Periodic Refresh and Perpetual KYC

Key Takeaways

  • Periodic refresh re-verifies customer data on fixed cycles (commonly 1/3/5 years by risk rating); perpetual KYC (pKYC) re-reviews on triggering events instead of the calendar.
  • Risk rating drives cadence: high-risk customers are typically refreshed annually, standard customers every 3 years, low-risk every 5 years.
  • Trigger events (new beneficial owner, jurisdiction change, sanctions hit, unusual activity) should force an off-cycle review under either model.
  • On CAMS, choose the proportionate, documented action: refresh CDD, re-score risk, and escalate to EDD when triggers fire — do not exit a customer reflexively.

Last updated: June 2026

Ongoing customer due diligence (CDD) does not stop at onboarding. The customer information collected at account opening decays — ownership changes, addresses move, sanctions lists update, and behavior shifts. Periodic refresh is the traditional control: the institution re-verifies identity, beneficial ownership, expected activity, and risk rating on a fixed schedule. Perpetual KYC (pKYC) is the modern alternative that replaces the calendar with continuous, event-driven re-assessment.

Risk-based refresh cycles

The Financial Action Task Force (FATF) and most regulators require that refresh frequency be risk-based, not uniform. A common industry mapping is:

Customer risk rating                                             | Typical refresh cycle | Depth of review
High risk (PEPs, high-risk jurisdictions, correspondent banks)   | Every 12 months       | Full enhanced due diligence (EDD) refresh
Standard / medium risk                                           | Every 36 months       | Standard CDD re-verification
Low risk (salaried retail, simple products)                      | Every 60 months       | Simplified, often data-only refresh

The exam tests whether you can match cadence to risk. If a prompt says a low-risk retail customer is due for a five-year refresh but has had no risk change, a full EDD package is disproportionate; a data refresh is correct. If a customer was re-rated high last quarter, the old five-year clock no longer applies.

Perpetual KYC: event-driven, not date-driven

Under pKYC the institution maintains a live customer profile and re-reviews only when a meaningful change occurs. Three things change versus periodic refresh: review cadence becomes event-driven rather than date-driven, the underlying data is a continuously updated profile rather than a snapshot, and risk scoring becomes a dynamic recalculation rather than a static bucket. Mature pKYC programs report lower KYC maintenance costs and faster detection of customer changes than annual or multi-year cycles allow.

Trigger events force off-cycle review

Under either model, certain trigger events must force an immediate re-review regardless of where the customer sits in its cycle:

  • A new or changed beneficial owner crossing the 25% ownership threshold (the U.S. Customer Due Diligence Rule threshold).
  • A change of country of residence, incorporation, or principal operations into a higher-risk jurisdiction.
  • A name match on a sanctions, PEP, or adverse-media screen.
  • A transaction-monitoring alert or suspicious activity report (SAR) filing.
  • A change in product, channel, or expected activity that no longer matches the original profile.

Worked scenario

A medium-risk corporate is on a 36-month cycle, 8 months from its next refresh. Screening flags that a 40% shareholder has become a politically exposed person (PEP). The proportionate CAMS answer is not "wait for the scheduled refresh" and not "exit the relationship." It is: treat the PEP status as a trigger event, perform an off-cycle EDD review, document senior-management approval to continue the relationship, and re-rate the customer to high risk — which also shortens the future refresh cycle to annual.

Outreach, documentation, and exit

A refresh often requires customer outreach to obtain updated documents — refreshed beneficial-ownership certifications, identification, financials, or source-of-funds evidence. When a customer is unresponsive or refuses to provide required information, the institution cannot simply continue with stale data. The risk-based escalation path is to restrict activity, escalate internally, and ultimately consider de-risking (exit) if the institution can no longer satisfy its CDD obligations. Each step must be documented: what was requested, what was received, what decision was made, and who approved it.

Examiners frequently cite institutions whose files show overdue refreshes with no evidence of outreach or escalation.

Regulatory basis you should be able to cite

Ongoing CDD is not optional. FATF Recommendation 10 explicitly requires institutions to conduct ongoing due diligence on the business relationship and scrutinize transactions to ensure they remain consistent with the customer's profile, source of funds, and risk. In the United States, the FinCEN Customer Due Diligence (CDD) Rule (effective May 2018) made ongoing monitoring and the maintenance of current customer information a formal program pillar, alongside the requirement to identify and verify beneficial owners at the 25% ownership threshold and one controlling individual.

The exam may phrase a question as "what does the institution owe an existing customer over time" — the answer is ongoing monitoring and keeping information current, not a one-time onboarding check.

How refresh feeds the wider program

Periodic refresh and pKYC are not isolated controls — they feed the customer risk rating, which in turn drives screening frequency, transaction-monitoring thresholds, and the depth of any enhanced due diligence. A refresh that re-rates a customer from medium to high should propagate downstream: more frequent screening, tighter monitoring scenarios, and EDD documentation. CAMS scenarios reward candidates who see refresh as the engine that keeps the whole risk picture current rather than a standalone administrative task.

The governing principle throughout is proportionality: the intensity of review should match the assessed risk, with senior-management visibility reserved for the highest-risk relationships and material trigger events.

Common traps

  • Treating refresh as a calendar checkbox while ignoring trigger events between cycles.
  • Applying one frequency to all customers regardless of risk — this fails the risk-based standard.
  • Confusing pKYC with simply screening more often; pKYC means re-scoring and re-reviewing, not just alerting.
  • Exiting customers on the first adverse signal rather than performing documented EDD and a risk-based decision.
  • Continuing on stale data when a customer is unresponsive instead of restricting activity and escalating.

Test Your Knowledge

A standard-risk corporate customer is on a 36-month refresh cycle and is eight months from its next scheduled review. Screening identifies that a 40% shareholder has just become a politically exposed person. What is the most appropriate action?

Test Your Knowledge

Which statement best distinguishes perpetual KYC (pKYC) from traditional periodic refresh?
