What Is Perpetual KYB? The Complete Guide for Financial Institutions

Perpetual KYB — also called continuous KYB monitoring or ongoing customer due diligence — is the practice of monitoring approved corporate clients throughout the life of the relationship, not just at the point of onboarding. It replaces the traditional model of periodic review cycles with a continuous process that detects material changes as they occur.

The term is increasingly common in regulatory guidance and vendor marketing alike, but what it actually involves in practice — and what regulators specifically require — is less well understood. This guide covers the definition, the regulatory requirements, the events that trigger a review, and how to configure monitoring frequency effectively across a tiered client portfolio.

What perpetual KYB means in practice

Traditional KYB operates on a fixed review cycle. A business is onboarded, its file is opened, and it is scheduled for periodic review — annually for standard risk clients, more frequently for higher-risk ones. Between reviews, the file is largely static. If a director is sanctioned six months after onboarding, the institution may not learn about it until the next scheduled review — or until a regulator asks why action was not taken sooner.

Perpetual KYB changes the underlying model. Rather than reviewing files on a calendar, the platform monitors the data sources that matter — sanctions lists, company registries, adverse media, PEP datasets — continuously, and alerts the compliance team when something relevant changes for a client in their portfolio.

The practical difference is one of latency. A sanctions designation that would have been detected at the next annual review is detected within hours. A change in beneficial ownership that would have required the client to proactively notify the institution is flagged automatically when the registry record updates. Adverse media that would have been missed entirely is surfaced when it appears.

What regulators require

The regulatory basis for perpetual KYB sits in the ongoing customer due diligence requirements of the major AML frameworks.

FATF Recommendation 10 requires financial institutions to apply ongoing due diligence to business relationships, including scrutinising transactions and keeping customer documents and information up to date. The FATF Guidance on Beneficial Ownership, updated in 2023, specifically emphasises that institutions should have processes in place to detect changes in beneficial ownership and act on them promptly.

FCA Money Laundering Regulations (implementing the EU AMLD framework) require regulated firms to conduct ongoing monitoring of all business relationships on a risk-sensitive basis. The FCA's financial crime guidance makes clear that periodic review cycles are not, by themselves, sufficient if they do not detect material changes between reviews.

EU Anti-Money Laundering Regulation, applying directly from 2027, strengthens these requirements further, with explicit provisions on beneficial ownership verification and ongoing monitoring obligations that member states cannot dilute in national implementation.

For UK-regulated banks, the FCA has been increasingly specific in supervision and enforcement about what "ongoing monitoring" means. Firms relying solely on scheduled review cycles without any continuous detection capability face growing regulatory risk.

What triggers a perpetual KYB review

Perpetual KYB generates alerts when defined events occur for clients in the monitored portfolio. The events that should trigger a review fall into four main categories.

Sanctions list changes

Any addition of a client entity, a director, or a UBO to a sanctions list — OFAC, UN, EU, HM Treasury, or any other list relevant to the institution's jurisdictional footprint — should generate an immediate alert. The response timeline for a confirmed sanctions match is typically hours, not days. Continuous screening against updated lists is the only way to meet that obligation reliably.

This also applies to delistings. An entity removed from a sanctions list may have outstanding restrictions that apply during a wind-down period, or may represent a client whose risk profile has changed in a way that warrants review even in the absence of a current designation.

Beneficial ownership and director changes

Company registry updates — new director appointments, director resignations, changes in persons with significant control, changes in share structure — are material events that may require re-verification or updated risk assessment. A new UBO who appears on a PEP dataset, or a director who is a national of a jurisdiction that has recently been FATF grey-listed, changes the risk profile of the relationship.

In jurisdictions with reliable, timely registry APIs — the UK, most of the EU — these changes can be detected automatically as they are filed. The platform monitors the registry record for each client entity and alerts the compliance team when a relevant change appears.

Adverse media

Negative news coverage about a client entity, its directors, or its UBOs may indicate reputational risk, emerging regulatory action, or conduct that is relevant to the ongoing relationship. Perpetual KYB platforms monitor news sources and index adverse media against the client portfolio, surfacing relevant coverage for analyst review.

The challenge with adverse media monitoring is specificity: filtering genuine adverse media from irrelevant coverage with similar entity names. Effective platforms use entity disambiguation — matching news content against the specific combination of entity name, jurisdiction, and identifiers in the client record — rather than simple keyword matching.

Jurisdiction risk changes

FATF grey-listing and black-listing decisions, changes to the EU's high-risk third-country list, and updates to national regulatory assessments of specific jurisdictions affect the risk profile of clients registered or operating in those jurisdictions. A client whose jurisdiction of incorporation moves onto the FATF grey list requires a prompt review of the existing risk assessment and may trigger enhanced due diligence obligations.

Configuring monitoring frequency by risk tier

Effective perpetual KYB does not apply the same monitoring intensity to every client. A listed company in a low-risk jurisdiction with a simple ownership structure and a long, clean transaction history does not require daily sanctions screening; a private company in a higher-risk corridor with a complex ownership structure and recent adverse media does.

Risk-tiered monitoring works by assigning each client to a monitoring tier at onboarding — or dynamically, as their risk score changes — and applying different check frequencies and alert thresholds to each tier.

High-risk clients — those with elevated risk scores, FATF-relevant jurisdictions, PEP associations, or complex ownership structures — warrant the most frequent monitoring. Sanctions and PEP screening should run daily or on every list update. Registry checks should run weekly. Adverse media should be monitored continuously.

Standard-risk clients — the majority of a typical corporate portfolio — can be monitored at lower frequency without materially increasing risk exposure. Weekly sanctions screening, monthly registry checks, and ongoing adverse media monitoring is a defensible baseline for this tier, subject to the institution's own risk assessment.

Lower-risk clients — simple structures, well-known entities, long-established relationships with clean histories — may be monitored at monthly or quarterly intervals for most checks, with continuous sanctions screening maintained regardless of tier.

The monitoring schedule should be configurable without engineering involvement. Compliance policy on monitoring frequency will change as regulatory guidance evolves; the platform should allow compliance teams to update schedules directly.

Building the alert workflow

Continuous monitoring generates alerts. How those alerts are handled is as important as how they are generated.

Effective alert workflows include three components. First, triage: automated assessment of whether an alert represents a confirmed match, a probable match requiring analyst review, or a false positive that can be dismissed. Second, escalation: routing confirmed or probable matches to the appropriate analyst with full context — the specific change detected, the client record, and the relevant history. Third, documentation: a complete, timestamped record of every alert, the triage outcome, and the analyst action taken.

This documentation is not merely good practice. In an FCA examination of a firm's ongoing monitoring processes, the ability to demonstrate that alerts were generated promptly, reviewed in a timely manner, and resolved with appropriate action is the evidence that the process works. Institutions that cannot produce this record face the same risk as those with no monitoring at all: they cannot demonstrate compliance.

Perpetual KYB is not a product feature. It is a compliance obligation, and increasingly an examined one. The question for financial institutions is not whether to implement it, but whether their current approach — annual review cycles, manual checks, spreadsheet-based tracking — is adequate to meet that obligation under the regulatory expectations that now apply.