
What is perpetual KYC?

Quick answer

Perpetual KYC (pKYC) is continuous, event-driven customer due diligence where risk profiles update automatically as new information arrives. It replaces fixed annual or triennial review cycles. FATF Recommendation 10 requires ongoing customer monitoring; pKYC is the operational model banks use to meet that requirement.

The full answer

Perpetual KYC replaces the fixed-cycle review model with continuous, event-driven monitoring of customer risk profiles. Traditional programs assign review frequencies by risk tier: annual for high-risk, every three years for medium, every five for low. The problem is that risk doesn't move on a calendar. A customer clean at review time can be added to a sanctions list the following week, and the bank is exposed until the next scheduled cycle.

pKYC solves that by connecting customer profiles to live data feeds. When a feed produces a change linked to a customer, the system evaluates whether the change affects their risk classification. If it does, the profile updates. If the shift is material, a case routes to an analyst. The review happens because something changed.

The regulatory foundation is FATF Recommendation 10, which requires ongoing due diligence on business relationships, including scrutiny of transactions against the bank's knowledge of the customer. FinCEN's Customer Due Diligence Rule (effective May 2018) made ongoing monitoring an explicit fifth pillar of AML compliance in the US. The EBA Guidelines on ML/TF Risk Factors (EBA/GL/2021/02) take the same position for EU firms: any material change in a customer's circumstances triggers an immediate review, regardless of where the customer sits in the scheduled cycle.

What typically triggers a pKYC update:

  • Adverse media hits against the customer, their associates, or connected entities
  • Sanctions or PEP list additions (or removals that change existing controls)
  • Beneficial ownership changes at the 25% disclosure threshold
  • Transaction patterns that diverge materially from the established baseline
  • Account activity appearing in a high-risk jurisdiction for the first time
  • Customer-submitted changes to address, employer, or declared business purpose

On beneficial owner identification rules, which pKYC must monitor continuously: the definition and disclosure thresholds vary by jurisdiction. Most pKYC systems flag corporate registry changes as one of the highest-signal trigger types.

Most programs also set a backstop review interval for stable, dormant accounts. Even if nothing triggers, a low-risk customer gets reviewed at least every five years. This handles the edge case while preserving the efficiency gains for the rest of the book. The related question "How often customer risk ratings should be refreshed" breaks down the interval expectations regulators have published by jurisdiction.

pKYC applies across both standard CDD and enhanced due diligence tiers. High-risk customers subject to EDD don't escape continuous monitoring; they get more intensive scrutiny when events trigger, including deeper source-of-funds checks and more frequent manual review.


Why this matters

Annual KYC cycles made sense when information moved slowly. They don't anymore. A customer added to a sanctions list in March isn't a risk the bank can afford to discover in February of the following year.

Regulators have noticed. The FCA's Financial Crime Guide identifies inadequate ongoing monitoring as a material control gap, and exam findings from the OCC, FinCEN, and European supervisors consistently cite outdated customer data as a recurring deficiency. Banks running pure calendar-based reviews with no event-driven triggers have a harder conversation when examiners ask how quickly risk changes get reflected in customer profiles.

AI-powered transaction monitoring fits naturally into pKYC architecture. The same behavioral models detecting anomalous transactions can feed signals into the customer risk assessment layer. When a transaction pattern shifts, the monitoring system can trigger a profile review rather than generating a standalone alert in isolation. That integration gives analysts richer context and reduces false positive rates, which already run above 90% in conventional monitoring programs.

From an exam preparation standpoint, institutions should be ready to answer two specific questions: what events trigger a customer profile review outside the standard cycle, and how quickly those reviews complete. A bank without clear answers to both is likely to have findings. The related questions "What triggers a regulatory exam" and "What happens when a bank fails an AML exam" are both worth reviewing before examination season.

The practical constraint on pKYC is data infrastructure. You need real-time or near-real-time feeds from adverse media providers, structured corporate registry data, sanctions list updates, and clean internal transaction signals. Institutions without that connectivity can't operationalize pKYC properly. Partial monitoring that creates a false sense of coverage is worse than honest calendar-based reviews, because it suggests a control capability that isn't there.

