Perpetual KYC: automated risk-based compliance
Dec 17, 2025
How to keep risk profiles fresh with automated KYC verification
If you’re a bank, fintech, or credit union, then you’ve used know your customer (KYC) onboarding processes to verify customer information and assess compliance risk.
Perpetual KYC, or “pKYC,” is an extension of this concept, furthering traditional KYC through automated, ongoing identity verification. It uses real-time triggers rather than fixed schedules to help keep financial organizations compliant with anti-money laundering (AML) regulations.
Just because someone passed your initial identity checks doesn't mean their risk profile stays frozen in time. People change jobs, move countries, get added to sanctions lists, or — in some cases — turn out to be fraudsters who slipped through the cracks of your onboarding funnel.
What is perpetual KYC?
Perpetual KYC is the process of automating recurring KYC, KYB, and sanctions checks through ongoing monitoring based on specific rules or triggers instead of at periodic intervals. Other names for this process include continuous KYC and ongoing KYC.
Think about how you evaluate someone new in your life. Your first date is all about verification and reassurance. Are they who they say they are? But you don't stop there. You keep watching on dates two and three — noticing if their story changes, if they act inconsistently, or if other red flags start appearing that weren't visible at first.
Perpetual KYC helps financial institutions and fintechs approach customer verification the same way. It’s an approach to financial compliance that involves continuous monitoring and triggers based on real-time events. These might include:
- Updates to sanctions watchlists
- A new customer relationship with a politically exposed person (PEP)
- Changes to personally identifiable information (PII)
- Risky transactions or behavioral red flags
- New account users or beneficial owners
- Unusual account activity in the first 30 to 90 days after onboarding
Understanding KYC requirements
Although KYC requirements vary by geographic location, the fundamentals are consistent. Financial organizations must verify customer identities, assess risk levels, and maintain up-to-date records throughout the customer relationship.
These requirements stem from global frameworks, such as those set by the Financial Action Task Force (FATF) and the Financial Conduct Authority (FCA), which guide AML and other regulatory compliance programs. In the US, the Bank Secrecy Act (BSA) and regulations from FinCEN establish specific customer due diligence (CDD) and enhanced due diligence (EDD) standards that institutions must follow to prevent financial crime risk.
As more financial service providers move towards a culture of compliance, many financial institutions and fintechs are incorporating a risk-based, perpetual KYC approach instead of solely practicing periodic KYC.
What’s wrong with periodic KYC checks?
Perpetual KYC is an important part of customer lifecycle management (CLM) and represents an advancement in how financial institutions approach risk assessment.
Simply put, periodic or traditional KYC operates on a fixed schedule. High-risk customers might be reviewed annually, medium-risk customers every two to three years, and low-risk customers every three to five years (depending on what each financial institution or fintech decides).
You can see the problem with this. It’d be crazy to give someone access to your bank account after the first date, then wait a full year before checking in on them again. But that's essentially what financial institutions that conduct periodic KYC rather than perpetual KYC do. They verify someone once, give them access to financial services, and then don't look again until the next scheduled review.
The risk level you set for a customer at onboarding will not necessarily stay their risk level for long. In fact, if fraudsters are lucky enough to make it through your initial onboarding funnel, they often show signs of fraudulent activity within the first 30 to 90 days. If you wait until day 365 to rescreen them for KYC, you’re already behind.
Risk-based approaches are more difficult to execute without dynamic risk profiles
Many financial institutions and fintechs don’t use a risk-based approach for perpetual KYC. Instead, they might rescreen their entire customer base at arbitrary intervals determined by a periodic review schedule.
This creates two problems. First, it inflates false positives and manual reviews, driving compliance costs up and slowing down good customers. Second, it prevents institutions from adjusting the frequency or thoroughness of KYC checks when a customer’s risk meaningfully shifts.
With static profiles, a low-risk customer who suddenly moves to a higher-risk geography, adds a new beneficial owner, or shows unusual early-life account activity will not be reviewed until the next scheduled refresh. Dynamic risk profiles automatically update the customer’s risk rating and trigger the appropriate KYC workflow, ensuring proactive screening when needed and reducing unnecessary friction for everyone else.
Sanctions lists can change daily
We currently live in a volatile geopolitical climate, meaning sanctions lists can change daily. Periodic reviews expose you to the risk of being non-compliant with the latest watchlists, which could lead to fines and reputational damage.
Disparate processes and systems emerge between initial KYC and periodic KYC
Many financial institutions and fintechs view their periodic KYC processes as a separate function from their initial KYC at onboarding. With multiple tools and processes managing your initial and periodic KYC (and storing the data associated with each process), there is no single source of truth to look at a customer’s risk holistically across the entire customer lifecycle.
What perpetual KYC does differently
Instead of waiting for a calendar date to trigger a review, perpetual KYC uses real-time data and event-based rules to determine when verification is needed. The system continuously monitors customer activity and automatically initiates checks when specific conditions are met.
Here's how perpetual KYC typically works.
Systems monitor for events that signal increased risk
Perpetual KYC systems monitor for events that signal increased risk, like sanctions list updates, changes to PII or beneficial ownership, transaction monitoring alerts, unusual transactions, new account relationships, or behavioral shifts that don't match a customer's baseline profile. When these triggers fire, the system automatically runs the appropriate verification workflow.
Dynamic risk profiles evolve with customer behavior
Instead of locking in a risk rating at onboarding, perpetual KYC builds adaptive profiles that update with new customer data. Customer-level machine learning and artificial intelligence help surface anomalies sooner, strengthening risk management without adding friction.
Automated verification workflows streamline escalation
The best perpetual KYC systems automate the entire process. When a trigger fires, the system runs the appropriate checks against relevant data sources, scores the results, and either clears the customer or escalates to compliance for manual review. Only the truly suspicious cases require human intervention.
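The trigger, scoring, and escalation flow described above can be sketched as follows. This is an added example, not code from the article or from any vendor. The event names, weights, thresholds, and the early-life multiplier are assumptions chosen for illustration, and the customer record is constructed.

```python
from dataclasses import dataclass, field

# Assumed weights and thresholds; a real programme sets these in policy.
TRIGGER_WEIGHTS = {
    "sanctions_match": 100,        # hit after a watchlist update
    "pep_relationship": 40,
    "beneficial_owner_added": 30,
    "transaction_alert": 25,
    "pii_change": 15,
}
EARLY_LIFE_DAYS = 90               # article: fraud often surfaces in days 30-90
REFRESH_AT, ESCALATE_AT = 30, 70   # score cut-offs (assumed)

@dataclass
class Profile:
    customer_id: str
    days_since_onboarding: int
    score: int = 0
    history: list = field(default_factory=list)

def handle_event(profile: Profile, event_type: str) -> str:
    """Update the dynamic risk score and return the workflow to run."""
    weight = TRIGGER_WEIGHTS.get(event_type)
    if weight is None:
        # Fail closed: an unmapped event goes to a human, never to "clear".
        action = "manual_review"
    else:
        if profile.days_since_onboarding <= EARLY_LIFE_DAYS:
            weight = weight * 3 // 2   # early-life activity counts for more
        profile.score = min(100, profile.score + weight)
        if profile.score >= ESCALATE_AT:
            action = "manual_review"
        elif profile.score >= REFRESH_AT:
            action = "kyc_refresh"
        else:
            action = "clear"
    profile.history.append((event_type, profile.score, action))
    return action

def days_until_periodic_review(event_day: int, interval_days: int) -> int:
    """Days a fixed-schedule programme waits before it sees the same event."""
    return (-event_day) % interval_days

if __name__ == "__main__":
    new_customer = Profile("cust-001", days_since_onboarding=45)  # constructed
    for ev in ("pii_change", "transaction_alert", "beneficial_owner_added"):
        print(ev, "->", handle_event(new_customer, ev))
    print("periodic lag:", days_until_periodic_review(45, 365), "days")
```

The `history` list doubles as an audit trail of why each workflow ran, which is the record a compliance reviewer needs when a case is escalated.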
Benefits of perpetual KYC
Implementing a perpetual KYC process can have a multitude of benefits, including:
Improved operational efficiency
Running frequent periodic refreshes to rescreen low-risk customers is time-intensive, highly manual, and expensive, especially for larger organizations with bigger customer bases. Perpetual KYC streamlines a lot of this work, taking a proactive approach based on risk level that reduces the need for manual oversight and drives down operational costs.
Better fraud prevention and mitigation through dynamic customer risk profiles
Robust KYC policies directly improve your fraud prevention and risk mitigation capabilities. Perpetual KYC's event-based triggers help financial institutions and fintechs build dynamic risk profiles for each customer based on account activity, PII changes, and other triggers.
These dynamic risk profiles enable financial institutions and fintechs to keep KYC information up to date in real time and flag (and respond to) risky behavior sooner than they would through traditional periodic KYC processes.
Enhanced customer experience
Periodic KYC reviews often require all customers to submit additional verification materials (such as providing documentation), which can add friction and feel cumbersome when they’ve already done that at the point of their initial onboarding.
Perpetual KYC improves customer satisfaction by expediting this process behind the scenes, reducing the need for repetitive information and documentation. A risk-based perpetual KYC approach allows you to only add friction for your high-risk customers while keeping the customer experience frictionless for your low-risk customers.
Real-time compliance with ever-evolving regulations and sanctions lists
Non-compliance with regulations and sanctions can lead to hefty fines and pose a reputational risk. Perpetual KYC protects financial institutions and fintechs from both of these threats by keeping them as up to date as possible with the ever-changing regulatory landscape.
How to implement perpetual KYC
The shift from periodic to perpetual KYC requires both policy changes and technical infrastructure. Here's a practical roadmap:
Map out your big-picture policy changes
Implementing a risk-based perpetual KYC approach will require you to look at your existing ongoing compliance policies and reimagine them. Identify which real-time events you would like to monitor for throughout the customer lifecycle, and document your new policies.
Define rules and thresholds
Once you’ve mapped out your new perpetual KYC policies, get granular. Identify the specific rules, risk thresholds, and triggers you need to build to support them.
Build or buy the technology
Perpetual KYC requires digital infrastructure that can monitor customer risk continuously, pull data from multiple sources, apply rules dynamically, and automate workflows from end to end. Evaluate whether your current tech stack can support this approach or if you need to build out functionality internally or partner with a vendor that offers perpetual KYC capabilities.
Test and optimize
Once you've implemented your policies, rule sets, and technology, test thoroughly. Monitor how well the system catches fraud and maintains compliance. Track false positive rates, manual review volumes, and customer friction. Make adjustments to your workflows as needed to improve performance over time.
How Alloy helps balance cost with risk for perpetual KYC
Perpetual KYC is only as effective as the technology behind it. Alloy gives compliance teams the tools to stop fraud and stay compliant beyond customer onboarding — automating ongoing monitoring, streamlining verification, and managing costs without compromising on risk control.
Cost-effective workflows based on customer risk
A customer’s risk rating should not only determine the frequency at which you rescreen them but also inform which pKYC workflow you run them through. For example, for a high-risk customer, you may use an evaluation schedule that checks them more frequently and uses more data sources than you would for a low-risk customer.
Access to over 250 data solutions with a single API
As part of due diligence, financial institutions and fintechs will typically reach out to several different data sources to validate that a customer is in good standing. It can be manually intensive and costly to manage disparate systems and combine a number of different data sources. With Alloy’s single API, clients can access over 250 global data solutions with coverage spanning 195 markets.
Synthesized risk signals from onboarding and ongoing
Alloy allows you to look at a customer’s holistic risk profile across the entire customer lifecycle. Tap into unique insights across onboarding, transactions, and on-platform behavioral data to identify high-risk activity in real-time. Easily combine disparate data sources such as transaction history, device data, and PII data in one place to effectively stay compliant and screen for fraud.
Automatic triggers for high-risk events
Don’t worry about looking at every transaction or customer event. Simply set up the rules and parameters, and Alloy enables automatic action when suspicious activity happens or sanctions lists update. Instead of just sending these cases through for manual review, Alloy triggers a KYC refresh or routes to step-up verification when necessary, reducing the burden on your risk teams.