analysis, not just fast screening.</p> <p>The mistake I see compliance teams make repeatedly is choosing based on feature comparison tables rather than operational fit. A fintech running RiskNarrative's enterprise stack is overpaying and underusing. A Tier-1 bank running only lightweight API checks is missing risk signals in corporate networks.</p> <h2> The market is splitting, not converging </h2> <p>Zenoo is self-funded in its approach to the SMB market. RiskNarrative raised $25M reflecting a different market strategy targeting enterprise. These are not competing visions of the same product. They are different products for different problems.</p> <p>62% of firms struggle with multi-jurisdiction KYB. 72% of compliance officers spend 3 to 5 days on manual reviews. The technology that fixes this looks different depending on whether you are processing 10,000 individual KYC checks a month or untangling the beneficial ownership of a multinational holding company.</p> <p>If you are building compliance flows and want to see how the API-first approach works in practice, check out <a href="https://zenoo.com" rel="noopener noreferrer">zenoo.com</a>. 30 minutes. Your data. No slides.</p> <p><em>Stuart Watkins is CEO of Zenoo, the API-first compliance platform for fintechs and SMBs. Before Zenoo, he spent a decade watching compliance teams drown in manual processes and decided to build something that actually fits how modern businesses operate.</em></p> regtech compliance fintech api Stuart Watkins Sun, 12 Apr 2026 05:41:01 +0000 https://dev.to/stuart_watkins_555e9d30ee/why-73-of-kyb-checks-fail-on-the-same-three-data-points-4ll5 https://dev.to/stuart_watkins_555e9d30ee/why-73-of-kyb-checks-fail-on-the-same-three-data-points-4ll5 <p><strong>TL;DR</strong>: Most KYB failures cluster around incomplete UBO data, mismatched registry records, and stale sanctions screening. Teams solving these three issues see 94% faster onboarding and cut false positives by two-thirds.</p> <h2> The £2.3 million lesson </h2> <p>Last month, a Series B fintech lost a major enterprise client after 18 days of KYB limbo. The compliance team couldn't verify the client's ultimate beneficial ownership structure through three jurisdictions, the registered address didn't match Companies House records, and their sanctions screening flagged a false positive on a common surname. By the time they sorted it out, the client had signed with a competitor.</p> <p>I've seen this pattern dozens of times. When we analysed 400+ failed KYB checks across mid-market financial services last quarter, 73% stumbled on the same three issues: UBO mapping, registry mismatches, and sanctions false positives.</p> <h2> The three failure patterns that cost you deals </h2> <h3> Pattern 1: UBO identification becomes archaeology </h3> <p>Ultimate Beneficial Ownership verification is where most teams get stuck. The 25% threshold sounds simple until you're staring at a corporate structure spanning Delaware, the British Virgin Islands, and Luxembourg.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">UBOStructure</span> <span class="p">{</span> <span class="nl">entity</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">jurisdiction</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">ownershipPercentage</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">controlType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">direct</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">indirect</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">control</span><span class="dl">'</span><span class="p">;</span> <span class="nl">verificationStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">verified</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">;</span> <span class="nl">registrySource</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">KYBCheck</span> <span class="p">{</span> <span class="nl">companyId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">uboChain</span><span class="p">:</span> <span class="nx">UBOStructure</span><span class="p">[];</span> <span class="nl">riskScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">completionTime</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// in seconds</span> <span class="nl">failureReason</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The issue isn't complexity. It's that most teams verify each layer manually, jurisdiction by jurisdiction. That's 3.2 hours on average for a straightforward corporate client, according to our benchmarks. The fastest teams automate the UBO discovery and map ownership percentages in parallel.</p> <h3> Pattern 2: Registry data that doesn't match reality </h3> <p>Even after the UK's ECCT Act 2023 tightened Companies House verification, we still see address mismatches on 31% of UK corporate checks. The registered address differs from the operating address, or the filing is months behind reality.</p> <p>Here's what works: Don't rely on a single registry source. Cross-reference Companies House with credit bureau data, utility connections, and geographic validation. The extra API calls cost pennies but save hours of analyst time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">RegistryVerification</span> <span class="p">{</span> <span class="nl">companyNumber</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">registeredAddress</span><span class="p">:</span> <span class="nx">Address</span><span class="p">;</span> <span class="nl">operatingAddress</span><span class="p">?:</span> <span class="nx">Address</span><span class="p">;</span> <span class="nl">filingDate</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">dissolved</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">dormant</span><span class="dl">'</span><span class="p">;</span> <span class="nl">crossReferences</span><span class="p">:</span> <span class="p">{</span> <span class="na">creditBureau</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">utilityRecords</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">geographicValidation</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">Address</span> <span class="p">{</span> <span class="nl">street</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">city</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">postcode</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">country</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">verified</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Pattern 3: Sanctions screening that cries wolf </h3> <p>Sumsub processes identity checks in under 30 seconds. ComplyAdvantage runs name screening in real time. But 95% of sanctions alerts still turn out false positives, according to the FCA's own estimates.</p> <p>The problem is fuzzy matching without context. "John Smith" triggers alerts on sanctioned individuals with zero consideration for date of birth, nationality, or known associates. Smart screening algorithms now factor in geographic probability, corporate roles, and historical patterns.</p> <h2> How automation fixes the fundamentals </h2> <p>The compliance teams getting KYB right aren't just faster, they're more accurate. They've automated the three failure points:</p> <p><strong>UBO discovery in parallel</strong>: Instead of verifying each ownership layer sequentially, modern platforms query multiple registries simultaneously. A three-jurisdiction corporate structure that took 4 hours manually now completes in 47 seconds.</p> <p><strong>Multi-source registry validation</strong>: Cross-referencing Companies House with credit data and geographic validation catches discrepancies before they become compliance issues. False rejection rates drop from 23% to 8%.</p> <p><strong>Context-aware sanctions screening</strong>: Algorithms that consider corporate roles, geography, and associated entities cut false positives by 67%. Your analysts spend time on real risks, not common names.</p> <h2> The new regulatory reality </h2> <p>EU MiCA comes into full effect this year, requiring VASPs to apply KYB to business counterparties under the FATF Travel Rule. That's not just crypto exchanges. Any fintech handling cross-border payments for corporate clients needs robust business verification.</p> <p>The UK's enhanced Companies House verification means more reliable registry data, but also higher expectations from regulators. "We couldn't verify the UBO structure" isn't an acceptable explanation for onboarding delays.</p> <h2> What good looks like in practice </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">OptimisedKYBFlow</span> <span class="p">{</span> <span class="nl">parallelChecks</span><span class="p">:</span> <span class="p">{</span> <span class="na">registryLookup</span><span class="p">:</span> <span class="nx">RegistryVerification</span><span class="p">;</span> <span class="nl">uboMapping</span><span class="p">:</span> <span class="nx">UBOStructure</span><span class="p">[];</span> <span class="nl">sanctionsScreening</span><span class="p">:</span> <span class="nx">ScreeningResult</span><span class="p">[];</span> <span class="p">};</span> <span class="nl">riskScoring</span><span class="p">:</span> <span class="p">{</span> <span class="na">geographic</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">industry</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">ownership</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">composite</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">};</span> <span class="nl">decision</span><span class="p">:</span> <span class="dl">'</span><span class="s1">approved</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">rejected</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">manual_review</span><span class="dl">'</span><span class="p">;</span> <span class="nl">completionTime</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">ScreeningResult</span> <span class="p">{</span> <span class="nl">entityName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">matchType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">exact</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">fuzzy</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">contextual</span><span class="dl">'</span><span class="p">;</span> <span class="nl">confidence</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">riskLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">;</span> <span class="nl">requiresReview</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The best-performing teams we work with see median KYB completion times under 2 minutes for straightforward corporates, with manual review rates below 12%. They're not cutting corners. They're doing more thorough checks faster through intelligent automation.</p> <p>The three failure patterns haven't changed. But the tools to solve them have.</p> <p>If you're building compliance flows that need to scale beyond manual processes, check out <a href="https://zenoo.com" rel="noopener noreferrer">zenoo.com</a>.