kyccost

Independent reference. Not legal or regulatory advice. Consult a qualified compliance specialist for advice specific to your jurisdiction and risk profile. See methodology.


Build vs buy KYC: when does in-house pay?

Vendor blogs argue buy. Consultant blogs argue build. The honest crossover sits at roughly 250,000-500,000 onboardings a year for a single-jurisdiction fintech, lower for multi-jurisdictional, materially higher for low-EDD retail. Hybrid is usually the right answer.

Buy TCO at 50k onboardings: £15-£35 per customer | Build MVP: £200k-£800k + 25-40% maintenance

The decision frame.

Three honest variables determine the answer: annual onboarding volume, internal engineering capacity, and regulatory complexity (multi-jurisdictional, multi-product, high-EDD population). Cost only follows from those three. A 100,000-onboardings UK-only retail challenger has a different answer to a 100,000-onboardings multi-jurisdictional crypto exchange, even though both have the same headline volume.

The hybrid model has emerged as the dominant pattern for scale fintechs precisely because it splits the decision: buy where vendors have meaningful scale advantage (identity verification, sanctions data), build where workflow and decisioning logic create competitive differentiation. Pure-build is rare; pure-buy has friction at scale.

Buy: TCO at three volume points.

| Component | 50k onboardings | 250k onboardings | 1M onboardings |
|---|---|---|---|
| Vendor platform + per-verification commercials | £90k - £200k | £280k - £550k | £700k - £1.4M |
| Sanctions / PEP / adverse media data feed | £40k - £80k | £90k - £180k | £180k - £350k |
| Ongoing monitoring add-ons | £30k - £60k | £90k - £160k | £280k - £500k |
| EDD module (where licensed) | £15k - £40k | £35k - £70k | £70k - £120k |
| Integration / SI cost | £25k - £80k | £50k - £120k | £80k - £180k |
| Ops labour (alert review, EDD case work) | £200k - £550k | £950k - £2.6M | £3.5M - £9M |

Vendor commercials reflect typical enterprise contract levels at each volume tier; ops labour reflects industry-typical FTE sizing. Multi-jurisdictional or multi-product builds add 30-60% to each line.

Build: what it costs at scale.

One-off engineering build

| Item | Cost |
|---|---|
| Identity verification API integration (still bought) | £40k - £100k |
| Workflow / decisioning engine (built) | £80k - £280k |
| Case management / audit trail (built) | £60k - £180k |
| Ops tooling / analyst console (built) | £40k - £120k |
| Initial integration + SI / consulting | £30k - £100k |
| MVP build total | £200k - £800k |

Annual recurring

| Item | Annual cost |
|---|---|
| Maintenance (25-40% of build) | £50k - £320k |
| Sanctions / PEP / adverse media data licence | £40k - £200k |
| Cloud / infra | £20k - £80k |
| Ops labour (per-customer line) | £15-£30 / customer |
| Vendor due diligence (KYC + adjacent SaaS) | £8k - £30k |

The maintenance figure is the line that surprises CFOs most; defensible bespoke KYC demands ongoing engineering attention.

The crossover threshold.

For a single-jurisdiction UK fintech with a sub-10% EDD population, build TCO drops below buy TCO at roughly 250,000-500,000 annual onboardings, on a three-year horizon. Multi-jurisdictional or multi-product books move the threshold materially down because vendor commercials include per-jurisdiction premiums that build can absorb at the workflow layer. High-EDD books move the threshold up because EDD case-work labour dominates either way; build adds engineering cost that does not pay back in EDD-heavy ops.

The crossover is rarely the right framing. Most scale fintechs settle on hybrid (buy identity verification, buy sanctions data, build workflow plus decisioning plus case management) precisely because the hybrid TCO sits below both pure-buy and pure-build above the threshold.

Per-customer TCO at volume

| Annual onboardings | Buy | Build |
|---|---|---|
| 50k | £15 - £35 | £40 - £70 |
| 250k | £8 - £16 | £10 - £20 |
| 1M | £6 - £12 | £4 - £8 |

Hybrid is usually right.

Buy: identity verification

Document, biometric, network ID. Vendor-side scale economics dominate; build rarely beats commercial APIs.

Buy: sanctions / PEP / adverse media data

World-Check, Dow Jones, ComplyAdvantage. Data quality is the moat; in-house list management is regulatory exposure.

Build: workflow / decisioning

Risk scoring, EDD trigger logic, journey orchestration. Differentiation lives here; vendor workflow rarely fits exactly.

