
KYC Remediation: Why Compliance Debt Always Comes With Interest
KYC remediation is what happens when compliance debt gets called in. The shortcuts taken at onboarding, the reviews pushed into next quarter, and the screening gaps left unresolved do not disappear; they sit quietly on the books until an auditor or regulator demands payment. And when that happens, the debt is not repaid at face value, but with interest: the cost of fixing the original issue, the cost of reworking every file the weakness touched, and often the cost of a fine on top.
Few public documents show this arithmetic as clearly as the FCA’s Final Notice against Starling Bank, published on 27 September 2024. It is worth reading not for the headline penalty but for what it reveals about the scale, duration and cost of the AML remediation programme that followed. This article uses it as a case study to make a structural argument: KYC remediation is not a one-off compliance project. It is what happens by design when customer due diligence is treated as a point-in-time event rather than a continuously maintained state.
What actually triggers a KYC remediation programme
Remediation programmes rarely start with a single dramatic failure. They start with a gap between the pace of a firm’s growth and the pace at which its financial crime controls are allowed to mature. According to the FCA’s Final Notice, Starling’s customer base grew from around 43,000 in 2017 to approximately 3.6 million in 2023, while revenue rose from £13,000 in 2016 to £452.8 million in 2023. Cross-border payment volumes told the same story: inbound cross-border payments rose from 385 in 2017 to 236,527 in 2020 and then to over one million by 2023. The Notice is explicit that “its financial crime controls, however, failed to keep pace with its growth.”
That gap is the precondition for almost every remediation programme, in banking and in fund management alike. Onboarding volumes, transaction complexity and customer risk profiles change faster than policies, screening configurations and periodic review capacity can be re-engineered to match. The backlog does not appear on day one. It accumulates, file by file, until someone counts it.
Anatomy of a remediation programme: the Starling Bank case
Hypergrowth outpacing financial crime controls
The FCA’s 2021 review of financial crime controls across six challenger banks, covering a sample of over 8 million customers, found that resources, processes and technology needed to be commensurate with a bank’s expansion, and flagged weaknesses in customer due diligence and enhanced due diligence documentation across the sector. Starling was one of the banks reviewed. In March 2021, the FCA wrote to Starling setting out wide-ranging concerns, including that an internal audit report from November 2018 had already identified significant gaps in its financial crime framework that had not been properly escalated to the Board or the regulator.
A voluntary requirement, and a requirement breached
Following a section 166 Skilled Person review requirement imposed in May 2021, Starling voluntarily accepted a requirement (the VREQ) in September 2021 not to open new accounts for high or higher-risk customers until its AML control framework improved. This is the moment a firm effectively self-declares that its customer due diligence remediation cannot keep pace with new business, and chooses to stop the bleeding rather than let the backlog grow further.
It did not work as intended. According to the Final Notice, Starling failed to implement the VREQ’s requirements properly and did not adequately monitor its own compliance with it. Between 17 September 2021 and the date of the Notice, Starling opened 54,359 accounts for 49,183 high or higher-risk customers in breach of the VREQ it had itself agreed to. An independent consultancy engaged by Starling in 2023 later found that senior management lacked the AML experience to implement the VREQ properly, that no single senior manager held clear accountability for it, that engineering teams responsible for the underlying system changes were never told the VREQ existed, and that the firm’s third line of defence was unaware of the VREQ until late 2022.
A screening gap open since 2017
Separately, Starling identified in January 2023 that its automated financial sanctions screening system, in place since 2017, had been checking customers against only a fraction of the names on OFSI’s Consolidated List: specifically, only Designated Persons with UK citizenship or UK residency, which the Notice records as 39 of the 3,088 Designated Persons on the list at the time. Between 1 July 2022 and 30 January 2023, the system generated no sanctions alerts for individual customers at all. Screening also ran only once every 14 days rather than daily, and only after a customer had already been onboarded.
The remediation exercise itself
This is where the scale of KYC remediation becomes visible. Once the screening fault was found, Starling ran an expedited back-book review of its entire active customer base at the time, roughly 3.5 million customers, between 10 and 24 February 2023. That review alone generated approximately 48,000 alerts requiring review by financial crime operations. Separately, because Starling had been using the wrong tool to screen payments against the Consolidated List, it launched a historic payments review covering 3,988,143 transactions processed between 24 May 2017 and 9 November 2023. That review generated 795,712 alerts and was not completed until September 2024, more than sixteen months after it began. Alongside this, Starling ran the separate VREQ remediation exercise for the tens of thousands of accounts opened in breach, commissioned third-party testing of both its customer and payment screening systems, and rebuilt its sanctions policies, testing methodology, MI and staff training essentially from scratch.
