The rise of continuous KYC

KYC

Know Your Customer has operated as a series of fixed moments for a long time. Starting with verifying a customer at onboarding, reviewing them periodically, and intervening when something appears to have changed. But financial crime rarely unfolds according to scheduled review cycles. Corporate structures evolve overnight, sanctions lists shift daily, and customer risk profiles can change in an instant.

That disconnect is driving growing interest in continuous KYC. Rather than treating due diligence as a compliance checkpoint, financial institutions are increasingly exploring how technology can transform KYC into a living, data-driven process that monitors risk as it emerges. Advances in automation, real-time data integration and AI are making this transition increasingly achievable, promising stronger compliance while reducing unnecessary friction for legitimate customers. 

In part 1 of The Future of Trust: Rethinking KYC in a Digital Financial System, we jumped into why traditional KYC no longer works and the reasons why it may be hitting its limit in today’s world.

For the second article of this four-part series, we examine why traditional KYC is no longer sufficient for an increasingly dynamic risk landscape, and how continuous KYC is emerging as the next evolution in customer due diligence.

What continuous KYC looks like

What does continuous KYC look like in practice? Zurab Kotaria, co-founder and CEO of Identomat, believes continuous KYC means moving away from treating verification as a one-time onboarding event.

He added, “A customer may be legitimate when they join a platform, but their risk profile, business activity, ownership structure, sanctions exposure, or transaction behaviour can change over time.”

In practice, Kotaria states, continuous KYC combines periodic reviews with event-driven monitoring “Instead of asking every customer to repeat the same verification process at fixed intervals, firms should be able to identify meaningful changes and respond proportionately.”

This he adds can include a change in a businesses’ beneficial ownership, new adverse media, unusual transaction patterns, a sactions update or inconsistencies between a customer’s stated profile and their activity.

Scott Nice, CRO at Label, stresses that continuous KYC is often talked about as if it simply means reviewing customers more frequently. However, in practice, he believes it should be a much bigger shift than that.

“It is the move from static, point-in-time compliance to a more dynamic operating model where changes in customer risk are identified, assessed and acted on as they happen, or much closer to when they happen,” Nice said. “Traditional KYC has always carried a structural weakness: a customer is onboarded, reviewed on a periodic cycle, and then often left largely untouched unless a trigger event occurs. In a digital financial system, that model is becoming increasingly difficult to defend.”

Nice adds that continuous KYC in practice means connecting customer data, transactional activity, sanctions, behavioural data, ownership information, document changes, risk indicators and adverse media screening in a more joined up workflow.

Nice remarked, “It does not mean every minor change needs to create a full refresh. That would be operationally impossible and commercially damaging. The key is risk-based monitoring, where meaningful changes are identified, prioritised and routed into the right workflow with a clear audit trail. A change in ownership, a new jurisdictional exposure, a shift in transactional behaviour or a material adverse media event should not have to wait until the next scheduled review to be understood.”

The biggest change in the view of the Label CRO is that KYC becomes less of an onboarding exercise and more of a lifestyle discipline.

“Onboarding remains important, but risk does not stay fixed after the customer is approved. In many firms, the real risk accumulates after onboarding, when the customer’s behaviour, structure, products, activity or geography begins to change. Continuous KYC is about recognising that reality and building controls around it.”

The practical challenge here is not just technology, it also stretches to operating model design. “Continuous KYC requires better data quality, stronger workflow, clearer exception handling, and a more intelligent approach to prioritisation. Without that, it can quickly become another source of alert fatigue.”

Nice views the goal here should not be to create more work for compliance teams, but it should be to identify the changes that matter, cut the noise and give analysts enough context to make better decisions more quickly.

Tim Khamzin, CEO of Vivox AI, believes that continuous KYC is not about running identity checks more frequently, but it is about maintaining a dynamic view of customer risk by combining changes in ownership, corporate structure, sanctions exposure, adverse media, transactional behaviour and other risk signals into an ongoing assessment.

He said, “The challenge is no longer collecting more data. It is identifying which changes are material, responding proportionately and maintaining a clear rationale for every compliance decision. That changes the conversation from ‘How fast can we verify identity?’ to ‘How quickly can we detect meaningful change, explain it and evidence every decision?’”

