Ongoing monitoring is the backbone of any mature anti-money laundering program. Unlike onboarding checks, which capture a snapshot of a customer at a single point in time, ongoing monitoring treats that profile as a living record — one that must be continuously updated as transactions flow, businesses evolve, and global risk landscapes shift. Regulators worldwide have made ongoing monitoring a non-negotiable obligation precisely because most financial crime surfaces long after initial due diligence has been completed.
How Ongoing Monitoring Works
The process is cyclical, not linear. Each stage feeds information back into the customer's risk profile, keeping compliance data current and enabling increasingly accurate anomaly detection over time.
Establish a Baseline Risk Profile
At onboarding, customer due diligence assigns each customer a risk tier and documents expected transaction behavior — typical volumes, counterparties, geographies, and product usage. This baseline becomes the reference point against which all future activity is measured.
Screen Transactions in Real Time
Every transaction is checked against rule-based thresholds and machine-learning models as it occurs. Transaction monitoring systems flag activity that deviates from the baseline — structuring patterns, rapid fund movements, or transactions involving high-risk jurisdictions — for human review.
Run Continuous Sanctions and PEP Screening
Customer records are screened daily (or in real time) against sanctions screening lists, politically exposed persons (PEP) databases, and adverse media feeds. Any new match against a sanctions list triggers an immediate account freeze and compliance review, regardless of where the customer sits in their review cycle.
Investigate Alerts and Document Findings
Compliance analysts triage flagged alerts, gather context, and determine whether the activity is explainable or genuinely suspicious. Every decision — including decisions to dismiss an alert — must be documented with clear reasoning to satisfy regulatory examination requirements.
File Suspicious Activity Reports When Required
If an alert cannot be adequately explained, the institution must file a Suspicious Activity Report (SAR) with the relevant financial intelligence unit — FinCEN in the US, the NCA in the UK, or equivalent national bodies. SAR filing does not necessarily mean ending the customer relationship; that is a separate business decision.
Conduct Periodic Profile Reviews and Refresh Data
On a schedule determined by risk tier — typically every 6 months for high-risk, 1–2 years for standard — compliance teams formally refresh customer data: re-verify identity documents, update beneficial ownership information, reassess the risk rating, and confirm that the customer's activity still matches their stated business profile.
Why Ongoing Monitoring Matters
Regulators and financial intelligence units have made clear that onboarding checks alone are insufficient to combat financial crime. The evidence base for continuous oversight is substantial and growing.
The Financial Crimes Enforcement Network (FinCEN) received over 3.6 million Suspicious Activity Reports in fiscal year 2022, the vast majority of which were generated by ongoing transaction monitoring systems rather than manual review or onboarding-stage red flags. This volume underscores how much criminal activity only becomes visible over time through behavioral patterns. A 2023 LexisNexis Risk Solutions study estimated that the total cost of financial crime compliance for US financial firms has reached approximately $61 billion annually — a figure driven in large part by under-optimized monitoring systems generating excessive false positives. Firms that invest in risk-tiered, well-calibrated monitoring consistently report lower cost-per-alert ratios and faster investigation cycle times.
FATF's mutual evaluation reports consistently identify failures in ongoing monitoring — not failures at onboarding — as the primary gap in national AML frameworks. In the most recent round of evaluations, countries were frequently cited for weak transaction monitoring thresholds, infrequent customer profile refreshes, and poor documentation of alert disposition decisions. For individual businesses, these same gaps are what regulators target during examinations.
Regulatory Baseline
FATF Recommendation 10 explicitly requires financial institutions to conduct ongoing due diligence and scrutinize transactions throughout the customer relationship to ensure they are consistent with the institution's knowledge of the customer, their business, and risk profile.
Ongoing Monitoring vs. Customer Due Diligence
Ongoing monitoring and customer due diligence are complementary obligations that are often conflated. Understanding the distinction is critical for structuring your compliance program correctly.
| Dimension | Ongoing Monitoring | Customer Due Diligence |
|---|---|---|
| Timing | Continuous throughout the relationship | Point-in-time, primarily at onboarding |
| Primary trigger | Automated alerts, scheduled reviews, events | Account opening, product change, risk threshold |
| Scope | Transactions, behavior, profile drift | Identity verification, risk classification |
| Frequency | Real-time screening + periodic full reviews | Periodic refresh only |
| Key output | Alerts, SARs, updated risk scores | Verified customer profile and risk rating |
| Regulatory basis | FATF R.10, BSA, 6AMLD ongoing obligation | FATF R.10, FinCEN CDD Rule, AMLD4/5 |
| Who owns it | Compliance + operations (shared) | Compliance / KYC team |
The practical implication: CDD gives you a starting point; ongoing monitoring determines whether that starting point stays valid.