The £28,959,426 penalty, reduced from £40,959,426 for early settlement, is the number that made headlines. It is not the number that should concern a Head of Compliance most. The FCA’s own five-step penalty calculation separately disgorged £959,426 of financial benefit Starling derived from the accounts opened in breach, a reminder that remediation failures carry a direct P&L cost independent of any fine. The section 166 Skilled Person review, the independent consultancy engagement, and the multi-year Economic Crime Enhancement Plan that followed all carried their own cost. The Notice does not itemise these in pounds, and firms rarely disclose them, which is itself telling: the fine is the only part of the bill a remediation programme is ever forced to publish.
What the Notice does make plain is the shape of the hidden bill that every large remediation programme generates:
Restricted growth. The VREQ stopped Starling onboarding an entire category of customer for years, a direct constraint on commercial growth imposed as the price of catching up on financial crime controls.
Management distraction. A Skilled Person review, an independent consultancy review, a Board-level lessons-learned exercise and an investigation running into years pull senior time away from running the business.
Volume-driven headcount. A single back-book screening review generating 48,000 alerts, and a payments review generating nearly 800,000 alerts, cannot be triaged by an existing compliance team alongside business-as-usual work. Programmes of this scale are the reason remediation has historically meant hiring large temporary teams of contract due diligence analysts.
The quality problem. Remediation run at pace and under regulatory and media pressure is remediation done by people with the least context on the original files, working to a deadline. That is precisely the condition under which the next backlog gets seeded.
Why KYC remediation keeps happening
The deeper issue the Starling case exposes is structural, not specific to one bank. KYC has traditionally been treated as an event: a file is built at onboarding, signed off, and then left largely alone until a periodic review cycle, commonly annual, biennial or triennial depending on risk rating, brings it back into view. The moment that file is approved, it starts decaying. Ownership changes, a director is added, a new sanctions designation is published, a customer’s transaction pattern shifts. None of it is reflected until the next scheduled review, if the review capacity exists to process it on time.
Periodic review cycles are, in effect, batch processing. They collect a queue of files, hold them until a scheduled date, then attempt to clear the queue in a burst. That is precisely the operating model that produces a backlog whenever volume outpaces review capacity, which is exactly what happened across the challenger bank sector the FCA reviewed in 2021, and it is why the FCA’s own findings from that review stressed that firms should “continuously ensure that their financial crime controls remain fit for purpose as their business develops and grows”, rather than relying on periodic catch-up. A remediation programme is simply what a KYC backlog looks like once it has grown too large to ignore.
How AI changes the economics of remediation
Remediation work of the kind described in the Starling Notice, re-screening millions of records, retesting alert configurations, re-reviewing tens of thousands of accounts against a defined rule set, is high-volume, document-heavy and rules-anchored. That is exactly the profile of work AI agents are well suited to perform, with human oversight retained on every material decision rather than removed from the process.
The economic shift is significant. Traditional remediation scales with headcount: more files means more contract analysts, hired temporarily and released once the backlog clears, taking their knowledge of the affected population with them. AI-driven remediation scales with compute and design, not with the size of a temporary workforce that has to be recruited, trained, supervised and then let go.
The more important shift, though, is not that remediation gets faster. It is that the category shrinks towards zero. A backlog exists because files stop being reviewed the moment they leave onboarding. If every file is instead kept continuously current, screened on a rolling basis rather than every fourteen days or once a year, and re-assessed the moment a relevant trigger occurs, there is no batch to clear because nothing is ever allowed to fall behind in the first place. The end state worth building towards is not a faster remediation programme. It is a compliance environment with nothing left to remediate.
From remediation to continuous currency: where Steward fits
Steward is an AI-first AML and KYC compliance platform built for investment managers and financial firms, where AI agents perform onboarding, screening and periodic review work with human oversight on every decision. The relevance to remediation is direct: the same agents capable of reworking a backlog at volume are the ones keeping every file continuously current afterwards, so the backlog that made the remediation necessary in the first place has no opportunity to reform.
If a remediation programme is on your horizon, or you would prefer it never to be, book a demo to see how continuously current files work in practice.
From the blog
The latest industry news, interviews, technologies,
and resources.

Deepfakes Have Arrived at Investor Onboarding. Your Checks Haven't Noticed
Deepfake KYC fraud is surging - face swaps and camera injection now beat standard biometric onboarding. What funds, banks and wealth managers must change about identity verification.
Jul 17, 2026
arik oslerne
1 min read

AI KYC Remediation: How AI Agents Clear a Backlog, Task by Task
See how AI KYC remediation works task by task: alert adjudication, entity resolution, and perpetual KYC that stops backlogs reforming
Jul 16, 2026
Geoffrey Safar
1 min read

What Europe's New AML Regime (AMLA) Means for Funds
The EU's AMLR applies from 10 July 2027 and AMLA is already writing the rulebook. What the new EU AML regime means for funds, fund admins and private banks - and why waiting is a mistake
Jul 15, 2026
arik oslerne
1 min read

How to Reduce False Positives in AML Screening
Cut sanctions and PEP false positives in AML screening: why they happen, how to tune matching, and how to keep every dismissal auditable and defensible.
Jul 15, 2026
Geoffrey Safar
1 min read
Product