Choose KYC (Know Your Customer) software by mapping each MLR 2017 obligation (CDD, risk-based approach, ongoing monitoring, and record-keeping) to a software capability and a downloadable audit output you can produce on demand. This guide gives UK compliance teams a practical checklist and vendor due diligence questions to make that mapping possible.
What is AML software?
Anti-Money Laundering (AML) software is a system that helps regulated firms automate and evidence customer due diligence (CDD), screening (sanctions/PEP/adverse media), risk assessment, ongoing monitoring, and record-keeping in line with AML laws and guidance.
How long must KYC records be kept in the UK?
Under Regulation 40 of the Money Laundering Regulations 2017, relevant persons must keep CDD records for at least five years after a transaction or the end of a business relationship, and must not keep them for more than ten years.
Minimum checklist for MLR 2017-ready KYC software
CDD support with decision logging, configurable risk scoring, EDD escalation workflows, sanctions/PEP/adverse media screening, ongoing monitoring, and record-keeping with exports that meet Regulation 40 retention requirements.
Why KYC software selection is a key compliance decision
Picture this. A regulator arrives for a scheduled inspection, requests CDD files for 20 customer relationships, and asks your team to explain why Enhanced Due Diligence was not applied to three of them. Your compliance officer opens the system, clicks around, and realises there is no exportable record showing the risk assessment outcome or the rationale behind each decision. The meeting goes downhill from there.
This scenario plays out at firms of all sizes. KYC software is technology that helps a firm identify and verify customers, assess risk, and document decisions so it can demonstrate compliance with AML obligations. Selecting the right tool is not simply a technology procurement exercise. It is a compliance decision with direct regulatory consequences.
The outcomes you should target are specific: lower manual workload, stronger fraud resistance, fewer false positives in screening, and audit trails you can defend under scrutiny. According to PwC’s EMEA AML Survey, 84% of EMEA financial institutions now prioritise thorough KYC processes to meet evolving AML compliance requirements. That figure reflects how seriously regulators and firms now treat compliance infrastructure.
This guide is UK-focused and anchored to the Money Laundering Regulations 2017 (MLR 2017). Under Regulation 40, firms must keep CDD records for at least five years and not more than ten. We cover this in detail later. If your KYC tool can’t export an end-to-end audit trail, it’s not a compliance system. It’s just a workflow. If you need a broader AML refresher before continuing, read our ultimate AML compliance guide.
UK AML obligations in plain English
MLR 2017 sets the baseline obligations your organisation must meet. Your supervisor expects a risk-based approach, consistent application of that approach across all customers, and records that prove it. The KYC software UK firms select must support all three.
The risk-based approach
A risk-based approach is not optional under MLR 2017. Regulated firms must assess the money laundering and terrorist financing risks they face, then apply proportionate controls. Your software must enable configurable risk scoring, so higher-risk customers receive stronger checks while lower-risk customers go through a simpler process. One-size-fits-all policies will not satisfy supervisors. Tools that hard-code a single verification workflow will leave you exposed.
The customer lifecycle
AML compliance follows a lifecycle, and your software needs to support every stage. That lifecycle runs from onboarding customer due diligence (see the CDD definition) through risk assessment, escalation to Enhanced Due Diligence where warranted, ongoing monitoring, periodic review, and finally offboarding with proper record retention.
Ongoing monitoring is the continuous review of customer risk and activity after onboarding so that changes (for example, a new sanctions listing or adverse media) are identified and acted on. Many firms treat onboarding as the finish line. Supervisors do not. They want to see that your monitoring catches changes throughout the relationship, not only at the start.
Record-keeping as an operational requirement
Under Regulation 40 of the Money Laundering Regulations 2017, relevant persons must keep CDD records for at least five years after a transaction or the end of a business relationship, and must not keep them for more than ten years. This makes retention a direct software requirement. Your tool needs searchable storage, configurable retention controls, and the ability to export complete files for supervisory review. For a wider overview of UK rules, see our UK AML regulations guide.
In the UK, the most practical test of KYC software is whether it helps you apply a risk-based approach and prove it with records.
MLR 2017 obligations mapped to software capabilities
The following table maps each regulatory obligation to the capability you should look for.
| MLR 2017 obligation | Software capability |
|---|---|
| Customer Due Diligence (Reg 28) | Identity verification (document + biometric + database), data capture, decision logging |
| Risk Assessment (Reg 18) | Configurable risk scoring with weighted factors, override capability, rationale capture |
| Enhanced Due Diligence (Reg 33-35) | Trigger rules for higher-risk scenarios, additional evidence collection, approval workflows |
| Screening (sanctions, PEP, adverse media) | Real-time and ongoing screening against relevant lists, fuzzy matching, false positive management |
| Ongoing Monitoring (Reg 28(11)) | Periodic review scheduling, event-driven re-screening, alert workflows |
| Record-Keeping (Reg 40) | Searchable storage, retention clocks (5-year minimum, 10-year maximum), automated deletion |
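The risk assessment, EDD trigger and decision-logging rows of the table in working form, as an added example that is not code from this page or from any vendor it mentions. The factor names, weights and tier thresholds are assumptions chosen for illustration; a firm would derive its own from its documented risk assessment:

```python
# Added example, not code from the page or from any vendor it mentions:
# a minimal configurable risk-scoring engine with EDD trigger rules,
# reviewer override with mandatory rationale, and a time-stamped decision
# log. All factor names, weights and thresholds are illustrative assumptions.
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed weighted factors; a real firm derives these from its own risk assessment.
RISK_FACTORS = {
    "country": {"low": 0, "medium": 20, "high": 50},
    "customer_type": {"individual": 5, "company": 15, "trust": 30},
    "product": {"standard": 5, "high_value": 25},
    "pep_match": {False: 0, True: 40},
}
STANDARD_THRESHOLD = 20   # assumed: below this, simplified due diligence
EDD_THRESHOLD = 60        # assumed: at or above this, Enhanced Due Diligence
TIERS = ("simplified", "standard", "enhanced")


@dataclass
class Decision:
    customer_id: str
    score: int
    tier: str                      # one of TIERS
    factors: dict                  # per-factor contribution, kept for the audit file
    override: Optional[dict] = None
    log: list = field(default_factory=list)

    def record(self, actor: str, action: str, rationale: str = "") -> None:
        """Append a time-stamped entry; the log is append-only by convention."""
        self.log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "rationale": rationale,
        })


def tier_for(score: int) -> str:
    """Trigger rule: map a total score to a due-diligence tier."""
    if score >= EDD_THRESHOLD:
        return "enhanced"
    if score >= STANDARD_THRESHOLD:
        return "standard"
    return "simplified"


def score_customer(customer_id: str, attributes: dict) -> Decision:
    """Score a customer from its attributes and log the system decision."""
    breakdown = {name: table[attributes[name]] for name, table in RISK_FACTORS.items()}
    total = sum(breakdown.values())
    decision = Decision(customer_id, total, tier_for(total), breakdown)
    decision.record("system", f"scored {total}, tier {decision.tier}")
    return decision


def apply_override(decision: Decision, reviewer: str, new_tier: str, rationale: str) -> Decision:
    """Let a reviewer change the tier, but never without a recorded rationale."""
    if not rationale.strip():
        raise ValueError("override rejected: rationale is required")
    if new_tier not in TIERS:
        raise ValueError(f"unknown tier {new_tier!r}")
    decision.record(reviewer, f"override {decision.tier} -> {new_tier}", rationale)
    decision.override = {"from": decision.tier, "to": new_tier, "by": reviewer}
    decision.tier = new_tier
    return decision


def export_case_file(decision: Decision) -> str:
    """Structured export that lets an auditor reconstruct the decision."""
    return json.dumps(decision.__dict__, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample customer: high-risk country, individual, standard product, no PEP match.
    d = score_customer("C-001", {"country": "high", "customer_type": "individual",
                                 "product": "standard", "pep_match": False})
    apply_override(d, "reviewer.a", "standard",
                   "Long-standing client; source of funds verified on file")
    print(export_case_file(d))
```

The point of the shape is that every tier change, whether made by the rule or by a reviewer, lands in the same log with an actor, a timestamp and a rationale, and the export carries the per-factor breakdown rather than only the final score. An override with a blank rationale is rejected outright, which is the software-level form of the "rationale capture" capability in the table.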
What AML software is and how it differs from KYC tools
AML software is a system that helps regulated firms automate and evidence customer due diligence (CDD), screening (sanctions/PEP/adverse media), risk assessment, ongoing monitoring, and record-keeping in line with AML laws and guidance.
AML software typically includes these modules:
- Identity verification (IDV)
- Know Your Business (KYB) and beneficial ownership checks
- Sanctions, PEP, and adverse media screening
- Risk scoring and decisioning engine
- Case management and workflow tools
- Ongoing monitoring and alerts
- Reporting and audit file generation
A KYC tool verifies identity; an AML system adds screening, risk decisions, ongoing monitoring, and evidence that those steps happened.
AML software, KYC software, and IDV software are not the same thing
Buyers often use these terms interchangeably, and that creates confusion during procurement. Identity verification is the process of confirming a customer is who they claim to be, typically using document checks, biometric or liveness checks, and database matches. It answers one question: “Is this person real?”
KYC software (see the full KYC software definition) goes further. It combines identity verification with risk assessment and decision workflows. AML software goes further still. It wraps KYC into a broader programme that includes screening, ongoing monitoring, suspicious activity reporting, and governance.
Screening databases sit at another level entirely. They provide the data (sanctions lists, PEP registers, adverse media feeds) but no workflow, no decisioning, and no audit output.
Evidence, audit trails, and retention
Audit Readiness Test: Could your team produce these 10 items within 24 hours of a regulator’s request?
- Customer verification summary with document type and match scores
- Liveness detection outcome with method used
- Screening results (sanctions, PEP, adverse media) with clearance rationale
- Risk score breakdown with factor weights
- EDD trigger record and approval (where applied)
- Manual override log with rationale
- Ongoing monitoring alerts and resolution history
- Reviewer actions with timestamps
- Change history for all case updates
- Complete case file export in PDF or structured format
An audit trail is a time-stamped record of every action, data source, decision, and reviewer involved in a KYC case, preserved so it can be reconstructed later. If your software cannot produce the artefacts listed above, you will struggle in a supervisory review.
What to retain
Your system should store ID images (both sides of documents), extracted data fields, liveness detection outcomes, screening hits and clearance decisions, risk scores with the factors that produced them, rationale notes, reviewer approvals, timestamps for every action, and a complete change history. Each piece of evidence should be linked to a single customer record, not scattered across separate systems or spreadsheets.
How long to keep records
Regulation 40 makes retention a software requirement: you need tools that can retain, search, and export KYC evidence for years, not days. Under MLR 2017, records must be kept for at least five years after the relevant transaction or the end of the business relationship. They must not be kept for more than ten years. Your software needs retention clocks that start automatically when a relationship ends or a transaction completes. It must also enforce the ten-year maximum with automated deletion workflows.
Deletion and data subject rights
Record-keeping obligations sit alongside UK GDPR requirements. Your software should support automated retention clocks, legal hold capabilities (to pause deletion during investigations), and data subject request handling. The key tension is straightforward: you must keep records for at least five years for AML purposes, but you should not hold personal data longer than necessary. Systems that manage both obligations simultaneously will save your compliance team significant effort.
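The retention clock described in the two sections above, as an added example that is not code from this page or from any vendor it mentions. The five-year minimum and ten-year maximum are the Regulation 40 figures the page states; the rule that the clock starts from the later of "relationship ended" and "last transaction", and the handling of a legal hold that outlives the maximum, are assumptions made for this illustration:

```python
# Added example, not code from the page or from any vendor it mentions:
# a Regulation 40 retention clock with a legal-hold pause and queues for
# deletion and for hold review. Minimum and maximum come from the page;
# the clock-start rule and the hold handling are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MIN_RETENTION_YEARS = 5    # Regulation 40 minimum
MAX_RETENTION_YEARS = 10   # Regulation 40 maximum


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class RetentionRecord:
    customer_id: str
    relationship_ended: Optional[date] = None   # None while the relationship is live
    last_transaction: Optional[date] = None
    legal_hold: bool = False                    # pauses deletion during an investigation


def clock_start(rec: RetentionRecord) -> Optional[date]:
    """Assumed rule: no clock while the relationship is live; otherwise the
    later of the end date and the last transaction date."""
    if rec.relationship_ended is None:
        return None
    if rec.last_transaction is not None and rec.last_transaction > rec.relationship_ended:
        return rec.last_transaction
    return rec.relationship_ended


def retention_status(rec: RetentionRecord, today: date) -> str:
    """
    active      relationship still live, no clock running
    retain      inside the 5-year minimum, deletion not permitted
    legal_hold  past the minimum but deletion paused by a hold
    deletable   between the 5-year minimum and the 10-year maximum
    overdue     past the 10-year maximum, must be deleted
    """
    start = clock_start(rec)
    if start is None:
        return "active"
    if today < add_years(start, MIN_RETENTION_YEARS):
        return "retain"
    if rec.legal_hold:
        return "legal_hold"
    if today < add_years(start, MAX_RETENTION_YEARS):
        return "deletable"
    return "overdue"


def deletion_queue(records: List[RetentionRecord], today: date) -> List[str]:
    """IDs that may (deletable) or must (overdue) be purged; held records never appear."""
    return [r.customer_id for r in records
            if retention_status(r, today) in ("deletable", "overdue")]


def hold_review_queue(records: List[RetentionRecord], today: date) -> List[str]:
    """Holds that have outlived the 10-year maximum and need a documented review decision."""
    result = []
    for r in records:
        start = clock_start(r)
        if r.legal_hold and start is not None and today >= add_years(start, MAX_RETENTION_YEARS):
            result.append(r.customer_id)
    return result


if __name__ == "__main__":
    # Constructed sample records, not real customer data.
    sample = [
        RetentionRecord("C-1", relationship_ended=date(2015, 3, 1)),
        RetentionRecord("C-2", relationship_ended=date(2015, 3, 1), legal_hold=True),
        RetentionRecord("C-3"),
        RetentionRecord("C-4", relationship_ended=date(2016, 2, 29)),
    ]
    today = date(2021, 3, 1)
    for r in sample:
        print(r.customer_id, retention_status(r, today))
    print("delete:", deletion_queue(sample, today))
    print("review holds:", hold_review_queue(sample, date(2026, 1, 1)))
```

Two design choices carry the compliance weight. First, a legal hold can never make a record deletable earlier: the minimum-period check runs before the hold check, so a hold only ever lengthens retention. Second, a hold that has passed the ten-year maximum is not silently deleted and not silently kept; it is surfaced in a separate queue so that someone records a decision, which is the kind of evidence a supervisor and a data protection review both expect.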
Vendor due diligence questions
Use these questions to prevent demo-driven decisions. A strong KYC vendor can explain their data sources, matching logic, and audit outputs as clearly as their UI. Capgemini’s benchmark study found that 85% of respondents recognise analytics and automation as a high priority for KYC success. The questions below will help you assess whether a vendor delivers on that promise or simply automates the easy parts.
| Category | Question | Evidence to request | Red flags |
|---|---|---|---|
| Compliance | How do you support CDD, EDD, and ongoing monitoring workflows? | Workflow documentation, demo of EDD escalation | No EDD workflow; fixed risk model |
| Data sources | Which sanctions, PEP, and adverse media lists do you use, and how often are they updated? | List of sources, update frequency documentation | Cannot name specific lists; infrequent updates |
| Matching logic | How does your matching work (fuzzy, transliteration, configurable thresholds)? | Matching algorithm documentation, false positive rate data | No fuzzy matching; no sensitivity adjustment |
| Identity verification | What is your liveness approach and how do you defend against injection attacks? | Liveness certification, injection detection documentation | Passive-only liveness; no injection detection |
| Audit exports | Can you export a complete case file that reconstructs a decision? | Sample export file, API documentation for data retrieval | Dashboard-only view; no downloadable evidence |
| Security | What certifications do you hold and when was your last penetration test? | ISO 27001 cert, SOC report, pen test summary | No pen test in 12+ months; no certifications |
| Data residency | Where is data processed and stored, and who are your subprocessors? | Data processing agreement, subprocessor list | Cannot confirm data location; no subprocessor list |
| Pricing | Is pricing per attempt or per successful verification, and what are retry/manual review costs? | Pricing schedule, volume discount tiers | Per-attempt pricing with no cap; hidden fees |
| Integration | Do you offer sandbox access, and what is typical time to integrate? | API docs, sandbox credentials, reference timelines | No sandbox available; vague estimates |
Score each vendor across all categories, then weight the scores according to your priorities. Vendor due diligence questions like these separate strong vendors from those who rely on polished demos to close deals.
A practical KYC software selection process
The fastest way to choose KYC software is to score vendors against evidence outputs, not marketing claims. This five-step process gives your team a repeatable framework from requirements through to contract.
- Write your risk-based requirements: Use the requirements checklist above to classify each requirement as Must, Should, or Could. A risk-based approach means applying stronger checks to higher-risk customers and simpler checks to lower-risk customers, while documenting why. Your requirements should reflect this principle. Share the requirements document with vendors before scheduling demos so they can prepare relevant demonstrations.
- Define your non-negotiable evidence outputs: Using the artefact list from the audit readiness section, specify which exports every vendor must produce. Make these a pass/fail criterion. If a vendor cannot generate a complete case file PDF with verification results, screening outcomes, risk assessment, and reviewer actions, they do not meet your minimum standard.
- Create a weighted scoring model: Assign weights to each evaluation category. A suggested starting point: compliance fit 35%, security 25%, user experience and conversion 15%, integration 15%, commercials 10%. Adjust these weights to match your organisation’s priorities.
- Run structured demo scenarios: Give each vendor identical test scripts. Include a PEP match that requires clearance, a borderline document with quality issues, a KYB case with complex ultimate beneficial owner structures, and a re-screening event triggered by a change in customer status. Score each vendor using the same rubric. Do not let vendors choose their own demo scenarios.
- Negotiate contracts with compliance in mind: Contract terms should cover SLAs for uptime and support response, incident notification obligations, audit support commitments, subprocessor change control procedures, and a clear exit plan with data portability provisions. Evaluate UK pricing structures carefully to understand total cost of ownership, including manual review queues and re-verification costs.
What good looks like in practice
The best UK identity verification software for KYC/AML is the one that fits your risk-based approach, supports UK-appropriate checks (KYC and, where needed, KYB), and produces a complete, exportable audit trail for every decision.
Multi-layered verification combines more than one method (for example, document authenticity, biometrics, and database checks) to reduce fraud risk and improve confidence. Platforms that implement multi-layered verification alongside integrated screening reduce evidence gaps by keeping all data points within a single customer record. ID-Pal’s approach to KYC and AML compliance brings identity verification, screening, and case management into one workflow, which simplifies audit file generation and reduces the risk of evidence falling between systems.
The global KYC software market is projected to grow from $2.54 billion in 2026 to $30.85 billion by 2035, according to Business Research Insights. That growth reflects the increasing maturity and adoption of these tools across regulated sectors. The “best” identity verification software for UK organisations is not the most expensive or the most feature-rich. It is the tool that proves every step: who you checked, what you checked, what you decided, and why.
How long do you have to keep KYC records in the UK?
Under Regulation 40 of the Money Laundering Regulations 2017, relevant persons must keep CDD records for at least five years and must not keep them for more than ten years. The five-year clock starts at the end of a business relationship or the completion of a transaction. Your KYC software should have retention controls, searchable storage, and exportable audit files to evidence decisions throughout this window. Automated deletion workflows help you avoid exceeding the ten-year maximum, which is equally important under Regulation 40.
What is AML software?
AML software is a system that helps regulated firms automate and evidence customer due diligence (CDD), screening (sanctions/PEP/adverse media), risk assessment, ongoing monitoring, and record-keeping in line with AML laws and guidance. In practice, a good AML system should let you reconstruct any onboarding decision with time-stamped evidence and exports. Typical modules include identity verification, screening, risk scoring, case management, and reporting. Automation within these systems can reduce annual compliance costs, with KPMG noting average savings of 25%.
What is the difference between KYC and AML?
KYC is the identity and risk checking you do on customers, while AML is the wider programme that also includes ongoing monitoring, reporting, and governance. KYC is one component of AML. Your software should connect the identity checks at onboarding to the ongoing monitoring and record-keeping that AML obligations require throughout the customer relationship.
Do I need KYB features as well as KYC?
If you onboard business customers, you typically need KYB to verify the entity and identify beneficial owners and controllers. KYB becomes relevant whenever you deal with corporate accounts, complex ownership structures, partnerships, or trusts. The MLR 2017 requires you to understand who ultimately owns or controls a business customer, so your software should support corporate verification and ultimate beneficial owner identification.
What should I ask a KYC vendor about sanctions and PEP screening?
Ask which lists they use, how often they update them, how matching works (including fuzzy matching), and what evidence you can export to show clearance decisions. You should also ask about false positive management tools and ongoing re-screening capability. A vendor who cannot name their list sources or explain their matching algorithm is not giving you the transparency you need.
What evidence should KYC software produce for an audit?
At minimum, you should be able to export identity evidence, screening results, risk score and rationale, reviewer actions, and a time-stamped decision log. The obligation-to-capability table in this guide provides a complete mapping of MLR 2017 requirements to evidence outputs. A strong system will let you generate a single PDF case file per customer containing all of this information, ready for supervisor review.
Can automation reduce compliance costs?
Yes, industry research shows automation can reduce annual compliance costs, with KPMG citing average savings of 25%. These savings appear through reduced manual review volume, shorter decision times, and fewer rework loops caused by incomplete evidence capture. Automation does not replace human judgement. It handles the repetitive checks so your compliance team can focus on higher-risk decisions and complex cases.
If you want a walkthrough of what ‘audit-ready’ KYC outputs look like in practice, book a demo with ID-Pal to see multi-layered identity verification, AML screening, and exportable evidence in one workflow.