Compliance · 12 min read

Neobank and Digital Bank KYC/AML Compliance Guide 2026

Complete KYC and AML compliance guide for neobanks and digital banks in 2026: EU AMLR, AMLD6, FCA obligations, liveness detection requirements, and how to build a compliant onboarding programme.

CheckFile Team


Neobanks and digital banks must meet the same KYC and AML obligations as traditional financial institutions, and in many cases under stricter operational conditions, because every customer interaction happens remotely. In the UK, the relevant framework is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), supervised by the FCA; across the EU, Regulation (EU) 2024/1624 (the AMLR) becomes directly applicable from 10 July 2027 alongside Directive (EU) 2024/1640 (AMLD6). Regulatory penalties against neobanks, including N26's €4.25 million BaFin fine in 2021 and Starling Bank's £29 million FCA fine in October 2024, confirm that speed-to-market cannot come at the cost of compliance infrastructure.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.

For a broader view of document verification in banking onboarding workflows, see how UK banks structure their KYC processes.

Regulatory Framework for Neobanks in 2026

The regulatory landscape for digital banks is converging across jurisdictions. The EU's three-part AML Package, the UK's post-Brexit MLR framework, and the US Bank Secrecy Act all impose materially similar obligations (identity verification, transaction monitoring, and suspicious activity reporting), but with important structural differences that cross-border neobanks must track separately.

Regulation | Jurisdiction | Key obligation | Timeline
MLR 2017 (as amended) | UK | CDD, SAR filing, MLRO appointment | In force
Regulation (EU) 2024/1624 (AMLR) | EU | Uniform CDD/EDD rules, directly applicable | From 10 July 2027
Directive (EU) 2024/1640 (AMLD6) | EU | National transposition, FIU cooperation | Transposition by 10 July 2027
Regulation (EU) 2024/1620 (AMLA) | EU | Direct supervision of 40 cross-border entities | Direct supervision from 1 January 2028
Bank Secrecy Act, 31 USC §5318 | US | AML/CFT programme requirements | FinCEN proposed revisions 7 April 2026
31 CFR §1020.220 (CIP Rule) | US | Customer Identification Programme | In force
EBA/GL/2021/21 (updated Oct 2023) | EU | Liveness detection for remote onboarding | Applicable

AMLD6 (Directive (EU) 2024/1640) must be transposed by EU member states by 10 July 2027, after which the AMLR's directly applicable rulebook removes the compliance variance that allowed some institutions to operate under looser national implementations of earlier directives.

For a complete overview of the EU AML Package, see the AML compliance guide for obliged entities.

AMLA and Direct Supervision

The Anti-Money Laundering Authority (AMLA), established by Regulation (EU) 2024/1620, becomes fully operational for direct supervision from 1 January 2028. It will directly supervise up to 40 cross-border financial institutions operating in six or more EU member states. For most neobanks, indirect supervision via national competent authorities (NCAs) will continue โ€” but the AMLR's uniform rulebook applies to all obliged entities regardless of whether they fall within AMLA's direct supervision remit.

KYC Requirements for Digital Onboarding

Remote digital onboarding creates specific compliance obligations that branch-based banks do not face. When no human agent is present during identity verification, the risk of synthetic identity fraud, document manipulation, and deepfakes is materially higher.

Identity Verification Documents

Under both MLR 2017 (UK) and the forthcoming AMLR (EU), the minimum standard for individual customer onboarding requires:

  • Primary identity document: current passport, national identity card, or photocard driving licence
  • Proof of address: utility bill, bank statement, or government-issued correspondence dated within three months
  • Beneficial ownership: for business accounts, articles of association, certificate of incorporation, and identification of all UBOs holding 25% or more

For corporate customers, verification complexity increases substantially. The FCA's Financial Crime Guide (FCG 3.2) requires banks to look through corporate structures to identify ultimate beneficial owners, a process that may involve document chains spanning multiple jurisdictions.

Liveness Detection: A Mandatory Control

EBA/GL/2021/21, updated in October 2023, requires liveness detection during remote or digital onboarding when no human agent is present. This is not guidance; it is a supervisory expectation enforced through FCA and EBA review processes. Liveness detection must confirm that the person presenting the document is physically present, not a photograph, video replay, or deepfake. Passive and active liveness checks both satisfy the standard, provided they meet ISO/IEC 30107-3 (Presentation Attack Detection) criteria.

Neobanks that rely solely on document upload without a liveness check are materially non-compliant with EBA/GL/2021/21 and are exposed to supervisory challenge under MLR 2017 (UK) and the AMLR (EU).

Risk-Based Approach to CDD

Standard CDD applies to the majority of retail customers. Enhanced due diligence (EDD) is mandatory for:

  • Politically exposed persons (PEPs) and their associates
  • Customers from FATF high-risk jurisdictions (FATF High-Risk Jurisdictions list)
  • Customers whose transaction patterns are inconsistent with their stated purpose of account
  • Correspondent banking relationships

Simplified due diligence (SDD) is permissible only where risk is demonstrably low, for instance low-value e-money products with transaction caps. AMLR Article 22 sets the conditions for SDD explicitly, replacing the discretionary national approaches that varied across the EU.

AML Obligations: Transaction Monitoring and SAR Filing

Transaction monitoring is the operational heart of an AML programme. For neobanks processing high volumes of real-time payments, the challenge is not collecting transaction data but building alert logic that produces actionable signals without generating an unmanageable volume of false positives.

Transaction Monitoring Programme Design

An effective transaction monitoring programme for a neobank must cover:

  1. Rule-based alerts: velocity rules (e.g., five or more cash deposits in 24 hours), structuring detection (transactions just below reporting thresholds), and unusual payment corridors
  2. Behavioural analytics: deviations from a customer's established transaction pattern, flagging accounts that suddenly transact with high-risk counterparties
  3. Sanctions screening: real-time matching against OFAC, HM Treasury, and EU consolidated sanctions lists
  4. PEP and adverse media screening: ongoing monitoring, not just at onboarding
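As an added illustration of the rule-based alerts in item 1 (example code written for this article, not CheckFile's product code), the following Python sketch runs a velocity rule (five or more cash deposits in 24 hours) and a structuring rule over a constructed ledger. The reporting threshold, the width of the "just below" band, and the structuring count and window are assumed parameters that a real programme would calibrate to its own risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (account, timestamp, type, amount); not real customer data.
SAMPLE_TRANSACTIONS = [
    ("A1", "2026-03-01T09:00", "cash_deposit", 300.0),
    ("A1", "2026-03-01T11:30", "cash_deposit", 250.0),
    ("A1", "2026-03-01T14:10", "cash_deposit", 400.0),
    ("A1", "2026-03-01T18:45", "cash_deposit", 350.0),
    ("A1", "2026-03-02T08:30", "cash_deposit", 300.0),   # fifth deposit within 24h of the first
    ("B2", "2026-03-01T10:00", "cash_deposit", 9800.0),
    ("B2", "2026-03-03T16:00", "cash_deposit", 9700.0),
    ("B2", "2026-03-05T10:30", "cash_deposit", 9900.0),  # three just-under-threshold deposits
    ("C3", "2026-03-01T10:00", "card_payment", 45.0),    # not a cash deposit: ignored by both rules
    ("C3", "2026-03-03T10:00", "cash_deposit", 9990.0),  # single sub-threshold deposit: no alert
]
VELOCITY_COUNT, VELOCITY_WINDOW = 5, timedelta(hours=24)       # rule as stated in the article
THRESHOLD = 10_000.0            # assumed reporting threshold (constructed, not from the article)
STRUCTURING_BAND = 0.90         # "just below" = within 10% under the threshold (assumption)
STRUCTURING_COUNT, STRUCTURING_WINDOW = 3, timedelta(days=7)   # assumed parameters

def _cash_deposits(transactions):
    """Group cash deposits per account as (datetime, amount), sorted by time."""
    buckets = defaultdict(list)
    for acct, ts, kind, amt in transactions:
        if kind == "cash_deposit":
            buckets[acct].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), amt))
    return {a: sorted(v) for a, v in buckets.items()}

def _rolling_window_hit(events, min_count, window):
    """True if at least min_count events fall inside any rolling window (two-pointer scan)."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 >= min_count:
            return True
    return False

def velocity_alerts(transactions):
    """Accounts with VELOCITY_COUNT or more cash deposits inside any VELOCITY_WINDOW."""
    return sorted(a for a, ev in _cash_deposits(transactions).items()
                  if _rolling_window_hit(ev, VELOCITY_COUNT, VELOCITY_WINDOW))

def structuring_alerts(transactions):
    """Accounts with repeated cash deposits just below THRESHOLD inside STRUCTURING_WINDOW."""
    alerts = []
    for acct, ev in _cash_deposits(transactions).items():
        near = [e for e in ev if THRESHOLD * STRUCTURING_BAND <= e[1] < THRESHOLD]
        if _rolling_window_hit(near, STRUCTURING_COUNT, STRUCTURING_WINDOW):
            alerts.append(acct)
    return sorted(alerts)
```

On the sample ledger, account A1 trips the velocity rule and B2 the structuring rule, while C3's lone sub-threshold deposit produces no alert; in production these hits would feed the alert-triage queue rather than an automatic SAR decision.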

Under MLR 2017 Regulation 19, UK firms must apply ongoing monitoring to the business relationship, which includes scrutinising transactions against the customer's risk profile and keeping CDD records current. The equivalent obligation under AMLR Article 42 requires continuous transaction monitoring proportionate to risk.

Suspicious Activity Reports (SARs)

In the UK, SARs are submitted to the National Crime Agency (NCA) via the UKFIU portal. The MLRO is responsible for reviewing internal disclosures, making filing decisions, and maintaining an audit trail. Failure to file a SAR when a suspicion arises is a criminal offence under POCA 2002 s.330.

In the EU, Financial Intelligence Units (FIUs) are national bodies coordinated under AMLD6 and the Egmont Group. AMLR Article 69 sets mandatory time limits for SAR filing once suspicion is identified.

In the US, Suspicious Activity Reports are filed with FinCEN under 31 CFR §1020.320. FinCEN's proposed rulemaking of 7 April 2026 proposes to revise AML/CFT programme requirements under 31 USC §5318, with an emphasis on risk assessment documentation and programme effectiveness measurement.


Common Compliance Failures and Regulatory Penalties

The enforcement record against neobanks and challenger banks is now substantial enough to draw clear lessons. Regulatory actions are not primarily about bad intent; they reflect structural programme deficiencies that persist as organisations scale.

N26: BaFin Capped Growth at 50,000 New Customers Per Month

BaFin fined N26 €4.25 million in 2021 for deficiencies in AML reporting and capped the bank's customer acquisition at 50,000 new accounts per month until remediation was complete. The underlying failures included delayed SAR filing, incomplete transaction monitoring coverage, and KYC files that did not meet the required standard. The growth cap, rather than the fine, was the commercially significant sanction: it directly constrained N26's expansion at a critical phase of its development.

Starling Bank: £29 Million FCA Fine in October 2024

The FCA fined Starling Bank £29 million in October 2024 for financial crime control failings. The FCA's investigation found that Starling's financial sanctions screening did not cover all customers on its books and that its financial crime control framework had not kept pace with its rapid customer growth. The FCA identified the firm's systems as inadequate relative to the risk posed by its customer base. This case is directly instructive for any neobank scaling under the assumption that compliance infrastructure can be retrofitted after growth.

Revolut: UK Banking Licence Granted July 2024

Revolut received its UK banking licence from the PRA and FCA in July 2024, after a protracted application process that included significant scrutiny of its compliance and financial crime frameworks. The licence grant confirms that regulatory authorisation is achievable for neobanks, but the timeline illustrates the compliance investment required.

Structural Patterns in Neobank Enforcement

Failure type | Regulatory consequence | Examples
Delayed or absent SAR filing | Criminal liability; supervisory sanction | N26 (BaFin 2021)
Inadequate sanctions screening | Licence conditions; substantial fines | Starling (FCA 2024)
KYC files not meeting CDD standard | Remediation orders; ongoing monitoring | Multiple EBA supervisory reviews
Transaction monitoring gaps | Enforcement action; compliance plan requirements | NYDFS neobank actions 2023-2025

Building a Compliant Neobank Compliance Programme

A compliant programme is not a collection of point solutions; it is an integrated framework that connects onboarding verification, ongoing monitoring, alert triage, and regulatory reporting into a defensible system with clear ownership.

Programme Components

1. Policies and risk appetite statement. The compliance programme must begin with a written risk appetite statement that defines which customer types, geographies, and products the firm will and will not accept. This document anchors every subsequent control decision and demonstrates to regulators that the compliance programme reflects genuine risk management, not checkbox compliance.

2. Customer due diligence workflow. The CDD workflow must be documented, version-controlled, and tested. It should specify: what documents are acceptable for each customer type, how document authenticity is verified, what triggers EDD, and how decisions are recorded. CheckFile's multi-layer analysis approach (structural, metadata, cross-document consistency), covering 3,200+ document types across 32 jurisdictions, supports consistent CDD execution at scale, including documents from markets where neobanks frequently onboard customers remotely.

3. Technology and liveness controls. Automated document verification, liveness detection, and sanctions screening must be integrated at the onboarding stage rather than run as manual post-hoc checks. The EBA/GL/2021/21 requirement for liveness detection during remote onboarding means this is a compliance obligation, not an optional enhancement.

4. MLRO and governance. MLR 2017 (UK) requires the appointment of a Money Laundering Reporting Officer (MLRO) with sufficient seniority and resources to discharge the role. The MLRO must have direct access to the board and the ability to escalate concerns without organisational interference. Under AMLR Article 10, EU firms must designate a member of the management body responsible for AML compliance, a similar structural requirement.

5. Training. All staff who interact with customers or process transactions must receive AML training appropriate to their role. Training records must be maintained and updated when regulations change.

6. Audit and assurance. Independent internal audit of the AML programme should occur at least annually, with findings reported to the board audit committee. The scope must cover CDD quality, SAR process, transaction monitoring effectiveness, and training completion rates.

For a detailed guide on structuring document verification within a broader compliance programme, see the documentary compliance guide.

Choosing a KYC/AML Technology Partner

When evaluating technology vendors, compliance teams should assess:

  • Document type coverage relative to the firm's actual customer geography
  • Liveness detection certification against ISO/IEC 30107-3 PAD Level 2 or higher
  • API integration capability with existing onboarding and core banking platforms
  • Audit trail and data retention functionality that satisfies MLR 2017 Regulation 40 (five-year retention)
  • CheckFile provides structured verification workflows for financial institutions, with coverage across 3,200+ document types in 32 jurisdictions

The CheckFile platform maintains robust data security controls aligned with financial sector requirements. For pricing and programme design consultation, see CheckFile pricing.

Frequently Asked Questions

What KYC documents must a neobank collect during onboarding?

At a minimum, neobanks must collect a government-issued photo identity document (passport, national identity card, or driving licence) and proof of address from each individual customer. For business accounts, the requirement extends to incorporation documents, evidence of registered address, and identity verification for all ultimate beneficial owners holding 25% or more. The specific documents acceptable may vary by jurisdiction, but the standard of verification (reliable and independent sources) applies uniformly under MLR 2017 and the forthcoming AMLR.

Is liveness detection mandatory for neobanks?

EBA/GL/2021/21 (updated October 2023) requires liveness detection during remote digital onboarding when no human agent is present. For virtually all neobank onboarding journeys, this means liveness checks are mandatory, not discretionary. Supervisors in both the UK and EU have identified digital onboarding without liveness controls as a material compliance deficiency.

How does AMLD6 affect neobanks operating across the EU?

AMLD6 (Directive (EU) 2024/1640) must be transposed into national law by 10 July 2027. It works alongside the AMLR (Regulation (EU) 2024/1624), which is directly applicable from the same date. Together, these instruments create a uniform AML rulebook across all EU member states, eliminating the regulatory arbitrage that previously allowed neobanks to structure their EU operations around the most permissive national implementation. Neobanks licensed in any EU member state must comply with the AMLR from 10 July 2027.

What are the SAR filing obligations for UK neobanks?

UK neobanks must file a Suspicious Activity Report with the National Crime Agency via the UKFIU portal whenever the MLRO determines that there are reasonable grounds to suspect money laundering or terrorist financing. There is no minimum transaction threshold for SAR filing: the trigger is suspicion, not value. Failure to file when a suspicion arises is a criminal offence under the Proceeds of Crime Act 2002 s.330. The MLRO must maintain records of all internal disclosures received and all filing decisions made.

Can a neobank apply simplified due diligence to all retail customers?

No. Simplified due diligence (SDD) is only permissible where the customer and the product present demonstrably low ML/TF risk. AMLR Article 22 sets explicit conditions for SDD, including low transaction limits and restrictions on the types of transaction the account can be used for. A standard current account or payments account with no value or geographic restrictions does not qualify for SDD. Most neobank retail accounts require standard CDD as a minimum.
