KYC has a reputation problem. Ask the people who actually run it inside large banks and the word that comes up again and again isn’t fraud, or regulation, or even AI — it’s friction. A panel featuring Marjoleine Appelboom, Regional Head of Financial Crime Prevention EMEA at ING, Ibrahim Nijad, Senior Risk Control Partner at Rabobank, Jörg Heidenreich, SVP Sales and Business Development at WebID Solutions, and Dhritiman Mukherjee, Managing Partner for Financial Services at DXC Technology, spent the session unpacking why know-your-customer processes remain so hard to get right, and where artificial intelligence genuinely changes the picture versus where it’s simply automation with better branding.
Why KYC Still Feels Broken
Appelboom set the tone early: KYC is time-consuming and, from a client’s perspective, adds little visible value. For a global bank like ING, the deeper issue is fragmentation — clients operating across multiple jurisdictions run into different regulatory requirements in each one, turning onboarding into a patchwork rather than a single coherent process. She pointed to the EU’s Anti-Money Laundering Regulation as a potential source of relief, since harmonizing requirements across Europe could ease some of that fragmentation, but the recurring complaint from clients is more specific than “this is annoying”: they want their data reused rather than re-collected every time, and they experience KYC as an opaque black box.
Nijad framed the shift differently. The challenge isn’t only fragmentation, it’s tempo. Onboarding and customer due diligence used to be point-in-time exercises; the direction now is toward something closer to continuous, real-time KYC, which raises its own question: is that actually an AI problem, or just an automation problem with AI layered on top? His answer was clear — it’s automation first, with AI folded in as a component, not a replacement for the underlying need to modernize how identity and risk get assessed continuously rather than at a single checkpoint.
Heidenreich brought a sharper, more commercial lens, recalling a moment when his own marketing team wanted WebID to position itself as a “love brand.” His response: that’s not the goal, because identity verification should function as a commodity — reliable, fast, and unremarkable. He used Germany’s live video identification requirement as an example of friction that exists for good reason but tests patience: a four-to-five-minute video call is not what customers want, yet it remains, in his data, the best-converting and least fraud-prone onboarding method available. His broader point was that every onboarding decision is really a risk decision, and the right balance depends on context — a low-risk account opening can tolerate a fully automated path, while a hundred-thousand-currency-unit mortgage application may justify the heavier, human-verified route. He also flagged a structural condition often skipped over: AI only helps once your underlying data is genuinely structured. WebID’s own scale, with millions of stored identities and hundreds of millions of data points, is what makes machine learning over behavioral patterns useful at all; without that foundation, leaning on AI is premature.
Where AI Actually Earns Its Place
Mukherjee offered the panel’s most structured walkthrough of where generative and agentic AI fit into financial crime work, tracing a clear evolution. Early generative AI use cases, several years back, were elemental: helping a compliance officer pull information from multiple systems, or drafting a first version of a Suspicious Activity Report. He cited a striking statistic — aggregated across UK banks, SAR report creation was estimated at roughly a million person-hours a year — to illustrate why even modest efficiency gains in that single task matter enormously at scale.
The frontier now, in his view, has moved to agentic solutions tackling more complex problems. Perpetual KYC is one: rather than waiting for a scheduled review, an agent can flag a triggering event, after which other agents gather the necessary information from internal and external sources to complete the reassessment. A second example came from his own prior experience trying to build a consortium for regulatory horizon-scanning — tracking new and changing regulation, running impact analysis, and feeding that analysis back into bank policy and process. That effort didn’t get off the ground previously, but he argued agentic AI now makes a genuine horizon-scanning-and-policy-
The moderator’s response captured a tension that ran through the room: reducing false positives is good, but the same systems risk quietly reducing true positives too — the scenario where AI gets more efficient at clearing cases without anyone noticing it’s also getting worse at catching the right ones, which is precisely why the human-in-the-loop isn’t optional.
Nijad widened the lens beyond any single institution, noting that financial crime is itself becoming AI-enabled — bad actors are using the same tools to attempt to penetrate systems, which is part of why a human-only approach can’t keep pace. He pushed back on framing AI purely as a threat to oversight, calling it instead a “pro-human” tool: one that compresses detection time, helps models stay current against geopolitical shifts and emerging fraud patterns, and addresses the real risk of model drift, where a system trained in 2023 simply isn’t tuned for the conditions of 2026 unless it’s continuously retrained.