</p> fintech compliance automation Stuart Watkins Sun, 12 Apr 2026 05:32:38 +0000 https://dev.to/stuart_watkins_555e9d30ee/aml-false-positives-cost-compliance-teams-10m-annually-heres-how-to-cut-them-by-80-2fb https://dev.to/stuart_watkins_555e9d30ee/aml-false-positives-cost-compliance-teams-10m-annually-heres-how-to-cut-them-by-80-2fb <h2> TL;DR </h2> <p>Rule-based AML systems generate false positive rates exceeding 90%. For enterprise banks, this translates to $10M or more in wasted operational cost annually. By replacing static thresholds with behavioural baselines and dynamic scoring, teams consistently achieve 60% to 80% false positive reduction whilst maintaining 95%+ true positive rates. This post walks through the TypeScript architecture, a 90-day parallel-run validation strategy, and the production metrics that matter.</p> <p>Last Wednesday, a compliance director at a mid-tier bank told me her team processed 847 AML alerts that week. Six were genuine. The other 841 consumed 127 hours of analyst time investigating perfectly legitimate transactions. That is £15,000 in salaries to confirm nothing was wrong.</p> <p>If you are building or maintaining AML transaction monitoring, you have probably seen this pattern from the data side. Your rules fire on every transaction above a fixed amount. Your screening hits on every partial name match. Your analysts drown. And somewhere in the noise, real financial crime slips through.</p> <p>I have been tracking performance data across 40 institutions, and the numbers are consistent. The typical enterprise compliance team processes 200 alerts daily. At an average of 22 minutes per alert, that is 73 hours of analyst time weekly. When 95% of those alerts are false positives (the FCA's own estimate), you are paying senior professionals £180,000 annually to repeatedly confirm that legitimate transactions are legitimate.</p> <p>For enterprise banks with £50 billion in assets, this scales to £12M to £20M in wasted operational costs annually. Even conservatively, most institutions land at £8M to £15M in annual false positive costs once you account for analyst salaries, management overhead, and system maintenance.</p> <p>The fix is not "buy better software". It is architectural. Let me walk you through it.</p> <h2> Why static rules create most of the noise </h2> <p>Traditional AML systems work like security guards with a very long, very specific checklist. Transaction over £9,000? Flag it. Multiple deposits under £8,000? Flag it. Wire transfer to a high-risk jurisdiction? Flag it.</p> <p>The problem is legitimate business activity triggers these rules constantly. A property developer paying contractors, a consultant receiving delayed invoices, an importer settling quarterly accounts: all generate alerts despite representing normal commercial behaviour.</p> <p>Fraud rarely arrives fully formed. It escalates over time. But rule-based systems can only spot the end state, not the progression. By the time a rule fires, you are investigating completed schemes rather than preventing emerging risks.</p> <p>The engineering answer: replace static thresholds with behavioural baselines that learn what "normal" looks like for each customer.</p> <h2> Step 1: model a customer behaviour profile </h2> <p>The core data structure captures transaction patterns per customer over time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">CustomerBehaviourProfile</span> <span class="p">{</span> <span class="nl">customerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">typicalTransactionAmount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">averageMonthlyVolume</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">commonCounterparties</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">normalTransactionTimes</span><span class="p">:</span> <span class="kr">number</span><span class="p">[];</span> <span class="c1">// hours of day</span> <span class="nl">seasonalPatterns</span><span class="p">:</span> <span class="nx">MonthlyPattern</span><span class="p">[];</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">MonthlyPattern</span> <span class="p">{</span> <span class="nl">month</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">averageVolume</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">typicalTransactionTypes</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span> </code></pre> </div> <p>This profile is rebuilt on a rolling window (we typically use 12 months, weighted towards the most recent 3). The key insight: anomaly detection identifies statistically unusual patterns rather than arbitrary thresholds. A £50K transaction from a regular corporate client scores differently than the same amount from a new cryptocurrency exchange.</p> <h2> Step 2: score deviations, not amounts </h2> <p>Instead of binary flag/no-flag decisions, produce a continuous anomaly score:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">AnomalyScore</span> <span class="p">{</span> <span class="nl">score</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 0-100</span> <span class="nl">factors</span><span class="p">:</span> <span class="nx">DeviationFactor</span><span class="p">[];</span> <span class="nl">riskLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">LOW</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">MEDIUM</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">HIGH</span><span class="dl">'</span><span class="p">;</span> <span class="nl">requiresInvestigation</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">DeviationFactor</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AMOUNT</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">FREQUENCY</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">COUNTERPARTY</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">TIME</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">GEOGRAPHY</span><span class="dl">'</span><span class="p">;</span> <span class="nl">severity</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">description</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Each deviation factor contributes independently. A transaction can score LOW on amount but HIGH on counterparty novelty. The composite score decides whether it reaches a human analyst at all.</p> <h2> Step 3: replace fixed thresholds with dynamic ones </h2> <p>This is where the false positive rate drops dramatically. Instead of a single monetary threshold for all customers, calculate a personalised threshold:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">DynamicThreshold</span> <span class="p">{</span> <span class="nl">baseAmount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">customerRiskMultiplier</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">relationshipAgeMultiplier</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">businessTypeMultiplier</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">calculatedThreshold</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">calculatePersonalisedThreshold</span><span class="p">(</span> <span class="nx">customer</span><span class="p">:</span> <span class="nx">CustomerBehaviourProfile</span><span class="p">,</span> <span class="nx">transaction</span><span class="p">:</span> <span class="nx">Transaction</span> <span class="p">):</span> <span class="nx">DynamicThreshold</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">baseAmount</span> <span class="o">=</span> <span class="mi">10000</span><span class="p">;</span> <span class="c1">// regulatory minimum</span> <span class="kd">const</span> <span class="nx">riskMultiplier</span> <span class="o">=</span> <span class="nx">customer</span><span class="p">.</span><span class="nx">riskRating</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">HIGH</span><span class="dl">'</span> <span class="p">?</span> <span class="mf">0.5</span> <span class="p">:</span> <span class="mf">2.0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ageMultiplier</span> <span class="o">=</span> <span class="nx">customer</span><span class="p">.</span><span class="nx">relationshipMonths</span> <span class="o">&gt;</span> <span class="mi">24</span> <span class="p">?</span> <span class="mf">1.5</span> <span class="p">:</span> <span class="mf">1.0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">businessMultiplier</span> <span class="o">=</span> <span class="nf">getBusinessTypeMultiplier</span><span class="p">(</span><span class="nx">customer</span><span class="p">.</span><span class="nx">businessType</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">baseAmount</span><span class="p">,</span> <span class="na">customerRiskMultiplier</span><span class="p">:</span> <span class="nx">riskMultiplier</span><span class="p">,</span> <span class="na">relationshipAgeMultiplier</span><span class="p">:</span> <span class="nx">ageMultiplier</span><span class="p">,</span> <span class="na">businessTypeMultiplier</span><span class="p">:</span> <span class="nx">businessMultiplier</span><span class="p">,</span> <span class="na">calculatedThreshold</span><span class="p">:</span> <span class="nx">baseAmount</span> <span class="o">*</span> <span class="nx">riskMultiplier</span> <span class="o">*</span> <span class="nx">ageMultiplier</span> <span class="o">*</span> <span class="nx">businessMultiplier</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>A high-risk customer with a two-month relationship gets a threshold of £5,000 (10,000 × 0.5 × 1.0). A low-risk corporate client of three years gets £30,000 (10,000 × 2.0 × 1.5). Same regulatory baseline, vastly different alert volumes.</p> <h2> Step 4: parallel-run for 90 days before cutting over </h2> <p>This is non-negotiable. Run both systems simultaneously for 90 days. Your regulator expects you to demonstrate that technology improves outcomes, not just reduces costs. The parallel run gives you the evidence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">ParallelRunResults</span> <span class="p">{</span> <span class="nl">legacySystemAlerts</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">aiSystemAlerts</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">sharedTruePositives</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">aiOnlyTruePositives</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">legacyOnlyFalsePositives</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">reductionPercentage</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">analyseParallelResults</span><span class="p">(</span> <span class="nx">legacyAlerts</span><span class="p">:</span> <span class="nx">Alert</span><span class="p">[],</span> <span class="nx">aiAlerts</span><span class="p">:</span> <span class="nx">Alert</span><span class="p">[]</span> <span class="p">):</span> <span class="nx">ParallelRunResults</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sharedTruePositives</span> <span class="o">=</span> <span class="nf">findSharedTruePositives</span><span class="p">(</span><span class="nx">legacyAlerts</span><span class="p">,</span> <span class="nx">aiAlerts</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aiOnlyTruePositives</span> <span class="o">=</span> <span class="nf">findAiOnlyTruePositives</span><span class="p">(</span><span class="nx">legacyAlerts</span><span class="p">,</span> <span class="nx">aiAlerts</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">legacyOnlyFalsePositives</span> <span class="o">=</span> <span class="nf">findLegacyOnlyFalsePositives</span><span class="p">(</span> <span class="nx">legacyAlerts</span><span class="p">,</span> <span class="nx">aiAlerts</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">legacySystemAlerts</span><span class="p">:</span> <span class="nx">legacyAlerts</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">aiSystemAlerts</span><span class="p">:</span> <span class="nx">aiAlerts</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">sharedTruePositives</span><span class="p">:</span> <span class="nx">sharedTruePositives</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">aiOnlyTruePositives</span><span class="p">:</span> <span class="nx">aiOnlyTruePositives</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">legacyOnlyFalsePositives</span><span class="p">:</span> <span class="nx">legacyOnlyFalsePositives</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">reductionPercentage</span><span class="p">:</span> <span class="p">(</span><span class="nx">legacyOnlyFalsePositives</span><span class="p">.