Fintech KYC: onboard more without weaker checks

Fintech KYC decides the first ninety seconds of onboarding. Someone downloads the app, enters their details, and waits for the identity check to clear. When it clears on the spot, they fund the account and start using the product. When it stalls and asks them to photograph a passport, a share of those people close the app and do not come back.

The applicants most likely to hit that stall are the ones a fintech is built to serve: someone opening their first current account at twenty-three, or a skilled worker who arrived in the UK last year. Their credit footprint is thin or missing, so a standard identity check cannot find enough matching records to clear them. They are genuine, and the check treats them as unverifiable.

That is a revenue problem before it is a compliance problem. Every good applicant who drops out at the identity step is acquisition spend with nothing to show for it, and a customer who often opens the account they wanted somewhere else instead. The answer is a wider check, one that draws on more of the independent data proving a real person exists.

What is fintech KYC and why does it fail thin-file customers?

Fintech KYC is the process a regulated fintech uses to confirm a new customer is who they claim to be before opening an account. Most digital checks match a name, address and date of birth against Credit Reference Agency records. Thin-file customers have too few records there to match, so the check fails even when the person is real.

A thin file is not a red flag on its own. It usually means the person has simply not built up much borrowing history in the UK. That describes a meaningful minority of adults, concentrated among younger people, recent movers and those newly arrived in the country. The FCA's Financial Lives survey put around 0.9 million UK adults as unbanked, down from 1.3 million in 2017, and found 22% of the 15.3 million people who applied for a regulated credit agreement in the two years to May 2024 were declined. These are the segments a growing fintech wants most, and the ones a narrow check turns away.

What identity verification do the Money Laundering Regulations require?

The Money Laundering Regulations 2017, Regulation 28, require a firm to verify a customer's identity using information from a source that is reliable and independent of both the firm and the customer. It does not name a specific technology or a fixed number of data points. Electronic verification is an accepted route to meet this obligation.

In practice, electronic verification meets that standard through an industry convention often called "2+2": matching at least two identity attributes, such as name and address, against at least two independent, reliable data sources. The 2+2 shorthand is a convention drawn from JMLSG and HMRC guidance, not a term written into the regulations. HMRC's guidance is clear that a single-source electronic check is not normally enough on its own, and that verification should draw on multiple sources (HMRC ECSH33357).

The identity match is one part of the wider job. Customer due diligence also covers risk assessment, source of funds where required, sanctions and PEP screening, and ongoing monitoring. Confirming identity does not discharge those duties. The firm keeps them and remains responsible for them.

Why do CRA-only KYC checks reject good fintech customers?

A CRA-only check can only match a customer against the records the Credit Reference Agencies hold. Someone with a thin or absent credit history has too few of those records, so the check cannot reach 2+2 and returns a fail. The person is genuine. The data source is just too narrow to see them.

The gap is a data-coverage problem, and it can be closed by widening the sources a check draws on. A real person leaves a footprint in more places than the credit file. They hold a current account and a mobile contract, and appear in insurance and public-sector records. Matching identity attributes across those independent sources reaches people the credit file misses, while still meeting the reliable-and-independent test.

Data source What it evidences Segments it reaches
Credit Reference Agency data Borrowing and credit history Established borrowers with a credit footprint
Bank and current-account data An active, verified banking relationship Younger adults and newcomers with an account but little credit history
Mobile network data A live, contracted mobile identity Recent movers and first-time account holders
Insurance policy and claims data A stable named individual over time People outside mainstream credit
Public sector data Officially recorded presence in the UK Newcomers and those new to formal credit
Finance application data Recent, active financial engagement Thin-file applicants building a footprint

 

Can fintechs use digital identity to meet KYC under the MLRs?

Yes. UK government guidance published on 26 February 2026, "Using digital identities with the Money Laundering Regulations", confirms that services certified under the UK Digital Verification Services Trust Framework count as a reliable and independent source for the identity-verification step. A fintech can rely on a certified provider for that step.

Relying on a certified service does not move the wider due diligence off the firm. The guidance is explicit that the firm keeps responsibility for risk assessment, ongoing monitoring and the rest of its CDD obligations, and remains ultimately liable. Certification covers the identity step. It does not replace the compliance judgement around it.

