pKYC vs. periodic reviews: The future of Enhanced Due Diligence
Banks don’t fail at KYC because they lack data. They fail because customer risk stops learning once onboarding is complete.
At onboarding, banks build an initial risk profile based on factors such as ownership, geography, industry, and inherent sector risk. That profile then drives the intensity of controls and review frequency, with higher-risk sectors like crypto subject to closer scrutiny, and lower-risk clients reviewed on longer cycles.
Once set, these assumptions anchor the institution's understanding of the customer's risk, even as behavior and exposure evolve between formal reviews.
The strain on this model is evident in the enforcement actions of the last twelve months. While the record-breaking $3 billion fine against TD Bank in the US dominated headlines in 2024, the crackdown is global. In mid-2025, Swiss regulators penalized institutions like Pictet and Julius Baer millions of francs for failures that hinged specifically on insufficient due diligence, ignoring red flags that emerged long after the initial onboarding was complete.
| TL;DR This post covers how: 🟣Customer risk signals exist continuously, but risk understanding still updates episodically. 🟣Perpetual KYC enables ongoing, customer-level risk reassessment rather than calendar-driven refreshes. 🟣Federated Learning allows risk models to learn continuously across institutions, without sharing customer data. |
The asymmetry of time
The fundamental weakness of traditional Enhanced Due Diligence (EDD) lies in how customer risk evolves compared to how it is reassessed. Financial crime adapts quickly, yet customer risk understanding updates slowly.
Under standard risk-based approaches, including the Wolfsberg Group guidance, many low- to medium-risk corporate customers have their KYC files fully refreshed only every 3 to 5 years (EDD proper is reserved for the higher-risk tier, which is reviewed more often). That cadence assumes risk changes gradually. In reality, it can change in weeks.
Consider a legitimate business compromised six months after onboarding through a classic shelf-company acquisition. Transaction monitoring may well surface individual alerts during that period. An event-driven review may even be triggered. But the customer’s core risk rating (the assumptions set at onboarding) often remains anchored to its original classification.
The result is a prolonged disconnect. Suspicious activity is handled on a case-by-case, local, and tactical basis, while the customer file continues to describe a “low-risk” entity. Risk signals exist, but risk understanding lags. And that lag creates exposure. It allows criminal activity to accumulate under outdated assumptions, while teams respond reactively rather than adaptively.
At the same time, periodic reviews themselves are operationally punishing. Fenergo’s 2024 research shows a single corporate KYC review can take between 61 and 150 days to complete. Investigators spend weeks gathering documentation and validating static attributes, often to confirm what is already obsolete by the time the review closes.
We are trying to manage high-velocity risk with low-frequency recalibration.

The regulatory pivot: From “technical compliance” to “demonstrable effectiveness”
For decades, regulatory scrutiny focused on technical compliance: whether firms had the right policies, controls, and governance structures in place. But the bar has moved. Supervisors now focus on effectiveness: whether risk frameworks actually adapt as customer behavior and exposure change.
The Financial Action Task Force (FATF), in its recent digital transformation guidance, has called for a move away from rigid, rules-based approaches toward data-driven systems capable of responding to evolving and emerging risk. In the UK, the Financial Conduct Authority (FCA) has set the same expectation, warning firms against static or generic risk assessments that fail to reflect how a customer's business changes over time.
Crucially, this is not just about being “dynamic” in name. Regulators increasingly expect firms to demonstrate that new information is incorporated into customer risk assessments, that risk weightings evolve, and that learning is not ignored or siloed. An understanding of a customer that remains anchored to onboarding assumptions for years at a time is difficult to reconcile with supervisory expectations of effectiveness.
The great pKYC misunderstanding

The industry’s response to these pressures has been Perpetual KYC (pKYC). The idea is compelling: replace infrequent, calendar-driven reviews with continuous, event-led oversight.
However, in practice, two distinct approaches to pKYC are emerging, and many institutions are investing in the wrong one:
1. The “static” trap (faster administration)
Many pKYC solutions focus on automating traditional checks. Instead of refreshing corporate registries, sanctions lists, or ownership data annually, those checks are run daily or in near-real time.
Of course, these controls matter. They are effective at detecting identity drift, including changes in ownership, directors, legal form, or registration status. But on their own, they do not explain how risk is evolving.
A customer can remain unchanged on paper while their transactional behavior changes materially. Unusual activity may already trigger alerts, source-of-funds queries, or even account restrictions. Yet those signals are typically handled in isolation. They rarely result in the customer’s underlying risk profile being recalibrated in real time. The outcome is speed without learning.
2. The dynamic approach (continuous customer risk understanding)
More advanced pKYC focuses on continuously reassessing customer risk at the customer level. Rather than repeatedly validating who the customer is, it evaluates how the customer’s behavior is changing and whether that behavior meaningfully alters the institution’s understanding of their risk exposure.
Behavioral signals are interpreted in context, aggregated over time, and used to re-weight customer risk dynamically. Static data remains part of the picture, but it is no longer treated as sufficient.
Closing the gap between emerging activity and updated customer risk requires incorporating different data and learning from it continuously.
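The two approaches above differ in one mechanical detail: whether behavioural signals are scored one at a time against the onboarding rating, or accumulated over time into a customer-level score that can move the rating. The following is an added example, not code from this post or from any product it describes. The signal types and weights, the 180-day half-life, the band thresholds and the event timeline are all assumptions constructed for the illustration; it reuses the post's shelf-company scenario, where a clean company changes hands about six months after onboarding.

```python
"""Customer-level dynamic risk re-scoring next to a calendar-driven review.

Added illustration, not code from the post. Signal types, weights, the
180-day half-life, band thresholds and the event timeline are assumptions
constructed for the example.
"""
from dataclasses import dataclass

# Behavioural signals and their assumed contribution to customer risk.
# Every single weight stays below the "medium" boundary when added to a
# low onboarding score, which is exactly why isolated handling never
# moves the rating.
SIGNAL_WEIGHT = {
    "director_change": 0.15,          # registry shows a new director or UBO
    "new_hr_jurisdiction_cpty": 0.20, # first payment to a high-risk jurisdiction
    "tm_alert_closed_benign": 0.05,   # monitoring alert closed as explainable
    "tm_alert_escalated": 0.25,       # monitoring alert escalated by an investigator
    "sof_query_unanswered": 0.25,     # source-of-funds request not satisfied
}
HALF_LIFE_DAYS = 180.0         # a signal loses half its weight every 180 days
BANDS = [(0.0, "low"), (0.4, "medium"), (0.8, "high")]  # (lower bound, band)
PERIODIC_REVIEW_DAY = 3 * 365  # 3-year refresh cycle for a low-risk customer
ONBOARDING_SCORE = 0.10        # rated "low" at onboarding

@dataclass(frozen=True)
class Signal:
    day: int   # days since onboarding
    kind: str  # key into SIGNAL_WEIGHT

# Constructed timeline: the company is acquired by a bad actor about six
# months after onboarding and its behaviour drifts over the next two months.
SIGNALS = [
    Signal(182, "director_change"),
    Signal(200, "new_hr_jurisdiction_cpty"),
    Signal(214, "tm_alert_closed_benign"),
    Signal(228, "tm_alert_escalated"),
    Signal(240, "sof_query_unanswered"),
]

def band_for(score):
    """Map a numeric score to a risk band."""
    band = BANDS[0][1]
    for lower, name in BANDS:
        if score >= lower:
            band = name
    return band

def dynamic_score(day, signals=SIGNALS, base=ONBOARDING_SCORE):
    """Onboarding score plus exponentially decayed behavioural signals.
    Pure decay is a simplification: in production a resolved signal is
    removed and an open one (an unanswered query) is held at full weight."""
    total = base
    for s in signals:
        if s.day <= day:
            total += SIGNAL_WEIGHT[s.kind] * 0.5 ** ((day - s.day) / HALF_LIFE_DAYS)
    return round(total, 4)

def calendar_driven_band(day, base=ONBOARDING_SCORE):
    """What the customer file says under a periodic cycle: the onboarding
    band until the scheduled refresh day, then a recomputation."""
    if day < PERIODIC_REVIEW_DAY:
        return band_for(base)
    return band_for(dynamic_score(day, base=base))

def isolated_band(kind, base=ONBOARDING_SCORE):
    """Rating if one signal is assessed on its own against the onboarding score."""
    return band_for(base + SIGNAL_WEIGHT[kind])

def review_triggers(horizon_days, signals=SIGNALS, base=ONBOARDING_SCORE):
    """Days on which the dynamic band changes; each one is an event-led review."""
    triggers = []
    previous = band_for(base)
    for day in range(horizon_days + 1):
        current = band_for(dynamic_score(day, signals, base))
        if current != previous:
            triggers.append((day, previous, current))
            previous = current
    return triggers

if __name__ == "__main__":
    for kind in SIGNAL_WEIGHT:
        print(f"{kind:26s} in isolation -> {isolated_band(kind)}")
    for day, before, after in review_triggers(365):
        print(f"day {day}: {before} -> {after} (score {dynamic_score(day)}), "
              f"customer file still says {calendar_driven_band(day)}")
```

Run stand-alone, the script shows that no signal changes the rating on its own, while the accumulated score crosses into "medium" on day 200 and "high" on day 240, at which point the periodic-review file still reads "low" and will do so for roughly another two years. Each band change is the event that pulls an investigator in; a crossing back down is equally a trigger, which is why the half-life and band edges need tuning against real alert volumes before this kind of score is used to route work.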
The false positive paradox
Of course, what we tend to find is that the moment institutions talk about deeper behavioral monitoring, the same concern crops up: false positives.
Banks already know this problem well. Rules-based transaction monitoring generates vast volumes of alerts, with industry research from Datos Insights consistently showing that 90% to 95% of alerts turn out not to involve suspicious activity. Investigators spend enormous effort reviewing legitimate behavior to isolate a small number of genuine risks.
This is why many compliance teams are cautious about expanding continuous monitoring at the customer level. The concern is signal quality: turning more data into more alerts increases operational strain without improving understanding.
That concern is justified when monitoring relies on static thresholds and fixed rules.
However, dynamic EDD depends on learning systems that can interpret patterns over time, across customers, and in context. It then translates that learning into improved risk assessment rather than more noise. Without that capability, “continuous” monitoring becomes continuous alert fatigue.
The engine of intelligence: Federated Learning

Dynamic customer risk assessment has always struggled with one fundamental constraint: context. To interpret behavior accurately, institutions need to understand what emerging risk actually looks like, i.e. beyond their own four walls.
Criminals operate in global networks while banks operate in data islands. This isolation is the single greatest advantage the money launderer possesses.
Federated Learning (FL) changes how institutions learn. It enables banks to collaborate on risk intelligence without sharing customer data, breaching privacy, or centralising sensitive information. Rather than pooling data, the learning is distributed. Here is how it works:
- The model travels: a shared risk model is deployed within each bank's secure environment
- The learning happens: the model learns from local transactional and behavioral patterns
- The insight returns: only model updates (weight changes or gradients) are shared, never customer records. Those updates are not information-free, which is why production deployments pair FL with secure aggregation and differential privacy, so that no single institution's contribution can be read back by the coordinator or by the other participants

What emerges is a continuously evolving understanding of risk patterns, informed by activity observed across institutions and geographies.
Crucially, Federated Learning is not an alerting engine. It does not replace transaction monitoring, pKYC tooling, or case management. Instead, it feeds those systems with learned intelligence, such as newly discovered typologies, shifting behavioral patterns, and updated risk weightings, allowing customer risk assessments to evolve continuously rather than episodically.
This collective learning effect is sometimes described as “collective immunity.” When a new risk pattern emerges in one part of the network, that insight can be incorporated elsewhere without delay. Over time, this improves signal quality, sharpens prioritization, and supports earlier, evidence-led intervention.
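The three steps above (model travels, learning happens, insight returns) are the federated averaging scheme. The block below is an added example, not the post's or any vendor's code: a small logistic-regression risk model trained across three institutions with FedAvg (McMahan et al., 2017). The bank names, the three behavioural features and every data row are constructed for the illustration. Bank C has never seen the structuring typology that banks A and B have confirmed cases of, which is the "collective immunity" situation described above; the probe at the end is a structuring case as it would first appear at bank C.

```python
"""Federated averaging (FedAvg) of a small logistic-regression risk model
across three institutions, without any customer row leaving its bank.

Added illustration, not the post's or any vendor's code. Bank names, the
feature set and every data row are constructed for the example.
"""
import math

# Features per customer-month, each scaled to [0, 1] (assumed feature set):
#   hr_share     share of outbound value sent to high-risk jurisdictions
#   round_share  share of transactions in round amounts
#   velocity     rise in transaction count against the customer's own baseline
# Label 1 = escalated and confirmed suspicious, 0 = reviewed and benign.
BANK_DATA = {
    # Banks A and B have confirmed cases of both the high-risk-jurisdiction
    # typology and the structuring typology (round amounts plus high velocity).
    "bank_a": [
        ((0.9, 0.2, 0.3), 1), ((0.8, 0.4, 0.4), 1),
        ((0.2, 0.9, 0.8), 1), ((0.1, 0.8, 0.9), 1),
        ((0.1, 0.2, 0.2), 0), ((0.3, 0.1, 0.3), 0),
        ((0.2, 0.5, 0.1), 0), ((0.4, 0.2, 0.2), 0),
    ],
    "bank_b": [
        ((0.7, 0.5, 0.3), 1), ((0.3, 0.8, 0.9), 1),
        ((0.2, 0.9, 0.9), 1), ((0.95, 0.3, 0.2), 1),
        ((0.2, 0.3, 0.3), 0), ((0.1, 0.6, 0.1), 0),
        ((0.3, 0.3, 0.2), 0), ((0.1, 0.1, 0.6), 0),
    ],
    # Bank C has only ever seen the high-risk-jurisdiction typology.
    "bank_c": [
        ((0.9, 0.3, 0.2), 1), ((0.8, 0.3, 0.4), 1), ((0.85, 0.4, 0.3), 1),
        ((0.2, 0.2, 0.3), 0), ((0.3, 0.4, 0.2), 0), ((0.1, 0.3, 0.4), 0),
        ((0.4, 0.1, 0.2), 0), ((0.2, 0.4, 0.4), 0),
    ],
}
# A structuring case as it would first appear at bank C: unseen there locally.
PROBE_STRUCTURING = (0.15, 0.9, 0.85)

def predict_proba(w, x):
    """Logistic model: w[0] is the bias, w[1:] the feature weights."""
    z = w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))
    return 1.0 / (1.0 + math.exp(-z))

def gradient_step(w, rows, lr):
    """One full-batch gradient step on the mean logistic loss."""
    grad = [0.0] * len(w)
    for x, y in rows:
        err = predict_proba(w, x) - y
        grad[0] += err
        for j, xj in enumerate(x):
            grad[j + 1] += err * xj
    n = len(rows)
    return [wi - lr * g / n for wi, g in zip(w, grad)]

def local_update(w_global, rows, steps, lr):
    """Runs inside one bank. Returns only the weight delta and the row
    count; `rows` never leaves this function."""
    w = list(w_global)
    for _ in range(steps):
        w = gradient_step(w, rows, lr)
    delta = [a - b for a, b in zip(w, w_global)]
    return delta, len(rows)

def fed_avg(w_global, updates):
    """Coordinator step: average the deltas, each weighted by its row count."""
    total = sum(n for _, n in updates)
    merged = [0.0] * len(w_global)
    for delta, n in updates:
        for j, d in enumerate(delta):
            merged[j] += d * n / total
    return [a + b for a, b in zip(w_global, merged)]

def federated_train(bank_data, rounds=400, local_steps=5, lr=1.0):
    """Full FedAvg loop. Only (delta, n) pairs cross the institutional
    boundary. Such deltas still carry information about the local rows;
    a real deployment adds secure aggregation and/or differential privacy,
    which this example does not implement."""
    n_features = len(next(iter(bank_data.values()))[0][0])
    w = [0.0] * (n_features + 1)
    for _ in range(rounds):
        updates = [local_update(w, rows, local_steps, lr) for rows in bank_data.values()]
        w = fed_avg(w, updates)
    return w

def local_only_train(rows, rounds=400, local_steps=5, lr=1.0):
    """Same step budget on one bank's data alone, for comparison."""
    w = [0.0] * (len(rows[0][0]) + 1)
    for _ in range(rounds * local_steps):
        w = gradient_step(w, rows, lr)
    return w

def accuracy(w, rows):
    hits = sum((predict_proba(w, x) > 0.5) == bool(y) for x, y in rows)
    return hits / len(rows)

if __name__ == "__main__":
    w_fed = federated_train(BANK_DATA)
    w_c = local_only_train(BANK_DATA["bank_c"])
    every_row = [r for rows in BANK_DATA.values() for r in rows]
    print(f"federated model accuracy over all banks: {accuracy(w_fed, every_row):.2f}")
    print(f"structuring probe at bank C: federated p={predict_proba(w_fed, PROBE_STRUCTURING):.2f}, "
          f"bank C alone p={predict_proba(w_c, PROBE_STRUCTURING):.2f}")
```

The point to take from the code is which objects cross the boundary: `local_update` returns a four-element delta and a row count, and `fed_avg` consumes nothing else. The probe comparison in `__main__` shows the federated model scoring bank C's first structuring case from what banks A and B learned, whereas the model trained on bank C's rows alone has nothing to learn that pattern from. The security caveat in the comments stands: a delta is a function of the rows it was computed from, so a coordinator that sees per-bank deltas in the clear, as this toy does, is not yet a privacy-preserving design.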
| A quick note on ISO 20022 and real-time payments: The urgency for this change in approach is compounded by the global migration to ISO 20022. Payments are becoming richer in data, more structured, and increasingly real-time. As money moves in milliseconds, customer risk understanding must evolve at a comparable pace. A framework that refreshes risk assumptions every few years is structurally misaligned with instant payments and continuously changing exposure. Dynamic, continuously learned customer risk assessment can fully exploit ISO 20022 data and keep pace with modern payment rails. It allows institutions to incorporate new information as it arrives and demonstrate that learning is occurring. |
The human element: freeing the investigator

One of the most persistent myths about automation in financial crime is that it replaces human judgment. In practice, it determines where that judgment is applied.
Today, highly skilled investigators spend a disproportionate amount of time on low-value work. Calendar-driven reviews require teams to gather documents, verify static information, and reconfirm low-risk assumptions, even when customer behavior has not meaningfully changed.
Dynamic customer risk assessment changes this allocation of effort. The system continuously evaluates behavioral signals across the customer base and updates risk understanding in the background. Static checks and transaction monitoring continue to operate, but emerging patterns are interpreted in context rather than handled in isolation.
Investigators are engaged when behavior indicates a genuine shift in risk trajectory, not simply because a review date has arrived or an isolated threshold has been crossed.
This moves the investigator’s role from document collector to risk analyst. Time is spent on complex, high-priority cases where judgment, experience, and intuition add real value, rather than working through routine refresh cycles with limited risk return.
| The business case for perpetual KYC (pKYC)
Perpetual KYC is often framed as a compliance cost. Implemented as a dynamic, learning-led capability, it becomes a strategic control that addresses long-standing structural problems in AML.
1. From blunt de-risking to precision exits
Banks already exit customers. The challenge is how exits are used. In many cases, exits serve to reduce exposure when signal quality is poor or alert volumes overwhelm teams. Entire sectors or regions are sometimes avoided because periodic EDD and manual review are too costly to sustain.
Dynamic risk assessment enables a different approach. Customer exits remain part of the toolkit, but they become evidence-led, earlier, and more targeted. Institutions can retain higher-risk sectors while intervening precisely where behavior justifies it, supporting both risk management and financial inclusion.
2. Customer experience as a control outcome
Few things damage trust faster than unexplained account freezes or repeated requests for outdated documentation. Calendar-driven reviews create friction for low-risk customers while failing to surface emerging risk quickly enough.
Dynamic EDD reverses this. Customers whose behavior remains consistent with their profile experience minimal disruption. Engagement is reserved for when behavior genuinely changes and risk understanding must be updated. In this way, customer experience becomes a byproduct of better risk intelligence, not a trade-off against compliance. |
From periodic reviews to perpetual KYC (pKYC)
Periodic reviews were designed for an earlier era, when customer files were static, information moved slowly, and reassessment depended on manual effort. They still have a role, but they were never built to carry the full weight of modern financial crime risk.
Perpetual KYC reflects a different operating model. Customer risk is continuously reassessed as new information emerges, behavior evolves, and typologies change. Learning becomes ongoing rather than episodic.
Federated Learning makes this model viable at scale. It allows institutions to incorporate global risk intelligence, update customer understanding continuously, and demonstrate that risk assessments evolve over time. And it does this without sharing customer data or centralising sensitive information. Talk to us and see Federated Learning in action, and learn how to gain global intelligence without ever sharing client data.