For several years, perpetual KYC (pKYC) has been pitched as the next evolution of traditional KYC methods, but firms still have misconceptions around what it really means.
Unlike traditional KYC methods that have static and periodic checks, pKYC focuses on a continuous and automated process. The aim is to help firms become more reactive to changes, rather than compliance issues going undetected for a lengthy period of time. For instance, if a customer suddenly becomes listed on a sanctions or PEP list, pKYC would instantly identify the change and alert the firm to take necessary measures. However, in a traditional KYC process, the financial institution could be oblivious to the change for months, potentially leading to penalties from regulators.
Not only does the technology help to avoid compliance failures, but it can also save companies money on operations. A report from PwC claimed that medium-sized banks could save between 60% and 80% in operating costs on customers.
With these significant benefits, it is no surprise the sector is growing in popularity. Research from Market Intelo claimed the global pKYC market was valued at $1.2bn in 2024 and is projected to grow at a CAGR of 20.3% to reach $6.5bn by 2033.
While many firms might be eager to start leveraging the technology, Stephen Platt, founder & CEO at KYC360 (a part of Experian), believes many underestimate the work needed to get it working correctly.
He said, “Many firms expect automation to be a quick fix without accurately assessing the fundamentals first, especially around data quality and getting internal buy-in for automated workflows. If the underlying data is poor or teams are not aligned, automation can just scale the challenge. A Perpetual KYC approach should not mean more monitoring for the sake of it. It should mean faster, more informed decisions made with the right context around current risk.”
In a similar vein, Jon Elvin, strategic risk advisor at Saifr—Fidelity Labs, also argued that many firms fail to understand the overhaul required to get pKYC operational. For instance, many firms make slight adjustments to their legacy processes and describe them as perpetual in nature. Too few programmes also adopt fully reimagined practices that utilise automation, context analytics or AI to analyse richer data sets. Ultimately, this limits the full potential of a pKYC program.
Elvin said, “While a great vision to strive for, very few firms have truly architected an effective ecosystem or real-time connectivity to their enterprise master data management orchestration. Similarly, few others have achieved tri-connectivity cohesion with full integration harmony to other AML and fraud program activities that would certainly yield more complete understanding and reactivity to risk signals. The vision is there, but achieving it in practice requires commitment, time, and creativity. The outlook, however, is promising and is driving greater investment.”
A troubled KYC past
Before looking at how firms are interpreting pKYC, it is important to take a step back and look at how traditional KYC was often viewed. Historically, most firms considered the processes a tick-box exercise, according to Elvin. Teams would have unforgiving, inefficient tasks with static and typically limited datasets and rule-based triggers. Once a client was onboarded, a risk score, often low, medium or high, would be attributed to their profile.
Elvin noted that most risk executives were forced to accept incomplete coverage and blind spots, caused by limitations of technology, manpower and costs. “Program leaders crossed their fingers and hoped for limited exposure to events that surfaced during those dormant periods and that regulators/auditors would find this approach acceptable,” Elvin explained.
He added, “It almost never truly mattered if the exercise effectively and tangibly managed risk in the portfolio itself. In fact, my experience and those of many truly experienced practitioners, was that the higher risk-labelled profiles were usually well-managed and not the problem. The hidden risk often manifested in customers with initially lower- or medium-risk clients, where activity and profile attributes changed but went undiscovered due to blind spots from dormant review periods. This forced programs to keep moving the bar and, thus, led to even greater inefficiency, driving up cost and frustration.
“The time sequencing “window of vulnerability,” which was easy to identify in hindsight, became a key focus of scrutiny after an event surfaced in a negative format. It did not matter if the effort spent on others was good, bad, or worth it.”
These processes were fraught with annoyance, Elvin noted, contributing to the de-banking evolution. “Risk tolerance conclusions drove business acceptance/exit decisions that are now part of major recent regulatory and congressional concerns.” Elsewhere, back-office analysts became frustrated with poor employee experiences and being used as scapegoats for compliance oversights or customer complaint remediation, he added.
