
KYC Remediation: Why Banks Are Spending Millions to Fix Customer Records

Written by Jens Erik Gould | June 17, 2026

In October 2024, TD Bank agreed to pay $3.09 billion to resolve U.S. Department of Justice, FinCEN, OCC, and Federal Reserve allegations that its AML program let roughly $18.3 trillion in transactions go unmonitored between 2018 and 2024. It is the largest Bank Secrecy Act penalty on record, and it reshaped what regulators expect from a Know Your Customer (KYC) program. KYC remediation is the operational answer to that expectation: a structured, file-by-file review of existing customer due diligence records that brings them up to current regulatory standards.

Every bank watching the TD Bank settlement is asking the same operational question: would our customer files pass that examination? The answer depends on analyst capacity. A financial services BPO partner that can deploy 40 to 80 trained analysts in 60 to 90 days, with the right nearshore BPO operations model behind them, is what makes a KYC remediation program land on schedule.

Banks across the U.S. and Canada now spend more than $61 billion a year on financial crime compliance, according to LexisNexis Risk Solutions. Much of that spend goes to a single operational question. Do your customer files hold up when an examiner pulls one and tests it against today's rules? KYC remediation is how you answer with a defensible yes.

This article walks you through why remediation projects are accelerating right now, what the end-to-end process looks like operationally, how to resource it realistically, and the practical lessons most compliance teams pick up only after a project is underway.

 

What Is KYC Remediation?

KYC remediation is a systematic process that reviews, validates, and re-rates existing customer due diligence (CDD) records. Remediation is different from:

  • KYC onboarding: Captures information when a customer first opens an account
  • KYC monitoring: Tracks customer behavior continuously after onboarding

Remediation is also distinct from a KYC refresh. You schedule a refresh as a proactive measure to run periodic reviews on a defined cycle. Remediation is reactive. Regulatory findings trigger it, typically during audits or after material changes in the regulatory environment that raise the bar for existing records.

The Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act / Anti-Money Laundering (BSA/AML) examination manual's Customer Due Diligence section sets the bar: banks maintain current, accurate customer information and update CDD records whenever risk indicators change.

Your full remediation project should cover the entire customer file:

  • Identity verification
  • Beneficial ownership
  • Source of funds
  • Risk rating
  • Sanctions
  • Politically exposed person (PEP) screening
  • Adverse media

Higher-risk customers require enhanced due diligence (EDD). Files that surface new red flags during review trigger suspicious activity report (SAR) filing decisions. KYC software supports parts of this work, and every stage still requires trained analysts to make judgment calls. The team model behind your KYC remediation program determines whether the project finishes on schedule.

 

Why Banks Are Spending Millions on KYC Remediation Right Now

Three forces make remediation a current priority for compliance leaders. Regulators now test outcomes rather than policies, rising headcount demand runs ahead of compliance budgets, and customer files from five years ago need updating to current standards.

Enforcement Has Gotten Sharper

The TD Bank settlement is the most-cited example, and it sits inside a broader pattern. The Financial Crimes Enforcement Network (FinCEN) enforcement actions index logs continued AML penalties through 2025 and 2026, including Brink's Global Services, Paxful, and Canaccord Genuity. The Comptroller of the Currency (OCC) enforcement actions search tool shows the same direction across national banks.

Regulators now evaluate whether a bank’s process produces accurate, current records that surface illicit activity. Whether the documented KYC process exists on paper is no longer the test.

Ten years ago, examiners reviewed policies. Today, they pull your individual customer files and test whether those files would flag a suspicious transaction. That shift changes what a remediation project needs to deliver. A remediation project that updates policy language and updates customer records closes the compliance loop.

The practical consequence is that compliance officers now produce file-level evidence of CDD and EDD completion. Your compliance team’s evidence lives in individual customer records, which is exactly where a KYC remediation project does its work.

