{"id":1730,"date":"2026-05-21T06:10:34","date_gmt":"2026-05-21T06:10:34","guid":{"rendered":"https:\/\/trackwizz.com\/knowledge-hub\/?p=1730"},"modified":"2026-05-26T06:10:54","modified_gmt":"2026-05-26T06:10:54","slug":"the-risk-of-unknown-unknowns-in-kyc","status":"publish","type":"post","link":"https:\/\/trackwizz.com\/knowledge-hub\/the-risk-of-unknown-unknowns-in-kyc\/","title":{"rendered":"The Risk of Unknown Unknowns in KYC"},"content":{"rendered":"<p>In the context of risk management, the infamous epistemology of uncertainty \u2013 \u201c<em>there are known knowns, known unknowns, and unknown unknowns<\/em>\u201d \u2013 is well understood. This maps seamlessly, and with unsettling precision, onto the world of Know Your Customer (KYC) compliance in Indian financial services. The <em>known knowns<\/em> are the <strong>KYC documents<\/strong> we collect. The <em>known unknowns<\/em> are the gaps we acknowledge \u2013 incomplete CDD, stale risk ratings, unverified beneficial owners. But it is the third category \u2013 the <em>unknown unknowns<\/em> \u2013 that should keep Chief Compliance Officers awake at night.<\/p>\n<p>India\u2019s financial system now processes over <a href=\"https:\/\/www.npci.org.in\/product\/upi\/product-statistics\">22 million<\/a> UPI transactions per month. Against this backdrop, the assumption that KYC, as currently practised, provides meaningful visibility into financial crime risk deserves serious scrutiny. The greatest KYC failure is not the document you failed to collect. It is the customer you never truly understood and the risk you never knew existed.<\/p>\n<h3><strong>The Conceptual Frame: What Do We Mean by \u201cUnknown Unknowns\u201d KYC Risks?<\/strong><\/h3>\n<p>KYC compliance in India \u2013 governed by the Prevention of Money Laundering Act 2002, the RBI Master Direction on KYC, SEBI\u2019s KYC Registration Agency framework, and sector-specific guidance from IRDAI, PFRDA, and IFSCA \u2013 is fundamentally a documentation exercise. 
Collect identity proof. Verify address. Classify risk. Conduct enhanced due diligence where required. Refresh periodically. The architecture is sound in design.<\/p>\n<p>But documentation captures a snapshot of identity, not a living understanding of a customer. The <em>unknown unknowns<\/em> of KYC are the things we cannot anticipate asking about, cannot find in any document, and may not even conceptually recognize as risks at the moment of onboarding or review.<\/p>\n<p><strong>They fall into four categories:<\/strong><\/p>\n<p><strong>(i) Structural unknown unknowns<\/strong> \u2013 risks embedded in the customer\u2019s network, not the customer themselves: a legitimate individual who is the conduit for a criminal beneficial owner three layers removed.<\/p>\n<p><strong>(ii) Temporal unknown unknowns<\/strong> \u2013 risks that did not exist at onboarding but emerged through life events: a client who becomes a Politically Exposed Person following a state election; a business whose ownership structure is silently restructured.<\/p>\n<p><strong>(iii) Behavioural unknown unknowns<\/strong> \u2013 transaction patterns that deviate from declared purpose in ways no CDD form anticipated, invisible until volume crosses a threshold that triggers no rule.<\/p>\n<p><strong>(iv) Technological unknown unknowns<\/strong> \u2013 new criminal methodologies that exploit the gap between how the financial system was designed to work and how it actually does: crypto-to-fiat layering, AI-generated synthetic identities, deepfake-assisted Video KYC evasion.<\/p>\n<h3><strong>The Onboarding Illusion: The Moment You Think You Know Someone \u2013 and You Don\u2019t<\/strong><\/h3>\n<p>India\u2019s digital KYC revolution \u2013 Video KYC, DigiLocker integration, Aadhaar-based e-KYC, Account Aggregator-enabled financial data flows \u2013 has made onboarding faster, cheaper, and more inclusive than at any point in the country\u2019s financial history. 