Effectiveness of KYC was largely dependent on the opinion of the observer, Elvin explained. Common metrics were adherence to review timelines, supporting exhibits, and reasonable comments placed on profile forms. Meanwhile, backlogs, missed scheduling and inconsistent execution caused regulatory risk, and if a single item was identified as not being acted upon in a timely manner, it could cause a wake of scrutiny and questions about program effectiveness.
“The tradeoff shaped generalized acceptance of less-than-ideal practices, including spending more time on manual work to document that a firm’s “good” customers were actually good. This diverted too large a percentage of seasoned investigators away from more proactive tasks.”
This paved the way for pKYC, which Elvin describes as “the silent necessity of serving customers, identifying needs or uncertainty, and preserving risk positioning important to a firm’s reputation,” when implemented correctly.
Interpreting pKYC
While true pKYC means continuous monitoring for changes, several in the industry believe pKYC refers to more frequent scheduled checks. Instead of conducting a search every year or two, they change it to be twice a year.
Scott Nice, CRO at Label, explained, “Many firms interpret perpetual KYC as increased frequency. Instead of rethinking architecture, they compress review cycles and increase outreach. Perpetual KYC becomes annual remediation on a faster treadmill. True perpetual KYC is event-driven. It is based on signal detection, not calendar cycles. If the operating model still revolves around periodic refresh campaigns, the transition has not been made.”
The important distinction is the notion of being event-driven rather than a fixed task that is run. Even if a firm is running the process daily, it still does not constitute effective pKYC. MCO (MyComplianceOffice) product director Daragh Tracey explained, “Too many firms are running a daily check for Sanctions or PEPs matches on customers and calling it Perpetual KYC.
“This leads to duplication of effort across related entities, too many false positives and alerts, and an incomplete view of KYC risk. This drags down efficiency, increases costs, and leaves the firm exposed to greater risk of financial crime. A fragmented approach to KYC review also damages customer relationships and impacts the firm’s bottom line, as ineffective and inefficient screening slows down business processes.”
Instead, pKYC is about becoming an always-on network monitor, Tracey noted, ensuring firms can dynamically respond to risks in real time through embedded ongoing assessment and monitoring throughout the customer lifecycle. Firms that continuously monitor customers and their related networks for any signals, whether entity data, adverse media, transactional activity, changes in corporate structure, or updates to sanctions and PEP data, are the ones generating real automation, efficiency and cost-saving benefits.
Tracey added, “At any point in time, the firm can look to the risk profile and know that it reflects a real-time risk, accounting for the latest information since onboarding. Where risks are detected in the network, this is instantly flagged by the system, assessed for relevance and severity, and escalated to a team for review.”
A correct pKYC system, according to Tracey, leverages advanced analytics and real-time data to continuously monitor customers and their related entities to identify changes in risk profiles and unusual activity. Additionally, enhanced due diligence should be leveraged where compliance requirements dictate, but also anywhere else a customer or transaction could trigger red flags.
Not only is there a misconception around the frequency of monitoring, but also around the scope of its search. Declan OhAnnrachain, managing director of Cascade, noted that many boards and decision-makers can understand the value of pKYC and the real-time analysis of clients’ actions and changes, such as its ability to reduce fraud risk, protect clients and identify dealings with sanctioned parties or countries. However, many believe the route to this comes from increasing the amount of data captured.
OhAnnrachain said, “Too many believe that the fact of capturing more data, typically via various third party providers, is the solution and invest heavily in additional software to do this. In reality, though, this often leads to the existing compliance teams being overwhelmed with new data spread amongst different applications and no longer being able to focus on what is relevant or even crucial.”
Collecting data is vital for pKYC, but OhAnnrachain urges that any extension of data collection be done in a fully integrated manner. This means feeding the data to existing systems and having alerts trigger when there are real shifts in risk. “Having a central system holding your golden truth and ensuring it is only updated with relevant information is the starting point. Before signing up to fancy, and usually expensive new software, ensure it can be integrated and that the changes triggered, causing alerts, are only those that really require action. Otherwise, the organisation may come to regret the shift.”
Interestingly, Elvin believes that firms should not just view pKYC as a compliance process. Instead, it should be viewed as a way to better understand customers and drive business opportunities. This includes shaping messages and promoting trust across the ecosystem. He added, “Perpetual KYC effectiveness is grounded in recognition and reaction with facts in real time.”