The Cost of Compliance Has Risen Faster Than Bank Budgets

A November 2025 Bank Policy Institute and Clearing House Association submission to the FDIC notes that AML/CFT compliance costs are highly variable across years, depending on annual budgets and shifting regulatory needs. Each new regulation, guidance update, and examination cycle adds analyst hours to the workload.

The cost-versus-headcount gap creates a resourcing math challenge specific to remediation projects. A full-book remediation at a mid-sized bank requires 40 to 80 analysts working for nine to 18 months. Confirm against your file count and risk-tier mix before finalizing the headcount target.

Hiring that team on a full-time basis means carrying headcount through a project that ends, then managing the transition that follows. Nearshore BPO partners offer a cleaner path. Dedicated project teams scale up at the start and release when the queue clears.

Amalga Group’s nearshore operational model delivers 40% to 50% cost savings versus comparable U.S. in-house analyst teams, with a 96.8% employee retention rate and ramp times of 60 to 90 days for new project teams. For a time-boxed remediation project, the combination of cost efficiency and team flexibility is the practical answer to a tight budget.

Customer Files from Five Years Ago Need an Update Today

Three regulatory developments since 2020 have materially raised the bar for what a complete customer file looks like. First, FinCEN's Customer Due Diligence Rule requires banks to identify and verify the controlling owners of legal entity customers, and beneficial ownership has been a sustained examiner focus through the Corporate Transparency Act years. Files opened under earlier standards often lack the ownership structure documentation examiners expect.

The OFAC Specially Designated Nationals list has grown substantially since 2022, driven by Russia-Ukraine and Middle East sanctions programs. A customer who cleared sanctions screening in 2020 may need a fresh screening against the 2026 list.

PEP databases and adverse media expectations now cover more ground than they did five years ago. A customer relationship that appeared standard at onboarding may now warrant the higher-risk category that triggers EDD. Banks identify which customers have moved into that category by running the files. KYC remediation is how you find out.

 

Common Triggers for a KYC Remediation Project

A specific event almost always triggers a remediation project. Six events account for nearly all programs banks run today.

  1. Regulatory enforcement findings. Examiners who identify CDD gaps document them as a formal finding, a matter requiring attention, or a consent order. Each carries a remediation deadline that holds firm.
  2. Audit findings. Internal audit or external review identifies CDD gaps and assigns a remediation deadline you commit to.
  3. Regulatory rule changes. New rules such as the beneficial ownership rule require remediation on their own timeline, regardless of any enforcement action.
  4. Mergers and acquisitions. Acquired customer records arrive under different standards and may need realignment to your risk policy and your regulator's post-merger expectations.
  5. Suspicious activity patterns. Transaction monitoring that surfaces high-risk activity in a customer segment onboarded under older CDD standards calls for a targeted file review.
  6. Data quality breakdowns. Records fragmented across core banking, CRM, and legacy systems need consolidation before the next examination cycle.

Regardless of which trigger applies, the execution path is the same.

 

Five Stages of a KYC Remediation Project

Every KYC remediation project, regardless of trigger, moves through the same five operational stages.

Stage 1: Scoping and Risk Segmentation

Different types of customers require different levels of review. The first stage decides which customers move into remediation, in what order, and to what depth. You’ll prioritize four high-risk customer groups first: PEPs, customers with high-risk jurisdiction exposure, customers with complex beneficial ownership structures, and high-transaction-volume accounts.

Risk segmentation does two things at once. It sorts your project queue by regulatory exposure, and it establishes the governance framework for the project. You'll want clarity on three ownership lines:

  • Who owns risk re-rating decisions
  • Who owns escalation to the AML team
  • Who owns the final sign-off before marking a file complete

Establishing those ownership lines before analysts start processing files keeps handoffs clean and the timeline on track. A well-scoped project is a well-paced one.

Stage 2: Data Inventory and Gap Analysis

The second stage is where most banks discover that customer data lives in more places than the core banking system. You'll pull customer data from five places: the core banking system, the CRM, a KYC platform, a document management system, and a legacy case management tool.

