
What is perpetual KYC?

Quick answer

Perpetual KYC is a continuous, event-driven customer due diligence model where a bank updates a customer's risk profile whenever a triggering event occurs, not on a fixed annual or periodic schedule. No regulation uses that term, but FATF Recommendation 10 requires that CDD information be kept up to date.

The full answer

Perpetual KYC (pKYC) is an event-driven customer due diligence model. It replaces the traditional approach, where banks review customer files on a fixed schedule based on risk tier, with continuous monitoring that triggers a review only when something material changes in a customer's profile.

The event catalogue at the core of a pKYC program typically covers:

  • Adverse media: court filings, criminal charges, sanctions designations, enforcement actions, negative press
  • Beneficial ownership changes: new UBOs, ownership threshold crossings, corporate restructuring, shell company additions
  • PEP status changes: new political appointments, family relationship changes, de-listings
  • Transaction behavior shifts: patterns that break sharply from the customer's established behavioral baseline
  • Sanctions and watchlist alerts: OFAC, EU, UN, and national watchlist additions or modifications
  • Geographic risk changes: new transactions with high-risk or blacklisted jurisdiction counterparties
  • Account reactivation: dormant accounts resuming activity at unexpectedly high volumes

Under a periodic model, a high-risk customer file due for annual review gets reviewed on schedule, regardless of whether anything has changed. Under perpetual KYC, that same customer gets reviewed when something actually changes. If nothing triggers for eighteen months, the file isn't touched. If three triggers fire in a week, it gets reviewed three times.

This is directly connected to how often customer risk ratings should be refreshed. The perpetual KYC model's answer is: when a trigger warrants it, not on a calendar.

Regulatory grounding

FATF Recommendation 10 requires financial institutions to keep CDD information "up to date and relevant." That's the requirement pKYC satisfies. The FinCEN Customer Due Diligence Rule (31 CFR 1020.220), effective 2018, requires ongoing monitoring and risk-based updates of customer information. Neither document uses the term "perpetual KYC," but both describe what it accomplishes.

Understanding the difference between CDD and EDD matters here. pKYC applies to both tiers. Standard CDD customers get reviewed on event triggers. EDD customers receive more intensive scrutiny, but the triggering principle is the same. Perpetual KYC doesn't replace EDD; it makes EDD reviews event-scoped rather than calendar-scoped.


Why this matters

Periodic KYC creates a structural backlog problem. We've seen compliance teams working through queues of thousands of overdue customer files, with analyst capacity nowhere near sufficient to clear them. The problem isn't a failure of effort. It's a failure of model design: scheduling reviews based on tier size rather than risk signals means volume is driven by the number of customers in each bucket, not by what's actually happening with those customers.

Stale customer data is one of the patterns that trigger a regulatory exam. The OCC's 2024 consent order against TD Bank cited systemic AML failures across customer due diligence and transaction monitoring. What happens to a bank that fails an AML exam is serious: formal enforcement actions, civil money penalties, and in severe cases, monitorships and growth restrictions. The cost of maintaining an adequate CDD program is substantially lower than the cost of cleaning one up under regulatory supervision.

AML compliance costs mid-market banks substantially in headcount and technology spend. Perpetual KYC doesn't reduce that cost in year one, but it reallocates analyst time from routine file maintenance to genuine risk events. That reallocation matters, both for program quality and for examiner perception.

AI-driven transaction monitoring feeds directly into perpetual KYC. Behavioral baseline detection, anomaly scoring, and false positive reduction all improve the quality of the event triggers that drive pKYC reviews. Better monitoring signals mean better-calibrated triggers, so analysts review files where something actually changed rather than responding to noise.

Beneficial ownership monitoring is central to any pKYC program. Corporate structures change. A UBO who was clean at onboarding can appear on a sanctions list six months later, or transfer control to a sanctioned entity through a shell layer. A program monitoring UBO changes continuously will catch that in time. One running annual reviews won't.

What pKYC requires in practice

  1. Real-time data feeds: adverse media providers, corporate registry APIs, government watchlists, PEP databases
  2. An event trigger engine that aggregates signals and routes them to the right review queue
  3. Case management tooling for analysts to document triggered reviews with full decision records
  4. An audit trail recording what triggered each review, what was assessed, and what outcome was reached

The audit trail is what examiners ask for first. "We monitor continuously" is not a sufficient response without documentation showing that specific events led to specific reviews with recorded outcomes. This adds process overhead, but less than maintaining a large periodic review backlog that grows faster than your team can clear it.
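An added illustration of the four requirements above (example code, not from the page or any vendor product): a minimal trigger engine that aggregates a customer's signals into one review, routes it to a queue by event severity and CDD/EDD tier, and writes an audit entry for both the trigger and the recorded outcome. The severity ordering, the queue names and the sample events are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Event categories follow the page's catalogue; severity ordering and queue names are assumptions.
SEVERITY = {"sanctions": 3, "pep_change": 2, "ubo_change": 2, "adverse_media": 1,
            "behaviour_shift": 1, "geo_risk": 1, "reactivation": 1}
QUEUE = {3: "urgent", 2: "enhanced", 1: "standard"}

@dataclass
class Event:
    category: str  # a SEVERITY key
    source: str    # feed that raised it, e.g. "OFAC" or "corporate-registry"
    detail: str

@dataclass
class Review:
    customer_id: str
    queue: str
    triggers: list[Event]
    outcome: str | None = None

class TriggerEngine:
    def __init__(self) -> None:
        self.queues: dict[str, list[Review]] = {q: [] for q in QUEUE.values()}
        self.audit_log: list[dict] = []  # one entry per open and per close

    def queue_for(self, tier: str, events: list[Event]) -> str:
        worst = max(SEVERITY[e.category] for e in events)  # unknown category raises KeyError on purpose
        if tier == "EDD":
            worst = max(worst, 2)  # EDD files never route to the standard queue (assumption)
        return QUEUE[worst]

    def open_review(self, customer_id: str, tier: str, events: list[Event]) -> Review | None:
        if not events:
            return None  # nothing triggered: the file is not touched
        review = Review(customer_id, self.queue_for(tier, events), list(events))
        self.queues[review.queue].append(review)
        self._log("review_opened", review, triggers=[(e.category, e.source, e.detail) for e in events])
        return review

    def close_review(self, review: Review, assessed: str, outcome: str) -> None:
        review.outcome = outcome
        self.queues[review.queue].remove(review)
        self._log("review_closed", review, assessed=assessed, outcome=outcome)

    def _log(self, action: str, review: Review, **fields) -> None:
        # Each entry answers the examiner's question: what triggered it, what was assessed, what was decided.
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(), "action": action,
                               "customer_id": review.customer_id, "queue": review.queue, **fields})
```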
