KYC and eIDV FAQ: 35 answers to your essential questions in 2026
Category 1: Definitions and concepts
What is KYC (Know Your Customer)?
KYC (Know Your Customer) is a regulatory framework that requires financial institutions and regulated businesses to identify, verify and monitor their customers throughout the business relationship. It rests on four pillars: identification, verification, risk assessment (CDD/EDD — standard and enhanced due diligence) and ongoing monitoring. In France, this framework is set out in the Monetary and Financial Code, supervised by the ACPR (the French prudential supervisor), and feeds the suspicious activity reports transmitted to Tracfin. KYC is not a product — it is a process that mobilizes compliance, operations, audit and IT.
What is eIDV (electronic identity verification)?
eIDV (Electronic Identity Verification) is a technology that confirms, within seconds via an API call, that a user is indeed the person they claim to be at a given moment. Three families coexist: document verification (OCR on an identity document), biometric verification (facial recognition with liveness check) and verification by transactional data (sources drawn from the real traces of an individual's life). eIDV is framed by the European eIDAS 2.0 regulation (electronic IDentification, Authentication and trust Services) and is one of the technical building blocks of KYC.
What is the difference between KYC and eIDV?
KYC is an overarching regulatory framework that covers the entire customer lifecycle. eIDV is one of its point-in-time technical building blocks: an API call that confirms an identity at time T. The two do not compete: eIDV is a complement that fits inside KYC as a verification method, never as a replacement. A complete KYC framework adds PEP screening (politically exposed persons), sanctions checks, risk assessment, transaction monitoring and regulatory reporting. For more depth, see our detailed KYC vs eIDV comparison.
What is AML/CFT?
AML/CFT (anti-money-laundering and counter-financing of terrorism) brings together all the regulatory obligations aimed at preventing the use of the financial system for criminal purposes. It is based on the recommendations of the FATF (Financial Action Task Force), transposed into European law via the AMLD directives (Anti-Money Laundering Directive). The latest, AMLD6 (the 6th anti-money-laundering directive), was finalized in June 2025. In France, the framework is steered by the ACPR, the AMF (the French financial markets authority) and Tracfin. KYC is its central operational tool.
What is enhanced due diligence (EDD)?
Enhanced due diligence (EDD) applies to high-risk customers: politically exposed persons (PEPs), residents of non-cooperative jurisdictions, atypical transactional patterns, high-value operations. It requires additional information collection (source of funds, proof of wealth), hierarchical approval before entering into the relationship and close ongoing monitoring. It complements standard due diligence, applicable by default, and simplified due diligence, reserved for low-risk profiles. The risk-based approach is laid out in the FATF recommendations.
What is KYB (Know Your Business)?
KYB (Know Your Business — business client verification) is the equivalent of KYC applied to legal entities. It identifies the company (registered name, registration, status), its directors, its beneficial owners (threshold of more than 25% of capital or voting rights) and its business context. It relies on official registers (RCS, RBE in France, Companies House in the UK, international equivalents) along with sanctions and PEP screening applied to directors and beneficial owners. KYB is mandatory for any B2B relationship entered into by AML/CFT-regulated actors.
Category 2: Regulatory obligations
Who is subject to KYC obligations?
All AML/CFT-regulated actors listed in Article L561-2 of the French Monetary and Financial Code are subject to KYC: banks, payment institutions and electronic money institutions, insurers, mutuals, asset management firms, investment advisors, PSAN entities (French digital asset service providers), notaries, lawyers on certain operations, real estate agents above thresholds, art dealers and antique dealers, casinos. The AMLD6 transposition has extended the scope to CASPs (Crypto-Asset Service Providers) under the MiCA regime (Markets in Crypto-Assets, the EU regulation on crypto markets) since 2024.
What thresholds trigger KYC?
Thresholds depend on the sector and the type of operation. In real estate, agents apply KYC from initial contact for operations above €10,000. For occasional payments outside a business relationship, the threshold is €15,000 (€8,000 for crypto operations). For MiCA CASPs, the obligation applies from account opening. Banks and regulated fintechs apply systematic onboarding KYC, with no threshold. For the full list, see our article KYC mandatory in 2026.
What are the sanctions for AML/CFT breaches?
