Hero background
Compliance Updates18 min read

KYC for Lenders: Trends, Challenges, and What 2026 Demands

By Michael Dunleavey
July 10, 2026Updated July 10, 2026
aml kyc requirementscustomer due diligence requirementsidentity verification for lenders
KYC for lenders compliance framework showing customer identification due diligence transaction monitoring and 2026 regulatory demands

KYC Has Never Been More Operationally Demanding — or More Consequential

Know Your Customer compliance has been a foundational requirement for financial institutions for decades. But the version of KYC that lenders are managing in 2026 looks significantly different from the one that existed five years ago — and the gap between a compliant KYC program and an exposed one has never been wider.

The pressures are converging from multiple directions simultaneously. The May 2026 Executive Order on financial system integrity is driving new suspicious activity red-flag guidance, proposed BSA customer due diligence amendments, and potential changes to Customer Identification Program rules for foreign identity documents — all on an accelerated 60- to 180-day agency action timeline. State attorneys general are expanding enforcement into areas where federal oversight has narrowed. AI-generated synthetic identities are outpacing traditional verification methods. And a 2025 Celent study found that 93% of lenders now believe fraud losses are directly embedded in their credit portfolios, with 61% identifying synthetic identity fraud as the fastest-growing threat.

For KYC, this environment demands more than policy updates. It demands operational infrastructure that connects customer identification, due diligence, transaction monitoring, and compliance documentation in a single, auditable workflow — and that can adapt as guidance evolves across multiple agency actions in real time. Lenders using Salesforce-native compliance tools can build that infrastructure around the platform they already operate from, rather than layering additional systems on top of a fragmented technology stack. If you are evaluating whether your current KYC program is built for what 2026 actually requires, a compliance discussion is the right place to start.

KYC Defined: What the Obligation Actually Covers for Lenders

Know Your Customer is the process by which financial institutions verify customer identities, assess the risk each customer presents, and monitor the relationship on an ongoing basis for activity inconsistent with the customer's stated profile. The regulatory framework is built on three interlocking obligations: Customer Identification Program (CIP), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) for higher-risk relationships.

Customer Identification Program (CIP) — codified at 31 C.F.R. § 1020.220 and implemented under the Bank Secrecy Act — requires covered financial institutions to collect and verify specific identity information at account opening: name, date of birth, address, and an identification number (SSN, EIN, or — for non-U.S. persons — a passport number or other government-issued document number). The verification must be conducted before or promptly after account opening, using documentary or non-documentary methods, and must be documented in a way that can be produced during a regulatory examination.

Customer Due Diligence (CDD) — codified at 31 C.F.R. § 1010.230 — requires covered institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile, and to maintain and update that profile on an ongoing basis. For legal entity customers, CDD also requires the identification and verification of beneficial owners — individuals who own 25% or more of the entity, plus one individual with significant responsibility for managing or directing the entity.

Enhanced Due Diligence (EDD) applies to higher-risk customers — politically exposed persons, customers in high-risk jurisdictions, those whose transaction patterns are inconsistent with their stated purpose, and others — and requires additional verification, deeper understanding of the source of funds, and more frequent ongoing monitoring.

In the lending context, KYC obligations attach at account opening and extend through the full life of the lending relationship. A commercial borrower who was low-risk at origination can become higher-risk through changes in ownership, business activity, or transaction behavior. A KYC program that treats identity verification as a one-time event at origination — rather than an ongoing relationship management function — is not compliant with current BSA expectations.

So what does this mean for your institution? KYC is not a pre-closing checklist. It is a continuous operational function that requires your loan management platform to capture identity information at origination, update risk profiles as customer circumstances change, and flag transaction patterns that are inconsistent with the customer's established profile — all in a way that produces the documentation trail examiners expect to find.

Diagram showing KYC three-pillar framework of CIP, CDD, and Enhanced Due Diligence obligations for lenders under BSA compliance

KYC rests on three obligations — Customer Identification, Customer Due Diligence, and Enhanced Due Diligence — each documented at the account level.

AML Defined: Where KYC Data Becomes Compliance Action

Anti-Money Laundering compliance is the operational layer that sits on top of KYC — using the customer identity and risk profile information that KYC produces to detect, investigate, and report suspicious financial activity. The two frameworks are inseparable in practice: a KYC program without an AML transaction monitoring function has incomplete compliance coverage, and an AML monitoring program without accurate KYC data produces excessive false positives and misses real risks.

