
AML Monitoring Best Practices in 2026

Ongoing AML monitoring under FATF Recommendation 10. Triggers, frequency, registry refresh, sanctions re-screening, transaction monitoring rule design, and where most programmes fail.


TL;DR. Ongoing monitoring is not a separate obligation bolted onto customer due diligence. It is part of CDD itself, located within FATF Recommendation 10. Effective AML programmes run four distinct monitoring layers in parallel: transaction monitoring, sanctions list re-screening, customer file refresh (including registry and UBO change detection), and adverse media surveillance. The most common failure is treating the initial CDD file as a completed event rather than a living record. Everything downstream of that mistake compounds over time.

1. What “ongoing monitoring” actually means under FATF Rec 10

FATF Recommendation 10 sets out the CDD measures that financial institutions must apply. The fifth element, as stated in the FATF Methodology, is: “Conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds.”

The phrase “ongoing monitoring” is inside Recommendation 10, not in a separate recommendation. That matters because supervision, enforcement, and effectiveness assessments are conducted against Recommendation 10 as a whole. A programme that onboards well but monitors poorly fails Recommendation 10, not some supplementary obligation.

The FATF Methodology specifies that institutions must keep records current, review them when triggers arise, and apply monitoring intensity proportional to risk. The records obligation in FATF Recommendation 11 (five-year minimum retention) connects directly: an undocumented review effectively did not happen for supervisory purposes.

2. The four layers of AML monitoring

A complete monitoring programme runs four distinct activities, each with different data inputs, frequency logic, and failure modes.

Transaction monitoring watches the activity in the relationship after onboarding. It detects patterns inconsistent with the customer’s stated profile: unusual transaction values, unexpected counterparty geography, peer-group deviations, structuring patterns. Transaction monitoring operates continuously and generates alerts that require human review.

Sanctions list re-screening applies current sanctions lists to the customer population. OFAC updates the SDN list on an irregular basis, averaging several times per week. The EU Consolidated Financial Sanctions List and UK OFSI Consolidated List are updated with similar frequency. The UN Security Council Consolidated List is updated less often but remains the international baseline. Because list updates are unpredictable, a programme that screens only at onboarding has an exposure window between any designation date and the next scheduled review.

Customer file refresh covers the non-transaction elements of the CDD file: registered company details, directorship, ultimate beneficial ownership declarations, and regulatory authorisation status. These change for reasons unrelated to transactions. None generate a transaction alert.

Adverse media surveillance monitors public news and enforcement databases for negative coverage involving the customer, its directors, or its beneficial owners. Court judgments, regulator enforcement actions, and investigative journalism surface risk information that does not appear in registries or transaction flows. Where adverse media establishes higher risk, monitoring should escalate to enhanced due diligence intensity rather than continuing at standard cadence.

The four layers are not interchangeable. A programme that runs excellent transaction monitoring but never refreshes the customer file will miss the UBO who became a Politically Exposed Person after onboarding. A programme that re-screens sanctions daily but has no adverse media process will miss the enforcement action that preceded the designation.

3. Monitoring frequency: risk-based, not calendar-based

The FCA Financial Crime Guide (FCG 11) states clearly that “the frequency and intensity of monitoring should be proportionate to the risk posed by the customer.” The EBA AML/CFT Guidelines (EBA/GL/2021/02) and ESMA’s market integrity guidance take the same position: risk classification drives review cadence, not administrative convenience.

Indicative frequency by monitoring type and customer risk tier:

Monitoring type        | High risk                    | Medium risk     | Low risk
-----------------------|------------------------------|-----------------|-------------------------
Sanctions re-screening | Real-time or daily           | Weekly          | Weekly or at list update
Customer file refresh  | Annual                       | Every 2 years   | Every 3-5 years
UBO change detection   | Event-driven (registry diff) | Quarterly check | Annual check
Transaction monitoring | Continuous                   | Continuous      | Continuous
Adverse media          | Continuous or weekly         | Monthly         | Quarterly

“Event-driven” is a critical concept here. Rather than setting a calendar review date, an event-driven approach initiates a review when a specific trigger occurs: a registry filing showing a director change, a sanctions list update that matches a name variant, a transaction that breaches a rule threshold, or a media alert. Event-driven reviews concentrate effort where change has actually occurred.

4. Registry refresh as the under-built monitoring layer

Most AML programmes invest in transaction monitoring systems and sanctions screening engines. Registry refresh receives less investment, and it shows in enforcement outcomes.

Companies change. A corporate customer active at onboarding may have changed its directors, restructured its ownership, moved to a higher-risk jurisdiction, or been struck off. None of these changes generate a transaction. If the programme refreshes registry data only on an annual calendar cycle, there is a window of up to twelve months during which the file describes a legal entity that no longer exists in the form described.

UBO changes are the highest-stakes gap. When a beneficial owner changes above or below the relevant threshold, or acquires PEP status, the customer’s risk classification may change entirely. Registry-based UBO registers file changes on event dates (the UK PSC register at Companies House is one of the few publicly searchable examples; most jurisdictions restrict access). A programme that polls at fixed intervals will detect the change on average at the midpoint of the interval.

The practical mitigation is an event-driven trigger layered onto a calendar minimum. The calendar minimum provides a floor; the event-driven trigger provides earlier detection when a signal is available, such as a registry filing notification or a news alert naming the customer.
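The event-driven trigger described here, and the "event-driven" concept from section 3, can be illustrated with a small registry diff. The following is an added example and is not code from the article or from any registry provider: two constructed snapshots of one corporate customer's registry record are compared, CDD-relevant changes (status, jurisdiction, directors, owners crossing the beneficial-ownership threshold) become review triggers, and the next review falls due at the earlier of the trigger date and the risk tier's calendar floor. The 25% threshold, the snapshot contents and the names in them are assumptions; the calendar floors are taken from the frequency table above.

```python
"""Added example (not from the article): an event-driven registry diff layered
on the calendar floor from the frequency table above.

Two constructed snapshots of one corporate customer's registry record are
compared. CDD-relevant changes (company status, jurisdiction, directors, and
owners crossing the beneficial-ownership threshold) become review triggers.
The next review is due at the earlier of the trigger date and the risk tier's
calendar floor. The 25% threshold and the snapshot contents are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed beneficial-ownership threshold; the applicable figure is jurisdiction-specific.
UBO_THRESHOLD_PCT = 25.0

# Calendar floors by risk tier, taken from the article's indicative table.
FILE_REFRESH_FLOOR_DAYS = {"high": 365, "medium": 2 * 365, "low": 3 * 365}


@dataclass(frozen=True)
class RegistrySnapshot:
    as_of: date
    status: str            # e.g. "active", "struck off"
    jurisdiction: str      # country code of registration
    directors: frozenset   # director names as filed
    holdings: dict         # owner name -> % of shares or voting rights


def beneficial_owners(snapshot):
    """Owners at or above the threshold in this snapshot."""
    return {o for o, pct in snapshot.holdings.items() if pct >= UBO_THRESHOLD_PCT}


def diff_snapshots(old, new):
    """Return (event_type, detail) tuples for every CDD-relevant change."""
    events = []
    if old.status != new.status:
        events.append(("status_change", f"{old.status} -> {new.status}"))
    if old.jurisdiction != new.jurisdiction:
        events.append(("jurisdiction_change", f"{old.jurisdiction} -> {new.jurisdiction}"))
    for d in sorted(new.directors - old.directors):
        events.append(("director_appointed", d))
    for d in sorted(old.directors - new.directors):
        events.append(("director_resigned", d))
    old_ubo, new_ubo = beneficial_owners(old), beneficial_owners(new)
    for o in sorted(new_ubo - old_ubo):
        events.append(("ubo_added", f"{o} now holds {new.holdings[o]:.1f}%"))
    for o in sorted(old_ubo - new_ubo):
        events.append(("ubo_removed", f"{o} now holds {new.holdings.get(o, 0.0):.1f}%"))
    return events


def calendar_floor(last_review, risk_tier):
    """Latest acceptable review date for the tier if nothing changes."""
    return last_review + timedelta(days=FILE_REFRESH_FLOOR_DAYS[risk_tier])


def next_review_due(last_review, risk_tier, events, event_date):
    """Calendar floor by tier, brought forward to the event date if a trigger fired."""
    floor_due = calendar_floor(last_review, risk_tier)
    return min(floor_due, event_date) if events else floor_due


# Constructed snapshots: the same company as filed at onboarding and eleven months later.
ONBOARDING = RegistrySnapshot(
    as_of=date(2025, 3, 1), status="active", jurisdiction="GB",
    directors=frozenset({"A. Patel", "B. Novak"}),
    holdings={"HoldCo Ltd": 60.0, "C. Okafor": 20.0, "D. Lee": 20.0},
)
LATEST = RegistrySnapshot(
    as_of=date(2026, 2, 14), status="active", jurisdiction="GB",
    directors=frozenset({"A. Patel", "E. Ruiz"}),
    holdings={"HoldCo Ltd": 45.0, "C. Okafor": 35.0, "D. Lee": 20.0},
)


def run_example(risk_tier="medium"):
    """Diff the constructed snapshots and compute when the file review is due."""
    events = diff_snapshots(ONBOARDING, LATEST)
    due = next_review_due(ONBOARDING.as_of, risk_tier, events, LATEST.as_of)
    return events, due


if __name__ == "__main__":
    evs, due = run_example()
    for kind, detail in evs:
        print(f"{kind}: {detail}")
    print("review due:", due)
```

On the constructed data the diff surfaces a director change and an owner moving from 20% to 35%, so the medium-risk customer's review is brought forward from the two-year floor to the filing date. The same function with an empty event list returns the floor, which is the behaviour a calendar-only programme would show for every customer.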

Country-specific jurisdiction guides, such as the Global Business Due Diligence Guide and individual country guides for Singapore, describe where registry filing data lives by country and what change events are publicly accessible.

5. Transaction monitoring rule design in 2026

Transaction monitoring systems use three broad approaches, and most production systems use a combination.

Rule-based monitoring triggers alerts when transactions match defined criteria: amounts above a threshold, counterparty geography, peer-group deviations, structuring patterns. Rules are explicit, auditable, and explainable. Their limitation is that they are static: a rule calibrated for 2020 conditions will miss patterns that emerged in 2024.

Behaviour-based or anomaly-based monitoring uses statistical models to detect transactions that deviate from a customer’s established behaviour or from a peer group. These can identify novel patterns that no rule anticipated. The limitation is interpretability: a model that flags a transaction without specifying which features drove the alert creates documentation and escalation challenges. The FCA’s Discussion Paper DP5/22 and MAS’s Veritas initiative both emphasise explainability as a prerequisite for supervisory confidence in model-driven outputs.

Hybrid approaches use rules as scaffolding and models as overlays. A rule defines the population of interest; a model scores within that population by severity. The rule provides the audit trail; the model provides prioritisation.

Industry data consistently shows false-positive rates of 90-99% in legacy rule-only systems. An analyst reviewing 100 alerts may find one genuine suspicious case. Alert volume is not a proxy for effectiveness. The Wolfsberg Group’s Statement on Effectiveness (2018) argues that institutions should measure AML programme effectiveness by the quality of information provided to law enforcement, not by the number of alerts generated or SARs filed. The Basel Committee’s Sound Management guidance reinforces that calibration decisions must be documented and periodically reviewed.
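To make the hybrid design concrete, here is an added example (not code from the article or from any vendor system) of a rule layer that defines the population and a transparent scoring layer that ranks it. A constructed batch of one customer's transactions is run through three explicit rules (amount over a threshold, high-risk counterparty country, several payments just under the threshold within a few days); only rule-matched transactions are scored, and the score records each feature's contribution so the alert names its drivers. The thresholds, the placeholder country codes, the weights and the peer profile are all assumed values.

```python
"""Added example (not from the article): a hybrid transaction monitoring pass.

A constructed batch of one customer's transactions goes through explicit rules
(amount over a threshold, high-risk counterparty country, several payments
just under the threshold within a few days). Only rule-matched transactions
enter the scored population. The score is a transparent additive model that
records each feature's contribution, so every alert names its drivers.
Thresholds, the country list, weights and the peer profile are assumed values.
"""
from dataclasses import dataclass

# Assumed rule parameters.
AMOUNT_THRESHOLD = 10_000.0
STRUCTURING_BAND = (9_000.0, 9_999.99)   # just under the threshold
STRUCTURING_MIN_COUNT = 3                # payments in the band within the window
STRUCTURING_WINDOW_DAYS = 3
HIGH_RISK_COUNTRIES = {"XX", "YY"}       # placeholder codes, not real designations

# Assumed peer-group profile (mean and standard deviation of transaction size).
PEER_MEAN, PEER_SD = 2_000.0, 1_500.0


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    counterparty_country: str
    day: int   # day index within the batch


def in_band(t):
    return STRUCTURING_BAND[0] <= t.amount <= STRUCTURING_BAND[1]


def apply_rules(txns):
    """Rule layer: return {txn_id: [matched rule names]}; this defines the population."""
    hits = {}
    for t in txns:
        rules = []
        if t.amount >= AMOUNT_THRESHOLD:
            rules.append("amount_over_threshold")
        if t.counterparty_country in HIGH_RISK_COUNTRIES:
            rules.append("high_risk_geography")
        if in_band(t):
            window = [u for u in txns
                      if in_band(u) and abs(u.day - t.day) < STRUCTURING_WINDOW_DAYS]
            if len(window) >= STRUCTURING_MIN_COUNT:
                rules.append("structuring_pattern")
        if rules:
            hits[t.txn_id] = rules
    return hits


def score_population(txns, hits):
    """Model layer: additive score over the rule-matched population, drivers recorded."""
    alerts = []
    for t in txns:
        if t.txn_id not in hits:
            continue
        z = (t.amount - PEER_MEAN) / PEER_SD if PEER_SD else 0.0
        drivers = {
            # peer deviation contributes 0..50 points (z clipped to [0, 5], times 10)
            "peer_deviation": round(min(max(z, 0.0), 5.0) * 10, 1),
            "high_risk_geography": 30.0 if "high_risk_geography" in hits[t.txn_id] else 0.0,
            "structuring_pattern": 25.0 if "structuring_pattern" in hits[t.txn_id] else 0.0,
        }
        alerts.append({"txn_id": t.txn_id, "rules": hits[t.txn_id],
                       "score": round(sum(drivers.values()), 1), "drivers": drivers})
    # highest severity first; the analyst works the queue top-down
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed batch for one customer.
SAMPLE_TXNS = [
    Txn("T1", 1_500.0, "GB", 0),
    Txn("T2", 12_000.0, "GB", 1),
    Txn("T3", 9_500.0, "GB", 2),
    Txn("T4", 9_600.0, "GB", 3),
    Txn("T5", 9_700.0, "XX", 4),
    Txn("T6", 500.0, "XX", 5),
]


def run_example():
    hits = apply_rules(SAMPLE_TXNS)
    return score_population(SAMPLE_TXNS, hits)


if __name__ == "__main__":
    for a in run_example():
        print(a["txn_id"], a["score"], a["rules"], a["drivers"])
```

Because every alert carries both the rule names and the per-feature contributions, the analyst's write-up and any later supervisory review can see exactly why a transaction was prioritised, which is the explainability property the text describes. The weights and clipping are where tuning governance applies: each constant has an owner, and a change to it is a documented threshold change.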

6. Tuning and governance

A transaction monitoring system well-tuned at deployment will drift over time as customer behaviour patterns shift and new products change transaction profiles. Tuning governance is not optional.

Effective programmes establish a documented tuning cycle: quarterly review of alert closure and true-positive rates, with a full threshold review at least annually. Any threshold change requires documented rationale and sign-off at the MLRO level or equivalent.

The false-positive/false-negative tradeoff requires explicit management. Tightening thresholds risks missing genuine suspicious activity. Loosening them generates alert backlogs, which are themselves a compliance failure: alerts sitting unactioned for weeks or months are a recurring finding in FCA and FinCEN enforcement actions. Alert backlog is a regulatory risk independent of the underlying monitoring quality.

Management information (MI) to the board should cover: alert volumes and disposition rates, rule or model performance metrics, SAR filing rates, and any material incidents. The FCA’s Annual Financial Crime Survey collects sector-level data on these metrics; firms can benchmark their MI programme against it.

7. SAR filing as the output of monitoring

When monitoring generates reasonable grounds for suspicion, the institution has a reporting obligation. In the UK, this is a Suspicious Activity Report filed with the National Crime Agency (NCA) under POCA 2002. In the US, a SAR is filed with FinCEN under the Bank Secrecy Act. In Singapore, a Suspicious Transaction Report goes to STRO of the Commercial Affairs Department. India’s obligation runs to FIU-IND.

FATF Recommendations 20 through 23 set the international framework: Recommendation 20 requires reporting of suspicious transactions regardless of amount; Recommendation 21 provides safe harbour for good-faith reporting and prohibits tipping-off; Recommendations 22 and 23 extend obligations and supervision to designated non-financial businesses and professions.

The concept of defensive filing, submitting a SAR to create a paper trail rather than because there is genuine suspicion, is a known failure mode. Regulators in multiple jurisdictions have stated that SAR quality matters more than volume. A SAR containing clear, specific, and actionable intelligence is more valuable to law enforcement than five vague SARs filed to avoid liability. The NCA’s SAR quality guidance and FinCEN’s advisories both address this point.

Timing obligations are jurisdiction-specific. UK POCA requires reporting before completing a transaction where possible, or promptly after becoming aware. US BSA requires SAR filing within 30 days of initial detection, extendable to 60 days where no suspect has been identified.

8. Common AML monitoring failures regulators cite

Enforcement actions across the FCA, FinCEN, and MAS show the same failure modes recurring across institutions and time periods.

Stale customer files. Customers onboarded several years ago without a file review since are a recurring finding. Risk classification, UBO structure, and sanctions status may all have changed.

Threshold rules never re-tuned. A rule calibrated on 2018 volumes will behave incorrectly against 2026 transaction sizes. Inflation alone moves the effective coverage of a nominal threshold.

Sanctions screening not re-run after list updates. A customer designated last Tuesday still shows as clean in the programme’s records.

UBO changes missed. No registry refresh trigger was designed into the programme.

SAR backlog. Alerts sitting unreviewed for months are simultaneously a monitoring failure and a potential late-reporting exposure.

Insufficient MI to the board. Governance quality is assessed in both the FCA’s individual accountability framework and the FATF Effectiveness methodology.

9. What good looks like in 2026

Risk-tiered review cadence. High-risk customers get annual file reviews, event-driven re-screening, and continuous transaction monitoring. Low-risk customers get longer cycles, but the cycle exists and is documented.

Event-driven re-screening. The programme initiates a review when something changes: registry filings, sanctions list updates, adverse media alerts, transaction anomalies.

Tuning governance. A documented owner for each rule and model, a defined review cycle, and a record of every threshold change with rationale. No rule runs indefinitely without review.

Independent review. Internal audit tests the monitoring programme, and an external reviewer examines it at least once per multi-year audit cycle, covering both design adequacy and operational effectiveness.

Alert quality investment. Fewer, better-targeted alerts with higher true-positive rates and faster disposition times, producing higher-quality SARs when escalation is warranted. The Wolfsberg Group’s AML Principles probe whether a programme is designed to detect what it should detect, not whether it generates a sufficient number of reports.

10. FAQ

Is ongoing monitoring separate from CDD?

No. Ongoing monitoring is the fifth element of CDD under FATF Recommendation 10. A programme that treats initial CDD and ongoing monitoring as distinct work streams will under-resource monitoring because it is not visible as a discrete compliance requirement.

How often should you re-screen against sanctions lists?

For high-risk counterparties, real-time or daily batch screening is standard. For lower-risk populations, weekly batch screening is reasonable, provided screening is re-triggered on any list update. The key is that screening runs against the current list, not a stale snapshot.

Can transaction monitoring rules be machine-learning only?

In practice, supervisors in the UK (FCA DP5/22) and Singapore (MAS Veritas) expect explainability. A black-box model with no human-readable explanation creates difficulties in SAR documentation and regulatory examination. Hybrid approaches, where rules define populations and models score within them, are easier to govern.

What is a reasonable customer review cycle?

Annual for high-risk, two years for medium-risk, three to five years for low-risk, as a floor. Event-driven triggers sit on top of the calendar so that a material change initiates a review ahead of schedule.

How do you detect UBO changes between annual reviews?

Watch for new filings in the relevant corporate registry and trigger a UBO review when a filing occurs. Where registry notifications are not available, quarterly checks provide earlier detection than annual reviews. Customer notifications are supplementary, not a primary control.

What metrics show that monitoring is working?

Alert closure rate, time-to-closure, true-positive rate, SAR filing rate as a proportion of closed alerts, threshold change frequency with documented rationale, and the proportion of the customer book with a current file review.
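The metrics listed above, together with the backlog point from section 6, can be produced directly from an alert log. The following is an added example, not code from the article or from any case-management product: a constructed list of alert records is reduced to closure rate, median time-to-closure, true-positive rate, SAR filings as a proportion of closed alerts, and a count of open alerts older than an assumed 30-day backlog threshold.

```python
"""Added example (not from the article): monitoring MI computed from an alert log.

A constructed list of alert records is reduced to the metrics the FAQ lists:
closure rate, time-to-closure, true-positive rate, and SAR filings as a
proportion of closed alerts, plus an aged-backlog count because unactioned
alerts are themselves a finding. The 30-day backlog threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class AlertRecord:
    alert_id: str
    opened: date
    closed: Optional[date]        # None while the alert is still open
    disposition: Optional[str]    # "true_positive" / "false_positive"; None while open
    sar_filed: bool


def monitoring_mi(alerts, as_of, backlog_days=30):
    """Aggregate alert records into board-level MI as of a reporting date."""
    closed = [a for a in alerts if a.closed is not None]
    still_open = [a for a in alerts if a.closed is None]
    true_pos = [a for a in closed if a.disposition == "true_positive"]
    sars = [a for a in closed if a.sar_filed]
    aged = [a for a in still_open if (as_of - a.opened).days > backlog_days]
    return {
        "alerts": len(alerts),
        "closure_rate": round(len(closed) / len(alerts), 3) if alerts else 0.0,
        "median_days_to_close": median((a.closed - a.opened).days for a in closed) if closed else None,
        "true_positive_rate": round(len(true_pos) / len(closed), 3) if closed else None,
        "sar_rate_of_closed": round(len(sars) / len(closed), 3) if closed else None,
        "open_alerts": len(still_open),
        "aged_backlog": len(aged),
    }


# Constructed alert log for one reporting period.
SAMPLE_ALERTS = [
    AlertRecord("A1", date(2026, 3, 2), date(2026, 3, 5), "false_positive", False),
    AlertRecord("A2", date(2026, 3, 3), date(2026, 3, 20), "true_positive", True),
    AlertRecord("A3", date(2026, 3, 4), date(2026, 3, 6), "false_positive", False),
    AlertRecord("A4", date(2026, 3, 10), date(2026, 3, 18), "false_positive", False),
    AlertRecord("A5", date(2026, 3, 15), date(2026, 4, 1), "true_positive", True),
    AlertRecord("A6", date(2026, 3, 20), None, None, False),
    AlertRecord("A7", date(2026, 4, 10), None, None, False),
    AlertRecord("A8", date(2026, 3, 25), date(2026, 4, 2), "false_positive", False),
]
REPORT_DATE = date(2026, 4, 30)


def run_example():
    return monitoring_mi(SAMPLE_ALERTS, REPORT_DATE)


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

On the constructed log the true-positive rate among closed alerts is one in three, which is far above what the text reports for legacy rule-only systems and would itself be a prompt to check whether the rules are tuned too tightly. The single aged alert is the item a board pack should surface by name, since an unactioned alert is a late-reporting exposure regardless of how well the rest of the programme performs.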

When do alerts become SARs?

When the review of an alert establishes reasonable grounds to suspect that funds are proceeds of criminal activity or connected to terrorist financing. The threshold is suspicion, not proof. Closing an alert without filing should be documented with the reasons the suspicion threshold was not met.


Last verified: May 2026. Sources: FATF Recommendations 10, 11, 20-23 and FATF Methodology (2013, updated 2023); FCA Financial Crime Guide (FCG 11) and FCA Discussion Paper DP5/22 on AI in Financial Services; FinCEN Bank Secrecy Act SAR filing rules and FinCEN advisories; MAS Notice 626 (Prevention of Money Laundering) and MAS Veritas AI governance framework; Wolfsberg Group Statement on Effectiveness (2018) and Wolfsberg AML Principles for Correspondent Banking; Basel Committee on Banking Supervision, Sound Management of Risks Related to Money Laundering and Terrorist Financing (2020 revision).
