Data Cleansing for Financial Services: AML, KYC and Customer Record Quality

How UK financial services firms can improve customer data quality to meet FCA expectations, strengthen AML and KYC processes, and reduce regulatory risk.

The Regulatory Stakes of Poor Customer Data in Financial Services

For UK financial services firms — banks, building societies, credit unions, wealth managers, insurance intermediaries, and payment processors — customer data quality is not a back-office housekeeping matter. It sits at the heart of regulatory compliance. The Financial Conduct Authority (FCA) has been unambiguous: firms that cannot maintain accurate, complete customer records are in a poor position to meet their obligations under Anti-Money Laundering (AML) regulations, the Senior Managers and Certification Regime (SM&CR), Consumer Duty, and the broader requirements of the Proceeds of Crime Act 2002.

Enforcement actions in recent years have repeatedly cited inadequate customer data as a contributing factor in AML failures. Fines running into tens or hundreds of millions of pounds have been issued against firms that could not demonstrate that they genuinely knew who their customers were — in part because their customer records were fragmented, duplicated, or out of date. The lesson for smaller regulated firms is clear: data quality is a compliance function, not merely an operational one.

What KYC and AML Actually Require From Your Data

Know Your Customer (KYC) obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — the UK's primary AML legislation — require firms to collect, verify, and maintain accurate customer identity information. Specifically, regulated firms must:

• Identify customers using reliable, independent source documents (e.g., passport, driving licence)
• Verify that the customer is who they claim to be, using documentary or electronic verification
• Understand the nature and purpose of the business relationship
• Apply enhanced due diligence for higher-risk customers, including politically exposed persons (PEPs)
• Keep CDD records up to date and conduct ongoing monitoring of business relationships

Each of these requirements depends on the underlying customer record being accurate, complete, and current. A customer whose address is three years out of date, whose date of birth has been entered incorrectly, or whose name exists in multiple variant forms across different systems cannot be effectively screened against sanctions lists or monitored for unusual transaction activity.

Deduplicating Customer Records Across Banking Systems

Legacy banking infrastructure has a well-documented tendency to generate duplicate customer records. When a customer holds a current account, a savings account, a mortgage, and a credit card — potentially opened at different branches over different decades, and on different iterations of the core banking platform — they may exist as four separate entity records with no programmatic link between them. Add to this the impact of bank mergers, the integration of acquired building societies, and migrations from legacy platforms such as MIDAS or Phoenix to modern cores, and it becomes apparent why many UK banks are still wrestling with customer master data problems that originated in the 1990s.

The consequences are not merely cosmetic. A customer who appears as four separate records cannot be assessed for their total exposure to the firm, cannot be effectively screened as a single entity against the HM Treasury Consolidated Sanctions List, and cannot receive coherent communications about their overall relationship with the firm.

Effective deduplication in a financial services context requires:

• Deterministic matching: Exact matching on regulated identifiers — National Insurance number, date of birth combined with full name and postcode — where these are available and reliably recorded.
• Probabilistic matching: Fuzzy matching algorithms that account for name variations, address formatting differences, and historical addresses, weighted and scored to produce match confidence levels.
• Analyst review: High-confidence matches can be auto-merged with appropriate audit logging; medium-confidence matches should be reviewed by a data analyst before any consolidation takes place.
• Golden record creation: The merged record should draw on the best available data from each source, not simply overwrite with the most recent entry — the most recent address is not necessarily the most accurate one.

Address Standardisation for Regulatory Reporting

Address data in financial services customer records serves multiple regulatory functions: it underpins sanctions screening, supports suspicious activity reporting (SARs) to the National Crime Agency (NCA), enables Suspicious Transaction Reports under the Market Abuse Regulation, and is required for reporting obligations under CRS, FATCA, and domestic tax reporting frameworks.

UK address standardisation should be performed against the Royal Mail Postcode Address File (PAF), which is the definitive record of all deliverable addresses in the United Kingdom. PAF standardisation ensures that address components — building number, street name, locality, town, and postcode — are correctly structured and formatted to a consistent standard. This matters for automated sanctions screening tools, which typically perform address-based matching as part of their logic.

For customers with international addresses, address validation becomes more complex. The ISO 3166-1 country code standard provides a consistent framework for country identification, but address structure varies significantly by jurisdiction. Firms with significant international customer bases should maintain country-specific address validation rules and ensure that address fields are mapped correctly when migrating data between systems.

Companies House Verification for B2B Financial Data

For financial services firms dealing with business customers — whether providing commercial lending, trade finance, business insurance, or corporate banking — the accuracy of company data is a distinct compliance requirement. AML regulations require firms to identify and verify the legal entity they are dealing with, understand its ownership and control structure, and identify beneficial owners holding 25% or more of shares or voting rights.

Companies House provides the authoritative register of UK incorporated companies, and its free API offers real-time access to registered company names, numbers, registered addresses, officer details, and persons with significant control (PSC) records. A structured B2B data cleansing exercise should include:

• Matching existing business customer records against Companies House to confirm the legal entity name and registered number
• Identifying discrepancies between the trading name used in your records and the legal registered name
• Flagging companies that have been dissolved, struck off, or subject to insolvency proceedings
• Validating registered addresses and comparing these against operating addresses held in your records
• Cross-referencing PSC records to support beneficial ownership verification

Companies that have changed their registered name since onboarding — common following mergers, rebrands, or restructures — may sit dormant in your system under a name that no longer matches the entity you believe yourself to be dealing with. This creates both a KYC gap and a practical risk management problem.

Building a Data Quality Framework for Financial Services

Reactive cleansing — addressing data quality problems after they have caused a compliance failure or operational issue — is inherently more costly than building quality in from the outset. Financial services firms should aim to establish a continuous data quality management framework that addresses data at the point of entry, monitors quality over time, and triggers remediation workflows when quality thresholds are breached.

The key components of such a framework include:

• Validation at onboarding: Real-time address validation, name format standardisation, and National Insurance number format checks at the point of customer record creation.
• Duplicate detection at point of entry: Checking new records against existing customers before creation, to prevent duplicates being introduced in the first place.
• Periodic batch cleansing: Scheduled runs against PAF for address validation, Companies House for business customer verification, and mortality screening against the NHS Deaths Register for deceased individuals.
• Change event processing: Consuming notification feeds (address changes, company events, electoral roll updates) to proactively update records rather than waiting for customers to notify you.

The FCA's Data Strategy, published in 2022 and updated since, makes clear that the regulator expects firms to treat data as a strategic asset and to invest in the infrastructure and governance needed to maintain its quality. For firms subject to SM&CR, the accountability for data quality sits with named senior managers — typically the Chief Risk Officer or Chief Operating Officer — making this a board-level concern rather than purely an IT one.