Some files also live in spreadsheets maintained by individual relationship managers. The regulatory implication is that no single platform holds the complete customer file. Examiners pull whichever fragment they pull first, and that fragment is what they evaluate.

Data inventory maps where all your required data elements live for every customer. A gap analysis compares what you have against what your risk policy and current regulatory expectations require.

This phase determines whether customer outreach in the third stage runs cleanly or generates rework. Analysts who know what document they need for each customer make cleaner outreach decisions and close files faster.

Stage 3: Customer Outreach and Document Collection

Customer outreach is the rate-limiting step in almost every KYC remediation project. Response rates vary widely. A March 2026 Fintech Global analysis of KYC remediation trends pegs typical first-pass response rates between 20% and 60%, with the rest requiring multiple follow-up touchpoints to close.

Allocate enough time to this phase. Effective outreach plans use multiple contact channels, including email, secure document portals, branch contact for retail customers, and phone outreach for high-value or high-risk accounts.

Every customer communication should state what document you need, why you need it, and what happens if the customer does not respond. Clear consequences improve response rates because the customer understands the stakes.

Stage 4: Verification, Risk Re-Rating, and Screening

Once analysts have collected all the required documents from customers, they verify them against issuing authorities where possible and re-rate the customer based on the updated information. File-by-file analyst work drives the total headcount for the project.

Verification is where analyst quality earns its return. An analyst who catches a sanctions match or correctly re-rates a complex file protects the bank from downstream liability. Quality assurance protocols and clear escalation paths to your AML team keep that quality consistent across the project.

Your analyst sends any file that raises a new red flag during verification, such as a PEP match, an adverse media hit, or a sanctions match, to the AML team for a SAR filing decision. That handoff is a defined process step, and the documentation supporting the escalation becomes part of the audit trail that the fifth stage captures.

Stage 5: Documentation, Audit Trail, and Regulatory Reporting

Every decision in stages one through four deserves a defensible written record. The regulator who reviews your KYC remediation program may do so months or years after the project closes, and often after the analyst who made the call has moved on. Build the audit trail as you go:

  • Date-stamped decision logs
  • Document version records
  • Risk re-rating rationale
  • Escalation records

Documentation built as the work happens gives you a defensible record that holds up when examiners review the project months or years later. With the five stages mapped, the next question is how to resource them on the right calendar.

 

How to Resource a KYC Remediation Project

Resourcing a remediation project starts with three numbers: your analyst count, your throughput rate, and your cost per file. Each one builds on the previous one, and together they tell you whether your target close date is realistic.

How Many Analysts Does a KYC Remediation Project Need?

Start with your file count and your target close date. A mid-sized bank running a full-book remediation across 200,000 to 500,000 customer files typically needs 40 to 80 analysts working nine to 18 months.

The range reflects three variables: file complexity, the share of high-risk accounts requiring enhanced due diligence, and the response rate during customer outreach. A book heavy on PEPs, complex beneficial ownership structures, or international wire activity moves the headcount toward the top of the range.

A simple way to set your target is to multiply your file count by an average review time per file, then divide by the working hours available in your project window. Build in a 20% to 30% buffer for QA cycles, escalations, and customer outreach follow-up. The result is your minimum analyst count.

Throughput Benchmarks for File-Level Review

Analyst throughput depends on the file risk tier. A standard low-risk file with current documentation typically takes 30 to 60 minutes to review, verify, and close. A medium-risk file with partial documentation runs 60 to 120 minutes.

A high-risk file requiring enhanced due diligence, beneficial ownership tracing, and PEP or adverse media review can take three to six hours per file, sometimes longer when source documents arrive in multiple languages or require translation.

When you weight these throughput rates against your file mix, you get a realistic daily output per analyst. A useful planning figure is four to eight files per analyst per day for a balanced book. High-risk books trend lower. Build your team plan from this throughput rather than from an aspirational close date.