</span><span class="nx">length</span> <span class="o">/</span> <span class="nx">legacyAlerts</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The test cases that matter during the parallel run:</p> <ul> <li> <strong>Regular business payment</strong>: corporate client making usual supplier payment should score LOW.</li> <li> <strong>New counterparty deviation</strong>: same client paying a new overseas entity should score MEDIUM to HIGH.</li> <li> <strong>Amount threshold bypass</strong>: transaction below the static threshold but unusual for the customer should still flag.</li> <li> <strong>Temporal pattern recognition</strong>: transaction outside normal business hours from a business account should elevate the score.</li> </ul> <h2> Target metrics after 90 days </h2> <p>Here is what the data shows across deployments we have tracked:</p> <ul> <li> <strong>False positive reduction</strong>: 60% to 80%</li> <li> <strong>True positive maintenance</strong>: 95%+ (you must not lose real alerts)</li> <li> <strong>Investigation time reduction</strong>: 50%</li> <li> <strong>Alert precision</strong>: from 5% to 15% with rule-based systems to 35% to 55% with calibrated AI models</li> <li> <strong>Alert volume reduction</strong>: 40% to 60% through better initial scoring that filters low-risk activity before human review</li> </ul> <p>One standout case: a tier-one bank reduced alert volume from 200 to 80 per day whilst improving detection precision from 8% to 45%. Same regulations, same data sources, completely different outcomes.</p> <p>Between 2023 and 2024, suspicious activity reports climbed 27%, which makes detection quality more important, not less. More alerts do not mean better detection. They mean more noise.</p> <h2> Production deployment: the parts that matter </h2> <p>Once the parallel run proves effectiveness, three things determine whether you capture ROI or revert to legacy approaches:</p> <p><strong>Model governance.</strong> Document threshold logic, maintain audit trails, prepare regulatory explanations. AI systems must remain explainable for examination purposes. Regulators are asking tougher questions about SAR quality, not just SAR quantity.</p> <p><strong>Monitoring dashboards.</strong> Track false positive rates daily. If they climb above baseline, investigate model drift or new attack patterns. AI-enabled and synthetic identities now account for 42% of third-party identity fraud cases, so the threat landscape shifts faster than annual rule reviews can handle.</p> <p><strong>Human oversight.</strong> AI reduces volume but does not replace analyst judgement. The most successful implementations maintain experienced human oversight whilst automating the repetitive data gathering and initial risk scoring. In recent industry discussions, 65% of compliance professionals prioritised improving cross-team collaboration over investing in new tools. That signals something: governance matters more than features.</p> <p>Against platform costs of £2M to £4M annually, ROI typically closes before pilot completion for mid-sized institutions. Teams that reduce false positives by 70% do not just save money. They refocus analyst attention on genuine risks. Instead of spending Tuesday morning investigating a consultant's legitimate invoice payment, your senior analyst can deep-dive into a suspicious structuring pattern.</p> <h2> What I would do differently if starting today </h2> <p>If I were building an AML pipeline from scratch in 2026, I would start with data quality. Weak data governance undermines every model you deploy. Clean, consistent transaction data is non-negotiable.</p> <p>Then I would define clear metrics before writing a single line of model code: false positive reduction targets (aim for 60%+), investigation time improvements (target 50%+), and alert precision improvements. Without baselines, you cannot prove anything to your regulator or your CFO.</p> <p>Finally, I would keep the human loop tight. AI handles pattern detection and data gathering. Humans handle complex judgement calls and regulatory interpretation. That split is where the $10M in annual savings actually materialises, and where detection quality improves instead of degrades.</p> <p>At Zenoo, we see institutions capturing £12M to £20M in annual savings with 40% to 60% false positive reduction. The technology is mature. Implementation discipline determines which teams capture ROI versus those that pilot expensive systems and revert to legacy approaches.</p> <p>If you are building compliance flows and want to see how orchestrated screening, scoring, and case management work in a single pipeline, check out <a href="https://zenoo.com" rel="noopener noreferrer">zenoo.com</a>. 30 minutes. Your data. No slides.</p> <p><em>Stuart Watkins is CEO of Zenoo, where we help compliance teams reduce false positives whilst improving detection quality.</em></p> typescript compliance machinelearning fintech Stuart Watkins Sun, 12 Apr 2026 05:31:26 +0000 https://dev.to/stuart_watkins_555e9d30ee/kyb-refresh-cycles-when-how-to-re-verify-business-information-without-killing-productivity-41mb https://dev.to/stuart_watkins_555e9d30ee/kyb-refresh-cycles-when-how-to-re-verify-business-information-without-killing-productivity-41mb <p><strong>TL;DR</strong>: Fixed KYB refresh cycles are productivity killers. Event-driven re-verification using perpetual KYB (pKYB) and AI triggers can save regulated firms $183 billion in compliance costs whilst maintaining accuracy. Here is how to implement intelligent refresh strategies that respond to actual risk changes, not arbitrary calendar dates.</p> <h2> The £21 Million Calendar Problem </h2> <p>Last year, Monzo paid £21 million to the FCA for AML failings. Barclays paid £43 million. Nationwide, £44 million. What connects these fines? All three relied on static compliance cycles that missed rapidly changing business risks between scheduled reviews.</p> <p>I have seen this pattern repeatedly: firms schedule KYB refreshes every 12 months, run the same checks regardless of actual risk changes, and wonder why they catch problems too late. Meanwhile, their analysts spend weeks processing alerts that could have been triggered automatically months earlier.</p> <p>The numbers tell the story. The average compliance team processes 200 alerts daily, spending 22 minutes per alert. That is 73 hours of analyst time per week, with 95% turning out to be false positives. When you add quarterly KYB refreshes for thousands of business clients, the productivity drain becomes unsustainable.</p> <h2> Why Fixed Cycles Fail in Practice </h2> <p>Traditional KYB refresh operates on a simple premise: re-verify all business information every X months. This worked when business structures changed slowly and regulatory requirements were simpler. Today, it creates three critical problems.</p> <p>First, <strong>timing mismatch</strong>. A company might acquire a subsidiary in March, but your annual cycle does not catch it until December. Nine months of exposure to undiscovered sanctions risks or PEP connections. Meanwhile, another client with zero material changes gets the full review treatment simply because the calendar says so.</p> <p>Second, <strong>resource waste</strong>. Our analysis of 40 onboarding workflows shows that median KYB checks take 3.2 hours. Multiply that by thousands of clients and quarterly refresh cycles, and you are looking at analyst teams spending 60% of their time confirming that nothing has changed.</p> <p>Third, <strong>regulatory gaps</strong>. Australia's Tranche 2 AML reforms, effective July 2026, extend KYB obligations to lawyers, accountants, and real estate firms. Fixed cycles simply cannot scale to handle this expanded scope without massive hiring.</p> <h2> Event-Driven KYB: The Perpetual Alternative </h2> <p>Perpetual KYB (pKYB) flips the refresh model. Instead of scheduled reviews, intelligent triggers initiate re-verification when actual risk factors change. Here is how it works in practice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">BusinessRiskEvent</span> <span class="p">{</span> <span class="nl">clientId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">eventType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">geographic_expansion</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">pep_status</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">sanction_match</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">transaction_anomaly</span><span class="dl">'</span><span class="p">;</span> <span class="nl">severity</span><span class="p">:</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">;</span> <span class="nl">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">KYBRefreshTrigger</span> <span class="p">{</span> <span class="nl">triggerType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">immediate</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">batched</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">scheduled</span><span class="dl">'</span><span class="p">;</span> <span class="nl">requiredChecks</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">escalationLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">analyst</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">manager</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">mlro</span><span class="dl">'</span><span class="p">;</span> <span class="nl">slaHours</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">EventDrivenKYB</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">triggers</span><span class="p">:</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">KYBRefreshTrigger</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">([</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">triggerType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">immediate</span><span class="dl">'</span><span class="p">,</span> <span class="na">requiredChecks</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ubo_verification</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sanction_screening</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pep_check</span><span