The core AML compliance obligations for lenders:

Under the Bank Secrecy Act (31 U.S.C. §§ 5311 et seq.) and FinCEN's implementing regulations, covered financial institutions must maintain a written AML program with four mandatory elements: internal policies, procedures, and controls; designation of a compliance officer; ongoing employee training; and independent audit of the AML program.

Within that program, the specific functional requirements include:

AML FunctionRegulatory BasisOperational Requirement
Currency Transaction Reports (CTRs)31 C.F.R. § 1010.311File within 15 days for cash transactions over $10,000
Suspicious Activity Reports (SARs)31 C.F.R. § 1020.320File within 30 days of detection of suspicious activity; 60 days if no identified suspect
Transaction monitoringBSA / FinCEN AML program requirementsOngoing monitoring for patterns inconsistent with customer risk profile
Recordkeeping31 C.F.R. §§ 1010.400–1010.430Minimum 5-year retention for most BSA records
OFAC screeningExecutive Order 13224 and OFAC regulationsScreen customers and transactions against SDN and other OFAC lists
Customer risk ratingFinCEN CDD RuleAssign and maintain risk ratings informed by customer profile and transaction behavior

The AML risk landscape in 2026 is materially more complex than the one that existed when most lenders last rebuilt their AML programs. Generative AI tools are enabling fraudsters to create synthetic identities that clear traditional CIP checks. Application stacking — submitting simultaneous loan applications across multiple lenders — is exploiting the fact that each lender's monitoring is limited to its own portfolio. And the May 2026 Executive Order's red-flag advisory is expected to add specific SAR escalation criteria for payroll structuring, ITIN-based account risk, and labor trafficking-related financial flows.

Understanding AML KYC requirements and how they are evolving under the 2026 regulatory framework is essential context for any institution that has not reviewed its AML program in light of the Executive Order's agency action timeline.

So what does this mean for your institution? AML compliance in 2026 is not the same program that passed your last examination. The tools fraudsters are using, the red flags regulators expect you to monitor for, and the documentation standard examiners apply to SAR investigations have all shifted. An AML program calibrated to prior-cycle expectations is carrying exposure that a current-cycle examination will find.

Ten KYC Trends and Challenges Every Lender Must Address

The KYC landscape in 2026 is being shaped by ten intersecting developments. Each one represents both an operational challenge and a compliance obligation that lenders cannot defer.

1. Digital Onboarding and Remote Identity Verification

The majority of loan applications now begin digitally, and many borrowers expect to complete the full KYC verification process without ever visiting a branch. This creates both an opportunity — faster onboarding and wider geographic reach — and a verification challenge. Remote identity verification must produce the same documentation and reliability standard as in-person verification under CIP rules, while also contending with AI-generated identity documents, deepfake biometrics, and synthetic identity constructions that did not exist at the previous scale even three years ago.

Lenders implementing digital onboarding must ensure that their verification methodology — whether documentary or non-documentary — is described in their written CIP, that verification results are documented at the time of account opening, and that the method used is capable of distinguishing between real and AI-generated identity documents.

2. Risk-Based CDD and Customer Segmentation

Regulators and supervisory guidance consistently expect lenders to take a risk-based approach to CDD — focusing enhanced diligence resources on higher-risk customers rather than applying a uniform standard across all relationships. In practice, this requires a customer risk rating methodology that is documented, consistently applied, and capable of producing an updated risk rating when customer circumstances or transaction behavior changes.

The risk-based approach is not a justification for lighter treatment of lower-risk customers — it is a framework for demonstrating that enhanced resources are deployed appropriately. A risk-rating methodology that is not documented, not consistently applied, or not updated when customer profiles change fails the risk-based standard regardless of how thorough the initial onboarding process was.

3. Beneficial Ownership Verification for Legal Entity Borrowers

FinCEN's CDD Rule requires covered institutions to identify and verify beneficial owners of legal entity customers — individuals owning 25% or more of the entity, plus one control person. For commercial lenders, this means that every new business loan origination must include a beneficial ownership certification and verification process, documented in the loan file.

The proposed BSA CDD amendments expected from the May 2026 Executive Order may expand what is required beyond the current 25% threshold and may add immigration-related due diligence elements for certain customer risk profiles. Lenders whose beneficial ownership workflows are configured in their loan management system — rather than collected on paper forms and filed manually — will be able to adapt those workflows as the proposed rule is finalized.

