DISPATCH ·

KYC + AML pre-consolidation 2026: vendor landscape, M&A signal, and the two-vendor procurement pattern

Fourteenth and closing per-pillar Phase 3 dispatch. Phase 1 covered Chapter III KYC + AML for brokers with a Cyprus + August 2025 CySEC sanctions regime + EU AMLR July 2027 transition framing. The KYC vendor segment has accumulated material M&A activity through 2024-2025 with several pending closes expected in 2026 H2; the procurement-relevant implication for operators making KYC decisions in 2026 H1 is forward-compatibility with the consolidated landscape rather than the current pre-consolidation vendor mix. This dispatch covers the pre-consolidation vendor positioning, the M&A signals that have surfaced, the two-vendor procurement pattern that the CySEC and DMCC archetype dispatches surfaced, CASP-specific KYC requirements, the Travel Rule plus KYC bundling question, per-archetype KYC procurement patterns, and three procurement implications. Closes the per-pillar sub-series at fourteen dispatches.

tags · per-pillar · kyc · aml · consolidation · phase-3-closing

Why this dispatch exists

This is the twentieth Phase 3 dispatch and the fourteenth and closing per-pillar deep-dive. The earlier per-pillar dispatches covered payments, RegTech, crypto exchange WL, LP procurement, risk management, broker CRM, IB management, trading platform, broker analytics, copy trading, turnkey suites, prop firm tech, and alt-WL platforms. This one covers Chapter III KYC and AML for brokers.

The KYC chapter was the Phase 1 chapter anchored to Cyprus with the August 2025 CySEC sanctions regime and the EU AMLR July 2027 transition framing. Phase 2 extended corpus coverage but did not return to the KYC chapter for fresh research because the vendor mix and procurement framework remained stable through the chapter research window. Through 2024-2025 material M&A activity has accumulated across the KYC vendor segment with several pending closes expected in 2026 H2. Earlier per-pillar dispatches signposted the KYC consolidation dispatch as deferred until the M&A activity settled. The 2026 H1 procurement reality is that operators making KYC decisions now need to evaluate forward-compatibility with the consolidated landscape rather than the current pre-consolidation vendor mix; deferring the dispatch further would leave operators without editorial coverage during the procurement window when the decision matters most.

This dispatch covers the pre-consolidation KYC vendor positioning at 2026 H1 detail, the M&A signals that have accumulated, the two-vendor procurement pattern (primary KYC for onboarding plus separate ongoing screening) that the CySEC and DMCC archetype dispatches surfaced, the CASP-specific KYC requirements beyond the CFD broker baseline, the Travel Rule plus KYC bundling question, per-archetype KYC procurement patterns, and three procurement implications. The dispatch closes the per-pillar deep-dive sub-series at fourteen dispatches; the broader Phase 3 work pivots to additional vendor refresh cycles, new operator archetype dispatches, and cross-pillar synthesis updates.

The KYC + AML procurement landscape state in 2026

Three structural realities shape KYC procurement through 2026:

The EU AMLR transition through July 2027 is the binding regulatory frame. The EU Anti-Money Laundering Regulation (AMLR) entered into force in 2024 with a July 2027 transition deadline for the harmonised framework to be operationally binding across all member states. Through 2025-2026 EU member state national supervisors have continued operationalising the AMLR alongside the existing national AML frameworks; the consolidated framework will be binding from July 2027. The procurement-relevant implication is that KYC procurement decisions made in 2026 should be forward-compatible with the AMLR framework rather than calibrated only for the current national AML frameworks.

The August 2025 CySEC sanctions regime crystallised the ongoing-screening procurement requirement. CySEC has been the most active EU sanctions enforcement jurisdiction since 2022; the August 2025 sanctions regime explicitly codified ongoing PEP and sanctions screening as a distinct supervisory expectation separate from onboarding-time identity verification. The Phase 1 chapter covered this; the 2026 procurement-action-stage implication is that the two-vendor procurement pattern (primary KYC vendor for onboarding plus separate vendor for ongoing screening) is the operational baseline for CySEC operators and increasingly for operators in other EU jurisdictions where supervisors are aligning with the CySEC enforcement posture.

CASP-specific KYC requirements have crystallised under MiCAR plus EU TFR. The Phase 3 CASP archetype dispatch and the RegTech post-MiCAR dispatch covered the CASP-specific KYC requirements including wallet ownership verification, counterparty risk scoring on incoming and outgoing transfer addresses, and Travel Rule integration. Through 2025-2026 the CASP KYC procurement landscape has crystallised around vendors with explicit MiCAR-aligned product capability versus vendors positioned for CFD broker KYC procurement.

