Perpetual KYC (pKYC) is the practice of maintaining accurate, up-to-date customer and counterparty records through an automated, integrated workflow of data checks that occur in near real-time. This continuous monitoring approach supports financial institutions to more promptly identify and respond to changes in customer-related risks that may warrant further due diligence.
Traditional “review and refresh” risk monitoring looks at re-running due diligence checks according to set time periods depending on the risk categorization a customer was assigned during onboarding or their last review. Categorized according to an institution’s risk appetite, a low risk customer may be reviewed after 5 years, a client assigned medium risk would be reviewed after 3 years, and high risk customers, 1 year.
The flaw in this prescribed monitoring approach is that risk factors can change within moments, so waiting years to uncover a material change could expose a financial institution to bad actors, compliance failings, and reputational harm.
As well as the ever-changing nature of risk and emerging threats, there are significant regulatory drivers that make a shift towards pKYC a sensible option for banks, fintech, and other financial institutions.
The European Union’s 6th Anti-Money Laundering Directive (6AMLD) for example mandates regular updates to customer information to mitigate risks associated with money laundering, terrorist financing, and other illicit activities. The UK's anti-money laundering (AML) regulation established in 2017 also requires businesses to carry out thorough customer due diligence (CDD), with regular reviews and monitoring of changes in customer behavior that may indicate risk. And the same can be said of the Bank Secrecy Act (BSA), which forms the foundation of the US’s approach to AML and requires ongoing CDD saying: “Financial institutions must verify customer identities and continuously monitor for suspicious activity.”
Non-compliance with AML and counter-terrorist financing (CTF) regulations can lead to severe penalties, as evidenced by fines imposed on banks, neobanks, and crypto providers. In 2024, global regulatory fines for failures and breaches reached more than $19 billion.
The regulatory requirements, as well as the financial and reputational risks of non-compliance, underscore how important it is to maintain a robust, current view of customer data and risk profiles.
One way to consider managing update of customer records and risk profiles throughout the client lifecycle is with perpetual KYC.
Each bank or financial institution will have its own compliance requirements, risk policies, and risk appetite, it will therefore have its own AML framework and approach to CDD. But there can be typical elements used to identify and screen customers to build a data profile and understand risk, during a client onboarding journey - an example is shown below.
While there may be challenges to overcome in terms of data quality and accuracy, integrating pKYC with existing systems, and allocating resources accordingly, each step presents opportunities for digitization, automation, and efficiency, which are central to achieving pKYC.
There are some key building blocks necessary for implementing pKYC, such as remediating customer data, digitizing the data capture process, mapping the phases of the journey, and defining risk-based customer data triggers, which may for example prompt enhanced due diligence (EDD) investigations.
However, banks adopting pKYC don’t need to start with everyone, everywhere, all at once. Beginning with low-risk profiles and embedding continuous quality assurance into the pKYC adoption process, financial institutions can gain confidence and gradually scale their approach. When the process is proven and trusted, pKYC can be scaled to more higher risk customer populations. A phased deployment can support the transition to pKYC and make it more manageable and effective in the long term.
As the workflow of data checks created for a pKYC approach are “always on”, monitoring appropriate risk triggers is a critical component. It is important to analyze, define and agree the changes that matter i.e. the material changes that affect a risk level or profile and mean a bank would want to know about them to investigate more closely.
Material changes that constitute a risk trigger might include:
But, in actuality, a financial institution could select any material risk factor they wanted for risk assessment. A full suite of data checks can be available and built into a workflow, it would simply be incumbent on the business to decide its own triggers based on risk tolerance and the ability to resource investigations.
By configuring trigger events appropriately and proportionately, then automating the perpetual monitoring workflows, financial institutions have the potential to achieve significant efficiency gains while controlling risk and compliance.
One of the most compelling aspects of pKYC is the potential for greater operational efficiency. If a team were to manually or “traditionally” monitor a customer population for changes in material risk factors on an ongoing basis, the task would be epic and, in all likelihood, unmanageable. However, if the team were only investigating specific customer or entity profiles when the pKYC workflow flagged a material change, this would have the potential to create significant efficiencies. It would also remove the need to track when clients were coming up to their renewed review period, which would require some vigilance without automation.
Re-screening a smaller percentage of customers who have had a change – for example of ultimate beneficial owner (UBO) – is vastly more efficient than investigating the whole population. Interrogating Moody’s data on private companies, it’s possible to begin to see how material risks can be zeroed in on to deliver greater efficiency.
Casting our minds back to the traditional “renew and refresh” approach, had each of these companies been assigned a medium risk categorization during onboarding in January 2022, these changes would only have been uncovered in 2025. If nearly 30% of companies in Africa, sometimes considered a region where it is more difficult to source entity data, had a change in the nature of their business that was uncovered after 3 years, and this required EDD, the task of investigation and remediation becomes significant.
Perpetual KYC represents the opportunity to innovate and transform the way third-party risk is managed by financial institutions. By continuously monitoring and updating customer records in near real-time, financial institutions can respond to changing in risk factors; promptly identify significant cases that require re-screening; make the most of resources; and enhance their ability to mitigate risks associated with money laundering, terrorist financing, and other illicit activities.
The adoption of pKYC can align compliance activity with regulatory requirements and offer efficiency gains by reducing time-consuming screening tasks that don't add value. If financial institutions gradually scale their pKYC approach, they can achieve an automated, more robust and efficient risk management and compliance framework.
Since Moody’s original study into pKYC in 2023, the concept has gained traction due to its transformative potential in anti-financial crime compliance and client lifecycle management (CLM). There are challenges in achieving pKYC, but there are also significant return on investment (ROI) opportunities that can be realized through productivity and efficiency gains.
Moody’s can support development of a pKYC approach providing access to crucial datasets, automating triggers on defined material risk events, and continuously monitoring changes throughout the client lifecycle.
Leveraging AI-powered, flexible, digital workflows integrated with leading sources of global data, financial institutions can transform risk management and compliance from customer onboarding onward. Automating ongoing, always-on monitoring processes and embedding insights from a unified risk platform into other CLM systems. This approach can support better decision-making.
By streamlining pKYC with other CLM platforms, banks, fintechs, and other financial institutions can orchestrate the client journey, automate case routing, and enhance internal touch points between KYC and other front office teams.
Moody’s solutions for pKYC are further enhanced by the integration of artificial intelligence (AI). Moody’s AI-led solutions leverage extensive datasets to uncover new insights and efficiencies. Combining intelligent screening to reduce false positives and AI with high-quality data, automation and analytics, Moody’s offers cutting-edge solutions to help financial institutions gain ROI, improve efficiency, and manage risks more effectively.
If you would like to discuss an approach to perpetual KYC (pKYC) for your organization, please get in touch with the team at Moody’s any time, we would love to hear from you.