
KYC Ongoing Monitoring Requirements: Periodic to Event-Driven
Many compliance teams treat ongoing monitoring as a periodic process organised around a risk-tier calendar — high risk customers every 12 months, medium risk customers every 24 months, low risk customers every 36 months — supplemented by trigger refreshes. That is the legacy KYC operating model regulator-handbook and RegTech-explainer pages document for financial institutions. AMLR Recital 69, framing the intent of Article 26 (applying across EU Member States from 10 July 2027), writes reviews must be "conducted on a periodic basis but shall also be triggered by changes in relevant circumstances of the customer." The FCA's 8 April 2026 findings record institutions have "a lack of clarity over what they should do if an event-driven review happens." The direction runs toward event-driven re-attestation, and the cryptographic mechanism that makes that destination tractable is what we walk in §5.
AML compliance under the legacy periodic operating model
The periodic model is the inherited shape of ongoing monitoring across the AML regulations spanning FATF, JMLSG and the FCA Handbook — the AML programme most institutions still document. It runs the KYC monitoring process as a cadence keyed to customer risk profiles, supplemented by triggers. Most institutions can articulate the cadence; many cannot say what it is for. That confusion is the AML compliance gap regulators keep finding across the customers financial institutions onboard.
Periodic refresh on a risk-tier calendar
The bank sorts customers into risk profiles — high risk, medium risk, low risk — and sets monitoring requirements per risk-tier on a risk-based approach, pairing each band with the AML process the firm has documented. JMLSG Part I, §5.7 (board-approved December 2021) describes ongoing monitoring of customers as "scrutiny of transactions undertaken throughout the course of the relationship" with documents and information "kept up to date" (9). FCA Handbook FCG 3.2 mirrors it: a firm "must conduct ongoing monitoring of its business relationships on a risk-sensitive basis, with enhanced due diligence and ongoing monitoring required in higher risk situations" (7). Both formulations assume the bank holds copies of identifying documents and verifies its customers on the schedule the risk profiles dictate, reflecting the AML procedures documented under the money laundering regulations.
Where the periodic process cracks
Two failure modes follow. First, customer data between cycles goes stale: customers' circumstances can change materially the day after a periodic review and remain undetected for up to 36 months. Second, document-warehousing re-verifies the customer's PII at every monitoring cycle — the same documents the bank already holds. The Wolfsberg Group's July 2024 Statement on Effective Monitoring for Suspicious Activity, Part I: Moving Beyond Automated Transaction Monitoring names the cost: "efficiency could be gained by enabling data exchange between the periodic/perpetual CDD review and the MSA control" (10). The periodic review process should detect changes in customers' risk profile and surface money laundering risk between cycles; a periodic cadence does not.
AMLR Article 26 and the direction of travel in AML regulations
The legal anchor for the next operating model is AMLR Article 26, titled "Ongoing monitoring of the business relationship and monitoring of transactions performed by customers." AMLA, established under Regulation (EU) 2024/1620 (2) and seated in Frankfurt, will issue the regulatory standards operationalising what AML regulations require of the EU AML estate.
Article 26(1): the monitoring-system obligation
Article 26(1) writes "Obliged entities shall conduct ongoing monitoring of business relationships, including transactions undertaken by the customer throughout the course of a business relationship, to ensure that those transactions are consistent with the obliged entity's knowledge of the customer" (1). The framing is ongoing-monitoring-first; the obligation is continuous across the customer relationship, with the transactions inside that relationship as the monitored stream — not a periodic snapshot. A periodic schedule is not a monitoring system in the sense Article 26(1) intends. The risk-based approach drops into Article 26(2)-(3), requiring obliged entities to apply the depth and frequency the relationship merits.
Recital 69 and Article 26(3): periodic plus event-triggered
The operative passage in Recital 69 — the recital that frames Article 26's intent — reads: "Reviews shall be conducted on a periodic basis but shall also be triggered by changes in relevant circumstances of the customer" (1). Two words carry the weight — "but shall also." Article 26(3) then enumerates the trigger events: a change in the relevant circumstances of a customer, a legal obligation to contact the customer in the calendar year, and others. The regulatory expectation is that reviews are not exclusively periodic; they are also event-triggered. The regulatory requirements address both: the periodic cadence is one rail, the trigger rail is the other, and the KYC monitoring process must run both, responding to changes in customers' risk profile as Article 26(3) anticipates.
