The 6 Biggest Compliance Risks of Using AI in KYB Onboarding and How to Mitigate Them

Compliance management

Client onboarding

KYB and KYC Verification

Biggest Compliance Risks of Using AI in KYB Onboarding

For most compliance functions, there's a good chance that AI or automation is already involved in how you onboard business clients. It might be a platform that retrieves registry data automatically. It might be a tool that maps beneficial ownership across jurisdictions and assigns a risk score. It might be a workflow that flags potentially high-risk structures for human review while passing standard cases through without analyst involvement.

All of those things make compliance more manageable at scale. They also introduce specific compliance risks that are easy to underestimate, because the risk does not announce itself in the way a missed document or an unsigned form does. AI-related compliance failures tend to be systemic rather than isolated. When a miscalibrated model is producing unreliable risk scores, it is producing them for every case it processes. When the registry data behind an automated onboarding check is stale, every client onboarded through that check has a gap in their CDD record that may not be visible until an examination.

Regulators are already finding and acting on these failures. From April 2024 to March 2025, the EBA's EuReCA database recorded 1,279 serious AML/CFT deficiencies across EU credit and financial institutions, with CDD shortcomings the most frequently cited. The EBA's July 2025 Opinion on ML/TF risks found that more than one third of competent authorities report significant or very significant risks specifically linked to the "unthinking use" of onboarding and CDD RegTech solutions. That finding is about tools that are deployed without adequate governance, not tools that are inherently unreliable. The risk is not in using AI for KYB onboarding. It is in using it without understanding what can go wrong and how.

This article breaks down the six biggest compliance risks of using AI in KYB onboarding, the regulatory framework that makes each one a genuine legal exposure rather than just an operational concern, and the specific mitigations that actually close the gap.

Why AI in KYB Onboarding Deserves This Level of Scrutiny

Before examining the specific risks, it is worth being clear about why KYB onboarding is a particularly consequential area for AI-related compliance risk.

KYB onboarding is the moment at which a regulated institution decides whether to establish a business relationship. It is where the institution's CDD obligations under the current AML Directives and, from July 2027, under Regulation (EU) 2024/1624 (the AMLR) are activated. It is where beneficial ownership must be identified and verified. It is where the risk rating that will govern the entire customer relationship is first assigned. And it is the point at which the institution collects and records the evidence that must be retrievable for five years from the end of the relationship.

Every compliance failure that occurs at onboarding compounds over time. A beneficial ownership record that was incorrectly captured on day one becomes the foundation for five years of monitoring decisions. A risk score that was miscalibrated at onboarding determines whether enhanced due diligence is triggered, whether the relationship receives heightened monitoring, and whether sanctions or PEP checks are run at the frequency the risk profile actually warrants.

When AI makes those initial assessments, the quality of everything downstream depends on whether the AI is operating on accurate data, is calibrated to the institution's actual risk profile, and is properly overseen by humans who understand what the system is doing and can intervene when it goes wrong.

Risk 1: AI Operating on Stale or Non-Live Registry Data

The most fundamental risk in AI-powered KYB onboarding is also the least visible: the data that feeds the AI is not current.

Many KYB tools and data providers do not connect directly to official company registries. Instead, they operate on aggregated, cached, or periodically refreshed commercial datasets that pull from multiple sources and present a consolidated view. The lag between a registry update and its appearance in the tool can range from days to months, depending on the data provider's refresh cycle and the jurisdiction involved.

This matters because the AMLR requires that customer due diligence is conducted using "reliable and independent sources." AMLA's February 2026 consultation on its draft Regulatory Technical Standards under Article 28(1) of the AMLR is developing specific requirements around what those sources must look like, including attributes that electronic identification means and other verification sources must have to qualify. A dataset that reflects registry information from several months ago does not present the same reliability as a live query to the official registry, and the distinction matters in an examination.

