Banks don’t struggle with KYC because they cannot access data; the bigger failure is that customer risk stops evolving once the onboarding file is signed off.
According to Consilient, most institutions build an initial view of risk using relatively static attributes such as ownership structure, geography, industry and sector exposure, then use that snapshot to decide how intensive controls should be and how often a customer will be reviewed.
That approach also hard-codes assumptions. High-risk areas such as crypto may be placed on shorter cycles, while lower-risk corporate customers can sit on longer review schedules, even though the real-world risk attached to those customers can shift substantially between formal review points.
Recent enforcement action shows how exposed that model has become. In 2024, the $3bn penalty against TD Bank in the US grabbed attention, but the underlying message has been echoed elsewhere. In mid-2025, Swiss regulators penalised firms including Pictet and Julius Baer for due diligence failures linked to missed red flags that emerged well after onboarding.
The central problem is timing. Financial crime can change direction quickly, while customer risk understanding typically updates slowly. Under standard risk-based approaches, many low- to medium-risk corporate entities may only receive a full refresh every three to five years, a pace that assumes risk moves gradually when, in practice, it can change in weeks.
A business can look “clean” on paper and still be compromised shortly after onboarding, for example through a shelf-company acquisition. Transaction monitoring might raise alerts and an event-driven review might be triggered, yet the customer’s core risk rating often stays tied to the original onboarding assumptions. That creates a disconnect where suspicious activity is handled tactically, case by case, while the customer file continues to describe a low-risk entity.
Periodic reviews also come with a heavy operational cost. Research from Fenergo, cited in the piece, suggests a single corporate KYC review can take between 61 and 150 days, with investigators spending weeks chasing documentation and re-validating static attributes that may already be out of date by the time the review is completed.
Regulators, meanwhile, are moving from checking whether firms have controls to asking whether those controls actually work as risk evolves. FATF has pushed for more data-driven approaches that can respond to emerging risk, and the FCA has warned against static assessments that fail to reflect how a customer’s business changes over time. The expectation is increasingly that firms can show new information is absorbed into risk assessments, weightings evolve, and learning is not isolated in separate processes.
That pressure has helped drive interest in Perpetual KYC (pKYC), but there is a growing split in what pKYC means in practice. One route focuses on automating the traditional checks more frequently, running registry, sanctions and ownership validations daily or in near real time. Those controls are useful for catching identity drift, but they do not necessarily explain how risk is changing when behaviour shifts while the paperwork stays the same.
A more advanced route aims to continuously reassess customer risk at the customer level, using behavioural signals over time to update risk understanding, rather than simply confirming who the customer is. The goal is not more checks for their own sake, but a living risk profile that reflects what the customer is doing and whether that activity changes exposure.
This is where the fear of false positives resurfaces. Rules-based monitoring already generates large alert volumes, with Datos Insights often cited for the view that 90% to 95% of alerts do not result in suspicious activity. If continuous monitoring simply produces more alerts, it adds operational strain without improving decision-making and quickly leads to alert fatigue.
The alternative is learning-led risk assessment that focuses on improving signal quality and translating insight into better risk ratings, not just more noise. But dynamic customer understanding has historically hit a wall: context. Banks see only what happens inside their own institutions, while criminal networks operate across many.
Federated Learning is positioned as a way to close that gap without pooling customer data. The concept is to deploy a shared model inside each bank’s environment, let it learn from local transactional patterns, then share only model updates rather than sensitive information. The output is not a replacement for transaction monitoring or case management, but intelligence that can inform them, such as emerging typologies, shifting behavioural patterns and updated risk weightings.
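The two ideas above, a customer risk rating that moves with behaviour rather than with the onboarding file, and a shared model trained across banks that exchange only model updates, as one added example (this is illustrative code, not Consilient's product or anything from the article): two banks hold constructed behavioural rows, each trains a shared logistic-regression risk model locally, and a coordinator averages only the weight deltas (FedAvg). The feature names, rating thresholds and sample data are assumptions made for the example.

```python
import math

# Constructed per-bank training rows: behavioural features observed after onboarding
# [cash_ratio, new_counterparty_share, velocity_change], all scaled 0..1, plus a label
# (1 = activity later confirmed suspicious). Each list never leaves its own bank.
BANK_A = [([0.1, 0.1, 0.0], 0), ([0.2, 0.2, 0.1], 0), ([0.8, 0.7, 0.9], 1), ([0.9, 0.6, 0.8], 1)]
BANK_B = [([0.0, 0.2, 0.1], 0), ([0.3, 0.1, 0.2], 0), ([0.7, 0.9, 0.7], 1),
          ([0.6, 0.8, 0.9], 1), ([0.1, 0.0, 0.1], 0)]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict(weights, x):
    # weights[0] is the bias term; weights[1:] pair with the three features
    return sigmoid(weights[0] + sum(w * xi for w, xi in zip(weights[1:], x)))

def local_update(global_weights, rows, epochs=50, lr=0.5):
    """Bank side: SGD on local rows; return only the weight delta and the row count."""
    w = list(global_weights)
    for _ in range(epochs):
        for x, y in rows:
            err = predict(w, x) - y
            w[0] -= lr * err
            for i, xi in enumerate(x):
                w[i + 1] -= lr * err * xi
    return [wi - gi for wi, gi in zip(w, global_weights)], len(rows)

def federated_round(global_weights, updates):
    """Coordinator side (FedAvg): row-count weighted mean of the deltas; no raw rows seen."""
    total = sum(n for _, n in updates)
    return [g + sum(d[i] * n for d, n in updates) / total
            for i, g in enumerate(global_weights)]

def train_federated(banks, rounds=5):
    """Run several rounds; every bank starts each round from the same shared weights."""
    w = [0.0] * 4
    for _ in range(rounds):
        w = federated_round(w, [local_update(w, rows) for rows in banks])
    return w

def risk_band(weights, x):
    """Map the model score to a rating band (thresholds are illustrative assumptions)."""
    p = predict(weights, x)
    return "high" if p >= 0.7 else "medium" if p >= 0.3 else "low"

def rating_trajectory(weights, monthly_features):
    """Re-score one customer month by month from behaviour alone; the onboarding file is untouched."""
    return [risk_band(weights, x) for x in monthly_features]
```

Calling `rating_trajectory(train_federated([BANK_A, BANK_B]), [...])` with a customer whose monthly features drift from the low cluster to the high one yields a rating that climbs without any ownership, geography or sector attribute changing, which is the gap the article says calendar-driven reviews leave open.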
Done well, the human impact is not about replacing investigators, but redirecting them. Instead of spending months on calendar-driven refreshes and document collection, investigators can be engaged when behaviour indicates a genuine shift in risk trajectory, moving their work closer to analysis and prioritisation.
The business case follows from that shift. Dynamic pKYC can support more targeted, evidence-led customer exits, reducing reliance on blunt de-risking of whole sectors because reviews are too costly to sustain. It can also reduce unnecessary friction for low-risk customers by reserving outreach and disruption for moments when behaviour actually changes.
Periodic reviews were built for an era when customer files changed slowly and reassessment depended on manual effort. They still have a place, but they were never designed to carry the full weight of modern financial crime risk. pKYC, implemented as continuous, learning-led risk understanding and strengthened with privacy-preserving collaboration such as Federated Learning, is presented as a route to make EDD adapt at the same speed as the threats it is meant to manage.
Copyright © 2026 FinTech Global