For three decades, the payments industry has relied on a foundational rule: Know Your Customer. Banks and payment processors gathered identity documents, verified addresses, ran background checks, and filed those KYC data points into static compliance folders. Once approved, the customer moved through the system with the assumption that risk assessment was complete. That assumption is now obsolete.
Mastercard's recent articulation of a strategic shift—from KYC (Know Your Customer) to KYA (Know Your Activity)—reflects a fundamental restructuring of payment risk architecture. The thesis is straightforward: in a world where artificial intelligence can process dozens of behavioral signals in milliseconds, the static snapshot of who a customer is matters far less than the continuous, real-time assessment of what they are actually doing.
This is not merely a semantic rebranding. It represents a shift in the locus of control in the payment ecosystem. For decades, compliance teams operated as gatekeepers at the door—admit or deny entry based on background and documentation. Transaction monitoring came later, as a secondary check. Under the KYA model, transaction monitoring becomes the primary control surface. Every millisecond of activity becomes data; every data point becomes an input signal for algorithmic risk assessment.
The implications for the broader payments infrastructure are profound. Card issuing platforms, Banking-as-a-Service providers, and embedded finance rails now face a technical and operational imperative to instrument their transaction flows with continuous behavioral analytics. Static KYC data—name, address, occupation, source of funds declaration—no longer suffices as the basis for ongoing approval decisions. Instead, issuers and acquirers must wire real-time activity feeds into machine learning models that can recognize patterns, anomalies, and contextual behavioral shifts in the moment.
Regulatory authorities have already begun signaling this expectation. The European Banking Authority's guidance on AI and machine learning in financial services, and the Financial Conduct Authority's ongoing monitoring of algorithmic decision-making, reflect a growing consensus that static compliance checks are insufficient. Fintechs and traditional banks alike are caught between competing pressures: tighten KYC documentation (a Sisyphean task in the age of synthetic identity fraud) or accept the regulatory inevitability of behavioral monitoring as the primary control.
The economic incentive cuts both ways. On one side, faster, more accurate risk detection means fewer false positives—customers wrongly declined or blocked—and lower fraud losses. On the other, it demands substantial capital investment in data infrastructure, model training, and ongoing validation. A mid-sized payment processor or card issuer cannot simply flip a switch to KYA. They must rebuild their transaction monitoring stacks from the ground up, integrate multiple data sources, maintain explainability for regulatory audits, and manage the model drift that inevitably accompanies algorithmic decision-making at scale.
For BaaS operators and embedded finance platforms, the KYA shift creates both opportunity and obligation. Those with existing transaction intelligence capabilities can layer behavioral analytics as a competitive differentiator. Those without will face pressure to acquire or partner. The fragmented landscape of smaller BaaS providers—already burdened by proportionality requirements under PSD2 and equivalent regimes—faces the prospect of yet another capital-intensive infrastructure modernization.
What Mastercard is articulating, in effect, is that the future of payments compliance is not a document-checking operation grafted onto a transaction-processing engine. It is an integrated, continuous risk assessment machine in which every transaction generates new information about customer behavior, and every millisecond of latency represents a potential gap in detection. The customer profile does not disappear; it becomes a baseline. The transaction itself becomes the primary signal.
Regulators and financial crime specialists should welcome this shift. KYC, as historically practiced, is retrospective—it catches what customers said about themselves at onboarding, then hopes transaction monitoring catches what they actually do. KYA inverts that logic: it makes actual behavior the governing signal, and lets the customer's stated identity serve as context rather than command. For fraud and money laundering detection, this is an enormous step forward.
The question now is execution. Can payment networks, card issuers, and processors deploy the data infrastructure, model governance, and audit trails necessary to make KYA operational at scale without creating a panopticon of transaction surveillance that erodes legitimate privacy expectations? Can regulators establish clear standards for what constitutes explainable, auditable behavioral risk assessment? And can smaller players in the ecosystem—the independent fintech innovators and regional payment processors—afford the infrastructure cost of entry to this new regime?
The industry is unlikely to wait for perfect answers. Mastercard's public statement will be read as permission and as pressure. Larger networks have the capital and data science teams to move fast. Smaller operators will consolidate or depend on infrastructure partners. The regulatory window for KYC as the primary compliance signal is closing.
Written by the Codego Press editor — independent banking and fintech journalism powered by Codego, European banking infrastructure provider since 2012.
Sources: PYMNTS — Mastercard Sees Data Moving Payments From KYC to KYA · 1 May 2026