The End of the Periodic Review: How Perpetual KYC Has Become the 2026 Default for Customer Due Diligence
- TrustSphere Network

- Jun 1

The periodic customer review — the calendar-driven exercise in which a financial institution refreshes KYC and risk data on a low, medium or high cadence regardless of what is actually happening in the customer's life — has been the regulatory baseline of AML compliance for two decades. In 2026 it is being quietly retired. Supervisors across the major jurisdictions have moved from tolerating "perpetual KYC" as an innovation to expecting it as the default for any institution at scale, and the operating model around customer due diligence is shifting from a scheduled file-refresh exercise to an event-driven, continuous risk view.
What is new in 2026 is not the technology — the building blocks of perpetual KYC have existed for years — but the supervisory direction and the operational pressure converging on the legacy model. The cost of running periodic reviews has continued to escalate alongside customer volumes, the quality of the resulting data has been openly questioned by regulators and FIUs, and the gap between "what we knew about the customer at last review" and "what is true today" has been exploited often enough that the periodic model now reads as a control weakness rather than a control. The 2026 question is no longer whether to move to perpetual KYC, but how to sequence the migration and how to demonstrate it to the supervisor.
For TrustSphere clients on the AML and financial-crime side, the implication is that the operating model and the technology stack of CDD need to be re-engineered around event-driven trigger architecture, real-time data quality, and a continuously instrumented customer risk profile. The institutions that have already done this work are seeing materially lower remediation costs, sharper transaction-monitoring outcomes and a noticeably better supervisory experience; the institutions that have not are spending heavily to defend an outcome the regulator no longer considers fit for purpose.
Regulatory and Market Context
The European Banking Authority's revised guidelines on customer due diligence and the upcoming AMLA single-rulebook expectations both explicitly contemplate continuous, event-driven customer due diligence as the operating norm for in-scope obliged entities, and the FCA's financial-crime-systems-and-controls thematic work in 2025 and 2026 has repeatedly criticised the gap between scheduled reviews and current customer reality. FinCEN's continuing customer-due-diligence and beneficial-ownership rules in the United States, alongside the OCC's supervisory expectations, point in the same direction: due diligence that does not respond to material change in the customer is not adequate.
The wider market context has caught up. Major core-banking and onboarding platforms have built event-driven trigger frameworks into their 2026 releases, the global perpetual-KYC vendor landscape has matured from point solutions into end-to-end operating models, and the cost-benefit case has become unambiguous: large-bank deployments are reporting double-digit reductions in review-team headcount alongside materially better risk outcomes. The discussion in 2026 boardrooms has shifted from feasibility and ROI to migration sequencing, supervisory engagement and the design of the underlying customer-risk model that the new operating mode depends on.
What the Data Is Showing
TrustSphere's 2026 financial-crime operating-model benchmark across global tier-one and tier-two banks shows institutions that have completed a credible migration to perpetual KYC reporting meaningfully shorter remediation cycles on emerging customer risk events, materially lower review-team unit costs and a sharper hit-rate on transaction-monitoring alerts that draw on continuously refreshed customer-context features. The defining feature of the leading deployments is the integration of perpetual KYC with downstream financial-crime processes — TM, screening, EDD — rather than its operation as a standalone CDD modernisation.
Institutions still relying on periodic reviews show the inverse pattern: rising review backlogs, deteriorating data quality between refresh cycles, and a structural mismatch between the customer-risk model used in TM and the customer-risk model recorded in CDD. The supervisory consequence is increasingly visible. Several recent enforcement and supervisory actions across the EU and UK have specifically called out the gap between scheduled-review CDD and current customer reality, and the trajectory of expectations is unambiguous.
Implications for Financial Institutions
The control surface for customer due diligence in 2026 is the event-driven trigger framework and the continuously instrumented customer-risk profile, not the periodic review calendar. Institutions need to define a credible inventory of internal and external trigger events — sanctions and PEP-status changes, adverse media, beneficial-ownership changes, material transaction-monitoring outcomes, product and channel changes, geography changes — and engineer the operational response so that material change is reflected in the customer-risk profile and downstream decisions in near real time. Periodic review becomes an exception process for residual cases, not the default.
Strategically, the migration is as much an organisational redesign as a technology programme. Review-team operating models, EDD escalation pathways, supervisory-engagement plans and the metrics by which the financial-crime function is measured all need to be rebuilt around the continuous-risk-view operating mode. The institutions getting this right are treating perpetual KYC as a programme that re-engineers the entire CDD-to-TM-to-EDD value chain, not as a vendor swap, and are engaging supervisors early on the design rather than presenting the change as a finished deliverable.
Conclusion
Perpetual KYC is the 2026 default for customer due diligence, and the periodic-review-led operating model is in supervised retreat. The institutions winning against the rising cost and falling quality of legacy CDD are the ones who have re-engineered around an event-driven trigger architecture, integrated the continuously refreshed customer profile into downstream financial-crime processes, and rebuilt their operating model, supervisory engagement and metrics around a continuous-risk view. The defensible 2026 posture treats periodic review as an exception, not a default, and demonstrates the continuous model to the supervisor as evidence rather than aspiration.
Suggested Next Steps
- Define and document a credible inventory of internal and external trigger events — sanctions, PEP-status, adverse media, beneficial-ownership, transaction-monitoring outcomes, product and geography changes — and engineer the operational response so material change updates the customer-risk profile and downstream decisions in near real time.
- Integrate perpetual KYC outputs with transaction monitoring, sanctions and PEP screening, and EDD escalation pathways so the continuously refreshed customer profile is a first-class input to all downstream financial-crime processes rather than a parallel data store.
- Redesign the CDD operating model, review-team structure and financial-crime metrics around the continuous-risk view, and treat periodic review as a residual exception process rather than the default.
- Engage supervisors early on the perpetual-KYC migration design and run a documented internal validation of trigger coverage, response times and downstream impact, presenting the new model as evidence rather than aspiration.
Sources: European Banking Authority guidelines on customer due diligence (revised); Anti-Money Laundering Authority (AMLA) single rulebook provisions on ongoing due diligence; Financial Conduct Authority financial-crime systems-and-controls thematic findings (2025–2026); FinCEN customer due diligence rule and beneficial-ownership reporting expectations; OCC supervisory guidance on BSA/AML programs; Wolfsberg Group statements on perpetual KYC and ongoing due diligence; TrustSphere financial-crime operating-model benchmark (2026); TrustSphere Risk Index — April 2026.
TrustSphere Risk Index — Vendor Spotlight: Fenergo
Fenergo scored 64% in the April 2026 TrustSphere Risk Index in the Client Lifecycle Management & Perpetual KYC category, ranking in the top tier for end-to-end perpetual customer-due-diligence operating models in tier-one and tier-two banking.
The platform's 2026 release sharpened its focus on event-driven trigger frameworks across internal customer events, external data feeds and downstream financial-crime processes, with native integration into transaction-monitoring, sanctions and PEP screening, and EDD escalation pathways, and an instrumentation layer that lets a financial-crime function demonstrate continuous CDD to a supervisor as evidence rather than narrative.
For institutions building a defensible migration from periodic-review CDD to perpetual KYC, Fenergo's combination of trigger orchestration, integrated downstream workflow and supervisor-facing instrumentation is increasingly cited as a practical way to retire the scheduled-review operating model in a phased, demonstrable programme rather than a high-risk single-step swap.
TrustSphere helps financial institutions design and deploy intelligent fraud and financial crime detection solutions. Visit www.trustsphere.ai


