How data breaches are making it harder to trust traditional KYC results
Know Your Customer (KYC) is creaking under the weight of data breaches.
In 2024, finance overtook healthcare as the most hacked industry, accounting for a tenth (around 152.2 million) of all data breaches, according to research by Verizon.
When you can’t trust KYC data, it effectively triples the workloads of compliance teams. Not only do they need to ensure that customers’ source of funds is legitimate, but they must also verify if the person exists and whether their data has been stolen (or is a synthetic identity based on real stolen credentials).
Data sold on the dark web passes KYC checks
In the third quarter of 2024 alone, data breaches exposed more than 422 million records worldwide and counting.
- Hacker group BlackCat claimed credit for data theft from 2,000 companies, including 60 banks, in the June 2023 MOVEit hack.
- This meant that an estimated 2.85 million (3% of the 95 million) records of KYC information fell into the hands of criminals.
- Verizon research uncovered that the data stolen in the MOVEit attack was further leveraged to commit even more crimes, accounting for 8% of all financial system intrusions in 2024.
Organized criminals monetize sensitive data with ransomware or sell it to other bad actors. In Q2 2024, Singaporean research revealed a 230% annual increase in stolen data sold on the dark web. As well as copies of real identification documents, criminals can buy biometric information such as fingerprints, facial data, and even selfies for as little as $8.
The stolen data is being used in different ways, but within finance, it's mostly used for account creation (90% of credit fraud cases). Criminals take out auto loans to buy cars or open and max out numerous credit accounts.
Since 2023, account takeover cases have also increased by 13%. More than 300,000 cases of credit theft from existing accounts were reported to the FTC in the third quarter of 2024 alone.
A new wave of KYC risks for compliance officers
More than 60% of compliance officers report data breaches as a top stressor. The costs of shielding against hacks are also significant. Most (60%) mid-market commercial banks in the USA now spend over one-third of their compliance on KYC alone. And the cost of reviewing cases is adding up, too, hitting an average of $2,598 each time.
With data breaches becoming more prevalent, it's only a matter of time before the regulators begin to catch up.
Last year, Bank of America was held responsible for a breach, even though Infosys held the data. As one reporter put it, “for regulators, the picture of responsibility when it comes to third-party cybersecurity risk is black and white; banks are the ones responsible.”
In the UK, the FCA is already debating new rules around whether banks can be held accountable for fraud committed by third parties. This could potentially include technology regulation partners who are not resistant enough against the relentless data hacks.
Being underprepared is not a risk financial services can afford to take.
Manual processes can miss stolen credentials or synthetic identities
A late 2023 study found that “KYC remains largely a manual process”. This problem has persisted for years, and criminals know it. In 2022, Thomson Reuters reported, “...banks’ continued reliance on spreadsheets and other manual processes means their approach to financial crime compliance and detection lacks coherence and consistency”.
The risks include:
- Relying on static data points: When checks rest on static data points such as social security numbers or national IDs, there is a high chance that stolen credentials could pass the KYC checks.
- The inability to trust photo IDs: It is now trivial to generate a believable photo ID. If this data is widely compromised, merely verifying it against a database or comparing a photo ID no longer assures legitimacy.
Manual processes, overreliance on document authenticity, and limited contextual intelligence create dangerous hazards for KYC.
The solution: data, machine learning, and AI Agents
- Deep fakes can beat liveness checks but not human behavior checks: A human handles their device differently from the way a device behaves during a deep fake attack. Look for keystroke dynamics, typing rhythm, mouse movements, mobile device handling, and other subtle characteristics of users and flag anomalies.
- Baseline good behavior: If we baseline a “normal user” and “normal for this user,” our machine learning and AI-driven behavior analysis can then spot anomalies. Academic research indicates that it has a success rate of 92%. Sardine's behavioral biometrics regularly matches or exceeds this with our “same user score.”
- Anomaly detection: A behavior baseline analysis should also pick up sudden changes in transactional activity or unusual login locations, as standard. It should also alert compliance officers to account relationships, for example, if one account holder has a history of transacting with a known money mule or scammer.
- LLM-powered Optical Character Recognition (OCR) for documents: LLMs have become remarkably performant at document verification, and can spot inconsistencies in fonts, holograms, or micro-text. While this improves the detection of counterfeit documents, coupling it with transaction monitoring and user behavior analytics further strengthens credibility. Breach intelligence software can warn firms of potential fraud and vulnerable accounts before any crime is even attempted.
- Step up KYC AI Agents: With the increasing volume of alerts generated by KYC systems due to data breaches, AI Agents can help to triage a step-up KYC case quickly. Sardine’s AI Agents have access to the secure Sardine platform, with documentary KYC data, trusted 3rd party data sources, and proprietary device and behavior signals. In testing, we’ve found it is 100% effective at identifying false positives stuck in the KYC queue, leaving compliance officers to investigate the harder cases.
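The "normal for this user" baseline from the list above, worked through for keystroke timing alone. This is an added example, not Sardine's code or scoring method; the two features, the 3.5 threshold, the minimum key count and every sample timing are constructed assumptions.

```python
import statistics as st
from itertools import accumulate

def features(key_times_ms):
    """Summarise a session by the mean and spread of its inter-key gaps (ms)."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return {"mean_gap": st.fmean(gaps), "gap_stdev": st.pstdev(gaps)}

def build_baseline(sessions):
    """'Normal for this user': median and MAD of each feature over past sessions."""
    feats = [features(s) for s in sessions]
    baseline = {}
    for name in feats[0]:
        vals = [f[name] for f in feats]
        med = st.median(vals)
        mad = st.median([abs(v - med) for v in vals])
        # Floor the spread so a very consistent typist is not flagged for small drift.
        baseline[name] = (med, max(mad, 0.1 * med, 1.0))
    return baseline

def anomaly_score(baseline, session):
    """Largest robust z-score of any feature against the user's baseline."""
    f = features(session)
    return max(abs(f[n] - med) / (1.4826 * mad) for n, (med, mad) in baseline.items())

def assess(baseline, session, threshold=3.5, min_keys=8):
    """threshold and min_keys are illustrative assumptions, not tuned values."""
    if len(session) < min_keys:
        return "insufficient_data"  # too little typing to judge; rely on other signals
    return "step_up" if anomaly_score(baseline, session) > threshold else "consistent"

def from_gaps(gaps):
    """Turn inter-key gaps into key-press timestamps starting at 0 ms."""
    return [0, *accumulate(gaps)]

# Constructed sample data: four past sessions for one hypothetical user.
ENROLLED = [from_gaps(g) for g in (
    [180, 220, 150, 260, 190, 240, 170, 210, 230],
    [200, 170, 250, 160, 230, 190, 220, 180, 240],
    [190, 240, 160, 210, 250, 170, 200, 230, 180],
    [210, 160, 230, 190, 170, 250, 220, 200, 180],
)]
BASELINE = build_baseline(ENROLLED)
SAME_USER = from_gaps([195, 225, 165, 245, 185, 215, 175, 235, 205])
SCRIPTED = from_gaps([40] * 9)   # fast, perfectly uniform entry, e.g. automation
TOO_SHORT = from_gaps([200, 210])

if __name__ == "__main__":
    for name, s in (("same user", SAME_USER), ("scripted", SCRIPTED), ("short", TOO_SHORT)):
        print(name, assess(BASELINE, s))
```

A "step_up" result here is a trigger for additional verification, not a fraud verdict; correct stolen credentials typed by a different person or by automation pass the static checks but not this comparison.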
We must continue to add protective layers to KYC
With sensitive personal data readily available on illicit markets, traditional KYC approaches are increasingly vulnerable. The key is to augment it with additional layers of verification, continuous monitoring, and context-driven insights. Sardine is constantly adding new shields to build multi-faceted security across every stage.
Institutions can restore confidence in their customer verification processes by leveraging behavioral analytics, real-time intelligence, and LLM OCR capabilities designed to detect anomalies. The truth is, KYC is a job that’s never done.
Together, we must continue steadily strengthening the trustworthiness of KYC results, ensuring that both regulators and legitimate customers can rely on the ever-evolving safeguards.
Frequently Asked Questions (FAQ)
Is enhanced KYC enough if the underlying personal data is widely compromised?
If we're dealing with a case where there may be a risk of compromised data onboarded onto a bank's system, there are several strategies we can follow to detect and remove it. We'd need to talk to you and understand your unique situation to find the best one for your firm.
We'd use a blend of device intelligence, behavior biometrics, and data enrichment to filter out suspicious accounts. Our technology can swiftly identify bot activity, proxy or VPN usage, remote access tools, tampered apps, rooted devices, location compliance, and more. Simultaneously, we also track typing, mouse movement, scrolling, swiping, long-term memory field input, hesitation, and distraction to measure how authentic the user is. Going deep into the data, Sardine digs into IP addresses, credit reports, social security numbers, mailing addresses, geolocations, and more to look for anomalies.
Implementing enhanced KYC is essential for new account onboarding. Prevention is better than a cure. We continually strive to improve features faster than organized criminals.
How can we ensure continuous monitoring doesn’t create a poor customer experience?
Advanced analytics often operate behind the scenes, only escalating cases that truly warrant additional checks. When well calibrated, dynamic monitoring can enhance security without imposing unnecessary friction on legitimate customers.
How do regulators view the shift from traditional to more sophisticated KYC tools?
Financial services are mandated to protect customers against identity theft, for example, with the USA's Fair and Accurate Credit Transactions (FACT) Act. Regulators expect firms to implement robust protections and proactively address evolving risks.
In the UK, the FCA is actively pushing financial firms to innovate in data protection and recommends collaborations. As the regulator states, “it is up to all of us to take action to protect our consumers, our firms and our markets. Together, we can shift the dial decisively to reduce and prevent financial crime”.
We've yet to find a regulator that does not want to strengthen KYC protocols. Across the world, as data breaches intensify, banks must reinforce their safety mechanisms to restore trust.
What’s the best way to start integrating these new technologies?
At Sardine, we'd happily handle this for you. We're just a click or call away. If you'd prefer the in-house DIY approach, which we do not recommend, you could begin with incremental pilots—test behavioral biometrics on a subset of accounts, add device reputation checks at onboarding, or integrate breach intelligence data. Measure the impact, refine parameters, and scale up once you confirm improved risk metrics.
Can manual reviews still be part of the KYC process in this new landscape?
Absolutely. Human judgment remains critical. These tools help focus skilled analysts where they’re most needed—on complex, high-risk cases—rather than sifting through routine transactions. The synergy of human expertise and advanced analytics delivers the most vigorous defense. We need to use all our skills to conquer criminal activity, together.