Control Tools Across the Customer Lifecycle

Key Takeaways

  • The customer lifecycle has four control stages: onboarding/KYC, ongoing monitoring, periodic/event-driven review, and exit (offboarding).
  • Customer Due Diligence (CDD) intensity is risk-based: standard for normal risk, Enhanced Due Diligence (EDD) for high risk, Simplified Due Diligence (SDD) for proven low risk.
  • A single 'golden record' Customer Information File (CIF) links onboarding, screening, and monitoring so controls operate on consistent data.
  • CAMS' Tools and Technologies domain is 20% of the exam; expect scenario questions asking which control to apply at which lifecycle stage.
Last updated: June 2026


The customer lifecycle is the sequence of controls a financial institution (FI) applies from the moment a prospect applies to the moment the relationship ends. CAMS tests this as a chain, not a checklist: a weakness at onboarding (poor identification) propagates into weak screening and blind monitoring. The four stages are onboarding / Know Your Customer (KYC), ongoing monitoring, periodic and event-driven review, and exit (offboarding).

At onboarding the FI performs Customer Due Diligence (CDD): collect and verify identity (the Customer Identification Program, CIP), determine beneficial ownership, understand the nature and purpose of the relationship, and assign an initial risk rating. Screening against sanctions, Politically Exposed Person (PEP), and adverse-media lists happens here and continuously thereafter. The output is a risk rating that drives every downstream control.

The risk-based approach (RBA) sets control intensity. The Financial Action Task Force (FATF) requires that resources concentrate where risk is highest:

| Risk tier | Diligence level | Typical actions |
|---|---|---|
| Low (proven) | Simplified Due Diligence (SDD) | Reduced verification, longer review cycle (e.g. every 3 years) |
| Standard | Standard CDD | Identity verified, baseline monitoring, review every 1–2 years |
| High | Enhanced Due Diligence (EDD) | Source of wealth/funds, senior approval, annual review, tighter thresholds |

Worked example. A retail customer rated low-risk opens a business account, names two 40% owners and starts wiring funds to a high-risk jurisdiction. The event (product/behavior change) triggers an event-driven review: re-rate the customer, capture the new beneficial owners, re-screen, and recalibrate monitoring scenarios. The control that fails most often on the exam is the missing re-rating — candidates pick 'file a Suspicious Activity Report (SAR)' before reassessing risk.

Use this lifecycle-to-control map when answering scenarios:

  • Onboarding cue (new account, new owner): apply CIP, beneficial-ownership capture, sanctions/PEP screening, initial risk rating.
  • Monitoring cue (alert, unusual pattern): investigate, decide SAR/no-SAR, consider de-risking.
  • Trigger event (address change, ownership change, negative news): event-driven refresh of CDD.
  • Time-based cue (rating-based cycle elapsed): periodic review and re-verification.
  • Exit cue (unmanageable risk, repeated SARs): offboard while preserving records and avoiding tipping off.

Common traps

First, SDD is never 'no diligence' — it is reduced verification justified by documented low risk, and it is prohibited whenever there is any suspicion of money laundering. Second, EDD is additive, not a replacement: the standard CDD still applies underneath. Third, de-risking an entire customer category to avoid cost is discouraged by FATF and regulators because it pushes activity into less-transparent channels; the exam-correct answer is to manage risk, not abandon whole segments.

Fourth, the Money Laundering Reporting Officer (MLRO) or BSA Officer owns the program but does not personally clear every alert — control ownership sits across the three lines of defense (business, compliance, audit).

The exam-best answer almost always reflects proportionality: match the control to the risk, document the rationale, escalate through the right owner, and keep the audit trail. Dramatic actions (instant closure, mass freezing) are usually wrong unless a sanctions hit or legal obligation forces them.

The three lines of defense

Lifecycle controls are operated across the three lines of defense, a governance model the exam expects you to apply. The first line is the business itself — relationship managers and operations staff who own the customer relationship, perform onboarding, and are accountable for risk in their book. The second line is the compliance and risk function, led by the BSA Officer or Money Laundering Reporting Officer (MLRO), which sets policy, calibrates monitoring, and independently challenges the first line. The third line is internal audit, which independently tests whether the first two lines actually work.

A scenario where compliance both runs and audits its own monitoring is a defective design because it collapses the second and third lines.

Periodic versus perpetual KYC

Traditional programs refresh CDD on a fixed cycle keyed to risk rating — for example high-risk annually, medium every two years, low every three years. The modern alternative is perpetual KYC (pKYC): instead of waiting for a calendar date, the system continuously ingests trigger events (a new beneficial owner, a sanctions-list change, a behavior shift, adverse media) and refreshes the relevant data in real time. pKYC reduces stale records and aligns review effort with actual risk movement. The exam-correct view is that pKYC complements, not abolishes, the obligation to keep CDD current.
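As an added illustration (not part of this page or of any ACAMS material) of the lifecycle-to-control map above and of the trigger-driven refresh that pKYC performs, the following Python model assigns a risk tier, maps it to a diligence level and review cycle from the table, and applies trigger events so that re-rating and re-screening always happen before any SAR decision. The placeholder jurisdiction codes, the 25% beneficial-ownership threshold, the two-year cycle chosen for standard risk, and all class and function names are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Tier(Enum):
    LOW = "low"            # proven low risk -> SDD
    STANDARD = "standard"  # -> standard CDD
    HIGH = "high"          # -> EDD


# Review cycle keyed to tier (table above: low every 3 years, standard every
# 1-2 years, high annually). Using 2 years for standard is an assumption.
REVIEW_CYCLE_YEARS = {Tier.LOW: 3, Tier.STANDARD: 2, Tier.HIGH: 1}
DILIGENCE_LEVEL = {Tier.LOW: "SDD", Tier.STANDARD: "CDD", Tier.HIGH: "EDD"}

# Constructed placeholder codes; a real programme uses its own country risk model.
HIGH_RISK_JURISDICTIONS = {"HRJ-1", "HRJ-2"}
BENEFICIAL_OWNER_THRESHOLD = 25  # percent ownership; assumed threshold


@dataclass
class Customer:
    """A minimal 'golden record' CIF: one object that screening and monitoring read."""
    customer_id: str
    tier: Tier
    last_review: date
    account_type: str = "personal"
    proven_low_risk: bool = False
    owners: dict = field(default_factory=dict)        # name -> % ownership
    jurisdictions: set = field(default_factory=set)   # counterparty jurisdictions seen
    adverse_media: bool = False
    suspicion: bool = False                           # any ML suspicion on file
    beneficial_owners: set = field(default_factory=set)


def rate(c: Customer) -> Tier:
    """Risk-based rating: EDD factors first, then proven-low, otherwise standard."""
    if c.adverse_media or c.suspicion or (c.jurisdictions & HIGH_RISK_JURISDICTIONS):
        return Tier.HIGH
    if c.proven_low_risk and c.account_type == "personal":
        return Tier.LOW
    return Tier.STANDARD


def diligence_level(c: Customer) -> str:
    """SDD is never 'no diligence' and is prohibited once there is any suspicion."""
    level = DILIGENCE_LEVEL[c.tier]
    if level == "SDD" and c.suspicion:
        return "CDD"
    return level


def capture_beneficial_owners(c: Customer) -> set:
    """Beneficial-ownership capture at onboarding or on an ownership change."""
    return {name for name, pct in c.owners.items() if pct >= BENEFICIAL_OWNER_THRESHOLD}


def review_due(c: Customer, today: date) -> bool:
    """Time-based cue: the rating-based review cycle has elapsed (365-day years)."""
    return today >= c.last_review + timedelta(days=365 * REVIEW_CYCLE_YEARS[c.tier])


def apply_trigger(c: Customer, event: str, payload: dict, today: date) -> list:
    """Event-driven review: update the record, re-rate, re-screen, recalibrate.
    Returns the ordered control actions; a SAR decision comes only after these."""
    actions = []
    if event == "ownership_change":
        c.owners = payload["owners"]
        c.account_type = payload.get("account_type", c.account_type)
        c.beneficial_owners = capture_beneficial_owners(c)
        actions.append(f"capture beneficial owners: {sorted(c.beneficial_owners)}")
    elif event == "behaviour_change":
        c.jurisdictions |= set(payload["jurisdictions"])
        actions.append("review nature and purpose of relationship")
    elif event == "adverse_media":
        c.adverse_media = True
    elif event == "sanctions_list_change":
        pass  # nothing on the record changes; re-screening below is the control
    else:
        raise ValueError(f"unknown trigger: {event}")

    old = c.tier
    c.tier = rate(c)  # the step candidates most often skip on the exam
    actions.append(f"re-rate: {old.value} -> {c.tier.value} ({diligence_level(c)})")
    actions.append("re-screen sanctions/PEP/adverse media")
    actions.append(f"recalibrate monitoring to {c.tier.value}-risk scenarios")
    c.last_review = today
    return actions


def run_worked_example() -> tuple:
    """The page's scenario: low-risk personal customer -> business account with two
    40% owners -> wires to a high-risk jurisdiction (constructed data)."""
    c = Customer("C-1", Tier.LOW, date(2025, 1, 1), proven_low_risk=True)
    log = apply_trigger(c, "ownership_change",
                        {"owners": {"Ann": 40, "Bob": 40, "Cy": 20}, "account_type": "business"},
                        date(2026, 3, 1))
    log += apply_trigger(c, "behaviour_change", {"jurisdictions": ["HRJ-1"]}, date(2026, 3, 2))
    return c.tier, diligence_level(c), log
```

The model deliberately has no "file SAR" branch inside `apply_trigger`: the trigger refreshes the record and produces a current rating, and only then does an investigator look at the activity, which mirrors the sequencing the worked example tests.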

A worked offboarding scenario

Consider a money-services business customer that generates three SARs in six months, repeatedly fails to provide source-of-funds evidence, and operates in a high-risk corridor. The lifecycle answer is structured exit: a documented decision to offboard because the residual risk cannot be managed within appetite. Critically, the FI must (1) continue to monitor and report suspicious activity until closure is effective, (2) avoid tipping off the customer about any SAR, (3) preserve all records for the retention period, and (4) consider whether a final SAR is warranted on closure.

Offboarding is a control, not an escape hatch from reporting duties.

The unifying exam principle across the lifecycle is that controls are layered and sequential: identity feeds screening, screening and risk rating feed monitoring, monitoring feeds investigation and reporting, and unmanageable risk feeds a documented exit — each with a named owner and an audit trail. When a question offers a single dramatic action, the better answer usually integrates the right control at the right stage with the right governance.

Test Your Knowledge

1. A low-risk personal customer converts the account to a business account with two new 40% owners and begins international wires. What is the FIRST control the FI should apply?

2. Which statement about Simplified Due Diligence (SDD) is correct?

3. The CAMS exam contains 120 questions over 3.5 hours with a passing score of 75. What does the 'Tools and Technologies to Fight Financial Crime' domain weighting tell you about this chapter?