
Perpetual KYC: automated risk-based compliance


Identity verification isn’t just something you have to do at onboarding. Yes, banks and fintechs are required to run Know Your Customer (KYC) and Know Your Business (KYB) checks on new customers, but they are also required to reverify KYC, KYB, and sanctions screening on existing customers periodically based on the customer’s level of risk.

Specific requirements vary by geographic location. Generally speaking, at a minimum, banks and fintechs must reverify high-risk customers every year, medium-risk customers every two to three years, and low-risk customers every three to five years. They must also reasonably avoid doing business with anyone on local sanctions lists.

These periodic reviews have historically been costly and time-consuming, especially if you have a large customer base. They can also leave significant lapses in time between your due diligence checks, which opens banks and fintechs up to regulatory risk.

As more banks and fintechs move towards a culture of compliance where they go above and beyond what regulators require, many financial institutions and fintechs are opting for a risk-based, perpetual KYC approach instead of practicing periodic KYC.

Challenges with periodic KYC

The risk levels you set at onboarding are not dynamic

The intervals at which you periodically review each customer’s information are based on risk levels that you set at onboarding and are not updated until the next time you rescreen them for KYC.

With new account fraud increasingly impacting banks and fintechs, the risk level you set for a customer at onboarding will not necessarily be their risk level for long. In fact, if fraudsters are lucky enough to make it through your initial onboarding funnel, they often show signs of fraudulent activity in the first 30 to 90 days. If you wait until day 365 to rescreen them for KYC, you’re already behind.

Risk-based approaches are more difficult to execute without dynamic risk profiles

Many banks and fintechs don’t use a risk-based approach for periodic KYC. Instead, they might rescreen their entire customer base at arbitrary intervals.

This approach adds unnecessary friction for your low-risk customers, leading to a higher churn rate for your good customers. It can also lead to more false positives and more manual reviews — driving compliance costs up and preventing good customers from making transactions.

Sanctions lists can change daily

We live in a volatile geopolitical climate right now, and sanctions lists can change daily. Periodic reviews expose you to the risk of being non-compliant with the latest watchlists, which could lead to fines and reputational damage.

Disparate processes and systems for initial KYC and periodic KYC

Many banks and fintechs view their periodic KYC processes as a separate function from their initial KYC.

With multiple tools and processes managing your initial and periodic KYC (and storing the data associated with each process), there is no single source of truth to look at a customer’s risk holistically across the entire customer lifecycle.

What is perpetual KYC?

Perpetual KYC — also known as continuous KYC, ongoing KYC, or simply “pKYC” — is the process of automating recurring KYC, KYB, and sanctions checks based on specific rules or “triggers” instead of at periodic intervals.

These rules might be based on risk level: for example, reverifying high-risk customers once a day, medium-risk customers once a week, and low-risk customers once a month. Other rules may be based on events, for example:

  • updates to sanctions watchlists
  • a new customer relationship with a Politically Exposed Person (PEP)
  • an update to a customer's personally identifiable information (PII)
  • a risky transaction
  • a new account user or Beneficial Owner
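The two kinds of rule described above can be evaluated together in one pass. The sketch below is an added example, not Alloy's code or API: the trigger identifiers, the `Customer` fields, the 30-day reading of "once a month", and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Cadences from the article's example; "once a month" is taken as 30 days (assumption).
CADENCE = {"high": timedelta(days=1), "medium": timedelta(days=7), "low": timedelta(days=30)}
# Event triggers from the article's list; the identifier names are hypothetical.
EVENT_TRIGGERS = {"pep_relationship", "pii_update", "risky_transaction", "new_beneficial_owner"}

@dataclass
class Customer:
    customer_id: str
    risk: str                     # rating as of the last screening
    last_screened: datetime
    list_version: int             # sanctions list version used at the last screening
    events: list = field(default_factory=list)   # (timestamp, event_type) pairs

def rescreen_reasons(c, now, current_list_version):
    """Return every trigger that makes this customer due for a KYC refresh."""
    reasons = []
    if c.risk not in CADENCE:
        reasons.append("unknown_risk_rating")     # fail closed instead of skipping
    elif now - c.last_screened >= CADENCE[c.risk]:
        reasons.append("cadence_" + c.risk)
    if c.list_version < current_list_version:
        reasons.append("sanctions_list_update")   # applies regardless of risk tier
    for ts, kind in sorted(c.events):
        # Events at or before the last screening were already covered by it.
        if kind in EVENT_TRIGGERS and ts > c.last_screened and kind not in reasons:
            reasons.append(kind)
    return reasons

def due_queue(customers, now, current_list_version):
    """Map customer_id -> reasons, omitting customers with nothing pending."""
    queue = {}
    for c in customers:
        reasons = rescreen_reasons(c, now, current_list_version)
        if reasons:
            queue[c.customer_id] = reasons
    return queue

# Constructed sample data, evaluated at NOW against sanctions list version 7.
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE = [
    Customer("A", "low", datetime(2024, 3, 1), 7, [(datetime(2024, 3, 5), "pii_update")]),
    Customer("B", "high", datetime(2024, 3, 10), 6),
    Customer("C", "medium", datetime(2024, 3, 1), 7, [(datetime(2024, 2, 20), "risky_transaction")]),
    Customer("D", "low", datetime(2024, 3, 8), 7),
]

if __name__ == "__main__":
    for cid, reasons in due_queue(SAMPLE, NOW, 7).items():
        print(cid, reasons)
```

Customer A is low-risk and weeks away from its scheduled check, yet the PII change puts it in the queue immediately; customer B was screened that morning but against an older sanctions list, so the list update alone makes it due.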

Perpetual KYC benefits

Implementing a perpetual KYC process can have a multitude of benefits, including:

Reduced operational costs

Running periodic refreshes to rescreen business and consumer clients is time-intensive, highly manual, and expensive — especially for larger organizations with bigger customer bases. Perpetual KYC streamlines a lot of this work, reducing false positives and the need for manual oversight and driving operational costs down.

Better fraud prevention and mitigation through dynamic customer risk profiles

Robust KYC policies directly improve your fraud prevention and mitigation capabilities. Perpetual KYC's event-based triggers help banks and fintechs build dynamic risk profiles for each customer based on account activity, PII changes, and other triggers.

These dynamic risk profiles enable banks and fintechs to keep KYC information up to date in real time and flag (and respond to) risky behavior sooner than they would through traditional periodic KYC processes.

Improved customer experience

Periodic KYC reviews often require customers to submit additional verification (such as providing documentation), which can add friction and feel cumbersome when they’ve already done that at the point of their initial onboarding.

Perpetual KYC streamlines the process for customers behind the scenes, reducing the need for repetitive information and documentation. A risk-based perpetual KYC approach allows you to add friction only for your high-risk customers while keeping the customer experience frictionless for your low-risk customers.

Stay up-to-date with ever-evolving regulations and sanctions lists

Non-compliance with regulations and sanctions can lead to hefty fines and pose a reputational risk. Perpetual KYC protects banks and fintechs from both of these risks by keeping them as up-to-date as possible with the ever-changing regulatory landscape.

How to implement perpetual KYC

Below are some steps to take to implement perpetual KYC.

Map out your big-picture policy changes

Implementing a risk-based perpetual KYC approach will require you to look at your existing ongoing compliance policies and reimagine them. Identify what changes need to be made and document your new policies.

Outline the procedures and rules that support your new policies

Now that you’ve mapped out your new perpetual KYC policies, identify the granular rules and thresholds you need to build to support them.

Build or buy the technology that powers this policy

A big piece of the perpetual KYC puzzle is having the digital infrastructure to power your perpetual KYC workflows. Can your current tech stack support perpetual KYC? Or do you need to build out this functionality or find a vendor that offers perpetual KYC capabilities?

Test and optimize

Once you’ve got the policies, rule set, and technology in place, test these new changes to ensure they effectively keep you compliant and identify fraud. Make tweaks to your workflows as needed.

How Alloy helps balance cost with risk for perpetual KYC

Many organizations think investing in the digital infrastructure to run perpetual KYC is too costly. However, when you’re smart about how you set up your perpetual KYC rule sets and processes, it is actually much more cost-effective than periodic KYC.

Cost-effective workflows based on customer risk

A customer’s risk rating should not only determine the frequency at which you rescreen them but also inform which pKYC workflow you run them through. For example, for a high-risk customer, you may use an evaluation schedule that checks them more frequently and uses more data sources than you would for a low-risk customer.

Access to over 180 data sources with a single API

As part of due diligence, banks and fintechs will typically reach out to several different data sources to validate that the customer is in good standing. It can be manually intensive and costly to manage disparate systems and combine a number of different data sources. With Alloy’s single API, clients can access 180+ global data sources with coverage spanning 195 markets.

Synthesized risk signals from onboarding and ongoing

Alloy allows you to look at a customer’s holistic risk profile across the entire customer lifecycle. Tap into unique insights across onboarding, transactions, and on-platform behavioral data to identify high-risk activity in real-time. Easily combine disparate data sources such as transaction history, device data, and PII data in one place to effectively stay compliant and screen for fraud.

Automatic triggers for high-risk events

Don’t worry about looking at every transaction or customer event. Simply set up the rules and parameters, and Alloy enables automatic action off the back of high-risk or suspicious activity or sanctions updates. If there is a breach of the predetermined thresholds, instead of just sending these cases through for manual review, Alloy triggers a KYC refresh or routes to step-up verification when necessary, reducing the burden on your risk teams.

Check out Alloy’s full suite of ongoing monitoring solutions.
