KYC Banks vs Fintechs: Requirements Compared in 2026
KYC requirements for banks vs fintechs compared: FCA licensing, PSD2, UK MLR 2017 obligations, compliance processes and technology differences explained.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokBanks and fintechs in the UK are subject to the same anti-money laundering laws, but operate under different licensing regimes that shape how those obligations are met in practice. The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) apply equally to fully licensed banks and to firms authorised as electronic money institutions (EMIs) or payment institutions. The FCA supervises both, but the scope of permitted activities, and therefore the risk profile, differs significantly. This article provides a detailed comparison of KYC requirements for traditional banks and fintechs operating in the UK, covering licensing, due diligence, reporting, technology, and the impact of upcoming regulatory changes.
Licensing and regulatory framework
The UK distinguishes between several types of financial services authorisation, each carrying the same AML obligations but differing in the activities permitted and the prudential requirements imposed.
A traditional bank such as Barclays, HSBC or Lloyds holds a full banking licence from the PRA and FCA, authorising it to accept deposits, grant credit and provide a full range of financial services. This licence carries the highest prudential capital requirements and the broadest scope of FCA supervision.
A fintech like Revolut, Monzo or Starling may operate under an EMI licence, a payment institution licence, or in some cases a full banking licence. Monzo and Starling hold full banking licences, which means their obligations are identical to those of established banks. Revolut operated under an EMI licence for years before receiving its UK banking licence in 2025, illustrating how the boundary between banks and fintechs is increasingly blurred.
PSD2 and open banking
The Payment Services Regulations 2017, which implemented PSD2 in UK law, created new categories of regulated firms: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). These firms must comply with MLR 2017 in full, including KYC requirements. Open banking has expanded the ecosystem of regulated entities, but has not reduced the AML obligations for any participant.
Detailed comparison: banks vs fintechs
The table below compares the operational KYC requirements for traditional banks and fintechs in the UK.
| Criteria | Traditional banks (Barclays, HSBC, Lloyds) | Fintechs (Revolut, Monzo, Starling) |
|---|---|---|
| Licence type | Full banking licence (PRA/FCA) | EMI licence, payment institution licence, or full banking licence (FCA) |
| Supervisory authority | FCA + PRA | FCA (+ PRA if banking licence held) |
| Customer identification (CDD) | In-branch or remote, mix of manual and automated verification | Fully digital: OCR, biometric selfie, automated checks |
| Identity verification | Photo ID + proof of address, often in-person check | Photo ID + video selfie, algorithmic comparison with human review for edge cases |
| Beneficial ownership (UBO) | Companies House search + manual review of PSC register | Automated PSC register lookup via API, algorithmic verification |
| Risk profiling | Multi-criteria internal classification, periodic review by compliance team | Automated risk scoring, configurable rules, real-time alerts |
| Enhanced due diligence (EDD) | Dedicated team, in-depth review, committee approval | Digital-first enhanced process, human review for complex cases |
| PEP and sanctions screening | Commercial databases (World-Check, Dow Jones), daily batch screening | Same databases, real-time API screening |
| Suspicious activity reports (SARs) | Filed with NCA via MLRO | Same obligation, MLRO appointed internally |
| Onboarding time | 3 to 14 business days (branch visit often required) | Minutes to 48 hours (fully online) |
| Compliance team size | 500 to 5,000+ FTEs for large groups | 10 to 100 FTEs depending on scale |
| Technology investment | Legacy modernisation programmes, gradual automation | Cloud-native infrastructure, API-first architecture |
| Data retention | 5 years after end of relationship (MLR 2017 reg. 40) | 5 years after end of relationship (same requirement) |
| FCA enforcement action | Regular supervisory reviews, thematic reviews | Increasing scrutiny since 2023, several enforcement actions on EMIs |
For a comprehensive overview of document verification processes, see our document verification guide.
Onboarding processes: digital vs traditional
Traditional bank onboarding
Opening an account at a traditional UK bank has historically required an in-branch visit. The customer presents original photo ID (passport or driving licence), a recent utility bill or bank statement as proof of address, and for business accounts, a certificate of incorporation and details of persons with significant control (PSCs). The bank officer conducts a visual document check, enters the data into the core banking system, and triggers compliance workflows.
Major UK banks have invested heavily in digital onboarding since 2020. HSBC and Barclays now offer fully remote account opening for personal accounts, using document scanning and video verification. However, business account onboarding typically takes longer due to the complexity of UBO verification and multi-layered approval processes.
