
Perpetual KYC: Continuous Customer Monitoring Guide 2026

Perpetual KYC (pKYC) replaces periodic reviews with real-time risk monitoring. Understand UK FCA requirements, AMLD6 obligations, and how to implement continuous due diligence.

CheckFile Team

Perpetual KYC (pKYC) means exactly what it says: customer due diligence that never stops. Rather than verifying a client's identity at onboarding and then scheduling a review every one to three years, financial institutions using pKYC monitor customer risk profiles in near real-time, updating them whenever material changes occur. This shift is driven by regulatory expectations under the EU AMLD6 (Directive 2024/1640), the AMLR Regulation (2024/1624), and the UK's Financial Conduct Authority (FCA) guidance on ongoing monitoring.

This article is provided for informational purposes and does not constitute legal or regulatory advice. Regulatory references reflect the position as of 24 May 2026. Consult a qualified professional for advice specific to your organisation.

Why periodic KYC is no longer sufficient

Periodic KYC reviews — annually for high-risk clients, every three years for standard-risk clients — carry a fundamental flaw: a customer's circumstances can change significantly between reviews without the institution being aware. A client who passes initial due diligence can be added to a sanctions list the following week, change their beneficial ownership structure, or begin operating in a high-risk jurisdiction. Under a purely periodic model, the institution may remain unaware for months.

The Financial Action Task Force (FATF) Recommendations (revised 2023) are unambiguous: Recommendation 10 requires financial institutions to apply ongoing due diligence to the business relationship throughout its duration, not merely at onboarding. The word "ongoing" has a specific technical meaning: it is not satisfied by infrequent periodic reviews alone.

Compliance professionals on forums such as r/compliance frequently ask: "What actually triggers a mandatory KYC review outside the periodic cycle?" The answer has become clearer with the AMLR: any material change in a customer's risk profile — a new sanctions listing, a change of beneficial owner, a flagged transaction pattern — must trigger immediate re-assessment.

According to the ACFE 2024 Report to the Nations, manual periodic checks detect only 37% of fraud cases on average, with a median detection delay of 87 days. Continuous monitoring substantially compresses that delay.

Periodic vs. perpetual KYC: a direct comparison

| Dimension | Periodic KYC | Perpetual KYC (pKYC) |
| --- | --- | --- |
| Review trigger | Fixed calendar | Event-driven + calendar minimum |
| Detection lag | 12–36 months | Days to hours |
| Operational pattern | Batch processing spikes | Continuous automated flow |
| Client friction | Repeated full document requests | Targeted updates only when needed |
| Regulatory coverage | Gap risk between cycles | Continuous |
| Cost structure | High peaks, underutilisation between | Stable, predictable |

Regulatory framework: FCA, AMLD6, and AMLR requirements for ongoing monitoring

Article 21 of AMLR (2024/1624), directly applicable across all EU member states from July 2027, requires ongoing monitoring of all business relationships — not as an option but as a binding obligation. (EUR-Lex AMLR)

In the UK, the Money Laundering Regulations 2017 (MLR 2017), Regulation 28 already requires ongoing monitoring of business relationships and the periodic updating of customer due diligence records. The FCA has consistently emphasised in its Dear CEO letters and supervisory notices that "ongoing" means exactly that: static risk assessments that are not updated in response to new information fail to meet the standard.

Key regulatory triggers for a mandatory KYC review in the UK:

  • The institution becomes aware of a material change in the customer's circumstances.
  • The customer appears on a new sanctions listing (OFSI, UN, EU).
  • Transactional behaviour deviates significantly from the established profile.
  • A Suspicious Activity Report (SAR) is filed relating to the customer.
  • A new beneficial owner is identified or declared.

For a broader overview of AML obligations, see our complete KYC guide for businesses and our AMLD6 compliance guide for obliged entities.

The four pillars of an effective pKYC programme

1. Event-driven trigger management

The core of pKYC is replacing the calendar with events. When something materially changes — in the client's own data, in external registries, in sanctions databases, or in transactional behaviour — the system triggers a targeted review. This event-driven logic avoids both the gap risk of purely periodic review and the operational overload of re-verifying every client simultaneously.

Common triggers include: new sanctions list entry (OFSI, UN, EU, OFAC), change in the beneficial ownership register (Companies House), adverse media alert, unusual transaction flagged by monitoring systems, and expiry of key verification documents.

2. Continuous sanctions and PEP screening

Sanctions lists are updated multiple times per week. A client who was clean at onboarding may appear on a list the following day. Continuous screening — ideally near real-time — against OFSI, UN, and EU consolidated lists is no longer a best practice but a regulatory expectation.

The European Banking Authority's guidelines on AML/CTF risk management explicitly require that screening covers not only the direct customer but also their beneficial owners, authorised signatories, and significant counterparties.

Politically Exposed Persons (PEPs) require enhanced ongoing due diligence: under AMLD6, PEP status must be re-assessed at least every six months, and any change in political exposure — appointment, resignation, or the expiry of the 12-month post-exit period — must trigger a risk re-evaluation.

3. Transaction monitoring and behavioural analytics

Transaction monitoring detects the gap between what a client was expected to do and what they actually do. A business declared as a low-volume import trader suddenly processing high-frequency international wire transfers represents a profile deviation requiring investigation — regardless of when the last periodic review occurred.

Modern pKYC platforms integrate transaction monitoring as a data source feeding the overall risk score, rather than operating it as a separate silo. Alerts from transaction monitoring automatically queue the affected customer for a profile review.

4. Intelligent document orchestration

When an event triggers a mandatory update, a well-designed pKYC system requests only the specific documents needed — not a complete re-verification package. This reduces client friction significantly and focuses human review on genuine risk events.

CheckFile's platform covers over 3,200 document types across 32 jurisdictions, enabling continuous verification in complex cross-border contexts. For technical integration details, see our document validation API guide.

Implementing pKYC: a practical roadmap

Step 1: Segment your customer portfolio by risk tier

Before deploying continuous monitoring, classify your portfolio: high risk (PEPs, customers in high-risk jurisdictions, complex corporate structures), standard risk, and simplified risk (where applicable). Monitoring intensity, alert thresholds, and residual review frequency all vary by tier.

Step 2: Connect external data feeds

A pKYC system is only as good as its data inputs. Connect to: sanctions databases (OFSI, UN, EU, OFAC), beneficial ownership registries (Companies House), adverse media feeds, and internal transaction monitoring outputs. Automating these connections eliminates manual batch runs and provides the real-time or near-real-time awareness that regulators expect.

Step 3: Define escalation and documentation standards

Every alert generated, every decision taken, and every document update must be logged with a timestamp and rationale. The FCA expects firms to demonstrate that their ongoing monitoring is systematic, risk-proportionate, and fully auditable. Paper trails are not optional; they are the primary evidence in a supervisory review.

Step 4: Train your compliance team

Automated systems detect events and queue them for review; human judgment determines appropriate action. Compliance teams must understand what constitutes a material change, when to escalate to a Nominated Officer, and how to document decisions in a way that survives regulatory scrutiny.
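
The event-driven flow from the pillars and roadmap above, as an added example that is not CheckFile's code: a monitoring event becomes a targeted document request, and each decision is logged with a timestamp and rationale. The event names, document names, queue names and the hash-chained log are assumptions made for illustration, and only the high and standard tiers are modelled; the annual and three-year review minima are the ones the article states.

```python
import hashlib
import json
from datetime import timedelta

# Assumed trigger map (illustrative): event type -> documents to request from the client.
TRIGGER_DOCS = {
    "sanctions_listing": [],  # analyst review only, no client contact
    "beneficial_owner_change": ["ownership_register_extract", "new_owner_id"],
    "transaction_deviation": ["source_of_funds_evidence"],
    "document_expiry": ["replacement_id_document"],
}
# Calendar minimum per risk tier, as stated in the article.
MAX_REVIEW_AGE = {"high": timedelta(days=365), "standard": timedelta(days=3 * 365)}


def append_audit(log, when, customer_id, decision, rationale):
    """Append a timestamped, hash-chained entry so later edits are detectable."""
    entry = {"ts": when.isoformat(), "customer": customer_id, "decision": decision,
             "rationale": rationale, "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)


def verify_chain(log):
    """Recompute every hash; False if any entry was altered or reordered."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True


def handle_event(customer, event_type, now, log):
    """Turn one monitoring event into a targeted review task and log the decision."""
    docs = TRIGGER_DOCS.get(event_type)
    if docs is None:  # unmapped feeds go to a human, never silently dropped
        queue, docs, why = "manual_triage", [], f"unmapped event type {event_type!r}"
    else:
        queue = "enhanced" if customer["tier"] == "high" else "standard"
        why = f"trigger: {event_type}"
    append_audit(log, now, customer["id"], f"review:{queue}", why)
    return {"customer": customer["id"], "documents": list(docs), "queue": queue}


def calendar_review_due(customer, now):
    """The periodic minimum still applies when no event has fired."""
    return now - customer["last_review"] >= MAX_REVIEW_AGE[customer["tier"]]
```

The chain detects edits to entries already written; it does not detect truncation of the newest entries, so the latest hash would need to be anchored somewhere the application cannot rewrite.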

Frequently Asked Questions

What is the difference between perpetual KYC and transaction monitoring?

Transaction monitoring analyses the transactions a customer makes — looking for unusual volumes, patterns, or counterparties. Perpetual KYC monitors the customer's identity, beneficial ownership, and sanctions status, independently of specific transactions. Both are required under the Money Laundering Regulations 2017 and are complementary, not alternatives.

Does pKYC replace periodic reviews entirely?

No. Minimum periodic review frequencies remain in force — annually for high-risk customers, every three years for standard-risk under AMLR. pKYC adds an event-driven layer on top of these minima, so that customers are reviewed whenever material changes occur rather than waiting for the next scheduled review.

Can pKYC data processing comply with UK GDPR?

Yes. Processing personal data for AML/CTF purposes has a clear legal basis under the UK Money Laundering Regulations 2017, which constitute a legal obligation under UK GDPR Article 6(1)(c). Data minimisation principles still apply: collect and process only the data necessary for the specific AML purpose, and retain it for the legally required period (typically five years from the end of the relationship).

What evidence does the FCA expect to see from a pKYC programme?

The FCA expects: documented risk-based policies explaining how trigger events are defined and escalated; complete audit logs of alerts, reviews, and decisions; evidence that alerts are resolved within defined timeframes; and training records showing that compliance staff understand the programme. In supervisory visits, inspectors typically request a sample of recent customer files to trace the decision trail from initial onboarding through ongoing review.


To build a complete compliance programme, see our document compliance guide and our compliance audit checklist. For pricing and platform details, visit CheckFile, explore our security architecture, or review our pricing plans.
