
The real cost of building KYC in-house

Stuart Watkins, 8 min read

By Stuart Watkins, CEO, Zenoo

Every year, we talk to half a dozen companies that have built their KYC system in-house and are now looking to replace it. The conversation always starts the same way: "We built it because we thought it would be cheaper and give us more control. It was neither."

Building KYC in-house is one of those decisions that looks rational on a spreadsheet and falls apart in practice. Not always, and not for every company. But far more often than the industry admits. The reason is that most build-vs-buy analyses dramatically undercount the true cost of the "build" option.

This article is not a pitch for buying over building. It is an honest accounting of what in-house KYC actually costs, based on what we have seen from companies that have done it. If you are considering building, these are the numbers you need before you make the decision.

The visible costs: engineering and infrastructure

The cost that everyone accounts for is engineering time. Building a basic KYC workflow (identity verification, document collection, risk scoring, case management, and a compliance dashboard) typically requires 3 to 5 engineers working for 6 to 12 months. At fully loaded costs of £90,000 to £140,000 per engineer per year in the UK (salary, benefits, equipment, office space, management overhead), the initial build costs £270,000 to £700,000.

Infrastructure costs add another layer. Hosting, databases, monitoring tools, security infrastructure, and CI/CD pipelines for a compliance-critical system are not trivial. Budget £30,000 to £80,000 per year for infrastructure, depending on your scale and hosting choices.

So far, the build option looks expensive but manageable: roughly £300,000 to £780,000 for the initial build, plus ongoing infrastructure costs. This is usually where internal business cases stop. It is also where the real costs begin.

The first hidden cost: data provider integrations

Your KYC system is only as good as the data it accesses. At minimum, you need identity verification data, document verification, sanctions screening, PEP databases, adverse media, and company registry data. Each of these requires a separate integration with a separate provider.

A single data provider API integration typically takes 2 to 6 weeks of engineering time, depending on the quality of the provider's documentation and the complexity of the data format. At 4 to 6 providers (the minimum for a credible KYC operation), you are looking at 12 to 36 weeks of additional engineering time. That is another £60,000 to £180,000 before you run a single check.

But the real cost is ongoing maintenance. APIs change. Providers update their data formats, deprecate endpoints, and change authentication methods. Each provider requires monitoring for uptime, error rates, and data quality. Budget 20 to 30% of the initial integration cost per year for maintenance. Across 4 to 6 providers, that is £12,000 to £54,000 per year in engineering time just to keep the integrations working.

"We integrated with five data providers in our first year. By year two, we had spent more engineering time maintaining those integrations than building new product features. One provider changed their API version and gave us six weeks' notice. That single change took our team three weeks to implement and test."

The second hidden cost: regulatory change

AML regulations change. KYC requirements evolve. Screening list formats update. New jurisdictions come into scope. Each regulatory change that affects your KYC process requires engineering work to implement, testing to validate, and compliance review to sign off.

In the past three years, we have tracked over 40 regulatory changes that affected KYC processes for firms operating in the UK and EU. These range from minor (list format changes, threshold adjustments) to major (new EDD requirements, expanded scope of obliged entities, changes to beneficial ownership rules). Each major change requires 2 to 8 weeks of engineering work. Each minor change requires 1 to 5 days.

If you are maintaining your own system, every one of these changes hits your engineering backlog. It competes with product features, bug fixes, and infrastructure improvements. And unlike product features, regulatory changes have non-negotiable deadlines. When a regulation says you must comply by a specific date, your engineering capacity does not factor into the calculation.

Budget £80,000 to £200,000 per year for regulatory change management. This is the cost that in-house KYC builders consistently underestimate, and it is the cost that compounds over time as the regulatory landscape grows more complex.

The third hidden cost: compliance expertise on your engineering team

Building a KYC system requires engineering skills. Maintaining a KYC system that keeps up with regulatory requirements requires compliance expertise. These are different skill sets, and they need to coexist on the same team.

The engineers building your system need to understand what "risk-based approach" means in practice. They need to know the difference between CDD and EDD triggers. They need to understand why a sanctions screening threshold of 80% might be too low and 95% might generate unmanageable false positives. This is specialist knowledge that most software engineers do not have.