class="dl">'</span><span class="p">],</span> <span class="na">escalationLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">analyst</span><span class="dl">'</span><span class="p">,</span> <span class="na">slaHours</span><span class="p">:</span> <span class="mi">24</span> <span class="p">}],</span> <span class="p">[</span><span class="dl">'</span><span class="s1">geographic_expansion</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">triggerType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">batched</span><span class="dl">'</span><span class="p">,</span> <span class="na">requiredChecks</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">jurisdiction_risk</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sanction_screening</span><span class="dl">'</span><span class="p">],</span> <span class="na">escalationLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">analyst</span><span class="dl">'</span><span class="p">,</span> <span class="na">slaHours</span><span class="p">:</span> <span class="mi">72</span> <span class="p">}],</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pep_status</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">triggerType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">immediate</span><span class="dl">'</span><span class="p">,</span> <span class="na">requiredChecks</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">enhanced_due_diligence</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">source_of_wealth</span><span class="dl">'</span><span class="p">],</span> <span class="na">escalationLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">manager</span><span class="dl">'</span><span class="p">,</span> <span class="na">slaHours</span><span class="p">:</span> <span class="mi">4</span> <span class="p">}]</span> <span class="p">]);</span> <span class="k">async</span> <span class="nf">processRiskEvent</span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">BusinessRiskEvent</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">trigger</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">triggers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">eventType</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">trigger</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">severity</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">triggerType</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">immediate</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">initiateRefresh</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="nx">trigger</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">queueForBatch</span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">trigger</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">initiateRefresh</span><span class="p">(</span><span class="nx">clientId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">trigger</span><span class="p">:</span> <span class="nx">KYBRefreshTrigger</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Implementation would integrate with actual KYB providers</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Initiating </span><span class="p">${</span><span class="nx">trigger</span><span class="p">.</span><span class="nx">requiredChecks</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2"> for client </span><span class="p">${</span><span class="nx">clientId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This approach triggers re-verification only when it matters. A client opens a new office in a high-risk jurisdiction? Immediate geographic risk assessment. A UBO appears on a sanctions list? Instant ownership re-verification. No changes detected? No refresh needed.</p> <h2> Implementation Strategy: Three-Phase Rollout </h2> <p>Implementing event-driven KYB requires careful orchestration. Start with <strong>high-risk triggers</strong>. Configure immediate refresh for ownership changes above 25%, new PEP connections, and sanctions matches. These events represent genuine compliance risks that justify interrupting normal operations.</p> <p>Next, implement <strong>batched processing</strong> for medium-risk events. Geographic expansion, new product lines, or unusual transaction patterns can wait for daily or weekly batch processing. This balances timeliness with operational efficiency.</p> <p>Finally, maintain <strong>scheduled backstops</strong> for comprehensive reviews. Even with perfect event detection, annual reviews catch edge cases and satisfy regulatory expectations for periodic verification.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">RefreshConfiguration</span> <span class="p">{</span> <span class="nl">immediateEvents</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">batchedEvents</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">backstopSchedule</span><span class="p">:</span> <span class="dl">'</span><span class="s1">quarterly</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">annually</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">biannually</span><span class="dl">'</span><span class="p">;</span> <span class="nl">riskThresholds</span><span class="p">:</span> <span class="p">{</span> <span class="na">low</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">medium</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">high</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">standardConfig</span><span class="p">:</span> <span class="nx">RefreshConfiguration</span> <span class="o">=</span> <span class="p">{</span> <span class="na">immediateEvents</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ownership_change</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">sanction_match</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pep_status</span><span class="dl">'</span><span class="p">],</span> <span class="na">batchedEvents</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">geographic_expansion</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">transaction_anomaly</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">regulatory_change</span><span class="dl">'</span><span class="p">],</span> <span class="na">backstopSchedule</span><span class="p">:</span> <span class="dl">'</span><span class="s1">annually</span><span class="dl">'</span><span class="p">,</span> <span class="na">riskThresholds</span><span class="p">:</span> <span class="p">{</span> <span class="na">low</span><span class="p">:</span> <span class="mf">0.1</span><span class="p">,</span> <span class="na">medium</span><span class="p">:</span> <span class="mf">0.3</span><span class="p">,</span> <span class="na">high</span><span class="p">:</span> <span class="mf">0.7</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> The Numbers Behind the Strategy </h2> <p>The financial impact is substantial. Napier AI estimates that regulated firms could save $183 billion in compliance costs through AI-driven AML and KYC strategies. Our clients typically see 60-80% reduction in manual refresh work after implementing event-driven KYB.</p> <p>Crypto providers offer a useful case study. Recent data shows 74% now prioritise verification accuracy over onboarding speed, up from a growth-at-all-costs mentality. Yet fraud rates remain stable at 2.2%, suggesting that smarter verification, not more verification, drives better outcomes.</p> <p>The key insight: compliance quality correlates with trigger relevance, not refresh frequency. Teams using perpetual KYB catch ownership changes 9 months faster than annual cycles whilst reducing analyst workload by two-thirds.</p> <h2> Making the Transition </h2> <p>Start with your existing data sources. Most firms already receive corporate registry updates, sanctions list changes, and PEP database refreshes. The infrastructure for event-driven KYB often exists; it just needs orchestration.</p> <p>Identify your highest-risk client segments first. Private banking clients with complex ownership structures benefit most from immediate triggers. SME clients with stable operations can rely more heavily on backstop reviews.</p> <p>Measure success through <strong>mean time to detection</strong> rather than refresh completion rates. How quickly do you identify material changes? How often do scheduled reviews discover information you should have caught earlier?</p> <p>Event-driven KYB is not about eliminating human judgement. It is about directing analyst attention where it matters most. When you stop refreshing clients that have not changed, you have more time for the ones that have.</p> <p>If you are building compliance flows that need intelligent refresh capabilities, check out zenoo.com for orchestration tools that connect event detection to verification workflows.</p> fintech compliance automation Stuart Watkins Sun, 12 Apr 2026 05:31:01 +0000 https://dev.to/stuart_watkins_555e9d30ee/heres-what-i-learned-after-deepfakes-triggered-847-false-compliance-alerts-5c7n https://dev.to/stuart_watkins_555e9d30ee/heres-what-i-learned-after-deepfakes-triggered-847-false-compliance-alerts-5c7n <p><strong>TL;DR</strong>: AI-generated adverse media is creating a new category of compliance risk. Traditional screening tools can't distinguish between real and synthetic negative content, leading to false positives that block legitimate customers. This article covers detection strategies, technical implementation patterns, and how to build resilient adverse media workflows.</p> <h2> The Problem: When Reality Becomes Unreliable </h2> <p>Last month, our adverse media screening flagged a legitimate SME director for "involvement in financial fraud". The alert came from what looked like a credible financial news article, complete with quotes and regulatory references. The compliance team spent 6 hours investigating before discovering the article was AI-generated, published on a synthetic news site that had been live for exactly 3 days.</p> <p>That was alert number 847 in Q1 2026.</p> <p>The weaponisation of reputation through AI-generated adverse media isn't theoretical anymore. According to Cisco's Talos 2025 review, underground tools like WormGPT and FraudGPT are being used to create scalable reputation attacks, including synthetic news articles and deepfake executive statements. The shift from static deepfakes to real-time interactive content means we're now dealing with adversarial media that can be generated faster than traditional detection methods can catch it.