CLARITY - our library of practical, frank compliance information for regulated businesses

Ongoing Monitoring: are you missing a trick?

Ongoing monitoring is one of the areas the FSA most consistently finds lacking on review.

I don’t think it’s because it’s not generally being done, per se, although there are plenty of instances where it isn’t. I think it’s more about a lack of direction and momentum. There’s a misconception that the risk based approach starts and ends at client engagement, whereas in reality it should be a live consideration for the life cycle of the relationship. With my nerdy compliance hat on and in an ideal world, I’d like to see risk being considered every time there is client interaction.

Before you shout at your screen and roll your eyes, yes, I know this is not in any way realistic.

So, can we find a happy medium between nerdy compliance and commercial reality? I think we can, but it means setting out our stall in relation to what ongoing monitoring is, isn’t and should be. Let’s dive in.

Ongoing monitoring

Let’s take an academic approach here and look at what our regulator expects ongoing monitoring to be.

It is a continuous obligation that sits at the heart of the risk-based approach. It has three components that need to work together: keeping customer due diligence up to date, scrutinising transactions and activity for anything that looks inconsistent with what you know about the client, and screening against sanctions lists on an ongoing basis rather than just at onboarding.

The Handbook is clear that procedures and controls for ongoing monitoring must be risk-sensitive. That means higher-risk relationships warrant more frequent and more detailed attention, and lower-risk relationships can be reviewed less intensively, provided the approach is documented and defensible. It doesn’t mean lower-risk clients can be left indefinitely without any review at all.

Trigger events are also a feature of the ongoing monitoring requirement. A periodic review calendar is the backbone of any ongoing monitoring programme, but it should not be the only thing prompting you to look at a file. A change in ownership, a new instruction that sits outside the client's usual pattern, an adverse media hit, a shift in the client's jurisdiction profile: any of these should prompt a look, regardless of where you are in the review cycle.

Refreshing DD

Let’s look at what ongoing monitoring isn’t.

Emphatically, it’s not about updating that passport.

This is the most common failure I see in practice. A file review is not simply an exercise in blindly updating the client DD and rerunning a sanction check. Obviously, please do go ahead and make sure that the DD you have on file is fit for purpose. Just do it with a pragmatic assessment of the actual purpose the DD is there to achieve, aligned with the risk rating of the client and your last interactions with them. If, on assessment, you don’t feel that there is any need to renew what is there, document your thought process as part of the review. Only gather what is actually needed.

Ongoing monitoring approached as a document refresh exercise is a hollow activity that will not fulfil your regulatory obligations and will simply aggravate your clients. It satisfies the appearance of compliance without engaging with the purpose of it. And that distinction, between going through the motions and genuinely looking at a relationship in the round with an enquiring mind, is exactly what a reviewing officer will be assessing when they sit down with your files.

What ongoing monitoring should be

Ongoing monitoring, done correctly, should be a useful tool that does a lot of heavy lifting for your business. It should function as both regulatory and commercial protection and intelligence. It is a chance to layer knowledge, consolidate and build.

Think of it as sedimentary. Each review deposits something new onto what is already there. Over time, that accumulation of knowledge is what gives you a genuinely three-dimensional picture of a client and a relationship. A firm that approaches ongoing monitoring with that mindset will almost always produce better outcomes, for itself and for its clients, than one that treats each review as an isolated administrative task.

The overview factor here is incredibly powerful. When you have the opportunity to review the relationship in the round, you will have the opportunity and perspective to spot patterns and behaviours that might be missed when they crop up intermittently and seemingly in isolation when you are rushing to the next call or meeting.

Looking outward

The outward-facing dimension of ongoing monitoring is where most firms at least attempt to focus their attention, even if the execution falls short. The question you are asking is whether anything in the client's world has changed in a way that is relevant to the risk profile of the relationship.

Has the ownership or control structure shifted? Are the same people still involved, and in the same roles? Has the nature of the instruction evolved, either in scope or in the jurisdictions it touches? Has anything surfaced through adverse media searches, Google Alerts, or general awareness of the client's sector that adds texture to what you know? Has the client's jurisdiction profile changed, or has the risk weighting of a jurisdiction they were already connected to moved? Are you still providing the same services as when the relationship started?

Don’t be afraid to reassess your initial risk rating. They are not set in stone and changing a rating, either up or down, is not failure. A relationship that was appropriately rated standard risk at onboarding may look exactly the same after a thorough review. The point is that you looked, with an enquiring mind, and you can demonstrate that you did.

You should also be assessing your touch points with the client. Do you have enough interaction with them (bearing in mind their risk level) that you don’t need to employ other monitoring methods to ensure you are aware enough of their activities and financial flows? You may feel like you now have sufficient interaction to step down some monitoring strategies that were set in place when the client was new and an “unknown quantity”. Assess your level of comfort and cut your cloth accordingly. Make sure you document your reasoning.

Looking inward

This is the dimension that rarely gets thought about. You can (and should) employ ongoing monitoring as an internal tool, both positively and negatively.

Ongoing monitoring is not only about whether the client still passes muster from an AML perspective. It is also about whether the relationship still makes sense for the firm.

This is where that overview factor really starts to come in to play. Is this client straightforward to deal with, or do they consistently make it difficult to obtain information, instructions, or documentation? Is there a pattern of late payment, or of disputed fees? Is the firm being asked to stretch into services or structures that sit at the edge of its expertise, and is the relationship being retained because it genuinely works, or because nobody wants the awkward conversation about ending it?

These are legitimate business questions, but they are also relevant to risk. A client who is evasive about providing information is a client who is making it harder for the firm to meet its regulatory obligations. A relationship that is costing more to service than it generates, or that is pulling the firm into territory it is not well placed to navigate, is a relationship that carries risk beyond the purely financial.

It’s not just negative patterns that you can spot here. In the course of your dealings with the client over the period, are there patterns of interest or activity that, when looked at together, might suggest an up-selling opportunity? Can you cross sell? Equally, are you missing work because you don’t have a sector of expertise that, when you see a pattern of lost opportunity, might suggest that investing in training might pay dividends?

Inward-looking monitoring does not need to be a formal process sitting alongside the AML review, but can you afford to overlook it? The conclusions it produces could inform the overall assessment of whether a relationship continues to be one the firm should be in, or conversely, whether it is one that might be underdeveloped.

Chore or Asset

Ongoing monitoring is one of those compliance obligations that can feel like a chore or, done well, feel like an asset. The difference lies entirely in the mindset you bring to it. A reviewing officer looking at your files can tell within a fairly short space of time whether the process has been a genuine exercise in paying attention or a mechanical run through a checklist. So can you, if you're honest about it.