In-House vs. Nearshore Cost Per File

Cost per file is where the in-house vs. nearshore comparison becomes concrete. In-house analyst teams in the U.S. typically run $25 to $100 per file fully loaded, depending on risk tier and document complexity. Nearshore analyst teams in Mexico and Latin America typically deliver the same scope at $12 to $50 per file, a 40% to 50% reduction in fully-loaded cost.

Amalga Group's nearshore operational model is built for this math. Dedicated project teams ramp in 60 to 90 days, hold a 96.8% retention rate so that the team that starts the project finishes it, and release when the queue clears.

For a remediation project running nine to 18 months, that combination of cost efficiency, ramp speed, and team continuity translates directly to a project calendar your compliance team can commit to and a budget your CFO can defend.

 

Practical Lessons Compliance Teams Take into Their Next KYC Remediation Project

Every lesson below is predictable, which means every one of them is something you can plan for. The five sections that follow capture what experienced remediation leads build into the project plan from day one.

Planning the Outreach Phase as Carefully as the Review Phase

Customer outreach absorbs more calendar time than almost any project plan anticipates. Banks consistently estimate a first-pass response window of 30 days and find that the remaining outreach extends across 60 to 90 days, sometimes longer for international or low-engagement accounts. The fix is to build the outreach timeline before committing to a project close date.

Effective outreach plans set a first-contact deadline, a second-contact deadline at 14 days, and an escalation deadline at 30 days. They also pre-define the consequence for non-response, typically account restriction or closure, and disclose that consequence in the first communication. Customers respond faster when they understand the stakes, and the regulator sees a documented escalation pattern when the project closes.

Treating Remediation as the Foundation for Continuous KYC

Remediation closes known gaps in existing records. Continuous KYC processes, including trigger-based reviews and periodic refresh cycles, keep those gaps closed. Banks that finish a KYC remediation project and return to static CDD see the same examination finding three years later.

The fix is to build the continuous KYC layer into the project plan itself. As stage five documentation closes each customer file, that file enters the refresh cycle on a tier-based schedule: annually for high-risk customers, every two to three years for medium-risk, and every three to five years for low-risk.

Pair the schedule with trigger-based reviews driven by transaction monitoring alerts, beneficial ownership changes, and updates to your sanctions or PEP screening sources. The result is a customer book that stays current after the project closes.

Aligning Risk Appetite Between Operations and Compliance Before Files Start Moving

Analysts clearing your files make judgment calls about what constitutes acceptable documentation. When those judgment calls match the compliance team’s standards, files clear QA on the first pass. When they don't, files reopen and the project calendar slips.

The fix is calibration sessions between operations and compliance at the start of the project, plus weekly QA feedback loops throughout. The calibration sessions should walk through 10 to 20 sample files from each risk tier, with operations explaining the call and compliance confirming or adjusting.

The weekly feedback loops keep both teams aligned as edge cases surface in production. A small upfront investment in alignment saves 10% to 20% of project hours that would otherwise go to file reopens.

Building the Audit Trail from Day One

An audit trail reconstructed after the fact rarely survives examiner scrutiny. Date-stamped logs, document version control, and standardized escalation records built into the workflow from day one produce a defensible record that holds up months or years later, when the examiner actually looks.

The fix is to define audit trail requirements alongside the analyst workflow, then enforce them through the case management system rather than relying on analyst discipline. Required fields, mandatory rationale text on every risk re-rating, and an unalterable timestamp on every decision are the three elements that turn the audit trail from a documentation chore into an automatic byproduct of the work.

Keeping a Human Analyst in the Loop on High-Risk Files

Regulators have signaled in recent examination findings and guidance that automated decision-making works well for low-risk file clearing, and works less well as a stand-alone control for high-risk customer segments. Your KYC remediation program benefits from a clear policy on which file types require a human analyst's sign-off, regardless of what the automated screening results show.

The fix is a documented escalation matrix. Define which combinations of risk score, transaction volume, jurisdiction, and beneficial ownership complexity require a senior analyst review; which require AML team review; and which can clear with QA sign-off alone.