The pre-consolidation KYC vendor positioning

The Phase 1 chapter covered 10 KYC vendors with Cyprus anchoring. The 2026 pre-consolidation positioning:

Sumsub continues as the strongest universal KYC vendor for CFD broker and CASP procurement across all four operator archetypes. The Phase 1 verdict held; through 2024-2025 the vendor has continued expanding crypto-specific KYC features including wallet attribution layers, Travel Rule integration (Sumsub TRP module), and supported asset configuration. Procurement-appropriate for CySEC, DMCC, hybrid, and CASP operators.

Veriff continues as a SOLID option with strong identity verification depth and biometric liveness check capability. The Phase 1 verdict held; through 2024-2025 the vendor has continued growth and expanded crypto-asset support. Procurement-appropriate across archetypes with explicit evaluation of Veriff’s CASP-specific feature depth.

ShuftiPro continues as a SOLID option with strong multilingual support including Arabic-script ID documents. The Phase 1 verdict held; through 2024-2025 the vendor has continued expansion in MENA markets. Procurement-appropriate for DMCC operators specifically and for any operator with material Arabic-language client onboarding.

Onfido (now Entrust) completed acquisition by Entrust in 2024. The Phase 1 verdict held operationally; the procurement context shifted with the Entrust parent integration similar to the Cappitech under S&P Global pattern covered in the vendor refresh dispatch. Operators with existing Onfido contracts should verify Entrust enterprise contract framework migration; new procurement should evaluate the post-acquisition product positioning.

Jumio continues with similar positioning to Phase 1 coverage; through 2024-2025 the vendor has not materially shifted.

Trulioo continues with similar positioning to Phase 1 coverage; through 2024-2025 the vendor has not materially shifted.

ComplyAdvantage continues as the strongest specialist option for ongoing screening (PEP, sanctions, adverse media). The Phase 1 verdict held; through 2024-2025 the vendor has continued expanding the screening data set. Procurement-appropriate as the secondary vendor in the two-vendor procurement pattern.

IDnow continues as a SOLID option with strong EU regulatory positioning and bank-grade integration capability. The Phase 1 verdict held.

Other Phase 1 vendors continue with the chapter verdicts. The vendor landscape is broader than the consolidated future state will be; the procurement-relevant question is forward-compatibility with the M&A activity covered below.

The M&A signals accumulated through 2024-2025

Material M&A activity has accumulated across the KYC segment. The signals that have surfaced:

Onfido acquired by Entrust (closed 2024). The Onfido acquisition completed in 2024 with Entrust as the parent. The integration is now operationally maturing through 2025-2026. The procurement-relevant implication is that Onfido procurement now operates under Entrust enterprise contract frameworks; existing customers should verify contract migration status.

Sumsub fundraising and continued expansion. Sumsub has continued raising capital and expanding product capability through 2024-2025. The procurement-relevant implication is that Sumsub’s continued growth strengthens the vendor’s procurement positioning as the universal CFD broker plus CASP KYC choice; the vendor is unlikely to be a consolidation target through 2026 H2 absent material market events.

ComplyAdvantage funding rounds. ComplyAdvantage has raised additional capital through 2024-2025 supporting continued expansion of the ongoing screening data set. The procurement-relevant implication is that ComplyAdvantage continues as the specialist option for ongoing screening; the vendor is unlikely to be a consolidation target through 2026 H2.

Veriff continued growth. Veriff has continued expanding through 2024-2025 with strong identity verification depth. The procurement-relevant implication is similar to Sumsub: continued growth strengthens the vendor’s procurement positioning.

Smaller vendor consolidation expected through 2026 H2. Several smaller KYC vendors are expected to close consolidation transactions through 2026 H2. The specific transaction details are not public at the dispatch date; the procurement-relevant implication is that operators procuring from smaller specialist KYC vendors should evaluate consolidation risk explicitly during the procurement decision. Vendors at risk of being acquired may experience product integration friction post-acquisition; operators with existing contracts to such vendors should monitor M&A signals and plan procurement transitions if consolidation occurs.

The procurement-relevant implication across the M&A signals is that operators making KYC procurement decisions in 2026 H1 should weight forward-compatibility with the consolidated landscape rather than evaluating only the current pre-consolidation vendor mix. The procurement decision horizon (3-5 year typical contracts for KYC procurement) likely extends past the consolidation window; operators should plan for that explicitly.

The two-vendor procurement pattern

The CySEC and DMCC archetype dispatches surfaced the two-vendor procurement pattern as the operational baseline. The 2026 procurement-action-stage framing:

Primary KYC vendor for onboarding. The primary vendor handles identity verification, address verification, document verification, and biometric liveness check at the onboarding flow level. The procurement-relevant question is depth across the verification surface including jurisdiction-specific document support, multilingual processing, and liveness check robustness against deepfake and synthetic identity attacks. Sumsub, Veriff, ShuftiPro, Onfido (Entrust), and Jumio are the typical primary KYC vendor options.