Fintech onboarding
Monzo, Starling and Revolut built their customer journeys around mobile-first onboarding. The customer photographs their ID document, records a short selfie video, and an identity verification algorithm matches the two in real time. Document data is extracted automatically via OCR and fed directly into the KYC system. PEP and sanctions screening runs via API in seconds.
This speed does not equate to weaker controls. The FCA has made clear that digital verification must achieve the same standard as face-to-face checks. In its 2024 Dear CEO letter to EMIs, the FCA highlighted persistent weaknesses in some fintechs' financial crime controls and signalled increased supervisory attention. Several EMIs have faced restrictions on onboarding new customers due to AML deficiencies.
Reporting obligations
Suspicious activity reports
Both banks and fintechs must file SARs with the National Crime Agency (NCA) when they know or suspect that a transaction involves the proceeds of crime or terrorist financing. The NCA received over 900,000 SARs in the 2023-2024 reporting year. Banks remain the largest source of SARs by volume, but the proportion from EMIs and payment institutions is rising.
Each firm must appoint a Money Laundering Reporting Officer (MLRO) who is personally responsible for the SAR filing process. The MLRO must be approved by the FCA and have sufficient seniority to challenge business decisions.
Ongoing monitoring
Continuous transaction monitoring is required under MLR 2017 regulation 28(11). Traditional banks typically run batch-based monitoring systems that analyse transactions against predefined scenarios (unusual amounts, high-risk jurisdictions, rapid movements). Fintechs tend to use real-time monitoring systems that flag transactions as they occur, with machine learning models increasingly supplementing rule-based approaches.
The review frequency for KYC records follows the same risk-based logic for both types of institution: annual for standard-risk clients, semi-annual or more frequent for high-risk relationships. Our due diligence checklist by sector details these review cycles.
Upcoming regulatory changes
The UK government has signalled further AML reforms through the Economic Crime and Corporate Transparency Act 2023, which strengthens Companies House verification powers and expands the scope of information-sharing between regulated firms. The FCA's ongoing review of the MLR 2017 framework may introduce additional requirements around digital identity verification standards.
At the European level, the AMLD6 directive and the directly applicable AMLR regulation will not bind UK firms directly, but will influence standards through equivalence assessments and cross-border cooperation. UK firms operating in the EU will need to comply with both regimes. For more detail on the 2026 regulatory landscape, see our KYC 2026 requirements guide.
Technology and automation
Fintechs hold a structural advantage in KYC automation. Their systems were built from inception around APIs, cloud infrastructure and automated decision-making. A fintech can integrate a new identity verification provider or sanctions screening tool in days, while a legacy bank may take months to update its core systems.
That said, the gap is narrowing. Barclays, HSBC and Lloyds have each invested hundreds of millions of pounds in digital transformation programmes. HSBC's partnership with Onfido for digital identity verification and Lloyds' deployment of AI-powered transaction monitoring demonstrate the direction of travel.
For both banks and fintechs, the challenge is identical: automate without compromising control quality. A tool like CheckFile.ai enables automated verification of identity documents, proof of address and corporate documents regardless of firm size or licence type. For a comprehensive guide to KYC obligations, see our complete KYC guide for businesses.
Frequently asked questions
Are fintechs subject to the same KYC rules as banks in the UK
Yes. The MLR 2017 applies to all firms regulated by the FCA for financial services purposes, regardless of licence type. An EMI, a payment institution and a fully licensed bank all face the same core KYC obligations.
Why is fintech onboarding faster than at a traditional bank
Fintechs designed their infrastructure around digital-first processes. Identity verification, sanctions screening and document collection are automated from the outset. Traditional banks are retrofitting digital capabilities onto systems originally built for branch-based operations.
Does the FCA scrutinise fintechs less than banks
No. The FCA has increased its supervisory intensity on EMIs and payment institutions since 2023. Several fintechs have faced enforcement actions, voluntary requirements and restrictions on customer onboarding due to inadequate AML controls.
Can a fintech outsource its KYC processes
Yes, provided it retains ultimate responsibility for the adequacy of its AML controls. MLR 2017 regulation 39 permits reliance on third parties for CDD, but the regulated firm remains liable for any failures.
What happens when a fintech obtains a full banking licence
Its KYC obligations do not change materially, since MLR 2017 already applied. However, it becomes subject to PRA prudential supervision and additional capital and liquidity requirements. The AML framework remains the same.
Streamline KYC compliance for banks and fintechs
Whether you operate under a full banking licence or an EMI authorisation, KYC obligations are the same. The difference lies in execution speed and quality. CheckFile.ai automates identity document verification, proof of address checks and corporate document validation for banks and fintechs alike. Start your free trial or review our pricing to see how it works.