
Enhanced KYC: How Data Breaches Are Making It Harder to Trust Traditional KYC Results

Know Your Customer (KYC) isn’t just a regulatory checkbox—it’s the cornerstone of effective risk management. But it's under threat. In 2024, finance overtook healthcare as the most hacked industry, accounting for a tenth (around 152.2 million) of all data breaches, according to research by Verizon. When it comes to finance, system intrusion is the most common type of cyber attack.

By hacking onto the books with fake or stolen credentials, criminals are stretching KYC protocols to the limits. This is a huge and growing problem for financial services, which effectively triples the workloads of compliance teams. Not only do they need to ensure that customers’ source of funds is legitimate, but they must also verify if the person exists and whether their data has been stolen. 

Data sold on the dark web passes KYC checks 

In the third quarter of 2024 alone, data breaches exposed more than 422 million records worldwide and counting. The United Kingdom, United States, and Canada are among the most targeted locations.

Hacker group BlackCat claimed credit for the theft of data from 2,000 companies, including 60 banks, in the June 2023 MOVEit hack. This meant that an estimated 2.85 million (3% of the 95 million) records of KYC information ended up in the hands of criminals. Verizon research uncovered that the data stolen from the MOVEit attack was further leveraged to commit even more crimes, accounting for 8% of all financial system intrusions in 2024.

As criminals use stolen data to harvest more stolen data, the attacks are snowballing. Breaches around the world have almost doubled (increased 1.7 times) since 2019, compromising 1.522 billion records, up from 883 million. 

Organized criminals monetize sensitive data with ransomware or by selling it to other bad actors. In Q2 2024, Singaporean research revealed a 230% annual increase in stolen data sold on the dark web. As well as copies of real identification documents, criminals can buy biometric information such as fingerprints, facial data and even selfies for as little as $8.

After hacking Santander bank, the criminal gang ShinyHunters is openly selling the personal data of 30 million customers, numbers for 28 million credit cards, balances for 6 million accounts and personal information on employees.

The stolen data is being used in different ways, but within finance it's mostly used for account creation (90% of credit fraud cases). Criminals take out auto finance to buy cars, or open and max out numerous credit accounts. Since 2023, account takeover cases have also increased by 13%. More than 300,000 cases of credit theft from existing accounts were reported to the FTC in the third quarter of 2024 alone.

A new wave of KYC risks for compliance officers

The rise of data hacks and stolen credentials presents a tsunami of new challenges for compliance officers. In a recent survey, more than 60% reported data breaches as a top stressor.

Stolen identity can take many forms, including employer impersonation. Notoriously, one Hong Kong employee was tricked into sending $24 million to scammers who were using deepfake technology to impersonate senior leaders on a video call. This risk is increasing globally. One in ten companies has suffered deepfake and stolen credentials attacks in the past year.

The costs of shielding against hacks are also significant. Most (60%) mid-market commercial banks in the USA are now spending over one third of their entire compliance budget on KYC alone. And the cost of reviewing cases is adding up too, hitting an average of $2,598 each time.

In addition to the stolen funds comes an inevitable loss of trust and reputation. And the risks for this are multi-fold. For example, some global companies tried to mask the extent of the data breaches, leading to multi-million dollar fines from the SEC.

With data breaches becoming more prevalent, it's only a matter of time before the regulators begin to catch up. In the UK, the FCA is already debating new rules around whether banks can be held accountable for fraud committed by third parties. This could potentially include technology regulation partners who are not resistant enough against the relentless data hacks. Last year, Bank of America was held responsible for a breach, even though the data was held by Infosys McCamish. As one reporter put it, “for regulators, the picture of responsibility when it comes to third-party cybersecurity risk is black and white; banks are the ones responsible”. The costs can be eye-watering. Equifax was recently ordered to reimburse customers $425 million for a data breach that occurred in 2017. In the UK, it was also forced to pay out over £11 million. Being underprepared is not a risk financial services can afford to take.

Outdated KYC processes are no match for today's criminals 

Yet, a concerningly large proportion of financial services are taking monumental risks. Worryingly, a late 2023 study found that “KYC remains largely a manual process”. This problem has persisted for years and criminals are well aware of it. In 2022, Thomson Reuters reported, “...banks’ continued reliance on spreadsheets and other manual processes means their approach to financial crime compliance and detection lacks coherence and consistency”. This approach plays directly into scammers’ hands, as criminals increasingly rely on bias in human nature and social engineering to steal data.

Social engineering is one of the top-three tactics used in finance, against both staff and customers. It's little surprise that it has risen significantly over the past two years.

In Southeast Asia, criminal organization GoldFactory set up a fake app that requires facial recognition to enter. Using stolen facial recognition data, it accessed real customer accounts at more than fifty Vietnamese online banks. This same data could be leveraged against employees at banks to unlock hoards of sensitive data files, especially if they are stored on spreadsheets. 

For the banks that do use technology, but do not update it constantly, there are also significant risks. Firstly, if they rely heavily on static data points, such as social security numbers or national IDs, there is a high chance that stolen credentials could pass the KYC checks. If this data is widely compromised, merely verifying it against a database or comparing a photo ID no longer assures legitimacy. Sure enough, this seems to be the case, as account creation fraud is on the increase. One TransUnion report found that a whopping 13.5% of all new digital accounts are fraudulent.

