
Perpetual KYC vs periodic review: The case for Always-on Compliance™

05.28.2026 | Henry Fosdike

A strategic guide for MLROs and KYC operations leaders evaluating the shift from scheduled customer due diligence to continuous, event-driven customer risk monitoring

Executive Summary

The annual know your customer (KYC) refresh cycle is one of the most resource-intensive, risk-creating, and regulatorily outdated practices in financial crime compliance. What the industry calls perpetual KYC (pKYC) or continuous compliance, we call Always-on Compliance™, because the distinction is not just that monitoring is continuous; it is that your compliance posture never lapses. This article explains why periodic KYC review fails, how event-driven customer risk assessment works in practice, what FATF Recommendation 10 and the EU AMLR require, and how to build the operational and business case for making the transition. It draws on the SymphonyAI FinCrime Frontier 2025–26 survey report and documented evidence from live deployments.

Introduction

There is a ritual familiar to almost every KYC operations team in financial services. Sometime each year (or every three years, or every five, depending on your customer risk segmentation) a large cohort of customers lands in the review queue. Files are pulled. Documents are chased. Analysts work through the backlog. Risk scores are refreshed, decisions are logged, and the cycle resets.

Until the next review.

This is periodic KYC and for most institutions, it is simultaneously one of the largest consumers of compliance resources and one of the weakest links in their financial crime control framework.

The weakness isn’t the intent, but the underlying assumption. Periodic KYC assumes that customer risk is stable enough between reviews that the compliance posture established at the last check remains adequate. In a world of static customer relationships, slow-moving typologies, and predictable financial crime patterns, that assumption was defensible. But things have changed.

As an example, a customer who passed their annual review in January may be named in adverse media in March, become the subject of a law enforcement inquiry in June, be designated under a new sanctions regime in September, and significantly change their transaction behavior throughout. This is an extreme example, but an entirely possible one. Under a periodic model, the compliance team may not know any of this until the next scheduled review comes around, which may be years away.

This is the point-in-time compliance failure that perpetual KYC, continuous compliance, and what we call Always-on Compliance are designed to solve.

Why the periodic KYC review is structurally broken

The failure mode in periodic KYC reviews is structural rather than operational. Better-trained analysts, faster document processing, and more efficient workflow tools don’t fix it. The problem is the model itself:

Risk changes continuously but reviews happen periodically. As the example above shows, customer risk profiles are dynamic: adverse media emerges, beneficial ownership structures change, PEP status is conferred or removed, sanctions designations are added, and transaction behavior shifts. None of these developments wait for the compliance calendar. A review cycle that checks customer risk once every one, three, or five years creates a gap, potentially a very long one, during which significant risk changes go undetected and, as a result, unacted upon.

KYC backlogs are endemic and self-reinforcing. The FinCrime Frontier 2025–26 survey identifies KYC and customer due diligence / enhanced due diligence (CDD / EDD) as the most manually intensive areas in the compliance lifecycle. This is no surprise to anyone who has managed a KYC operations team. Large periodic review programs consume enormous analyst time on document gathering, data validation, and file updating, work that is largely administrative rather than analytical. The result is persistent backlogs that force triage decisions: which customers get a proper review, and which get a lighter-touch process because there is no time to do more. That triage introduces exactly the risk the review program is supposed to eliminate.

Resource allocation is structurally inefficient. Periodic programs apply roughly similar review effort to all customers in a cohort regardless of whether anything material has changed since the last review. A low-risk retail customer whose circumstances haven’t changed gets the same calendar-driven review as a high-risk correspondent banking relationship that has just triggered multiple transaction monitoring alerts. This is the inverse of the risk-based approach that FATF, the FCA, FinCEN, and the EU AMLR all mandate.

Point-in-time reviews create regulatory exposure. Regulators increasingly examine not just whether KYC reviews were conducted, but whether the compliance program was capable of detecting and responding to material risk changes between reviews. An institution that can demonstrate only that it completed a scheduled review, but cannot show what happened to a customer’s risk profile in the intervening period, is poorly positioned in an examination. In our experience, the question regulators are beginning to ask is: “What would your program have done if this customer became a PEP six months after their last review?”

What FATF, the FCA, and the EU AMLR require

The regulatory case for moving beyond periodic review is sometimes presented as aspirational: something regulators might prefer but have not mandated. This hugely understates the actual regulatory position.

FATF Recommendation 10 on customer due diligence includes an explicit ongoing monitoring requirement. It calls on financial institutions to conduct ongoing due diligence on business relationships, including scrutiny of transactions undertaken throughout the course of the relationship to ensure they are consistent with the institution’s knowledge of the customer, their business, and risk profile, and to keep CDD documents, data and information up to date. The Interpretive Note to Recommendation 10 is clear that ongoing monitoring must be applied on a risk-sensitive basis (more intensive for higher-risk customers and relationships), which in practice means having a mechanism for detecting material changes that would affect the customer’s risk classification.

The EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624), which will apply directly across EU member states from July 2027, builds on this foundation with specific CDD obligations that go beyond point-in-time verification. The AMLR requires financial institutions to keep customer information up to date, to monitor business relationships on an ongoing basis, and to ensure that CDD is reviewed when the institution becomes aware of a change in circumstances that may affect the customer’s risk profile. The establishment of the Anti-Money Laundering Authority (AMLA) adds enforcement teeth to these requirements, which were previously applied inconsistently across member states under the directive-based regime.

In the United Kingdom, the FCA’s financial crime guidance and supervisory focus make clear that ongoing CDD is not a periodic administrative exercise but a continuous obligation. The FCA expects institutions to have systems capable of detecting changes in customer risk, not just systems capable of conducting scheduled reviews. The FCA’s own financial crime guide for firms explicitly addresses ongoing monitoring as a distinct and substantive requirement, separate from initial CDD at onboarding.

What this adds up to is a regulatory environment that has already moved beyond periodic review in its expectations. The question for MLROs and KYC operations leaders, then, is how to operationalize the continuous monitoring that regulators require.

pKYC vs periodic KYC: Understanding the operational difference

The terms perpetual KYC, continuous KYC, continuous compliance, and Always-on Compliance are sometimes used interchangeably, or perhaps used loosely to mean little more than “doing KYC more often.” It’s worth being precise about what genuine continuous KYC looks like operationally, because the distinction matters both for program design and for regulatory defensibility.

Periodic KYC operates on a calendar or cohort basis. Every customer in each risk tier is reviewed on a fixed schedule. This is normally annually for high risk, every three years for medium risk, or every five years for low risk. Reviews are triggered by the passage of time, not by changes in the customer’s risk profile.

Perpetual KYC / Always-on Compliance operates on an event-driven basis. Rather than waiting for the review calendar, monitoring runs continuously across a defined set of data sources and signals. When a defined trigger event occurs, the system flags the change and assesses its risk significance before initiating the appropriate response. Trigger events include:

  • An adverse media hit linking the customer to financial crime, sanctions evasion, or reputational risk
  • A match against an updated sanction or watchlist
  • A significant change in transaction behavior that is inconsistent with the customer’s known profile
  • A PEP designation being assigned or removed
  • A change in beneficial ownership structure
  • A law enforcement inquiry or enforcement action involving the customer or a connected party

For low-significance changes, the response might mean updating a data field and re-scoring the customer automatically. For more significant changes, it might mean initiating a full enhanced due diligence review.

The distinction between these two approaches is significant. In a periodic model, the review determines whether anything has changed. In an event-driven model, the monitoring layer is always running and when it detects that something has changed, it triggers the appropriate action. This difference in detection time – from potentially years to just hours – is the core risk management argument for pKYC.

What data sources feed a continuous monitoring layer?

A credible pKYC program draws from multiple streams simultaneously:

  • Automated adverse media monitoring – Continuous scanning of news sources, regulatory publications, and open-source intelligence for negative mentions, enforcement actions, or reputational risk signals
  • Continuous PEP and sanctions list monitoring – Real-time matching against updated lists rather than batch processes run at review intervals
  • Transaction behavior monitoring – Detection of significant deviations from a customer’s expected activity patterns, flagging changes that may indicate altered risk profile or criminal exposure
  • Internal trigger events – New product applications, relationship changes, complaints, or escalations from other compliance functions that may indicate elevated risk
  • External event feeds – Beneficial ownership registry updates, company filing changes, and law enforcement advisories from bodies such as FinCEN that may affect customer risk status

The monitoring layer must integrate these signals in a unified view, not as separate alerts from separate systems. In this way, the combined picture of a customer’s risk profile at any given moment is visible in a single place.
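A concrete illustration of the sanctions-list point above, as an added example and not SymphonyAI’s code: when a new list version arrives, screen only the entries that were added or removed against the customer base and emit one trigger event per hit, instead of rescreening every customer against the whole list on a batch schedule. The list layout, the customer records and the token-overlap match score are assumptions made for the example.

```python
"""Delta screening of a sanctions-list update against the customer base.

Added illustration for the continuous sanctions-list monitoring point above;
not SymphonyAI's code. The list format, the customer records and the
token-overlap match score are assumptions chosen for the example.
"""
import re
import unicodedata

# Corporate suffixes carry no identity and would dilute the overlap score.
SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "co", "sa", "gmbh", "plc"}


def normalize(name: str) -> frozenset:
    """Fold accents, case and punctuation; drop suffixes; ignore word order."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return frozenset(t for t in re.findall(r"[a-z0-9]+", ascii_name.lower())
                     if t not in SUFFIXES)


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard overlap of two token sets (1.0 = identical after normalization)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def list_delta(old: dict, new: dict) -> tuple:
    """Entries added and removed between two list versions, keyed by list id."""
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    return added, removed


def best_score(entry: dict, customer: dict) -> float:
    """Highest overlap across every name/alias pair of the entry and customer."""
    entry_names = [entry["name"], *entry.get("aliases", [])]
    cust_names = [customer["name"], *customer.get("aliases", [])]
    return max(similarity(normalize(e), normalize(c))
               for e in entry_names for c in cust_names)


def screen_delta(old_list: dict, new_list: dict, customers: list,
                 threshold: float = 0.8) -> list:
    """Screen only what changed. Each hit becomes a trigger event for the
    event-driven CDD layer. Delistings are emitted too: a removal changes the
    customer's risk profile just as a designation does and must be reviewed."""
    added, removed = list_delta(old_list, new_list)
    events = []
    for kind, entries in (("sanctions_match", added), ("sanctions_delisted", removed)):
        for list_id, entry in entries.items():
            for customer in customers:
                score = best_score(entry, customer)
                if score >= threshold:
                    events.append({"trigger": kind, "customer": customer["id"],
                                   "list_id": list_id, "listed_name": entry["name"],
                                   "score": round(score, 2)})
    return events


def demo() -> list:
    """Constructed sample data: yesterday's list, today's list, four customers."""
    old = {"SDN-1": {"name": "Blue River Holdings"},
           "SDN-2": {"name": "Kestrel Maritime SA"}}
    new = {"SDN-2": {"name": "Kestrel Maritime SA"},
           "SDN-3": {"name": "Aurora Trading Co. Ltd", "aliases": ["AURORA TRADE"]}}
    customers = [
        {"id": "C-1", "name": "Aurora Trading Limited"},
        {"id": "C-2", "name": "Aurora Bakery"},
        {"id": "C-3", "name": "Blue River Holdings GmbH"},
        {"id": "C-4", "name": "Kestrel Maritime SA"},  # unchanged entry: not rescreened
    ]
    return screen_delta(old, new, customers)
```

The point of the example is the delta, not the matcher: a plain token-overlap score will miss transliteration variants (Müller against Mueller scores well below the threshold here), which production screening handles with phonetic and transliteration-aware matching and per-list thresholds. Whatever matcher is used, applying it only to the changed entries is what turns a list update into a trigger event within minutes rather than at the next batch run.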

How do risk scores update in a pKYC model?

In a periodic model, risk scores update at review time. With perpetual KYC, risk scores are dynamic: they update as new information becomes available. A customer’s risk score on Tuesday afternoon may therefore differ from their risk score on Tuesday morning if an adverse media hit was detected and processed in between. This requires a different data architecture: an entity-centric, event-sourced model in which the customer’s risk profile is a continuously maintained state derived from the events that changed it, rather than a static value refreshed periodically.
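The following added example (not SymphonyAI’s code) sketches the entity-centric, event-sourced model the two sections above describe: trigger events of the kinds listed earlier in the article, a score that updates as each one arrives, a proportionate response chosen per event, and an append-only audit entry that records why the decision was taken. Each entry also records the detection lag the implementation checklist later asks about, alongside a counterfactual of how long the same change would have waited for the next periodic review. Trigger kinds, score deltas, tier thresholds and review intervals are assumed values, not a recommended calibration.

```python
"""Event-driven customer risk re-scoring with an auditable trail.

Added illustration of the event-driven model described above; not
SymphonyAI's code. Trigger kinds, score deltas, tier thresholds and review
intervals are assumptions chosen for the example, not a calibration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Trigger(Enum):
    ADVERSE_MEDIA = "adverse_media"
    SANCTIONS_MATCH = "sanctions_match"
    PEP_CHANGE = "pep_change"
    UBO_CHANGE = "ubo_change"
    TXN_ANOMALY = "txn_anomaly"


# Assumed policy: (score delta, proportionate response when the change is material).
POLICY = {
    Trigger.ADVERSE_MEDIA: (25, "analyst_review"),
    Trigger.SANCTIONS_MATCH: (100, "edd_review_and_hold"),
    Trigger.PEP_CHANGE: (30, "edd_review"),
    Trigger.UBO_CHANGE: (15, "analyst_review"),
    Trigger.TXN_ANOMALY: (20, "analyst_review"),
}
TIERS = ((70, "high"), (40, "medium"), (0, "low"))              # (floor, name)
REVIEW_DAYS = {"high": 365, "medium": 3 * 365, "low": 5 * 365}  # periodic cycle


def tier_for(score: int) -> str:
    return next(name for floor, name in TIERS if score >= floor)


@dataclass
class Event:
    kind: Trigger
    occurred_at: datetime
    source: str
    detail: str
    lifted: bool = False  # status removed (PEP left office, media hit discounted)


@dataclass
class CustomerState:
    customer_id: str
    score: int
    last_review: datetime
    audit: list = field(default_factory=list)  # append-only event log

    @property
    def tier(self) -> str:
        return tier_for(self.score)


def apply_event(state: CustomerState, event: Event, detected_at: datetime) -> dict:
    """Re-score, choose a proportionate response, and record why.

    The returned entry also carries a counterfactual: how long the same change
    would have waited for the next calendar-driven review of this customer.
    """
    before, before_tier = state.score, state.tier
    periodic_review = state.last_review + timedelta(days=REVIEW_DAYS[before_tier])
    delta, material_action = POLICY[event.kind]
    state.score = max(0, min(100, before - delta if event.lifted else before + delta))

    if event.kind is Trigger.SANCTIONS_MATCH and not event.lifted:
        action, reason = material_action, "live sanctions match"
    elif state.tier == before_tier:
        action, reason = "auto_rescore", "no tier change"
    elif event.lifted:  # never lower a tier silently; an analyst confirms it
        action, reason = "analyst_review", f"de-escalation {before_tier} -> {state.tier}"
    else:
        action, reason = material_action, f"tier moved {before_tier} -> {state.tier}"

    entry = {
        "customer": state.customer_id, "trigger": event.kind.value,
        "source": event.source, "detail": event.detail,
        "score_before": before, "score_after": state.score,
        "action": action, "reason": reason,
        "occurred_at": event.occurred_at.isoformat(),
        "detected_at": detected_at.isoformat(),
        "detection_lag_hours": (detected_at - event.occurred_at).total_seconds() / 3600,
        "periodic_lag_days": max(0, (periodic_review - event.occurred_at).days),
    }
    state.audit.append(entry)
    return entry


def demo() -> CustomerState:
    """Constructed sample: the customer from the introduction, over one year."""
    state = CustomerState("C-1001", score=20, last_review=datetime(2026, 1, 15))
    feed = [  # (event, when the monitoring layer saw it); constructed data
        (Event(Trigger.ADVERSE_MEDIA, datetime(2026, 3, 4, 9), "media_feed",
               "named in fraud investigation report"), datetime(2026, 3, 4, 11)),
        (Event(Trigger.TXN_ANOMALY, datetime(2026, 6, 10), "tm_engine",
               "outbound volume 8x 90-day baseline"), datetime(2026, 6, 10, 2)),
        (Event(Trigger.SANCTIONS_MATCH, datetime(2026, 9, 1, 8), "sanctions_feed",
               "strong match on new designation"), datetime(2026, 9, 1, 8, 30)),
    ]
    for event, seen_at in feed:
        apply_event(state, event, seen_at)
    return state
```

Two design choices worth noting. First, the audit entry, not the score, is the record of truth: the current score can be rebuilt by replaying the log, and every entry states the trigger, the source, the before and after score and the reason for the action, which is what an examiner asks for. Second, the policy never lowers a tier without a human confirming it; automated de-escalation is its own control weakness, so a lifted status re-scores but still routes to an analyst when it would drop the customer into a lower tier. In the constructed run, the low-risk customer from the introduction would have waited roughly 1,777 days for a periodic review after the March adverse-media hit; the event-driven layer saw it in two hours.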

The real cost of periodic KYC: Building the business case

For MLROs evaluating whether to make the case for moving to continuous compliance, the business case has several components that are worth quantifying.

Direct operational cost

Large KYC remediation programs (the kind that institutions periodically run to work through accumulated backlogs) routinely cost tens of millions of pounds or dollars and take years to complete. The analyst time consumed by periodic reviews (document chasing, file updating, and the review itself) is also substantial and recurring, even though most customers’ risk profiles have not materially changed since the last review.

The cost of delayed risk detection

This is harder to quantify but is potentially the most significant. A high-risk customer whose circumstances change between periodic reviews represents an undetected exposure for the duration of that time. The regulatory and reputational consequences of failing to detect and respond quickly enough can be severe.

Regulatory examination risk

Institutions that cannot demonstrate continuous monitoring capability are increasingly exposed in regulatory examinations. A compliance program that can only point to its periodic review schedule is clearly weaker than one that can demonstrate continuous monitoring with documented trigger events and responses.

The hidden cost of false positives in periodic reviews

Periodic reviews often generate substantial volumes of information requests from customers whose circumstances haven’t changed. This creates friction in the customer relationship, consumes operational resources, and may drive customer churn.

Adding to all this, the FinCrime Frontier 2025–26 survey found that KYC operations modernization (including perpetual KYC monitoring) is among the top desired AI outcomes for compliance leaders, second only to false positive reduction and smarter alert triage. With demand high, confidence in the implementation is the main constraint holding institutions back from investing.

How Always-on Compliance™ works in practice

Moving from periodic to continuous CDD is not as simple as flipping a switch. It requires meaningful changes across data, systems, processes, and governance. Acknowledging this is important both for realistic planning and for credibility with regulators that have seen vendors oversell pKYC as simpler than it is.

Continuous monitoring is only as good as the data it monitors. Fragmented customer data (where the same customer exists as multiple records across different systems, or where transaction data and KYC data are held in separate, disconnected systems) creates blind spots. The prerequisite for effective pKYC is an entity-centric data model in the form of a unified golden record for each customer. This consolidates identity information, transaction behavior, relationship data, and external signals into a single, coherent view.

Event-driven triggers need definition and governance. The transition to continuous monitoring requires defining:

  • What constitutes a trigger event
  • What changes are significant enough to initiate a CDD response
  • What responses are proportionate to different trigger types

This is as much a policy and governance challenge as it is a technology one. Trigger definitions and proportionate responses need to be aligned to regulatory expectations and defensible in an examination; the FATF risk-based approach guidance is particularly helpful as a framework for justifying them.

The monitoring layer must be explainable. AI-powered customer due diligence systems that cannot produce clear, auditable reasoning trails for their outputs create as many examination challenges as they solve. This is a regulatory expectation that the Federal Reserve’s SR 11-7 model risk management guidance (issued jointly with the OCC) and equivalent frameworks make explicit.

The change management effort requires focus. As KYC teams shift from predictable periodic review cycles to event-driven workflows, analysts spend less time processing documents and more time making risk-based decisions. This requires significant investment in training, process redesign, and operational management.

With all this in mind, incremental adoption of Always-on Compliance is the most realistic approach for many institutions. Most are not able to decommission periodic reviews and replace them with fully automated pKYC immediately. As such, a phased approach is the most likely path to pKYC, with institutions typically starting with high-risk monitoring such as adverse media and sanctions changes, then gradually expanding into event-driven behavioral monitoring and selective automation while retaining human oversight for material risk decisions.

What live deployments show

Real-world implementation evidence supports the business case for continuous compliance. This is critical in a market where technology claims have often outpaced proven operational results.

Metro Bank, one of the UK’s leading challenger banks, made dynamic Customer Risk Assessment (CRA) a core objective of its financial crime transformation. Rather than maintaining separate KYC and transaction monitoring systems, Metro Bank embedded CRA into the same platform as monitoring and screening, enabling the bank to capture and act on internal and external triggers dynamically. This was structurally impossible with separate legacy systems. The deployment reduced transaction monitoring alerts by 20% shortly after go-live, while creating a more integrated architecture capable of supporting continuous customer risk assessment using both internal and external data sources.

By treating customer risk assessment not as a separate periodic function but as a continuously maintained state within the same platform as detection and investigation, Metro Bank created the data integration and workflow infrastructure that pKYC requires. As Mark McDavitt, Director of Financial Crime Operations & Financial Crime Risk Compliance at Metro Bank, noted, the deployment gives the bank a world-class strategic capability to manage its key financial crime risks, with a platform that enables agile, controlled updates as the regulatory and threat environment evolves.

Why Always-on Compliance™

The market uses several terms for what we are describing. These include perpetual KYC, continuous KYC, continuous compliance, and dynamic customer due diligence. These terms broadly point to the same operational model, which is event-driven customer risk monitoring.

At SymphonyAI, we use the term Always-on Compliance because it captures something the other terms don’t quite reach. Perpetual KYC focuses on the KYC process itself while continuous compliance focuses on the monitoring activity. Always-on Compliance though, describes the state of the institution’s compliance posture:

  • It never lapses
  • There is no gap between reviews (during which the institution is operating on stale information)
  • Risk detection is a continuously maintained capability rather than a periodic exercise.

That distinction matters.

An institution that can demonstrate Always-on Compliance can detect a material change in risk as soon as it surfaces in a monitored data source, putting it in a fundamentally stronger position with examiners than one that has merely reduced its review cycle from five years to three.

The MLRO’s implementation checklist

If an MLRO is evaluating or beginning to implement a move toward continuous customer due diligence, the following questions structure the practical assessment:

Current state:

  • What is your actual detection lag, i.e. the average time between a material change in a customer’s risk profile and the point at which your program would detect it?
  • How large is your current periodic review backlog, and what is the cost of maintaining it?
  • What proportion of your periodic reviews result in a material risk finding versus no change?
  • What is the regulator’s view of your ongoing monitoring capability?

Data foundation:

  • Do you have a unified, entity-centric customer record that consolidates identity, transaction, and relationship data?
  • How are adverse media and PEP/sanctions changes currently surfaced (manually, through automated feeds, or through periodic batch processes)?
  • How quickly does a sanctions designation currently translate into a reviewed and actioned customer record?

Operating model:

  • What trigger events would your continuous monitoring layer need to detect and respond to?
  • What CDD responses are proportionate to different trigger types, and which can be automated versus which require human review?
  • How will your operations team’s workflow change, and what training and management does that require?

Technology:

  • Can your current platform support event-driven CDD workflows, or does it only support cohort-based review queues?
  • Can the monitoring layer produce explainable, auditable outputs for regulatory examination?
  • Does the system support human-in-the-loop governance for material risk decisions?

Business case:

  • What is the fully-loaded cost of your current periodic review program?
  • What is the estimated annual cost of the risk detection gap created by periodic reviews?
  • What would a credible pKYC program cost, and over what timeframe does the investment pay back?

Key takeaways for KYC operations and compliance leaders

  • Periodic KYC is structurally broken. The model creates systematic risk detection gaps that can only be fixed with a different model.
  • The regulatory case is already made. FATF Recommendation 10, the EU AMLR, and FCA guidance all require ongoing monitoring that goes beyond periodic review.
  • Always-on Compliance™ is the right frame. What the industry calls perpetual KYC or continuous compliance, we call Always-on Compliance, because the goal is a compliance posture that never lapses, not just a more frequent review schedule.
  • Event-driven triggers sit at the heart of continuous monitoring. Use signals such as adverse media, sanctions changes, PEP updates, and behavioral anomalies to launch proportionate compliance actions supported by strong governance and clearly defined escalation criteria.
  • Data integration is the prerequisite. A unified, entity-centric customer record is the foundation of effective pKYC, turning fragmented signals into meaningful, actionable risk intelligence.
  • Incremental implementation is most likely. Start with automated adverse media and sanctions monitoring, add event-driven behavioral signals, and progressively automate lower-complexity CDD responses. Each step delivers value and builds the foundation for the next stage.
  • Explainability is non-negotiable. AI-powered CDD systems must produce auditable, examiner-ready reasoning for every monitoring decision. The efficiency gains of automation are undermined if findings cannot be explained.
  • The ROI case is strong. The return on continuous compliance investment typically emerges from operational cost reduction, reduced regulatory examination risk, and improved customer experience through fewer false positive reviews.


Perpetual KYC and Always-on Compliance™ - FAQs

What is the difference between periodic KYC review and perpetual KYC?

Periodic KYC review is triggered by the passage of time, perhaps annually or every few years, depending on a customer’s risk tier, regardless of whether anything about the customer has actually changed. Perpetual KYC (pKYC), also called continuous KYC or Always-on Compliance™, is triggered by events such as an adverse media hit, a sanctions match, a PEP designation change, or a significant shift in transaction behavior. The critical difference is detection latency. Under a periodic model, a material risk change may go undetected for years; under a pKYC model, it is detected as soon as it surfaces in a monitored source.

What do FATF, the EU AMLR, and the FCA require?

FATF Recommendation 10 includes an explicit ongoing monitoring requirement – institutions must conduct ongoing due diligence on business relationships and keep customer risk assessments up to date, not just conduct periodic reviews. The EU Anti-Money Laundering Regulation (AMLR) and FCA financial crime guidance impose equivalent obligations. A compliance program that relies solely on fixed periodic review cycles, with no event-driven detection capability, is increasingly likely to fall short of what these frameworks require.

How does a continuous monitoring layer work?

A continuous monitoring layer watches defined data sources simultaneously. This includes adverse media feeds, PEP and sanctions lists, transaction behavior analytics, beneficial ownership registries, and internal trigger events, firing when a defined change is detected. The system assesses the risk significance of the trigger and routes the appropriate response, whether that be an automatic data update and re-score for low-significance events, or a full CDD review workflow for material changes. Every detection, assessment, and action is documented with an auditable trail, which is the foundation of regulatory defensibility for a continuous compliance program.

What are the main barriers to implementing pKYC?

The three most common barriers are data fragmentation (a unified, entity-centric customer record is the prerequisite for effective continuous monitoring), governance definition (trigger events and proportionate responses must be defined and documented before deployment, not after), and operational change management (KYC teams need to adapt from working periodic review queues to handling event-driven workflows). Most institutions address these through incremental deployment, starting with automated adverse media and sanctions monitoring, before adding more complex behavioral signals. Attempting a full transition within a single program is the most common reason for pKYC implementations to stall.

What is the ROI of moving to continuous compliance?

The ROI case has three components:

  • Direct operational savings from eliminating reviews of customers whose circumstances haven’t changed (typically 30-50% cost reduction for KYC operations)
  • Reduced regulatory examination risk for institutions that can demonstrate continuous monitoring capability
  • Improved detection quality from eliminating the risk gap that periodic reviews create.

The FinCrime Frontier 2025-26 survey found that only 28% of compliance professionals have conducted a formal ROI analysis for their compliance technology, making honest baseline measurement the essential first step. Knowing your current periodic review cost, your average detection lag, and your examiner’s view of your ongoing monitoring capability is what makes the business case credible.

About the author

Henry Fosdike

Content Manager

Henry Fosdike is Content Manager at SymphonyAI’s financial services division, bringing 10+ years of expertise in crafting compelling B2B, B2C, and D2C content to the world of AI-driven financial crime prevention technology. Henry excels at translating complex AI, finance, and SaaS concepts into clear, engaging narratives. His articles and whitepapers demystify cutting-edge anti-financial crime solutions, offering readers a deeper understanding of this rapidly evolving field.