4. Ongoing Monitoring and Periodic Review

KYC is not complete at onboarding. BSA expectations require ongoing monitoring of customer relationships to detect changes in risk profile, transaction patterns inconsistent with the customer's stated purpose, and indicators of potential money laundering or fraud. For commercial borrowers, this includes periodic review of business financials, ownership structure changes, and transaction activity.

In practice, ongoing monitoring is the most difficult KYC function to operationalize at scale because it requires the loan management system to surface the right signal at the right time — flagging an account for review when transaction patterns shift, not waiting for a scheduled annual review cycle that may arrive six months after the signal appeared.

5. Cross-Border Customer Complexity

Lenders with borrowers in multiple states or with international business relationships face layered KYC obligations. Different states impose different requirements on top of the federal BSA baseline. OFAC sanctions screening must cover not only direct customers but also beneficial owners and counterparties in transactions. Correspondent banking relationships require additional due diligence under FinCEN's correspondent account rules.

The May 2026 Executive Order's expected CIP amendments — addressing acceptable identification for non-U.S. citizen customers, including changes to the treatment of foreign consular ID cards — will add another layer of complexity for lenders serving immigrant communities or international business borrowers. Compliance programs built on paper-based, manual CIP procedures are particularly exposed to these changes because they cannot be updated systematically.

6. Privacy, Data Governance, and PII Management

KYC requires the collection, storage, and periodic review of sensitive personally identifiable information — government-issued ID numbers, dates of birth, addresses, financial records, and, potentially, immigration documentation. Each of these data elements is subject to privacy and data protection obligations under GLBA, state privacy laws, and, for certain customer populations, additional federal requirements.

For lenders using AI-assisted identity verification tools, data governance obligations extend to how the AI model processes, stores, and potentially uses customer data for training. Ensuring that vendor agreements govern data retention, data use for model training, and consumer notification is not optional — it is part of the third-party risk management framework that BSA program requirements encompass.

7. Synthetic Identity Fraud and AI-Enhanced Threats

Synthetic identity fraud — constructing a new identity using a combination of real and fabricated information — has become the fastest-growing fraud type in lending, identified by 61% of lenders in a 2026 Celent study as their top fraud concern. AI tools are enabling fraudsters to generate supporting documentation — government IDs, pay stubs, bank statements — that passes traditional documentary verification checks.

This trend directly undermines the reliability of documentary verification methods under CIP. Lenders who depend primarily on document review for identity verification without supplementing it with non-documentary verification methods — credit history checks, database verification, behavioral analytics — are running a CIP program that fraudsters have already learned to circumvent.

8. Emerging Technology Adoption and Validation

AI, machine learning, and biometric identity verification technologies offer genuine improvements in KYC efficiency and accuracy. But they also require validation before deployment and ongoing monitoring after deployment — the same model risk management framework that the OCC/FRB/FDIC Supervisory Guidance on Model Risk Management (amended April 2026) expects for any model used in consequential financial decisions.

Lenders deploying AI-assisted KYC tools must document how the model was validated, what its false positive and false negative rates are, how it performs across different customer demographic groups (fair lending analysis), and how often it is reviewed and updated. A KYC tool that is commercially available and widely used is not exempt from the validation requirement — it is the lender's responsibility, not the vendor's.

9. Regulatory Change Management

KYC and AML regulations are not static. FinCEN has issued multiple rounds of CDD guidance, the May 2026 Executive Order is driving proposed rule amendments across CIP, CDD, and SAR standards, and state-level requirements continue to evolve independently of the federal framework. A KYC compliance program built around a fixed set of procedures is structurally incapable of keeping pace with this environment.

Effective regulatory change management requires a documented process for monitoring new guidance and proposed rules, assessing their impact on current procedures, updating those procedures before the effective date, and training staff on the changes. For lenders whose compliance workflows are embedded in their loan management platform, regulatory updates can be reflected in workflow configuration — making the change systematic rather than dependent on staff remembering to do something differently.

10. Customer Experience and Compliance Balance

Robust KYC creates friction. Collecting identity documentation, verifying beneficial ownership, risk-rating customers, and periodically requesting updated information all add steps to the customer relationship. The challenge is making that friction proportionate to the risk — applying enhanced procedures where the risk justifies them, and keeping the experience streamlined for lower-risk customers who should not bear the burden of a one-size-fits-all verification process.

The lenders who manage this balance most effectively are those whose KYC workflows are configured to apply the right procedure to the right customer automatically — based on the customer's risk profile — rather than applying maximum friction to everyone or minimum friction to everyone.