You have two options: hire engineers with compliance domain knowledge (rare and expensive), or embed compliance expertise within your engineering team (which means pulling compliance staff away from their primary responsibilities). Either way, it costs money and creates dependencies.

"We had a brilliant engineering team build our KYC system. They built exactly what we specified. The problem was that what we specified was based on our understanding of the regulations at the time. When the regulations changed, we needed the engineering team and the compliance team to work together on every update. That coordination cost was never in the original business case."

The fourth hidden cost: audit and assurance

When you use a third-party KYC platform, the vendor maintains security certifications (SOC 2, ISO 27001), undergoes regular audits, and provides compliance documentation that your auditors can review. When you build in-house, all of that falls on you.

Security audits for a compliance-critical system run £20,000 to £60,000 per year. Penetration testing adds £10,000 to £30,000. Maintaining SOC 2 or ISO 27001 certification for your in-house system requires dedicated resources and ongoing investment. And your external auditors will scrutinise an in-house system far more intensely than a certified third-party platform, because they cannot rely on the vendor's certifications.

The fifth hidden cost: opportunity cost

This is the cost that never appears on a spreadsheet but is often the most significant. Every engineering hour spent on KYC maintenance, regulatory updates, and data provider integrations is an hour not spent on your core product.

For fintechs, the engineering team is your scarcest resource. If 20 to 30% of your engineering capacity is consumed by compliance infrastructure (which is typical for in-house KYC builds after the first year), that is 20 to 30% less capacity for the features that generate revenue, differentiate your product, and attract investment.

We have seen companies where the in-house KYC system became the single largest consumer of engineering time, not because it was badly built, but because the regulatory landscape kept changing and the maintenance requirements kept growing. The system that was supposed to give them control ended up controlling their engineering roadmap.

The three-year total cost of ownership

Here is a realistic three-year TCO for an in-house KYC system at a mid-market financial services company processing 1,000 verifications per month.

Year 1 (build + launch)
Initial build: £300K to £700K
Data provider integrations: £60K to £180K
Infrastructure: £30K to £80K
Total: £390K to £960K

Year 2 (operate + maintain)
Engineering maintenance (2 to 3 FTEs): £180K to £420K
Data provider costs: £60K to £120K
Integration maintenance: £12K to £54K
Regulatory changes: £80K to £200K
Security and audit: £30K to £90K
Infrastructure: £30K to £80K
Total: £392K to £964K

Year 3 (scale + evolve)
Ongoing engineering: £180K to £420K
Data providers: £60K to £120K
Integration maintenance: £12K to £54K
Regulatory changes: £80K to £200K
Security and audit: £30K to £90K
Infrastructure: £40K to £100K
Feature development for new requirements: £80K to £200K
Total: £482K to £1.18M

Three-year total: £1.26M to £3.1M.

Compare this to a third-party platform at £5 to £15 per check (1,000 checks per month) plus annual platform fees: roughly £100K to £250K per year, or £300K to £750K over three years. Even at the high end, the buy option is less than a quarter of the build option.

When building makes sense

In fairness, there are scenarios where building in-house is the right decision. If your compliance workflows are so unique that no commercial platform can accommodate them. If you are processing millions of verifications per month and the per-unit economics of a commercial platform do not work at your scale. If compliance technology is a core differentiator for your business, not just a cost centre.

But these are edge cases. For the vast majority of financial institutions, KYC is a necessary operational function, not a competitive advantage. Building it in-house consumes resources that could be better deployed elsewhere.

The build-vs-buy decision for KYC deserves an honest cost analysis, and most internal business cases are not honest. They count the initial build and ignore the compounding maintenance, regulatory change, integration upkeep, and opportunity costs that grow every year.

If you are currently weighing this decision, or if you have already built in-house and are feeling the maintenance burden, talk to us. We have helped several firms migrate from in-house systems to an orchestrated platform, and we can show you what the transition looks like. 30 minutes. Your data. No slides.


About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
