
Ongoing Monitoring: What It Is, What Regulators Expect, and What Gets You Cited

Also known as: perpetual KYC

Ongoing monitoring is the continuous review of customer transactions, relationships, and risk profiles to detect suspicious activity and profile drift. Required under FATF Recommendation 10, the EU's Anti-Money Laundering Directives, and the US Bank Secrecy Act, it's one of the most-cited AML controls in regulatory examinations worldwide.

What is Ongoing Monitoring?

Ongoing monitoring is a core AML/CFT control requiring financial institutions to continuously review customer transactions, relationship activity, and risk profiles across the full account lifecycle. Also called perpetual KYC, it sits between the initial Know Your Customer (KYC) onboarding process and the downstream SAR (Suspicious Activity Report) filing obligation. It connects static identity verification with behavioral surveillance.

The control has two jobs. First, it detects activity that doesn't fit the expected pattern for a customer, their peer group, or their product type. Second, it catches changes to the customer's risk profile: a new beneficial owner, a change in business activity, or fresh exposure to sanctions or PEP designations.

"Perpetual KYC" is the industry term for the automated, event-driven variant. Traditional models relied on scheduled periodic reviews, typically annual for high-risk customers and every three years for standard-risk relationships. Perpetual KYC replaces the calendar trigger with a data trigger: the review fires when something material changes, not when the clock says so.

The control sits at the intersection of static profile management and behavioral analytics. It connects to Customer Due Diligence (CDD) at the front end and to Transaction Monitoring at the behavioral end. A complete program covers both dimensions: changes to the customer's static record (beneficial owners, business type, risk classification) and changes in transactional behavior. Institutions that treat these as separate programs frequently find gaps at the handoff point when examiners arrive.

Why is Ongoing Monitoring required?

FATF Recommendation 10 is the foundational international standard. It requires financial institutions to conduct ongoing due diligence on business relationships and scrutinize transactions throughout the course of those relationships to ensure consistency with the institution's knowledge of the customer, their business, and their risk profile. The FATF guidance on Recommendation 10 makes clear that the obligation doesn't end at onboarding.

In the EU, the Fourth Anti-Money Laundering Directive (4AMLD, 2015/849/EU) and the Fifth Directive (5AMLD, 2018/843/EU) both list ongoing monitoring as a mandatory CDD measure. The UK's Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) carries the same requirement. The FCA has cited monitoring failures in multiple thematic reviews, including its 2022 Financial Crime Thematic Review of retail banks, which found that many firms hadn't updated customer risk profiles in years.

In the US, FinCEN's Customer Due Diligence Rule (31 CFR Part 1010, finalized May 2016) requires covered financial institutions to implement risk-based procedures for ongoing customer due diligence and links this obligation directly to beneficial ownership requirements. If ownership changes, monitoring should catch it.

The risk-based approach under FATF Recommendation 1 means monitoring intensity must scale with customer risk. Customers subject to Enhanced Due Diligence (EDD) require more frequent and more granular review than standard-risk customers. PEPs carry specific enhanced monitoring obligations under FATF Recommendation 12. Record-keeping rules require that documentation underlying monitoring decisions be retained, not just the outcomes.

What do regulators expect to see?

Examiners want six things when they review an ongoing monitoring program.

A documented, risk-based policy with explicit triggers. The policy must define what events prompt a review (transaction threshold breach, address change, sanctions alert, adverse media hit) and how frequently each risk tier is reviewed. Policies that say "as needed" without specifying triggers are a standard finding. The OCC's Supervisory Guidance on Model Risk Management (OCC Bulletin 2011-12) now extends to AML alert models, which means monitoring programs must meet model risk standards, not just compliance standards.

Calibration records. Alert rules and thresholds must be documented, tested, and periodically reviewed. Examiners ask for tuning logs: what parameters changed, when, why, and who approved the change. "We adjusted the model" is not an acceptable answer without the supporting documentation.

SLA tracking and backlog reporting. Open alert volumes, average time-to-disposition, and backlog against SLA targets must be tracked and reported to senior management. Examiners look for board or committee evidence that this data is being received and acted on.

Escalation trails. When a review triggers a referral to the MLRO, that decision and its rationale must be documented. Silent escalation drops are a recurring exam finding across multiple jurisdictions.

EDD and PEP linkage. Customers subject to Enhanced Due Diligence (EDD) must have evidence of more frequent and granular monitoring. The same applies to customers flagged through PEP Screening.

Annual coverage testing. Second-line risk or internal audit must verify that the program actually covers the full customer population and product set. Gaps in coverage are among the most common exam findings, and they're often invisible until examiners specifically test for them.

What does good Ongoing Monitoring look like?

Effective programs are event-driven, risk-proportionate, and documented at every step.

  1. Replace calendar triggers with data triggers. Reviews should fire when something material changes: a transaction spike, a sanctions hit, a new beneficial owner disclosure, or an adverse media alert. The Wolfsberg Group's Correspondent Banking Due Diligence guidance treats event-driven review as the baseline expectation for managing high-risk relationships. Calendar-only approaches don't meet that bar for complex or elevated-risk customer segments.

  2. Segment by risk and calibrate accordingly. High-risk customers, including those flagged through Adverse Media Screening, receive more frequent reviews with a lower alert threshold. Standard-risk customers get broader, less frequent monitoring. The calibration difference between segments must be documented and defensible.

  3. Close the loop with CDD. When monitoring flags a material change, the customer's Customer Due Diligence record must be updated. An alert that fires and produces no change to the risk classification, with no documentation explaining why, is a process failure that examiners will cite.

  4. Backtest alert coverage. The Basel Committee's 2017 Guidelines for Sound Management of Risks Related to Money Laundering and Financing of Terrorism call for periodic backtesting to confirm that alert logic would have caught known historical cases. Most institutions do forward testing. Fewer do backtesting, and the gap shows up in exams.

  5. Report to governance. Boards and senior management should see regular MI on program effectiveness: alert volumes, disposition rates, backlog trends, and SAR conversion rates. Monthly reporting is the minimum. Quarterly is too slow for a material escalation.

  6. Document every suppression and tuning decision. Every threshold change and every alert suppression needs a written rationale and a named approver. This is where most programs fall short of model risk expectations.
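The data-trigger, risk-segmentation, CDD loop-closure and documented-tuning steps above, as one added Python sketch (not FluxForce code or any institution's production logic). The tier multiples, event names and the "turnover versus CDD baseline" test are assumptions chosen for illustration; the point is that no review fires on the calendar alone, and no outcome or threshold change is recorded without a rationale and an approver.

```python
from dataclasses import dataclass, field

# Assumed calibration: a high-risk customer's review fires at a lower turnover multiple.
TIER_SPIKE_MULTIPLE = {"high": 2.0, "standard": 4.0}
# Events from the article that always trigger a review, whatever the tier.
ALWAYS_TRIGGER = {"sanctions_hit", "new_beneficial_owner", "adverse_media"}
TUNING_LOG = []  # every threshold change lands here with rationale and approver

@dataclass
class Customer:
    cid: str
    tier: str
    baseline_monthly: float          # expected monthly turnover recorded at CDD
    cdd_log: list = field(default_factory=list)

@dataclass
class Review:
    cid: str
    trigger: str
    detail: str

def evaluate_event(cust, event):
    """Return a Review when the event is a material data trigger for this customer, else None."""
    kind = event["type"]
    if kind in ALWAYS_TRIGGER:
        return Review(cust.cid, kind, str(event.get("detail", "")))
    if kind == "monthly_turnover":
        ratio = event["amount"] / cust.baseline_monthly
        if ratio >= TIER_SPIKE_MULTIPLE[cust.tier]:
            return Review(cust.cid, "transaction_spike", f"{ratio:.1f}x CDD baseline")
    return None  # calendar time alone is never a trigger here

def close_the_loop(cust, review, new_tier, rationale, approver):
    """Write the review outcome into the CDD record; an unexplained no-change is refused too."""
    if not rationale or not approver:
        raise ValueError("review outcome needs a written rationale and a named approver")
    entry = {"trigger": review.trigger, "detail": review.detail, "old_tier": cust.tier,
             "new_tier": new_tier, "rationale": rationale, "approver": approver}
    cust.tier = new_tier
    cust.cdd_log.append(entry)
    return entry

def tune_threshold(tier, new_multiple, rationale, approver):
    """Change a calibration parameter only with a documented rationale and approver."""
    if not rationale or not approver:
        raise ValueError("undocumented tuning change refused")
    TUNING_LOG.append({"tier": tier, "old": TIER_SPIKE_MULTIPLE[tier], "new": new_multiple,
                       "rationale": rationale, "approver": approver})
    TIER_SPIKE_MULTIPLE[tier] = new_multiple
    return TUNING_LOG[-1]
```

Once a review reclassifies a customer to high risk, the same turnover that was below the standard-tier multiple fires at the tighter high-tier multiple, which is the segmentation step made concrete.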

Common audit findings and exam citations

The most common citation for ongoing monitoring failures is incomplete coverage. Alert rules don't apply to the full product set, or the monitoring population excludes low-balance accounts, or wire transfers through correspondent relationships are out of scope. Partial coverage is arguably the biggest gap in practice, and it's frequently invisible until examiners specifically test for it.

Calibration documentation failures are the second most common finding. Institutions change alert parameters in production without generating a proper audit trail. A threshold shift approved verbally in a meeting but never written up is a problem under both AML and model risk standards.

Backlogs are the third category. The HSBC 2012 enforcement action remains the defining example. HSBC accumulated a backlog of 17,000 unreviewed transaction monitoring alerts in its US operations. The $1.9 billion penalty and deferred prosecution agreement that followed defined what "systemic failure" in ongoing monitoring means to a US regulator.

The Danske Bank 2018 case showed a different failure mode. The monitoring program existed on paper, but roughly €200 billion flowed through the Estonian branch from high-risk non-resident customers with minimal scrutiny. The core problem was that parameters weren't calibrated for the actual risk profile of that customer segment.

The Deutsche Bank 2017 mirror trades case cost the bank $630 million and showed how Layering can persist for years when monitoring isn't configured to detect offsetting trades across linked entities. Those trades ran from 2011 to 2015. Four years of missed signals.

Metrics and KPIs

A healthy ongoing monitoring program tracks these metrics consistently and reports them to governance.

Alert volume and trend. Total alerts generated per month, broken down by rule, customer segment, and product type. A sudden spike or an unexpected drop in alert volume is a signal that something in the model has changed or broken. Neither direction is automatically bad, but both warrant investigation.

False-positive rate. The proportion of alerts that close without escalation. Industry benchmarks sit between 90% and 99%. Anything above 99% suggests miscalibration and analyst fatigue. A steep drop may indicate threshold changes that are missing genuine activity.

Alert disposition SLA. What percentage of alerts are resolved within the target window, typically 5, 10, or 30 business days depending on risk tier. Backlog against SLA is a direct exam risk indicator. Institutions with persistent backlog problems usually have a resource or calibration problem, not a process problem.

Periodic review completion rate. For calendar-based programs, what percentage of high-risk customers received their scheduled annual review on time. Below 95% is a common finding in retail bank examinations.

SAR conversion rate. Of escalated alerts, how many result in a SAR (Suspicious Activity Report) filing. Very low rates can indicate alert fatigue or poorly scoped rules. Very high rates may mean thresholds are set too low for the customer population.

Model tuning frequency. How often alert thresholds are reviewed and updated. Best practice is at least annually, with event-driven reviews after significant changes in customer mix, product mix, or business activity. A program that hasn't been tuned in three years is a program that will have findings.

Mature institutions also track analyst productivity, time-to-escalation, and re-alert rates after threshold changes.
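The false-positive rate, SAR conversion rate, SLA backlog and alert-volume drift metrics above, computed over a constructed alert sample as an added Python example (not FluxForce code). The alert records, rule names and the per-tier SLA windows are constructed for illustration; the drift check flags any rule whose latest month-over-month count moved more than a set fraction in either direction, since the text notes both a spike and an unexpected drop warrant investigation.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample alert records (not real data); closed is None while the alert is open.
def _a(i, rule, tier, opened, closed, outcome):
    return {"id": i, "rule": rule, "tier": tier, "opened": opened, "closed": closed, "outcome": outcome}
ALERTS = [  # outcome: closed_no_action | escalated | sar_filed | open
    _a(1, "velocity", "high", date(2024, 2, 1), date(2024, 2, 3), "closed_no_action"),
    _a(2, "velocity", "high", date(2024, 2, 5), date(2024, 2, 8), "escalated"),
    _a(3, "structuring", "standard", date(2024, 2, 10), date(2024, 3, 5), "closed_no_action"),
    _a(4, "structuring", "standard", date(2024, 2, 12), date(2024, 2, 20), "closed_no_action"),
    _a(5, "velocity", "high", date(2024, 3, 1), date(2024, 3, 4), "sar_filed"),
    _a(6, "velocity", "high", date(2024, 3, 2), date(2024, 3, 12), "closed_no_action"),
    _a(7, "velocity", "high", date(2024, 3, 3), date(2024, 3, 5), "closed_no_action"),
    _a(8, "velocity", "high", date(2024, 3, 6), None, "open"),
    _a(9, "structuring", "standard", date(2024, 3, 8), date(2024, 3, 20), "closed_no_action"),
    _a(10, "structuring", "standard", date(2024, 3, 9), None, "open"),
]
SLA_DAYS = {"high": 5, "standard": 30}  # assumed disposition windows per risk tier

def false_positive_rate(alerts):
    """Share of closed alerts that closed without escalation (the 90-99% benchmark above)."""
    closed = [a for a in alerts if a["outcome"] != "open"]
    return sum(a["outcome"] == "closed_no_action" for a in closed) / len(closed) if closed else 0.0

def sar_conversion_rate(alerts):
    """Of escalated alerts, the share that ended in a SAR filing."""
    esc = [a for a in alerts if a["outcome"] in ("escalated", "sar_filed")]
    return sum(a["outcome"] == "sar_filed" for a in esc) / len(esc) if esc else 0.0

def sla_status(alerts, today):
    """Per tier: (within SLA, breached). Open alerts older than their window are backlog breaches."""
    out = defaultdict(lambda: [0, 0])
    for a in alerts:
        age = ((a["closed"] or today) - a["opened"]).days
        out[a["tier"]][0 if age <= SLA_DAYS[a["tier"]] else 1] += 1
    return {t: tuple(v) for t, v in out.items()}

def volume_drift(alerts, threshold=0.5):
    """Flag rules whose latest month-over-month alert count moved more than `threshold` either way."""
    per_rule = defaultdict(Counter)
    for a in alerts:
        per_rule[a["rule"]][(a["opened"].year, a["opened"].month)] += 1
    flagged = {}
    for rule, months in per_rule.items():
        keys = sorted(months)
        if len(keys) >= 2 and months[keys[-2]] > 0:
            change = (months[keys[-1]] - months[keys[-2]]) / months[keys[-2]]
            if abs(change) > threshold:
                flagged[rule] = round(change, 2)
    return flagged
```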

How Ongoing Monitoring connects to other controls

Ongoing monitoring doesn't operate independently. It draws from upstream controls and feeds into downstream ones, and the connections between programs need to be explicit and operationally active.

Transaction Monitoring is the behavioral detection engine that generates the raw alerts. The distinction matters: transaction monitoring produces signals, ongoing monitoring decides what to do with them and updates the customer record accordingly. Treating the two as a single program creates accountability gaps.

Sanctions Screening is a trigger. A sanctions hit on a customer or counterparty should immediately prompt an enhanced monitoring review, not just a screening disposition. These two programs need to be operationally connected at the workflow level.

When monitoring finds a material change in risk, the output feeds back into Customer Due Diligence. The customer's CDD record must reflect what monitoring found. If it doesn't, the institution has disconnected its two most fundamental AML controls.

The typologies most frequently caught by well-calibrated ongoing monitoring include Money Mule Networks, Smurfing and Structuring, and layering activity. These patterns emerge from behavioral data over time, not from any single transaction. That's precisely why ongoing monitoring exists as a control separate from real-time screening.

Monitoring outcomes should also inform upstream controls. An increase in mule activity caught through monitoring is a signal that onboarding controls for certain customer segments need tightening.

How FluxForce supports Ongoing Monitoring

FluxForce's AI agents run continuous behavioral monitoring across customer portfolios. Activity deviating from established patterns triggers alerts in real time, with a full evidence trail for every decision: what fired, why, and what action was taken. Automated risk profile updates flow from monitoring outcomes and feed back into CDD records without manual handoffs. Board and committee reports are generated without manual compilation.

For institutions managing large retail books or complex correspondent relationships, Regulatory Compliance Automation through FluxForce reduces analyst time on low-risk alert disposition and gives compliance teams cleaner signal to work with. Book a demo to see it in practice.

How FluxForce strengthens Ongoing Monitoring

FluxForce AI agents operate Ongoing Monitoring in real time, capture audit-ready evidence automatically, and surface the gaps examiners cite before they become findings.
