Ongoing monitoring is not optional: building a continuous compliance framework

By Stuart Watkins, CEO, Zenoo

Onboarding gets all the attention. Ask any compliance vendor what they do, and the first answer is almost always about onboarding: identity verification, document checks, risk scoring, customer acceptance. It is the part of KYC that is visible, measurable, and directly connected to revenue.

Ongoing monitoring, by contrast, is the part of compliance that most firms treat as an afterthought. A periodic re-screen against sanctions lists. An annual review for high-risk customers. A transaction monitoring system that generates alerts but rarely changes anyone's risk rating. The regulators have noticed, and they are not impressed.

In the past 18 months, a significant proportion of AML enforcement actions across the UK and EU have cited inadequate ongoing monitoring as a primary or contributing failure. Not the absence of monitoring. The inadequacy of it. Firms had monitoring in place, but it was not continuous, not risk-based, and not connected to the broader compliance lifecycle.

What regulators actually mean by "ongoing monitoring"

The regulatory expectation for ongoing monitoring has three distinct components, and most firms are only doing one of them.

Component 1: Transaction monitoring. This is the most familiar element. Monitoring customer transactions against expected patterns, sanctions lists, and risk indicators. Most firms have some form of transaction monitoring in place, though the quality and calibration vary enormously.

Component 2: Customer risk review. This is where most firms fall short. The requirement is to periodically reassess each customer's risk rating based on updated information. Has the customer's business activity changed? Have they expanded into new jurisdictions? Has their ownership structure changed? Has their transaction behaviour deviated from the expected profile? These questions should be answered on a schedule that reflects the customer's risk tier: annually for high-risk, every two to three years for medium-risk, and every three to five years for low-risk.

Component 3: Event-driven monitoring. This is the component that most firms lack entirely. The requirement is to trigger a review when something changes: a new sanctions designation in a jurisdiction where you have customers, a change in a customer's PEP status, negative media coverage about a customer, a change in the regulatory status of a jurisdiction. Event-driven monitoring connects your customer base to the outside world in real time.

"Our regulator asked us a simple question: 'When Russia invaded Ukraine and new sanctions were imposed, how long did it take you to screen your entire customer base against the updated lists?' We had done it within 48 hours, which they accepted. But then they asked: 'And how did you identify customers with indirect exposure to sanctioned entities through their supply chains?' We did not have an answer for that."

The periodic re-screening trap

The most common ongoing monitoring approach we see is periodic re-screening: running the customer database against updated sanctions and PEP lists on a daily or weekly cycle. This is necessary but insufficient.

Periodic re-screening catches changes to sanctions and PEP lists. It does not catch changes in the customer themselves. A customer who was low-risk at onboarding may have expanded into high-risk jurisdictions, changed their ownership structure, or begun transacting in ways that are inconsistent with their original risk profile. Periodic re-screening against external lists will not identify any of these changes.

The firms that do ongoing monitoring well treat it as a continuous process that integrates multiple data sources. Transaction monitoring flags behavioural changes. Sanctions and PEP screening catches list changes. Company registry monitoring identifies ownership changes. Adverse media monitoring catches reputational risks. And all of these inputs feed into a risk assessment that is updated continuously, not just at the next scheduled review date.

Building a continuous monitoring framework

Here is a practical framework for moving from periodic re-screening to genuine continuous monitoring.

Layer 1: Automated screening. This is your baseline. Daily or real-time screening of your customer base against sanctions, PEP, and adverse media sources. Automated alerting when a match is found. This is the layer most firms already have. If you do not, this is where to start.

Layer 2: Transaction behaviour analysis. Monitor customer transactions against their established profile. Flag deviations that exceed defined thresholds: unusual transaction volumes, new counterparties in high-risk jurisdictions, transactions inconsistent with the customer's declared business activity. This requires your transaction monitoring system to be calibrated against customer-specific baselines, not just generic rules.

Layer 3: Corporate structure monitoring. For business customers, monitor changes to their corporate structure. Director changes, shareholder changes, new subsidiaries, changes in registered address. Company registry data is increasingly available through APIs (Companies House in the UK, for example), and monitoring services can alert you to changes in real time. This is particularly important for UBO (ultimate beneficial owner) verification, where a change in ownership may alter the customer's risk profile without any change in the customer's own behaviour.

Layer 4: Jurisdictional risk monitoring. Monitor changes in the risk profile of the jurisdictions where your customers operate. FATF mutual evaluations, grey list additions and removals, updates to Transparency International's Corruption Perceptions Index, and changes in sanctions regimes. When a jurisdiction's risk profile changes, every customer with exposure to that jurisdiction should be flagged for review, not just those who happen to be due one.

Layer 5: Risk recalculation. This is the layer that connects everything. When any of the first four layers generates a signal, the customer's risk rating should be automatically recalculated. If the recalculated risk is materially different from the current rating, the customer should be queued for a manual review. This ensures that risk ratings stay current without requiring a manual review of every customer on a fixed schedule.

"We implemented event-driven risk recalculation 18 months ago. In the first quarter, it identified 340 customers whose risk ratings needed to change. Under our old periodic review schedule, we would not have caught most of those changes for another six to twelve months. Three of them were genuine high-risk cases that needed immediate attention."

The technology requirements

Continuous monitoring at scale requires technology that most firms do not currently have. The key requirements are:

Real-time data ingestion. Your monitoring system needs to ingest updated screening data, transaction data, and corporate registry data in real time or near real time. Batch processing with overnight runs is not sufficient for a continuous monitoring framework.

Customer-specific baselines. Your transaction monitoring needs to understand what "normal" looks like for each customer, based on their declared business activity, risk profile, and transaction history. Generic rules ("flag any transaction over £10,000") generate noise. Customer-specific baselines generate signal.

Automated risk scoring. When a monitoring event occurs, the system needs to automatically recalculate the customer's risk score and determine whether the change is material enough to trigger a manual review. This requires a risk model that is configurable, transparent, and auditable.

Case management integration. When a review is triggered, it needs to flow into your case management system with all the relevant context: what triggered the review, what data changed, what the previous risk assessment said, and what information the analyst needs to make a decision. If your monitoring and case management systems are not integrated, reviews will fall through the gaps.

Audit trail. Every monitoring event, every risk recalculation, and every review decision needs to be logged with a timestamp, the data that informed it, and the outcome. This is not optional. It is the evidence that your monitoring programme works.
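The five-layer framework and the technology requirements in this section (customer-specific baselines, automated risk scoring, case-management hand-off, audit trail) reduce to one control loop, shown here as an added Python example. It is not Zenoo's platform code and not a regulator's model: the jurisdiction weights, the points per risk factor, the tier bands, the materiality threshold, the z-score cut-off and the two sample customers with their events are all constructed assumptions chosen to make the behaviour visible.

```python
# Event-driven risk recalculation for the five-layer framework above. Added example,
# not Zenoo's platform code: every weight, band, threshold and customer is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from statistics import mean, pstdev

JURISDICTION_RISK = {"GB": 0, "DE": 0, "AE": 2, "TR": 4}   # constructed; unknown = 6
MATERIAL_DELTA = 3   # score movement that forces a manual review on its own
Z_THRESHOLD = 3.0    # month total more than 3 sigma above the customer's own baseline


@dataclass
class Customer:
    cid: str
    jurisdictions: set
    monthly_volumes: list = field(default_factory=list)   # own history, oldest first
    sanctions_hit: bool = False
    ownership_changed: bool = False
    behaviour_flag: bool = False
    score: int = 0
    tier: str = "low"


def tier_for(score: int) -> str:
    return "low" if score <= 3 else "medium" if score <= 8 else "high"


def volume_deviation(history: list, month_total: float) -> bool:
    """Layer 2: a month against the customer's own baseline, not a generic amount."""
    if len(history) < 3:                  # no baseline yet
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:                        # flat history: doubling is the signal
        return month_total > 2 * mu
    return (month_total - mu) / sigma > Z_THRESHOLD


class RiskEngine:
    """Layer 5: scoring model, review queue (case-management hand-off), audit trail."""
    def __init__(self):
        self.jurisdiction_risk = dict(JURISDICTION_RISK)
        self.review_queue = []
        self.audit = []

    def score(self, c: Customer) -> int:
        s = max((self.jurisdiction_risk.get(j, 6) for j in c.jurisdictions), default=0)
        s += 8 if c.sanctions_hit else 0
        s += 2 if c.ownership_changed else 0
        s += 3 if c.behaviour_flag else 0
        return s

    def _apply_facts(self, c: Customer, ev: dict) -> None:
        kind = ev["type"]
        if kind == "sanctions_update":                 # layer 1: list screening
            c.sanctions_hit = c.cid in ev["matched_ids"]
        elif kind == "month_close":                    # layer 2: behaviour
            c.behaviour_flag = volume_deviation(c.monthly_volumes, ev["total"])
            c.jurisdictions |= set(ev.get("counterparty_countries", []))
            c.monthly_volumes.append(ev["total"])
        elif kind == "registry_change":                # layer 3: corporate structure
            c.ownership_changed = True
        # layer 4 (jurisdiction_risk) changes the weights in dispatch(), not the customer

    def recalculate(self, c: Customer, ev: dict) -> dict:
        old_score, old_tier = c.score, c.tier
        self._apply_facts(c, ev)
        c.score, c.tier = self.score(c), tier_for(self.score(c))
        material = c.tier != old_tier or abs(c.score - old_score) >= MATERIAL_DELTA
        decision = {"customer": c.cid, "event": ev["type"], "old_score": old_score,
                    "new_score": c.score, "new_tier": c.tier, "review": material}
        if material:
            self.review_queue.append(decision)
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event_data": ev, **decision})
        return decision

    def dispatch(self, book: dict, ev: dict) -> list:
        """One customer for customer events; fan out for a jurisdiction change."""
        if ev["type"] == "jurisdiction_risk":
            self.jurisdiction_risk[ev["country"]] = ev["weight"]
            targets = [c for c in book.values() if ev["country"] in c.jurisdictions]
        else:
            targets = [book[ev["customer"]]]
        return [self.recalculate(c, ev) for c in targets]


def demo() -> dict:
    # Constructed: C-1 (UK, low risk) has a director change, then a volume spike with a
    # new Turkish counterparty; C-2 already trades with Turkey; then Turkey is upweighted.
    engine = RiskEngine()
    book = {"C-1": Customer("C-1", {"GB"}, [10_000, 11_000, 9_500, 10_500]),
            "C-2": Customer("C-2", {"DE", "TR"}, [4_000, 4_100, 3_900])}
    for c in book.values():                       # onboarding rating
        c.score, c.tier = engine.score(c), tier_for(engine.score(c))
    events = [{"type": "registry_change", "customer": "C-1"},
              {"type": "month_close", "customer": "C-1", "total": 60_000,
               "counterparty_countries": ["TR"]},
              {"type": "jurisdiction_risk", "country": "TR", "weight": 7}]
    for ev in events:
        engine.dispatch(book, ev)
    return {"book": book, "engine": engine}
```

Running `demo()` walks the three events through the loop. The director change on its own moves C-1 from 0 to 2 points and stays in the low tier, so it is logged but not queued for review. The month close is caught against C-1's own history (a 60,000 month against a baseline near 10,250 with a standard deviation of roughly 560) and, together with the new Turkish counterparty, moves C-1 to the high tier and into the review queue. Raising the weight for Turkey fans out to every customer with that exposure, which is how C-2 ends up queued without any event of its own. Every recalculation, queued or not, is written to the audit list with the event data that informed it; in a real deployment that list would be append-only storage and the review queue would be the hand-off into case management with the same context attached.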

Resourcing continuous monitoring

One of the most common objections we hear is that continuous monitoring will overwhelm compliance teams with reviews. The concern is understandable but misplaced. A well-calibrated continuous monitoring framework does not add reviews so much as redirect them: human attention goes to the cases where something has actually changed.

Under a periodic review model, every customer in a risk tier is reviewed on the same schedule, regardless of whether anything has changed. This means analysts spend significant time reviewing customers where nothing has changed and everything is as expected. That is wasted effort.

Under a continuous, event-driven model, reviews are triggered only when something changes. Customers where nothing has changed are not reviewed until the next event. Customers where something material has changed are reviewed promptly. The total number of reviews may be similar, but the proportion of reviews that lead to a genuine risk decision is much higher.

The key is calibration. If your monitoring thresholds are too sensitive, you will generate too many events and overwhelm your team. If they are too loose, you will miss material changes. Calibration is an ongoing process: test a threshold change against historical events before deploying it, track the proportion of triggered reviews that actually change a risk rating, and adjust when that proportion drifts in either direction.

Ongoing monitoring is not a box to tick. It is a continuous process that connects your customer base to a constantly changing risk environment. The firms that treat it as periodic re-screening are meeting the minimum standard. The firms that build genuine continuous monitoring frameworks are meeting the regulatory expectation and, more importantly, actually managing their risk.

If your ongoing monitoring needs strengthening, or if you want to see how an orchestrated approach can integrate multiple monitoring data sources through a single platform, talk to us. 30 minutes. Your data. No slides.

About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
