
Shatter the hourglass: strategies to implement ongoing due diligence

Replacing scheduled refresh risk management, ongoing due diligence uses natural touch points and monitoring to decide when to refresh.

In brief

  • Both companies and customers can benefit from ongoing due diligence programs that are less burdensome and costly.
  • By defining the right triggers and appropriate risk tolerance, companies can tailor their risk management programs to be a better fit.
  • Below are examples, benefits and concepts for consideration when designing and adopting ongoing due diligence programs.

Financial institutions should move now to adopt ongoing due diligence as the next wave of know-your-customer (KYC) refresh risk management. Ongoing due diligence refers to a risk-based approach, driven by risk events and triggers, for maintaining KYC information that replaces traditional scheduled periodic refresh. Ongoing due diligence uses natural client touch points and ongoing monitoring to determine when a refresh is necessary, and it targets refreshes on the triggering event rather than performing a full, administration-laden refresh. For most institutions, ongoing due diligence means a hybrid approach to refreshing customer files: trigger-based reviews for the bulk of the customer base, with scheduled reviews retained for customers representing the highest risk.

While this strategy is transformative, the underlying concepts are not new: monitoring for an elevated risk rating, an adverse media hit or new politically exposed person (PEP) exposure are common elements of refresh programs. Transformation will require investment in technology, data and people strategies; thoughtful leadership; and buy-in from multiple functions across operations, risk, compliance and audit. Transformation should be a “walk, don’t run” approach, with a focus on defining, enabling and proving a concept that is specific to each institution. Financial institutions that successfully move to an ongoing due diligence program will benefit from more effective risk management at lower cost: because KYC program costs are large, the resulting cost-saving opportunities are correspondingly large.

Executing scheduled periodic refresh programs is an onerous and constant challenge for most financial institutions. Given the large operational footprint and impact on customers, significant financial and operational resources are allocated to scheduled periodic refresh programs, many of which require direct customer outreach. Based on our experience supporting financial institutions and on industry feedback, nearly all scheduled reviews are administrative in nature and do not result in differentiated risk management activities: elevating a risk rating, determining a need to perform enhanced due diligence, spurring an unusual activity report filing, or terminating or exiting a customer relationship. Some financial institutions have expressed to EY that less than 0.1% of scheduled periodic reviews resulted in differentiated risk management. Additionally, refresh activities are frustrating for customers; they are typically asked multiple times for information or documentation, and the process can drag on for months. The employee experience is equally poor, and manual, cumbersome processes make it difficult for financial institutions to complete large refresh volumes on time.

Most refresh programs are not built to perform event-driven assessments of customer risk. The status quo is therefore a scheduled evaluation of all customer information, which spreads review effort evenly regardless of risk and so produces imbalanced risk management. The example below illustrates how a scheduled refresh fails to capitalize on an opportunity to customize risk management:

  • ABC Restaurant, LLC located in Charlotte, North Carolina
    • Product usage: 10-year term loan opened in 2019
    • No adverse media hits, PEP or sanctions exposure, or transaction monitoring alerts
    • Customer risk rating: low
    • Scheduled refresh in 2024
  • XYZ Restaurant, LLC located in Charlotte, North Carolina
    • Product usage: 10-year term loan, demand deposit account and cash vault all opened in 2019
    • No adverse media hits or PEP or sanctions exposure
    • Three transaction monitoring alerts reflecting material cash vault usage variances in 2020
    • Customer risk rating: medium
    • Scheduled refresh in 2022

Scheduled refresh programs differentiate the above customers in one way: timing. Both customers would receive a full refresh, but XYZ would be refreshed earlier and more frequently than ABC on the basis of its customer risk score. Customized risk management would instead differentiate their refreshes by (1) refreshing XYZ to review the customer’s increased cash vault usage and assess whether the nature and purpose of the account can still be reasonably understood and, if so, adjusted (e.g., did XYZ benefit from favorable food-critic reviews and enjoy a corresponding uptick in business, or is the observed activity atypical?) and (2) reducing refresh frequency for ABC until there is a reason to reassess the customer’s risk or KYC data (e.g., the customer requests to add an account signer and states that beneficial ownership has changed).

While the problem statements are widely understood, the question persists: Will regulators expect scheduled periodic refresh as part of a risk-based anti-money laundering (AML) program? Over the last several years, the Financial Crimes Enforcement Network (FinCEN) has acknowledged that ongoing due diligence can be an effective risk management model:

    • May 2018: The Customer Due Diligence Requirements for Financial Institutions rule (CDD Rule), finalized in 2016, reached its applicability date. It states that the requirement to update customer information is risk-based and occurs as a result of “normal monitoring.”¹
    • May 2019: FinCEN launched an “innovation hours” initiative to support financial institutions presenting innovative products, services and approaches designed to enhance anti-money laundering and counter-terrorist-financing efforts.²
    • August 2020: FinCEN, in consultation with the federal functional regulators, issued responses to three frequently asked questions regarding customer due diligence requirements. Among the responses: “There is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule. The requirement to update customer information is risk-based and occurs as a result of normal monitoring.”³
    • September 2020: A FinCEN Advance Notice of Proposed Rulemaking (ANPRM) sought “to modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”⁴

    Chapter 1

    Refresh program benefits

    Companies and customers can benefit from ongoing due diligence.

    Ongoing due diligence creates opportunities to advance risk management, enhance customer experience and right-size operating costs:

    Agile risk management 

    Ongoing due diligence supports an agile approach to risk management by refreshing specific aspects of a customer file during a customer interaction (e.g., product or service add) or when an event occurs demonstrating that the customer’s use of an account or a change in data should be reviewed to assess customer risk.

    Improved customer experience 

    From a customer’s perspective, scheduled refresh activities occur at random and are fraught with unclear requests that typically require multiple interactions to resolve. Leveraging ongoing due diligence to refresh the KYC information when the customer is already interacting with an employee or when there is an identifiable basis for refresh enables a customizable, natural and more efficient customer experience.

    Reduced operating costs

    Replacing the administrative task of fully refreshing every customer with ongoing due diligence reduces overall spend and frees budget to invest in smarter tools and systems and in methods that focus on higher-risk customers.

    Competitive advantage

    Tailored and less frequent customer outreach will differentiate early adopters from peer organizations.


    Chapter 2

    Defining a strategic vision

    Leaders should consider risk appetite, among other criteria, when designing due diligence programs.

    Ongoing due diligence solution design 

    An effective ongoing due diligence solution requires an ecosystem of technologies and data as opposed to a single out-of-the-box solution. This solution should address process changes, integrated systems, data clean up, third-party data sources and workflow to enable end-to-end performance built with the proper controls. An effective ongoing due diligence solution will require baseline technology focused on the following:

    Trusted data sources

    Implementing an ongoing due diligence framework requires a reliance on trusted data sources to identify changes to customer information, such as a name change or exchange delisting, which may vary in reliability depending on global footprint and customer types.

    Orchestration layer

    Integrated data feeds, trigger events and decisioning logic will need to connect to a case management tool that manages tailored journeys based upon an initial risk triage.

    Event hub

    As the orchestration layer connects the ecosystem of data sources, the event hub applies business-rule logic to determine whether a review is required and, if so, what level of review, based on the trigger event identified.


    Straight-through processing

    As a default mechanism, a sophisticated system will determine appropriate actions based on the trigger and attempt to resolve systematically through activities such as automated data sourcing and validation of updated customer information. Hands-on analyst intervention would occur only when straight-through processing rules do not resolve the trigger.

    Digitized customer experience

    Ongoing due diligence programs will need to be agile. Whether customer information is assessed as part of a new product or service or because of a risk event, the outreach process and customer experience should be enabled by digital portals that support a direct and interactive experience. This matters most for commercial banking and corporate and investment banking customers, where refresh outreach is often cross-border and involves several people within a single organization; a portal lets those contributions be collected and processed efficiently.

    The definition and monitoring of risk triggers will require integration with transaction monitoring or frontline monitoring programs assessing customer behavior. Leading firms should take this principle forward and continually assess segments of customers (e.g., charities, pawn shops, cash-intensive businesses) to understand irregular vs. expected activity within peer groups. These typology findings should inform additions or updates to risk triggers.
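The event hub, straight-through processing and monitoring-derived triggers described above can be expressed as a small rule engine. The following is an added example written for this page, not code from the article or from any EY product; the trigger names, product lists, the three-alert threshold and the two sample customers (modelled on the ABC and XYZ Restaurant example earlier) are assumptions.

```python
"""Added example (not from the original article): a minimal event hub that maps
a KYC trigger for a given customer to a review outcome, with straight-through
processing (STP) as the default and analyst review only when rules cannot
resolve the trigger. Trigger names, product lists, thresholds and the two
sample customers are assumptions modelled on the ABC/XYZ Restaurant example."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Review(Enum):
    NONE = "no action"                       # trigger recorded, nothing to do
    STP = "straight-through processing"      # auto-validate and close
    TARGETED = "targeted analyst review"     # review only what the trigger touched
    FULL = "full refresh"                    # complete file refresh / EDD


# Assumed configuration; a real program would tune these per customer segment.
CASH_INTENSIVE_PRODUCTS = {"cash vault", "night depository"}
TRUSTED_SOURCES = {"core banking", "company registry"}
TM_ALERT_THRESHOLD = 3   # alerts in trailing 12 months before a pattern is assumed


@dataclass
class Customer:
    name: str
    risk_rating: str                         # "low" | "medium" | "high"
    products: set = field(default_factory=set)
    tm_alerts_12m: int = 0                   # transaction-monitoring alerts, trailing 12 months
    sanctions_hit: bool = False


@dataclass
class Trigger:
    kind: str                                # e.g. "beneficial_owner_change"
    detail: dict = field(default_factory=dict)


def decide(c: Customer, t: Trigger) -> Review:
    """Event-hub rule logic: rules are evaluated in order, first match wins."""
    # 1. Sanctions or PEP exposure always drives a full refresh.
    if c.sanctions_hit or t.kind in {"sanctions_hit", "pep_identified"}:
        return Review.FULL
    # 2. Hybrid model: only the highest-risk customers keep a scheduled review.
    if t.kind == "scheduled_anniversary":
        return Review.FULL if c.risk_rating == "high" else Review.NONE
    # 3. Ownership changes and adverse media bear directly on the risk rating.
    if t.kind in {"beneficial_owner_change", "adverse_media"}:
        return Review.FULL if c.risk_rating == "high" else Review.TARGETED
    # 4. Monitoring alerts: targeted review once a pattern forms or risk is elevated.
    if t.kind == "tm_alert":
        if c.risk_rating != "low" or c.tm_alerts_12m + 1 >= TM_ALERT_THRESHOLD:
            return Review.TARGETED
        return Review.STP
    # 5. Product adds: a cash-intensive product changes nature and purpose of the relationship.
    if t.kind == "product_add":
        if t.detail.get("product") in CASH_INTENSIVE_PRODUCTS:
            return Review.TARGETED
        return Review.STP
    # 6. Static-data changes from a trusted source are validated automatically.
    if t.kind in {"name_change", "address_change"}:
        if t.detail.get("source") in TRUSTED_SOURCES:
            return Review.STP
        return Review.TARGETED
    return Review.NONE


def refresh_load(customers, events):
    """Tally outcomes for a trigger inventory and return which customers
    would actually be contacted (targeted or full review)."""
    by_name = {c.name: c for c in customers}
    outcomes = Counter()
    touched = set()
    for name, trigger in events:
        outcome = decide(by_name[name], trigger)
        outcomes[outcome] += 1
        if outcome in (Review.TARGETED, Review.FULL):
            touched.add(name)
    return outcomes, touched


# Constructed sample data modelled on the article's two restaurants.
ABC = Customer("ABC Restaurant, LLC", "low", {"term loan"})
XYZ = Customer("XYZ Restaurant, LLC", "medium",
               {"term loan", "demand deposit", "cash vault"}, tm_alerts_12m=2)
SAMPLE_EVENTS = [
    (ABC.name, Trigger("scheduled_anniversary")),
    (ABC.name, Trigger("address_change", {"source": "core banking"})),
    (ABC.name, Trigger("beneficial_owner_change")),
    (XYZ.name, Trigger("tm_alert", {"reason": "cash vault variance"})),
    (XYZ.name, Trigger("scheduled_anniversary")),
]

if __name__ == "__main__":
    for name, trig in SAMPLE_EVENTS:
        cust = ABC if name == ABC.name else XYZ
        print(f"{name:24} {trig.kind:26} -> {decide(cust, trig).value}")
    counts, contacted = refresh_load([ABC, XYZ], SAMPLE_EVENTS)
    print({k.value: v for k, v in counts.items()}, sorted(contacted))
```

Rule order matters: hard stops come first, the scheduled review retained only for high-risk customers next, and straight-through outcomes last, so an analyst sees only what the rules could not close. With the constructed events, ABC's anniversary produces no work, its address change closes automatically, and only the stated beneficial-ownership change and XYZ's cash-vault alert reach an analyst. refresh_load is the kind of sizing a program would run over a proposed trigger inventory to estimate how many customers would actually be contacted.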


    Chapter 3

    Beginning the journey

    Adopting ongoing due diligence will take time and organization.

    Transformation to ongoing due diligence will be a multi-quarter journey with significant complexity. Organizing around the below core concepts will support an ordered journey to ongoing due diligence:

    Assess current program and approach

    Evaluate opportunity to use a trigger-based approach by assessing effectiveness of the current scheduled refresh process. This evaluation should include current refresh risk management outcomes (e.g., frequency of risk-rating elevation) and the type and nature of updates being made (i.e., whether updates are frequently impacting risk-rating attributes or are administrative in nature). Additionally, financial institutions should identify any gaps in the overall AML and/or KYC program that would need to be addressed (e.g., ability to enable a full suite of triggers), the extent of current technology and data enablement to support a change to ongoing due diligence, and how a trigger-based approach aligns with risk appetite.

    Engage key stakeholders

    Regulators should be engaged to cultivate transparency and opportunity to receive constructive feedback while mitigating the risk of future findings during exams.

    Agree on customer segment mapping to trigger categories

     Analyze the customer population and confirm the categories of triggers to be applied to each customer segment. Once a baseline inventory of triggers is defined, assess the overall impact on refresh (i.e., how many customers would receive a touch point over one, two or three years based upon trigger events). Engaging compliance and audit for challenge, as appropriate, will support a clear enterprise vision.

    Select a pilot population

    Initial strategies should focus on a pilot/challenger model by identifying a lower-risk population of customers with a relatively static information and risk profile to test data and technology builds and the overall control framework.

    Review technology and integration impact

    Evaluate usage of third-party data and application programming interface (API) connectivity for the pilot population. Determine the simplified journeys required and size the effort to configure the KYC tool. Build the control framework, leveraging technology.

    Determine rollout and maintenance

    A broader rollout of an event-based approach could first support the smoothing of refresh populations by pulling forward scheduled refresh populations while later transitioning to a truly trigger-based refresh program, which will require periodic tuning and evaluation.


    Ongoing due diligence as part of a hybrid approach to refreshing customer files, using both trigger-based reviews and scheduled reviews for high-risk customers, shows an up-to-date, thorough risk management process.