So what does this mean for your institution? These ten trends are not independent challenges. They intersect operationally: digital onboarding affects how CIP documentation is collected; risk-based CDD affects what documents are required; synthetic identity threats affect the reliability of those documents; and regulatory change management affects how all of the above must adapt. A compliance program that addresses each challenge in isolation — with separate procedures, separate systems, and separate documentation — is harder to examine, harder to update, and harder to defend than one that runs through a single, coherent workflow.

KYC trends and challenges diagram for lenders showing digital onboarding, beneficial ownership, synthetic fraud, and 2026 regulatory demands

Ten intersecting KYC pressures — from digital onboarding to synthetic identity fraud — that every lender's 2026 compliance program must address.

Why LASER for KYC and AML Compliance on Salesforce

KYC compliance for lenders is an operational function as much as a legal one. What matters is not only whether your policies describe the right procedures — it is whether your loan management platform enforces those procedures consistently, documents the results automatically, and produces the audit trail that examiners expect to find at the account level.

Salesforce-native credit access, built-in compliance, and decisioning — unified in a single app, ready from day one.

LASER Credit Access is built natively inside Salesforce, connecting lenders to Equifax, Experian, and TransUnion for the credit bureau access that supports both CIP non-documentary verification and ongoing customer risk monitoring. The COMPLY pillar provides the built-in compliance workflow infrastructure — permissible purpose documentation, identity verification event logging, adverse action notice triggers, and FCRA audit trail — as a natural output of the origination and servicing workflow, not a parallel compliance system that must be reconciled manually.

For lenders building or updating their KYC programs in response to the 2026 regulatory environment, LASER's native Salesforce architecture means that workflow updates — changes to CIP verification procedures, new EDD triggers, updated beneficial ownership documentation requirements — can be reflected in platform configuration rather than requiring a system rebuild. When the May 2026 Executive Order's proposed CDD rule amendments are finalized, lenders on LASER adapt through configuration, not crisis response.

The federal AML and KYC requirements that create pre-account-opening verification obligations are the baseline from which the 2026 regulatory changes are building. Understanding where your institution stands against that baseline is the starting point for assessing what the proposed amendments will require.

Explore LASER's built-in KYC and AML compliance tools for lenders on Salesforce and Salesforce-native credit bureau access supporting lender identity verification and KYC workflows to see how the platform enforces these controls as part of the everyday origination workflow.

Building a KYC Program That Can Adapt: Practical Steps for 2026

1. Document your CIP methodology explicitly. Your written CIP must describe the specific verification method — documentary, non-documentary, or both — used for each customer type. For digital onboarding channels, confirm that the method described can detect AI-generated identity documents and synthetic identity constructions, not only traditional forgeries.

2. Implement and document customer risk rating. Every covered customer should have a documented risk rating, based on defined criteria, that is applied consistently. The rating should be updated when ownership changes, transaction patterns shift, or new information is received. Risk rating that exists in a spreadsheet or individual underwriter judgment — rather than in your loan management system — cannot be consistently applied or consistently examined.

3. Configure EDD triggers for higher-risk customer segments. Politically exposed persons, customers in high-risk jurisdictions, ITIN account holders, and customers whose transaction patterns are inconsistent with their stated purpose should trigger documented EDD procedures automatically in your compliance workflow — not only when a compliance officer manually identifies the need.

4. Review your SAR escalation procedures against the May 2026 Executive Order's red-flag categories. Before the Treasury advisory is published, assess whether your current transaction monitoring rules would detect the six identified risk categories: payroll-related structuring, shell and nominee account structures, ITIN account risk, off-the-books P2P payment patterns, labor trafficking indicators, and beneficial ownership concealment. Document the assessment.

5. Build a regulatory change monitoring function. Assign responsibility for tracking proposed rulemaking in the BSA/CDD space, assessing impact on current procedures, and updating workflows before effective dates. The proposed CDD rule amendments from the May 2026 Executive Order will go through notice-and-comment rulemaking — the comment period is the window for assessing impact, not the effective date.

So what does this mean for your institution? How proper KYC timing strengthens compliance and prevents identity fraud is directly relevant to every step of this list: KYC controls applied at the right point in the customer relationship — not retrofitted after origination — are both more effective and more defensible in examination. The operational question is whether your platform enforces that timing automatically or relies on individual compliance staff to remember it.

Abstract illustration guiding lenders toward Salesforce-native KYC and AML compliance tools and compliance discussion next steps

KYC, AML, and identity verification unified in one Salesforce-native workflow — enforced at the right point in every customer relationship.

