KYC/AML in Virtual Cards: Automation Handbook for Incumbents and Digital-Only Newcomers

This article was co-authored with Stacy Dubovik, ScienceSoft's Financial Technology and Blockchain Researcher, and Alex Bekker, ScienceSoft's Head of Data Analytics Department.

While bringing much-demanded speed and security into payment flows, virtual cards raise unique concerns associated with identity fraud and money laundering. Given the strict regulations and evolving financial crime mechanisms, digital-only customer due diligence becomes extremely challenging for virtual card providers operating exclusively online. The question I repeatedly hear from domain entrants is how to organize remote KYC for compliant access to virtual card products while minimizing friction for both customers and internal teams.

Drawing on my experience in payment IT, I'll attempt to answer this question from the technology perspective and share some insights into the must-have solutions for effective screening and controls. Spoiler: basic automation is definitely not enough.

What's So Challenging about KYC/AML for Virtual Cards?

With consumers citing better fraud and identity theft protection as their number-one expectation from payment service providers (PSP), digital card issuers look to develop a KYC/AML program that would drive customer loyalty, not just address regulatory requirements. As quick issuance, ease of use, and geographically-agnostic nature make virtual debit cards a go-to instrument for layering, most of my virtual card clients name spotting deliberate transactional fraud as their main challenge.

One-time cards let money launderers seamlessly move small money portions across various jurisdictions, making it easier to obscure dirty funds' origin and destination. Due to limited personal data exposure and minimized time lags between the card issuance and transaction, identifying fraudulent patterns using conventional monitoring tools can be extremely complex.

While KYC/AML screening procedures are basically the same for physical and digital cards, face-to-face interaction with a customer – an ultimate source of liveness and identity truth – is missing in purely digital settings. As such, there's vaster room for identity fraud in the virtual-only card space.

Recent advancements in AI-powered deepfakes are magnifying identity-associated risks. With technology now able to instantly clone faces and voices, it may be impossible for digital-only card providers to confidently say who's behind the screen, even during real-time video checks. Latest domain incidents show that realistic deepfakes can be successfully exploited to extort million-dollar funds. Risks will likely proliferate in the years ahead. In its 2024 Financial Services Industry Predictions report, Deloitte names GenAI the biggest emerging threat to the payment sector, potentially enabling fraud losses to triple by 2027 and reach $40 billion in the US only.

KYC Automation Tasks and Approaches

Manual KYC checks and perpetual due diligence would be a forensic nightmare for any PSP. With banks spending, on average, $1,500–$3,000 to complete just one client's KYC review, it's no surprise over 60% of institutions are investing heavily in technology to maximize automation. Potential benefits from automated screenings are rewarding: midsized institutions would experience up to 6x quicker initial checks and a 60–80% reduction in post-KYC review costs.

Good news for traditional banks: a large portion of KYC/AML activities for virtual cards can be automated through the tools used for physical cards. Digitally mature institutions enjoy minimized economic and technical barriers to entering the virtual card market. The biggest automation intricacy comes to providers planning solely online cardholder onboarding. Remote customer liveness and identity verification require dedicated policies and advanced specialized software.

The table below gives an intuitive glance into the KYC areas that can be automated using card-agnostic tools and the areas requiring specific software in the case of virtual cards.

Presumably, incumbents looking to add virtual cards to their product range already have some of the general tools implemented. Yet, check to discover emerging solutions offering deeper KYC automation. Startups entering the virtual card market are welcome to use the entire table as their handbook for automating KYC/AML from the onset.

Source: ScienceSoft 

Must-Have Technology Investments for Digital-Only Card Providers

In the virtual-only domain, where the expectations for service speed are natively high, televerification of each applicant's persona and lengthy manual checks are not an option. Can KYC for virtual cards be automated effectively without AI? A short answer is no. AI-supported tools are what actually make fully digital financial services feasible.

For KYC verification, my paytech clients usually ask virtual card applicants to take a selfie, provide a live photo of an applicant showing specific signs, or record a video where an applicant performs certain actions like turning the head, blinking, or smiling. ML-powered image/video analysis and pattern recognition algorithms then come into play to handle two major tasks. First, they automatically match the obtained biometrics to the source data (e.g., a photo on the customer's ID) and conclude whether the customer is the same person stated in the application documents. Second, they validate customer media records for authenticity and reason on whether the customer is physically present.

It's not just a matter of efficiency. With staggering deepfake realness, fraudulent biometric patterns may simply be non-recognizable by the human eye. Intelligent models trained on petabytes of 2D/3D images can quickly and accurately spot fake media. Ironically, the same mechanisms fraudsters use for impersonification work to reveal identity forgery in virtual card providers' favor.

