Most customers who abandon a regulated sign-up never tell you why. They open the page, reach the point where they are asked to photograph a passport and take a selfie, and close the tab. The account is never funded. The lead is never converted. KYC checks are where that loss happens, and for many firms it accounts for a larger share of lost revenue than any marketing channel makes up for.
The regulator counts the same failure from the other end. On 16 July 2025 the FCA fined Barclays £42 million, made up of £39.3 million against Barclays Bank PLC and £3.09 million against Barclays Bank UK PLC, for financial crime risk failings that included gathering insufficient information at the start of a customer relationship and inadequate ongoing monitoring. That is the cost of getting KYC checks wrong on the compliance side. The abandoned sign-up is the cost on the commercial side. Both come from the same set of obligations, and most firms are losing on both at once.
KYC stands for Know Your Customer. KYC checks are the identity verification steps a regulated firm carries out before it enters into a business relationship, confirming that a customer is who they claim to be. They are the first and most visible part of a wider obligation called Customer Due Diligence.
Customer Due Diligence is the broader process. It requires a firm to identify the customer and verify that identity against a reliable, independent source, to identify any beneficial owners, to understand the purpose and intended nature of the relationship, and to keep all of it under ongoing review. KYC verification is the front door. Customer Due Diligence is the whole building.
The distinction matters commercially because the front door is where conversion is won or lost. A customer never experiences your record-keeping or your risk model. They experience the identity check. If it is slow, repetitive, or rejects them in error, they leave, and the compliance work behind it never gets the chance to run.
A customer opens an account with a new fintech. They are asked to photograph the front and back of their passport. The lighting has to be right, the edges in frame, the glare gone. They upload it. Then a selfie. Then a utility bill dated within the last three months that most people under forty do not receive on paper. Some finish. Many do not.
The abandonment is not random. Younger customers and those without a long credit history are more likely to drop out. Customers with non-Latin names hit higher rejection rates from optical character recognition. People banking on the same phone they are being asked to photograph a document with find the whole sequence awkward. Each friction point removes a real customer who was ready to transact.
For a firm onboarding 10,000 customers a month, the gap between a 55% completion rate and an 85% one is 3,000 people. That is the difference between hitting a growth target and explaining why it slipped. The KYC check is rarely treated as a growth lever. For most regulated firms it is the single biggest one they are not pulling.
The UK KYC process follows a defined sequence set out in the Money Laundering Regulations 2017. Each step maps to a specific regulation, which is what makes it auditable.
1. Customer identification. Obtain the customer’s full name, date of birth and address, and for a company the legal identifiers. This is the information-gathering step before anything is verified.
2. Identity verification. Verify that identity against a reliable, independent source. This is the step a certified digital verification service can now satisfy under guidance published in February 2026, covered in the next section.
3. Beneficial ownership. For corporate customers, identify and take reasonable measures to verify the people who ultimately own or control the business.
4. Purpose and nature of the relationship. Understand why the customer wants the product and how they intend to use it. This shapes the risk view and is not something a document upload can answer.
5. Ongoing monitoring. Keep the relationship under review, scrutinising transactions and refreshing information so the customer record stays current. The Barclays case turned in part on this step being inadequate.
6. Risk-based escalation. Apply Enhanced Due Diligence in higher-risk situations, such as customers in high-risk countries or politically exposed persons. Apply Simplified Due Diligence where the risk is demonstrably low.
7. Record-keeping. Keep the evidence of every check for five years after the relationship ends, so the work can be reconstructed for a supervisor.
Step two is the part the customer feels, and the part that decides whether they finish. Compliance lives in the other six. A good provider speeds up step two without weakening any of the rest.
UK anti-money laundering law applies to a defined list of sectors, the “relevant persons” set out in the regulations. Operating in any of them makes KYC checks a legal obligation before a customer relationship begins.
Financial services sit at the centre. Banks, payment and e-money institutions, investment firms, consumer credit providers and asset managers all fall under the Money Laundering Regulations 2017, with the FCA as supervisor. Cryptoasset exchange and custodian wallet providers must register with the FCA and meet the same obligations. Financial crime is one of the FCA’s stated priorities under its 2025 to 2030 strategy, which is why enforcement like the Barclays fine carries the weight it does. For a practical view of how these obligations are met in onboarding, see our overview of KYC checks.
Outside financial services the duty is just as binding, with supervision split across bodies. HMRC supervises money service businesses, high-value dealers, art market participants, and accountancy and trust or company service providers not already covered by a professional body. The Gambling Commission covers licensed operators, who must verify identity and age before a customer deposits or plays. Legal and accountancy professional bodies supervise their own members.
The KYC requirements UK firms work to have shifted in a way that directly affects conversion. The change is that a digital identity check now carries clear legal standing for the verification step, where before it sat in a grey area many compliance teams were unwilling to rely on.
Part 2 of the Data Use and Access Act 2025 established Digital Verification Services as the statutory framework for UK digital identity, in force since late 2025. On 26 February 2026, HM Treasury and the Department for Science, Innovation and Technology published “Using digital identities with the Money Laundering Regulations”, confirming that a firm can fulfil its Regulation 28 identity-verification obligation using a digital verification service that is both certified against the trust framework and listed on the GOV.UK DVS Register.
The Office for Digital Identities and Attributes set out the reasoning the same day. A service that is certified and registered counts as a reliable and independent source with anti-impersonation assurance, while an uncertified one cannot reliably be deemed suitable, and such a service can support verification of company directors.
One honesty point matters here. A certified digital verification service satisfies the Regulation 28 identity-verification component. It does not discharge the rest of Customer Due Diligence. The firm remains responsible for its own risk assessment, for ongoing monitoring, for Enhanced Due Diligence where the risk calls for it, and for record-keeping under Regulation 40. Digital identity supplements the regulations. It does not supersede them.