This is, overwhelmingly, a positive development. But speed has a shadow side: velocity compresses deliberation.<\/p>\n<p>When an NBFC can onboard a borrower in seven minutes, or a broker can open a demat account in under twenty, the compliance infrastructure must work at the same speed. AI-assisted document verification, automated PEP and sanctions screening, and rule-based risk classification have partially kept pace. <em>But the unknown problem is precisely what automation cannot solve, because you cannot automate a question you have not thought to ask.<\/em><\/p>\n<p><strong>The Synthetic Identity Challenge<\/strong><\/p>\n<p>Synthetic identity fraud is <strong>the fraud vector compliance teams underestimate most consistently<\/strong>; synthetic identity attacks grew approximately 31% year-on-year, making it the fastest-growing detected attack class. Unlike traditional identity fraud, synthetic identity victims may not even exist as natural persons. Tools that once required significant resources can now produce convincing synthetic identities for a pittance using generative AI, and 2% of all detected fake documents globally in 2025 were created using tools such as ChatGPT and Gemini. No watchlist will flag them. No adverse media search will return results. They are, by definition, <em>unknown unknowns<\/em>: the KYC system has no reference point against which to detect the anomaly.<\/p>\n<p>Between 2023 and 2025, the number of deepfake files exploded from 500,000 to over 8 million globally, with fraud attempts involving deepfakes surging 3,000% in a single year. India, with its remote-first onboarding infrastructure serving hundreds of millions, presents an attack surface of historically unprecedented scale. The World Economic Forum\u2019s January 2026 Cybercrime Atlas examined face-swapping tools and camera injection tools and found that most were able to bypass standard biometric onboarding checks. 
The gap between regulatory awareness of this threat and industry-level detection capability is itself a systemic vulnerability.<\/p>\n<p><strong>The Beneficial Ownership Labyrinth<\/strong><\/p>\n<p>For non-individual customers \u2013 companies, trusts, partnerships, HUFs \u2013 Indian KYC requirements mandate identification of the Ultimate Beneficial Owner. In theory. In practice, the UBO verification chain is frequently broken at the first or second remove. A private limited company presents its directors; the holding company above it is not scrutinised; the offshore trust that controls the holding company is invisible. The regulated entity has technically complied. The criminal beneficial owner remains undiscovered: not a known unknown, but an <em>unknown unknown<\/em>, because no one thought to look past the document presented.<\/p>\n<p>The RBI\u2019s action against one of the largest payments banks, leading to the cancellation of its license and citing, <em>inter alia<\/em>, KYC deficiencies and concerns about fund flows through the platform, is the most visible recent signal that regulators view KYC failures as systemic rather than merely operational risks. The core issue was not missing documents. It was structural blindness to how customers were actually using the platform at scale. This is the <em>unknown unknown<\/em> in action: a compliance architecture formally adequate but practically inadequate to the reality it was supposed to monitor.<\/p>\n<h3><strong>Scale as a Risk Multiplier: When Volume Overwhelms Vigilance<\/strong><\/h3>\n<p>Millions of Indian bank and demat account holders, coupled with a rapidly expanding universe of fintech-served customers, are interacting with multiple regulated entities simultaneously. 
At this scale, even a fraction of a percent of customers with concealed risk profiles represents millions of accounts.<\/p>\n<table width=\"624\">\n<tbody>\n<tr>\n<td width=\"199\"><strong>Unknown Unknown Category<\/strong><\/td>\n<td width=\"193\"><strong>Why It Escapes Detection<\/strong><\/td>\n<td width=\"232\"><strong>Indian Context Signal<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"199\">Synthetic Identities<\/td>\n<td width=\"193\">No watchlist match; AI-generated documents pass liveness checks<\/td>\n<td width=\"232\">Rising fintech lending fraud; SFB onboarding gaps<\/td>\n<\/tr>\n<tr>\n<td width=\"199\">Layered UBO Structures<\/td>\n<td width=\"193\">CDD stops at first-level directors; offshore chains invisible<\/td>\n<td width=\"232\">Shell company abuse via conduits<\/td>\n<\/tr>\n<tr>\n<td width=\"199\">Post-Onboarding PEP Emergence<\/td>\n<td width=\"193\">Static risk classification; no event-triggered refresh<\/td>\n<td width=\"232\">State election cycles create new PEP exposures annually<\/td>\n<\/tr>\n<tr>\n<td width=\"199\">Crypto-to-Fiat Layering<\/td>\n<td width=\"193\">Crypto leg invisible to banking layer<\/td>\n<td width=\"232\">P2P exchanges, informal hawala-crypto convergence<\/td>\n<\/tr>\n<tr>\n<td width=\"199\">Mule Account Networks<\/td>\n<td width=\"193\">Individual accounts appear legitimate; network pattern hidden<\/td>\n<td width=\"232\">UPI-based mule chains; cybercrime proceeds<\/td>\n<\/tr>\n<tr>\n<td width=\"199\">Deepfake Video KYC Evasion<\/td>\n<td width=\"193\">AI-generated video passes human and automated review<\/td>\n<td width=\"232\">RBI\u2019s August 2025 amendment now mandates deepfake detection<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Transaction monitoring systems calibrated for manageable alert volumes at lower customer counts become overwhelmed, either generating thousands of false positives that desensitize compliance teams, or being recalibrated to suppress alerts and inadvertently creating blind spots. 
