Edition #31 regtech

You Audit Your Customers. You Do Not Audit Your Stack. That Is the Gap Regulators Will Close Next.

Financial institutions subject customers to rigorous KYC — but the technology stack those institutions run on has never received equivalent scrutiny. A typical mid-stage fintech now runs across 15–40 third-party services touching regulated data and fund flows. Most have never been formally assessed for compliance risk. Know Your Vendor (KYV) is the compliance obligation that regulators will formalise next.

auditcompliancekyvvendor-riskai-governancemodel-riskregtechoutsourcingthird-party-risk

FinSaAIstra Intelligence | Compliance Series | May 2026

The Premise That No Longer Holds

The compliance architecture of financial services was built on a single premise: know your customer. Every obligation, every control, every attestation flows from the assumption that the regulated entity’s primary risk sits on the demand side of its business.

That premise was correct for its era. It is no longer sufficient for this one.

A typical mid-stage fintech now runs across fifteen to forty third-party services: cloud infrastructure, identity verification APIs, payment processing layers, AI-driven underwriting models, fraud detection engines, and a growing layer of generative AI services embedded in customer-facing workflows. Each of these vendors touches regulated data. Many touch fund flows. Most have never been formally assessed for compliance risk by the institutions that depend on them.

This is not a gap in execution. It is a gap in the compliance framework itself.

The Asymmetry at the Centre of Modern Compliance

KYC was designed for a world where the institution controlled its own infrastructure. The bank owned its servers, ran its own code, and employed the people who processed transactions. The compliance boundary and the technology boundary were the same line.

That line no longer exists.

When a fintech routes a payment through a third-party processor, verifies an identity through an external API, and scores credit risk through a vendor’s machine learning model, the compliance surface has expanded far beyond anything KYC was designed to cover. The institution remains liable for the regulatory outcome, but the technology stack that produces that outcome is distributed across dozens of independent companies, each with its own security posture, data handling practices, and jurisdictional exposure.

The compliance team that cannot audit this stack cannot attest to its own controls.

Know Your Vendor: The Missing Compliance Obligation

Know Your Vendor (KYV) is the compliance obligation to verify, monitor, and attest to the risk posture of every third-party service that touches a regulated institution’s infrastructure, data, or fund flows.

KYC tells you who your customer is. KYV tells you whether your stack is safe to serve them.

The distinction matters because vendors are not neutral infrastructure — they are compliance counterparties. When a KYC API provider suffers a data breach, the institution faces the regulatory consequence. When a cloud provider’s data residency practices conflict with local data protection law, the institution bears the liability. When an AI model embedded in an underwriting workflow produces discriminatory outcomes, the institution answers to the regulator.

The vendor’s failure becomes the institution’s compliance failure. This is already the regulatory position across multiple jurisdictions, even where the term KYV does not yet appear in formal guidance.

The Regulatory Signal Is Already Present

Data protection legislation and central bank outsourcing guidelines across the region already imply KYV obligations. They have not named it yet.

The pattern is consistent. Data protection frameworks hold data fiduciaries accountable for the actions of their data processors. Security obligations cascade through the processing chain. Penalties for vendor-side failures attach to the institution, not the vendor.

Central bank outsourcing directions have moved in the same direction. Board-level oversight of material outsourcing arrangements is now mandatory. Regulated entities remain fully responsible for the confidentiality, integrity, and availability of customer data, regardless of where the processing occurs. Existing IT outsourcing contracts are being given transition windows to align with new requirements, signalling that legacy vendor arrangements are no longer acceptable in their current form.

The obligations exist. The unified framework does not. That is where KYV sits.

Why AI Services Accelerate the Urgency

Traditional vendor relationships involved well-understood services with bounded compliance risks. An institution could assess a cloud provider’s security posture, review its certifications, and establish contractual controls with reasonable confidence.

AI vendors introduce a qualitatively different challenge. A generative AI model embedded in a customer service workflow may produce outputs that constitute regulated advice. An AI underwriting model may encode biases the institution has no visibility into. And the compliance-relevant behaviour of the vendor’s product may change without the institution’s knowledge, because model updates and retraining cycles can alter outputs without any change to the API contract.

The institution cannot audit what it cannot see. Global examination priorities for 2026 have explicitly flagged AI governance and vendor oversight as converging areas of regulatory focus. The timeline for KYV to become a formal obligation has compressed.

What a KYV Programme Looks Like

A mature KYV programme mirrors the structural rigour of a mature KYC programme, adapted for the vendor context. It operates across four layers:

  1. Vendor identification and risk classification — map every third-party service touching regulated data, fund flows, or customer-facing outputs
  2. Initial compliance-grade due diligence — assess each vendor’s security posture, data handling, jurisdictional exposure, and AI governance
  3. Continuous monitoring of vendor risk posture — not annual reviews, but real-time tracking of changes in vendor behaviour, ownership, and regulatory standing
  4. Attestation and reporting — audit-ready documentation of the vendor stack that can withstand regulatory scrutiny on demand

The institution that treats vendor onboarding as a procurement exercise rather than a compliance assessment is already behind. The one that reviews vendor risk annually rather than continuously is operating on assumptions that no longer hold.

The Closing Argument

The compliance industry spent three decades refining KYC. It built technology platforms, trained professionals, and created an entire ecosystem around the principle that you cannot serve a customer you have not verified.

The same principle applies to vendors. You cannot be compliant with a vendor you cannot audit.

KYV is the compliance obligation that regulators will formalise next. The institutions that build it now will define the standard. The ones that wait will inherit someone else’s framework, on someone else’s timeline, at a cost they did not plan for.