Source: https://cli.nylas.com/guides/kyc-document-collection-agent

# Build a KYC Document-Collection Agent

An AI agent on a dedicated inbox requests KYC documents, reads each upload, chases what's missing, and routes the complete files to your compliance team.

Written by [Prem Keshari](https://cli.nylas.com/authors/prem-keshari) Senior SRE

Updated June 14, 2026

> **TL;DR:** A KYC agent on a dedicated `kyc@` inbox emails the document request, reads each upload with `nylas email attachments download`, checks it against the required checklist, chases anything missing, and routes the complete file to compliance. A human makes the identity decision — the agent only collects and tracks.

## What is a KYC document-collection agent?

A KYC document-collection agent is a dedicated intake inbox that gathers the identity documents a new customer must submit, tracks which are still outstanding, and routes the complete set to a compliance reviewer. It handles the slow back-and-forth of collection while a human makes every verification decision.

KYC collection flow: request documents, read each upload, check it against the required checklist, then route the complete file to complianceRequestemail sendRead uploadsattachmentsCheck completevs checklistRoutecompliance

The customer-due-diligence requirements it supports come from rules like the [FinCEN CDD rule (31 CFR 1010.230)](https://www.ecfr.gov/current/title-31/section-1010.230). Collection is the part worth automating because it stalls. An applicant sends a passport but forgets proof of address, a scan is unreadable, an email sits unopened for days — and onboarding drags from minutes into a week. The agent reads each upload the moment it lands and chases the gap the same hour, so a file that used to take 5 days to complete closes in 1.

## Why run KYC collection on an agent account?

Identity documents should land in their own inbox, never a shared support queue where sensitive scans mix with unrelated mail. On an agent account, `kyc@yourcompany.nylas.email` is the single channel for every submission, each carrying a clean timestamp and audit trail. You can run up to 5 such inboxes on the free tier, one per product or region.

A dedicated inbox also enforces data minimization. The [GDPR (Article 5)](https://gdpr-info.eu/art-5-gdpr/) requires collecting only the personal data a purpose needs, and a single-purpose KYC inbox makes that boundary concrete: the agent sees identity documents and nothing else, so there's no wider mailbox of personal data to over-collect or leak.

## How does the agent request and read documents?

The agent sends the request, then reads whatever comes back. The `nylas email send` command delivers the document checklist from the KYC inbox, and `nylas email attachments download` pulls each uploaded file off the reply. A model then classifies each file by type — passport, utility bill, proof of address — in 1 to 2 seconds.

```bash
# Find replies that carry uploaded documents, then download them
nylas email search "*" --has-attachment --unread --json
nylas email attachments list msg_abc123 --json
nylas email attachments download att_x1y2z3 msg_abc123 --output ./kyc/
```

Treat the classification as a sorting step, not a verification. The model labels a file “passport” so the agent can tick it off the checklist, but whether that passport is genuine and matches the applicant is a decision a compliance officer makes — never the agent.

## How does it chase missing documents?

The agent keeps a per-applicant checklist and compares what's arrived against what's required. When a submission is incomplete, it sends one targeted reminder naming exactly the missing items rather than a generic “please complete your application.” Specific reminders close gaps faster, and the agent re-checks the list every time a new reply lands.

```bash
# Email the applicant the exact items still outstanding
nylas email send \
  --to applicant@example.com \
  --subject "One document left for verification" \
  --body "We have your passport. We still need a proof of address dated within 90 days."
```

Drive the checklist from your own store, not the agent's memory, so a restart never loses track of who still owes what. When every required item is present and readable, the agent flips the file to complete and routes it on — typically after 1 or 2 reminder cycles.

## How do you keep document handling safe?

An uploaded document is untrusted content: a PDF can carry text crafted to steer the model, the [prompt-injection risk (OWASP LLM01)](https://genai.owasp.org/llmrisk/llm01-prompt-injection/) ranks #1 in the OWASP LLM Top 10 (2025). Run collection on an agent account so the model reading the file has no other mailbox in scope, and treat every classification as data to check, never a command to obey.

The agent also has no power to approve an identity, by design. It collects, classifies, and routes; a human verifies and decides. That boundary matters most here — an agent that could approve KYC could be talked into clearing a fraudster by a crafted document, so that capability simply does not exist in its tool set.

## Next steps

- [Extract Attachment Data With an AI Agent](https://cli.nylas.com/guides/agent-attachment-data-extraction) — pull structured fields out of each uploaded document
- [Build a GDPR Data-Request Agent](https://cli.nylas.com/guides/gdpr-data-request-agent) — handle access and deletion requests for the data you collect here
- [Getting Started with Agent Accounts](https://cli.nylas.com/guides/getting-started-agent-accounts) — the workspace model behind the KYC inbox
- [Stop Your AI Agent From Going Rogue](https://cli.nylas.com/guides/stop-ai-agent-going-rogue) — why the agent has no tool to approve an identity
- [Full command reference](https://cli.nylas.com/docs/commands) — every `nylas email` subcommand and flag

## Try Nylas CLI

Install the CLI with `curl -fsSL https://cli.nylas.com/install.sh | bash` (macOS, Linux, WSL) or `brew install nylas/nylas-cli/nylas`, then run `nylas init` to create an account and authenticate.

**Free Sandbox** (no credit card): 5 connected accounts — bring your own Gmail, Outlook, Yahoo, iCloud, Exchange, or IMAP — plus 3 agent accounts (managed inboxes on `*.nylas.email`). Agent free plan: 3 GB storage, unlimited inbound, 200 sent emails/day, 5 rules, 1 `*.nylas.email` subdomain, and unlimited custom domains. Production is uncapped and requires a credit card: https://www.nylas.com/pricing/