Neither outcome is acceptable. Both are common.<\/p>\n<p>The mule account problem deserves particular attention. India\u2019s cybercrime ecosystem has made the recruitment of mule account holders a near-industrialised process. Each individual account, viewed in isolation, appears entirely unremarkable. The criminality is visible only at the network level, and many Indian regulated entities are yet to conduct network-level analysis as a routine component of their CDD or ongoing monitoring programmes.<\/p>\n<h3><strong>The Digital Paradox: More Data, Deeper Blind Spots<\/strong><\/h3>\n<p>The digital era presents a paradox for KYC: we have more data about customers than at any previous point in history, and yet the intelligence derived from that data, in terms of genuine understanding of financial crime risk, may not have kept pace. Data abundance and insight scarcity coexist.<\/p>\n<p>Consider the digital footprint available to a bank for a retail customer today: Aadhaar-verified identity, PAN-linked transaction history, Account Aggregator-pulled financial data across institutions, UPI transaction metadata, device intelligence from mobile banking apps. A sophisticated analytical layer applied to this data could generate a genuinely dynamic risk profile. In practice, quite a few regulated entities are still running batch-mode KYC refresh cycles and rule-based transaction monitoring designed for a different era.<\/p>\n<p>The same generative AI tools that compliance teams are beginning to use for risk assessment are simultaneously being weaponised for KYC evasion. Extant video KYC guidelines were progressive when introduced; the technology for deepfake generation has since seemingly outrun the verification protocols those guidelines contemplated. KYC compliance and genuine customer understanding have diverged. 
One is a regulatory obligation met on paper; the other is an intelligence capability that some Indian regulated entities have not yet fully built.<\/p>\n<h3><strong>Ongoing Monitoring: The Wider Blind Spot<\/strong><\/h3>\n<p>If onboarding KYC captures a static snapshot, ongoing monitoring is supposed to provide the dynamic film. RBI\u2019s Master Direction requires periodic updation: every two years for high-risk customers, every ten years for low-risk. But criminality does not respect update cycles.<\/p>\n<p>In practice, the gap between the two is vast. Periodic KYC refresh is largely a document-collection exercise. Transaction monitoring generates alerts. Adverse news screening runs on schedules. But true ongoing understanding \u2013 the kind that would surface an <em>unknown unknown<\/em> before it crystallises into a reportable suspicion \u2013 requires something more: asking whether this customer\u2019s behaviour has changed in ways inconsistent with their declared purpose; whether their counterparty network has evolved; whether something in their industry, geography, or political environment has changed their risk profile. These are not questions that a compliance checklist asks. They are questions an intelligence-led AML programme asks.<\/p>\n<p><strong>The PEP Time Lag<\/strong><\/p>\n<p>India conducts state assembly elections across its 28 states and 8 union territories on a rolling basis. Every election cycle creates new PEPs \u2013 politicians, their family members, their associates \u2013 who were, at the time of their initial KYC, ordinary private citizens. The regulated entity may have no mechanism to detect this change in status between periodic reviews, save for regular screening against the right databases. The customer\u2019s risk profile has transformed; the compliance system\u2019s understanding of them has not. 
