A smarter alternative to the Customer Due Diligence refresh: Moving beyond tick-box AML

Charles McGillivray
Manager, Asset Management

For years, financial crime compliance has followed a familiar rhythm. A customer is onboarded. A risk rating is assigned. A file is reviewed every 12, 24, or 36 months, depending on whether they’re high, medium, or low risk. The box gets ticked. The cycle repeats.

This approach, commonly referred to as ongoing Customer Due Diligence (CDD), has been the backbone of AML compliance frameworks across the financial services industry. It answers a regulatory requirement, but often fails to address the underlying risk management challenge. It is increasingly being recognised for what it is: a structured process built for a slower, less mature AML world, designed to assess risk-based data at a single snapshot in time.

Thankfully, this rigid model is starting to break. Firms are evolving towards a new standard: “Perpetual KYC”, also called Continuous KYC – a smarter, event-driven, always-on approach to customer due diligence. As firms and the industry have matured and embraced their risk assessments, they have started to understand the risks that are impacting their clients and ultimately the firm. Instead of refreshing customer data on a fixed schedule, firms monitor customer risk continuously and update due diligence when something meaningful actually changes.

It is a relatively new approach that presents an opportunity for Senior Management to set the tone and culture for addressing this ever-present risk.

Why evolve the traditional CDD model?

Client risk associated with financial crime is a constant and continually evolving threat. Regulatory expectations, including those set out in the UK National Risk Assessment, emphasise the importance of a risk-based approach. That approach is about getting the most out of what firms are already doing and reducing ineffective tick-box exercises.

When reviews are driven by calendar deadlines, teams naturally focus on completion rather than insight, and the goal becomes clearing review backlogs rather than understanding the customer. That leads to repeated work, duplicated checks, and compliance fatigue.

In contrast, a perpetual approach embeds risk assessment into BAU activity. For example, when a client manager meets their client for a catch-up, they learn what has changed since the last meeting. By simply considering whether that information affects their understanding of the client, they are in effect reviewing the client’s risk. By capturing this, firms will have a far more live and up-to-date understanding of the client’s risk.

Similarly, when a client gets in contact to change the data the firm holds, such as an address, the change itself is a trigger to reassess its risk impact.

This is a solution for firms of all sizes. However, it is not yet fully understood across the industry.

What is Perpetual KYC?

Ultimately, Perpetual KYC moves CDD from a static file stored in a case management system to a living risk profile: continuously refreshed, dynamically scored, and aligned with the customer’s real-world risk. This approach typically combines:

  • Ongoing monitoring.
  • Trigger-based review workflows.
  • Dynamic risk scoring.
  • Clear governance and audit trails.

How the Perpetual KYC model works:

Perpetual KYC typically relies on a combination of automation, monitoring, and dynamic risk scoring. Common triggers include:

  • A customer becomes a PEP.
  • A beneficial owner changes.
  • New adverse media appears.
  • Sanctions or watchlist hits emerge.
  • Corporate structure changes.
  • Address / jurisdiction changes.
  • Transaction patterns shift materially.
  • Financial behaviour diverges from the expected profile.

When these triggers fire, the system/process flags the customer for review – and risk scores are updated. This enables firms to apply enhanced due diligence when it actually matters. However, this does not need to be a solution limited to firms with the resources to implement bespoke systems. With appropriate levels of record keeping and data management, this solution can be implemented within any firm across the industry.
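The trigger-and-rescore loop described above, as an added illustration that is not part of the original post: each event is recorded with its weight and the resulting score (the documented trigger that later justifies the review), and an event arriving while a review is already open is attached to it rather than raising a second alert. The trigger weights, thresholds and the customer record are constructed assumptions for this example, not fscom’s or any firm’s real scoring model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Illustrative trigger weights (an assumption for this example, not a firm's real model);
# they mirror the trigger list above, with a sanctions hit always reaching the EDD line.
TRIGGER_WEIGHTS = {
    "sanctions_hit": 100, "pep_status": 40, "jurisdiction_change": 30,
    "adverse_media": 25, "beneficial_owner_change": 20,
    "transaction_pattern_shift": 20, "address_change": 5,
}
REVIEW_THRESHOLD = 25   # cumulative score that opens a standard review
EDD_THRESHOLD = 50      # cumulative score that requires enhanced due diligence
LEVEL_RANK = {None: 0, "standard": 1, "edd": 2}


@dataclass
class Customer:
    customer_id: str
    score: int                              # dynamic risk score
    review_level: Optional[str] = None      # None, "standard" or "edd" while a review is open
    audit_log: list = field(default_factory=list)


def apply_trigger(customer: Customer, trigger: str, detail: str, when: str) -> str:
    """Re-score one customer on one event and return the action taken.
    Every event is written to the audit log with its weight and resulting score,
    so the reason a review was opened is documented rather than inferred."""
    weight = TRIGGER_WEIGHTS[trigger]   # an unknown trigger name raises instead of being dropped
    customer.score += weight
    wanted = ("edd" if customer.score >= EDD_THRESHOLD
              else "standard" if customer.score >= REVIEW_THRESHOLD else None)
    if wanted is None:
        action = "logged"                  # below threshold: kept in the trail, no alert
    elif LEVEL_RANK[wanted] > LEVEL_RANK[customer.review_level]:
        action = f"open_{wanted}_review"   # new alert, or escalation of the open review
        customer.review_level = wanted
    else:
        action = "attached_to_open_review" # no second alert for the same customer
    customer.audit_log.append({"when": when, "trigger": trigger, "detail": detail,
                               "weight": weight, "score": customer.score, "action": action})
    return action


def close_review(customer: Customer, outcome: str, when: str, new_score: int) -> None:
    """Reviewer records the outcome and re-bases the score; the trail is retained."""
    customer.audit_log.append({"when": when, "trigger": "review_closed", "detail": outcome,
                               "weight": 0, "score": new_score, "action": "closed"})
    customer.score, customer.review_level = new_score, None
```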

The benefits of a Perpetual KYC approach:

  1. Risk does not wait for your review date: Continuous monitoring enables earlier detection of emerging threats.
  2. Resources are allocated more efficiently: Effort is directed towards higher-risk customers rather than evenly distributed across a fixed cycle.
  3. Stronger audit trail and rationale: Reviews are conducted because of a documented trigger, not simply because of elapsed time.
  4. Improved client experience: Firms can clearly explain why information or documentation is required, linking requests to specific changes rather than generic policy.
  5. A cultural shift towards risk ownership: Compliance teams move from review schedulers to active risk managers.

What are the challenges?

Despite the benefits, Perpetual KYC is not without complexity. Done poorly, it can create new issues:

  • Alert overload.
  • Data quality issues.
  • Governance and threshold design challenges.

A mindset shift for mature AML frameworks

The move to Perpetual KYC is more than an operational upgrade – it represents a mindset shift.

Instead of asking “Is this customer due a review?” firms begin asking, “Has this customer changed in a way that matters?” That is a more risk-intelligent approach – and one increasingly adopted across the industry.

Perpetual KYC will not replace human judgement. Rather, it ensures that human judgement is applied where it adds the most value. The firms that get this right won’t just reduce compliance burden, they will build more mature risk frameworks, respond faster to threats, and create more resilient AML frameworks.

Modern risk doesn’t operate on a timetable; neither should CDD.

How fscom can help

fscom supports firms in designing and implementing proportionate, risk-based AML frameworks, including transitions from fixed CDD refresh cycles to Perpetual KYC models.

If you would like to assess the maturity of your AML framework or explore whether a perpetual model is appropriate for your business, our team would be happy to discuss this further.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