Enhanced ongoing monitoring for higher-risk customers
AMLR Article 28 raises the bar for higher-risk customers under the enhanced customer due diligence regime. FCG 3.2 is identical: "enhanced due diligence and ongoing monitoring required in higher risk situations" (7). The Article 28 compliance requirements run more frequent cycles, broader signal coverage, and enhanced ongoing monitoring for the high risk customers — the procedures financial institutions must build their high risk customer process around. The full AMLR architecture for ongoing CDD is in our piece on What AMLA Actually Means by Ongoing Customer Due Diligence.
What the FCA's recurring findings reveal
The supervisory record maps the same gap onto financial institutions the FCA supervises; AML monitoring expectations land on the same four-anchor pattern across the customers those institutions onboard. Two thematic reviews, one Dear CEO letter, one Final Notice and one Policy Statement form a continuity: periodic apparatus underdefined, trigger rail undefined, customer data unreliable.
Customer due diligence processes and controls — FCA findings 8 April 2026
The FCA's Firms' customer due diligence processes and controls: our findings, published 8 April 2026, is the headline anchor. It reports "some firms didn't have enough detail on how often periodic reviews should take place, and a lack of clarity over what they should do if an event-driven review happens" (4). Monitoring cycles were inconsistently defined across firms (4). Institutions knew the cadence existed; they did not know which signals counted or what each cycle should produce — the ongoing monitoring requirements firms must articulate around the periodic review process were never defined clearly enough to verify, leaving the ongoing monitoring obligation unevidenced and the FCA unable to detect the gap.
Where customer data goes stale — sanctions findings 28 May 2026
The FCA's Sanctions systems and controls in our firms: our findings, published 28 May 2026, is the corollary. The same gap appears: "Ongoing monitoring could be limited or focused on PEPs, rather than taking a broader view of sanctions risk" (8). The deeper finding is data-quality: the FCA found "gaps in firms' internal customer records, such as dates of birth that were missing, incomplete, or entered as placeholder values" (8). When records carry placeholders, a real-time screening feed cannot reliably identify a designated person against the bank's onboarded customers; the screening process output becomes noise across financial institutions the FCA supervises.
The Starling Bank pattern — Final Notice 2 October 2024
The FCA's £28,959,426 Final Notice against Starling Bank Limited, dated 2 October 2024, is the enforcement exemplar. Starling grew from 43,000 customers in 2017 to 3.6 million in 2023, and "measures to tackle financial crime did not keep pace with its business growth" (6). Its automated screening system "had only been screening customers against a fraction of the full list of those subject to financial sanctions" since 2017. Despite a 2021 Voluntary Requirement, Starling opened over 54,000 accounts for 49,000 high risk customers between September 2021 and November 2023 (6) — a customer-tier failure the monitoring requirements should have flagged. The same pattern shows up in our research on Synthetic Identity Fraud.
Supervisory direction of travel — PS24/17 and Dear CEO 5 March 2024
The FCA's Policy Statement PS24/17 — Financial Crime Guide Changes, published 29 November 2024, formalises the Handbook direction. PS24/17 "encourages firms to adopt advanced transaction monitoring systems to improve efficiencies in detecting suspicious activity" (7) and references AI's emerging role. The Dear CEO letter to Annex 1 entities had already named the pattern: common failings "in relation to due diligence, ongoing monitoring, policies and procedures, governance" and "financial crime controls which had not kept pace with business growth" (5). PS24/17, the Dear CEO letter and the two 2026 findings are the same regulatory standards expectation made four times.

From periodic refresh to event-driven re-attestation: the KYC operating model in transit
Closing the FCA's identified gap requires a defined trigger set, data feeds carrying the trigger signals, and a refresh mechanism for the response when a trigger lands.