Build: case management

Analyst console, audit trail, escalation queue, MLRO sign-off. Operational integration matters more than vendor breadth.

Build: ops tooling

Triage queues, SLA monitoring, QA sampling, manager dashboards. Vendor offerings here are inconsistent.

Hybrid: ML triage

Build where volume justifies; buy where it does not. The 100k onboardings break-even on adverse media triage applies.

Vendor due diligence cost.

A small but real line. Most KYC platforms a UK or EU fintech evaluates are SaaS providers, which means their own SOC 2 Type II report becomes part of your vendor due diligence file. Where that overlaps a fintech's own SOC 2 budget, see soc2certificationcost.com. Per-vendor annual review cost is typically £2,000-£8,000 of internal compliance and engineering time, but the cumulative line across the wider compliance stack is material at a 15-vendor footprint.

Crossover tool.

Three inputs return a buy / build / hybrid recommendation with three-year TCO for buy and build. Indicative only; the assumption set is the model in methodology.

Inputs
250,000
1
15%

Output
Recommendation: hybrid
Buy TCO Yr 1: £3,800,000
Build TCO Yr 1: £2,192,500
Buy TCO 3yr: £11,400,000
Build TCO 3yr: £5,877,500

Indicative model. Build cost £200k-£800k MVP plus 25-40% annual maintenance, plus sanctions data licence, plus ops labour. Hybrid splits identity verification (buy) from workflow (build).

Build vs buy questions

Should fintechs build or buy KYC?
Below roughly 250,000 onboardings a year, buy almost always wins. Above 500,000 onboardings a year on a single jurisdiction with sub-10% EDD population, build can win on TCO. The realistic answer for most scale fintechs is hybrid: buy identity verification, buy sanctions data, build workflow plus decisioning plus case management. Pure-build engagements are rare; the engineering and maintenance commitments rarely pencil out below the volume threshold.
How much does it cost to build an in-house KYC system?
Engineering build cost £200,000-£800,000 for a defensible MVP, plus 25-40% annual maintenance, plus sanctions data feed licence £40,000-£200,000 annually, plus ops labour £15-£30 per onboarded customer. Multi-jurisdictional builds add £150,000-£250,000 per additional jurisdiction. The maintenance figure is the line that surprises CFOs most; built systems demand ongoing engineering attention indefinitely.
Is KYC outsourcing cheaper than in-house?
At low to mid volume yes; at very high volume no. At 50,000 onboardings a year, vendor TCO typically lands £15-£35 per customer fully loaded vs build TCO £40-£70. At 1,000,000 onboardings a year, vendor TCO typically lands £6-£12 per customer vs build TCO £4-£8. The crossover threshold sits between 250,000 and 500,000 for a single-jurisdiction fintech. Multi-jurisdictional or multi-product books move the threshold materially down.
When is bespoke KYC worth the cost?
When customer volume justifies the engineering build, when the firm has multiple products with different risk profiles, when regulatory complexity creates vendor-lock-in friction, or when the firm wants to monetise its KYC stack as a product line. Most scale fintechs do not meet all four. The hybrid model (buy identity + sanctions, build workflow + decisioning + case management) is increasingly common because it captures the unit-economics benefit of build above the crossover threshold without the full engineering commitment.
How does maintenance cost work on a built system?
Industry-standard 25-40% of original build cost annually for a defensible bespoke KYC stack. The figure covers regulatory updates (new sanctions lists, new EDD triggers, new jurisdictions), platform-engineering refresh, model retraining where ML triage exists, and the engineering on-call coverage that the system requires once it sits in the customer onboarding path. Lower maintenance budgets typically produce regulatory-exposure backlogs that show up in supervisory visits.
Should we factor SOC 2 of our vendors into the budget?
Yes. Most KYC platforms a UK or EU fintech evaluates are SaaS providers, which means their own SOC 2 Type II report becomes part of your vendor due diligence file. The annual review cost is small per vendor (typically £2,000-£8,000 of internal time per vendor) but cumulative across the wider compliance stack. Where that overlaps a fintech's own SOC 2 budget, see soc2certificationcost.com.

Sources cited on this page

  1. Industry RFP benchmarks for KYC platform contracts (2025-2026)
  2. Fenergo KYC Compliance For Banks series
  3. Standard industry maintenance benchmarks for bespoke compliance systems (25-40% annual)
  4. soc2certificationcost.com - SOC 2 Type II cost reference for KYC vendor due diligence