The direction is the same across the Channel. The European Banking Authority’s guidelines on remote customer onboarding have applied since 2 October 2023, and they require reliable document capture, a liveness check, a match between the document and the live person, and a complete, auditable record of how the check was performed. Whichever side of the regulatory line a firm sits, the expectation is converging on verified, person-present, auditable identity rather than a photograph of a document on its own.
Many firms still run KYC verification on credit reference agency data alone. A CRA check confirms that a name, date of birth and address exist together in a credit file. It verifies that the data is real. It does not verify that the person submitting the data is the person it belongs to.
That gap is where fraud lives. A check confirming that “Sarah Jones, born 12 June 1990, of 14 Elm Road” is a genuine identity tells you nothing about who is sitting at the other end of the form. A fraudster holding Sarah’s stolen details passes, because the data is authentic even though the person is not.
There is a deeper distinction underneath this. CRA-style document and data checks are probabilistic. They score how likely it is that the data is genuine. A check anchored to something the customer cryptographically controls, such as their own bank authentication, is deterministic. It proves the person initiating the check holds the credentials tied to that identity. For thin-file customers, those with little credit history or a recent arrival in the UK, a single probabilistic lookup also produces the most false rejections, sending good customers to a competitor for no reason other than a sparse file.
|
Factor |
CRA-only KYC |
Multi-source digital KYC |
|
What it confirms |
The data is valid |
The data is valid and the person is present |
|
Method |
Probabilistic data match |
Deterministic, cryptographic where bank-based |
|
Fraud resilience |
Exposed to stolen data |
Authentication against bank or device |
|
Thin-file customers |
Higher false-rejection rate |
Multiple sources reduce false rejections |
|
Regulatory direction |
Static |
Aligned with the 2026 DVS guidance |
For compliance leads, the regulator’s question is authority, not anomaly. It is not whether a record looks unusual. It is whether the firm can show it confirmed the right person, against a reliable source, and kept the evidence.
This is the point at which the conversion problem and the compliance problem can be solved with the same check. OneID is a UK FCA-regulated digital verification services provider, certified under the Digital Verification Services Trust Framework as the first Identity Service Provider, the first Orchestration Service Provider and the first Holder Service Provider, B Corp certified, ACCS accredited, and aligned with the Data Use and Access Act 2025. That certification is what the February 2026 guidance requires for the verification step to count: certified against the framework and on the GOV.UK DVS Register.
The commercial case sits in OneID’s own onboarding data. Across bank-based and digital-wallet verification, OneID observes completion rates of 80 to 90%, against the 50 to 60% typical of passport-chip and document-upload journeys. On the experience the customer feels, the check runs in under 12 seconds, and the fastest bank-verified path completes in around 3 seconds. The customer authenticates with something they already use and is back in your flow before they have time to reconsider.
Rather than rely on a single CRA lookup, OneID runs Configurable KYC Match Counts across independent data sources, including banks, mobile network operators, public sector records, financial datasets and credit reference agencies. A firm sets how many independent confirmations it needs for a given risk level. For thin-file customers, drawing on several sources rather than one is the difference between an approval and a false rejection.
OneID powers KYC verification for firms including Anna Money, NatWest, Sumsub and Shufti. The point of the certification, the multi-source matching and the speed is a single one: the firm clears the Regulation 28 verification step with audit-ready evidence, while keeping the customers a document-upload journey would have lost.
What is KYC?
KYC stands for Know Your Customer. KYC checks are the identity verification steps a regulated firm carries out before it enters into a business relationship with a customer. In the UK they form part of Customer Due Diligence under the Money Laundering Regulations 2017.
How long does a KYC check take?
A document-upload KYC check can take from a few minutes to several days where manual review is needed. A digital identity check, such as a bank-verified one, can complete in under 12 seconds, with the fastest paths around 3 seconds.
Who needs to do KYC checks in the UK?
Any firm operating in a sector covered by the Money Laundering Regulations 2017. That includes banks and other financial services firms, cryptoasset businesses, gambling operators, legal and accountancy professionals, trust and company service providers, estate and letting agents, high-value dealers and art market participants.
What is the difference between KYC and Customer Due Diligence?
KYC is the identity verification part. Customer Due Diligence is the wider framework it sits inside, which also covers beneficial ownership, understanding the purpose of the relationship, ongoing monitoring and record-keeping. Every KYC check is part of Customer Due Diligence, but Customer Due Diligence covers more than the initial identity check.
Can a digital identity service meet UK KYC requirements?
For the identity-verification step, yes. Since the February 2026 HM Treasury and DSIT guidance, a firm can satisfy its Regulation 28 obligation using a provider that is certified against the trust framework and listed on the GOV.UK DVS Register. The firm stays responsible for the rest of its Customer Due Diligence, including risk assessment, monitoring and record-keeping.
The verification step is now the one part of compliance that can also be a conversion gain. The law is settled, the guidance is published, and a digital check that satisfies Regulation 28 is the same check that keeps the customers a document upload would have lost.
If you are reviewing your KYC checks, three questions cut through. Is your provider certified under the DVSTF and on the DVS Register? How many independent sources does it match against? And what are your completion rates telling you about the customers walking away? For how a certified service meets Customer Due Diligence in practice, see our guide to KYC verification with digital identity, and for choosing a provider, our guide to selecting a KYC provider in the UK.
Strong KYC checks should clear the regulator and keep the customer in the same few seconds. Done well, the check that satisfies the regulator is the same one that keeps the customer.
A director needs to prove who they are to Companies House. They want to do it once, have it accepted fir...
A new director cannot be appointed until they have proved who they are. Existing directors are receiving...
Choosing the best KYC provider UK firms can rely on comes down to six things: whether it verifies across...