The matrix becomes part of the audit trail, and the regulator sees both the automation efficiency and the human judgment exactly where each one belongs. The questions below address what compliance officers ask most frequently before and during a remediation project.

 

Frequently Asked Questions About KYC Remediation

The answers below cover the operational and regulatory questions that come up most often.

What Is the Difference Between KYC Remediation and KYC Refresh?

A KYC refresh is scheduled and proactive. Your institution sets a periodic review cycle, and every customer in scope gets reviewed on that schedule, regardless of whether a specific event has triggered concern. KYC remediation is reactive, and specific events such as an enforcement finding trigger it. The FFIEC BSA/AML Examination Manual covers both obligations, and regulators evaluate refresh and remediation as separate programs.

How Much Does a KYC Remediation Project Cost?

Cost depends on file count, customer complexity, and whether you run the project in-house or with a BPO partner. In-house analyst teams in the U.S. typically run $25 to $100 per file fully loaded. Nearshore BPO teams typically deliver the same scope at $12 to $50 per file, a 40% to 50% reduction. A targeted high-risk segment review costs a fraction of a full-book program. Both approaches require dedicated analyst time across nine to 18 months for a full-book scope.

How Long Does KYC Remediation Usually Take?

A KYC remediation timeline typically runs nine to 18 months for a full-book program at a mid-sized bank. Scope and customer outreach response rate drive most of the variance. Targeted segment reviews close faster, often in three to six months. Customer outreach absorbs 40% to 60% of the calendar in most projects, so the outreach plan is where realistic timelines start.

Can a Customer Opt Out of KYC Remediation?

Customers may decline to provide updated documentation, and that response carries consequences for the account relationship. Banks have a contractual and regulatory obligation to keep customer information current as a condition of the account. Every customer communication should specify three things:

  1. Required documents
  2. Response deadline
  3. Consequence of non-response

When customers have all the information on hand, they’re more likely to respond. The documented communication record also gives the bank a defensible basis to restrict or close the account when a customer declines to engage.

How Do Banks Resource a Remediation Project Without Burning Out the In-House Compliance Team?

In-house compliance teams typically run at capacity on ongoing CDD and regulatory reporting. Adding a full-book KYC remediation project on top often pushes service levels and retention in the wrong direction. Dedicated nearshore BPO project teams handle the file-by-file KYC remediation work while your in-house team retains ownership of escalation decisions and regulatory relationships. Amalga Group maintains a 96.8% employee retention rate across its nearshore teams, which translates to project continuity rather than re-training mid-project.

Does Completing KYC Remediation Guarantee Regulatory Compliance?

Remediation closes known gaps in your existing records as of the date the project completes. Regulatory expectations continue to evolve, beneficial ownership and sanctions rules will be updated again, and your customer book will generate new transactions and new risk indicators after the project closes. The continuous KYC layer built on top of the remediation foundation is what keeps the program current.

 

Build a KYC Remediation Program That Holds Up

KYC remediation turns the compliance work that defines TD Bank’s $3.09 billion settlement into a closed, documented file that holds up under examination. That settlement opened this article as a ceiling. A well-scoped, well-resourced KYC remediation program is how your institution builds the floor:

  • Scope before you spend. A file count, a risk-tier breakdown, and a throughput model before project launch give you a realistic calendar and a budget you can defend to leadership.
  • Team sizes decide the timeline. Analyst count and file complexity drive the project calendar. Build your team plan from realistic throughput benchmarks rather than from the target close date.
  • The audit trail starts on day one. Contemporaneous documentation holds up under regulatory review, and the case management system enforces it without relying on analyst discipline.
  • Remediation is a foundation rather than a finish line. Close the gaps, and then build the continuous KYC processes that keep them closed.
  • Pair the platform with the people. Every piece of KYC software benefits from trained analysts making the judgment calls. The execution layer is where projects ship on schedule.

Book a discovery call with Amalga Group to scope a realistic team model for your KYC remediation program, including scope and a target timeline your compliance team can commit to.