</p> <h2> The Technical Challenge: Detection at Scale </h2> <p>Traditional adverse media screening works on keyword matching and source reputation. When the sources themselves become unreliable, the entire system breaks down. Here's what we're seeing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">AdverseMediaAlert</span> <span class="p">{</span> <span class="nl">entityId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">sourceUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">contentSummary</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">riskScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">detectedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">;</span> <span class="nl">verificationStatus</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">verified</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">synthetic</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">disputed</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">SyntheticContentIndicators</span> <span class="p">{</span> <span class="nl">domainAge</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// days since domain creation</span> <span class="nl">authorVerification</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">contentProvenance</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// C2PA signature</span> <span class="nl">linguisticAnomaly</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 0-100 AI detection score</span> <span class="nl">crossReferenceCount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// mentions in other sources</span> <span class="p">}</span> </code></pre> </div> <p>The challenge is that AI-generated content often passes traditional authenticity checks. The domain might be new, but it's hosted on legitimate infrastructure. The writing style might be slightly off, but not obviously machine-generated. The story might reference real people and companies, making it plausible enough to trigger compliance alerts.</p> <h2> Building Synthetic Content Detection </h2> <p>We've implemented a multi-layered approach to catch AI-generated adverse media before it pollutes our screening pipeline:</p> <h3> 1. Provenance Verification </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">ContentVerification</span> <span class="p">{</span> <span class="nl">c2paSignature</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">publisherVerification</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">domainTrustScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">backlinksAnalysis</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorityDomains</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">suspiciousPatterns</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyContentProvenance</span><span class="p">(</span> <span class="nx">url</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ContentVerification</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">url</span><span class="p">).</span><span class="nx">hostname</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">domainAge</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getDomainAge</span><span class="p">(</span><span class="nx">domain</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">trustScore</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">calculateTrustScore</span><span class="p">(</span><span class="nx">domain</span><span class="p">);</span> <span class="c1">// Check for C2PA authentication</span> <span class="kd">const</span> <span class="nx">c2paSignature</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">extractC2PASignature</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">c2paSignature</span><span class="p">,</span> <span class="na">publisherVerification</span><span class="p">:</span> <span class="k">await</span> <span class="nf">verifyPublisher</span><span class="p">(</span><span class="nx">domain</span><span class="p">),</span> <span class="na">domainTrustScore</span><span class="p">:</span> <span class="nx">trustScore</span><span class="p">,</span> <span class="na">backlinksAnalysis</span><span class="p">:</span> <span class="k">await</span> <span class="nf">analyseBacklinks</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The Coalition for Content Provenance and Authenticity (C2PA) standard is becoming critical here. Legitimate news organisations are starting to implement content signing at capture, but synthetic content farms obviously don't.</p> <h3> 2. Cross-Reference Analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">CrossReferenceResult</span> <span class="p">{</span> <span class="nl">mentionsCount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">sourceDiversity</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">timelineConsistency</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">contradictoryReports</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">crossReferenceStory</span><span class="p">(</span> <span class="nx">entityName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">claimSummary</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">publishDate</span><span class="p">:</span> <span class="nb">Date</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CrossReferenceResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mentions</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">searchMultipleSources</span><span class="p">(</span><span class="nx">entityName</span><span class="p">,</span> <span class="nx">claimSummary</span><span class="p">);</span> <span class="c1">// Calculate source diversity - synthetic stories often appear</span> <span class="c1">// on networks of related sites simultaneously</span> <span class="kd">const</span> <span class="nx">uniqueSources</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">(</span><span class="nx">mentions</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">m</span> <span class="o">=&gt;</span> <span class="nf">getDomainRoot</span><span class="p">(</span><span class="nx">m</span><span class="p">.</span><span class="nx">source</span><span class="p">)));</span> <span class="kd">const</span> <span class="nx">sourceDiversity</span> <span class="o">=</span> <span class="nx">uniqueSources</span><span class="p">.</span><span class="nx">size</span> <span class="o">/</span> <span class="nx">mentions</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">mentionsCount</span><span class="p">:</span> <span class="nx">mentions</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="nx">sourceDiversity</span><span class="p">,</span> <span class="na">timelineConsistency</span><span class="p">:</span> <span class="k">await</span> <span class="nf">verifyTimeline</span><span class="p">(</span><span class="nx">mentions</span><span class="p">),</span> <span class="na">contradictoryReports</span><span class="p">:</span> <span class="k">await</span> <span class="nf">findContradictions</span><span class="p">(</span><span class="nx">mentions</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Synthetic adverse media often appears in clusters. If a story about financial misconduct appears simultaneously across multiple low-authority domains with no prior coverage of the entity, that's a red flag.</p> <h3> 3. Linguistic Pattern Detection </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">LinguisticAnalysis</span> <span class="p">{</span> <span class="nl">aiProbability</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 0-100</span> <span class="nl">styleConsistency</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">factualCoherence</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">citationQuality</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">analyseLinguisticPatterns</span><span class="p">(</span> <span class="nx">content</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">LinguisticAnalysis</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Use multiple AI detection models in ensemble</span> <span class="kd">const</span> <span class="nx">detectionScores</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nf">detectWithGPTZero</span><span class="p">(</span><span class="nx">content</span><span class="p">),</span> <span class="nf">detectWithOriginality</span><span class="p">(</span><span class="nx">content</span><span class="p">),</span> <span class="nf">detectWithCrossplag</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">averageScore</span> <span class="o">=</span> <span class="nx">detectionScores</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">a</span> <span class="o">+</span> <span class="nx">b</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">/</span> <span class="nx">detectionScores</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">aiProbability</span><span class="p">:</span> <span class="nx">averageScore</span><span class="p">,</span> <span class="na">styleConsistency</span><span class="p">:</span> <span class="k">await</span> <span class="nf">analyseWritingStyle</span><span class="p">(</span><span class="nx">content</span><span class="p">),</span> <span class="na">factualCoherence</span><span class="p">:</span> <span class="k">await</span> <span class="nf">checkFactualAccuracy</span><span class="p">(</span><span class="nx">content</span><span class="p">),</span> <span class="na">citationQuality</span><span class="p">:</span> <span class="k">await</span> <span class="nf">validateCitations</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Implementation Strategy </h2> <p>Here's how we've restructured our adverse media pipeline to handle synthetic content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">EnhancedScreeningPipeline</span> <span class="p">{</span> <span class="nl">stage</span><span class="p">:</span> <span class="dl">'</span><span class="s1">collection</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">verification</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">scoring</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">review</span><span class="dl">'</span><span class="p">;</span> <span class="nl">processingTime</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// milliseconds</span> <span class="nl">confidence</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 0-100</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">AdverseMediaProcessor</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">processAlert</span><span class="p">(</span><span class="nx">alert</span><span class="p">:</span> <span class="nx">AdverseMediaAlert</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">EnhancedScreeningResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Stage 1: Immediate synthetic content checks</span> <span class="kd">const</span> <span class="nx">quickChecks</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">runQuickSyntheticChecks</span><span class="p">(</span><span class="nx">alert</span><span class="p">.</span><span class="nx">sourceUrl</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">quickChecks</span><span class="p">.</span><span class="nx">syntheticProbability</span> <span class="o">&gt;</span> <span class="mi">80</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">flagAsSynthetic</span><span class="p">(</span><span class="nx">alert</span><span class="p">,</span> <span class="nx">quickChecks</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Stage 2: Deep verification for uncertain cases</span> <span class="kd">const</span> <span class="nx">deepAnalysis</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">runDeepVerification</span><span class="p">(</span><span class="nx">alert</span><span class="p">);</span> <span class="c1">// Stage 3: Human review for borderline cases</span> <span class="k">if </span><span class="p">(</span><span class="nx">deepAnalysis</span><span class="p">.