Ready to Build KYC Compliance Into Your Salesforce Lending Workflow?

KYC for lenders in 2026 is not a compliance checkbox. It is a continuous operational function that requires your platform to enforce the right procedure at the right point in the customer relationship — automatically, consistently, and with a documentation trail that holds up under examination. The institutions best positioned to manage what the current regulatory environment is building toward are those whose KYC and AML workflows are embedded in the same platform they use to originate and service loans.

LASER Credit Access delivers Salesforce-native credit bureau access, built-in compliance workflow, and identity verification support in a single application. If your institution needs to assess its KYC readiness against the current regulatory environment — or needs to close gaps in CIP documentation, beneficial ownership verification, or transaction monitoring configuration — a compliance discussion is the right starting point.

Schedule a Compliance Discussion

Frequently Asked Questions

What is the difference between KYC and AML, and do lenders need both?

KYC — Know Your Customer — is the customer identification, verification, and risk assessment process. AML — Anti-Money Laundering — is the transaction monitoring, suspicious activity reporting, and ongoing oversight function that uses KYC data to detect and report illicit financial activity. The two are distinct but inseparable: KYC provides the customer profile that AML monitoring compares activity against, and AML monitoring surfaces the customer behavior that may require KYC to be updated. Every covered financial institution needs both — a KYC program without AML monitoring has no mechanism for detecting problems after onboarding, and an AML monitoring program without accurate KYC data cannot distinguish normal from suspicious activity for a given customer.

Which lenders are subject to BSA KYC and AML requirements?

The BSA's AML program requirements apply to a broad range of financial institutions — banks, savings associations, credit unions, trust companies, and certain non-bank financial institutions including mortgage companies, money services businesses, and broker-dealers. The specific requirements applicable to each institution type vary based on their regulatory charter and the nature of their activities. Non-bank lenders — including mortgage companies, auto finance companies, and consumer finance companies — are subject to BSA requirements through FinCEN's regulatory framework for non-bank financial institutions. Lenders should confirm with legal counsel which specific BSA program requirements apply to their institution type and lending activities.

How does synthetic identity fraud affect KYC compliance obligations?

Synthetic identity fraud — using a combination of real and fabricated information to construct a false identity — directly undermines the reliability of documentary CIP verification. When a fraudster presents a government-issued ID that has been AI-generated or legitimately associated with a manufactured credit profile, traditional document review may pass the verification. This does not relieve the lender of its CIP obligation — it raises the standard for what a reasonable verification methodology must include. Lenders whose CIP relies primarily on document review should assess whether supplementing with non-documentary verification methods (credit history checks, database comparison, behavioral analytics) is necessary to maintain a defensible verification standard against current fraud techniques.

What documentation should be maintained at the account level to support a KYC examination?

At minimum, the account-level KYC file should contain: the customer identification information collected at onboarding (name, address, DOB, identification number); the verification method used and the result (for documentary verification, a description of the document; for non-documentary, the method and information used); the customer risk rating and the criteria applied; beneficial ownership certification and verification for legal entity customers; any EDD documentation for higher-risk customers; records of ongoing monitoring reviews and the results; and any SAR-related documentation (note: the fact that a SAR was filed is confidential under 31 U.S.C. § 5318(g)(2) and should not be disclosed to the subject of the report). BSA recordkeeping requirements generally require a minimum five-year retention period for CIP and CDD records.

How will the May 2026 Executive Order change what our KYC program must do?

The Executive Order does not immediately amend BSA or CIP regulations. It directs agency action on an accelerated timeline — the Treasury's red-flag advisory (60 days), BSA CDD proposed rule (90 days), and CIP amendments for foreign consular ID cards (180 days). Each of these agency actions may produce new guidance or proposed rules that affect your KYC program. The appropriate response now is assessment — reviewing your current CIP verification methodology, beneficial ownership procedures, ITIN account practices, and transaction monitoring configurations against the risk categories the Order identifies — so that you can adapt quickly when guidance is published rather than discovering gaps during an examination.

Michael Dunleavey

Founder — LASER Credit Access

Michael Dunleavey brings over 15 years of experience in credit infrastructure and lending compliance, helping financial institutions streamline operations on Salesforce.

Ready to Transform Your Credit Operations?

Discover how LASER Credit Access streamlines compliance and decisioning natively inside Salesforce — unified in a single app, ready from day one.