Lesson 07 of 9
Ongoing Monitoring & Periodic Review
4 min read · KYC Analyst
KYC doesn't end at onboarding. You'll learn risk-based refresh cycles, the trigger events that force an event-driven review, and how perpetual KYC (pKYC) is shifting the role from calendar-driven to continuous, data-driven monitoring.
KYC is not a one-time event
- Onboarding is the start, not the finish
- A file true at onboarding can drift dangerously stale
- The CDD Rule requires ongoing monitoring (31 CFR 1010.230)
A common beginner mistake is thinking KYC ends when the account opens. It doesn't. FinCEN's CDD Rule made ongoing monitoring an explicit fifth pillar, and 31 CFR 1010.230 requires institutions to conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious activity. FATF Recommendation 10 says the same: due diligence is continuous. The reason is simple — a customer who was low risk at onboarding might start a cash-intensive business, take public office, move to a sanctioned country, or get arrested.
The file you built captures a moment; ongoing monitoring keeps it true over time.
Two engines: monitoring and review
- Transaction monitoring — watches behavior in near-real time
- KYC review / refresh — re-confirms the profile periodically
- Together they keep both behavior AND identity current
Ongoing monitoring really has two engines, and you should keep them straight. The first is transaction monitoring: systems that watch account behavior, more or less in real time, and alert when activity deviates from the expected profile you established at onboarding. The second is the KYC review, also called the refresh — a periodic re-examination of the customer's profile itself: are the documents still valid? Has the ownership changed? Is the risk rating still right? Do the screening results still hold?
Transaction monitoring asks 'is the behavior normal?' The KYC refresh asks 'is what we know about this customer still accurate?' You need both.
A subtle but important point: these two engines should talk to each other. A transaction-monitoring alert can trigger a KYC refresh, and a refresh that uncovers new risk can tighten monitoring. They're a loop, not two silos.
Risk-based refresh cycles
- High risk — review roughly annually
- Medium risk — often every 2–3 years
- Low risk — every 3–5 years (institution-defined)
- Cycles are policy choices, not fixed law — driven by risk
How often do you refresh? On a risk-based cycle, consistent with FATF Recommendation 1. A common industry pattern — and I'll stress these are typical policy choices, not numbers fixed in the regulation — is to review high-risk customers about once a year, medium-risk customers every two to three years, and low-risk customers every three to five.
The higher the risk, the shorter the cycle. Each institution sets its own periods in policy and must apply them consistently. As an analyst, periodic reviews will be a large share of your queue: pulling the file, re-verifying what's stale, re-screening, and re-rating.
The exam-style point to remember is that the driver is risk, not the calendar alone.
Trigger events: event-driven review
- A material change forces a review off-cycle
- Examples: new adverse media, PEP status, ownership change
- Also: sanctions list update, unusual activity alert, address to high-risk country
- Event-driven review beats waiting for the next scheduled date
You don't always wait for the scheduled date. An event-driven review is triggered the moment something material changes. Classic triggers: fresh adverse media on the customer or an owner; the customer or a relative becoming a PEP; a change in beneficial ownership; a hit on a newly updated sanctions list; a transaction-monitoring alert that suggests the profile has shifted; or the customer moving funds or address to a higher-risk jurisdiction.
When a trigger fires, you review now — not in three years. Event-driven review is what closes the gap between scheduled cycles, and it's where a lot of real risk actually gets caught.
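To make the two rules from the refresh-cycle and trigger-event sections concrete, here is an added example (not part of the lesson) that decides whether a customer file is due for review. The cycle table uses the lecture's typical figures as an assumed policy, and the trigger-event names, field names and customer records are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Refresh cycle per risk rating. These are the lecture's "typical" figures,
# used here as an assumed policy table; each institution fixes its own.
REFRESH_CYCLE_DAYS = {"high": 365, "medium": 3 * 365, "low": 5 * 365}

# Material changes that force an off-cycle review regardless of the calendar.
TRIGGER_EVENTS = {
    "adverse_media", "pep_status", "ownership_change",
    "sanctions_list_hit", "tm_alert", "high_risk_jurisdiction",
}

@dataclass
class Customer:
    customer_id: str
    risk_rating: str          # "high" | "medium" | "low"
    last_review: date
    events: list = field(default_factory=list)  # (event_type, event_date)

def next_scheduled_review(c: Customer) -> date:
    return c.last_review + timedelta(days=REFRESH_CYCLE_DAYS[c.risk_rating])

def pending_triggers(c: Customer) -> list:
    # Only material events newer than the last completed review count.
    return sorted({e for e, d in c.events if e in TRIGGER_EVENTS and d > c.last_review})

def review_decision(c: Customer, today: date) -> tuple:
    """Return (review_needed, reason). Triggers beat the calendar:
    a trigger means 'review now', not 'wait for the scheduled date'."""
    triggers = pending_triggers(c)
    if triggers:
        return True, "event-driven: " + ", ".join(triggers)
    if next_scheduled_review(c) <= today:
        return True, f"scheduled: {c.risk_rating}-risk cycle elapsed"
    return False, "no review due"

def complete_review(c: Customer, new_rating: str, today: date) -> date:
    """Close the review: re-rate, reset the clock, clear handled events.
    Raising the rating shortens the next cycle (the refresh/monitoring loop)."""
    c.risk_rating, c.last_review, c.events = new_rating, today, []
    return next_scheduled_review(c)
```

A transaction-monitoring alert enters as a `tm_alert` event, which is how the monitoring engine feeds the refresh engine in this model.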
Toward perpetual KYC (pKYC)
- pKYC — continuous, data-driven monitoring replaces fixed cycles
- Reviews triggered by real-time changes in customer data
- Reduces stale files and analyst busywork on low-risk cases
- Still requires human judgment on the alerts it raises
The industry is moving from fixed cycles toward perpetual KYC, usually abbreviated pKYC. Instead of waiting years for a scheduled refresh, perpetual KYC continuously ingests data — screening updates, registry changes, transaction signals, adverse media — and triggers a review the instant something relevant changes. Done well, it means files are never badly out of date, and analysts spend less time mechanically re-papering low-risk customers who haven't changed at all.
But be clear-eyed: perpetual KYC doesn't remove the analyst. It changes your work from calendar-driven to alert-driven, and a human still has to judge what each triggered alert actually means. The technology surfaces change; you still decide what it's worth.
So treat perpetual KYC as an amplifier of your judgment, not a replacement for it — the better the data, the more your reasoning matters.
Recap
- Ongoing monitoring is a required pillar (31 CFR 1010.230)
- Two engines: transaction monitoring + KYC refresh
- Risk-based cycles, plus event-driven reviews on triggers
- pKYC moves from calendar to continuous. Next: exit and escalation
Let's recap. KYC is continuous: ongoing monitoring is a required pillar under FinCEN's CDD Rule, run by two engines — transaction monitoring of behavior and periodic KYC refresh of the profile. Refresh cycles are risk-based, and material trigger events force event-driven reviews off-cycle.
The frontier is perpetual KYC, which trades fixed calendars for continuous, data-driven review while still leaning on your judgment. Sometimes, though, monitoring reveals that a relationship can't continue. What you do then — offboarding, escalation, and the rules around reporting — is the subject of lecture eight.
Test yourself first, then meet me there. In short, the file is a living document — your job is to keep it honest as the customer's world changes around it.
Sources
- 31 CFR 1010.230(b)(5) (FinCEN CDD Rule — ongoing monitoring / updating customer information)
- FATF Recommendation 10 (ongoing due diligence)
- FFIEC BSA/AML Examination Manual (CDD — ongoing monitoring)
- FATF Recommendation 1 (risk-based approach)