Channel is the largest single driver of both the CIP/CDD feature set and the regulatory control inventory — a corporate onboarding with a 5-tier UBO chain touches fundamentally different data sources and regulations than a retail digital applicant. Most agentic KYC programs underestimate how different the document, data, and verification primitives are across channels, and end up rebuilding the agent for each channel. Inventory every channel up front, including ones product is planning to add in the next 12 months, or the agent tooling will not transfer.

FATF Recommendation 10 and the FinCEN CDD Rule both expect a risk-based approach — not a uniform treatment — and examiners increasingly test that CDD depth actually varies with risk tier rather than being a paper distinction. The agentic layer must encode the tier-to-tooling mapping explicitly: which data sources, which verification depth, which escalation gates. A uniform-depth agent is a regulatory finding waiting to happen once an EDD case slips through as standard CDD.

EDD triggers are where most agentic KYC programs either over- or under-fire. Under-firing means PEPs and high-risk geographies slip through as standard CDD — an examination finding and a material AML risk. Over-firing means the EDD queue balloons with false positives and the human review team becomes the actual bottleneck, defeating the agent. FATF R.12 on PEPs and R.19 on higher-risk countries expect these triggers to be explicit and documented; the agent's trigger logic must match the written CDD policy exactly.

The FinCEN CDD Rule (31 CFR 1020.230) sets the baseline at 25% ownership plus a separate control prong — and the AML Act 2020 / Corporate Transparency Act layered on BOI reporting to FinCEN that reshapes the institutional BO picture (though CTA enforcement has been subject to litigation and a Treasury policy pivot in 2025 reducing domestic reporting scope for US companies). EU AMLD 5 and AMLD 6 align at 25% but give member states discretion to lower it in higher-risk sectors. The agent must encode the right threshold per jurisdiction and per customer type, and must unwind ownership through at least the intermediate legal entities — stopping at the first legal-entity layer is the most common UBO failure mode.

The EU AI Act treats AML/KYC decisioning as high-risk AI with Article 12 logging obligations taking full force in August 2026, and penalties of €15M or 3% of global revenue. Beyond compliance, the autonomy envelope is the single biggest lever on both ROI and regulatory defensibility: too narrow and the agent delivers no throughput gain; too wide and the institution is defending autonomous approvals of cases that turn out to be PEPs or sanctions adjacencies. The envelope should be defined in writing and encoded as explicit guardrails in the agent — not implicit in prompt wording.

The FinCEN CDD Rule made ongoing monitoring an explicit fifth pillar of the AML program, and FATF R.10 requires ongoing DD including scrutiny of transactions to ensure consistency with the customer profile. Perpetual KYC — where sanctions, adverse media, and BO changes trigger reviews in real time — is rapidly becoming the expected operating model, and is where agentic architectures have the largest efficiency advantage over manual periodic refresh. Scoping this in at the start determines whether the agent needs event-driven triggers and persistent case state, or only one-shot onboarding orchestration.

Goldman Sachs reduced onboarding time by 30% through agentic CDD, and institutions targeting same-day retail onboarding are seeing meaningful revenue uplift from reduced applicant abandonment. But the SLA must be set against the depth-of-DD policy — a 30-minute target is incompatible with a real UBO unwind on a corporate applicant, and the right answer is tiered targets per customer type. A single uniform SLA will force the agent to short-cut either speed or depth, and neither is defensible.