07 July 2026 5 min

Your AI KYC tool won't save you in an audit.

Written by: Tinyiko Nkuna Save to Instapaper
Your AI KYC tool won't save you in an audit.

South African companies are buying AI-powered compliance tools faster than they're reading the regulation those tools are supposed to satisfy.

That gap is about to become very expensive.

Bradley Elliott, CEO, RelyComply

Directive 11 is live.

SARS is chasing R44 billion in unpaid taxes from companies still holding state contracts.

A cabinet minister just lost her job over undisclosed benefits.

The regulatory environment in South Africa has shifted – not gradually, but all at once.

The question isn't whether your organisation is compliant.

The question is whether you can prove it.

Most AI KYC vendors are selling the first part.

Far fewer can help you with the second, and that distinction matters more than most procurement teams realise.

Compliance Has a Documentation Problem, Not Just a Detection One

For years, "we have a system" was good enough.

You ran due diligence checks, you onboarded customers, and as long as suspicious transaction reports were filed without triggering further investigation or regulatory scrutiny – the audit was largely a box-ticking exercise.

The system existed.

The paperwork existed.

Nobody looked too hard at either.

That era is over.

Directive 11 of 2026, issued by the Financial Intelligence Centre, doesn't just ask accountable institutions whether they have AML and CTF controls.

It requires a detailed Risk and Compliance Return: documented evidence of how those controls function, how risks are assessed, and how the programme is managed over time.

The market’s response has been predictable: rebrand existing onboarding tools as "AI-powered compliance solutions" and sell on speed.

We've seen vendors leading with conversion metrics and friction reduction.

Useful things, but not compliance things.

AI can accelerate compliance.

It cannot replace it.

The companies confusing the two are going to find out the hard way.

Speed Is a Sales Argument. Auditability Is a Regulatory One.

There's a meaningful distinction that most procurement decisions are currently ignoring: the difference between an AI tool that accelerates a compliance process and one that constitutes a compliance programme.

The first is genuinely useful.

The second is a liability dressed as a solution.

KYC products are being sold on faster onboarding, lower friction, and better UX.

The FIC doesn't care about your NPS score.

It cares whether your validation journey is complete, your risk ratings are defensible, and the logic behind every decision is documented and auditable.

If AI is generating those decisions – flagging risk, scoring customers, approving or declining – that AI needs to be explainable.

A model that produces an output without a traceable, human-readable rationale isn't a compliance tool.

It's a black box sitting inside a process that regulators expect to be transparent.

The warning signs are already there.

Deepfake fraud in South Africa increased by over 269% year-on-year in 2025.

BioCatch data shows South African banks losing close to R85 million annually to fraud, with most banking leaders acknowledging that attacks are escalating faster than existing defences can respond.

Meanwhile, the broader fraud rate declined, which means the fraud that's getting through is more sophisticated, not less.

What this tells us is that bad actors are already probing the seams between AI-powered onboarding tools and the human oversight layers meant to catch what the models miss.

When those seams are wide – because the tool was bought for speed, not rigour – the exposure compounds.

First you take the financial hit.

Then you take the regulatory one.

The Instructure/ShinyHunters incident last month is instructive even outside of financial services: the assumption that a third-party platform handles your compliance obligations doesn't hold when the audit, or the breach, arrives.

Accountability doesn't transfer with the contract.

Technology Adoption Is Not Compliance Maturity, and AI Governance Matters

The industry needs to stop conflating the two.

Buying an AI KYC product is not a compliance programme.

It is, at best, a component of one and only if that component produces auditable outputs, aligns with FIC definitions and thresholds, and sits in a governance framework a regulator can inspect.

Part of that governance framework increasingly means asking how your vendor manages its AI.

ISO 42001, the international standard for AI management systems, sets out requirements for risk management, transparency, accountability, and ongoing oversight.

It's still emerging in adoption, but it's the right question to ask.

When you're evaluating a compliance vendor whose core product is an AI system, ISO 42001 alignment belongs on your checklist alongside SOC 2 and ISO 27001.

If they haven't thought about it, that tells you something.

So, What Does Good AI Actually Look Like?

Good AI in compliance does a few things: it scales human decision-making without replacing human judgment, it surfaces risk signals faster and more consistently than manual review, and it documents its own reasoning in a way that can be reviewed, challenged, and presented to a regulator.

That means audit trails that capture not just what decision was made, but why, based on what inputs, weighted how.

The companies that navigate the next 12 months well aren't the ones that avoided AI.

They're the ones that deployed it with rigour, as a tool that makes their compliance programme faster, sharper, and more defensible.

Not as a shortcut around having one.

Ask what your technology produces at audit time.

Ask whether every decision can be explained and evidenced.

Ask how your customer onboarding and risk assessment processes align with Directive 11's requirements.

If those answers aren't clear, neither is your compliance position.

The regulator isn't coming for the companies that bought AI.

It's coming for the companies that bought AI and thought that was enough.

About RelyComply

RelyComply is a compliance technology company that provides AI-driven anti-money laundering (AML) and know-your-customer (KYC) solutions for banks, fintechs, and financial institutions.

Founded in 2020, their unified platform helps companies automate risk assessments, identity verification, and suspicious transaction detection.

Total Words: 988

Submitted on behalf of

Press Release Submitted By

  • Agency/PR Company: JNPR
  • Contact person: Tinyiko Nkuna
  • Contact #: 0658673768
  • Website
  • LinkedIn

JNPR

2 Press Release Articles

Jenni Newman Public Relations (JNPR) is a premier, full-service boutique communications and reputation management firm based in South Africa. Established in 2003 by renowned communications industry veteran Jenni Newman, the agency has evolved into one of the country's most respected independent professional services public relations firms.