Understanding Ongoing Monitoring in AML Compliance

AML compliance doesn't end the moment a customer passes onboarding. Money laundering risks shift throughout the entire customer relationship — and regulators know it. A customer who looks clean at sign-up may appear on a new sanctions list six months later, change their beneficial ownership structure, or start transacting in ways that contradict everything in their original risk profile.

That's why a one-time KYC check is no longer sufficient. Regulators across the US, UK, and Canada expect firms to maintain a living, breathing view of every customer relationship — not a snapshot frozen at onboarding.

This article covers what ongoing monitoring actually involves, what the regulatory frameworks require, how to calibrate monitoring frequency by risk level, and what a broken program looks like before it becomes an enforcement action.


TL;DR

  • Ongoing monitoring is the continuous process of reviewing customer behavior, transactions, and risk profiles throughout the entire business relationship
  • It goes beyond transaction monitoring to include PEP/sanctions re-screening, adverse media checks, and UBO reviews
  • Regulatory frameworks in the US, UK, and Canada all mandate ongoing monitoring, with penalties for non-compliance reaching nine figures
  • Monitoring frequency must be risk-calibrated; high-risk customers require significantly more frequent review than low-risk ones
  • Thorough documentation of every screening decision is non-negotiable — regulators will ask for it

What Is Ongoing Monitoring in AML?

Ongoing monitoring is the systematic, continuous process of screening customers and reviewing their transactions throughout the duration of a business relationship. The distinction from a one-time KYC check matters: onboarding captures a snapshot of who someone is at a specific moment. Ongoing monitoring tracks how that picture changes over time.

FATF Recommendation 10 sets the international baseline: firms must conduct ongoing due diligence by scrutinizing transactions against the customer's known risk profile and keeping CDD records current through regular reviews, particularly for higher-risk categories.

ACAMS frames the end goal as "perpetual KYC" — maintaining accurate client data through near-real-time updates that reflect changes in customer behavior and circumstances.

Ongoing Monitoring vs. Transaction Monitoring

These terms get used interchangeably, but they're not the same thing:

  • Transaction monitoring is one component — it focuses specifically on flagging unusual payment patterns, such as sudden volume spikes, structuring, or activity inconsistent with the customer's stated purpose
  • Ongoing monitoring is the broader program that wraps around transaction monitoring and includes periodic KYC refresh, PEP and sanctions re-screening, adverse media checks, and UBO reviews

Transaction monitoring surfaces individual red flags. Ongoing monitoring determines what to do with them — and catches the risks that no single alert would ever reach.

That broader scope matters because customer risk doesn't stay static. A customer who looked clean at onboarding can become a significant exposure within months — and firms need a program capable of catching that shift.

Why Risk Profiles Change

A customer's risk level at onboarding is not their risk level forever. Common mid-relationship changes include:

  • Winning a political election (creating PEP status)
  • Appearing in adverse media connected to fraud or corruption
  • A change in beneficial ownership that introduces a sanctioned individual
  • Starting to transact with high-risk jurisdictions not present in their original profile

Firms that treat onboarding as the finish line create exposure — not just to financial crime, but to regulators who will ask why the change was never detected.


Key Components of an Ongoing Monitoring Program

Transaction Monitoring

Transaction monitoring sits at the core of any AML program. It involves routinely analyzing transaction patterns against a customer's stated purpose, historical behavior, and assigned risk profile.

Common red flags transaction monitoring should catch:

  • Sudden spikes in transaction volume with no business explanation
  • Activity involving high-risk or sanctioned jurisdictions
  • Structuring patterns that suggest deliberate avoidance of reporting thresholds
  • Transactions inconsistent with the customer's known income or business type

PEP Screening

PEP screening cannot be treated as a one-time onboarding check. Customers can become politically exposed persons mid-relationship — after winning an election, taking a government appointment, or joining an international organization as a senior official.

The UK Money Laundering Regulations 2017, Regulation 35 explicitly requires firms to maintain risk-management systems capable of identifying PEP status changes throughout the relationship. FATF Recommendation 12 requires enhanced ongoing monitoring for all PEP relationships, along with senior management approval for continuing those relationships.

