Know Your Customer (KYC) is the process by which banks and other regulated institutions verify their customers’ identities and information, in order to prevent fraud and comply with AML/CTF regulations. When implemented properly, KYC processes are an opportunity to understand intent and to use a verified identity profile, with the help of tools like ShadowDragon Horizon™, as the backbone for risk-based monitoring, thus protecting your customers and your brand.
In this guide, we’ll cover what KYC is and why it matters, KYC’s core building blocks (CIP, CDD, EDD), walk through the KYC process step by step, and review digital/eKYC approaches. We’ll also share the global rule set, including FATF standards, U.S. BSA/AML and FFIEC expectations, EU requirements, and UK regulations.
In addition, we’ll clear up the relationship between KYC, AML, and KYB, and help you strike the right balance between compliance and a seamless customer experience. Finally, we’ll highlight common pitfalls and where OSINT tools like ShadowDragon Horizon™ enhance identity assurance, screening, and investigations.
What is Know Your Customer?

Banks and other regulated companies utilize Know Your Customer processes to verify a customer’s identity before opening an account or providing financial services. In practice, KYC involves gathering and validating various pieces of information, such as a government-issued ID, proof of address, and, when warranted by risk, additional background information. This helps ensure that the person or business is who they claim to be and that their funds originate from a legitimate source.
Financial institutions use open-source intelligence (OSINT) tools such as ShadowDragon Horizon™ to augment that verification process. By cross-checking customer data with publicly available information (e.g., networks, company connections, online activity), OSINT can help investigators confirm identities, identify discrepancies, and reveal hidden exposures that may not be visible in official documents.
Financial institutions, money service businesses, and other regulated entities are required to perform KYC under anti-money laundering (AML) and counter-terrorist financing (CTF) laws and regulations. Confirming a customer’s identity at the beginning of the customer relationship and on an ongoing basis can help detect and prevent financial crimes, such as money laundering, terrorist financing, fraud, and sanctions evasion.
Horizon Monitor™ can support continuous KYC monitoring, providing external risk alerts of new businesses or online connections attributed to sanctioned or otherwise high-risk individuals or entities. This helps the compliance team keep risk profiles up-to-date and evidence-based rather than being dependent on intermittent manual checks.
KYC is a central focus for international and U.S. regulators seeking to combat financial crime. The Financial Action Task Force (FATF), an intergovernmental body that sets global AML/CTF standards, requires jurisdictions to impose customer due diligence measures, including identifying and verifying customers and their beneficial owners.
FATF’s focus on beneficial ownership transparency is consistent with real-world use of OSINT tools like ShadowDragon. Cross-jurisdictional mapping of public data with ShadowDragon can expose connections between beneficial owners, associated companies and online infrastructure, enabling compliance with FATF guidance and national beneficial ownership disclosure regulations.
In the United States, the Federal Financial Institutions Examination Council (FFIEC) addresses KYC in its Bank Secrecy Act (BSA)/AML Examination Manual, which describes exam expectations for customer identification programs and ongoing monitoring activities.
Incorporating OSINT into these activities also creates a much stronger audit trail for examiners. If institutions can show that identity and risk checks are backed up by independently verified open source intelligence (e.g., indications of ownership structure or external affiliations), then regulators will have more confidence that the institution’s KYC process is both thorough and defensible.
Incorporating KYC into account opening and ongoing account management allows financial institutions to meet these international and domestic requirements while reducing financial crime and mitigating their regulatory risk. KYC used in tandem with OSINT-derived intelligence goes beyond static compliance, transforming it into a proactive risk management practice.
Why KYC Matters in Banking
KYC is a vital risk management practice that safeguards financial institutions and their customers from fraud, ensures they meet compliance standards set by international regulatory bodies, and also protects their reputation and consumer trust. Financial institutions are turning to OSINT tools such as ShadowDragon to supplement their existing KYC efforts. Integrating OSINT in KYC workflows can help banks identify discrepancies, hidden relationships, or online activity that indicates high-risk behavior.
Preventing Financial Crime
Inadequate KYC controls make financial institutions susceptible to fraud, as criminals can open fake accounts, transfer illegal funds, and steal other people’s identities.
By establishing and verifying a customer’s identity and clarifying the nature and purpose of a transaction, institutions can detect suspicious activity and potential fraud linked to money laundering and terrorist financing earlier.
OSINT platforms, such as ShadowDragon, allow compliance teams to discover those risks faster by correlating internal customer data with external sources of intelligence (associated social identities, online business activity, etc.). This early awareness can help identify a network of related accounts or entities indicative of layering or placement activity well in advance of that activity being observed in transaction data.
Identity Theft Prevention
Effective KYC protects legitimate account holders from being impersonated or having their accounts used for fraudulent schemes. Accurate identity checks and ongoing monitoring help keep personal funds and data secure.
Adding a layer of OSINT-based verification also provides additional protection from impersonation and synthetic identity fraud. By using a tool such as ShadowDragon Horizon™ to verify online presence and activity (emails, social media, etc.) against claimed identities and expected behaviors, investigators can confirm legitimacy and flag anomalies consistent with stolen or fabricated profiles.
Compliance
In many jurisdictions, including those governed by regulations such as the Bank Secrecy Act, the European Union’s AML directives, and the Financial Action Task Force (FATF) Recommendations, financial institutions and other designated entities are required to perform customer due diligence.
Negligence in KYC procedures can result in regulatory penalties, substantial fines, and more stringent future oversight. In the United States, the FFIEC BSA/AML Manual details these expectations for member institutions. For international standards, the FATF Recommendations serve as the benchmark.
Mapping ownership structures, cross-border affiliations, and external risk indicators with OSINT tools like ShadowDragon Horizon™ can help institutions create more robust due diligence documentation and defensible compliance evidence in the event of audits or regulatory reviews.
Maintaining Trust
Financial institutions found to be complicit in illegal activity can face reputational risks and a loss of trust from their customers and business partners. SWIFT emphasizes in its KYC compliance guidance that trust is the lifeblood of global payments. Thales also notes that identity and access management are key to reducing risk in banks and other financial institutions.
Implementing strong KYC procedures prevents fraud and protects customer data while minimizing regulatory risks and ensuring continued business with trusted partners and customers.
The Building Blocks of KYC

A comprehensive KYC framework comprises three core elements: Customer Identification, Customer Due Diligence, and Enhanced Due Diligence. Each layer builds on the other to establish and maintain a clear understanding of who the customer is and how they use financial services.
OSINT platforms such as ShadowDragon Horizon™ augment each layer of the KYC framework. By linking the conventional customer data to online activities, associations, and behavioral risk factors, intelligence-led visibility allows institutions to confirm identities, assess risk more accurately, and uncover hidden relationships that might indicate misuse or elevated exposure.
Customer Identification Program (CIP)
In the U.S., the Bank Secrecy Act and the AML regulations that implement it require financial institutions to establish a Customer Identification Program (CIP). As outlined by the FFIEC and FinCEN, a CIP must obtain and verify at least the following four data elements for each customer:
- Full name
- Date of birth (for individuals)
- Residential or business address
- Identification number (Social Security number, taxpayer ID, or for non-U.S. persons, a foreign government-issued ID number)
Each institution must have a reasonable belief that it knows the identity of each customer before it opens an account. Verification of this information can be documentary (e.g., government-issued IDs) or non-documentary (e.g., third-party reference data from trusted databases).
OSINT tools like ShadowDragon support non-documentary verification by enabling compliance teams to compare information supplied by customers to data available from external sources (email addresses, web activity, etc.). This enables compliance teams to verify the existence of an individual or entity, identify potential indications of identity fabrication, and record verification efforts with defensible proof.
Financial institutions must maintain records of all information received, including how and from whom it was verified, and the results of verification, in accordance with BSA/AML record-keeping requirements.
Customer Due Diligence (CDD)
After identifying a customer, the next step for banks is to assess the customer’s risk profile and the expected nature of the relationship. FATF Recommendation 10 defines this process as Customer Due Diligence, including:
- Determining the purpose and expected nature of the account or business relationship
- Performing a risk assessment using geography, transaction and product types, customer activities, and other risk factors
- Ongoing monitoring to ensure that transactions are consistent with the stated purpose and risk level, as well as to identify unusual or suspicious activity
Embedding OSINT into the CDD stage enables institutions to update customer risk profiles on an ongoing basis with real-world information. ShadowDragon Horizon™ can reveal new risk indicators, such as links to sanctioned parties, emerging adverse media, or online ties to high-risk locations, that can help compliance teams align monitoring to the customer’s changing risk profile.
Customer Due Diligence is an ongoing process that occurs throughout the customer relationship and continues to evolve in response to changing risk levels and behaviors.
Enhanced Due Diligence (EDD)
In some cases, more information about a customer is necessary due to higher perceived risks. Enhanced Due Diligence (EDD) may be triggered by any of the following:
- Relationships with or transactions involving high-risk jurisdictions or sectors, as designated by FATF and other regulators
- Customers who are or may be politically exposed persons (PEPs), such as government officials or executives at high-profile companies who may be at higher risk of bribery or corruption
- Legal entities with complex ownership structures or opaque beneficial ownership
EDD measures often include additional scrutiny into the origin of funds, independent verification of beneficial owners, and increased transaction monitoring. OSINT platforms like ShadowDragon are particularly useful at this stage. Mapping out the relationships between companies, beneficial owners, and their digital infrastructure will help to uncover obscured ownership layers, offshore connections, and online footprints that point towards higher-risk activity.
The FATF guidance has also urged the financial sector to take reasonable measures to identify and verify the beneficial owners of legal entities, ensuring that ultimate ownership is not hidden.
Together, CIP, CDD, and EDD form a comprehensive KYC program in compliance with U.S. BSA/AML requirements and FATF international standards that safeguards financial institutions against misuse.
The KYC Process

An effective Know Your Customer process follows a series of steps, beginning at onboarding and continuing through the life of the customer relationship.
Collect and Verify Identity Information
Core identity information, including a customer’s name, date of birth, address, and a government-issued ID (such as a passport or driver’s license), is collected and verified against trusted data sources.
Increasingly, financial institutions supplement document verification with biometrics (e.g., selfies, live video) to ensure that the person presenting the document is the same person as the individual applying for the account.
Verification involves more than just collecting documents. Banks and fintechs also verify the authenticity of the provided documents by confirming key document security features and validating them against trusted sources.
Identity platforms like Horizon™ Identity and risk-data vendors such as LexisNexis integrate with third-party solutions and customer onboarding flows, automating identity verification and streamlining onboarding while meeting FFIEC and FinCEN guidelines for establishing a “reasonable belief” that a customer is who they claim to be.
Screen Against Lists and Assess Risk
Next, customer information is screened against sanctions and watchlists, such as the U.S. OFAC list, the UN Security Council Consolidated List, and the EU Consolidated Financial Sanctions List, and checked for politically exposed persons (PEPs). Sanctions screening enables financial institutions to avoid relationships with individuals or entities associated with terrorism, organized crime, or other prohibited activities.
The institution then assigns a risk rating (low, medium, or high) to the customer based on the results of the sanctions screening and the overall customer profile. This rating will determine the level of transaction monitoring and frequency of future KYC reviews.
OSINT-powered intelligence can also add context to sanctions and PEP screening. ShadowDragon Horizon™ can help compliance teams uncover indirect or obscured links to sanctioned parties through online relationship mapping, shared infrastructure, or beneficial ownership networks. This additional context provides investigators with a more comprehensive understanding of high-risk associations that may be overlooked by static screening processes, enabling them to better inform customer risk ratings.
This risk-based approach is a key principle of effective CDD, according to FATF guidance and EU AML regulations.
Ongoing Monitoring and Refresh
KYC requirements don’t end after onboarding. Financial institutions should monitor for new events that could alter a customer’s risk profile, such as unusual transaction activity, and periodically re-verify that the information on file remains accurate.
Suspicious transactions, a change in majority ownership, a new flurry of high-risk transactions, or adverse news coverage might trigger a KYC refresh. Horizon™ Monitor enables continuous KYC monitoring by notifying institutions of related external events, such as new internet entities, website registrations, or online activity by existing customers. These real-time signals can be ingested into monitoring workflows for live risk profile updates, earlier exposure detection, and defensible documentation of changes in customer behavior.
For some banks, the ultimate goal is a perpetual KYC model (pKYC), also known as Dynamic Customer Due Diligence (advocated by Oracle and PwC, among others), where information updates in real time as events unfold, rather than on a fixed calendar cycle. When combined, identity validation, risk-based screening, and ongoing monitoring create a KYC process that meets compliance expectations while adjusting to changes in customer risk.
Digital KYC and eKYC Methods

Digital KYC (also known as electronic KYC or eKYC) refers to the ability of financial institutions to verify customer identities remotely, thereby speeding up the onboarding process while still satisfying AML/CTF requirements. The specific processes involved may differ from jurisdiction to jurisdiction and between different regulators; however, some common methods and supporting technologies are being used worldwide.
OSINT tools like ShadowDragon Horizon™ extend the reach of digital KYC by linking known, verified identity data to external, real-world information. Institutions can cross-reference applicant details using open source signals, including website ownership, social presence, and associated online infrastructure.
Remote Identity Verification Methods
KYC processes can now be completed entirely online, using one or more of the following methods:
- Video KYC – Verification over a live or recorded video call with a compliance officer, who checks an applicant’s ID document and matches it against their live appearance.
- One-time password (OTP) verification – A code is sent to a registered mobile phone number or email address, which is used to verify possession of a device or email account.
- National e-ID schemes – Digital ID programs backed by governments, such as India’s Aadhaar, the EU’s eIDAS framework, or Singapore’s SingPass, that can be used for secure electronic authentication.
Thales Group notes that each country has its own unique set of rules for digital onboarding, but national e-ID frameworks and third-party remote identity proofing solutions are increasingly accepted by regulators when they provide adequate levels of security, privacy, and auditability.
ShadowDragon Horizon™ can augment the above methods by confirming the digital identity associated with a customer (e.g., email address, phone number, related websites) has verifiable and legitimate online activity, potentially enabling financial institutions to identify synthetic identity fraud, attempted identity theft, or impersonation that might otherwise be missed in standard eKYC checks.
Tools and Technology
Behind the scenes, digital KYC relies on a range of specialized tools and technologies for verification and fraud detection, such as:
- Optical character recognition (OCR) to extract personal data from identity documents for automated validation.
- Liveness detection to verify the person presenting an ID document is physically in front of a camera and not using a photo, deepfake, or video recording.
- Document authenticity checks to validate IDs and detect tampering by verifying digital signatures, holograms, watermarks, microprint, or other security features.
- Risk engines and analytics to assess behavioral, geolocation, and device fingerprinting data and flag anomalies.
- OSINT tools like ShadowDragon Horizon™ to compare and contrast behaviors and geolocations against open-source indicators of risk, such as connections to known fraud rings, malicious websites, or criminal infrastructure.
Oracle notes how these layered controls, once built into a core banking or KYC/compliance process, allow a perpetual KYC posture where identity and risk data are continuously updated. The integration of secure remote identity verification with cutting-edge fraud detection tools enables financial organizations to expedite customer onboarding and meet regulatory standards more effectively than before.
Global Standards and Who Must Comply

KYC regulations are based on international standards and are enforced through domestic laws and regulations. The compliance requirements extend to certain non-financial entities and sectors, such as law firms, accountants, real estate agents, and casinos, when these entities conduct transactions that present money-laundering or terrorism-financing risks.
OSINT plays a growing role in meeting these obligations. By correlating publicly available information, such as social networks and online activity, OSINT helps compliance teams verify identities, map beneficial ownership, and uncover obscured connections between counterparties operating across jurisdictions.
FATF Framework
The Financial Action Task Force is an intergovernmental organization that provides a global benchmark for anti-money laundering and counter-terrorist financing activities. Under FATF Recommendation 10 (Customer Due Diligence), financial institutions and certain non-financial businesses (known as designated non-financial businesses and professions, or DNFBPs) are required to:
- Identify and verify the identity of customers and beneficial owners
- Understand the nature and purpose of the business relationship
- Conduct ongoing due diligence and monitoring for suspicious activity
The FATF supports a risk-based approach to AML/CFT: firms should apply enhanced due diligence measures where the risk is greater; conversely, they may simplify measures where there is a demonstrably low risk of money laundering or terrorist financing.
Integrating OSINT into a FATF-compliant framework aligns with this risk-based approach. Leveraging tools like ShadowDragon Horizon™ enables compliance teams to dynamically identify higher-risk relationships or jurisdictions by surfacing external risk indicators, such as links to sanctioned parties, previously exposed intermediaries, or digital evidence of shell company structures. This can help inform enhanced due diligence actions, as well as simplified measures for verified low-risk customers.
Key elements of the FATF Recommendations are directly incorporated into the AML/CFT laws of over 200 countries and territories. They also inform national supervisory expectations in most jurisdictions worldwide.
KYC in the United States
KYC requirements in the United States are contained within the Bank Secrecy Act (BSA) and related anti-money laundering (AML) regulations and guidance. For example, in the FFIEC BSA/AML Examination Manual, Customer Identification Program (CIP) standards require institutions to obtain a customer’s name, date of birth, address, and a taxpayer identification number (TIN) or equivalent. An institution must also have a reasonable belief that it knows the customer’s true identity.
OSINT tools like ShadowDragon Horizon™ can aid institutions in meeting this reasonable belief standard. These tools go beyond traditional documentary verification checks, mapping emails and online presence to active, verifiable business or personal activity. This enables compliance teams to validate legitimacy and identify inconsistencies that can point to synthetic or fraudulent identities.
FinCEN issued an order in 2025 exempting institutions from collecting a TIN when opening and maintaining certain low-risk accounts, including certain government benefit disbursement accounts, provided the institution satisfies alternative BSA/AML verification steps.
Operationally, this means that institutions can tailor their onboarding flows and gain some efficiencies for those account types that meet the exemption standards, but must still document risk assessments and substitute controls.
Banks, credit unions, broker-dealers, and money service businesses are all directly responsible for CIP, CDD, and suspicious activity reporting (SAR) requirements regardless of these exemptions.
ShadowDragon also strengthens SAR processes by enabling organizations to identify external corroboration of suspicious activity. For example, OSINT analysts can determine if an entity’s counterpart has publicly known relationships to darknet activity or a history of regulatory enforcement, which can strengthen the evidentiary quality of SAR filings and demonstrate proactive oversight to FinCEN.
KYC in the European Union
The European Union’s (EU) national governments are required to implement FATF standards and have done so through an extensive AML/CFT legislative framework, currently defined by the EU’s Anti-Money Laundering Directives and the upcoming EU AML Regulation, set to take effect in July 2027.
Firms must perform risk assessments at the enterprise and customer levels and apply due diligence measures that are proportionate to those risks.
The European Banking Authority (EBA) provides additional guidance on risk factors, emphasizing the importance of identifying and verifying beneficial ownership, as well as understanding complex ownership or control structures.
ShadowDragon’s network analysis capabilities can help institutions meet these expectations by providing a visual representation of beneficial ownership and identifying indirect control relationships across jurisdictions. With correlation from OSINT data, compliance teams can detect offshore intermediaries or online connections that could reveal efforts to conceal ownership, fulfilling EBA and FATF transparency requirements.
Banks, non-bank financial institutions, payment institutions, crypto-asset service providers, and certain non-financial sectors across the EU are all expected to adopt the required risk-based and beneficial-ownership controls in their KYC programs.
By aligning with the FATF’s framework and these regional requirements, financial institutions and regulated non-financial entities can operate across borders while meeting the core objective of preventing money laundering, terrorist financing, and related financial crimes.
KYC vs. AML vs. KYB
KYC is the identity verification component of a broader AML program. Picture it as the front door: know who the customer is, determine their purpose, and set an appropriate level of monitoring. AML encompasses the entire house: KYC, sanctions screening, transaction monitoring, investigations, and reporting (e.g., SARs). That framing aligns with the FATF’s placement of customer due diligence within a risk-based AML/CFT framework.
KYB (Know Your Business) is the application of KYC principles to legal entities. The focus is on verifying the entity itself (registration, status, control structure) and identifying beneficial owners, or the natural person(s) who ultimately own or control it. The FATF guidance directly links this to CDD expectations for legal persons and beneficial ownership transparency.
ShadowDragon supports KYB objectives by mapping publicly available information about company structures, websites, and online networks. Its OSINT capabilities help to uncover who really owns or controls a company, unmask obscured layers of ownership, and identify potential connections to sanctioned jurisdictions or shell companies. These capabilities support beneficial ownership transparency in alignment with FATF recommendations.
How They Work Together
KYC, KYB, and AML work as a system: KYC and KYB establish the identity of the individuals and the business context in which they’ll be operating, then AML leverages that information to determine how closely to monitor activity and when to escalate. In that sense, identity and context are supporting risk management and oversight functions.
Onboarding
KYC confirms individuals through documentary/non-documentary checks. KYB checks confirm the existence and identity of the company (legal name, registration number, registered address, active status) and map the ultimate beneficial owners (UBOs). KYC and KYB due diligence results flow directly into the financial institution’s AML program.
ShadowDragon’s OSINT analysis aids in onboarding due diligence by automatically identifying any digital or reputational red flags, such as connections to inactive shell companies, previously flagged IP infrastructure, or internet activity that’s potentially connected to sanctioned actors. These insights provide an early warning system before customers or businesses are fully onboarded.
Risk Assessment and Screening
The KYC/KYB profile (customer type, geography, products, channels, etc.) determines the initial risk rating. AML then uses this information to set the scope and sensitivity of sanctions, PEP, and adverse-media screening and to define monitoring thresholds.
AML watchlists will have specific thresholds (higher or lower depending on type) at which specific actions must be taken. ShadowDragon’s OSINT capabilities can help to narrow these thresholds by providing contextual risk information (new connections, negative online behaviors, etc.) that’s not yet visible on formal watchlists. This external layer enhances risk scoring and prioritization accuracy.
Ongoing Monitoring
AML transaction monitoring assesses whether actual activity is consistent with the KYC/KYB profile and stated purpose. Suspicious patterns, changes in ownership, negative news, etc. trigger a KYC/KYB refresh, and where appropriate, investigations and regulatory reporting.
Continuous OSINT monitoring with Horizon™ Monitor also enables institutions to detect these trigger events in real time. Identifying new website registrations, digital infrastructure changes, or evolving connections to sanctioned networks allows compliance teams to initiate reviews and update customer profiles dynamically, supporting a perpetual KYC and KYB model.
Finally, beneficial ownership controls, which are central to KYB and required under FATF CDD expectations, ensure firms identify and verify the natural-person owners/controllers, understand complex structures, and reassess when control changes.
To make those controls effective in practice, the Institute of International Finance (IIF) and Deloitte urge jurisdictions to provide verifiable, up-to-date beneficial-ownership registries to the regulated sector, ideally anchored by unique identifiers like the Legal Entity Identifier (LEI). With that foundation, systematic BO checks, control-structure mapping, and trigger-based monitoring expose nominee arrangements and layered or circular ownership chains, closing the gaps that shell companies and front organizations are designed to exploit.
In summary, KYC is the process of verifying and identifying the individual, while KYB is the process of verifying and understanding the legal entity, including its registration, control structure, and beneficial owners. AML/CFT comprises the end-to-end controls that use KYC/KYB data with risk-based screening, transaction monitoring, investigations, and required reporting to prevent money laundering and terrorist financing.
Customer Experience and Friction

KYC processes are essential for verifying customer identity, but they’re often seen as slowing onboarding and triggering costly back-office reviews. Historically, regulations have created tension between fast, seamless customer experiences and the obligation to know the customer and monitor transactions. With modern approaches, compliance requirements and customer expectations no longer need to be at odds.
OSINT platforms like ShadowDragon Horizon™ make this balance easier to achieve. By discreetly aggregating and correlating publicly available information during onboarding (website ownership, online behavior, network affiliations, etc.), institutions can validate low-risk customers faster while subjecting only higher-risk cases to manual review. This allows OSINT to function as a friction-reduction layer for compliance.
The aim is to meet AML/CTF obligations and keep conversion high by applying a risk-based approach: less friction when risk is low; more evidence when signals say it’s warranted. That’s the principle FATF embeds in Recommendation 10 and its sector guidance.
Begin with light-touch checks for the most predictable, lowest-risk applicants, then introduce more stringent processes when context changes, such as unusual geographies or activity, high-value activity, inconsistent profile data, or adverse media. OSINT can automate the detection of those context changes.
For instance, Horizon™ Monitor continuously surfaces risk-relevant signals, such as new website registrations, emerging adverse media, or evolving digital connections, which can reveal when a customer that was previously considered low risk may now merit closer examination. This allows compliance teams to take action when risk escalates without impeding the experience for the broader customer base.
European supervisors (via the EBA’s ML/TF risk factor guidelines) also encourage firms to calibrate due diligence measures to customer and product risk, rather than applying maximum friction by default.
Below are some best practices for protecting UX while supporting compliance:
- Route by risk. Use customer profile, channel, geography, and product to assign an initial risk rating. Let low-risk users move fast and gate higher-risk cases for additional evidence (e.g., document checks, liveness, secondary records). Insights from ShadowDragon’s OSINT solutions can help power these routing models by validating digital footprints and external affiliations, helping confirm legitimate applicants faster and isolate anomalies early.
- Layer evidence, don’t front-load it. Start with silent controls (e.g., data validation, device/behavioral checks) and ask for stronger proof only on anomalies, consistent with FATF’s proportionality guidance.
- Refresh when facts change. Replace calendar-driven reviews with pKYC models that continuously validate key attributes and trigger reviews on meaningful events. This reduces unnecessary re-verification while improving detection. PwC and Deloitte describe pKYC and continuous monitoring as more efficient and customer-friendly than blanket periodic reviews. ShadowDragon supports pKYC by monitoring for real-world signals, such as newly registered websites, changes in company ownership, or associations with sanctioned networks, automatically prompting targeted refreshes without re-verifying every customer.
- Use modern authenticators to reduce clicks. Passkeys and WebAuthn flows replace shared secrets and OTPs with phishing-resistant, origin-bound credentials, so sign-in, re-authentication, and step-up prompts are both safer and shorter. Note that they authenticate a returning user; they do not prove identity at enrollment, which still rests on the document and data checks described above.
- Explain the “why.” Clear, in-flow messaging about what’s being checked and how data is used cuts abandonment and builds trust during onboarding.
- Keep verification reusable and refreshable. Build flows that reuse prior checks and refresh only when risk or profile changes.
Handled this way, KYC supports compliance and customer trust at the same time: good customers move quickly, higher-risk cases get the scrutiny they warrant, and the program remains aligned with FATF’s risk-sensitive expectations and EU supervisors’ guidance on proportionate due diligence.
Incorporating OSINT into this model also helps to satisfy that trust equation. Discreetly verifying legitimacy, identifying discrepancies, and tracking risk changes over time with external intelligence enables institutions to keep onboarding frictionless and defensible, enhancing trust with both customers and regulators.
Common Challenges and Pitfalls

KYC programs run into a persistent set of problems: screening noise that buries genuine risk, forged or synthetic identities, unreliable or inconsistent reference data, conflicting cross-border requirements, and social-engineering lures such as fraudulent “urgent KYC” requests.
The remedies are well understood, even if they take work to implement: enrich matching with corroborating attributes, layer document and liveness validation, enforce data governance, tune controls by jurisdiction, and teach customers to recognize phishing. Each challenge, and the controls that address it, is covered below.
Many of these challenges stem from a lack of context within internal systems. OSINT platforms like ShadowDragon Horizon™ can help fill those gaps by connecting customer data to real-world signals, confirming identities, uncovering suspicious connections, and surfacing additional evidence to help compliance teams cut through the noise and confidently differentiate genuine risk and false positives.
False Positives
Name-only screening and aggressive fuzzy matching can bury analysts in alerts. Transliteration variants (Mohammed/Muhammad/Mohamed), nicknames, and very common surnames (a sanctions hit on “Mohammed” or “Kim”) drive much of the volume.
Fix the basics by enriching data with corroborating attributes (date/place of birth, nationality, address history, identifiers, etc.), fine-tuning the thresholds for each list, and using entity resolution that recognizes transliteration and aliasing. Build a feedback loop from investigations back into matching rules so precision gets better over time.
OSINT can be leveraged to enhance matching accuracy by bringing in additional data points for corroboration from other sources. ShadowDragon Horizon™, for instance, can associate names, aliases, and linked profiles to verify whether an alert is a genuine match to the individual or a false match. This is especially useful in high-volume screening scenarios involving common or transliterated names.
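The screening fix described above, as an added example in Python (illustrative code, not ShadowDragon's or any vendor's implementation): names are normalized before matching (case, diacritics, fullwidth forms, punctuation, and a handful of Cyrillic/Greek look-alike letters, which is the same homoglyph problem raised under Data Quality below), tokens are sorted so name order does not matter, each list gets its own threshold, and a name hit is only escalated when a corroborating attribute such as date of birth agrees. The watchlist entries, thresholds, and confusables table are constructed for the example and are not real sanctions or PEP data; a production system would use a full transliteration/phonetic library and the Unicode confusables table rather than these stand-ins.

```python
from __future__ import annotations

import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries for illustration only; not real sanctions or PEP data.
WATCHLIST = [
    {"list": "SANCTIONS", "name": "Mohammed Al-Rashid", "dob": "1975-03-12",
     "nationality": "SY", "aliases": ["Muhammad Al Rashid", "Mohamed Alrashid"]},
    {"list": "PEP", "name": "Kim Jong-Su", "dob": None, "nationality": "KP", "aliases": []},
]

# Per-list name thresholds (assumed values). Sanctions screening tolerates a
# looser name match because corroborating attributes are checked afterwards;
# PEP screening demands a closer name match before an analyst sees the alert.
LIST_THRESHOLDS = {"SANCTIONS": 0.82, "PEP": 0.90}

# Hand-picked confusables: Cyrillic a/e/o/p/c and Greek omicron, which render like
# Latin letters and survive Unicode normalization. Production code would load the
# full Unicode confusables.txt table instead of this short assumed list.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u03bf": "o"})


def normalize_name(name: str) -> list[str]:
    """Fold homoglyphs, case, diacritics, fullwidth forms and punctuation; return tokens."""
    folded = name.translate(CONFUSABLES)
    decomposed = unicodedata.normalize("NFKD", folded)  # e.g. fullwidth 'M' -> 'M', 'e'+accent
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in stripped.lower())
    return cleaned.split()


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1]; tokens are sorted so surname/given-name order does not matter."""
    ta, tb = normalize_name(a), normalize_name(b)
    if not ta or not tb:
        return 0.0
    return SequenceMatcher(None, "".join(sorted(ta)), "".join(sorted(tb)), autojunk=False).ratio()


def attribute_agrees(applicant_value, list_value):
    """True/False when both sides carry the attribute, None when either side is missing."""
    if applicant_value is None or list_value is None:
        return None
    return applicant_value == list_value


def screen(applicant: dict, watchlist=WATCHLIST, thresholds=LIST_THRESHOLDS) -> list[dict]:
    """Return one alert per watchlist entry whose best name score clears that list's threshold.

    decision: "escalate"  name match corroborated by date of birth and nothing contradicts it
              "discard"   date of birth is present on both sides and differs (false positive)
              "review"    name matches but no attribute confirms or refutes the identity
    """
    alerts = []
    for entry in watchlist:
        candidates = [entry["name"], *entry["aliases"]]
        best = max(name_score(applicant["name"], c) for c in candidates)
        if best < thresholds[entry["list"]]:
            continue
        dob = attribute_agrees(applicant.get("dob"), entry["dob"])
        nat = attribute_agrees(applicant.get("nationality"), entry["nationality"])
        if dob is False:
            decision = "discard"
        elif dob is True and nat is not False:
            decision = "escalate"
        else:
            decision = "review"
        alerts.append({"list": entry["list"], "matched": entry["name"], "name_score": round(best, 3),
                       "dob_agrees": dob, "nationality_agrees": nat, "decision": decision})
    return alerts


if __name__ == "__main__":
    for applicant in [
        {"name": "Muhammad Al Rashid", "dob": "1975-03-12", "nationality": "SY"},   # transliterated true hit
        {"name": "Mohammed Al-Rashid", "dob": "1988-11-02", "nationality": "EG"},   # same name, different person
        {"name": "Kim Jong Su", "dob": "1960-01-01", "nationality": "KR"},          # common name, list lacks DOB
        {"name": "M\u043ehammed Al-Rashid", "dob": "1975-03-12", "nationality": "SY"},  # Cyrillic 'o'
    ]:
        print(applicant["name"], "->", screen(applicant))
```

The "discard" outcome is the one that cuts alert volume: a name-only hit on a common or transliterated name is resolved by the date of birth without an analyst touching it. Feeding analyst outcomes back into the thresholds and confusables table is the feedback loop the text recommends.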
Document Forgery
High-quality counterfeits, recycled IDs, and synthetic identities are prevalent, and deepfake selfies and video-replay attacks raise the stakes further.
Counter with layered checks. Where available, read the e-passport chip over Near Field Communication (NFC) and verify its signed data against the issuing country's certificates; check that the Machine Readable Zone (MRZ) and any barcode are internally consistent (check digits, dates, document number) and agree with the printed visual zone; run tamper and clone detection; and pair face match with liveness (e.g., challenge-response, motion and texture analysis). Cross-verify the extracted data against trusted sources (e.g., civil registries, credit headers, corporate registries) rather than relying on the image alone.
OSINT supports cross-verification by validating external signals tied to identity artifacts, such as emails or digital profiles, against expected and legitimate usage patterns. Detecting inconsistencies between declared and observed behavior can expose fabricated or synthetic identities, even with sophisticated document forgeries.
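The MRZ consistency check mentioned above, as an added Python example that is not part of the original article or any vendor's product: it recomputes the ICAO 9303 check digits (weights 7, 3, 1 over character values, modulo 10) for each protected field of a TD3 passport MRZ line and for the composite field, then compares the extracted document number, nationality, and date of birth with what the applicant declared. The sample MRZ is the published ICAO 9303 specimen for the fictional state "Utopia", used here as a test vector, not a real document; the declared-data record and the `validate_passport` wrapper are assumptions for the example. A forger who edits one digit of the date of birth without re-deriving the check digits fails two checks at once, as the tampered case shows.

```python
from __future__ import annotations

from datetime import date

# ICAO 9303 check-digit weights cycle 7, 3, 1 over the field's characters.
MRZ_WEIGHTS = (7, 3, 1)

# Specimen TD3 (passport) MRZ from ICAO Doc 9303 for the fictional state Utopia,
# holder ERIKSSON, ANNA MARIA. A published test vector, not a real document.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def mrz_char_value(c: str) -> int:
    """Digits count as themselves, A-Z as 10..35, and the filler '<' as 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted sum of character values, modulo 10."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def verify_td3_line2(line2: str) -> tuple[dict, list[str]]:
    """Split the second MRZ line into fields and recompute every check digit.

    Returns (fields, failures); an empty failures list means the line is self-consistent.
    """
    if len(line2) != 44:
        raise ValueError("TD3 MRZ lines are exactly 44 characters")
    fields = {
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "birth_date": line2[13:19],
        "sex": line2[20],
        "expiry_date": line2[21:27],
        "optional_data": line2[28:42].rstrip("<"),
    }
    # (protected characters, printed check digit). The composite check spans the
    # document number, birth date and expiry date together with their own check
    # digits and the optional data, so one altered digit breaks at least two checks.
    checks = {
        "document_number": (line2[0:9], line2[9]),
        "birth_date": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    failures = [name for name, (protected, printed) in checks.items()
                if mrz_check_digit(protected) != mrz_char_value(printed)]
    return fields, failures


def mrz_date(yymmdd: str, this_year: int, past: bool = True) -> date:
    """Expand a YYMMDD MRZ date. Birth dates use a sliding century window; expiry dates are 20YY."""
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    century = 1900 if past and yy > this_year % 100 else 2000
    return date(century + yy, mm, dd)


def cross_check(fields: dict, declared: dict, this_year: int) -> list[str]:
    """Compare MRZ-derived values with the applicant's declared data; return the disagreeing fields."""
    mismatches = []
    if fields["document_number"] != declared["document_number"].upper():
        mismatches.append("document_number")
    if fields["nationality"] != declared["nationality"].upper():
        mismatches.append("nationality")
    if mrz_date(fields["birth_date"], this_year) != declared["birth_date"]:
        mismatches.append("birth_date")
    return mismatches


def validate_passport(line2: str, declared: dict, today: date | None = None) -> dict:
    """Assumed wrapper for the example: check digits, declared-data agreement, and expiry."""
    today = today or date.today()
    fields, failures = verify_td3_line2(line2)
    mismatches = cross_check(fields, declared, today.year)
    expired = mrz_date(fields["expiry_date"], today.year, past=False) < today
    return {"fields": fields, "check_digit_failures": failures, "declared_mismatches": mismatches,
            "expired": expired, "accepted": not failures and not mismatches and not expired}


if __name__ == "__main__":
    declared = {"document_number": "L898902C3", "nationality": "UTO", "birth_date": date(1974, 8, 12)}
    review_date = date(2011, 1, 1)  # the specimen expired in 2012, so evaluate it as of 2011
    print("genuine:", validate_passport(SPECIMEN_LINE2, declared, review_date))
    tampered = SPECIMEN_LINE2[:13] + "740813" + SPECIMEN_LINE2[19:]  # birth day edited, check digits left alone
    print("tampered:", validate_passport(tampered, declared, review_date))
```

Check digits only prove that the MRZ was not edited carelessly; a competent forger recomputes them. That is why the chip signature (where the document has one) and the cross-check against external records sit above this test in the layered approach, and why a check-digit failure is best treated as a hard stop while a clean pass is merely one more piece of evidence.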
Data Quality
Poor or stale reference data is another common challenge in KYC. Out-of-date sanctions/watchlists, incomplete PEP datasets, duplicate customer records, and inconsistent name formats, such as Unicode/homoglyph variations, can all introduce risk.
Institute strong data governance, including defined list-refresh cadences, versioning, survivorship rules for golden records, and audit trails. Normalize names (Unicode normalization plus transliteration and confusable-character folding) and addresses (one consistent, jurisdiction-aware format), and keep adverse-media pipelines de-duplicated and source-ranked to avoid noise.
OSINT tools like ShadowDragon Horizon™ can enhance KYC data quality by validating and enriching customer records with external, real-world intelligence. These tools cross-verify details such as emails and company names against public data to confirm legitimacy, fill in missing context, and surface inconsistencies or conflicts that signal data errors. This creates more complete, accurate, and reliable customer profiles for compliance teams.
Additionally, ShadowDragon automatically documents data sources, relationships, and analyst actions within each case. This creates a transparent, time-stamped audit trail that shows how conclusions were reached and which evidence supported them. As a result, institutions can demonstrate defensible, well-documented decision-making to regulators, auditors, or internal reviewers.
Cross-Border Differences
ID standards, address formats, name order, and even calendar systems differ across countries. Requirements on what information can be collected and how it can be verified, as well as the availability and quality of beneficial ownership data, also vary widely.
Design onboarding flows that branch by jurisdiction. Accept local ID types, apply the right consent language, select the correct verification methods, and document when local law limits what you can retain. Don’t copy/paste controls from one market to another; instead, risk-rate and evidence-map them country by country.
ShadowDragon Horizon™ is highly effective in cross-border contexts where public records, naming conventions, and ownership structures may vary. Aggregating data from global sources, OSINT can help to verify entities and beneficial owners across jurisdictions. For investigators, OSINT can provide a consistent visibility layer where national registries may be incomplete or unavailable.
KYC Fraud and Phishing: Consumer Tips
Attackers increasingly use “urgent KYC update” phishing lures to steal credentials, one-time passwords (OTPs), and ID images. Provide customers with concise, actionable guidance:
- Never share sensitive information such as OTPs, full passwords, or ID selfies via email, SMS, or chat.
- Avoid unsolicited links. Do not click links in unexpected messages requesting that you update your personal information. Instead, access services through the official mobile app or by manually typing the institution’s verified URL.
- Verify the source. Check the sender’s email address and app-store publisher, and be alert to certificate warnings or unusual spellings. Institutions can also leverage OSINT-based web and network analysis to identify and take down fraudulent websites posing as legitimate institutions. ShadowDragon’s ability to map malicious infrastructure helps banks and other institutions identify phishing campaigns before they’re fully launched and notify customers before the fraudulent sites are heavily exploited.
- Enable strong security. Turn on multi-factor authentication in the official app and activate account alerts for new devices, password changes, and high-value transfers.
- Act quickly if exposed. If information has been shared or a link clicked, immediately contact the institution, change passwords, revoke tokens or sessions, place a fraud alert or credit freeze where available, and monitor account statements and credit reports.
When managed systematically, these risks become controllable: reduce false positives with better data and tuning, defeat forgeries with layered verification, respect local rules with jurisdiction-aware flows, and keep customers safe with plain-language anti-phishing playbooks.
Final Thoughts
Regulations and guidance documents tell you what to do. Open-source intelligence (OSINT) helps you do it faster and with fewer blind spots. ShadowDragon’s solutions give your KYC and fraud teams the external context they need to validate identities, triage alerts, and investigate anomalies without drowning in noise.
- Resolve identities across the open web. Horizon™ Identity correlates disparate identifiers (emails, phone numbers, usernames, IP addresses, etc.) into actionable profiles, surfacing aliases, geo-indicators, and behavioral signals you can compare against what the customer told you. That’s invaluable for onboarding assurance, step-up reviews, and EDD.
- Surface relationships you’d otherwise miss. ShadowDragon Horizon™ delivers link analysis and graphing at speed, pivoting across large datasets to reveal connections between subjects, infrastructure, and entities, which is especially useful when mapping beneficial owners/controllers or testing for undisclosed ties. Integrations such as OpenCorporates help enrich corporate due-diligence work.
- Monitor for changes that matter. Horizon™ Monitor watches open sources in real time (e.g., social platforms, forums, dark-web venues, news) and alerts you to risk triggers (e.g., adverse chatter tied to a customer, sale of forged documents, or newly surfaced compromise) so you can refresh KYC based on events, not just calendar cycles.
- Reduce false positives and focus investigations. ShadowDragon Horizon™ is purpose-built to filter out noise and highlight meaningful digital connections, shortening the time from alert to decision while maintaining a defensible audit trail.
A strong KYC program aligns to FATF and local regulations, runs a risk-based process, and maintains fresh information. Augmenting that framework with ShadowDragon’s Horizon™ suite of tools helps teams validate identities faster, surface hidden relationships, and trigger timely reviews, enabling compliance, fraud, and investigations teams to operate effectively and efficiently. Contact us for a demo to learn how ShadowDragon can support your KYC processes.