
5 most common KYC process mistakes and how to avoid them

70% of financial institutions have lost customers in the past year due to an ineffective onboarding process.

That's according to the Financial Crime Industry Trends 2025 report prepared by Fenergo, based on a survey of 600 decision-makers from banks, asset management firms and fund administrators.

What's more, the Fenergo study shows that the scale of the problem is growing. In 2024, the percentage was 67%, and in 2023, 48%.

One of the main reasons for these difficulties is the complexity of KYC (Know Your Customer) processes and the mistakes made in them.

Key findings

  • 70% of financial institutions are losing customers through ineffective onboarding, including onboarding problems related to KYC processes.
  • The most common mistakes we see include an outdated or superficial risk assessment, improper identity verification, lack of compliance with GDPR, treating KYC as a one-time process, and lack of a consistent compliance culture.
  • In more than half of financial institutions, between 31% and 60% of tasks related to KYC processes are still performed manually. At the same time, institutions are increasingly recognizing the need for automation, with 62% of organizations citing investment in technology as one of their top KYC and AML priorities.
  • Improper KYC processes, often in connection with the simultaneous obligation to comply with GDPR, can lead to penalties (including financial ones), as in the case of ING Bank, where the fine was set at more than PLN 18 million.
  • Automation and digital identity verification tools (e.g. Autenti) reduce these risks and increase efficiency.

What is KYC and why is it so important?

KYC involves verifying a customer's identity and assessing the risks associated with establishing a relationship.

It is an essential component of anti-money laundering (AML) and counter-terrorist financing (CFT) systems, as it allows institutions to understand who they are working with and whether the customer's activities match the declared profile.

Mistakes in this area can lead to serious consequences, ranging from regulatory risk, reputational damage and loss of customers (see the Fenergo report) to situations in which an institution unwittingly becomes a vehicle for money laundering or other crimes.

A large part of these consequences is due to repeated mistakes in the KYC process.

In the rest of this article, we discuss five of the most common mistakes that occur in the KYC process, and how they can be effectively avoided.

1. Outdated or superficial customer risk assessment

What the error is

One of the most common problems in the KYC process is the failure to update the customer's risk assessment after applying financial security measures.

This is a situation where the risk profile is created only at the onboarding stage and then remains unchanged for a long time. Changes to the customer's profile, even something as simple as a new residential address, are often not taken into account.

Risk assessment is sometimes treated as a one-time formality, instead of being part of the ongoing process of managing the customer relationship.

What this is due to

One reason is definitely the limited time and resources of compliance teams. Additionally, in many organizations KYC processes still rely heavily on manual work.

Fenergo's research shows that in more than half of financial institutions, between 31% and 60% of tasks related to KYC processes are still done manually. At the same time, institutions increasingly recognize the need for automation, with 62% of organizations citing investment in technology as one of their top KYC and AML priorities. (source)

Why it's a problem

A customer's risk profile is not immutable.

If an institution does not update this assessment, there is a risk of misclassifying the customer and, consequently, applying inappropriate security measures.

How to avoid it

To reduce this risk, organizations should:

  • regularly update the customer risk assessment, e.g., quarterly,
  • link the risk assessment to cyclical AML reviews and customer relationship monitoring,
  • automate the process of updating data in compliance systems,
  • use solutions that enable digital verification and confirmation of customer identities, e.g. through electronic verification platforms such as Autenti.

2. Incorrect verification of customer identity

What the error is

The second common problem in KYC processes is incorrect verification of customer identity or the wrong choice of identification method.

This occurs in various verification methods. For example:

  • video verification: the error can be the lack of verification of "liveness" (liveness detection, which is the evaluation of the head movements made), blurred images of the document or the lack of comparison of the image with the identity document,

  • verification using an e-card or other document with an electronic layer: the problem is sometimes the failure to read data from the electronic layer of the document or the omission of cryptographic authentication of the document,

  • verification through e-banking: there are times when the account owner's data is not checked against the customer's data or transfers from accounts belonging to other people are allowed,

  • identification using a qualified signature or Trusted Profile: the error may be the failure to verify the validity of the certificate or the failure to link the signature to a specific person whose data is in the system,

  • verification of the customer's document when visiting the organization's facility in person: failure to perform proper verification of the customer's document, such as not paying attention to the expiration date of the document.

 

Problems also arise when the verification method is not matched to the customer's risk level, or when the process is not properly documented and does not leave a clear audit trail.

Here you can read more about the different methods of verifying a customer's identity, how to prepare for them, how to go through them correctly, and which method to choose in a given situation.

What it stems from

There can be many reasons for incorrect identity verification. Often they are simple human errors, resulting from a large number of processes being handled or time pressure.

The problem can also be an ambiguously described verification process, where we don't have clear guidelines on what steps to follow and how to document each verification step.

An additional challenge can be the tools used for remote verification, which are not intuitive or do not integrate well with the organization's systems.

Also, don't overlook situations where the problem stems from an intentional user action. Attempts to impersonate others or use other people's data are among the most common forms of abuse in digital services today.

According to Sumsub's 2025 data, the number of identity verification fraud attempts has increased by 48% globally, although the Asia-Pacific region has seen a decline, partly attributed to regulatory progress on digital identification (the data relates to the cryptocurrency market).

Why it's a problem

Failure to properly verify a customer undermines one of the primary goals of the KYC process, which is to ensure that an institution knows with whom it is establishing a relationship.

Deficiencies in this area increase the risk of regulatory violations and make audits or inspections more difficult.

How to avoid it

To reduce the risk of errors in customer identity verification, it is worthwhile to take care of several elements:

  • precisely defining the verification methods permitted in the organization and the situations in which they should be used,
  • documenting each stage of the verification process so that it can be reconstructed during an audit,
  • standardizing procedures across the organization, especially if the process is handled by several teams or systems,
  • using remote identity verification tools that automate customer verification, record the process, and integrate the verification result with compliance systems.

3. Lack of compliance with GDPR and mismanagement of customer data

What the error consists of

The KYC process involves processing a large amount of personal data, including sensitive data.

Errors in this area include:

  • storing data without adequate safeguards,
  • failure to control access to identity documents,
  • processing data without a clearly defined purpose,
  • lack of a proper data retention policy.

What this is due to

Most often, this is due to systems not being aligned with the requirements of the GDPR or treating KYC solely as an AML obligation, without considering the data protection aspects.

Why it's a problem

Data protection violations can lead to:

  • leaks of personal data,
  • administrative penalties under GDPR,
  • loss of customer confidence.


A real-world example is the case of ING Bank Slaski, which was fined more than 18 million zlotys by the President of the Office for Personal Data Protection (UODO) for unreasonably collecting copies of customers' ID cards.

The supervisory authority found that the bank had introduced procedures requiring bulk acquisition of documents for many activities, going beyond the AML Act, without an individual risk assessment and without a legal basis.

According to the DPA, scanning documents "in bulk" posed a high risk of violating customers' rights, for example through identity theft or loan fraud.

How to avoid this

  • Implement data security and access control policies,
  • apply the principle of data minimization,
  • clearly define data retention periods,
  • use certified solutions that meet GDPR requirements.

4. Treating KYC as a one-time process

What the mistake is

In many organizations, KYC ends at the onboarding stage, with no further updates to customer data.

Changes such as the following are then not taken into account:

  • change in customer behavior,
  • change in risk level,
  • new information about the customer.

What this is due to

The reason is often lack of automation and limited resources of compliance teams.

Why it's a problem

The customer profile changes over time. Lack of updates can lead to:

  • incorrect risk assessment,
  • use of inappropriate security measures,
  • AML violations.

As an example, let's look at financial institutions.

Lacking effective monitoring of customer relationships, an institution may miss transactions that deviate from the customer's stated business profile or lack a clear business rationale.

Suspicious operations, such as sudden changes in transaction volumes, transfers to new countries or unusual sources of funds may go undetected.

From a regulatory perspective, the consequences of such negligence can be very serious.

AML pressure from regulators, especially on financial institutions, is steadily increasing. Fenergo's analysis of AML penalties shows that the global value of fines imposed on financial institutions reached $4.6 billion in 2024 (after a record $6.6 billion in 2023), with North America accounting for 94% of all fines in 2024. In the first half of 2025, regulators have already imposed $1.23 billion in fines, a 417% increase compared to the first half of 2024. (source)

How to avoid this

  • Implement cyclical KYC reviews, such as quarterly,
  • automate data updates,
  • link KYC to customer activity monitoring.
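One way to link the cyclical review to activity monitoring, as an added example that is not Autenti's or any vendor's code. The 90-day interval follows the "quarterly" suggestion above; the 30-day window, the 3x threshold, the field names and the sample data are assumptions, and only volume spikes and new destination countries are covered.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumption: the "quarterly" cadence from the text
WINDOW = timedelta(days=30)           # assumption: look-back window for activity
SPIKE_FACTOR = 3.0                    # assumption: illustrative threshold, set per risk policy

@dataclass
class Customer:
    customer_id: str
    last_review: date
    declared_countries: frozenset     # countries in the declared business profile
    declared_monthly_volume: float    # expected turnover stated at onboarding

@dataclass
class Transfer:
    day: date
    amount: float
    country: str

def review_triggers(customer, transfers, today):
    """Return the reasons this customer's KYC risk assessment needs refreshing."""
    reasons = []
    if today - customer.last_review > REVIEW_INTERVAL:
        reasons.append("periodic review overdue")
    # Only look at transfers inside the window; ignore future-dated records.
    recent = [t for t in transfers if timedelta(0) <= today - t.day <= WINDOW]
    volume = sum(t.amount for t in recent)
    # A zero declared volume with any activity also trips this check.
    if volume > SPIKE_FACTOR * customer.declared_monthly_volume:
        reasons.append(f"30-day volume {volume:.0f} above {SPIKE_FACTOR}x declared")
    undeclared = sorted({t.country for t in recent} - customer.declared_countries)
    if undeclared:
        reasons.append("transfers to undeclared countries: " + ", ".join(undeclared))
    return reasons

# Constructed sample data, not real customers or transactions.
TODAY = date(2025, 6, 30)
QUIET = Customer("C-001", date(2025, 5, 15), frozenset({"PL", "DE"}), 10_000)
DRIFTED = Customer("C-002", date(2025, 1, 10), frozenset({"PL"}), 5_000)
QUIET_TX = [Transfer(date(2025, 6, 10), 4_000, "PL"), Transfer(date(2025, 6, 20), 3_000, "DE")]
DRIFTED_TX = [
    Transfer(date(2025, 4, 1), 50_000, "PL"),   # outside the 30-day window
    Transfer(date(2025, 6, 5), 12_000, "PL"),
    Transfer(date(2025, 6, 25), 9_000, "AE"),
]

if __name__ == "__main__":
    for cust, txs in ((QUIET, QUIET_TX), (DRIFTED, DRIFTED_TX)):
        print(cust.customer_id, review_triggers(cust, txs, TODAY) or "no review needed")
```

Each returned reason is a string that can be written to the customer's file, so the decision to re-assess leaves an audit trail.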

5. Lack of consistent communication and compliance culture in the organization

What the mistake is

A final, often overlooked mistake in the KYC process is the lack of consistent internal communication and insufficient understanding of compliance responsibilities by employees.

In practice, this means that:

  • different teams (e.g., operations, onboarding, compliance) operate in isolation from each other,
  • employees are not clear about their responsibilities in the KYC process,
  • procedures exist formally, but are not actually followed.

What this is due to

Most often, this is due to a lack of regular training and insufficient organizational commitment to building a compliance culture.

It can also be a problem that teams are disconnected from each other and that KYC is treated as the responsibility of the compliance department alone, rather than the entire organization.

Why it's a problem

Even the best-designed KYC procedures will not be effective if they are not properly understood and applied by employees.

Lack of consistency in operations can lead to:

  • inconsistent customer verification,
  • omission of important elements of the process,
  • increased risk of errors and regulatory violations.

How to avoid it

To mitigate these risks, it is worthwhile to:

  • conduct regular KYC and AML training,
  • clearly define roles and responsibilities in the process,
  • build cooperation between teams (compliance, operations, IT),
  • treat compliance as part of daily operations, not a one-time obligation,
  • use training tools (e.g., online modules, workshops) to help keep knowledge up-to-date in the organization.

Summary

In European markets, and especially in Poland, the legal basis for AML activities is the Act of March 1, 2018 on AML and terrorist financing, implementing EU directives and defining the obligations of financial institutions.

Collecting data and documents is not yet KYC.

The most common mistakes, including an outdated risk assessment, improper identity verification, poor data management, or treating the process as a one-off, can lead to lost customers and even regulatory violations.

An effective KYC process requires continuous data updates, process automation, thorough customer verification, and constant monitoring of customer activities. Only in this way can an institution actually minimize risk and build customer trust.

However, creating such a procedure is not the easiest task, as the ING example shows us.

One of the solutions to all these problems is adequate expert support and the choice of modern and, above all, safe technological solutions.

If you are not sure whether your customer identification processes are appropriate, contact our experts. We will help you choose the right customer identity verification methods that fit your KYC procedures.

FAQ

Why was my KYC verification rejected? And what should I do after KYC rejection?

Your KYC verification may have been rejected if the data was outdated, the documents were incorrect, or the identity verification was not performed according to procedure. In such a situation, it is best to fill in the missing information and provide the correct documents, and if in doubt, contact the institution handling the process.

What mistakes to avoid in the KYC process?

The most common mistakes in KYC processes include an outdated or superficial customer risk assessment, improper identity verification, lack of compliance with GDPR and improper data management, treating KYC as a one-time process, lack of consistent communication and compliance culture within the organization, and insufficient transaction monitoring. Any of these problems can lead to serious consequences, including loss of customers, misclassification of risks and regulatory violations.

How to effectively avoid errors in the KYC process?

To minimize the risk of errors, the KYC process should be continuous and systematic. It is important to regularly update customer data and risk assessments, automate identity verification processes using digital tools, continuously monitor customer activity and transactions, and establish consistent communication and compliance culture across the organization. At the same time, it is important to ensure data security and compliance with regulations, including GDPR, to protect both the institution and customers.

What tools can support KYC?

Automation and digital identity verification platforms, such as Autenti, can significantly reduce the risk of errors, speed up the onboarding process and provide a full audit trail. They can enable an institution to efficiently manage data updates, document verification and customer monitoring while maintaining regulatory compliance.