The practical consequence is that an institution may believe it has verified a company's registration status and ownership structure, while the AI tool is returning information that no longer accurately reflects the company. A director who resigned three months ago may still appear as a controller. A company that has been struck off may appear as active. A change in ownership structure that would have triggered enhanced due diligence may be invisible in the cached dataset.

Mitigation: When evaluating KYB tools, require vendors to demonstrate live or near-live registry connectivity, not simply data refresh cycles. Ask specifically how long data can be cached before a fresh query is triggered and what the retrieval model is for jurisdictions where your client base is concentrated. For the highest-risk onboarding cases, build in a policy of direct registry verification rather than relying solely on aggregated data. Document the data sources used for each onboarding decision as part of the audit trail.

Risk 2: Automation Bias and the Rubber-Stamp Review Problem

The second risk is one that the EU AI Act identifies directly, and that regulators see consistently in examinations: the human reviewer who is nominally overseeing AI-assisted KYB decisions is not actually exercising independent judgment. They are approving what the system has already indicated it recommends.

This is the automation bias problem. When a KYB tool presents a compliance analyst with a verification summary, a risk score, and a recommended decision, the cognitive effort required to override that recommendation is substantially higher than the effort required to approve it. The institutional environment compounds this: analysts working through a large queue of onboarding cases are under time pressure, and a system that has correctly categorised the last fifty cases will tend to receive deference on the fifty-first even when independent judgment would have led to a different outcome.

The EU AI Act (Regulation (EU) 2024/1689) addresses this directly in Article 26. Deployers of high-risk AI systems must assign oversight to natural persons who are enabled to be aware of the possibility of automatically deferring to the AI, and must ensure those persons have the information and authority to correctly interpret and, where necessary, override the system's output. AI systems used in AML risk profiling and decisions affecting access to financial services fall within the high-risk category under Annex III. An institution that deploys such a system without taking specific measures to counteract automation bias in its review process is not meeting the deployer obligations the Act imposes.

Article 22 of the GDPR adds a parallel protection: decisions about individuals that produce significant legal effects cannot be made solely on the basis of automated processing. Where a KYB tool's automated output is the de facto basis for an onboarding decision that affects the business customer, the absence of genuine human review creates a potential GDPR violation alongside the AI Act exposure.

Mitigation: Design the human review workflow to require the analyst to document their independent assessment rather than simply approving a recommendation. Implement a structured review checklist that requires the analyst to examine specific elements of the onboarding record separately from the AI's summary. Build in periodic calibration exercises where analysts review cases and compare their independent assessments to the AI's outputs, so that divergence and accuracy can be tracked. Ensure that the human oversight person has the necessary competence and training to question the AI output, as the EU AI Act explicitly requires.

Risk 3: Beneficial Ownership Miscapture at Complex or Layered Structures

The third risk is specific to beneficial ownership identification and sits at the intersection of a threshold change, a data coverage gap, and an inherent limitation of automated ownership mapping tools.

From 10 July 2027, the AMLR harmonises the EU beneficial ownership threshold at 25 percent or more of shares, voting rights, or other ownership interests. The current AML Directives use "more than 25 percent." This shift means that a natural person holding exactly 25 percent of a company's equity must now be identified and verified as a UBO. KYB tools configured around the old threshold will miss that person automatically and consistently, across every onboarding case where the edge case arises, without any alert being generated.

Beyond the threshold issue, AI-powered ownership mapping tools vary significantly in their ability to handle complex or layered ownership structures. A company that is owned by a holding company that is owned by a trust that is administered by a nominee trustee on behalf of a beneficiary who holds effective control presents a chain of relationships that automated mapping tools may handle differently depending on the depth of their data sources and the logic of their ownership resolution algorithms. The AMLR requires identification of all natural persons in the ownership chain above the threshold, including a fallback to the senior managing official where no natural person meets the threshold. For trusts, foundations, and similar structures, the identification obligation extends to settlors, trustees, protectors, beneficiaries, and anyone exercising ultimate effective control.

