惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Last Watchdog
The Last Watchdog
博客园_首页
Martin Fowler
Martin Fowler
S
SegmentFault 最新的问题
美团技术团队
小众软件
小众软件
V
V2EX
博客园 - Franky
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The GitHub Blog
The GitHub Blog
Microsoft Security Blog
Microsoft Security Blog
Attack and Defense Labs
Attack and Defense Labs
S
Security Affairs
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
T
The Exploit Database - CXSecurity.com
有赞技术团队
有赞技术团队
S
Schneier on Security
人人都是产品经理
人人都是产品经理
Security Archives - TechRepublic
Security Archives - TechRepublic
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
K
Kaspersky official blog
PCI Perspectives
PCI Perspectives
AI
AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
罗磊的独立博客
O
OpenAI News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
The Register - Security
The Register - Security
V
Vulnerabilities – Threatpost
GbyAI
GbyAI
博客园 - 【当耐特】
C
Cisco Blogs
大猫的无限游戏
大猫的无限游戏
Help Net Security
Help Net Security
Google DeepMind News
Google DeepMind News
S
Securelist
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Proofpoint News Feed
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
L
LangChain Blog
SecWiki News
SecWiki News
博客园 - 叶小钗
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
J
Java Code Geeks
L
LINUX DO - 热门话题
Cisco Talos Blog
Cisco Talos Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
What KYB regulations actually demand (and where most implementations quietly fail)
Stuart Watkins · 2026-06-28 · via DEV Community

TL;DR: Global organisations faced £1.23 billion in KYC/AML penalties in H1 2025. TD Bank's £3 billion fine was not really about money laundering. It was about a verification system that could not answer basic questions when regulators asked. This is a breakdown of what KYB regulations actually demand at the system level, where most implementations break, and the architecture decisions that hold up under scrutiny.

We have spent six years building compliance infrastructure, and the thing I have learned is that regulations do not care about your architecture. They care about outcomes. You can have clean code and still fail an audit if your system cannot retrieve evidence when someone asks for it.

That is exactly what happened to TD Bank.

The incident that defines the requirement

TD Bank's £3 billion penalty came with operational restrictions, leadership changes, and decade-long compliance monitoring. When regulators asked about beneficial ownership structures, the bank's fragmented KYB processes could not provide coherent answers. The data existed somewhere. They just could not assemble it into a story that held together.

That is not an exotic failure. When you dig into the £1.23 billion in global KYC/AML penalties from H1 2025, the pattern is boringly consistent. Organisations either did not collect the right data, did not verify it properly, or could not retrieve it when asked. None of these are hard problems on their own. They become hard when you treat KYB as a series of disconnected checks instead of one coherent system.

So if you are building verification infrastructure, your real design constraint is this: every component you build needs to produce an auditable, coherent record of how you verified a business entity. Everything else flows from that.

The four obligations every framework checks

Whether you are working under EU AMLD5 and AMLD6, the US Corporate Transparency Act, or the UK's Money Laundering Regulations 2017, the substance converges on four things. The naming varies. The obligations do not.

Obligation What it means in practice
Customer Identification Programme (CIP) Collect and verify incorporation, registration, ownership structure, and UBO details for anyone with 25% or more ownership or control
Customer Due Diligence (CDD) Score risk across industry, geography, UBO nationality, and source of funds
Sanctions and AML screening Screen every entity and every UBO against OFAC, UN, and EU lists, then keep screening
Recordkeeping and audit readiness Retrieve the full evidence trail on demand, fast

The interesting engineering happens in how these interact, not in any single one.

CIP is a data quality problem, not a collection problem

Most teams build CIP as an upload form. Certificate of incorporation, business registration, proof of address, done. The hard part is not collecting documents. It is validating them.

Here is a data point that should worry anyone building these systems. Kenyan KYB checks reveal that 3% of CR12 documents contain mismatched shareholder or director data versus Business Registration Service records. Three percent sounds like a rounding error until you do the volume maths. Process 10,000 business verifications a year and 300 of them carry documents that do not match the registry. If your validation relies on an analyst spotting a discrepancy in a PDF, you will miss most of them.

This is not a Kenya thing. Every jurisdiction has data quality issues in its business registries. Your system needs to cross-reference uploaded documents against official registry sources programmatically, comparing each field (director names, shareholder percentages, registered address) and flagging mismatches by type: spelling, outdated, conflicting, or missing.

One field that is not optional: document age. Most jurisdictions enforce a 3-month limit for proof of address. If your system happily accepts a utility bill from eight months ago, you have a compliance gap baked into your schema. Track the document age in days and enforce the limit at validation time, not as an afterthought.

The UK is trying to close some of these gaps. Under the Economic Crime and Corporate Transparency Act 2023, from 18 November 2025 Companies House mandates ID verification for new and existing directors and persons with significant control. Existing entities have 12 months to comply. That helps domestically. It does nothing for cross-border verification, where you are pulling from registries with wildly different data quality standards.

The UBO bottleneck is where systems collapse under volume

Here is the number that reframes the whole problem. Manual UBO retrieval takes 24 to 30 days. With AI-powered automation, the same process completes in 2 to 3 minutes.

That is not a typo. 30 days versus 3 minutes.

The delay is not laziness. It is chasing documents across multiple registries, waiting on responses from foreign jurisdictions, and manually tracing ownership chains. When a business has a multi-layered holding structure spanning three countries, an analyst can spend weeks tracing UBOs back to natural persons. That is genuinely hard work, and it does not scale.