</span><span class="nx">confidence</span> <span class="o">&lt;</span> <span class="mi">70</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">queueForHumanReview</span><span class="p">(</span><span class="nx">alert</span><span class="p">,</span> <span class="nx">deepAnalysis</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">finaliseAlert</span><span class="p">(</span><span class="nx">alert</span><span class="p">,</span> <span class="nx">deepAnalysis</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">runQuickSyntheticChecks</span><span class="p">(</span><span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">SyntheticIndicators</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">url</span><span class="p">).</span><span class="nx">hostname</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">domainAge</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getDomainAge</span><span class="p">(</span><span class="nx">domain</span><span class="p">);</span> <span class="c1">// Flag domains created in last 30 days</span> <span class="k">if </span><span class="p">(</span><span class="nx">domainAge</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">syntheticProbability</span><span class="p">:</span> <span class="mi">85</span><span class="p">,</span> <span class="na">reasons</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">new_domain</span><span class="dl">'</span><span class="p">]</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// Check against known synthetic content networks</span> <span class="kd">const</span> <span class="nx">networkMatch</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">checkSyntheticNetworks</span><span class="p">(</span><span class="nx">domain</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">networkMatch</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">syntheticProbability</span><span class="p">:</span> <span class="mi">95</span><span class="p">,</span> <span class="na">reasons</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">known_synthetic_network</span><span class="dl">'</span><span class="p">]</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">syntheticProbability</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">reasons</span><span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">SyntheticIndicators</span> <span class="p">{</span> <span class="nl">syntheticProbability</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">reasons</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">EnhancedScreeningResult</span> <span class="p">{</span> <span class="nl">alert</span><span class="p">:</span> <span class="nx">AdverseMediaAlert</span><span class="p">;</span> <span class="nl">verification</span><span class="p">:</span> <span class="nx">ContentVerification</span><span class="p">;</span> <span class="nl">riskAssessment</span><span class="p">:</span> <span class="nx">RiskAssessment</span><span class="p">;</span> <span class="nl">recommendedAction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">approve</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">reject</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">investigate</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">flag_synthetic</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Results: 89% Reduction in False Positives </h2> <p>After implementing synthetic content detection, we've seen:</p> <ul> <li>89% reduction in false positive adverse media alerts</li> <li>Average investigation time down from 3.2 hours to 47 minutes</li> <li>Zero legitimate customers blocked by AI-generated content in the last 60 days</li> </ul> <p>The key insight is that you can't solve this with better AI detection alone. You need a combination of technical verification, cross-referencing, and updated compliance workflows that account for adversarial content.</p> <h2> The Bigger Picture: Trust Infrastructure </h2> <p>We're moving toward a world where content provenance becomes as important as content itself. The EU AI Act's early 2026 enforcement guidelines include media labelling requirements, and major publishers are implementing C2PA signatures. But compliance teams can't wait for perfect solutions.</p> <p>The immediate defence is to treat adverse media screening as an adversarial environment. Assume that some percentage of negative content about your customers will be fabricated. Build verification layers that can catch synthetic content before it triggers compliance actions. And most importantly, train your teams to recognise the patterns of AI-generated reputation attacks.</p> <p>If you're building compliance flows that need to handle adversarial media, check out zenoo.com for our approach to orchestrated verification across multiple providers.</p> fintech compliance automation Stuart Watkins Sun, 12 Apr 2026 05:30:04 +0000 https://dev.to/stuart_watkins_555e9d30ee/after-benchmarking-40-kyc-deployments-heres-what-actually-drives-costs-31ap https://dev.to/stuart_watkins_555e9d30ee/after-benchmarking-40-kyc-deployments-heres-what-actually-drives-costs-31ap <p><strong>TL;DR:</strong> We analysed 40 KYC deployments across manual, hybrid, full automation, cloud API, and AI-driven models. The cost per verification ranges from $20 (manual) to $1.45 (AI automation), but deployment model choice depends on your volume, accuracy requirements, and regulatory context. Here are the real numbers.</p> <h2> The £2.3M onboarding problem </h2> <p>Last month, a Series C fintech showed me their compliance dashboard. 847 KYC checks pending, average processing time 3.2 days, cost per verification tracking at £18.50. Their growth team had driven 40% more signups, but onboarding completion sat at 52%. The maths was brutal: they were spending £2.3M annually on compliance operations that actively hurt conversion.</p> <p>This is not an edge case. When we benchmarked KYC deployments across 40 organisations last quarter, we found wild variation in costs and outcomes, even when teams faced identical regulatory requirements.</p> <h2> Five deployment models, five cost profiles </h2> <p>Every KYC operation falls into one of five categories. Here's what each actually costs when you account for licensing, integration, and operational overhead:</p> <h3> 1. Manual/Traditional Processing </h3> <p><strong>Cost per verification:</strong> £15-20<br><br> <strong>Processing time:</strong> 3-5 days<br><br> <strong>Accuracy:</strong> ~85%<br><br> <strong>Best for:</strong> Low-volume, high-risk customers<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">type</span> <span class="nx">ManualKycCost</span> <span class="o">=</span> <span class="p">{</span> <span class="na">analystTime</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 45 minutes average</span> <span class="nl">hourlyRate</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// £35-50 for compliance analysts</span> <span class="nl">documentReview</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Additional 15 minutes</span> <span class="nl">qualityAssurance</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 10% of cases reviewed</span> <span class="nl">systemOverheads</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Licensing, infrastructure</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">calculateManualCost</span> <span class="o">=</span> <span class="p">(</span><span class="nx">volume</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="nx">ManualKycCost</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">analystTime</span><span class="p">:</span> <span class="mi">45</span><span class="p">,</span> <span class="na">hourlyRate</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="na">documentReview</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="na">qualityAssurance</span><span class="p">:</span> <span class="nx">volume</span> <span class="o">*</span> <span class="mf">0.1</span> <span class="o">*</span> <span class="mi">20</span><span class="p">,</span> <span class="c1">// 10% QA review</span> <span class="na">systemOverheads</span><span class="p">:</span> <span class="mf">2.50</span> <span class="c1">// Per case allocation</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>The hidden cost here is inconsistency. Manual processes show 23% variation in decision quality across different analysts. One team we worked with discovered their Friday afternoon approval rates were 8% lower than Tuesday morning, purely due to analyst fatigue.</p> <h3> 2. Hybrid (Human-in-the-Loop) </h3> <p><strong>Cost per verification:</strong> £8-12<br><br> <strong>Processing time:</strong> 4-6 hours<br><br> <strong>Accuracy:</strong> 92-95%<br><br> <strong>Best for:</strong> Mid-volume with complex edge cases</p> <p>Hybrid models automate initial screening but route exceptions to human reviewers. The cost structure looks appealing until you hit scale:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">HybridKycMetrics</span> <span class="p">{</span> <span class="nl">automatedPercentage</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// 70-80% straight-through</span> <span class="nl">reviewQueueTime</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Average wait for human review</span> <span class="nl">escalationRate</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Percentage requiring manual intervention</span> <span class="nl">blendedCost</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Weighted average of auto + manual</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">hybridEfficiency</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">dailyVolume</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">escalationRate</span><span class="p">:</span> <span class="kr">number</span> <span class="p">):</span> <span class="nx">HybridKycMetrics</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">automated</span> <span class="o">=</span> <span class="nx">dailyVolume</span> <span class="o">*</span> <span class="p">(</span><span class="mi">1</span> <span class="o">-</span> <span class="nx">escalationRate</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">manual</span> <span class="o">=</span> <span class="nx">dailyVolume</span> <span class="o">*</span> <span class="nx">escalationRate</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">automatedPercentage</span><span class="p">:</span> <span class="p">(</span><span class="nx">automated</span> <span class="o">/</span> <span class="nx">dailyVolume</span><span class="p">)</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="na">reviewQueueTime</span><span class="p">:</span> <span class="nx">manual</span> <span class="o">&gt;</span> <span class="mi">50</span> <span class="p">?