Separate vendor for ongoing screening. The secondary vendor handles ongoing PEP screening, sanctions screening, and adverse media monitoring post-onboarding. The procurement-relevant question is screening data set depth (which jurisdictions, which sanction lists, which adverse media sources) and screening frequency configurability. ComplyAdvantage and dedicated screening vendors are typical secondary procurement options.

Manual case management for ambiguous cases. Most regulated operators run a manual case management team for ambiguous KYC and ongoing screening cases that the automated vendors flag for human review. The procurement-relevant question is whether the operator’s case management infrastructure (typically operator-built rather than vendor-procured) integrates cleanly with the primary and secondary KYC vendors.

Why two vendors rather than bundled procurement. Single-vendor KYC procurement covering both onboarding and ongoing screening is technically available from some vendors. The two-vendor procurement pattern persists because the operational requirements differ: onboarding KYC optimises for completion rate and conversion funnel friction; ongoing screening optimises for screening data set comprehensiveness and update frequency. Vendors optimised for one rarely match best-in-class on the other. The CySEC archetype dispatch noted this trade-off; the 2026 procurement reality has not consolidated around bundled procurement.

The procurement-relevant implication is that operators procuring KYC in 2026 should plan for two-vendor procurement explicitly even when single-vendor bundled offerings are available. The procurement decision is which primary vendor and which secondary vendor rather than which single bundled vendor.

CASP-specific KYC requirements

The CASP archetype dispatch identified CASP-specific KYC requirements beyond the CFD broker baseline. The 2026 procurement-action-stage framing:

Wallet ownership verification. CASPs need to verify that clients control the blockchain wallet addresses they claim to control. The procurement-relevant question is verification methodology depth: signature verification (the client signs a challenge message with the wallet’s private key), Travel Rule attestation (the wallet ownership is attested through the operator’s Travel Rule infrastructure), and ongoing wallet activity monitoring. Sumsub, Veriff, and ShuftiPro all offer wallet attribution layers; the specific methodology and depth varies.

Counterparty risk scoring on transfer addresses. CASPs need to score incoming and outgoing transfer addresses against blockchain analytics data sets (sanctioned addresses, mixer addresses, addresses associated with known illicit activity). The procurement-relevant question is integration with chain analytics providers (Chainalysis, Elliptic, TRM Labs covered in the RegTech post-MiCAR dispatch). Some KYC vendors offer integrated chain analytics; others require separate procurement.

Travel Rule integration. The EU TFR requires Travel Rule infrastructure separately covered in the RegTech post-MiCAR dispatch. The procurement-relevant question is whether the operator’s primary KYC vendor offers integrated Travel Rule capability or whether Travel Rule is procured separately from a specialist (Notabene, TRP Network, Coinbase TRUST).

Crypto-specific PEP and sanctions screening. Some PEP and sanctions screening data sets are crypto-specific (addresses associated with sanctioned entities, addresses associated with PEPs). The procurement-relevant question is whether the secondary screening vendor’s data set extends to crypto-specific entities or remains traditional-finance-focused.

The procurement-relevant implication for CASP KYC procurement is that the CASP-specific requirements add procurement complexity beyond the CFD broker baseline. CASPs should evaluate KYC vendors against the CASP-specific requirements explicitly rather than accepting vendor positioning at category level. Sumsub continues as the strongest universal CFD broker plus CASP option because of native crypto-asset feature depth; CFD-only KYC vendors require explicit add-on modules or third-party integration for CASP procurement.

The Travel Rule plus KYC bundling question

The RegTech post-MiCAR dispatch covered Travel Rule infrastructure as a standalone procurement category. The KYC procurement decision interacts with the Travel Rule procurement decision in two patterns:

Bundled Travel Rule plus KYC from primary KYC vendor. Sumsub TRP module is the most-procured bundled offering combining primary KYC with Travel Rule capability under a single vendor relationship. The procurement-relevant advantage is operational simplicity; the procurement-relevant disadvantage is Travel Rule counterparty network coverage may be narrower than dedicated Travel Rule specialist vendors (Notabene, TRP Network). The CASP RegTech dispatch covered this trade-off.

Separate Travel Rule procurement from specialist vendor. Notabene or TRP Network as the primary Travel Rule infrastructure plus a separate KYC vendor for primary identity verification. The procurement-relevant advantage is best-of-breed across both categories; the procurement-relevant disadvantage is integration complexity.

