pKYC vs periodic reviews: the future of EDD


Banks do not typically fail at KYC because they are short of data. They fail because customer risk too often stops evolving once onboarding is complete, leaving institutions anchored to an initial profile even as exposure changes in the months and years that follow.

According to Consilient, at the point of onboarding, firms build a baseline view of risk using factors such as ownership structure, geography, industry, and inherent sector exposure.

That assessment then dictates control intensity and review cadence, with higher-risk areas such as crypto often receiving closer scrutiny, while lower-risk customers are revisited on longer cycles.

The problem is that once those assumptions are set, they can become sticky. The institution’s understanding of a customer’s risk tends to remain fixed between formal reviews, even as behaviour shifts, counterparties change, or new exposures emerge that would materially alter that view if they were incorporated in time.

Recent enforcement patterns have made the strain on this model harder to ignore. The $3bn fine handed to TD Bank in the US drew widespread attention in 2024, but scrutiny has not been limited to one jurisdiction. In mid-2025, Swiss regulators penalised firms including Pictet and Julius Baer millions of francs for shortcomings tied to due diligence that failed to respond to red flags surfacing well after onboarding.

At the heart of traditional Enhanced Due Diligence (EDD) is a mismatch between how quickly financial crime evolves and how slowly many institutions reassess customer risk. Criminal methods iterate fast; customer understanding in many KYC programmes updates far more gradually, creating a window where old assumptions can persist despite new signals.

Standard risk-based approaches, including the Wolfsberg Group guidance, can mean low- to medium-risk corporate customers are only fully refreshed every three to five years. That interval assumes risk changes slowly. In practice, risk can shift dramatically in weeks, particularly when ownership or control changes hands, business models pivot, or a legitimate entity is compromised after onboarding.

A common scenario is a business that looks ordinary at onboarding, then becomes exposed months later through a shelf-company acquisition or similar manoeuvre. Transaction monitoring might flag isolated incidents. An event-led review may even be triggered. Yet the customer’s underlying risk rating often remains tied to the original onboarding classification, producing a disconnect where activity is handled tactically while the customer file continues to describe a “low-risk” entity.

That lag is not just theoretical. It can allow suspicious behaviour to accumulate under outdated assumptions, pushing teams into reactive workflows rather than adaptive ones. It also collides with operational reality: periodic reviews can be punishing to deliver at scale. Fenergo’s 2024 research suggests a single corporate KYC review can take between 61 and 150 days, with investigators spending weeks gathering documents and validating static attributes that may already be stale by the time the work is signed off.

Regulators, meanwhile, are shifting expectations away from “technical compliance” and towards demonstrable effectiveness. The focus is increasingly on whether frameworks learn as customers change, rather than whether a firm can point to a policy document, a checklist, or a calendar of reviews. FATF’s digital transformation guidance has called for movement away from rigid, rules-based approaches and towards data-driven systems that can respond to evolving and emerging risk. In the UK, the FCA has also warned against static or generic risk assessments that fail to reflect how a customer’s business evolves over time.

This is where Perpetual KYC (pKYC) has become the industry’s headline response, promising to replace infrequent, calendar-driven reviews with continuous, event-led oversight. However, two different approaches are now being labelled as pKYC, and they do not deliver the same outcome.

One approach focuses on running traditional checks more frequently—automating registry refreshes, sanctions screening, and ownership verification daily or near real time. This can be valuable for spotting identity drift, such as changes in directors, legal form, or registration status, but it does not necessarily explain how customer risk is evolving. A customer can remain stable “on paper” while behaviour shifts materially, with signals processed in isolation rather than feeding back into the customer’s core risk profile.

A more advanced approach treats pKYC as continuous customer risk understanding. Instead of repeatedly confirming who the customer is, it assesses how behaviour is changing and whether that change should re-weight the institution’s view of risk. Static data still matters, but it is no longer treated as sufficient on its own. The aim is to shrink the gap between emerging activity and updated customer risk by learning from multiple signals over time, at the customer level.

This ambition often collides with a familiar fear: false positives. Rules-based transaction monitoring can generate vast alert volumes, and research frequently cited by Datos Insights suggests 90% to 95% of alerts do not lead to suspicious activity. It is understandable that teams hesitate to add more monitoring if it simply creates more noise and more operational strain.

The distinction, however, is that dynamic EDD relies on learning systems that interpret patterns in context and translate insight into better risk assessment, not just more alerts. Without that learning layer, “continuous” oversight can become continuous alert fatigue—faster processing without better understanding.

One proposed engine for improving that learning is Federated Learning (FL), designed to help institutions gain context without pooling customer data. Instead of centralising sensitive information, a shared risk model operates within each bank’s secure environment, learns from local behavioural and transactional patterns, and then shares only mathematical updates rather than underlying customer data. The goal is a more up-to-date understanding of risk typologies informed by activity observed across institutions and geographies, while preserving privacy and avoiding data centralisation.

Positioned this way, Federated Learning is not framed as a replacement for transaction monitoring, pKYC tooling, or case management. It is presented as a mechanism to improve the intelligence feeding those systems—helping update typologies, sharpen prioritisation, and refresh risk weightings so customer risk assessments evolve continuously rather than episodically.
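To make the federated learning mechanism described above concrete, the following is an added example written for this page; it is not Consilient’s, the article’s, or any vendor’s implementation. Three simulated institutions each train the same logistic-regression risk model on constructed local samples, and only the resulting parameter vectors and sample counts cross the institutional boundary, where a coordinator averages them (the standard FedAvg procedure). The institution names, the three behavioural features, and the training labels are all constructed for illustration.

```python
"""Added example (not from the article or any vendor): a toy Federated Averaging
loop in which three simulated institutions train one shared logistic-regression
risk model on local data and exchange only model parameters with a coordinator.
All institutions, features, samples and labels below are constructed."""
import math
from typing import Dict, List, Tuple

# Hypothetical behavioural signals observed for a customer since onboarding
# (1 = observed): [ownership_changed, new_high_risk_counterparty, velocity_spike]
# Label 1 = customer later confirmed as higher risk (constructed labels).
Sample = Tuple[List[float], int]

LOCAL_DATA: Dict[str, List[Sample]] = {   # stays inside each institution's own loop
    "bank_a": [([1, 1, 0], 1), ([1, 0, 1], 1), ([0, 0, 0], 0), ([1, 0, 0], 0), ([0, 0, 1], 0)],
    "bank_b": [([0, 1, 1], 1), ([1, 1, 1], 1), ([0, 1, 0], 0), ([0, 0, 0], 0)],
    "bank_c": [([1, 1, 1], 1), ([1, 0, 1], 1), ([0, 0, 1], 0), ([0, 0, 0], 0),
               ([0, 1, 0], 0), ([1, 0, 0], 0)],
}
N_FEATURES = 3
Params = List[float]   # three feature weights followed by one bias term


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def risk_score(params: Params, x: List[float]) -> float:
    """Probability that current behaviour warrants a higher customer risk rating."""
    logit = sum(w * xi for w, xi in zip(params[:N_FEATURES], x)) + params[N_FEATURES]
    return sigmoid(logit)


def local_update(global_params: Params, data: List[Sample],
                 lr: float = 0.5, epochs: int = 5) -> Dict:
    """Runs inside one institution: full-batch gradient descent on the logistic
    loss, starting from the shared parameters. Returns parameters and a sample
    count only; no feature vectors or customer records leave this function."""
    params = list(global_params)
    n = len(data)
    for _ in range(epochs):
        grad = [0.0] * (N_FEATURES + 1)
        for x, y in data:
            err = risk_score(params, x) - y        # dLoss/dlogit for cross-entropy
            for j in range(N_FEATURES):
                grad[j] += err * x[j] / n
            grad[N_FEATURES] += err / n
        params = [p - lr * g for p, g in zip(params, grad)]
    return {"params": params, "n_samples": n}


def federated_average(updates: List[Dict]) -> Params:
    """Coordinator side (FedAvg): average parameters weighted by sample count."""
    total = sum(u["n_samples"] for u in updates)
    return [sum(u["params"][j] * u["n_samples"] for u in updates) / total
            for j in range(N_FEATURES + 1)]


def train_federated(rounds: int = 20) -> Tuple[Params, List[List[Dict]]]:
    """Returns the final shared model plus every payload that crossed an
    institutional boundary, so the exchange can be audited afterwards."""
    global_params: Params = [0.0] * (N_FEATURES + 1)
    exchanged: List[List[Dict]] = []
    for _ in range(rounds):
        updates = [local_update(global_params, data) for data in LOCAL_DATA.values()]
        exchanged.append(updates)
        global_params = federated_average(updates)
    return global_params, exchanged


def payload_is_parameters_only(payload: Dict) -> bool:
    """Audit check: a payload is exactly N_FEATURES + 1 floats and one integer."""
    return (set(payload) == {"params", "n_samples"}
            and len(payload["params"]) == N_FEATURES + 1
            and all(isinstance(v, float) for v in payload["params"])
            and isinstance(payload["n_samples"], int))


if __name__ == "__main__":
    model, log = train_federated()
    print("shared parameters:", [round(p, 2) for p in model])
    print("every exchanged payload is parameters-only:",
          all(payload_is_parameters_only(u) for rnd in log for u in rnd))
    for pattern in ([0, 0, 0], [1, 0, 0], [1, 1, 0], [1, 1, 1]):
        print(pattern, "->", round(risk_score(model, pattern), 3))
```

The audit helper is the part a compliance or privacy reviewer would actually look at: it confirms that what leaves each institution is a fixed-size parameter vector, not records. One caveat worth keeping in mind when evaluating vendor claims: shared parameter updates are not automatically free of information about the training data, so production federated systems typically add secure aggregation or differential-privacy noise on top of the plain exchange shown here.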

If the model works as intended, it could also reshape the human workload. Instead of spending disproportionate time on calendar-driven document gathering and static verification, investigators can be pulled into cases when behaviour indicates a genuine shift in risk trajectory. That changes the role from document collector to risk analyst, reserving judgement for complex, high-priority work where experience and intuition add the most value.

The broader business case is increasingly being framed as more than compliance spend. Dynamic, learning-led pKYC is positioned as a way to move from blunt de-risking towards more targeted, evidence-led exits, enabling firms to manage higher-risk sectors with greater precision rather than avoiding them entirely because manual review is too costly.

Periodic reviews were built for an era when customer files were comparatively static and reassessment depended on slow, manual processes. They may still have a role, but the direction of travel is towards perpetual, adaptive risk understanding—where risk learning is continuous, risk weightings evolve, and institutions can show supervisors that new information is incorporated as it emerges.


Copyright © 2026 RegTech Analyst