Types of Ongoing Monitoring
Ongoing monitoring is not a single activity — it encompasses several distinct but overlapping disciplines, each targeting different risk vectors.
Transaction monitoring is the most familiar form — automated rule engines and behavioral models analyzing payment flows for structuring, rapid cycling, layering, or unusual counterparty patterns.
Behavioral monitoring compares a customer's current activity profile against their historical baseline and their peer group. A merchant whose average transaction value suddenly doubles, or who begins accepting payments from a new geographic cluster, will appear as an outlier worth investigating.
Sanctions and PEP screening operates on a continuous basis, re-screening existing customers against updated lists each time a new designation is published. Given that OFAC can update its SDN list multiple times in a week, daily or real-time screening is increasingly the industry standard.
Periodic profile reviews are scheduled, formal assessments during which compliance teams re-verify identity documents, confirm beneficial ownership, and re-underwrite the customer's risk rating. These are the most resource-intensive component but are necessary to catch changes that don't generate automated alerts — such as a quiet change in company directorship.
Event-driven reviews are triggered by specific external or internal events: a new adverse media hit, a country moving onto a high-risk watchlist, a large one-off transaction, or a customer requesting a significant product change. These reviews sit outside the scheduled cycle and require rapid response.
Best Practices
For Merchants
Apply a risk-based monitoring strategy from day one. Segment your customer base into at minimum three tiers — low, medium, and high risk — and calibrate alert thresholds, review frequencies, and escalation procedures for each tier independently. Treating all customers identically wastes resources on low-risk accounts while under-monitoring where it matters most.
Document every alert decision, including dismissals. Regulators consistently cite undocumented alert closure as a key examination failure. A dismissed alert with no written rationale is indistinguishable from a missed alert during an audit.
Conduct out-of-cycle reviews when material changes occur — new beneficial owners, significant transaction spikes, or negative news — rather than waiting for the next scheduled review date.
For Developers
Build event-driven webhooks into your monitoring pipeline so that external triggers (sanctions list updates, customer profile changes, large transaction events) automatically create review tasks in your case management system without manual intervention.
Implement feedback loops between alert disposition outcomes and model thresholds. When analysts consistently dismiss a particular alert type as a false positive, that signal should automatically flow back to threshold calibration rather than accumulating as wasted analyst time.
Ensure your monitoring data store is a superset of your onboarding data store, not a separate silo. Ongoing monitoring is only as effective as the baseline it references — fragmented data means fragmented detection.
Common Mistakes
Setting thresholds once and never revisiting them. Transaction patterns shift as businesses grow and product lines change. Static thresholds that were calibrated at onboarding will generate increasingly irrelevant alerts — either too many false positives or too many missed true positives — within 12 to 18 months.
Ignoring the "ongoing" in ongoing monitoring. Many businesses perform excellent initial know-your-customer checks and then treat the customer as a static, verified entity forever. This directly violates the spirit and letter of anti-money laundering regulations, which explicitly require continuous reassessment.
Failing to document alert dismissals. Every alert that is reviewed and closed without escalation must have a documented rationale. Examiners treat an undocumented closure as evidence of a control failure, regardless of whether the underlying judgment was correct.
Treating monitoring as a compliance function alone. Fraud, credit risk, and AML monitoring often generate overlapping signals. Siloing these functions means each team is working with an incomplete picture. Unified risk data produces better decisions and fewer duplicate investigations.
Over-automating without human oversight. Automated systems are essential at scale, but fully automated alert disposition — where no human reviews flagged transactions — is not compliant in most regulatory frameworks and misses contextual nuance that models cannot yet reliably capture.
Ongoing Monitoring and Tagada
Tagada operates as a payment orchestration layer, routing transactions across multiple acquiring banks and payment processors based on performance, cost, and compliance criteria. For merchants using Tagada, ongoing monitoring intersects directly with how transaction data flows across providers.
When payment volume is split across multiple acquirers through orchestration, ensure your transaction monitoring system aggregates data from all routing paths into a single view. Fragmented transaction history — one acquirer seeing half the picture — produces a distorted behavioral baseline and dramatically increases false negatives in anomaly detection. Configure Tagada's reporting webhooks to feed a unified monitoring data store rather than analyzing each processor's data independently.