Three operating models for the ongoing monitoring obligation
Periodic refresh, trigger-based review and continuous monitoring are three distinct operating models — not three names for the same thing. Each carries different ongoing monitoring requirements and a different KYC process discipline. Periodic refresh schedules monitoring cycles on the calendar regardless of whether the customer's risk shifts between cycles. The trigger-based review process fires a response on identifiable triggers — sanctions listings, PEP designations, beneficial ownership changes, adverse media hits, transaction-pattern signals — each with a defined CDD response that lets the bank detect the trigger early and act on its customers between cycles. Continuous monitoring is the security-engineering term for a streaming-signal pipeline. Vendor pages describe perpetual KYC as continuous monitoring; the operational reality is closer to event-driven CDD on a defined trigger set, and the ongoing monitoring stack should reflect the distinction. Wolfsberg's July 2024 framing keeps it clean: transaction monitoring is "a sub-set of MSA, which might also include concepts such as ongoing Customer Due Diligence (CDD)" (10).
Reviews of existing records — what FATF Recommendation 10 requires
FATF Recommendation 10, in the consolidated October 2025 text, requires financial institutions to "conduct ongoing due diligence on the business relationship" including "undertaking reviews of existing records, particularly for higher risk categories of customers" (3). The engineering question the periodic model leaves implicit: when the bank reviews records, is it re-pulling underlying PII at every cycle, or re-verifying against the issuer source and updating firm-side only when the answer changes? The first is document-warehousing dressed up as monitoring; the second is what the obligation requires architecturally.
Trigger sets and falsifiable data feeds
A defensible trigger set typically includes real-time sanctions screening on OFAC, OFSI and EU consolidated-list updates; real-time PEP-list refresh against politically exposed person (PEP) databases; real-time adverse media feeds against the customer book; real-time registry changes surfacing beneficial ownership deltas; and transaction-pattern signals from the bank's automated monitoring system — ongoing monitoring trigger feeds that carry the signals between cycles. Each trigger pairs with a defined response, scoped to the change, and the customer's risk score is recomputed against the trigger set so the bank can detect the trigger when the signal lands. Per Liminal's Link Index Report — AML KYC Compliance 2025, "72% of institutions plan to adopt perpetual KYC within two years" (12). Automated alert triage and automated sanctions screening on the AML trigger sets is what automation delivers; financial institutions building trigger sets combine these feeds to match the customer book and identify the change as it surfaces. The transaction-monitoring side is treated in our analysis on Indirect Exposure Crypto Compliance.

Verifier-private re-attestation as the architectural answer
What does event-driven re-attestation look like as a compliance flow, not a process diagram? The answer rests on a cryptographic property the W3C codified on 15 May 2025.
The W3C verifier-private model in plain terms
The W3C Verifiable Credentials Data Model v2.0, a W3C Recommendation since 15 May 2025, defines a three-party ecosystem: an issuer signs a credential, a holder holds it, a verifier checks it. The mechanism that matters for ongoing monitoring is selective disclosure (11): holders of verifiable credentials can provide verifiers a subset of a credential rather than the whole, without re-presenting the underlying private data. A verifying institution can receive a fresh proof — that the customer remains not sanctioned, not PEP-listed, age-attested, document-verified — without receiving the PII the issuer holds. The bank verifies proof of compliance, not raw records.
Re-attestation without re-pulling PII
The mechanism that follows is event-driven re-attestation. When a trigger fires — a beneficial owner change at the corporate registry, a sanctions match, a PEP designation, a material change in customer behaviour — the holder re-presents the attestation, re-firing verification against the issuer source so the bank can verify the customer's current status. The verifying institution receives a fresh proof, cryptographically bound to the moment, without re-pulling customer data — the verifier can identify the current status without warehousing PII at every event. This is the mechanism that makes the AMLR Recital 69 and Article 26(3) destination tractable at scale.