An AI tool that terminates its ownership search at the first legal entity layer, or that fails to resolve nominee arrangements, is producing an incomplete beneficial ownership record even when it appears to have completed the verification.

Mitigation: Test your KYB tool against complex ownership structures before relying on it for live onboarding decisions. Create a set of test cases that include layered holding company chains, nominee arrangements, trusts, and structures where ownership is dispersed across multiple natural persons near the threshold. Understand specifically how the tool handles the fallback to senior managing official when no natural person meets the threshold. Update all onboarding workflows to reflect the AMLR's 25 percent or more threshold ahead of the July 2027 application date. For structurally complex clients, build a policy of supplementary manual review rather than relying solely on automated mapping output.

Risk 4: Risk Scoring Miscalibration as Business Profiles Evolve

The fourth risk is one of the most operationally damaging because it is invisible in day-to-day operations and only becomes visible when something goes wrong: the AI-powered risk scoring model is calibrated to a version of the institution's risk profile that no longer exists.

Most AI-powered KYB tools apply risk scoring models that weight factors like jurisdiction of incorporation, ownership structure complexity, business sector, transaction type, and PEP connections to produce a risk rating for each new business client. Those models are trained or configured at a point in time based on the institution's understanding of its risk exposure at that moment. As the institution's business evolves, its client mix changes, it enters new markets, or it adds new products, the risk profile shifts. The model does not update itself.

The EBA's July 2025 Opinion found that 52 percent of competent authorities cite a lack of institutions' understanding of ML/TF risks associated with their fintech products and services as a concern, up from 35 percent in 2023. That finding is closely related to this problem: when an institution's risk assessment was designed for one version of its business and the business has grown beyond it, the automated risk scoring that flows from that assessment will systematically misclassify clients in ways that are hard to detect from inside the institution.

A risk score that is too low will cause a client who should receive enhanced due diligence to receive standard CDD. A risk score that is too high will generate unnecessary friction and alert volume. Both create compliance exposure: the first because it produces CDD that does not meet the regulatory standard for the client in question, and the second because it degrades the quality of the review process for cases where elevated scrutiny is genuinely warranted.

Mitigation: Establish a formal programme for periodic recalibration of the risk scoring model, triggered by material changes in the business, including new client segments, new geographies, new products, or significant changes in transaction volume or profile. This recalibration should be treated as a compliance governance activity, not a technical maintenance task, which means the compliance officer should be involved in approving the updated parameters. Document the current calibration and the reasoning behind it as part of the business-wide risk assessment, so that supervisors examining the institution can see how the automated risk scoring connects to the risk appetite framework.

Risk 5: Audit Trail Deficiencies in AI-Assisted Onboarding Decisions

The fifth risk is one that combines an AI-specific problem with the general audit trail requirements that the AMLR imposes, and creates a gap that is particularly difficult to close retroactively.

When an AI system produces a risk score or a verification summary, the output is the result of a process that may not be fully transparent even to the compliance team using the tool. The model applied a set of rules or weights to a set of inputs and produced a number or a recommendation. If a supervisor examining the case three years later asks "why was this client rated medium risk rather than high risk," the answer "the system scored them at 62 out of 100" is not an adequate explanation under the AMLR's CDD requirements. The institution must be able to demonstrate that the decision was made on a sound, documented basis.

Under Article 77 of the AMLR, records must be retained in a form that is usable for investigation and monitoring purposes. That standard requires more than storing the AI's output. It requires that the reasoning behind the onboarding decision is documented in a way that can be understood and assessed by a competent authority years after the decision was made. Where the AI's contribution to that decision is a black-box score, the audit trail is deficient regardless of how much other documentation exists.

This is compounded by the EU AI Act's deployer obligation to maintain documentation of how the high-risk AI system was used and to monitor its performance over time. An institution that cannot explain what its AI-powered KYB tool did in a specific case is not meeting either the AMLR's audit trail standard or the AI Act's documentation obligations.

