
What AMLA Actually Means by Ongoing Customer Due Diligence
Most compliance functions treat ongoing customer due diligence as a refresh schedule — annual for low-risk customers, more frequent for high-risk customers, triggered by events in between. That is the operating reality of most customer due diligence (CDD) programmes. The architectural failure is quieter: the refresh schedule is a property of the document copy at the verifying institution, not of the customers whose risk profile it describes. That gap is where periodic-refresh CDD breaks.
AMLA’s draft Guidelines on ongoing monitoring under AMLR Article 26(5) opened for consultation on 3 June 2026; consultation closes 3 September (1). The Guidelines tell obliged entities how to monitor business relationships and identify the ML/TF risk shifts warranting a fresh review — framing ongoing monitoring as a continuously-current state, not a periodic refresh cycle. On the US side, the parallel CDD-reform direction lands through a different vehicle (see our coverage of the Trump executive order on BSA CDD reform). The regulatory direction-of-travel is the same: continuously-current understanding of customers is the new floor.
What “ongoing customer due diligence” actually requires under AMLR Article 26(5)
AMLR Article 26, the operative AML section on ongoing monitoring, obliges firms to monitor business relationships and the customers’ transactions to ensure those transactions are consistent with the firm’s knowledge of customers, business activity and risk profile, and where necessary the source and destination of funds (2). The obligation is to monitor “throughout the course of the relationship” — not “at refresh time”. Article 26(5) instructs AMLA to issue Guidelines for consistent customer monitoring, ML/TF risk-shift identification, and current CDD records.
AMLA’s draft Guidelines describe ongoing monitoring as maintaining “a clear and current understanding of a business relationship after it has been established” (1). The shift is from a refresh-event model to a continuously-current one. AMLR application is 10 July 2027; the operational design window is now.
Why periodic refresh fails — the architectural failure mode of CDD evidence
Periodic refresh is not the obligation. It is one implementation of it. The customer due diligence file under that implementation is a document time-stamped at collection and re-collected on a schedule. Two things break the model. First, customers’ circumstances change continuously between refreshes — new address, new beneficial ownership, new PEP exposure, new sanctions hit — and the file does not update until the next review. The institution cannot monitor identity changes between refreshes because the underlying CDD process samples evidence at refresh time. Second, every institution touching the same customer maintains its own evidence file: each onboarded venue is an independent PII liability for the same customers.
The customer due diligence process treats evidence as a one-time copy
The CDD process is structured around collection events: onboarding, trigger-based reviews, calendar refresh. Between events, the documents on file are the evidence in force, even when the underlying state has changed. The process is right for the evidence model it implements; the evidence model is the problem. A high-risk file may be touched multiple times a year, each touch re-collecting the same evidence.
UK MLR 2017 regulation 28, paragraph 11, requires firms to review existing records and keep the documents and information obtained for applying customer due diligence measures up-to-date — to monitor and verify the file on a continuing basis (4). Updating CDD records is part of the same statutory duty as collecting them. JMLSG Part I, Chapter 5.7 says ongoing monitoring “is not a once-a-year job” and controls must evolve with the customer’s risk profile (8). FCA Policy Statement PS24/17 flagged organisations with “low-quality CDD and KYC assessments and review backlogs, raising the risk of not identifying sanctioned individuals and entities” (9).

The regulator direction-of-travel beyond simplified due diligence and enhanced due diligence
FATF Recommendation 10 requires ongoing due diligence “throughout the course of [the business] relationship”. The Interpretive Note specifies that documents, data or information collected under the customer due diligence (CDD) process should be kept up-to-date by review of existing records, particularly for higher risk customer categories and their evolving risk profiles (3). Simplified due diligence and enhanced due diligence sit on either side of the standard tier, but the ongoing due diligence obligation applies across all three. Enhanced due diligence demands a deeper customer due diligence process for higher risk relationships, with higher-frequency review and additional CDD verification steps. The tier changes the depth of CDD measures; it does not turn the obligation off.
Wolfsberg’s 2024 Statement on Effective Monitoring for Suspicious Activity reframes ongoing CDD as part of a wider Monitoring for Suspicious Activity programme — a single suspicious-activity architecture rather than a separate periodic-refresh process (5). The 2025 Second Statement adds a responsible-transition framework for innovation (6). The architectural cousin is the perpetual-KYC argument we have set out before.
EBA amending Guidelines EBA/GL/2024/01 (applicable 30 December 2024) extended the customer due diligence (CDD) and ML/TF risk-factor framework to crypto-asset service providers, adding risk factors for customers’ transactions to or from self-hosted addresses, decentralised platforms, or providers not authorised under MiCA (7). CASPs must now apply the same monitoring duty as banks; the regulatory perimeter has widened, but the architectural challenge has not. Every new venue holds another PII copy of the customers it onboards.

Continuously current is not transaction surveillance — and not suspicious activity monitoring
“Continuously current” describes the evidence the firm holds about customers’ identity, risk profile, and screening status. It does not describe a real-time surveillance posture over customers’ transactions. The two controls are adjacent — Wolfsberg nests ongoing CDD inside Monitoring for Suspicious Activity (5) — but they are not the same. Transaction monitoring asks whether a transaction is consistent with what the firm knows about its customers’ activities. Continuously-current ongoing CDD asks whether what the firm knows about customers is still current. Firms typically deploy one engine for the activities and a separate process to ensure CDD information stays up-to-date; both need to be in sync to monitor high-risk transactions.
Anti money laundering vs continuously-current evidence
Inside an AML/CTF programme — the anti-money-laundering and counter-terrorism-financing framework — transaction monitoring detects unusual transactions and suspicious activities warranting a suspicious matter report (10). Ongoing CDD keeps the customer profile against which “unusual” is computed current, so AML monitoring rules identify the right baseline of customers’ activities. A monitoring engine running against a stale profile flags noise. A continuously-current profile sharpens the AML signal before the engine sees the customers’ transactions. Both halves of the programme have to work for the firm to identify suspicious activities reliably.
We build identity verification infrastructure at Verifyo, not transaction-monitoring infrastructure. RegTech tools like ComplyAdvantage, Chainalysis and Elliptic monitor customers’ transactions; we verify the identity behind the wallet. Our work sits earlier in the chain than the AML transaction-monitoring layer — the identity-and-screening evidence on which the monitoring rules depend. The two are separate procurement decisions.
The architectural property that delivers it — reusable verifier-private attestations refreshed against the original issuer
A continuously-current evidence model requires two things periodic refresh lacks: an evidence form refreshable without re-collecting documents from customers, and a refresh source more authoritative than the verifier’s file copy. The architectural property that delivers both is a reusable verifier-private attestation. The verifier issues a cryptographic proof against customers’ original identity documents at verification time. When the proof needs refreshing — a screening source updated, a document expired, a risk-relevant attribute changed — the refresh runs against the issuer source. We made the reusable-identity argument at greater depth in our piece on ending the re-KYC nightmare.
We must be precise about what this means for Verifyo. We do not run ongoing transaction monitoring at any tier. We do not run continuous adverse-media or sanctions re-screening on an existing attestation — the attestation reflects screening done at verification time and remains valid until documented expiry. We do not run KYB or counterparty verification. What we do offer is the reusable-attestation architecture itself: a single Zero-Knowledge KYC attestation that integrating platforms verify against without holding the underlying PII, refreshable on an expiry cadence that does not require re-collecting documents from customers per venue. The customer identification programme runs once at verification — the advanced technology of Zero-Knowledge KYC proofs against verified identity documents; the risk profile assessment refreshes against the issuer source, and the receiving venue holds proof, not customer data. AMLR Article 26 multi-product coverage is what makes this architecture relevant: one verification, many integrated venues.

Record keeping in a continuously-current evidence model
AML/CTF programmes require record keeping under MLR 2017 and AMLR for a defined retention period — typically five years after the end of the relationship. Under periodic refresh, records kept on customers are document copies and screening outputs. Under reusable attestation, the records kept are cryptographic proofs and issuer-source refresh logs — sufficient to demonstrate, on supervisory request, that the firm held current evidence on customers across the relationship lifetime without storing the documents that produced it. Supervisors receive the attestation chain plus the refresh ledger — evidence the firm’s view was current throughout.
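The refresh ledger described above can be sketched as follows. This is an added example, not Verifyo's code or format: the hash-chained layout and the field names are assumptions, and a SHA-256 digest of constructed bytes stands in for the stored attestation proof. The audit checks that the ledger has not been edited and lists any date ranges in which no valid attestation was held.

```python
import hashlib
import json
from datetime import date

GENESIS = "0" * 64
FIELDS = ("prev", "proof_digest", "valid_from", "valid_until")  # assumed layout

def entry_hash(entry):
    # Hash covers the previous entry's hash, so editing history breaks the chain.
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_refresh(ledger, proof, valid_from, valid_until):
    # Store only a digest of the attestation proof, never the documents behind it.
    entry = {"prev": ledger[-1]["hash"] if ledger else GENESIS,
             "proof_digest": hashlib.sha256(proof).hexdigest(),
             "valid_from": valid_from, "valid_until": valid_until}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)

def audit(ledger, start, end):
    """Return (chain_ok, gaps); gaps are [from, to) ranges with no valid attestation."""
    prev, chain_ok = GENESIS, True
    for e in ledger:
        if e["prev"] != prev or e["hash"] != entry_hash(e):
            chain_ok = False
            break
        prev = e["hash"]
    gaps, cursor = [], date.fromisoformat(start)
    end_d = date.fromisoformat(end)
    for e in sorted(ledger, key=lambda e: e["valid_from"]):
        vf = date.fromisoformat(e["valid_from"])
        vu = date.fromisoformat(e["valid_until"])
        if cursor < end_d and vf > cursor:
            gaps.append((cursor.isoformat(), min(vf, end_d).isoformat()))
        cursor = max(cursor, vu)
    if cursor < end_d:
        gaps.append((cursor.isoformat(), end_d.isoformat()))
    return chain_ok, gaps

def sample_ledger():
    # Constructed sample: three refreshes, the third one two weeks late.
    ledger = []
    append_refresh(ledger, b"constructed-proof-1", "2025-01-01", "2025-07-01")
    append_refresh(ledger, b"constructed-proof-2", "2025-07-01", "2025-10-01")
    append_refresh(ledger, b"constructed-proof-3", "2025-10-15", "2026-01-01")
    return ledger

if __name__ == "__main__":
    print(audit(sample_ledger(), "2025-01-01", "2026-01-01"))
```

A late refresh shows up as a dated gap rather than disappearing into the next review cycle, and an after-the-fact edit to close that gap fails the chain check.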
What this means for compliance teams running ongoing CDD today
Compliance teams running ongoing CDD on existing customers today have a planning window. AMLR application is 10 July 2027. The architectural question is whether your CDD evidence model delivers continuously-current understanding — or only periodic-refresh evidence currency. Higher risk relationships will be the hardest cases. If the answer is the second, three operator actions follow: audit which evidence on customers is genuinely refresh-bound (documents that expire) versus continuously changeable (sanctions, PEP, adverse media, risk-attribute changes); identify which refresh paths require re-collecting documents versus refreshing against the issuer source; and reduce per-venue PII liability where the same customers’ KYC sits in multiple places. The regulatory clock started running in June.
Periodic-refresh CDD is not the regulatory floor. It is the legacy implementation of an older obligation. The architecture that delivers the continuously-current floor without making every venue a data-residency liability is reusable verifier-private attestation refreshed against the issuer source. Compliance teams that design for it in the next twelve months will not be remediating to it in the next thirty-six.
Sources
(1) Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). AMLA consults on draft Guidelines for ongoing monitoring of business relationships. 3 June 2026. https://www.amla.europa.eu/amla-consults-draft-guidelines-ongoing-monitoring-business-relationships_en
(2) European Parliament and Council of the European Union. Regulation (EU) 2024/1624 (AMLR) — Article 26 on ongoing monitoring of the business relationship and monitoring of transactions performed by customers. 31 May 2024. https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng
(3) Financial Action Task Force (FATF). International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation — The FATF Recommendations (Recommendation 10 and Interpretive Note). February 2012, last updated October 2025. https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf
(4) UK Government. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692), regulation 28. In force 26 June 2017. https://www.legislation.gov.uk/uksi/2017/692/regulation/28/made
(5) The Wolfsberg Group. Statement on Effective Monitoring for Suspicious Activity. 1 July 2024. https://wolfsberg-group.org/news/the-wolfsberg-group-statement-on-effective-monitoring-for-suspicious-activity
(6) The Wolfsberg Group. Second Statement on Effective Monitoring for Suspicious Activity (Responsible Transition Framework for Innovation). 27 August 2025. https://wolfsberg-group.org/news/the-wolfsberg-group-publishes-its-second-statement-on-effective-monitoring-for-suspicious-activity
(7) European Banking Authority (EBA). Guidelines amending Guidelines EBA/2021/02 on customer due diligence and ML/TF risk factors (EBA/GL/2024/01). 16 January 2024 (applicable from 30 December 2024). https://www.eba.europa.eu/sites/default/files/2024-01/a3e89f4f-fbf3-4bd6-9e07-35f3243555b3/Final%20Amending%20%20Guidelines%20on%20MLTF%20Risk%20Factors.pdf
(8) Joint Money Laundering Steering Group (JMLSG). Prevention of money laundering / combating terrorist financing — Guidance for the UK Financial Sector, Part I, Chapter 5.7. June 2023, updated November 2024. https://www.jmlsg.org.uk/wp-content/uploads/2025/08/JMLSG-Guidance-Part-I_June-2023-updated-Nov-2024.pdf
(9) Financial Conduct Authority (FCA). PS24/17 — Financial Crime Guide updates. 29 November 2024. https://www.fca.org.uk/publications/policy-statements/ps24-17-financial-crime-guide-updates
(10) AUSTRAC (Australian Transaction Reports and Analysis Centre). Ongoing customer due diligence — industry obligations and guidance. 2026. https://www.austrac.gov.au/industry-and-business/obligations-and-guidance/your-amlctf-program/customer-due-diligence/ongoing-customer-due-diligence