Keep customer records current without the annual review scramble
Perpetual KYC (pKYC) keeps customer due diligence continuously up to date through event-driven refreshes, rather than fixed periodic reviews. When something changes, such as a customer's address, transaction pattern or risk profile, the record is re-checked. It is an industry model for meeting the ongoing-monitoring duty in the Money Laundering Regulations 2017.
For a compliance team sitting on a large customer book, the pain is familiar. A periodic review cycle comes round, thousands of files fall due at once, and a chunk of the work re-confirms information that never changed. Meanwhile, records that did change sit stale until their scheduled slot arrives. Perpetual KYC is the operating model that spreads this work across the year and ties each check to a reason.
Perpetual KYC is a continuous approach to keeping customer due diligence current. Instead of reviewing every file on a fixed calendar, the firm defines events that should trigger a re-check, then acts on them as they happen. A change of address, a shift in transaction behaviour, a change in beneficial ownership or a new screening hit each prompt a targeted review, close to the moment the change occurs.
The term is an industry one. It describes how a firm can meet an existing legal duty, not a separate rule of its own.
Periodic review works on a schedule. Files are re-examined in batches by risk band, often annually or every few years, whether or not anything about the customer has changed. Perpetual KYC works on triggers. The record updates when a defined event occurs, so effort concentrates where something has actually moved and the book stays current between the peaks.
|
Dimension |
Periodic KYC review |
Perpetual KYC (pKYC) |
|
Trigger |
Fixed calendar cycle (e.g. annual, by risk band) |
Predefined events (address change, transaction pattern, ownership change, screening hit, risk change) |
|
Timing of updates |
Scheduled, in batches |
When something changes, close to real time |
|
Record currency between reviews |
Can go stale until the next cycle |
Kept current continuously |
|
Customer experience |
Periodic re-document requests |
Refresh in the background where data allows |
|
Cost profile |
Large periodic peaks of manual work |
Spread across events; manual effort on exceptions |
|
Regulatory basis |
Meets Reg 28(11) ongoing-monitoring duty |
Meets the same duty via event-driven refresh |
|
Where identity re-match fits |
Re-verify in the batch cycle |
Re-verify on the trigger, or batch-wash the back-book |
The Money Laundering Regulations 2017 require ongoing monitoring of a business relationship. Regulation 28(11) sets out two limbs: scrutiny of transactions throughout the relationship, and reviews of existing records that keep the documents or information obtained for customer due diligence up-to-date. Perpetual KYC is one way to satisfy the second limb.
Those two limbs do different jobs. Limb (a) is about watching transactions against what you know of the customer. Limb (b) is about keeping the underlying customer information current. An identity refresh sits against limb (b) only. It does not perform transaction scrutiny, which stays with the firm's monitoring systems.
No. The Money Laundering Regulations 2017 require ongoing monitoring and that CDD information is kept up to date. They do not name perpetual KYC, prescribe event-driven refresh, or set a fixed review frequency. Firms are free to meet the duty through periodic reviews, an event-driven model, or a combination. Perpetual KYC is one recognised way to do it, not a rule in itself.
There is no such thing as "the pKYC rule". The duty is fixed in law; the operating model a firm uses to meet it is a choice. The regulator's interest is in whether the chosen approach keeps records current on a risk-sensitive basis, with clear policies on review frequency and defined event-driven controls.
A refresh is triggered by a predefined event that suggests the customer's information may have moved. Common triggers include a change of address or contact details, a significant or unusual transaction, a change in beneficial ownership, a screening alert, or a shift in the customer's risk rating. The firm sets the trigger list against its own risk assessment.
Triggers should be risk-sensitive. A change of registered ownership on a higher-risk corporate customer warrants a fuller review than a routine address update on a low-risk personal account. Governed triggers, mapped to risk, are what separate a defensible pKYC model from an inbox of undifferentiated alerts.