Failing to detect a mid-relationship PEP status change means a high-risk individual is being managed under a low-risk framework — a serious compliance gap.

Sanctions and Watchlist Rescreening

Sanctions lists are not static. OFAC, the UN Security Council, HM Treasury, and other bodies add and remove designations without advance notice.

The Russia-Ukraine situation illustrated this directly: OFAC issued multiple Russia-related designation actions in a single week in late February 2022, on the 22nd, 24th, and 28th, covering new individuals, entities, and directives. Firms that screened customers only at onboarding had no mechanism to catch newly designated counterparties.

Continuous rescreening against updated lists is an operational requirement, not an optional best practice.

Adverse Media Monitoring

Not every high-risk individual appears on a formal sanctions or PEP list before causing harm. Adverse media monitoring — scanning global news sources for negative coverage connected to customers or their beneficial owners — provides an early-warning layer that formal lists cannot.

The FCA's Financial Crime Guide recognizes open-source internet checks as good practice for high-risk customers and PEPs. A customer connected to a corruption investigation in local news may not appear on OFAC's SDN list for months, if ever. Adverse media fills that gap.

UBO Monitoring

Criminals frequently use layered ownership structures and shell companies to obscure who ultimately controls or benefits from funds. Ongoing UBO monitoring ensures that changes in beneficial ownership are flagged and reassessed before risk exposure shifts undetected.

Ownership changes that typically require review include:

  • New shareholders crossing material ownership thresholds
  • Reorganized holding or parent company structures
  • Changes in controlling individuals following a merger or acquisition
  • Shell company insertions that obscure the true beneficial owner

Under 31 CFR 1020.210(b)(5), FinCEN's CDD Rule requires firms to maintain and update customer information, including beneficial ownership information for legal entity customers, on a risk basis. UK MLR 2017 Regulation 28(11)(b) carries a parallel requirement.


Global Regulatory Requirements for Ongoing Monitoring

Key Jurisdictions

| Jurisdiction | Regulatory Framework | Core Requirement |
|---|---|---|
| United States | FinCEN CDD Final Rule (effective May 2018) | Risk-based ongoing CDD: monitor transactions, understand customer relationships, update customer information |
| United Kingdom | Money Laundering Regulations 2017, Reg. 28(11)–(12) | Scrutinize transactions throughout the relationship; monitoring scope must be risk-proportionate |
| Canada | FINTRAC / PCMLTFA (in effect June 2021) | Ongoing monitoring for all reporting entities; enhanced monitoring and documented frequency tiers for high-risk clients |
| International Baseline | FATF 40 Recommendations | Ongoing due diligence required across all regulated sectors; enforced through FATF mutual evaluations |

The Cost of Getting It Wrong

Enforcement actions for inadequate ongoing monitoring carry real financial consequences. Two recent cases make the stakes concrete:

| Date | Regulator | Institution | Penalty | Primary Finding |
|---|---|---|---|---|
| December 2022 | FCA | Santander UK | £107,793,300 | Weaknesses in ongoing monitoring and periodic reviews across Business Banking |
| November 2023 | FinCEN | Binance | $3,376,176,820 | Failure to implement effective AML programs and suspicious activity monitoring at scale |

The financial penalties are only part of the exposure. Enforcement actions also trigger heightened regulatory scrutiny, restrictions on business activities, and reputational damage with banking partners and investors — outcomes that can affect operations long after the fine is paid.


How Monitoring Frequency Should Be Determined by Risk Level

Regulators don't prescribe a universal review schedule. The obligation is risk-based: frequency must reflect the risk level of the customer, documented in the firm's policies and defensible to examiners.

A Practical Risk-Tiered Approach

| Risk Tier | Customer Profile | Monitoring Cadence |
|---|---|---|
| Low | Retail customers, stable transaction patterns, no PEP proximity | Annual review |
| Medium | Some PEP proximity, complex structures, elevated jurisdiction exposure | Semi-annual review |
| High | Active PEPs, high-risk jurisdictions, unusual transaction patterns | Continuous or minimum quarterly |

FINTRAC's guidance states that low-risk clients can be monitored less frequently than high-risk clients, but policies and procedures must document the chosen frequency for each tier. FinCEN's CDD FAQs confirm the same risk-based principle: updates occur when monitoring reveals information relevant to assessing customer risk, not on a fixed universal schedule.