Mitigation: Require explainability as a procurement criterion for any AI-powered KYB tool. The tool should be able to produce, for each onboarding decision, a human-readable explanation of which factors contributed to the risk score and at what weight, in a form that can be stored as part of the case file. Supplement automated outputs with structured analyst notes that explain the decision in the analyst's own assessment, rather than simply logging the AI's recommendation. Ensure the case management system captures both the AI output and the human decision as separate, connected records with distinct timestamps.

Risk 6: Concentration Risk in RegTech Dependency

The sixth risk is one that the EBA's July 2025 Opinion identifies explicitly and that does not receive enough attention in most compliance team discussions: the concentration risk that arises when a significant proportion of EU financial institutions are relying on the same small number of RegTech providers for their KYB onboarding infrastructure.

The EBA found that 32 percent of competent authorities view this concentration risk as significant, noting that relying heavily on a small number of RegTech solutions across many supervised entities can create systemic vulnerabilities, especially when those solutions are not customised to each entity's specific needs. This risk has two dimensions that affect KYB compliance directly.

The first is institutional: if the institution's entire KYB process is dependent on a single vendor and that vendor experiences a significant data quality failure, a service outage, or a regulatory finding of its own, the institution's KYB programme fails with it. The institution that has no fallback mechanism, no alternative data source, and no documented understanding of what the vendor's tool is actually doing with their data is in the most exposed position.

The second is systemic: if a widely used KYB tool has a shared miscalibration, shared data gap, or shared blind spot, the failure replicates across every institution using it. Regulators monitoring the sector-wide pattern of KYB failures can identify when a single vendor's approach is producing correlated deficiencies across multiple supervised entities, which triggers supervisory attention at sector level rather than just individual institution level.

Mitigation: Avoid single-vendor dependency for critical KYB workflows. Where a primary vendor is used for most onboarding cases, maintain the capability to route specific case types, jurisdictions, or risk levels through an alternative source or a direct registry query. Understand your vendor's own data sources, refresh cycles, and quality controls rather than treating the tool as a black box. Ensure the tool is configured to your institution's specific risk profile rather than running on generic default settings, since non-customised tools are precisely what the EBA's finding about unthinking use refers to. Maintain a DORA-compliant register of the vendor relationship, including the contractual terms covering data quality, service levels, and incident notification.

The Risks and Mitigations at a Glance

The table below summarises the six compliance risks, the primary regulatory framework that makes each one a legal exposure, and the key mitigation for each.


Compliance Risk

What Goes Wrong

Regulatory Basis for the Risk

Key Mitigation

Stale or non-live registry data

AI returns cached data that does not reflect current company status, director appointments, or ownership; CDD record built on out-of-date information

AMLR Art. 20 (CDD using reliable independent sources); AMLA CDD RTS (attributes of qualifying verification sources)

Require live or near-live registry connectivity; test data freshness for jurisdictions in your client mix; document data source and retrieval date for each onboarding record

Automation bias in human review

Analyst approves AI recommendations without independent assessment; oversight is nominal rather than meaningful

EU AI Act Art. 26 (deployer obligation to counteract automation bias); GDPR Art. 22 (no solely automated decisions with significant effects)

Design review workflow to require documented independent assessment; implement structured review checklist; train analysts specifically on recognising and counteracting automation bias

Beneficial ownership miscapture

AI misses natural persons at the 25% or more AMLR threshold; fails to resolve layered structures; does not trigger fallback to senior manager

AMLR Art. 52 (25% or more threshold from July 2027); AMLR Art. 20 (verification from reliable independent sources)

Test tool against complex structures; update threshold to 25% or more in all workflows; policy of supplementary manual review for structurally complex clients

Risk scoring miscalibration

Model trained on outdated risk profile; systematically misclassifies clients as business evolves; EDD triggered incorrectly or not triggered when required