What Verifyo does and what it does not do
Verifyo issues attestations at verification time and refreshes on the fixed expiry cadence; Verifyo does not run continuous monitoring. The architectural property of reusable verifier-private attestation is that re-verification can re-fire on event without re-pulling underlying PII — closer to what "continuously current customer-risk understanding" requires than periodic document-warehousing delivers. This is what the architecture delivers; Verifyo does not run continuous monitoring as a service. The verifying platform integrates against a Zero-Knowledge KYC attestation rather than a copy of the customer's documents — the attestation reflects screening at verification (sanctions, PEP, adverse media, criminal, barred, military) and remains valid until expiry.
Closing verdict
The operating-model transition is the substance. Periodic refresh is being retired by the same regulatory standards that wrote it into the MLR 2017 baseline a decade ago. Event-driven re-attestation is what AMLR Recital 69 and Article 26(3) together describe and what the FCA's 8 April 2026 findings expect institutions to articulate as ongoing monitoring requirements. The KYC ongoing monitoring requirements stack should let institutions state, in CDD operating-model documentation, which triggers fire a response, which feeds carry the signals, and how the process the architecture replaces resolves without re-pulling customer PII at every cycle — closer to customers' current risk understanding than periodic document-warehousing delivers. The architecture that reaches the risk-understanding obligation is the regulatory direction of travel, and it is what compliance teams should be asking of their ongoing monitoring stack.
Sources
- (1) European Parliament and Council. Regulation (EU) 2024/1624 — AMLR Article 26 — Ongoing monitoring of the business relationship and monitoring of transactions performed by customers. 19 June 2024. https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng
- (2) European Parliament and Council. Regulation (EU) 2024/1620 — AMLA Authority Regulation. 19 June 2024. https://eur-lex.europa.eu/eli/reg/2024/1620/oj/eng
- (3) Financial Action Task Force. The FATF Recommendations — Recommendation 10 (Customer due diligence). Updated October 2025. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html
- (4) Financial Conduct Authority. Firms' customer due diligence processes and controls: our findings. 8 April 2026. https://www.fca.org.uk/publications/good-and-poor-practice/firms-customer-due-diligence-processes-and-controls-our-findings
- (5) Financial Conduct Authority. Dear CEO letter — Common control failings identified in anti-money laundering frameworks (Annex 1 firms). 5 March 2024. https://www.fca.org.uk/publication/correspondence/dear-ceo-letter-action-response-common-control-failings-anti-money-laundering-frameworks.pdf
- (6) Financial Conduct Authority. Final Notice — Starling Bank Limited (Financial crime systems and controls failings). 2 October 2024. https://www.fca.org.uk/news/press-releases/fca-fines-starling-bank-failings-financial-crime-systems-and-controls
- (7) Financial Conduct Authority. Policy Statement PS24/17 — Financial Crime Guide Changes. 29 November 2024. https://www.fca.org.uk/publication/policy/ps24-17.pdf
- (8) Financial Conduct Authority. Sanctions systems and controls in our firms: our findings. 28 May 2026. https://www.fca.org.uk/publications/good-and-poor-practice/sanctions-systems-and-controls-our-firms-our-findings
- (9) Joint Money Laundering Steering Group. Prevention of money laundering / combating terrorist financing — Guidance for the UK Financial Sector, Part I, Chapter 5 §5.7 (Monitoring customer activity). Board-approved December 2021; consolidated July 2022. https://www.jmlsg.org.uk/wp-content/uploads/2021/12/Board-approved_Part-I-Chapter-5.7_December-2021.pdf
- (10) The Wolfsberg Group. Statement on Effective Monitoring for Suspicious Activity, Part I: Moving Beyond Automated Transaction Monitoring. July 2024. https://wolfsberg-group.org/resources/202/168
- (11) World Wide Web Consortium. Verifiable Credentials Data Model v2.0 — W3C Recommendation. 15 May 2025. https://www.w3.org/TR/vc-data-model-2.0/
- (12) Liminal. Link Index Report — AML KYC Compliance 2025. 2025. https://liminal.co/reports/link-index/kyc-compliance/
Want to learn more?
Explore our other articles and stay up to date with the latest in zero-knowledge KYC and identity verification.
Browse all articles