
How often should customer risk ratings be refreshed?

Quick answer

High-risk customers: annual refresh. Medium risk: every two to three years. Low risk: every three to five years. FATF Recommendation 10 and FinCEN's CDD Rule require ongoing monitoring calibrated to risk, but set no fixed intervals. Trigger events always require an immediate out-of-cycle review.

The full answer

No regulation specifies exact refresh intervals as hard statutory deadlines. FATF, FinCEN, and the FCA all require a risk-based approach: review frequency must be proportionate to the risk each customer presents. Industry practice has converged on three standard tiers.

Risk Tier      Scheduled Refresh Interval
High risk      Annually (some institutions use 6-month cycles for PEPs)
Medium risk    Every 24 to 36 months
Low risk       Every 36 to 60 months

FATF Recommendation 10 sets the principle: apply ongoing customer due diligence in proportion to risk. FinCEN's CDD Final Rule (effective May 2018) requires covered financial institutions to conduct ongoing monitoring on a risk basis and to maintain and update customer information accordingly. The FFIEC BSA/AML Examination Manual translates those obligations into the periodic review programs that examiners assess during audits.

These aren't arbitrary benchmarks. An institution that extends its high-risk review interval beyond 12 months needs a documented rationale. Without one, that gap becomes an exam finding.

Trigger-based reviews

Scheduled intervals only get you halfway there. Regulators also expect an out-of-cycle review whenever a material trigger event occurs:

  • A beneficial owner changes or the ownership structure shifts materially
  • The customer or a close associate becomes a politically exposed person
  • A SAR is filed on the customer (see how FinCEN defines suspicious activity for context on what crosses the threshold)
  • The customer's jurisdiction is added to the FATF grey list or FATF black list
  • Adverse media connects the customer to financial crime
  • Transaction patterns change materially: new products, unexplained volume spikes, new geographic counterparties
  • A sanctions screening alert, even a cleared one, that indicates elevated exposure

The FFIEC calls this "event-driven CDD." Enforcement actions consistently cite failures here: not simply a failure to run the annual cycle on time, but a failure to respond when the clock should have restarted.

The difference between CDD and EDD matters for refresh frequency: enhanced due diligence applies to high-risk relationships and typically requires more frequent reviews and a deeper documentation standard than standard CDD. A customer upgraded from standard to enhanced status is a trigger for an immediate review, not just a note for the next scheduled cycle.
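As an added illustration (not code from the original page), here is how the tier intervals in the table above and the trigger-event list could be combined into a single review-queue check for a portfolio: a material event dated after the last review forces an immediate review, and only otherwise does the calendar decide. The tier intervals take the lower bound of each range, the event codes are hypothetical labels for the page's trigger list, and the sample customers and evaluation date are constructed.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
# Scheduled refresh interval per tier, in months: the lower bound of each range the
# page gives (12 / 24-36 / 36-60). A real policy document sets its own values.
REFRESH_MONTHS = {"high": 12, "medium": 24, "low": 36}

# Material trigger events; the codes are hypothetical labels for the page's list.
TRIGGER_EVENTS = {"ubo_change", "pep_status", "sar_filed", "jurisdiction_listed",
                  "adverse_media", "transaction_anomaly", "sanctions_alert", "edd_upgrade"}
AS_OF = date(2024, 9, 1)  # constructed evaluation date for the sample run

@dataclass
class Customer:
    customer_id: str
    risk_tier: str
    last_review: date
    events: list = field(default_factory=list)  # (event_date, event_code) pairs

def add_months(d, months):
    """Calendar-aware month addition; clamps the day for short months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def review_status(customer, today):
    """Return (review_due, reason). A material event dated after the last review
    always wins over the calendar: that is the 'restart the clock' rule."""
    if customer.risk_tier not in REFRESH_MONTHS:
        raise ValueError(f"unknown risk tier: {customer.risk_tier}")
    triggers = sorted(ev for ev in customer.events
                      if ev[1] in TRIGGER_EVENTS and ev[0] > customer.last_review)
    if triggers:
        ev_date, ev_code = triggers[0]
        return True, f"event-driven: {ev_code} on {ev_date.isoformat()}"
    due = add_months(customer.last_review, REFRESH_MONTHS[customer.risk_tier])
    if today >= due:
        return True, f"scheduled: due {due.isoformat()}"
    return False, f"not due until {due.isoformat()}"

def review_queue(customers, today):  # customer id -> (review_due, reason)
    return {c.customer_id: review_status(c, today) for c in customers}

# Constructed sample portfolio, not real customer data.
SAMPLE_CUSTOMERS = [
    Customer("C-001", "high", date(2023, 3, 1)),  # annual cycle, now overdue
    Customer("C-002", "low", date(2023, 3, 1), [(date(2024, 5, 1), "address_update")]),  # immaterial
    Customer("C-003", "medium", date(2024, 1, 15), [(date(2024, 6, 2), "sar_filed")]),  # SAR: immediate
    Customer("C-004", "medium", date(2024, 1, 15), [(date(2023, 12, 1), "adverse_media")]),  # pre-review
]
```

Note that C-004's adverse-media hit predates its last review and so is treated as already covered; only events after the last review restart the clock.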

UK and EU standards

In the UK, Regulation 28 of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs 2017) requires ongoing monitoring of all business relationships. The FCA expects documented refresh intervals and consistent application. Departing from annual reviews for high-risk customers requires written justification in the institution's risk policy.

Under the EU's AMLD4 and subsequent directives, enhanced due diligence applies to high-risk customers and jurisdictions. Review frequency must be proportionate to the assessed risk, with no fixed statutory intervals specified at the directive level. Member state implementations vary, so institutions operating across borders should document compliance with each applicable national transposition.

The case for perpetual KYC

Scheduled reviews have a structural problem. A customer who escalates in risk six months after a review stays at the old rating until the next cycle. Perpetual KYC replaces the calendar with event-driven reassessment. Each relevant signal (adverse media hit, PEP registry update, UBO change, transaction anomaly) triggers a targeted review of that customer's profile. We've seen institutions using this approach maintain near-zero stale-profile counts across customer bases of 500,000 or more.

The tradeoff: pKYC requires clean, integrated data feeds and a monitoring architecture capable of handling event volumes at scale. AI-based transaction monitoring is often part of the same infrastructure build, since both depend on the same real-time event streams.


Why this matters

Stale risk ratings aren't just a compliance gap. They're an enforcement target.

The OCC has cited inadequate periodic review programs as a primary deficiency in multiple enforcement actions in recent years. HSBC's 2012 deferred prosecution agreement (United States v. HSBC Bank USA N.A., E.D.N.Y.) specifically called out failure to identify and reassign customers to appropriate risk tiers in a timely manner as part of a broader systemic breakdown in AML controls.

If a customer commits fraud or laundering during a window when their risk rating was outdated, examiners will ask why the rating wasn't current. "We were on schedule" isn't a complete defense if a trigger event occurred in the interim and no out-of-cycle review was initiated.

What triggers a regulatory exam? Often: a pattern of missed signals that accumulates until it's visible in transaction data, third-party reports, or a peer institution's enforcement action. What happens when a bank fails an AML exam? The consequences start with matters requiring attention (MRAs), escalate to formal agreements and consent orders, and can extend to civil money penalties and monitorships.

For teams managing large portfolios, the operational cost of periodic reviews is real. KYC refresh programs consume a substantial share of total AML compliance spend. Automating trigger detection and event-based review initiation reduces that cost and the risk of missing a signal that should have restarted the clock.

One thing that doesn't get enough attention: the SAR filing as a trigger. How long do banks have to file a SAR? Typically 30 days from detection. But once a SAR is filed on a customer, their risk rating needs to be reassessed immediately. Many banks treat SAR filing and risk rating review as separate workflows. They shouldn't be.

