TL;DR: Perpetual KYC (pKYC) replaces scheduled periodic reviews with continuous, event-driven monitoring that updates customer risk profiles when something actually changes — a sanctions list addition, an ownership restructure, adverse media coverage. According to a Fenergo global survey, the average financial institution spends $72.9 million annually on KYC, with individual corporate client reviews costing between $2,000 and $2,500 each. Perpetual KYC reduces that burden by eliminating the cycle of reviewing unchanged profiles and concentrating resources on the customers whose risk has genuinely shifted.
What Perpetual KYC Means
Perpetual KYC is a continuous approach to customer due diligence that monitors and updates customer risk information in near real time, rather than relying on fixed review cycles. Traditional KYC operates on a calendar. A customer onboards, receives a risk rating, and then sits in a queue until their next periodic review — typically every one, three, or five years depending on the assigned risk tier. Between those reviews, the institution is effectively blind to changes in the customer's circumstances.
Perpetual KYC eliminates that gap. Instead of re-verifying every customer on a schedule, pKYC systems watch for material changes and trigger a review when something moves: a beneficial owner gets added to a sanctions list, a customer's registered address shifts to a high-risk jurisdiction, adverse media surfaces linking a director to fraud allegations, or a corporate restructuring changes the ownership chain. The review happens when the risk changes, not when the calendar says so.
The distinction matters operationally. Periodic KYC treats every customer in a risk tier the same way at the same interval, regardless of whether anything has changed. A low-risk retail customer whose profile has been static for three years gets the same mandatory review cycle as one whose transaction patterns shifted six months ago. Perpetual KYC allocates investigative effort based on actual risk signals, which means analysts spend their time on the profiles that need attention rather than confirming that nothing has changed on thousands of others.
How Periodic KYC Breaks Down

The periodic model was designed for an era when customer data changed slowly and the available monitoring tools could not operate continuously. That era is over, but the model persists — and its costs are compounding.
A Fenergo 2025 survey of 800 financial institutions found that the average annual KYC spend has reached $72.9 million per firm. In the UK, that figure climbs to $78.4 million. A significant driver of this cost is the periodic review cycle itself: over half of surveyed institutions reported spending between 61 and 150 days on a single KYC client review, with each review costing approximately $2,200 for a corporate customer.
Much of that spend is wasted on confirming the status quo. When an institution runs a three-year review on a corporate client and finds that nothing material has changed — same ownership structure, same business activities, same jurisdiction, clean screening results — the review consumed analyst time and system resources without reducing any risk. The institution paid $2,200 to learn what a continuous monitoring system could have confirmed passively.
The blind spots are equally costly. Between periodic reviews, material changes go undetected. A beneficial owner added to a sanctions list two months after a completed review will not be flagged until the next scheduled cycle — potentially years later. By then, the institution has been servicing a sanctioned party for months or years without knowing it. AML systems that depend on periodic snapshots cannot catch what happens between the snapshots.
Regulatory penalties reflect this gap. AML and KYC penalties totaled $4.6 billion globally in 2024, with the first half of 2025 seeing a 417% increase in penalties year-on-year. Regulators are not penalizing institutions for having imperfect data — they are penalizing them for maintaining systems that structurally cannot keep pace with risk.
The Mechanics of Event-Driven Monitoring
Perpetual KYC operates on triggers rather than timers. The system continuously ingests data from external sources — corporate registries, sanctions and PEP lists, adverse media feeds, beneficial ownership databases, credit bureaus, and transaction monitoring outputs — and compares incoming data against each customer's stored profile. When a material discrepancy appears, the system generates a case for review.
The triggers fall into several categories:
Each trigger does not necessarily mean the customer's risk has increased. A change of registered address might simply reflect a routine office move. A new director might be a standard board appointment. The pKYC system's value lies in surfacing these changes for assessment rather than letting them accumulate undetected until the next scheduled review. The compliance team evaluates whether the change is material and whether the customer's risk rating needs adjustment.
This is not the same as generating an alert for every data change. Effective pKYC implementations apply materiality thresholds and risk-based filtering to avoid drowning analysts in low-significance notifications. A minor shareholding change in a low-risk entity does not warrant the same response as a sanctions list match on a high-risk customer's UBO. The system must be calibrated to distinguish between noise and signal — which is where most implementations succeed or fail.
What It Takes to Implement pKYC
Moving from periodic to perpetual KYC is not a technology purchase. It is a structural change to how the compliance function operates, and the prerequisites run deeper than most institutions initially expect.
Data Infrastructure
Perpetual KYC requires a single, continuously updated view of each customer. Most institutions do not have this. Customer data sits in siloed systems — onboarding platforms, core banking, CRM tools, screening databases, case management systems — with no reliable mechanism for reconciliation. Before pKYC can work, the institution needs a customer data layer that consolidates these sources and maintains a canonical record.