Kevin McGuinness, global head of strategy at Napier AI, added that continuous KYC means moving away from static, point-in-time checks toward ongoing monitoring that reflects a customer’s real risk profile as it changes – triggered by behaviour, transactions or external data, not just a periodic review date.

He said, “AI can genuinely improve this by spotting relevant changes faster and reducing noise from manual re-screening, but it introduces new risks around explainability and over-reliance on model outputs.”

Continuous KYC marks a shift away from compliance driven by the calendar and towards compliance driven by risk. Rather than relying on scheduled reviews, institutions are increasingly looking to identify changes in customer risk as they happen, allowing due diligence to become a continuous process rather than a periodic exercise.

Jason Palleschi, director of solutions marketing, financial crimes risk management at Quantifind, says this shift is gathering momentum across the industry. Reflecting on a recent Quantifind roundtable with senior compliance leaders from banking, payments, insurance and consulting, he says “one theme emerged consistently: the traditional refresh cycle is no longer sufficient.” While customer risk can change overnight, many KYC programmes still depend on refresh cycles that take place annually, or even less frequently.

“In practice, continuous KYC means moving beyond fixed refresh cycles and toward continuous monitoring that triggers reviews when meaningful risk changes occur,” Palleschi explains. Instead of reassessing every customer on a fixed timetable, firms monitor changes in ownership, sanctions exposure, adverse media, network relationships and other indicators that could materially alter a customer’s risk profile.

AI and entity resolution are central to making this practical, helping firms separate “routine changes from meaningful risk events” so compliance teams focus where risk has genuinely evolved. As participants at the roundtable noted, “the goal is not to create more reviews, but to create more relevant reviews by separating noise from material risk.” In short, “the goal isn’t to review everything continuously. It’s to continuously identify what matters.”

Despite growing consensus, Palleschi believes most firms are still on the journey. The biggest hurdles are not necessarily AI” but fragmented data, legacy systems, disconnected workflows and governance challenges.

Even so, he argues that “real-time compliance is no longer a theoretical future state. The transition is already underway.” The institutions that move fastest, he concludes, will be those able to combine “trusted data, explainable AI, and operational workflows into a single decision-making process”, underpinned by strong governance and a clear strategy for turning continuous intelligence into action.

For Comply Exchange, continuous KYC is about replacing periodic reviews with a model of ongoing monitoring that keeps customer risk assessments up to date in real time.

Rather than reviewing customers at fixed intervals, organisations maintain what the company describes as “a live picture” of their customer base by connecting to real-time data sources, including sanctions feeds, adverse media, corporate registry updates and transaction behaviour signals. “When something changes, it triggers a review automatically. There’s no waiting for the calendar.”

The result is a more targeted approach to compliance. Instead of repeatedly conducting routine rechecks, compliance teams can focus their attention on customers whose risk profiles have genuinely changed, significantly reducing the gap between a material event occurring and the organisation becoming aware of it.

According to Comply Exchange, the implications extend beyond operational efficiency. “This shift changes more than the process. It changes the role of the compliance function itself,” moving compliance away from periodic administration and towards continuous, risk-led oversight.

Can AI improve KYC?

Is AI able to improve KYC without creating new risks? For Kotaria, he believes AI can improve KYC substantially, particularly by helping compliance teams process large volumes of information, identify anomalies, prioritise higher-risk cases, and reduce repetitive manual work.

He added, however, that it should not become a black box that makes high impact compliance decisions without transparency or accountability.

Kotaria explained, “The most effective use of AI is to support human judgement rather than replace it entirely. Firms need clear governance around data quality, model monitoring, explainability, bias testing, and escalation processes. An AI system may help identify which cases require attention, but there must still be a clear and auditable rationale behind the final decision.”

Khamzin says that AI has a role to play, but he believes regulators are unlikely to reward automation alone.

“They’ll reward explainability, governance and operational consistency. As AI becomes embedded in compliance operations, firms will increasingly be expected to demonstrate not only what decisions were made, but how they were reached, what evidence supported them and where human oversight was applied,” said the Vivox AI CEO.

“The winners won’t be the firms with the most AI. They’ll be the firms that can show, at any moment, why they trust a customer, adapt when that risk changes and produce an audit trail that regulators can readily follow.”

