The State of KYC at the End of 2025

KYC has kept moving from a “tick-box” onboarding step to a live risk control that runs through the whole customer relationship. By the end of 2025, that shift is clear across lending, payments, wealth, and crypto-adjacent services. The drivers have been consistent: higher fraud pressure, tighter expectations from regulators, and a steady move towards digital journeys where customers expect quick onboarding without compromising safety.

For financial institutions and fintech firms, the practical question is no longer whether to modernise KYC checks, but how to do it in a way that improves decision-making while reducing data risk and keeping KYC compliance manageable.

What changed in 2025

KYC moved closer to “real time”

A lot of KYC verification still starts with identity and screening, but more firms now treat KYC as an ongoing process rather than a one-off event at onboarding. In simple terms, the best controls are the ones that can reflect a customer’s current position, not what was true a month ago.

That’s one reason Open Banking data (and the broader direction toward open finance) stayed high on the agenda. The FCA published research on the state of open banking and open finance in the UK to inform its work in this area. (FCA) The same research note indicates that, as of March 2025, there were around 13.3 million active open banking users in the UK—evidence of continuing mainstream adoption. (FCA)

For KYC, that matters because real-time or near real-time financial insights can support affordability checks, risk scoring, and better detection of inconsistencies—when consent and lawful basis are handled properly.

More attention on how KYC data is handled, not just collected

Another visible change in 2025 is that firms are being pushed to show strong controls around data security and data minimisation. It is not enough to say “we do KYC”; firms are expected to show that they handle customer data responsibly, limit access, and keep retention under control.

That is where “no data stored” or zero-retention KYC approaches have gained interest. The logic is straightforward: if sensitive customer data is not stored, it reduces the surface area for breach risk and simplifies parts of GDPR compliance. This does not remove all obligations—firms still need governance, logging, and clear processes—but it can materially reduce exposure linked to large stored datasets.

UK identity verification became more central in business checks

On the UK side, company identity verification reforms became more concrete. The government confirmed that Companies House identity verification would roll out from 18 November 2025, with new directors needing to verify their identity for incorporation or appointment, and existing directors/PSCs moving through verification during a transition period. (GOV.UK)

This matters for KYC compliance in business onboarding because it raises expectations around the quality of identity assurance for directors and people with significant control (PSCs), and it changes what “reasonable checks” may look like in practice over time.

The themes shaping KYC at year-end

1) Stronger expectations around financial crime controls

The FCA continued to focus on financial crime systems and controls, including updates to its Financial Crime Guide. (FCA) For compliance teams, this reinforces a familiar point: regulators generally expect controls that are designed, documented, tested, and improved—rather than controls that exist only on paper.

From a KYC perspective, that typically means clearer ownership, proper customer risk assessment, sensible enhanced due diligence triggers, and consistent decisions across the business.

2) Data protection is now part of KYC risk management

GDPR compliance is not separate from KYC anymore. The way KYC checks are done—what data is collected, where it is stored, who can access it, and how long it is kept—directly affects operational risk.

This is where the “no data stored” conversation has become more practical. If a firm can complete KYC verification using live access or session-based retrieval (with appropriate consent and controls), it may reduce:

  • The amount of sensitive customer data retained

  • The impact of potential security incidents

  • The internal work tied to retention and deletion processes

It won’t remove all compliance work, but it can help organisations align with GDPR’s data minimisation principle while improving data security.

3) Open Banking and open finance are no longer niche

By late 2025, Open Banking is no longer “new” in the UK; it is an established channel with material adoption. (FCA) The FCA’s continued focus on the direction of open finance is a reminder that the scope of permissioned data access could expand beyond payment accounts over time. (FCA)

For KYC and AML teams, this points to a future where customer risk assessment can be supported by better, consented data access—particularly for affordability checks, source of funds/source of wealth indicators (where relevant), and ongoing monitoring signals.

4) AI is becoming a governance issue, not just a tooling choice

AI use in financial services kept accelerating, and by the end of 2025, the conversation had moved into governance and accountability. Reuters reported that British banks are progressing toward “agentic AI” trials with the FCA, and the regulator has highlighted risks linked to autonomy, speed, and oversight. (Reuters)

In KYC terms, AI can help with automation, prioritisation, and anomaly detection—but it also raises questions firms need to answer clearly:

  • Who is accountable for outcomes?

  • How do you test for errors and bias?

  • What controls prevent over-reliance on automated decisions?

  • What is the escalation path when a model flags (or misses) a risk?

This is especially relevant where KYC checks affect access to financial services and customer outcomes.

5) Crypto regulation continues to tighten

Cryptoasset regulation is still moving toward more formal oversight. The Financial Times reported that the UK government is planning legislation to regulate cryptoasset companies, with a broader regime expected to come in over time under FCA supervision. (Financial Times)

For firms operating near crypto—directly or indirectly—the direction is clear: KYC compliance and AML controls will be expected to look more like those in traditional financial services.

What “good” KYC looks like going into 2026

At the end of 2025, the gap between basic KYC and mature KYC is usually visible in day-to-day operations. Mature programmes tend to have:

Clearer, simpler customer journeys

Customers still need proper checks, but firms are working to reduce avoidable friction—especially for low-risk customers—while keeping strong controls for higher-risk cases.

Better use of real-time signals

Where lawful and appropriate, firms are looking at how real-time KYC inputs (including consented Open Banking data) can support more accurate decisions than static documents alone. (FCA)

Stronger data handling choices

More attention is being paid to whether data truly needs to be stored. Zero-retention approaches, tokenisation, and tighter retention policies are all ways firms are trying to reduce GDPR exposure while maintaining effective KYC verification.

Governance that matches the technology

With more automation and AI in the mix, regulators are watching how firms manage accountability and risk. The focus is moving toward oversight, auditability, and controls—not just innovation. (Reuters)

Closing thoughts

By the end of 2025, KYC is best described as a blend of compliance, risk management, data protection, and customer experience. The direction of travel is towards real-time decision support, stronger controls around customer data, and clearer governance—especially as automation increases.

For most financial institutions, the practical next step is to focus on the basics done well: consistent KYC checks, good record keeping, sensible use of live signals, and a data strategy that limits unnecessary retention. That combination is what reduces risk and keeps KYC compliance workable.