KYC remediation is a one-off cleanup of the existing customer book. It is a project with a start and an end, run to bring historic files up to a current standard. Perpetual KYC is the ongoing operating model that keeps the book current afterwards. Remediation fixes the back-book once; perpetual KYC keeps it fixed.
Most firms need both, in sequence. A remediation exercise clears the backlog and establishes a clean baseline. A perpetual model then maintains that baseline through event-driven refresh, so the firm does not accumulate another decade of drift and face the same batch cleanup again. Our KYC remediation and re-KYC guide covers the one-off exercise in detail.
Identity re-matching is the step that re-confirms a customer still matches across independent, reliable data sources. Within a perpetual KYC model, when a trigger fires or a batch refresh runs, the customer's name, address and date of birth are re-checked against sources such as banks, mobile networks and public-sector data. It refreshes the identity evidence that underpins the file.
This is one component of ongoing monitoring, not the whole of it. Identity re-matching supports the record-currency limb of Regulation 28(11). It does not perform transaction or behaviour monitoring. Sanctions and PEP screening, risk scoring and case management sit in the firm's other systems. The wider perpetual monitoring programme, including transaction scrutiny, remains the firm's responsibility.
Two mechanisms do most of the work. A batch data wash runs the whole back-book against independent sources in one pass, re-confirming who still matches and flagging who no longer does. A real-time API call does the same for a single customer on a trigger, so a change of address or a screening event refreshes that record without waiting for a cycle.
For the customer, a background refresh means no repeat document request when the data already resolves. For the compliance team, routine confirmations clear automatically and only genuine exceptions reach a human. This is where OneID's KYC Match fits: it handles the identity re-match step within a perpetual KYC model, as a batch data wash across the back-book or an API refresh on a trigger. OneID is a digital verification services provider, certified under the UK's Digital Verification Services Trust Framework. The firm keeps the wider due diligence: risk assessment, screening, transaction monitoring and record-keeping.
You can run 1,000 records through KYC Match for free, to compare the match results against your existing provider. Contact OneID to set up the comparison.
Is pKYC a legal requirement in the UK? No. The Money Laundering Regulations 2017 require ongoing monitoring and keeping customer due diligence information up to date. They do not mandate perpetual KYC or set a fixed review frequency. pKYC is an industry model for meeting that duty through event-driven refresh.
What is the difference between perpetual KYC and KYC remediation? KYC remediation is a one-off cleanup of the existing customer book, a project with a start and end. Perpetual KYC is the ongoing operating model that keeps records current afterwards through event-driven refresh. Remediation clears the backlog; perpetual KYC maintains the baseline.
What is ongoing monitoring under the Money Laundering Regulations 2017? Regulation 28(11) requires scrutiny of transactions throughout a business relationship, and reviews of existing records that keep the documents or information obtained for customer due diligence up-to-date. It sets no fixed review frequency, leaving firms to monitor on a risk-sensitive basis.
Does perpetual KYC replace transaction monitoring? No. Perpetual KYC as an identity-refresh model sits alongside transaction scrutiny; it does not replace it. The Money Laundering Regulations 2017 treat transaction scrutiny and record-currency as separate limbs of ongoing monitoring. A firm keeps both.
How often should you refresh KYC? The Money Laundering Regulations 2017 set no fixed frequency. Refresh should be risk-sensitive: event-driven re-checks when something changes, supported by risk-based review cycles for higher-risk customers. The firm sets the approach against its own risk assessment.
What is a KYC refresh? A KYC refresh re-confirms a customer's details are still current and accurate. It can re-check identity attributes against independent sources, review the risk rating, and update records where information has changed. In a perpetual model, refreshes are triggered by events rather than a fixed calendar.
Confirm a customer's address in seconds, no utility bill, no upload
Stop failing good customers at the identity check
Fintech KYC decides the first ninety seconds of onboarding. Someone downloads the app, enters their deta...