Ongoing Monitoring. Continuous Compliance

You verified your customer's identity two years ago. Everything checked out. Clean documents. Legitimate business. No red flags.

But what about today? Are they still the same customer? Is their business still the same? Are their transactions still consistent with what you know about them?

That's where ongoing monitoring comes in. Because customer due diligence isn't a one-and-done checkbox. It's continuous.

What Is Ongoing Monitoring?

AUSTRAC calls it "ongoing customer due diligence" (OCDD). It means:

• Monitoring transactions throughout the business relationship
• Keeping customer information current (KYC updates)
• Re-assessing ML/TF risk when circumstances change
• Detecting suspicious activity as it happens, not just at onboarding

Think of it this way: Initial CDD is a snapshot. Ongoing monitoring is a movie. You're watching the customer relationship unfold over time, looking for changes that might indicate new risks.

Why Onboarding Isn't Enough

Criminals don't stay static. They adapt:

The Clean Start
Customer opens an account with legitimate funds. Small, normal transactions for six months. Builds trust. Then boom — suddenly moving $500,000 through the account. That's layering, and you'd miss it if you only looked at onboarding.

The Structure Change
Customer was an individual. Now they've transferred ownership to a shell company with offshore beneficial owners. Risk profile just changed dramatically.

The PEP Upgrade
Customer wasn't a politically exposed person when you onboarded them. Now they've been appointed to a senior government position. They're a PEP. You need enhanced due diligence going forward.

The Sanctions Hit
Customer was clean two years ago. Today they appear on a sanctions list. If you're not continuously screening, you've got a sanctioned party using your services.

Ongoing monitoring catches these changes. Onboarding alone doesn't.

What You're Monitoring For

Transaction Patterns

Look for activity that's inconsistent with what you know about the customer:

• Volume changes: Customer normally transacts $5,000 monthly. Suddenly it's $50,000 weekly.
• Type changes: Customer always deposits salary. Now they're receiving international wire transfers from high-risk jurisdictions.
• Timing changes: Customer's transactions used to be regular and predictable. Now they're sporadic and large.
• Counterparty changes: Customer used to pay suppliers. Now they're sending money to individuals in countries with weak AML regimes.

None of these are automatically suspicious. But they warrant inquiry. "Hey, we noticed your transaction patterns have changed. Can you explain why?"

Customer Information Updates

People move. Businesses change ownership. Beneficial owners shift. You need to keep your records current:

• Has their address changed?
• Has their employment or business changed?
• Have beneficial owners changed?
• Has their source of wealth changed?
• Are they still in the same line of business?

If your KYC information is out of date, you can't properly assess whether their current activity makes sense.

PEP Status

Political appointments happen. Family connections emerge. Someone who wasn't a PEP at onboarding might be one now. Continuous PEP screening catches this.

Sanctions Status

Sanctions lists update constantly. Someone clean yesterday might be sanctioned today. Daily or real-time sanctions screening is essential.

Adverse Media

News stories linking your customer to fraud, corruption, or crime. You might not have found anything at onboarding, but adverse media can emerge anytime.

How Often Do You Monitor?

There's no one-size-fits-all answer. It's risk-based:

Low-Risk Customers
- Review annually or biannually
- Basic transaction monitoring
- Update KYC when they contact you or at renewal

Medium-Risk Customers
- Review every 6-12 months
- Regular transaction monitoring with lower thresholds
- Periodic KYC updates and re-verification

High-Risk Customers
- Review quarterly or more frequently
- Enhanced transaction monitoring
- Frequent KYC updates
- Continuous PEP and sanctions screening

Your AML program should specify review frequencies based on risk categories. But the key principle: Higher risk = more frequent monitoring.

Transaction Monitoring Systems

Manual monitoring doesn't scale. If you've got hundreds or thousands of customers, you need automated transaction monitoring that:

Sets thresholds and rules
"Alert if any single transaction exceeds $50,000" or "Flag if monthly transaction volume increases by 300%"

Profiles customer behavior
Learns what's "normal" for each customer, then flags deviations

Detects patterns
Structuring (multiple transactions just under thresholds), rapid movement of funds (layering), unusual jurisdictions

Generates alerts for review
Doesn't file SMRs automatically. Generates alerts that compliance staff review to determine if they're genuinely suspicious

Documents the review
Records who reviewed the alert, when, and what they concluded

The KYC Refresh

Customer information goes stale. Ongoing monitoring includes refreshing your KYC:

Triggered Updates
Customer notifies you of an address change, new beneficial owner, business restructure — you update your records immediately.