AML/CFT sanctions in France can reach 5% of turnover or €100 million, whichever is higher, issued by the sanctions commission of the ACPR or the AMF. The AMLR6 regulation (Anti-Money Laundering Regulation, the directly applicable counterpart of AMLD6) now harmonizes ceilings at the European level with a maximum of 10% of consolidated turnover. Criminal risk (up to 10 years' imprisonment for aggravated laundering), license withdrawal risk and major reputational risk are added on top. Sanctions can be published (name and shame).
Is KYC compatible with the GDPR?
Yes, but reconciling the two requires particular rigor. GDPR (General Data Protection Regulation, the EU's personal-data law) requires data minimization and an explicit purpose. KYC, by contrast, requires extensive collection (identity document, supporting documents, transactional data). Compatibility relies on the legal-obligation basis (Article 6.1.c of the GDPR), a retention period aligned with the 5 years post-relationship imposed by the Monetary and Financial Code, and transparent client information. The CNIL publishes sector-specific frameworks that secure this balance.
How do you reconcile KYC and GDPR in practice?
In practice, reconciling the two rests on four principles. First, identify the relevant GDPR legal basis (legal obligation for AML/CFT, legitimate interest for anti-fraud). Second, document differentiated retention periods (5 years for AML/CFT, shorter for marketing). Third, frame transfers outside the EU with standard contractual clauses or binding corporate rules. Fourth, allow the exercise of GDPR rights (access, rectification) without compromising the confidentiality of suspicious activity reports, which remain secret vis-à-vis the client concerned.
What is a politically exposed person (PEP)?
A PEP (Politically Exposed Person) is a person holding or having held an important political, judicial or administrative function (head of state, minister, parliamentarian, supreme magistrate, leader of a public company, ambassador). PEP status extends to direct family members (spouse, children, parents) and close associates. A business relationship with a PEP automatically triggers enhanced due diligence (EDD), hierarchical approval and close monitoring of transactions. PEP status persists 12 months after leaving the function, sometimes longer depending on the risk profile.
Category 3: Costs and ROI
How much does a KYC solution cost?
The cost of a KYC solution varies from a few thousand euros for a regulated SME up to several million euros annually for a universal bank. Three major cost items make up the TCO (Total Cost of Ownership): technology (eIDV, sanctions/PEP screening, transaction monitoring, KYC refresh), human resources (compliance, operations, audit teams) and indirect costs (audit, training, regulatory updates). For a detailed benchmark by company size and sector, see our article cost of a KYC solution.
What is the ROI of eIDV?
The ROI of eIDV is measurable and significant. In one online-bank client case supported by Euroleads, covering 60,000 yearly onboardings, the abandonment rate fell from 25% to 5%, generating an ROI of 220:1 over the contract duration. The levers: reduced onboarding churn, lower support costs, incremental acquisition of prospects previously filtered out by document friction, and fraud reduction. eIDV by transactional data reduces user friction without degrading compliance.
Pay-per-call or flat fee: which pricing model should you choose?
Pay-per-call (usage-based billing) charges for each eIDV verification individually, typically between €0.30 and €2.00 depending on the eIDAS assurance level targeted and the sources mobilized (verified transactions, government, telecoms, media). It is suited to variable or low volumes, and to pilots. The monthly or annual flat fee includes a pre-purchased volume with a reduced marginal cost, and is suited to stable and high volumes (beyond a few tens of thousands of monthly verifications). We support the transition from pay-per-call to flat fee as soon as your volume justifies an economic switch.
How much does a KYC audit cost?
An external KYC audit costs between €15,000 and €80,000 depending on the scope (audit targeted on one framework vs. full audit of multiple entities), the size of the organization and the depth of testing (document review, file sampling, intrusion testing on processes). ACPR regulatory audits are free for the audited company, but they often trigger costly remediation plans. Investing in an annual preventive audit remains far more economical than a post-sanction remediation.
How can I reduce the cost of my KYC framework?
There are three main levers. First, automation through eIDV on standard profiles, which reduces the marginal cost of an onboarding from several euros to a few tens of cents. Second, pooling of screening and monitoring tools between entities of the same group, which dilutes fixed costs. Third, a rigorously applied risk-based approach, which concentrates human resources on high-value files (EDD, complex alerts) and frees up the processing of standard profiles. Well-sized initial scoping avoids costly subsequent remediation.
Category 4: Implementation
How do you integrate an eIDV API?