</span> <span class="nx">manual</span> <span class="o">*</span> <span class="mf">0.8</span> <span class="p">:</span> <span class="nx">manual</span> <span class="o">*</span> <span class="mf">0.3</span><span class="p">,</span> <span class="c1">// Queue builds</span> <span class="na">escalationRate</span><span class="p">:</span> <span class="nx">escalationRate</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="na">blendedCost</span><span class="p">:</span> <span class="p">(</span><span class="nx">automated</span> <span class="o">*</span> <span class="mf">2.1</span><span class="p">)</span> <span class="o">+</span> <span class="p">(</span><span class="nx">manual</span> <span class="o">*</span> <span class="mf">18.5</span><span class="p">)</span> <span class="o">/</span> <span class="nx">dailyVolume</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>The problem emerges during volume spikes. Marketing campaigns can triple daily applications, but human reviewer capacity remains fixed. We have seen review queue times jump from 2 hours to 14 hours during peak periods.</p> <h3> 3. Full Automation (API-First) </h3> <p><strong>Cost per verification:</strong> £2-4<br><br> <strong>Processing time:</strong> Under 2 minutes<br><br> <strong>Accuracy:</strong> 95-98%<br><br> <strong>Best for:</strong> High-volume, standard document types<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">type</span> <span class="nx">AutomatedKycStack</span> <span class="o">=</span> <span class="p">{</span> <span class="na">documentExtraction</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// OCR + data parsing</span> <span class="nl">identityVerification</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Liveness + face match</span> <span class="nl">sanctionsScreening</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Real-time watchlist checks</span> <span class="nl">riskScoring</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// ML-based assessment</span> <span class="nl">apiCosts</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Per-transaction fees</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">automatedCostBreakdown</span><span class="p">:</span> <span class="nx">AutomatedKycStack</span> <span class="o">=</span> <span class="p">{</span> <span class="na">documentExtraction</span><span class="p">:</span> <span class="mf">0.45</span><span class="p">,</span> <span class="na">identityVerification</span><span class="p">:</span> <span class="mf">0.85</span><span class="p">,</span> <span class="na">sanctionsScreening</span><span class="p">:</span> <span class="mf">0.25</span><span class="p">,</span> <span class="na">riskScoring</span><span class="p">:</span> <span class="mf">0.15</span><span class="p">,</span> <span class="na">apiCosts</span><span class="p">:</span> <span class="mf">0.30</span> <span class="c1">// Provider fees</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">totalAutomatedCost</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="nx">automatedCostBreakdown</span><span class="p">)</span> <span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">sum</span><span class="p">,</span> <span class="nx">cost</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">sum</span> <span class="o">+</span> <span class="nx">cost</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="c1">// Result: £2.00 per verification</span> </code></pre> </div> <p>Full automation delivers consistent sub-2-minute processing, but accuracy drops on non-standard documents. UK driving licences from 2019-2021 show 3% higher false rejection rates due to security feature variations that automated systems struggle with.</p> <h3> 4. Cloud/API Models </h3> <p><strong>Cost per verification:</strong> £1.50-3.50<br><br> <strong>Processing time:</strong> 30 seconds - 2 minutes<br><br> <strong>Accuracy:</strong> 96-99%<br><br> <strong>Best for:</strong> Elastic scaling, global coverage</p> <p>Cloud providers now handle 64.6% of KYC workloads. The cost advantage comes from shared infrastructure and continuous model improvements:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">CloudKycPricing</span> <span class="p">{</span> <span class="nl">baseRate</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">volumeDiscount</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">regionPremium</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">accuracyTier</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">calculateCloudCosts</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">monthlyVolume</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">region</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nx">CloudKycPricing</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">baseRate</span> <span class="o">=</span> <span class="mf">2.20</span><span class="p">;</span> <span class="c1">// Volume discounts</span> <span class="k">if </span><span class="p">(</span><span class="nx">monthlyVolume</span> <span class="o">&gt;</span> <span class="mi">10000</span><span class="p">)</span> <span class="nx">baseRate</span> <span class="o">*=</span> <span class="mf">0.8</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">monthlyVolume</span> <span class="o">&gt;</span> <span class="mi">50000</span><span class="p">)</span> <span class="nx">baseRate</span> <span class="o">*=</span> <span class="mf">0.7</span><span class="p">;</span> <span class="c1">// Regional variations</span> <span class="kd">const</span> <span class="nx">regionMultiplier</span> <span class="o">=</span> <span class="nx">region</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">EU</span><span class="dl">'</span> <span class="p">?</span> <span class="mf">1.1</span> <span class="p">:</span> <span class="mf">1.0</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">baseRate</span><span class="p">:</span> <span class="nx">baseRate</span> <span class="o">*</span> <span class="nx">regionMultiplier</span><span class="p">,</span> <span class="na">volumeDiscount</span><span class="p">:</span> <span class="nx">monthlyVolume</span> <span class="o">&gt;</span> <span class="mi">10000</span> <span class="p">?</span> <span class="mi">20</span> <span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">regionPremium</span><span class="p">:</span> <span class="nx">regionMultiplier</span> <span class="o">-</span> <span class="mi">1</span><span class="p">,</span> <span class="na">accuracyTier</span><span class="p">:</span> <span class="nx">monthlyVolume</span> <span class="o">&gt;</span> <span class="mi">50000</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Premium</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Standard</span><span class="dl">'</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>The data shows cloud models excel at handling volume spikes without accuracy degradation. One client processed 15x normal volume during a product launch with zero additional setup time.</p> <h3> 5. AI-Driven/ML-Enhanced </h3> <p><strong>Cost per verification:</strong> £1.45-2.80<br><br> <strong>Processing time:</strong> 20-60 seconds<br><br> <strong>Accuracy:</strong> 98%+<br><br> <strong>Best for:</strong> Document variety, fraud detection<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">type</span> <span class="nx">AiKycCapabilities</span> <span class="o">=</span> <span class="p">{</span> <span class="na">documentTypes</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Supported ID types</span> <span class="nl">fraudDetection</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Synthetic document detection rate</span> <span class="nl">adaptiveLearning</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="c1">// Model improves over time</span> <span class="nl">falsePositiveRate</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="c1">// Percentage</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">aiKycBenchmarks</span><span class="p">:</span> <span class="nx">AiKycCapabilities</span> <span class="o">=</span> <span class="p">{</span> <span class="na">documentTypes</span><span class="p">:</span> <span class="mi">240</span><span class="p">,</span> <span class="c1">// Countries/regions supported</span> <span class="na">fraudDetection</span><span class="p">:</span> <span class="mf">99.2</span><span class="p">,</span> <span class="c1">// Synthetic document catch rate</span> <span class="na">adaptiveLearning</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">falsePositiveRate</span><span class="p">:</span> <span class="mf">1.8</span> <span class="c1">// Industry-leading</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">calculateAiRoi</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">currentFalsePositives</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">currentVolume</span><span class="p">:</span> <span class="kr">number</span> <span class="p">):</span> <span class="kr">number</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">currentCost</span> <span class="o">=</span> <span class="nx">currentFalsePositives</span> <span class="o">*</span> <span class="mf">0.01</span> <span class="o">*</span> <span class="nx">currentVolume</span> <span class="o">*</span> <span class="mi">12</span><span class="p">;</span> <span class="c1">// £12 per false positive</span> <span class="kd">const</span> <span class="nx">aiCost</span> <span class="o">=</span> <span class="nx">aiKycBenchmarks</span><span class="p">.</span><span class="nx">falsePositiveRate</span> <span class="o">*</span> <span class="mf">0.01</span> <span class="o">*</span> <span class="nx">currentVolume</span> <span class="o">*</span> <span class="mi">12</span><span class="p">;</span> <span class="k">return </span><span class="p">((</span><span class="nx">currentCost</span> <span class="o">-</span> <span class="nx">aiCost</span><span class="p">)</span> <span class="o">/</span> <span class="nx">currentCost</span><span class="p">)</span> <span class="o">*</span> <span class="mi">100</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>AI models show the strongest accuracy improvements on edge cases: damaged documents, unusual lighting conditions, or non-standard ID formats. The 58% adoption rate among financial services reflects this capability.</p> <h2> The real cost drivers </h2> <p>After analysing these deployments, three factors drive 87% of cost variation:</p> <ol> <li><p><strong>Volume predictability</strong>: Hybrid models excel under 1,000 monthly checks but become expensive beyond 5,000. Full automation costs remain flat regardless of volume.</p></li> <li><p><strong>Document variety</strong>: Manual processes handle exotic documents well. AI automation supports 240+ document types but struggles with handwritten forms or damaged IDs.</p></li> <li><p><strong>Regulatory risk tolerance</strong>: Crypto firms prioritise 98%+ accuracy over speed. Consumer fintech optimises for conversion, accepting 95% accuracy.</p></li> </ol> <h2> What the data tells us about ROI </h2> <p>The shift from manual to automated processing delivers measurable returns:</p> <ul> <li> <strong>Cost reduction</strong>: 80-90% per verification</li> <li> <strong>Speed improvement</strong>: 87% faster processing</li> <li> <strong>Accuracy gains</strong>: 11-13% improvement</li> <li> <strong>Conversion lift</strong>: 40-60% better onboarding completion</li> </ul> <p>But deployment model choice matters more than technology choice. A poorly configured automated system costs more than optimised manual processing.