What’s New and What can we Expect in 2026 for KYC?

Know your customer (KYC) is finally at a turning point. No longer merely a box-ticking exercise, it is being rebuilt into something closer to core financial infrastructure, driven by converging forces that will reshape compliance in 2026. The EU’s new Anti-Money Laundering Authority (AMLA) has begun operations, signalling tighter, more harmonised supervision across member states. At the same time, digital identity frameworks such as the European Digital Identity Wallet are set for widespread rollout, promising seamless cross-border verification. Finally, artificial intelligence is moving beyond experimentation into real-world supervision and risk scoring. Think of legacy KYC as early-2000s airport security — clunky, reactionary and stuck in yesterday’s world. Is KYC finally growing up?

Beyond the Checkbox

KYC across the UK and Europe is shifting from static process to living risk judgement. The traditional model, verify once at onboarding, then revisit every few years, is steadily giving way to evolving risk narratives that track how customers actually behave over time. For example, several European banks now reassess customer risk when transaction patterns change materially, rather than waiting for scheduled reviews, aligning with supervisory expectations on proportionality set out by the European Banking Authority (EBA).

Regulators are also moving away from rewarding sheer volume. In the UK, the Financial Conduct Authority (FCA) has been explicit that good outcomes matter more than procedural excess, particularly where rigid KYC creates barriers to financial inclusion. This is encouraging firms to segment customers by behavioural risk, such as payment velocity or account dormancy, rather than relying solely on nationality or sector.

Crucially, KYC is becoming a commercial decision-making tool. Fintechs operating across the EU increasingly use consistent internal risk scores to decide which customers to onboard, which to limit, and which to exit. This is a trend reinforced by EU-wide harmonisation under the new AML framework. But the real change is philosophical: KYC is now less about proving identity, and more about clearly explaining and defending decisions to regulators, auditors and customers alike.

From Regulation to Real-Time

KYC in the UK and EU is moving decisively from periodic compliance to real-time risk management. Annual or triennial reviews are increasingly being replaced by continuous KYC, where specific events trigger reassessment. A sudden spike in transaction velocity, a change in control structure, or new counterparty exposure can now prompt an immediate review. This is very much an approach explicitly encouraged in EU guidance on ongoing monitoring.

Automation is also moving up the value chain. While document verification is largely commoditised, firms are now deploying automated behavioural anomaly detection to identify unusual account activity and network analysis to map hidden relationships between customers, directors and counterparties. UK regulators have acknowledged the growing role of advanced analytics, while stressing the need for robust oversight. This has typically elevated AI governance to board-level importance. Under the EU AI Act, systems used in anti-money laundering (AML) and KYC are likely to be classified as high-risk, bringing new obligations around transparency, testing and human oversight. Data quality and explainability are fast becoming regulatory flashpoints.

What is genuinely new is the operating model. KYC stacks are becoming modular and composable, allowing firms to swap components as risks evolve. In parallel, EU-backed initiatives exploring shared AML utilities and trusted data exchanges are gaining traction. The result? KYC teams increasingly resemble control-room operators, monitoring live risk signals rather than ticking static forms.

Two Jurisdictions, One Direction?

In 2026, the UK and EU will look increasingly different on paper, yet strikingly similar in practice when it comes to KYC expectations. The paradox is simple, as rules diverge, but outcomes converge. The EU is pressing ahead with centralisation through the AMLA, which will directly supervise high-risk cross-border firms and set a single supervisory tone across member states. By contrast, the UK remains structurally flexible, relying on supervisory judgement from bodies such as the FCA rather than a single, overarching authority.

Yet post-Brexit divergence is now less about substance and more about governance style. Customer due diligence (CDD) thresholds, beneficial ownership checks and sanctions screening expectations are broadly aligned. A UK payments firm onboarding EU merchants, for example, will still be expected by EU counterparties to evidence standards consistent with the EU AML package, even if its primary regulator is British.

This reality is driving a quiet trend where UK firms are voluntarily aligning to EU benchmarks to stay commercially viable. Meanwhile, mutual recognition is becoming operationally important even without formal agreements, particularly for correspondent banking and cross-border fintech partnerships.

The business takeaway is clear. Firms that design KYC frameworks for interoperability, not fragmentation, will win. Those betting on regulatory distance are likely to lose access, trust and ultimately revenue.

The Next KYC Reckoning

By 2026, KYC failures will no longer be treated as technical mishaps but as governance breakdowns, with accountability moving decisively upwards. Regulators are already signalling that enforcement is becoming more personal. In the UK, the Senior Managers and Certification Regime (SM&CR) makes individual accountability explicit, and recent FCA statements have reinforced expectations that senior leaders own financial crime outcomes, not just policies.

Rising KYC costs are also being reframed. Regulators increasingly argue that expense inflation is driven less by regulation itself and more by inefficient operating models. Large banks still carrying years-old onboarding backlogs or recycling low-quality alerts are inviting scrutiny. The FCA has highlighted concerns around KYC backlogs, alert effectiveness and customer friction as indicators of weak control environments rather than capacity issues.

In practice, this means firms should expect deeper supervisory questions, such as why alerts lack precision, why customers abandon onboarding journeys, and why ownership of KYC data remains unclear. A retail bank unable to explain prolonged remediation queues, or a fintech unable to evidence alert-quality improvement, may find failures escalated to board level.

What must be rethought is not tooling, but foundations: operating models before technology, incentives before controls, and data ownership before vendor selection. The firms that struggle in 2026 won’t be those who ignored KYC, but those who treated it as someone else’s problem.

KYC as Competitive Advantage

By 2026, KYC will clearly separate firms that understand risk from those that merely document it. Regulators are pushing KYC to become more continuous, more judgement-based and far more visible at board level, with senior accountability now explicit rather than implied. UK guidance under the SM&CR reinforces that financial crime controls are a leadership responsibility, not a back-office function. At the same time, supervisory focus is shifting towards outcomes, data quality and customer impact, as set out in the FCA’s current Business Plan. Treated well, KYC is no longer just a cost of compliance but a source of commercial trust and operational resilience. The future belongs to designers.

And what about you…?

• Which parts of our KYC process create the most customer friction, and do we actively measure whether that friction is justified by genuine risk?

• What keeps us awake at night about KYC in 2026: regulatory enforcement, rising costs, reputational damage, or the possibility that competitors will simply do it better?