Integrating an eIDV API follows a five-step path. Step 1: scoping of the use cases (onboarding, sensitive transaction, refresh) and choice of the eIDAS assurance level targeted (substantial or high). Step 2: technical integration via REST/JSON, return code management and orchestration of fallback solutions. Step 3: functional acceptance testing on real datasets, measuring the match rate (the correspondence rate between client data and our sources). Step 4: progressive rollout (increasing percentage of traffic). Step 5: continuous monitoring (latency, match rate, fraud rate). Allow a few days to a few weeks depending on the complexity of your information system.
How long does deploying a KYC solution take?
The deployment of a complete KYC solution typically takes 3 to 6 months for an average regulated actor. Month 1: regulatory scoping and risk mapping. Month 2: choice of tools (eIDV, screening, monitoring) and target architecture. Months 3-4: technical integrations and business rule configuration. Month 5: acceptance testing, training of compliance and operations teams, documentation. Month 6: progressive cutover and production rollout. The integration of a single eIDV building block, added on top of an existing KYC framework, takes only a few days to a few weeks.
What are the steps of a KYC project?
A structured KYC project follows eight successive steps: regulatory framing (applicable texts, supervisory authorities), risk mapping (customer, product, geography classification), KYC policy definition (internal procedures), tool selection (eIDV, sanctions/PEP screening, monitoring), technical integration (API, orchestration), business configuration (thresholds, alerts, escalation), team training (compliance, operations, front-office) and production rollout with monitoring. A monthly steering committee ensures follow-up over time.
Do you need a dedicated team to run KYC?
Yes, a mature KYC framework requires dedicated resources. At a minimum: a compliance function (AML/CFT officer declared to the ACPR), KYC operators to handle alerts and escalated files, and an internal audit function that reviews the framework annually. The ratio depends on volume: an actor handling 10,000 onboardings per year typically mobilizes 3 to 5 FTEs (full-time equivalents), versus 30 to 50 FTEs for a universal bank. Automation through eIDV and intelligent monitoring reduce the share of manual processing.
Is KYC refresh (periodic update) mandatory?
Yes, KYC refresh is mandated by AMLD6 and by the FATF's risk-based approach. The frequency depends on the risk level assigned to the customer. High-risk profile: full annual review. Standard profile: review every 3 to 5 years. Simplified profile: review triggered by event (change of activity, transactional alert). Refresh combines updated identity verification, PEP/sanctions check, customer knowledge update (activity, income, wealth) and reassessment of the risk level. A poorly documented KYC refresh is one of the main grounds for ACPR sanctions.
Category 5: Sectors
How do banks apply KYC?
Banks apply the strictest KYC in the market: systematic onboarding, enhanced due diligence for sensitive profiles, periodic KYC refresh (1 to 5 years depending on risk), real-time transaction monitoring, suspicious activity reports to Tracfin. Online banks and neobanks favor eIDV by transactional data to reduce onboarding friction while complying with AMLD6 obligations. Discover our dedicated approach on the banking KYC page.
What are the KYC specifics for fintechs?
Fintechs combine a strong regulatory obligation (status of payment institution, electronic money institution or ACPR license) with a requirement for a fluid user experience. Fintech KYC relies on real-time eIDV at onboarding, continuous PEP/sanctions screening, flow monitoring and compliance with PSD2/PSD3 (Payment Services Directives, the EU rules on payment services). Fintechs operating across multiple jurisdictions must handle local specifics (European passport, equivalences outside the EU). See our fintech KYC page for the details.
What KYC obligations apply to crypto platforms (MiCA)?
Crypto exchanges (crypto-asset trading platforms) have been subject to the MiCA regime since late 2024. They apply full KYC at account opening, the Travel Rule (TFR), the European rule requiring traceability of sender and recipient, on transfers above €1,000, reinforced sanctions screening and transactional monitoring adapted to on-chain flows. The CASP status imposes requirements close to those of payment institutions. The sector page crypto KYC details the specific obligations in 2026.
Is e-commerce affected by KYC?
Non-regulated e-commerce is not subject to AML/CFT KYC, but often deploys an anti-fraud eIDV at order time to limit chargebacks, impersonation and fraudulent returns. Regulated marketplaces (KYB on sellers) and platforms operating BNPL (Buy Now Pay Later) above thresholds fall into the AML/CFT scope and apply formal KYC. eIDV by transactional data brings frictionless verification suited to e-commerce volumes.
Are insurers subject to KYC?