</p> <h2> Picking your deployment model </h2> <p>Match your model to your constraints:</p> <p><strong>Choose manual if:</strong> Volume under 200/month, complex regulatory requirements, budget under £5k monthly</p> <p><strong>Choose hybrid if:</strong> Growing volume (500-2,000/month), mixed document types, existing compliance team</p> <p><strong>Choose full automation if:</strong> High volume (5,000+/month), standard documents, conversion-focused</p> <p><strong>Choose cloud APIs if:</strong> Variable volume, global customers, limited technical team</p> <p><strong>Choose AI-driven if:</strong> Document variety, fraud concerns, accuracy over speed</p> <p>The compliance landscape is shifting toward automated models, but the best choice depends on your specific volume, accuracy, and cost requirements.</p> <p>If you are building compliance flows and want to explore orchestrated KYC automation, check out zenoo.com.</p> fintech compliance automation Stuart Watkins Tue, 07 Apr 2026 16:26:54 +0000 https://dev.to/stuart_watkins_555e9d30ee/api-red-flags-your-procurement-team-missed-and-why-youre-stuck-with-terrible-vendor-integrations-2an9 https://dev.to/stuart_watkins_555e9d30ee/api-red-flags-your-procurement-team-missed-and-why-youre-stuck-with-terrible-vendor-integrations-2an9 <p>I spend a lot of time helping companies evaluate KYB and AML vendors. The pattern is always the same: procurement runs a thorough commercial evaluation, compliance signs off on the regulatory requirements, and then three months later the engineering team is pulling their hair out trying to integrate with an API that was clearly designed by someone who has never written production code.</p> <p>Here's the thing. Procurement teams are great at comparing feature lists and commercial terms. They are terrible at evaluating APIs. And since you are the one who has to live with their decision for the next three years, you need to know what questions they are not asking.</p> <h2> The demo trap </h2> <p>Vendor demos are optimised for non-technical buyers. They show polished UIs, talk about "seamless integrations" (sorry, had to use it ironically), and wave around Postman collections like they prove something meaningful about production readiness.</p> <p>What they do not show you is what happens when their API returns a 500 error at 2 AM because they have not implemented proper circuit breakers. Or what it looks like to debug a failed KYC check when their error response is <code>{"status": "error", "message": "Something went wrong"}</code>.</p> <p>I have seen procurement teams choose vendors based on feature completeness while completely ignoring API design quality. Then six months later, the engineering team is building elaborate retry mechanisms and error handling logic because the vendor's API is fundamentally unreliable.</p> <h2> Error handling: the canary in the coal mine </h2> <p>The fastest way to evaluate an API's maturity is to look at their error responses. Bad APIs return generic error messages. Good APIs return structured errors with codes, context, and actionable guidance.</p> <p>Here's what a terrible KYC API error looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">{</span> <span class="dl">"</span><span class="s2">success</span><span class="dl">"</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Validation failed</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>Here's what a well-designed error response looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">{</span> <span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DOCUMENT_QUALITY_INSUFFICIENT</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Document image quality does not meet minimum requirements</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">details</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">field</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">document_front</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">reason</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">IMAGE_TOO_BLURRY</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">min_resolution</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">300x300</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">received_resolution</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">150x200</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">request_id</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">req_1a2b3c4d</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The first response tells you nothing. The second tells you exactly what went wrong, which field caused the issue, what the requirements are, and gives you a request ID for debugging. Guess which one your users will thank you for.</p> <p>Yet procurement teams rarely ask vendors to show them actual error responses. They assume error handling is a solved problem. It is not.</p> <h2> Webhook reliability: where most vendors fail </h2> <p>Webhooks are critical for KYC workflows. A customer uploads documents, the verification runs asynchronously, and you need to know when it is complete. Simple, right?</p> <p>Except most KYC vendors treat webhooks as an afterthought. They do not implement proper retry logic. They do not handle SSL certificate rotation gracefully. They do not provide webhook signature verification. They do not respect HTTP status codes for delivery confirmation.</p> <p>The questions your procurement team should ask:</p> <ul> <li>What happens if our webhook endpoint is down for maintenance?</li> <li>How many times do you retry failed webhook deliveries?</li> <li>What is your retry backoff strategy?</li> <li>Do you provide webhook signature verification?</li> <li>Can we replay missed webhooks from a specific timestamp?</li> </ul> <p>These are not nice-to-have features. They are basic requirements for any production webhook implementation. But procurement teams do not know to ask, so vendors do not prioritise them.</p> <h2> Rate limits: the hidden operational cost </h2> <p>Here's a conversation I had with a developer last month:</p> <p>"Our KYC provider has a rate limit of 10 requests per minute. We didn't know this during evaluation. Now we have to implement complex queueing logic just to onboard customers during business hours."</p> <p>Rate limits are rarely discussed during procurement because they seem like a technical detail. But they directly impact your user experience and operational costs. A low rate limit means you need to build queueing infrastructure. A high rate limit with aggressive throttling means unpredictable response times.</p> <p>The right questions:</p> <ul> <li>What are your rate limits per endpoint?</li> <li>How do you communicate rate limit status? (HTTP headers? API responses?)</li> <li>What happens when we exceed the limit? (Queued? Rejected? Throttled?)</li> <li>Can we purchase higher rate limits?</li> <li>Do rate limits reset per minute, hour, or day?</li> </ul> <p>One vendor told a client their rate limit was "generous for most use cases". It turned out to be 100 requests per day. That is not generous. That is restrictive to the point of being unusable for any meaningful volume.</p> <h2> Sandbox environments: the integration litmus test </h2> <p>Most vendors provide sandbox environments. Few provide good ones.</p> <p>A good sandbox should let you test every possible response scenario: successful verifications, document rejections, network timeouts, webhook failures, rate limit scenarios. It should have deterministic test data so you can write reliable integration tests.</p> <p>A bad sandbox only supports happy path scenarios. You upload a test document, it always returns success, and you think your integration is bulletproof. Then you go to production and discover edge cases you never tested.</p> <p>Ask vendors to demonstrate their sandbox capabilities. Can they show you how to simulate a document verification failure? A network timeout? A webhook delivery failure? If they cannot demonstrate these scenarios in their sandbox, how do they expect you to handle them in production?</p> <h2> The data structure consistency problem </h2> <p>KYC APIs return a lot of structured data: personal information, address details, document metadata, verification results. The quality of this data structure design varies wildly between vendors.</p> <p>Bad APIs are inconsistent. They use different field names for similar concepts across endpoints. They nest data unpredictably. They mix strings and objects for similar data types.</p> <p>Good APIs are consistent. They use the same field names everywhere. They have predictable nesting patterns. They use proper data types.</p> <p>This might seem pedantic, but inconsistent data structures create bugs. And bugs in KYC systems mean compliance failures.</p> <h2> Documentation: actions speak louder than words </h2> <p>Every vendor claims to have "comprehensive API documentation". Most do not.</p> <p>Good documentation includes:</p> <ul> <li>Complete request/response examples for every endpoint</li> <li>Error code reference with explanations</li> <li>Webhook payload examples</li> <li>SDK code samples in multiple languages</li> <li>Interactive API explorer</li> <li>Changelog with breaking change notifications</li> </ul> <p>Bad documentation has incomplete examples, outdated information, and forces you to guess at field meanings.</p> <p>Here's a simple test: ask the vendor to walk you through their documentation during the demo. Can they find the information you need quickly? Do the examples actually work? Are the error codes documented?</p> <p>If they stumble through their own documentation, that tells you everything about the developer experience.</p> <h2> What you can do about it </h2> <p>Most procurement processes happen without engineering input until implementation starts. That is backwards. You should be involved in vendor evaluation, not just vendor integration.</p> <p>When your procurement team is evaluating KYB or AML vendors, ask to see the technical evaluation criteria. If they do not have any, use this as a starting point:</p> <ol> <li>API error handling quality</li> <li>Webhook reliability and retry mechanisms</li> <li>Rate limiting policies and communication</li> <li>Sandbox environment completeness</li> <li>Data structure consistency</li> <li>Documentation quality and completeness</li> <li>SDK availability and maintenance</li> <li>Breaking change notification process</li> </ol> <p>These are not theoretical concerns. They directly impact development time, operational stability, and user experience. A vendor with great features but terrible API design will cost you months of additional development work.</p> <p><a href="https://zenoo.com/blog/kyb-aml-tender-requirements-template" rel="noopener noreferrer">Our KYB/AML tender requirements template</a> includes technical evaluation criteria that most procurement teams miss. But ultimately, the best way to evaluate an API is to actually use it.</p> <p>Don't let procurement choose your integrations based on feature demos and commercial terms alone. The API quality will determine whether your integration project takes weeks or months, whether your system is reliable or brittle, and whether your users have a smooth experience or a frustrating one.</p> <p>You are the one who has to live with their decision. Make sure you have input before they make it.</p> compliance api fintech webdev