The automated path does the same work differently. It pulls registry data via API, cross-references against multiple sources in parallel, flags discrepancies for human review, and auto-approves clean cases. The verification timeline then spreads across a spectrum: automated approvals in minutes, manual reviews in 1 to 3 business days, and complex cases extending longer.

What determines where a case lands is predictable: jurisdiction transparency, ownership complexity, document availability, and whether the entity operates in a high-risk sector. If you can classify those four factors early, you can route most cases automatically and reserve human analysts for the genuinely hard ownership graphs.

The architectural mistake here is storing only the final result. You need the full ownership graph, not just the natural persons at the end of it. AMLD6 adds personal criminal liability for compliance officers who get this wrong. When a compliance head can face prosecution, your system had better be defensible, not just functional. A defensible system shows its working.

Where the branching logic actually lives

The CDD layer is where most implementations get lazy. Collecting documents is mechanical. Assessing risk is a decision tree, and decision trees are where bugs hide.

The loop back from ongoing monitoring into risk reassessment is the part most teams skip. They build CDD as a one-shot onboarding event. AMLD5 says otherwise. The directive mandates periodic UBO reviews and data gap assessments beyond initial onboarding. A UBO who was clean at onboarding can appear on a sanctions list three months later. Your system has to handle that without a human remembering to check.

The compliance teams who understand this build event-driven architectures rather than batch processes. An ownership change triggers a reassessment automatically. It does not wait for a quarterly review cycle. The research backs the tiering: low-risk businesses refresh every 12 to 36 months, medium-risk every 6 to 12 months, and high-risk move to continuous, event-driven monitoring.

One more thing to build configurable from day one: risk thresholds by country and industry. Financial services face stricter requirements than crypto exchanges applying KYB to institutional clients, though the gap is narrowing. The EU's MiCA regulation, effective 2026, extends KYB obligations to virtual asset service providers under the FATF Travel Rule. Hardcode your risk rules and you are signing up for a refactor the moment a regulator moves.

The honest assessment of why this is hard

I will be straight about this. The hard part is not any single verification step. It is coordinating CIP, CDD, sanctions screening, and recordkeeping across multiple vendors and data sources in one coherent workflow. Most teams stitch five provider APIs together with custom glue code that nobody wants to maintain, and the audit trail fragments across all of them.

That fragmentation is exactly what caught TD Bank out. Each check ran fine in isolation. The system could not assemble them into a coherent answer.

A "Head of Compliance at a UK challenger bank" put it to us recently: "We could pass every individual check and still fail the audit, because the evidence lived in five different places and none of them agreed on what a customer was."

One thing to take away today

If you build nothing else this quarter, build retrieval. The organisations that avoid the TD Bank outcome are not the ones with the most expensive tools. They are the ones whose system can answer any question a regulator asks, quickly, accurately, and with a full audit trail. If your first verification of an entity takes 30 days and your second takes just as long because you cannot find the first one, you do not have a screening problem. You have an architecture problem.

Key takeaways

  • KYB failures are structural, not exotic. The £1.23 billion in H1 2025 penalties traces back to data not collected, not verified, or not retrievable.
  • Validate documents against registries programmatically. A 3% mismatch rate on CR12 documents means 300 bad records per 10,000 verifications.
  • Manual UBO retrieval takes 24 to 30 days. Automated retrieval takes 2 to 3 minutes. Route by jurisdiction, complexity, document availability, and sector.
  • Build perpetual KYB as event-driven, not batch. AMLD5 mandates ongoing review, and AMLD6 adds personal criminal liability for compliance officers.
  • Retrieval is the real test. If you cannot assemble a coherent audit trail on demand, every other check is wasted effort.

FAQ

What are the core KYB compliance requirements?
KYB compliance requires four things: a Customer Identification Programme that verifies incorporation and ownership documents, Customer Due Diligence that scores risk by industry and geography, sanctions and AML screening against OFAC, UN, and EU lists, and recordkeeping that produces a retrievable audit trail. UBOs holding 25% or more ownership or control must be identified and verified.

How long does UBO verification take?
Manual UBO retrieval takes 24 to 30 days because it involves chasing documents across registries and tracing ownership chains by hand. AI-powered automation completes the same process in 2 to 3 minutes for clean cases, with manual reviews taking 1 to 3 business days and complex multi-jurisdiction structures extending longer.

What is the UBO ownership threshold under AMLD5 and AMLD6?
EU AMLD5 and AMLD6 both require identifying individuals with 25% or more ownership or control of a business entity. AMLD6 additionally introduces personal criminal liability for compliance officers, which raises the bar for how defensible your verification logic needs to be.

Why did TD Bank receive a £3 billion fine?
TD Bank's £3 billion penalty stemmed from a fragmented KYB system that could not answer basic questions about beneficial ownership when regulators asked. The failure was structural: the checks may have run, but the evidence could not be assembled into a coherent, retrievable record.

Does KYB need to be ongoing or is onboarding enough?
KYB must be ongoing. AMLD5 mandates periodic UBO reviews and data gap assessments beyond initial onboarding. Low-risk businesses refresh every 12 to 36 months, medium-risk every 6 to 12 months, and high-risk entities require continuous, event-driven monitoring triggered by sanctions updates or ownership changes.


We built Zenoo to solve this orchestration problem. Instead of stitching five provider APIs together with glue code nobody wants to maintain, you configure the full verification flow in one place, the compliance logic stays consistent, and the audit trail stays complete. If you are building compliance flows and this resonates, it might save you the same pain. See it at zenoo.com. 30 minutes. Your data. No slides.

Stuart Watkins is CEO of Zenoo, the compliance orchestration platform that connects identity verification, screening, and risk decisioning in a single configurable workflow.