Onboarding gets all the attention. Ask any compliance vendor what they do, and the first answer is almost always about onboarding: identity verification, document checks, risk scoring, customer acceptance. It is the part of KYC that is visible, measurable, and directly connected to revenue.
Ongoing monitoring, by contrast, is the part of compliance that most firms treat as an afterthought. A periodic re-screen against sanctions lists. An annual review for high-risk customers. A transaction monitoring system that generates alerts but rarely changes anyone's risk rating. The regulators have noticed, and they are not impressed.
In the past 18 months, a significant proportion of AML enforcement actions across the UK and EU have cited inadequate ongoing monitoring as a primary or contributing failure. Not the absence of monitoring. The inadequacy of it. Firms had monitoring in place, but it was not continuous, not risk-based, and not connected to the broader compliance lifecycle.
What regulators actually mean by "ongoing monitoring"
The regulatory expectation for ongoing monitoring has three distinct components, and most firms are only doing one of them.
| Component | What it covers | Current adoption |
|---|---|---|
| Transaction monitoring | Monitor customer transactions against expected patterns, sanctions lists, and risk indicators | Most firms have some form in place, though quality varies enormously |
| Customer risk review | Periodically reassess each customer's risk rating based on updated information: business changes, new jurisdictions, ownership structure, transaction behaviour deviations | Where most firms fall short; requires risk-based scheduling (annual for high-risk, every two to three years for medium-risk, every three to five years for low-risk) |
| Event-driven monitoring | Trigger a review when something changes: new sanctions designations, PEP status changes, negative media coverage, regulatory status changes | Largely absent; requires real-time connection between your customer base and external events |
"Our regulator asked us a simple question: 'When Russia invaded Ukraine and new sanctions were imposed, how long did it take you to screen your entire customer base against the updated lists?' We had done it within 48 hours, which they accepted. But then they asked: 'And how did you identify customers with indirect exposure to sanctioned entities through their supply chains?' We did not have an answer for that."
The periodic re-screening trap
The most common ongoing monitoring approach we see is periodic re-screening: running the customer database against updated sanctions and PEP lists on a daily or weekly cycle. This is necessary but insufficient.
Periodic re-screening catches changes to sanctions and PEP lists. It does not catch changes in the customer themselves. A customer who was low-risk at onboarding may have expanded into high-risk jurisdictions, changed their ownership structure, or begun transacting in ways that are inconsistent with their original risk profile. Periodic re-screening against external lists will not identify any of these changes.
The firms that do ongoing monitoring well treat it as a continuous process that integrates multiple data sources. Transaction monitoring flags behavioural changes. Sanctions and PEP screening catches list changes. Company registry monitoring identifies ownership changes. Adverse media monitoring catches reputational risks. And all of these inputs feed into a risk assessment that is updated continuously, not just at the next scheduled review date.
Building a continuous monitoring framework
Here is a practical framework for moving from periodic re-screening to genuine continuous monitoring.
| Layer | Function | Key capability |
|---|---|---|
| 1: Automated screening | Your baseline | Daily or real-time screening against sanctions, PEP, and adverse media sources with automated alerting |
| 2: Transaction behaviour analysis | Flag deviations | Monitor transactions against customer-specific baselines, not generic rules; flag unusual volumes, new counterparties in high-risk jurisdictions, activity inconsistent with declared business |
| 3: Corporate structure monitoring | Track ownership changes | Monitor director changes, shareholder changes, new subsidiaries, registered address changes via API-connected company registry data |
| 4: Jurisdictional risk monitoring | Monitor external risk shifts | Track FATF evaluations, grey list changes, Transparency International updates, sanctions regime changes; flag affected customers for review |
| 5: Risk recalculation | Tie it all together | Automatically recalculate customer risk rating when any signal occurs; queue for manual review if rating change is material |
"We implemented event-driven risk recalculation 18 months ago. In the first quarter, it identified 340 customers whose risk ratings needed to change. Under our old periodic review schedule, we would not have caught most of those changes for another six to twelve months. Three of them were genuine high-risk cases that needed immediate attention."
The technology requirements
Continuous monitoring at scale requires technology that most firms do not currently have. The key requirements are:
Real-time data ingestion. Your monitoring system needs to ingest updated screening data, transaction data, and corporate registry data in real time or near real time. Batch processing with overnight runs is not sufficient for a continuous monitoring framework.
Customer-specific baselines. Your transaction monitoring needs to understand what "normal" looks like for each customer, based on their declared business activity, risk profile, and transaction history. Generic rules ("flag any transaction over £10,000") generate noise. Customer-specific baselines generate signal.
Automated risk scoring. When a monitoring event occurs, the system needs to automatically recalculate the customer's risk score and determine whether the change is material enough to trigger a manual review. This requires a risk model that is configurable, transparent, and auditable.
Case management integration. When a review is triggered, it needs to flow into your case management system with all the relevant context: what triggered the review, what data changed, what the previous risk assessment said, and what information the analyst needs to make a decision. If your monitoring and case management systems are not integrated, reviews will fall through the gaps.
Audit trail. Every monitoring event, every risk recalculation, and every review decision needs to be logged with a timestamp, the data that informed it, and the outcome. This is not optional. It is the evidence that your monitoring programme works.
Resourcing continuous monitoring
One of the most common objections we hear is that continuous monitoring will overwhelm compliance teams with reviews. The concern is understandable but misplaced. A well-calibrated continuous monitoring framework actually reduces the total review burden by focusing human attention on the cases that matter.
Under a periodic review model, every customer in a risk tier is reviewed on the same schedule, regardless of whether anything has changed. This means analysts spend significant time reviewing customers where nothing has changed and everything is as expected. That is wasted effort.
Under a continuous, event-driven model, reviews are triggered only when something changes. Customers where nothing has changed are not reviewed until the next event. Customers where something material has changed are reviewed promptly. The total number of reviews may be similar, but the proportion of reviews that lead to a genuine risk decision is much higher.
The key is calibration. If your monitoring thresholds are too sensitive, you will generate too many events and overwhelm your team. If they are too loose, you will miss material changes. This calibration is an ongoing process that requires regular testing and adjustment.
Key takeaways
- Regulators cite inadequate ongoing monitoring in AML enforcement actions across the UK and EU, not the absence of monitoring itself. Periodic re-screening alone is insufficient.
- Effective continuous monitoring requires five integrated layers: automated screening, transaction behaviour analysis, corporate structure monitoring, jurisdictional risk monitoring, and automated risk recalculation.
- Event-driven monitoring with customer-specific baselines generates signal instead of noise, reducing wasted analyst time on customers where nothing has changed.
- Real-time data ingestion, customer-specific baselines, automated risk scoring, case management integration, and comprehensive audit trails are essential technology requirements.
- Well-calibrated continuous monitoring focuses human effort on material changes, improving both compliance effectiveness and team efficiency.