He noted that pKYC should be viewed as a warning light on a car. Paying attention can ensure everything continues to run, but failing to act can cause major risk. He said, “I recall a CEO once telling me, “Our firm was not built on any one customer, but it certainly could be lost on the wrong one—or inattention to customers.” That has always stuck with me.”
A missed signal by a relationship manager is also a missed sale and a missed opportunity to deepen the total share of wallet. By leveraging AI, advanced analytics and access to richer data inputs, firms can better identify risk, as well as when customer needs change and a new opportunity presents itself.
“The importance of detecting and taking action to mitigate the presence of cyber security bad actors or a virus infecting your computers is well understood. But knowing valuable customer insights or dynamic changes when they occur can drive first-mover advantages in sales cycles and customer care outreach.”
Operational challenges
Transforming a static process into a continuous one is going to be met with a lot of challenges. There is no one single major issue, but a number of hurdles firms must address.
Label’s Nice noted that firms still rely on spreadsheet-based exception tracking, manual document validation, broad document refresh exercises and email-led remediation. Simply increasing the frequency without redesigning the process can cause numerous problems. Alert fatigue, backlogs, rising headcounts and customer frustration are just a few. Nice said, “Perpetual KYC was intended to reduce unnecessary intervention, not industrialise it.”
Another challenge that can arise from changing to a pKYC process is failing to get the right balance. KYC360’s Platt said, “Data and workflows are often split across teams and systems, which makes it harder to get a joined-up view of customer risk. At the same time, if firms generate too much noise, analysts can end up spending more time clearing alerts and false positives than assessing real risk. Firms also must be able to clearly explain and document why a decision was made to escalate, defer, or clear.”
In a similar vein, Tracey noted that continuous monitoring can go wrong without the right setup. “Without the right processes and technology, continuous monitoring can just mean more of everything you don’t want — a higher volume of false alerts, more fragmented data to sift through and increased duplication of effort, straining often under-resourced compliance teams.”
When implementing the technology, firms need to ensure they have solid KYC frameworks to ensure only relevant items are creating alerts. Tracey sees pKYC as an opportunity to embed risk evaluation across the whole customer lifecycle and this is something the MCO platform helps to do. “By unifying screening, risk scoring and case management on a single platform, our Know Your Third Party solution enables firms to automatically identify, assess, and act on the right events at the right time—without overwhelming already stretched compliance teams.”
Firms don’t only have to consider the internal operational challenges, but also external ones. For instance, could the process create increased customer friction? Platt noted that ongoing monitoring does not need to create more customer friction and that, in fact, proper pKYC workflows should help to improve the experience.
He said, “In many manual workflows, firms end up collecting the same information multiple times, which is frustrating for customers and inefficient for teams. CLM technology can help by automating outreach and triggering requests only when needed, so firms collect less, ask at the right time, and avoid unnecessary duplication.”
However, it can cause friction when the alerts are not acted upon in a timely manner. Nice explained that in many firms, alerts are generated but not reviewed immediately. As a result, alerts accumulate and are then processed in batches. “By the time a customer is contacted, the triggering event may be weeks or months old.”
This, according to Nice, can create two major problems. The first is that outreach feels disconnected from the customer’s current activity. The second is that institutions compensate for uncertainty by broadening the information request.
“When alert review is delayed, firms lose confidence in the precision of the signal. The response becomes defensive and expansive, which increases friction and perceived over-collection.”
The situation is also made worse by pKYC that is not really continuous but instead relies on scheduled screenings or periodic data refreshes. “In that model, alerts themselves are batch generated. That is remediation architecture, not perpetual monitoring.”
Nice emphasised the importance of pKYC processes being implemented correctly, with event-driven alert generation, immediate risk reassessment, clear materiality thresholds and rapid, proportionate outreach only when justified. He added that customers will not be disgruntled when there is justified intervention. “They object to delayed, disproportionate intervention. When detection is timely and review is risk-prioritised, outreach becomes more targeted, and friction reduces naturally. If alerts are batch generated or batch reviewed, the institution is still operating an annual remediation mindset.”
Copyright © 2026 FinTech Global