Appelboom described ING’s own trajectory: starting a few years ago with generative AI handling the least popular parts of analysts’ work — data gathering, document collection — and now expanding into agent-built policy checks initiated by teams across EMEA. The current frontier for ING is using agentic AI to support risk assessments and decision-making, while being explicit that this covers parts of the process, not the end-to-end journey, and that human oversight and a control framework remain essential. She was candid that the bank is still on a learning journey alongside its regulators and stakeholders, with no pretense that the path is fully mapped yet.
The People Question
The conversation’s most pointed moment came when the moderator raised recent public commentary about compliance headcount reduction through AI efficiency — and asked, bluntly, how banks keep large compliance workforces motivated and engaged when the public narrative suggests they’re being automated out of relevance.
Appelboom didn’t deflect. With thousands of people doing KYC work globally, she argued banks have an obligation to those employees built over decades of service, and that the right framing is role evolution, not replacement. She pointed to ING’s “AI for All” training initiative as a concrete example of trying to help staff understand what AI actually is and how to work alongside it, rather than leaving them to discover their own redundancy.
Nijad connected this to psychological safety, arguing that AI replaces people only if those people don’t invest in adding value to their own role. His framing was pointed: don’t be the professional who doesn’t keep pace and ends up sidelined; instead, treat responsible AI use — aligned with GDPR, DORA, and other governance frameworks — as a way to reclaim time previously lost to manual work and redirect it toward higher-value contributions. Used well, he argued, it becomes a basis for advancement rather than a threat to job security.
Mukherjee offered a historical analogy: a roughly 120-year-old newspaper story he’d read warned of a “bloodbath” in employment as automobiles threatened to wipe out the entire horse-drawn carriage industry — carriage makers, grooms, fodder suppliers. The actual outcome was the opposite: the number of jobs multiplied many times over once the automotive industry matured. His forecast for compliance roles followed the same logic — the jobs themselves will change, some will disappear, but new ones will emerge, and the better posture is treating this as retooling rather than as an existential threat.
Regulation: Brake or Guardrail?
Asked whether regulation is slowing AI adoption or enabling it safely, Nijad argued firmly for the latter. Without regulatory guardrails, he suggested, the absence of rules would effectively normalize bad behavior at scale. He acknowledged that financial AI regulation is genuinely young and still maturing — frameworks dated to 2023, 2024, and 2025 are still being refined as both regulators and institutions learn what actually works, in contrast to more settled standards like ISO 27001 for security, which now has an AI governance counterpart in ISO 42001. He also raised a competitive concern: the relative absence of major European large language models, which he linked partly to the weight of regulation in the region, arguing that regulators need to be partners in enabling innovation, not just enforcers of constraint, if European institutions are going to compete globally.
The moderator added a geopolitical dimension: regulatory harmonization within Europe, through frameworks like AMLA and AMLR, helps build something sustainable, but divergence between European and US regulatory regimes creates uneven competitive conditions that the industry isn’t yet fully comfortable navigating.
A question from the audience pressed further on whether banks are actually resourcing explainability and fairness requirements proportionately, or simply paying lip service to them. Mukherjee’s answer was candid: based on what he sees across clients, there is currently a gap between what the EU AI Act and adjacent regulations demand and the actual investment in budget and resourcing to meet those demands — though he noted the gap is narrowing, partly because continued inaction is no longer a viable option.
Closing Takeaways
Asked for one key takeaway each, the panel’s answers converged on a similar theme from different angles.
Heidenreich offered a grounding reality check from the fraud side: roughly 90 percent of WebID’s fraud cases currently involve social engineering rather than deepfake video, suggesting that while AI-generated fraud is a real future concern, today’s actual threat landscape is still dominated by older tactics — a reminder not to over-rotate toward the most novel risk at the expense of the most common one.
Appelboom’s takeaway was structural rather than technological: AI alone won’t fix KYC, because layering it onto processes that are already inefficient or client-unfriendly just scales the inefficiency. Her argument was that banks need to redesign the underlying process around a genuine risk-based approach before AI can deliver its full value — simplification has to come before automation, not after.
Nijad added standardization as a companion principle, cautioning against every institution reinventing its own approach to the same problem, and reframed the man-versus-machine question entirely: the goal isn’t humans against AI, but humans plus AI against the problem, with AI positioned as a partner rather than a replacement.
Mukherjee closed with an operational observation: the major AI-relevant regulations — the EU AI Act, model risk management requirements, DORA, and GDPR — overlap substantially, and he’s seen institutions inadvertently duplicate compliance effort by treating each framework in isolation rather than building one holistic strategy that satisfies all of them efficiently.
The moderator’s own closing reflection tied the threads together: for all the discussion of agents, automation, and AI-driven efficiency, people remain central to the picture — not as an obstacle to be managed around, but as the workforce whose skills, trust, and judgment the entire system still depends on.


