The Hidden Risk in KYB: Missing Audit Trails
KYB documents are not enough. Regulated teams also need a clear audit trail showing how each onboarding decision was reviewed, challenged, approved, and evidenced.

When we talk to compliance teams about their KYC/KYB, the conversation usually lands on the same things: collecting documents, identifying beneficial owners, running sanctions checks and assigning a risk rating. All of these matter, of course. However, the risk we see underestimated most often isn't whether evidence was collected, but whether anyone can explain how the decision was made. That distinction sounds small, but it isn't.
The Problem Nobody Notices Until It's Too Late
Over the years we've spoken with compliance teams across banking, payments, fintech, and crypto. Some still collect clients’ documents via email, others have built in-house document repositories, and some have even automated document collection. However, one thing that comes up again and again is that while the documents exist, the decision trail doesn't.
In most organisations, onboarding is scattered. Documents go back and forth over emails, company registry data gets downloaded and saved somewhere, screening runs in a separate tool, analysts keep notes in spreadsheets, and the approvals happen over Slack.
At the time, it feels fine. The customer is onboarded, the case is closed, everyone moves on.
The problem shows up months or even years later when an auditor, a regulator, or a remediation team asks a simple question:
"Why was this customer approved?"
Most firms can pull the documents. However, far fewer can reconstruct the thinking behind the decision.
McKinsey’s KYC Benchmark Survey of top global banks found US annual financial-crime compliance costs had grown by around 43% in the years prior, even as budgets were being cut. The firms that outperformed peers did so primarily through better data management and documented decision-making — not by collecting more information. (Source: McKinsey & Company)
Documents Are Not an Audit Trail
There's a common assumption that storing customer documents is enough to evidence a compliant process. It isn't.
Regulators don't just want to see what you collected. They want to understand what happened:
- Who reviewed the file?
- What risk factors were flagged?
- Why was that risk rating assigned?
- Was enhanced due diligence considered?
- Who signed off?
- What changed during the review?
- What was the rationale for the final decision?
A folder of PDFs can't answer any of that. An audit trail can.
What This Looks Like in Practice
Picture a payments firm onboarding a corporate client with a layered ownership structure across multiple jurisdictions. The onboarding specialist digs in, collects additional information, escalates to a manager, and the customer gets approved. Looks like a reasonable process, no?
Two years later, that customer is under investigation. The regulator wants to understand the original onboarding decision.
The firm can produce the corporate documents, the beneficial ownership declarations, the screening reports, the risk assessment.
What they can't produce is the reasoning. Why was the structure considered acceptable? What concerns were identified? What did the manager actually review? Where did the escalation go?
The original decision might have been entirely sound. But the organisation can no longer demonstrate how they got there. That's the problem.
Remediation Makes It Visible
If you've been through a KYB remediation project, you've probably seen this firsthand.
Analysts open historical files expecting to understand what happened. Instead, they find documents with no reviewer notes, risk ratings with no explanation, approvals with no supporting rationale, and decisions that exist only in someone's inbox.
So, they redo the work. Not because it was wrong, but because there's no record that it was right.
We've seen firms spend significant time and resource rebuilding context that should have been captured the first time around.
KPMG’s KYC practice notes that financial institutions spend an average of $150 million per year on KYC and customer due diligence operations, with fragmented, non-standardised processes and limited automation consistently cited as the primary drivers of rework and cost. The result: when remediation is required, institutions often find themselves repeating work that was never properly recorded the first time. (Source: KPMG)
Regulatory Direction of Travel
Regulators are very explicit about this. Weaknesses in customer due diligence controls have been highlighted where firms couldn't evidence how their processes were actually applied — not just that the policies existed.
That's the shift. Having a policy isn't enough. Following it isn't enough. You need to be able to show that you followed it, file by file, decision by decision.
The FCA’s 2023 enforcement actions illustrate this directly. In one published Final Notice, a firm was fined £6.47 million after investigators found record-keeping failures across its customer due diligence process: no documented procedures for enhanced due diligence on high-risk clients, missing rationale for onboarding decisions, and governance failures that meant senior management could not account for how decisions were reached. Across all FCA enforcement actions in 2023, nearly 40% of the total fine value — over £20 million — related to financial crime obligations. (Source: FCA)
The Costs You Don't See Coming
Missing audit trails create problems beyond the regulatory risk:
- People leave. Institutional knowledge walks out with them. Decisions made two years ago become impossible to explain.
- Internal audit spends time chasing information across systems rather than actually auditing.
- Remediation projects cost more and take longer than they should.
- Senior management ends up accountable for decisions they can't fully evidence.
The numbers bear this out. A 2023 study commissioned by LexisNexis Risk Solutions and conducted by Forrester, surveying over 1,180 senior compliance decision-makers at financial institutions globally, found that the total cost of financial crime compliance in the US and Canada alone had reached $61 billion annually — a rise driven largely by labour costs and manual process inefficiency. McKinsey’s research corroborates this at the case level: banks that streamlined documentation and reduced hand-offs in the KYC process reduced average case completion time by 38% and cut customer outreach by around 40%. The implication is that a significant portion of compliance cost is process waste — much of it traceable to the absence of a structured, reusable audit trail. (Sources: LexisNexis; McKinsey & Company)
What a Good Audit Trail Actually Looks Like
It's not complicated in principle. A proper audit trail gives you a chronological record of the entire onboarding journey — documents collected, screening results, risk assessments, analyst notes, escalations, approvals, changes, and the rationale behind decisions.
It should be able to answer two questions:
What happened? And why?
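As an added illustration (not code from the original article), here is a minimal append-only decision log in Python that records each onboarding step with actor, action and rationale, answers "What happened? And why?" from the record alone, and flags the gap remediation teams keep finding: decisions with no recorded reasoning. The case id, actor names and events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
# Actions that change the outcome of a file and therefore must carry a rationale.
DECISION_ACTIONS = {"risk_rated", "edd_considered", "escalated", "approved", "rejected"}

@dataclass(frozen=True)
class DecisionEvent:
    """One step in the onboarding journey: who did what, when, and why."""
    case_id: str
    at: datetime
    actor: str
    action: str                      # e.g. "document_collected", "risk_rated", "approved"
    rationale: Optional[str] = None  # the "why"; required for DECISION_ACTIONS
class DecisionLog:
    """Append-only record: events are never edited; a correction is a new event."""
    def __init__(self) -> None:
        self._events: list[DecisionEvent] = []

    def record(self, event: DecisionEvent) -> None:
        self._events.append(event)

    def history(self, case_id: str) -> list[DecisionEvent]:
        """Chronological view of one file, whatever order events were stored in."""
        return sorted((e for e in self._events if e.case_id == case_id), key=lambda e: e.at)

    def gaps(self, case_id: str) -> list[str]:
        """Decision steps that cannot be explained from the record alone."""
        return [f"{e.action} by {e.actor} on {e.at:%Y-%m-%d} has no rationale"
                for e in self.history(case_id)
                if e.action in DECISION_ACTIONS and not e.rationale]

    def explain(self, case_id: str) -> str:
        """Answer 'What happened, and why?' as a narrative built only from the log."""
        return "\n".join(f"{e.at:%Y-%m-%d} {e.actor}: {e.action}"
                         + (f" - {e.rationale}" if e.rationale else "")
                         for e in self.history(case_id))

def build_sample_log() -> DecisionLog:
    """Constructed sample file (hypothetical case id and actors, not real data)."""
    log = DecisionLog()
    ts = lambda day: datetime(2024, 3, day, tzinfo=timezone.utc)
    log.record(DecisionEvent("KYB-0001", ts(1), "a.analyst", "document_collected"))
    log.record(DecisionEvent("KYB-0001", ts(2), "a.analyst", "risk_rated",
                             "High: layered ownership across three jurisdictions"))
    log.record(DecisionEvent("KYB-0001", ts(3), "a.analyst", "escalated",
                             "High rating requires manager sign-off under policy"))
    # The classic remediation finding: a sign-off with no recorded reasoning.
    log.record(DecisionEvent("KYB-0001", ts(4), "m.manager", "approved"))
    return log
```

Running `build_sample_log().gaps("KYB-0001")` surfaces the unexplained approval, which is exactly the question a regulator would ask two years later.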
Where KYB Is Heading
Most firms already collect a lot of information. The challenge isn't volume.
It's transparency around decision-making.
The organisations that will be best placed for regulatory scrutiny going forward aren't necessarily the ones with the most documents. They're the ones that can show, clearly and completely, how every onboarding decision was reached, reviewed, challenged, and approved.
Because when a regulator asks why a customer was onboarded, the answer shouldn't depend on finding an old email thread.
It should already be part of the record.