Perpetual KYC: A Risk and Due-Diligence Breakthrough, but It Takes Some Work

Written by Jim Romeo | May 22, 2026

Continuous know your customer (KYC) monitoring is widely endorsed as a best practice and trendily labeled perpetual KYC (pKYC). Although it promises significant operational and competitive benefits, it is more complex and transformational than a simple upgrade.

Samar Pratt of Capgemini puts it in terms of an “operational reset,” recognizing that the legacy practice of periodic compliance reviews does not align with the requirements – and evolving regulations – of a world in which ownership structures, digital identities, geopolitical exposures and transactional behaviors can shift rapidly, in turn affecting risk profiles and exposures.

"Instead of rediscovering risk during a scheduled KYC review, firms should be able to proactively detect meaningful changes in a customer’s risk profile in near-real-time," says Pratt, global leader, Financial Crime Compliance Advisory Solutions, and a contributor to a Capgemini Reimagining KYC white paper. It posits a “pKYC triad” of data modernization, intelligent automation and intelligent analytics.

“The pKYC triad – data modernization, intelligent automation and intelligent analytics – forms the operating core of the perpetual model,” says Capgemini.

"Over the next three to five years,” Pratt continues, “we can expect KYC programs to move toward continuous risk assessment architectures combining external data feeds, AI-driven anomaly detection, and regulatory intelligence platforms that translate regulatory change directly into updated controls.

“The future of KYC is not periodic remediation; it’s always-on awareness."

“No Longer Theoretical”

The transition from traditional, calendar‑based KYC refresh cycles “is no longer a theoretical future state, but a rapidly maturing expectation reinforced by regulators, global supervisory bodies, and the market’s most advanced institutions,” observes Crystal Trout of Baker Tilly’s Risk Advisory practice.

For decades, she says, financial institutions typically conducted KYC reviews every three or five years depending on assigned risk tiers. “Material changes in beneficial ownership, sanctions exposure, transaction activity, or adverse media can go undetected.”

“Institutions such as TD Bank have faced large‑scale regulatory scrutiny tied to deficient monitoring and delayed detection of suspicious activity – clear indicators that static KYC frameworks are no longer defensible," the Baker Tilly expert adds. “Always-on” pKYC monitoring “triggers updates the moment risk‑relevant information changes.”

Braden Perry, co-founder and partner of the Kennyhertz Perry law firm, says that annual or less frequent due diligence may have been sufficient for a slower, less interconnected financial world “when customer profiles changed gradually, and transaction volumes and product offerings were more manageable.

"The fundamental flaw is that risk doesn’t operate on a schedule. A customer ownership structure can change overnight; a politically exposed person can assume or vacate a government role between review cycles; and sanction designations can be imposed or removed on a whim. These are changes in real time that can leave a risk gap and lead to a compliance or regulatory issue.”

Accent on Automation

Capgemini's Pratt says that clinging to the old model, with heavy reliance on manual processes, costs institutions more and produces weaker risk outcomes than “automated monitoring frameworks [that] can detect live changes in customer behavior, ownership structures” and other key data points.

Early pKYC adopters report “70% reduction in investigative backlogs,” she says. “Compliance teams spend less time chasing paperwork and more time investigating meaningful risk signals. The choice becomes increasingly stark: Automate KYC and achieve visibility into risk, or maintain legacy processes and accept higher costs, slower detection, and greater regulatory exposure."

Emily Griffin, director of Moody’s Financial Crimes Compliance practice, says that “unexpected backlogs stemming from time-based reviews, failure to identify changes and new risks, and delayed response times can result in a range of adverse outcomes, including the need to rapidly deploy additional resources, hastily onboard new vendors, and increased exposure to regulatory findings or enforcement actions.

“These challenges are particularly applicable to large, global financial institutions that operate across multiple jurisdictions, manage diverse client populations, and support varied business segments."

Although global financial institutions have strongly advocated a more risk-based approach, Griffin notes, “they may also face the greatest obstacles to adoption due to legacy infrastructure, the high cost of technology transformation, and institutional risk aversion.

"Concerns about the possibility of a compliance 'miss' will persist, as the risk of failing to identify a genuine threat can never be fully eliminated," she elaborates. “As a result, banks are unlikely to completely abandon periodic client reviews and refreshes. Nevertheless, the continued push to modernize programs, reduce redundancy, and respond more rapidly to emerging risks will be a defining driver of the next generation of KYC and CDD [customer due diligence]."

A Matter of Urgency

A sluggish modernization pace is a competitive liability, Pratt asserts. That is an implication of an emerging wave of Bank Secrecy Act/anti-money laundering rules and Financial Crimes Enforcement Network (FinCEN) reforms.

"In practice, that expectation pushes firms toward” pKYC and dynamic risk assessment, Pratt states. "While U.S. regulators have rarely used the term 'pKYC,' the direction of supervision increasingly points toward firms making decisions that are traceable, timely, and evidence-based.”

The Capgemini advisor warns that the cost and competitive gap can widen between pKYC adopters and those that are slower to ramp up: "Institutions that build the organizational muscle to make these changes now will compound their advantages over time. Those that delay modernization risk falling behind both regulators and competitors.”