External Data Feeds
Continuous monitoring requires continuous data. Corporate registry data needs to refresh at least daily. Sanctions and PEP lists need real-time or near-real-time updates. Adverse media feeds need automated ingestion with NLP-based relevance filtering to separate material coverage from noise. Each data source introduces its own latency, format, and reliability characteristics. Managing these feeds at scale is an engineering problem as much as a compliance one.
Risk Model Recalibration
Periodic review models assign risk tiers and define review frequencies. Perpetual KYC replaces this with dynamic risk scoring that updates continuously based on incoming data. The existing risk model may need significant rework — not just to incorporate new data points, but to define materiality thresholds for each trigger type, establish escalation criteria, and calibrate alert volumes to what the compliance team can actually process.
Process and Governance
The workflow changes substantially. Analysts shift from processing a queue of scheduled reviews to responding to triggered cases. Case prioritization logic, SLA definitions, escalation paths, and quality assurance processes all need redesign. The governance framework — who approves risk rating changes, what documentation is required, how decisions are audited — must be rebuilt around event-driven workflows rather than periodic cycles.
What Regulators Expect
No major regulatory framework mandates perpetual KYC by name. FATF Recommendation 10 requires ongoing due diligence and transaction scrutiny throughout the business relationship, but it does not prescribe a specific methodology. The requirement is outcomes-based: institutions must keep customer information current and ensure that their understanding of the customer's risk profile reflects reality.
Periodic reviews satisfy this requirement only if the review frequency is genuinely proportionate to the risk. A five-year review cycle for a high-risk customer in a jurisdiction where ownership structures change frequently does not meet the FATF standard, even though it technically constitutes "ongoing" due diligence. Regulators are increasingly explicit about this. The EU's Anti-Money Laundering Authority (AMLA) expects firms to align KYB screening frequency with real-time transaction monitoring cadences. The Reserve Bank of India's 2025 amendment to its KYC Master Direction strengthened expectations around ongoing monitoring and customer communication.
The regulatory trajectory points clearly toward continuous monitoring as the expected standard, even where it is not yet explicitly required. Institutions that implement pKYC now are building toward a regulatory expectation that is forming, not inventing one that does not exist.
Where Sphinx Fits
Sphinx's AI compliance agents operate as a continuous monitoring and review layer that slots into existing compliance infrastructure. When a pKYC trigger fires — a sanctions list update, an ownership change, adverse media — Sphinx agents can ingest the trigger event, pull relevant customer data from the same systems analysts use, run the necessary screening and verification checks, and produce an audit-ready case file through the Interpretable Agentic Framework. Every decision is documented with the reasoning that produced it, not just the outcome.
For the triggered reviews that require human judgment — a beneficial ownership change that alters the risk profile, adverse media that needs contextual assessment, a customer relationship that may need to be exited — Sphinx routes the case to the right analyst with evidence already assembled and preliminary analysis complete. The analyst applies judgment where it matters. The data collection that previously consumed most of the review time is already done.
Frequently Asked Questions
What is the difference between perpetual KYC and periodic KYC?
Periodic KYC reviews customer profiles on a fixed schedule — typically every one, three, or five years based on risk tier. Perpetual KYC (pKYC) monitors customer data continuously and triggers reviews only when something material changes, such as a sanctions list update, ownership restructuring, or adverse media hit. The shift is from calendar-driven compliance to event-driven risk management.
Does perpetual KYC eliminate the need for periodic reviews entirely?
Not necessarily. Most implementations retain a backstop periodic review at extended intervals — often annually for high-risk customers and every three to five years for lower-risk profiles — as a safety net to catch anything the event-driven system might miss. The periodic review becomes a secondary control rather than the primary mechanism for keeping customer data current.
What data sources does pKYC require?
Effective pKYC relies on continuous feeds from corporate registries (for ownership and director changes), sanctions and PEP lists (for screening updates), adverse media providers (for negative news), credit bureaus (for financial status changes), and the institution's own transaction monitoring system. The quality of pKYC is directly tied to the breadth and freshness of these data feeds.
Is perpetual KYC required by regulators?
No major regulatory framework mandates pKYC by name. FATF Recommendation 10 requires "ongoing due diligence" throughout the business relationship, and the EU's AMLA expects monitoring frequency to align with real-time transaction monitoring. The requirement is outcomes-based: customer information must be kept current. Perpetual KYC is the most reliable way to meet that standard, but the regulation prescribes the outcome, not the method.
How does perpetual KYC reduce compliance costs?
PwC estimates that medium-sized banks can achieve 60% to 80% cost savings by reducing manual intervention through pKYC implementation. The savings come from eliminating redundant reviews of unchanged profiles, concentrating analyst time on customers whose risk has actually shifted, and catching issues earlier — before they compound into regulatory exposure or enforcement action.

.png)