AMLR risk-based CDD; EBA finding: 52% of CAs cite institutions' lack of understanding of ML/TF risks; institution's own risk assessment

Formal recalibration programme triggered by material business changes; compliance officer approval of updated parameters; model calibration documented in business-wide risk assessment

Audit trail deficiency in AI decisions

AI risk score not explainable; no record of which factors drove the decision; supervisor cannot assess reasoning from the case file

AMLR Art. 77 (five-year retention in form usable for investigation); EU AI Act Art. 26 (documentation of high-risk AI system use)

Require explainability outputs from vendors; supplement AI score with structured analyst note; case management captures AI output and human decision as distinct timestamped records

Concentration risk in RegTech dependency

Single vendor failure, outage, or shared miscalibration replicates across the institution's entire KYB programme; non-customised tools produce systemic gaps

EBA July 2025 Opinion (32% of CAs flag concentration risk; one-third flag risks from unthinking use of onboarding RegTech); DORA third-party ICT risk management

Avoid single-vendor dependency for critical workflows; maintain alternative data source capability; understand vendor's own data sources and quality controls; maintain DORA-compliant ICT third-party register

About SpeedyDD

SpeedyDD is a KYB and due diligence platform built around the specific problems that AI-powered onboarding tools most commonly fail to solve: registry data that reflects the actual current state of a company rather than a cached snapshot, beneficial ownership mapping that traces the full chain rather than stopping at the first legal entity, and an audit trail that captures every verification step as it happens rather than requiring reconstruction after the fact.

Our mission is to help complex regulated businesses, PSPs, EMIs, CSPs, and iGaming operators, maintain audit readiness as a default state rather than as an exercise performed in preparation for an examination. SpeedyDD connects to more than 3000 corporate registry data sources across more than 200 countries and territories, integrates directly with The KYB for registry data retrieval, and logs every query, verification decision, and approval automatically with timestamps, so that the audit trail under the AMLR's five-year retention requirement already exists in the form that a competent authority or FIU needs.

For the human layer that must sit above any automated KYB process, SpeedyDD's outputs are designed to support informed independent judgment rather than to replace it.

The mitigation for most of the risks in this article is not to avoid AI in KYB onboarding. It is to use it with the right data sources, the right governance, and the right human oversight in place. That is what SpeedyDD is built to support. You can learn more here.

Frequently Asked Questions

What is the most common AI-related compliance failure in KYB onboarding?

Based on the EBA's supervisory data, the most common failure pattern is not a single deficiency but a combination: an automated onboarding tool that is deployed without being customised to the institution's specific risk profile, and where human reviewers have effectively deferred to the tool's recommendations without conducting independent assessments. The EBA's July 2025 Opinion specifically found that more than one third of competent authorities flag significant or very significant risks from the unthinking use of onboarding and CDD RegTech solutions. The word "unthinking" is important: the risk is governance failure, not technology failure.

Does the EU AI Act apply to AI tools used in KYB onboarding?

It depends on the specific functions of the tool and how it is used. AI systems used in AML risk profiling, decisions affecting access to financial services, and fraud detection fall within the high-risk AI category under Annex III of the EU AI Act. KYB tools that assign risk scores and make or recommend onboarding decisions that affect whether a business is accepted as a client are likely to fall within this category. Compliance teams should assess each tool individually against the Act's classification criteria rather than assuming they are out of scope, since the consequence of deploying a high-risk AI system without meeting the deployer obligations in Article 26 is an active regulatory exposure.

What does "reliable and independent sources" mean for AI-powered beneficial ownership verification?

Under Article 20 of the AMLR, CDD must be conducted using reliable and independent sources. AMLA's February 2026 CDD RTS consultation is developing the detailed specification of what those sources must look like, including the attributes that electronic identification means and other verification sources must have to qualify under the AMLR. A cached commercial dataset that aggregates registry information from multiple countries and refreshes on a weekly or monthly cycle is not the same as a live query to an official company registry, and the two are likely to be treated differently under the standards that AMLA publishes. Compliance teams using AI-powered KYB tools should ensure they understand specifically what data sources the tool is drawing on and whether those sources will meet the AMLR standard as AMLA defines it through 2026 and 2027.