Yes, insurers are subject to AML/CFT under Article L561-2 of the Monetary and Financial Code. Life insurance, particularly exposed to laundering via free-deposit contracts, applies KYC at onboarding, enhanced due diligence on high-value capitalization contracts, and continuous PEP/sanctions screening on beneficial owners. P&C insurers (property and casualty — non-life insurance) apply a lighter framework except in case of suspicion. Mutuals and provident institutions follow the same obligations.
Is real estate subject to KYC obligations?
Yes, since 2009 and the third AML directive, real estate agents have been subject to AML/CFT for transaction and rental operations above €10,000 per month. Real estate KYC verifies the identity of the parties, identifies beneficial owners in the case of a company, screens PEP/sanctions lists and collects information on the source of funds. Notaries apply a complementary KYC at the time of the authentic deed. Property developers and real estate dealers are also covered for their significant operations.
Is Buy Now Pay Later (BNPL) subject to KYC?
BNPL and split-payment operators sit on the AML/CFT boundary. Below thresholds, they deploy instant eIDV coupled with credit scoring, with no formal KYC. Above thresholds (cumulated operations, high outstanding amounts, payment institution status), they switch to full KYC with PEP/sanctions screening, periodic refresh and flow monitoring. PSD3, currently being transposed, tightens payment fraud prevention obligations and clarifies the status applicable to BNPL actors in Europe.
Category 6: Euroleads specifics
How does Euroleads differ from Onfido, Sumsub, Jumio or Veriff?
Onfido, Sumsub, Jumio and Veriff are players specialized in document and biometric verification (identity document capture, facial recognition, liveness check). We take a complementary path: verification by transactional data, anchored in the real traces of an individual's life — verified transactions, government sources, telecoms and media. This approach reduces user friction, works without document capture and is deepfake-resistant. Our eIDV integrates as a complement to the other KYC building blocks (biometrics, document check), never as a head-on competitor.
What are the advantages of verification by transactional data?
Transactional data offers four structural advantages. First, it is frictionless: no document capture, no selfie, no waiting. Second, it is deepfake-resistant, where biometrics is increasingly threatened in 2026. Third, it covers cases where biometrics fails (users without a recent smartphone, degraded capture conditions). Fourth, it adapts to the 197 countries of the Euroleads scope, whereas document coverage varies from country to country. Transactional data remains complementary: a robust framework combines several methods depending on the risk level.
What is Euroleads' product philosophy?
“Because today, everything can be forged — except real life and what people actually buy.” That is the Euroleads product philosophy. A document can be forged, a face deepfaked, a phone number spoofed. By contrast, the sum of transactional traces generated by a real individual over several years (payments, subscriptions, telecom movements, administrative declarations) is impossible to fabricate artificially. Every act of consumption generates a data point. Every data point proves the real existence of an individual. That is the foundation of our eIDV by transactional data approach.
Does Euroleads collect or host data?
No, we neither collect nor host data. Our craft is the research and identification of the best sources among 4,000 worldwide sources (verified transactions, government, telecoms, media). This independence from database publishers guarantees the absence of conflict of interest and allows us to select, for each use case, the most relevant sources in terms of coverage, freshness and reliability. Data stays with the source publishers; Euroleads operates as a data orchestrator.
What compliance guarantees does Euroleads offer?
Euroleads is a subsidiary of MV Group (seven digital and data subsidiaries: Yumens, GoodBuy Media, Euroleads, Tribu, Avanci, Yes Indeed, Weaver-fi). We apply a compliance framework aligned with the standards of our regulated principals. Our 45 years of data expertise guarantee mastery of GDPR obligations (subcontracting, transfers outside the EU, exercise of rights), of sector-specific banking and fintech requirements, and of information security standards. The 5 million monthly verifications we operate are continuously audited by our regulated clients (banks, insurers, fintechs) under their own KYC framework. For the detail of contractual commitments, speak with our experts.
Which sectors does Euroleads support as a priority?
We support six priority sectors where the combination of international data marketing and eIDV brings the most value: banking and insurance (KYC, refresh, monitoring), fintech (frictionless onboarding, PSD3), crypto under MiCA (Travel Rule, on-chain monitoring), e-commerce (payment anti-fraud, marketplace), real estate (KYB and beneficial owners), and business equipment (B2B data marketing, prospecting). The expertise crosses over: a banking client will mobilize data marketing to target prospects, and eIDV to onboard them.
What is Euroleads' commercial approach?
Our job isn't to sell data at any cost. It's to find, for you, the data that resolves your specific case.