Khamzin’s final opinion here is that the debate is no longer whether firms should move to continuous KYC. He explained, “The regulatory direction has already been set. With the EU’s new AML framework, AMLA and the single rulebook are raising the bar from periodic customer reviews to consistently demonstrating that firms understand customer risk as it evolves, not just at onboarding.”

AI has the potential to transform KYC, but its success will depend less on the sophistication of the models than on the strength of the governance surrounding them. According to Nice, AI delivers the greatest value when it enhances compliance processes rather than attempts to replace them.

Nice argues that KYC teams are still burdened by fragmented systems, inconsistent documentation, manual reviews and duplicated effort, leaving analysts to interpret large volumes of information under significant time pressure. AI can ease that burden by summarising information, extracting data from documents, identifying inconsistencies, prioritising cases and detecting anomalies, enabling analysts to understand customer risk more quickly.

Its real value, however, lies in helping firms move “from static review to contextual review”. Nice explains that AI can identify whether changes in customer behaviour are genuinely unusual, highlight inconsistencies in ownership information, detect conflicting documentation and connect disparate data points that might otherwise be overlooked. Used effectively, he says, it makes KYC “more accurate and more responsive.”

Yet Nice is equally clear that AI introduces new risks if it is treated as a substitute for governance or human judgement. “KYC decisions need to be explainable, challengeable and evidenced,” he says.

Where AI contributes to a risk rating, escalation or customer decision, firms must understand how the output was generated, what data informed it and who remains accountable. “Automation does not change who is accountable, it changes how accountability must be designed, governed and evidenced.”

Ultimately, Nice believes the greatest threat is not AI itself, but poor foundations. “The biggest risk is AI operating on poor data inside weak processes,” he says. Incomplete or inconsistent customer data can simply accelerate flawed decision-making, while poorly governed models risk introducing bias, false confidence and decisions that cannot be reconstructed.

The firms that realise AI’s full potential, he concludes, will be those that use it to strengthen human judgement, improve workflows and enhance the evidence underpinning every compliance decision, rather than removing people from the process altogether.

Comply Exchange believes AI has the potential to significantly strengthen KYC, particularly by helping compliance teams cope with the growing volume and complexity of customer data. Rather than replacing human analysts, the technology is proving most valuable when used to accelerate and enhance their decision-making.

According to the company, AI can process vast quantities of unstructured data far faster than any manual team, identify patterns across customer portfolios that might otherwise go unnoticed and surface adverse media or behavioural signals that traditional rule-based systems are likely to miss. These capabilities are particularly valuable for a compliance function that has long struggled with data overload.

However, Comply Exchange stresses that the risks are just as real. AI models trained on historical datasets can inherit existing biases, while automated decisions made at scale are often more difficult to explain to regulators than manually documented reviews. The company also warns that the greater an organisation’s reliance on AI without appropriate human oversight, the greater the risk that errors go undetected and quietly proliferate.

The firms seeing the strongest results, Comply Exchange argues, are not those that have “handed KYC to an algorithm”, but those that have embedded AI within a robust governance framework.

In these organisations, AI-generated outputs are reviewed, decisions are documented and compliance teams retain clear accountability. Ultimately, the company believes AI can substantially improve KYC, but only when the governance framework surrounding it is every bit as rigorous as the model itself.

Palleschi, meanwhile, believes that AI is quickly becoming indispensable to modern KYC. As customer bases expand and risk signals multiply, he argues that manual processes alone are no longer capable of monitoring millions of customers effectively.

Palleschi says technologies such as AI, entity resolution and network analysis are increasingly essential for uncovering hidden relationships, prioritising risk, reducing false positives and accelerating investigations. However, he emphasises that success depends on how the technology is deployed. “The key is deploying AI in a way that increases transparency rather than reducing it.”

According to Palleschi, the strongest implementations use AI to resolve entities, prioritise alerts, uncover hidden relationships and summarise customer risk, while maintaining “clear evidence, audit trails, and human oversight.” Based on Quantifind’s experience, institutions achieve the best outcomes when “AI augments analyst judgment rather than attempts to replace it.”

With robust governance, explainability and human-in-the-loop controls, Palleschi believes AI can strengthen both risk detection and operational efficiency without introducing unacceptable new risks. Indeed, he says many compliance leaders are beginning to view AI “not as a source of additional risk, but as an important tool for managing risk at scale.”