When it comes to the post-KYC landscape, regular multi-factor authentication and transaction eligibility checks can catch many fraudulent encounters. Conventional tools alone, however, may not be adequate to address emerging risks. Both virtual card market players and regulators (e.g., the US Department of Treasury in its recent report) recognize the importance of AI adoption for supporting perpetual anti-fraud operations.

Some incumbents are already reaping the benefits of AI-powered behavioral and transactional analytics. Early in 2024, Mastercard launched a GenAI-supported decisioning solution that scans an unprecedented one trillion data points in real time and predicts whether a cardholder's transaction is likely to be genuine. The solution helped Mastercard and its banking clients boost fraud detection rates, on average, by 20% and, in some cases, by as high as 300% while reducing false positives by 85%+. A recent AI fraud detection pilot of Pay.UK involving Visa proved to bring, on average, a 40% uplift in fraud detection. During a pilot run, the predictive intelligence tool correctly identified an additional 54% of fraud and APP scams beyond those spotted by the banks' non-AI systems.

I myself encourage PSPs to adopt intelligent fraud detection quickly yet cautiously. Modern AI services like Azure Machine Learning and Amazon SageMaker offer fast implementation (an MVP may be rolled out in 3–5 months).  However, preparing a comprehensive, bias-immune model training dataset to minimize KYC/AML false positives and false negatives requires additional time and effort. AI logic explainability is essential in achieving transparent and controllable KYC decisions. My colleagues from data science recommend applying techniques like LIME and SHAP to achieve high interpretability of AI analytics outputs while retaining their 95%+ accuracy.

Advanced Tools to Balance KYC Compliance with User Convenience

Screening requirements, by their nature, conflict with seamless customer experience. On the one hand, the more customer data a company can obtain, the higher its chances of spotting fraudulent activities early. On the other hand, intrusive questions and lengthy checkups can frustrate and even deter potential customers.

For virtual card providers, KYC is all about adequate balance. Luckily, some emerging technology solutions effectively address both in-depth verification and UX enhancement needs. From my experience, the following solutions would bring high value to both aspects:

Data access APIs

Using open APIs provided by banks and public authorities, a virtual card provider can easily collect much of the card applicant data required for prequalification and quickly bring the data to its internal systems. This frees new customers from tedious questionnaire filings and high-volume document submissions.

For incumbents relying on dated internal systems, implementing dedicated middleware may be required to bridge legacy software and APIs. Strategically, I'd recommend strangling legacy payment software to microservices to improve its interoperability with external solutions. 

Large language models (LLM) for document processing

A specialized class of generative AI, LLM can efficiently tackle the lengthiest and most cumbersome KYC tasks like multi-format customer document capture, validation, and summarizing for screening. Early adopters of compliance-focused LLM tools report up to 50x quicker document reviews, a 40% reduction in process costs, and 90% fewer false positives in AML checks.

My colleagues from data science have recently published a guide to implementing LLMs in financial services. Check it out to discover cost-effective development options and ways to mitigate project risks.

Biometric authentication tools

Unlike passwords, PINs, and access tokens, biometrics cannot be stolen, guessed, or replicated using current AI algorithms, so risks of unauthorized access are minimized. For customers, immediate biometric authentication eliminates login friction and cognitive strain.

Employing market-available solutions like CloudABIS and AimBrain may be a quick way to incorporate cardholder biometric verification. From a customer data privacy standpoint, though, custom development would be a safer approach.

Blockchain-based identity solutions

By providing advanced encryption and immutable recordkeeping of cardholder KYC data, blockchain ensures that identity details cannot be altered or tampered with. This eliminates the risks of data breaches, identity theft, and data misuse inherent to traditional identity management. In blockchain systems, KYC details for each customer get linked to the unique anonymized ID, which is further used for securely authenticating cardholders in their accounts with no additional checkups.

In interoperable scenarios, once recorded in the blockchain, cardholder KYC details can be securely shared between financial service providers, removing the strain of repetitive KYC checks for companies and customers. So, I'd recommend moving virtual card KYC to blockchain rails only to providers involved in or planning extensive partnerships with other financial market players. Implementation investments can then be distributed among the blockchain participants.

You're Not Alone in Your KYC/AML Automation Journey

The global volume of virtual card transactions is anticipated to grow by an impressive 380%+ by 2028. Hopefully, you will be among the ones reaping the market benefits and paving consumers' way to a sounder digital payment future. Consider the automation solutions to run virtual card KYC with minimal hassle, and don't hesitate to reach out to me for practical help with your endeavor.