Why regulators care less about being right and more about knowing why you're wrong

Once confined to biometric accuracy discussions, False Accept Rate (FAR) and False Reject Rate (FRR) have quietly become some of the most consequential metrics in digital onboarding and KYC. They now describe a broader reality: how often automated onboarding decisions get it wrong, and in which direction.

In the UK and European regulatory context, FAR and FRR are no longer technical footnotes. They sit at the intersection of financial crime prevention, customer fairness, growth strategy, and operational resilience – concerns that the FCA has elevated through Consumer Duty, whilst European supervisors including BaFin, the ACPR, and the EBA have reinforced through enhanced AML frameworks and the Digital Operational Resilience Act (DORA). In onboarding and KYC, FAR represents customers who should never have entered the system: impersonators, synthetic identities, sanctioned individuals, or money mules. FRR, by contrast, represents legitimate customers who are incorrectly rejected, delayed, or pushed into abandonment.

These errors are not equal. A false accept at onboarding creates persistent AML and supervisory risk that is costly to remediate, particularly as UK Finance and the European Banking Federation continue to report significant fraud losses linked to account misuse and identity fraud across the sector. A false reject primarily creates growth, conduct, and inclusion risk, but one that regulators increasingly scrutinise in fully digital channels. In the UK this happens through the lens of Consumer Duty’s customer outcomes, and across Europe through evolving consumer protection frameworks.

Digital-only retail banks tend to face a more acute FAR/FRR trade-off than large, multi-channel banks. Reliance on remote onboarding as the primary customer entry point, combined with rapid account activation and cross-border functionality, increases both exposure to organised fraud and the cost of false acceptances.

In response, digital banks often operate with stricter onboarding thresholds and a higher tolerance for false rejections, particularly during growth phases. Large, multi-channel banks, supported by legacy customer data, diversified customer touchpoints, and established remediation processes, can absorb greater levels of digital friction, even as regulatory expectations across institution types continue to converge.

**What Regulators Actually Want to See**

UK and European supervisors do not prescribe acceptable FAR or FRR levels. Instead, they look for evidence that institutions understand the trade-off they are making, govern onboarding thresholds deliberately, monitor errors and drift over time, retain accountability when decisions are automated or outsourced, and can explain how customer harm is identified and mitigated. In this context, FAR and FRR function as supporting evidence, not optimisation goals.

In the European context, this accountability principle is particularly pronounced. The EBA has consistently reinforced through its AML/CFT risk factor guidelines that institutions cannot delegate their responsibility for customer due diligence, even when using automated systems or third-party providers. DORA further crystallises this through its ICT third-party risk management framework, requiring financial entities to maintain full oversight and control over critical operational functions – including identity verification and onboarding – regardless of outsourcing arrangements. National supervisors including BaFin and the ACPR have similarly emphasised in supervisory communications that algorithmic decision-making in AML and onboarding must remain fully governed, explainable, and subject to human oversight, with institutions required to demonstrate continuous monitoring of automated system performance and error rates.

Mature institutions explicitly connect onboarding FAR and FRR to their Risk Appetite Framework. This means establishing low tolerance for onboarding errors linked to serious financial crime, whilst defining acceptable levels of rejection, abandonment, and manual review. It requires clear rules for overrides and compensating controls, alongside board-level visibility into trade-offs made. Institutions that articulate these choices clearly – whether regulated by the FCA, BaFin, De Nederlandsche Bank, or other national competent authorities – tend to have far smoother regulatory conversations than those that treat FAR and FRR as purely technical artefacts.

FAR and FRR in onboarding are not about finding the “right” number. They are about making defensible choices and being able to explain them to regulators, boards, and customers alike.