Out-of-Cycle Review Triggers

Scheduled reviews don't eliminate the need for immediate action when a material risk event occurs. Any of the following should prompt an out-of-cycle review regardless of where the customer sits in their review cycle:

  • A new adverse media hit connected to the customer or their beneficial owners
  • Appearance on an updated sanctions list
  • A change in UBO structure
  • The customer's jurisdiction appearing on a new FATF grey or black list
  • A sudden, unexplained change in transaction volume or behavior

Scaling Monitoring for Fast-Growing Firms

For fintechs, crypto firms, and embedded finance companies, rapid customer growth creates a monitoring problem that's easy to miss until it becomes a regulatory one. A program built for 5,000 customers doesn't hold at 50,000: risk tiers go stale, alert thresholds stop fitting, and review cadences slip under the weight of volume.

Fraxtional's Fractional Advisory model addresses this directly. Firms can name a Fraxtional Director as their official BSA Officer or MLRO on regulatory filings, with that person owning monitoring program design, alert sign-off, and regulatory correspondence. It's named, accountable compliance leadership without the overhead of a full-time hire.


Common Signs of a Broken Ongoing Monitoring Program

Most monitoring failures aren't dramatic. They build up through small operational gaps until a regulator or audit surfaces them.

The most telling red flags:

  • Customer records haven't been updated after a triggering event; PEP status changes, sanctions hits, or adverse media findings sit unacted on
  • No process exists for re-screening existing customers against updated PEP and sanctions lists on an ongoing basis
  • No alert disposition documentation — alerts were reviewed informally, but there's no log showing who reviewed them, what they found, and what action was taken
  • All customers reviewed on the same annual cycle regardless of risk level, which fails both FINTRAC's and FinCEN's risk-based requirements
  • Purely manual processes — manual review can't scale, real-time changes get missed, and the FCA's Financial Crime Guide requires transaction monitoring to match the size and complexity of the business

The Documentation Problem

A common misconception is that doing the work is enough. It isn't. A strong ongoing monitoring program requires an auditable trail — each screening decision, each alert reviewed, and each action taken, with timestamps and documented rationale.

Firms that can't produce this trail when regulators ask are effectively in the same position as firms that never ran the checks.

FINTRAC requires records of all measures taken during ongoing monitoring, retained for at least five years. Work that can't be demonstrated offers no compliance protection.


Frequently Asked Questions

How often should ongoing monitoring be done?

There's no single fixed frequency — it depends on the customer's assigned risk level. High-risk customers may require continuous or at least quarterly review, while low-risk customers may be reviewed annually. Regulators expect firms to document and justify their chosen cadence in written policies.

What is the purpose of ongoing monitoring?

The purpose is to ensure a firm's understanding of its customers stays current throughout the entire relationship: detecting changes in risk status, flagging suspicious activity, maintaining compliance with AML/CFT obligations, and catching emerging exposure before it becomes a problem. Onboarding knowledge goes stale; ongoing monitoring keeps it accurate.

What is an example of ongoing monitoring?

A fintech's compliance team receives an automated alert that a previously low-risk customer has appeared on an updated OFAC SDN list. The team reviews the alert, updates the customer's risk profile to high-risk, restricts account activity, and files a SAR if the circumstances warrant it.

What is the difference between transaction monitoring and ongoing monitoring?

Transaction monitoring is one component of ongoing monitoring — it focuses specifically on analyzing payment patterns for suspicious activity. Ongoing monitoring is the broader program that also includes periodic KYC refresh, PEP and sanctions re-screening, adverse media checks, and UBO reviews.

What does ongoing monitoring mean in AML compliance?

In AML compliance, ongoing monitoring is the continuous, risk-based process of reviewing customer data, transactions, and associated activities throughout the business relationship. Unlike a one-time onboarding check, it's the mechanism that keeps a firm's customer knowledge current and its regulatory obligations met.