As costs and compliance requirements around customer due diligence have mounted up, so has demand for automated solutions. But these, too, have struggled to keep Know Your Customer operations up to speed and ahead of regulatory changes and risk exposures.
Enter pKYC – perpetual Know Your Customer – a relatively new technological iteration for continuous monitoring and updating by leveraging real-time data and advanced analytics, and in the process reducing reliance on labor-intensive periodic reviews while improving risk detection and enhancing the customer experience.
Commenting on a warning from OpenAI chief executive Sam Altman that artificial intelligence threatens to defeat security measures and controls, longtime financial technology trend-watcher Chris Skinner said in a blog that facial recognition and voice prints will have to be rethought.
“The answer is always-on KYC compliance checks, or perpetual KYC,” Skinner wrote. To verify that contacts are with humans and not with bots, and to ensure that “every touch and call is real” and not a deepfake, “is quite a challenge, but always-on authentication, verification and identification using always-on analytics to deliver perpetual KYC is the new order of the day.”
According to PwC, KYC processes can account for as much as 3% of a bank’s operational costs. Automating these processes can cut costs by 60% to 80%, or $14.4 million annually for a medium-sized bank’s book of corporate customers and $13.2 million for retail.
Four of 10 pKYC process steps with applied technologies, as mapped out by PwC.
Beyond cost savings, automation reduces human error in repetitive tasks by leveraging machine learning to capture and store regulatory data. Entire workflows can be automated while ensuring compliance, efficiency and scalability.
Pushing this technology frontier, Capgemini in April rolled out a “first-of-its-kind” sandbox – “a safe and secure test environment for firms to visualize how they can transition to a pKYC process and demonstrate its effectiveness to senior management and regulators.”
“Static KYC processes present opportunities for financial criminals to exploit gaps and weaknesses for money laundering and other fraudulent activities,” Manish Chopra, global head of risk and financial crime compliance, said in a statement. “We firmly believe that perpetual KYC is the approach needed to protect financial institutions from undue risk, enforcement actions and large fines.
Manish Chopra of Capgemini
“The pKYC sandbox capability marks a significant advance for industry compliance, meeting regulators’ growing expectations of responsible innovation. It is an actionable measure for financial institutions to demonstrate how they are mitigating inherent risk exposure more effectively.”
Ivar Lammers, ING’s global head of financial crime prevention for wholesale banking, said that “as traditional KYC models struggle to address real-world challenges, perpetual KYC is the shift required to rapidly respond to customer behavior changes and drive smarter compliance. Capgemini’s pKYC sandbox is an impressive blend of visualizing the effectiveness of KYC processes in action and experimenting with new tools in a secure environment, all without risking customer data and optimizing infrastructure cost.”
Ty Francis, chief advisory officer at LRN Corp., remarks that as KYC is a foundational element of anti-money laundering (AML) and countering the financing of terrorism (CFT), “It will come as no surprise that regulatory expectations in this area are continuously evolving and growing. There is a definitive shift from traditional, static, periodic KYC reviews to more dynamic, risk-based and data-driven approaches – event-driven monitoring that triggers alerts when significant changes occur in a customer's profile.”
As an example of regulatory escalation, Francis points out that the European Banking Authority explicitly states that "AI-driven transaction monitoring, automated risk scoring, and real-time data analytics will be non-negotiable" for firms to keep up with requirements.
Data, pulled in and processed from multiple sources, is a key part of the pKYC equation. Karin Yuklea, an AML and customer due diligence expert with antifraud fintech Feedzai, says that bank KYC processes are called in early for client onboarding – when initial information is gathered, verified and evaluated. They continue with periodic (or perpetual) data refreshes and monitoring of risks throughout the customer life cycle.
Karin Yuklea of Feedzai
“Implementation can become very complex, especially when involving business entities and higher-risk individuals, and include many disparate data sources that need to be collated and correlated,” Yuklea explains. “A big challenge for banks is balancing the need for robust compliance processes with business considerations, as inefficient KYC processes can negatively impact client experience and result in loss of business.”
Another challenge lies in keeping KYC information updated in periodic reviews that traditionally may have taken place between quarterly and every few years.
At those frequencies, risk changes may go undetected, or labor-intensive reviews may be deemed necessary. “This is why the industry is increasingly moving [to pKYC], which is based on ongoing monitoring of KYC data and triggers reviews when a significant change in risk is identified,” Yuklea adds.
“Event-driven triggers, such as ownership changes or regulatory shifts, can be effectively managed only if banks have access to accurate and complete client data,” Alex Ford of Encompass Corp. wrote in a December 2024 GARP article. “To fully leverage CDI [corporate digital identity] and pKYC, financial institutions need to invest in an ecosystem of technology. This might include in-house solutions, third-party regulatory technology or a hybrid of both.”
Beth Herron, Americas AML lead at SAS, cites multiple factors driving pKYC, including emerging financial crime threats, geopolitical uncertainty, and the pace of the financial industry’s digital transformation.
“One of the biggest pain points we’re hearing from financial institutions is scale,” Herron says. “When customer data lives across disconnected systems . . . manual processes aren’t only time-consuming, they’re prone to error. Add to that the issue of inconsistent risk scoring models and the pressure to deliver a smooth customer experience, and you’ve got a real balancing act.”
"Synthetic identities and account takeovers are harder to detect with traditional KYC tools," Herron observes. "Spotting modern-day threats often requires integrating third-party data, behavioral analytics and signals that most banks haven’t historically tapped into – or, worse, don’t yet have the infrastructure to use effectively."
Don Johnson, principal in EY’s Financial Crimes Compliance practice, notes that virtually every institution risk-rates customers based on various attributes and heightens due-diligence for higher risk profiles. The complexity is especially great for organizations with sizable international footprints.
Don Johnson of EY
"For an institutional business, and to a lesser extent for a wealth management business, current periodic KYC review processes are very labor-intensive, operationally burdensome and not particularly effective,” Johnson asserts.
Review periods might be every five years for low-risk customers, three years for medium-risk and annually for high-risk. Requests for information (RFIs) can cause friction, with customers slow to respond. PKYC can ease trigger-based reviews, but global banks can’t depend on it entirely “as some jurisdictions require periodic reviews, and the availability of reliable trigger sources is not widespread,” Johnson says.
Len Zhang, director of fraud solutions, DataVisor, mentions predictive and preventive anti-crime and -fraud benefits from continuous KYC, adding, "The costs of post-breach remediation, including financial losses, legal fees, and regulatory penalties, far exceed the investment in prevention. Plus, there is an enhanced benefit of customer trust, whereby proactive, invisible security measures that protect customers without creating friction build trust and maintain a seamless customer journey.”
"While many financial institutions are still reliant on legacy systems and manual processes, the most effective approach to identity verification today involves shifting from validating 'who you claim to be' to analyzing 'how you actually behave," Zhang says. “This means implementing robust transaction monitoring and analyzing behaviors like typing patterns, navigation and transaction histories to create unique identity footprints. This is especially crucial for stopping sophisticated criminal groups that use machine learning to identify high-value targets and create convincing deepfakes or synthetic identities."