Manual processes, overreliance on document authenticity and limited contextual intelligence are creating dangerous hazards for KYC. 

Behavioral biometrics and advanced document screening become business critical

Illegally obtained facial recognition can bypass some technologies, but there should always be other locks and measures to prevent access. One of these is behavioral biometrics. If a fraudster had the same (digital) face as a loved one, we might think it was them initially… but after a few seconds or minutes we’d clock that something is not right with their mannerisms, words and body language. This is what behavioral biometrics does. In the background, it analyses the keystroke dynamics, typing rhythm, mouse movements, mobile device handling and other subtle characteristics of users and flags anomalies.

In the event of a stolen biometric identity, it would be almost impossible for a criminal to fake these behaviors and enter the account. Machine learning and AI-driven behavior analysis is an emerging technology, but early academic research indicates that it has a success rate of 92%. Sardine's behavioral software has a fraud prevention rate of XX%.

In addition to the unique traits of customers, the behavioral analysis should also pick up sudden changes in transactional activity or unusual login locations, as standard. It should also alert compliance officers of account relationships, for example, if one account holder has a history of transacting to a known money mule or scammer. 

With 416,986 financial records stolen every day from banks (152.2 million in 2024), the risk of fraudulent transactions and account creation is a business-critical risk for financial services. This is why enhanced document verification is vital. Advanced AI-driven document verification can spot inconsistencies in fonts, holograms, or micro-text. While this improves the detection of counterfeit documents, coupling it with transaction monitoring and user behavior analytics further strengthens credibility. Breach intelligence software can also warn firms of potential fraud and vulnerable accounts before any crime is even attempted.

With identity fraud costing banks and consumers $43 billion in 2023, defending against it is business critical. As regulators sharpen their pencils and direct their focus towards banks, delaying upgrades could be a devastatingly high risk. 

We must continue to add protective layers to KYC

With sensitive personal data readily available on illicit markets, traditional KYC approaches are increasingly vulnerable. For experienced compliance professionals, this doesn’t come as a shock—it’s an evolution of the threat landscape they’ve long been navigating. The key is not to abandon standard KYC, but to augment it with additional layers of verification, continuous monitoring, and context-driven insights. Sardine is constantly adding new shields, to build multi-faceted security across every stage. 

By leveraging behavioral analytics, real-time intelligence, and sophisticated technologies designed to detect anomalies, institutions can restore confidence in their customer verification processes. The truth is that banks should never have a finished product. Together we must continue steadily strengthening the trustworthiness of KYC results, ensuring that both regulators and legitimate customers can rely on the ever-evolving safeguards.

Frequently Asked Questions (FAQ)

Q1: Is enhanced KYC enough if the underlying personal data is widely compromised?

A:
If we're dealing with a case where there may be a risk of compromised data onboarded onto a bank's system, there are several strategies we can follow to detect and remove it. To find the best one for your firm, we'd need to talk to you and understand your unique situation. 

Broadly speaking, we'd use a blend of device intelligence, behavior biometrics and data enrichment to filter out suspicious accounts. Our technology can swiftly identify bot activity, proxy or VPN usage, remote access tools, tampered apps, rooted devices, location compliance and more. Simultaneously, we also track typing, mouse movement, scrolling, swiping, long-term memory field input, hesitation and distraction to measure how authentic the user is. Going deep into the data, Sardine digs into IP addresses, credit reports, social security numbers, mailing addresses, geolocations and more to look for anomalies.

For new account onboarding, implementing enhanced KYC is essential. Prevention is better than cure. We always strive to continue improving features, as fast as or quicker than organized criminals.

Q2: How can we ensure continuous monitoring doesn’t create a poor customer experience?
A:
Advanced analytics often operate behind the scenes, only escalating cases that truly warrant additional checks. When well-calibrated, dynamic monitoring can enhance security without imposing unnecessary friction on legitimate customers.

Q3: How do regulators view the shift from traditional to more sophisticated KYC tools?
A:
Financial services are mandated to protect customers against identity theft, for example with the USA's Fair and Accurate Credit Transactions (FACT) Act. Regulators expect firms to implement robust protections and proactively address evolving risks.  

In the UK, the FCA is actively pushing financial firms to innovate in the areas of data protection, and recommends collaborations. As the regulator states, “it is up to all of us to take action to protect our consumers, our firms and our markets. Together, we can shift the dial decisively to reduce and prevent financial crime”.

We've yet to find a regulator that does not want to strengthen KYC protocols. Across the world, as data breaches intensify, banks must reinforce their safety mechanisms to restore trust. 

Q4: What’s the best way to start integrating these new technologies?
A:
At Sardine, we'd be happy to take care of this for you. We're just a click or call away. If you'd prefer the in-house DIY approach, which we do not recommend, you could begin with incremental pilots—test behavioral biometrics on a subset of accounts, add device reputation checks at onboarding, or integrate breach intelligence data. Measure the impact, refine parameters, and scale up once you confirm improved risk metrics.

Q5: Can manual reviews still be part of the KYC process in this new landscape?
A:
Absolutely. Human judgment remains critical. These tools help focus skilled analysts where they’re most needed—on complex, high-risk cases—rather than sifting through routine transactions. The synergy of human expertise and advanced analytics delivers the strongest defense. We need to use all skills to conquer criminal activity, together. 

About the author
Simon Taylor
Head of Strategy and Content