Real-time compliance: Are firms ready?

A million-dollar question for many as whether companies are ready for real-time compliance.

The answer to this question for McGuinness is partially. “The appetite is there, but many are still constrained by legacy infrastructure and data quality issues that need solving before real-time becomes reliable rather than just fast. What rarely gets said out loud is that bolt-ons and overlay approaches don’t modernise AML operations.”

He explained that if rule changes still take months, latency still prevents real‑time decisions, and upgrades remain annual events rather than continuous improvements, the core problem hasn’t been solved. It’s just been disguised.

“Configurable, risk-based approaches are fundamental to real-time screening to manage capacity and consumption. Blanket screening every customer and transaction in real-time against every list regardless of sanctions versus PEPs would be incredibly inefficient,” concluded McGuinness.

Comply Exchange believes also that this is not fully the case, but that the gap is closing.

The firm said, “Real-time compliance operations require more than good technology. They require clean, structured, accessible data. They require integration between systems that have historically operated in silos. They require compliance teams with the skills and capacity to act on live alerts rather than batch reviews. And they require a regulatory environment that accommodates the shift.”

Many organizations are still working through the foundational steps, believes the firm, and legacy infrastructure makes real-time data feeds difficult to ingest cleanly. “Alert volumes from continuous monitoring can overwhelm teams who aren’t resourced or structured to handle them. Without the right workflows in place, real-time monitoring can create noise rather than clarity,” said Comply Exchange.

Label’s Nice is firm in the thought that most firms are not fully ready for real-time compliance operations, although many are moving in that direction.

He explained, “The ambition is clearly there. Financial institutions want faster onboarding, better customer experience, more responsive risk detection and more efficient compliance teams. The issue is that real-time compliance depends on foundations that many firms are still trying to fix.”

Real-time compliance requires clean data, integrated systems, clear ownership of decisions, well-designed workflows and the ability to act on information quickly.

In the view of Nice, many institution’s foundations in this area remain fragmented. “ Customer data may sit across multiple systems. Risk information may be interpreted differently by different teams. Reviews may still rely heavily on manual processes, spreadsheets, email approvals and institutional knowledge. In that environment, real-time compliance can become more of an aspiration than an operating reality.”

Additionally lies the control question. Real-time does not always mean instant approval or automatic action in every case. In regulated environments, he outlines, speed still has to be balanced with accountability.

He added, “Firms need to understand what can be automated, what should be escalated, and where human review is still required. A real-time model without proper controls can create just as much risk as a slow manual model.”

Nice concluded, “The firms that are closest to being ready are those that have already invested in data architecture, workflow automation, API-based integration, monitoring and clear governance. They are not just digitising old processes. They are redesigning compliance around better information flows and clearer decision-making. That is where the market needs to go. Real-time compliance will not be achieved by adding a new interface to an old operating model. It requires a more connected, evidence-led and risk-based way of running compliance.”

Palleschi’s view here is that whilst most firms recognize that compliance must become more continuous and intelligence-driven, few have fully reached that state.

He said, “The biggest obstacles are not necessarily AI. They’re fragmented data, legacy systems, disconnected workflows, and governance challenges. At Quantifind, we see many institutions making meaningful progress by investing in data modernization, entity resolution, workflow automation, and AI-assisted risk monitoring. The industry is increasingly focused on how to operationalize continuous monitoring, even as firms continue to debate the pace and scope of adoption.”

Palleschi concluded with the idea that real-time compliance is no longer a theoretical future state, the transition is already underway, and the institutions that move fastest will be those that can combine trusted data, explainable AI, and operational workflows into a single decision-making process.

He finished, “As we heard repeatedly from industry participants, success will depend not only on technology, but also on strong governance, cross-functional alignment, and a clear strategy for turning continuous intelligence into action.”

Finally, Kotaria is succinct – many firms are moving in this direction, but readiness for real-time compliance still varies widely.

He detailed, “In our experience, the biggest challenge is not necessarily the lack of technology. It is making sure that identity data, AML screening, ownership information, and monitoring processes are connected in a way that gives compliance teams a clear picture of risk as it changes.”

Read the daily RegTech news

Copyright © 2026 RegTech Analyst

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research

Investors

The following investor(s) were tagged in this article.