A known unknown made operational through institutional inertia.<\/p>\n<p><strong>The MSME Opacity Problem<\/strong><\/p>\n<p>India\u2019s MSME sector comprises over 63 million enterprises, the overwhelming majority unincorporated, and represents a substantial portion of the customer base of banks, NBFCs, and payment system operators. The beneficial ownership, ultimate controllers, and actual business activities of these enterprises are frequently opaque. CDD conducted at onboarding captures what the promoter chooses to disclose. Ongoing monitoring may surface anomalies, but only if the baseline understanding of what \u201cnormal\u201d looks like for that enterprise is sufficiently granular. In most cases, it is not.<\/p>\n<h3><strong>Towards a Response: From Compliance Theatre to Genuine Intelligence<\/strong><\/h3>\n<p>Acknowledging the <em>unknown unknown<\/em> is not an invitation to despair; it is the beginning of a more honest conversation about what KYC can and cannot do, and what investments are needed to close the gap.<\/p>\n<ul>\n<li><strong>Network-Level Intelligence as a Necessity<\/strong>\n<p>The mule account challenge, the layered UBO problem, and the crypto-fiat layering typology share a common feature: the risk is invisible at the individual account level and only visible at the network level. Graph analytics and network monitoring capabilities are not a future aspiration. They are a present operational requirement.<\/li>\n<\/ul>\n<ul>\n<li><strong>Dynamic Risk Profiling Over Static Classification<\/strong>\n<p>Risk classification conducted at onboarding and refreshed on two, eight or ten-year cycles is inadequate to the pace at which customer risk profiles actually change. 
A suitable framework, combined with behavioural analytics and event-triggered review protocols \u2013 elections, regulatory actions against connected entities, adverse news, significant transaction pattern changes \u2013 should form the basis of a genuinely dynamic risk model.<\/li>\n<\/ul>\n<ul>\n<li><strong>Layered Identity Assurance at Onboarding<\/strong>\n<p>Document-based identity checks on their own are no longer sufficient to prevent modern fraud \u2013 effective fraud prevention in 2026 requires a layered approach that makes fraud too costly to attempt at scale. OVSE-enabled Aadhaar offline verification, presentation attack detection in Video KYC, and document forensics must work together as a system, not as sequential checkboxes.<\/li>\n<\/ul>\n<ul>\n<li><strong>Regulatory Intelligence as a Live Input<\/strong>\n<p>Unknown unknowns cannot be anticipated in isolation, but they can be surfaced more quickly through active engagement with FIU-IND typology reports, FATF mutual evaluation findings, RBI and SEBI enforcement actions, and IFSCA guidance for GIFT City entities. The regulated entity that proactively treats regulatory intelligence as a live compliance input rather than a periodic reference will convert unknown unknowns to known unknowns faster than its peers.<\/li>\n<\/ul>\n<h3><strong>Concluding Remarks<\/strong><\/h3>\n<p>India\u2019s regulatory framework for KYC and AML is, in its architecture, among the most comprehensive in the Asia-Pacific region. The PMLA\u2019s reach, FIU-IND\u2019s analytical mandate, and the sector-specific guidance of RBI, SEBI, IFSCA and all other regulators collectively create a framework that, if genuinely implemented, would provide substantial protection against financial crime.<\/p>\n<p>The gap is not in the framework. 
It is in the distance between formal compliance and genuine customer understanding, and in the institutional willingness to acknowledge that unknown unknowns are not a residual problem to be managed at the margins, but a central strategic challenge demanding board- and leadership-level attention, sustained investment in analytical infrastructure, and a culture of intelligent scepticism rather than document-collecting compliance.<\/p>\n<p>The question for every Compliance Officer, every Board Risk Committee, and every Audit Function in Indian financial services is not \u201cAre we KYC-compliant?\u201d It is: \u201cDo we actually know our customers and do we know what we don\u2019t know?\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the context of risk management, the infamous epistemology of uncertainty \u2013 \u201cthere are known knowns, known unknowns, and unknown unknowns\u201d \u2013 is well understood. This maps seamlessly, and with unsettling precision, onto the world of Know Your Customer (KYC) compliance in Indian financial services. The known knowns are the KYC documents we collect. 
The known [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[2],"tags":[],"class_list":["post-1730","post","type-post","status-publish","format-standard","hentry","category-ckyc"],"_links":{"self":[{"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/posts\/1730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/comments?post=1730"}],"version-history":[{"count":2,"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/posts\/1730\/revisions"}],"predecessor-version":[{"id":1732,"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/posts\/1730\/revisions\/1732"}],"wp:attachment":[{"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/media?parent=1730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/categories?post=1730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trackwizz.com\/knowledge-hub\/wp-json\/wp\/v2\/tags?post=1730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}