Periodic Reviews
Even if nothing's changed, you reach out: "We're updating our records. Can you confirm your current address, employment, and beneficial owners?"

Transaction-Triggered Reviews
High-value or unusual transaction comes through. Before processing, you verify current information: "Is your source of funds still employment income? Has your financial situation changed?"

Re-Verification
For high-risk customers, you don't just ask them to confirm information. You re-verify it. Check their ID again. Confirm their address through utility bills. Verify beneficial ownership through corporate registries.

When to Escalate

Ongoing monitoring will surface issues. When do you escalate?

Escalate to Enhanced Due Diligence when:

• Customer's risk profile has increased (new PEP status, adverse media, high-risk jurisdictions)
• Transactions are inconsistent with their profile and they can't adequately explain why
• Customer becomes evasive when asked for information updates

File an SMR when:

• Transaction monitoring flags patterns consistent with ML/TF (structuring, layering)
• Customer appears on sanctions lists or has links to terrorism
• Customer can't or won't explain source of funds for unusual transactions
• Multiple red flags combine to create suspicion

Terminate the relationship when:

• Customer is sanctioned (you have no choice)
• Customer refuses to provide updated KYC information required for ongoing monitoring
• Risk is too high to manage even with ECDD
• Customer's activity clearly violates your risk appetite

Common Ongoing Monitoring Failures

Set and Forget
"We did CDD at onboarding. We're good." No. CDD is continuous. If you're not monitoring, you're not compliant.

Too Much Data, No Action
Transaction monitoring generates thousands of alerts. Compliance team is overwhelmed. Alerts pile up without review. That's worse than no monitoring — you've got evidence of suspicious activity and you're ignoring it.

Not Updating Risk Assessments
Customer was low-risk three years ago. Their business has changed, transaction volumes have increased 10x, but they're still in your low-risk category. Risk assessments need to update based on ongoing monitoring.

No Documentation
You reviewed a transaction alert and decided it wasn't suspicious. But there's no record of who reviewed it, when, or why they cleared it. AUSTRAC audit finds undocumented alerts. That's a breach.

Screening Only at Onboarding
PEP and sanctions screening happened two years ago. Lists have updated hundreds of times since. You're not screening continuously. You might have sanctioned parties or PEPs without knowing it.

Technology for Ongoing Monitoring

Effective ongoing monitoring requires systems that:

• Automate transaction monitoring — Rule-based and behavior-based detection
• Schedule periodic reviews — Alert compliance when customer reviews are due
• Continuous screening — Daily or real-time PEP and sanctions checks
• Adverse media monitoring — Automated news scanning for customer mentions
• Workflow management — Track who's reviewing what, ensure nothing falls through cracks
• Audit trails — Record every review, decision, and action for AUSTRAC compliance

Platforms like ARCaml provide ongoing monitoring capabilities — transaction alerts, periodic review scheduling, continuous screening, and documentation — so you're not manually tracking hundreds of customers.

Tranche 2: Ongoing Monitoring from Day One

If you're entering the AUSTRAC regime in July 2026, ongoing monitoring starts immediately. Not after you've onboarded customers. From day one.

Real estate agents: After you've facilitated a property sale, you're not done. If the buyer becomes a repeat customer, you monitor their subsequent transactions for consistency with their profile.

Accountants: Client you're managing a trust for? You monitor their use of that trust ongoing. Changes in beneficial ownership, unusual transactions, new risk factors — you're watching continuously.

Lawyers: Managing a client's trust account over months or years? Ongoing monitoring of that account's activity is mandatory.

You can't just onboard clients pre-July 2026 and assume they're grandfathered in. Ongoing monitoring applies to all customers, including those onboarded before obligations started.

The Bottom Line

Ongoing monitoring is where AML compliance gets real. Initial CDD is important, but it's ongoing monitoring that catches criminals who slip through, customers whose circumstances change, and emerging risks.

AUSTRAC's message is clear: Customer due diligence is continuous. You monitor throughout the relationship. You keep information current. You re-assess risk when things change.

Because the alternative — onboarding customers and never looking at them again — is how money launderers operate for years before anyone notices. And by then, millions have been laundered through your services.

Build ongoing monitoring into your processes from the start. Automate what you can. Document everything. And treat every customer relationship as an ongoing assessment, not a one-time checkbox.