The procurement-relevant implication is that operators procuring CASP KYC in 2026 should evaluate the bundling question explicitly. Lean CASPs typically procure bundled (Sumsub plus TRP module); mid-market and tier-1 CASPs increasingly procure separately (Sumsub plus Notabene) for the Travel Rule counterparty network coverage advantage.

Per-archetype KYC procurement patterns

The four operator archetype dispatches surfaced KYC procurement patterns. The 2026 explicit framing:

Archetype A (CySEC CFD broker). Two-vendor procurement: Sumsub or Veriff for primary onboarding plus ComplyAdvantage for ongoing screening. Manual case management for ambiguous cases. Forward-compatible with EU AMLR transition.

Archetype B (DMCC plus VARA UAE broker). Two-vendor procurement plus UAE Cabinet Resolution sanctions list coverage (some vendors require explicit add-on modules). ShuftiPro for Arabic-script ID document depth; Sumsub for CASP-side procurement if VARA-licensed. Biometric liveness check robustness for low-touch onboarding.

Archetype C (hybrid prop firm plus broker). Two-vendor procurement on the broker side; lightweight identity verification on the prop firm side. The broker CRM deep dive covered the architecture decision (two KYC vendors vs one vendor with two configurations).

Archetype D (CASP under MiCAR). Two-vendor procurement with CASP-specific requirements: Sumsub for primary KYC with wallet attribution layer plus Travel Rule (bundled TRP module or separate Notabene) plus secondary screening vendor (ComplyAdvantage or specialist) plus chain analytics integration (Chainalysis, Elliptic, TRM Labs).

Three procurement implications for 2026 operators

The above produces three concrete procurement implications:

Implication 1: Plan KYC procurement as two-vendor procurement explicitly rather than considering single-vendor bundled offerings. The two-vendor pattern is the operational baseline across CySEC and DMCC archetypes and increasingly across other EU jurisdictions where supervisors are aligning with CySEC enforcement posture. The procurement decision is which primary vendor and which secondary vendor rather than which single bundled vendor. Bundled offerings exist but rarely match best-in-class on both onboarding and ongoing screening simultaneously.

Implication 2: Weight forward-compatibility with the post-consolidation landscape in 2026 H1 procurement decisions. Material M&A activity is expected through 2026 H2 across smaller KYC vendors. Operators making procurement decisions in 2026 H1 should evaluate consolidation risk for the specific vendor shortlist and plan for procurement transitions if a vendor in the shortlist is acquired with product integration friction. The procurement decision horizon likely extends past the consolidation window.

Implication 3: CASP KYC procurement requires explicit evaluation against the CASP-specific requirements set rather than extending CFD broker KYC vendor procurement. The wallet ownership verification, counterparty risk scoring on transfer addresses, Travel Rule integration, and crypto-specific PEP and sanctions screening requirements add procurement complexity beyond the CFD broker baseline. CASPs should procure KYC vendors that demonstrate explicit MiCAR-aligned capability rather than CFD-focused KYC vendors with crypto add-on modules.

The per-pillar sub-series closes; what comes next

The per-pillar deep-dive sub-series closes at fourteen dispatches with this dispatch. The fourteen per-pillar dispatches covered:

  1. Payments and EU banking regime
  2. RegTech post-MiCAR
  3. Crypto exchange WL consolidation
  4. LP procurement
  5. Risk management
  6. Broker CRM
  7. IB management
  8. Trading platform
  9. Broker analytics
  10. Copy trading
  11. Turnkey suites
  12. Prop firm tech
  13. Alt-WL platforms
  14. KYC + AML pre-consolidation (this dispatch)

Combined with the four operator archetype dispatches (CySEC, DMCC plus VARA, hybrid, CASP), the cross-archetype matrix dispatch, and the vendor refresh dispatch, the Phase 3 corpus now covers twenty dispatches across the synthesis arc plus the maintenance sub-series plus the per-pillar sub-series.

The broader Phase 3 work pivots to:

  • Additional vendor refresh cycles. The first refresh covered six events; future refresh dispatches will be triggered by accumulated signal rather than scheduled cadence. The KYC consolidation closes expected in 2026 H2 will likely warrant a vendor refresh dispatch in 2026 H2 or 2027 H1.
  • New operator archetype dispatches. Candidates include CASP plus CFD broker hybrid under EU regulation, ADGM FSRA institutional broker, and LATAM or APAC CFD broker if procurement-relevant signal accumulates.
  • Cross-pillar synthesis updates. The cross-archetype matrix dispatch may receive periodic updates as vendor positioning shifts accumulate.

If you operate a broker or CASP stack with active KYC procurement consideration and the framing above does not match your direct procurement reality, that is the editorial signal we are looking for. The corpus improves through ground-truth from operators.