For the customer, a digital route means an account that opens in seconds, rather than one that asks them to photograph a passport and wait. That wait is where drop-off happens.

How does a KYC second wash recover customers who fail 2+2?

A second wash re-runs the records that failed a first CRA-only check against additional independent data sources. Many applicants who could not reach 2+2 on the credit file alone are found in banking, mobile, insurance or public-sector data, so they clear on the second pass. The genuine thin-file customers get through, and only the records with no footprint anywhere remain isolated for review.

This is where OneID's KYC Match fits. It is an optional add-on across OneID's identity products that returns a configurable count of matches across independent sources, going beyond Credit Reference Agency data to check name, address and date of birth against banks, mobile networks, insurance data, public-sector data, finance applications and CRAs, in whatever combination a firm chooses. It runs as a real-time API for onboarding or as a batch data wash over records that failed first time. It performs the identity-matching step only. The firm keeps the rest of its CDD.

The recovery is real and it is measurable. In one Tier-1 gaming operator's data, close to 30% of new customers failed a CRA-only 2+2 check. A second wash on those failures found records on a majority of them across additional sources, and around half of the previously failed customers were onboarded, an overall uplift of roughly 15% in new-customer onboarding. That result comes from gambling, where the customer mix differs from fintech, so treat it as directional evidence of what a wider check recovers, not a rate to expect in another sector.

Does BNPL need FCA-regulated KYC?

Buy Now Pay Later comes under full FCA regulation from 15 July 2026, with final rules already published in FCA Policy Statement PS26/1 in February 2026 and a Temporary Permissions Regime open beforehand. From that point, in-scope BNPL providers carry the same expectations around identity verification and customer due diligence as other regulated credit firms.

BNPL's core customer base skews young and thin-file, the same profile that fails CRA-only checks most often. Providers preparing for the regime face the identity-coverage problem directly, and the case for matching beyond the credit file applies to them as sharply as to any neobank, EMI or payment firm.

Frequently asked questions

What does KYC mean for fintech companies?

KYC, or know your customer, is the process of confirming a new customer's identity before opening an account, as part of the customer due diligence the Money Laundering Regulations 2017 require of regulated firms. For fintechs it usually happens digitally at onboarding.

Is the "2+2" rule a legal requirement?

No. "2+2" is an industry convention describing how electronic verification meets Regulation 28 of the MLRs 2017, matching at least two identity attributes against at least two independent sources. It is drawn from JMLSG and HMRC guidance, not written into the regulations.

Why do younger adults and newcomers to the UK fail KYC checks?

They tend to have a thin or absent credit footprint, so a check that relies only on Credit Reference Agency data cannot find enough records to match. The person is genuine, but a credit-only source is too narrow to confirm them.

What is a KYC data wash or second wash?

A second wash re-runs records that failed a first identity check against additional independent data sources, so genuine customers missed the first time can be recovered. "Data wash" is an industry product term, not regulatory language.

Do digital identity checks meet the Money Laundering Regulations?

Yes. Government guidance from 26 February 2026 confirms services certified under the UK Digital Verification Services Trust Framework are a reliable, independent source for the identity step. The firm keeps the wider CDD and remains liable.

When does BNPL come under FCA regulation?

From 15 July 2026, with final rules set out in FCA PS26/1 and a Temporary Permissions Regime open before that date.

See what a wider check recovers for you

The straightforward way to see how many good customers your fintech KYC check is turning away is to test it against your own data. You can run 1,000 records through KYC Match for free and compare the results against your existing provider, by contacting OneID. OneID is a digital verification services provider, certified under the UK's Digital Verification Services Trust Framework.

Recent posts

What is age verification, and how does it work?

Age verification is the process of confirming that a person is old enough to access a product, service o...

The UK digital driving licence: what it is, when it arrives, and how it will be used

The UK digital driving licence is a version of your driving licence held on your phone rather than on a ...

UK government ID: the digital ID scheme and the wallet

UK government digital ID refers to the government’s own tools for proving who you are online. In the UK,...