How should a compliance officer think about human oversight of AI in KYB onboarding?

Human oversight in the EU AI Act sense is not a procedural step. It is a substantive requirement that the person overseeing the AI output has the competence, training, and authority to understand what the system is doing, to interpret its outputs correctly, and to override them when independent judgment warrants. A compliance officer building a KYB onboarding programme that uses AI-powered tools should define specifically who holds human oversight responsibility, what training those individuals receive on the tool's logic and limitations, how their independent assessments are documented separately from the AI's recommendation, and what escalation path exists when the human's judgment diverges from the system's output.

What happens to historical KYB records when the AMLR applies in July 2027?

The EBA's March 2025 consultation paper on CDD RTSs acknowledged that it may not be possible for all obliged entities to apply new CDD standards to all existing customers immediately from 10 July 2027, and proposed that institutions prioritise higher-risk relationships in the first instance, with a risk-based approach to transitioning the remaining relationships within a five-year period. For historical KYB records that were created under the current framework, institutions need to assess whether those records meet the AMLR's new standard for each customer relationship or whether remediation work is required. Where AI-powered tools were used for historical onboarding and the records contain AI-generated outputs without documented human reasoning, that remediation may be material.

Is it acceptable to use AI for the onboarding decision itself, or only for information gathering?

The legal framework draws a clear distinction between using AI to gather and structure information for a human decision, which is acceptable and encouraged, and using AI as the sole or effective basis for a decision that produces significant legal effects, which is restricted by GDPR Article 22. In the KYB context, this means AI can retrieve registry data, map ownership chains, run screening checks, generate risk scores, and present a case summary for human review. The decision to establish a business relationship, to apply enhanced due diligence, or to decline a client should be a human decision supported by that AI output, not a decision taken automatically by the system. The same logic applies to the SAR filing decision under the AMLR, which the compliance officer is personally accountable for and which cannot be made by an automated system.

What is the concentration risk in KYB RegTech and why does it matter?

The EBA's July 2025 Opinion found that 32 percent of competent authorities view concentration risk in RegTech as a significant concern. The risk arises because a significant proportion of EU financial institutions are using the same small number of KYB and onboarding platforms. If a widely used platform has a shared data gap, a miscalibrated model, or a service outage, the failure replicates across all the institutions using it simultaneously. For an individual institution, the practical risk is that its entire KYB programme is dependent on a single vendor's data quality, service availability, and calibration accuracy without any fallback mechanism. The mitigation is to maintain the capability to verify clients through alternative sources and to understand the vendor's own data quality controls rather than treating the platform as a guaranteed-accurate source.

🇺🇸 Based in the U.S.? Explore our solutions for onboarding, compliance, and document management across the U.S. and EU

🇺🇸 Based in the U.S.? Explore our solutions for onboarding, compliance, and document management across the U.S. and EU

SpeedyDD Trading Limited a company registered in Cyprus under Registration Number: HE457236 and with Registered Address at Griva Digeni 81, Marinos Court, 3rd Floor, Flat/Office 301, 6043 Larnaca, Cyprus

© 2026 SpeedyDD. All rights reserved.

SpeedyDD Trading Limited a company registered in Cyprus under Registration Number: HE457236 and with Registered Address at Griva Digeni 81, Marinos Court, 3rd Floor, Flat/Office 301, 6043 Larnaca, Cyprus

© 2026 SpeedyDD. All rights reserved.

SpeedyDD Trading Limited a company registered in Cyprus under Registration Number: HE457236 and with Registered Address at Griva Digeni 81, Marinos Court, 3rd Floor, Flat/Office 301, 6043 Larnaca, Cyprus

© 2026 SpeedyDD. All rights reserved.