"Ongoing compliance monitoring" is the dullest phrase in the AML rulebook and the one inspectors weight the heaviest. Under the EU's incoming Anti-Money Laundering Regulation it stops being a calendar exercise and becomes a continuous, risk-based duty — a documented loop of customer review, transaction surveillance, and management information that must run whether or not anything triggers it. Most fintechs do parts of it well and other parts only on paper.

This article is built differently from our usual long-form guides. It is a Q&A pack of the 24 questions practitioners actually ask about ongoing monitoring — the ones MLROs, CCOs, and Internal Audit leads send us by email, and the ones now being typed into LLMs. Each answer is short, sourced, and quotable. Two comparison tables anchor the technical detail.

The Basics

What does "ongoing compliance monitoring" mean for a regulated fintech?

Ongoing compliance monitoring is the continuous, risk-based scrutiny of customers, transactions, products and channels that an obliged entity must perform after onboarding to ensure that activity remains consistent with the customer's known profile and risk rating. It is the bridge between initial CDD and SAR filing. The concept is anchored in FATF Recommendation 10[1] and is transposed into every serious AML regime worldwide.

In practice it splits into four modules: customer-level monitoring (periodic and event-driven CDD refresh), transaction monitoring (rules and behavioural models that fire alerts), sanctions and PEP screening (continuous list rescreening), and management information (the dashboards and committee papers that prove the first three are working).

How does AMLR change ongoing monitoring vs 6AMLD?

The AMLR[2] — Regulation (EU) 2024/1624, applicable from 10 July 2027 — is a directly applicable regulation, not a directive. That removes the national-transposition variance that 6AMLD[3] tolerated and creates a single rulebook for ongoing monitoring across the EEA.

Concretely, AMLR codifies maximum CDD refresh intervals, mandates risk-classification updates triggered by defined events, and requires documented evidence that monitoring outputs feed governance. 6AMLD focused on the criminal-law harmonisation of predicate offences; AMLR governs the operational machinery that prevents them.

Who is responsible for ongoing monitoring in an EMI/CASP/PI?

Responsibility runs through three roles. The management body owns the framework. A member of the management body is designated for AML/CFT. And the AML/CFT Compliance Officer — in UK terms the MLRO — runs day-to-day execution. EBA/GL/2022/05[4] sets the floor for these roles.

The three lines of defence apply: the first line (operations, customer support, payments ops) executes monitoring controls; the second line (Compliance, MLRO) designs and oversees them; the third line (Internal Audit) independently tests them. None of the three can outsource its accountability.

What's the minimum cadence for customer-relationship reviews?

There is no single statutory number, but EBA/GL/2023/03[5] requires the refresh cadence to be calibrated to customer risk. The market-standard implementation is low risk every 36 months, medium every 24 months, high every 12 months, and PEPs and very-high-risk every 6 months.

Periodic cadence is the floor, not the ceiling. Event-driven triggers (UBO change, sanctions hit, sudden volume spike, adverse media) force an unscheduled refresh regardless of when the last one ran. Inspectors look for both layers operating together.

What documents prove ongoing monitoring is happening?

The minimum documentary trail is: the Business-Wide Risk Assessment, the AML/CFT policy and procedures, customer risk-rating logs, alert disposition records, SAR registers, the MLRO's annual report, and minutes of the AML committee or Risk Committee that received them. FCA SYSC 6[6] sets the UK equivalent reference.

All artefacts must be retained for five years after the end of the customer relationship under both AMLR and FATF Recommendation 11. Storage must be retrievable on request — an archive that takes two weeks to query fails the test.

Monitoring cadence by regulatory regime (market-standard implementation, May 2026).

| Regime | Periodic CDD refresh | TM alert review SLA | MLRO board reporting |
|---|---|---|---|
| EU — AMLR (from 10 Jul 2027) | Low 36m / Med 24m / High 12m / PEP 6m | Risk-tiered, documented in policy | At least annual; quarterly preferred |
| UK — FCA SYSC 6 + MLR 2017 | Risk-based; high-risk ≤ 12m | Material alerts within 48h; routine ≤ 5 business days | Annual MLRO report + quarterly MI |
| Singapore — MAS Notice PSN02 / FAA-N03 | Risk-based; high-risk ≤ 12m | Documented in policy; risk-tiered | At least annual |
| US — NYDFS Part 504 | Risk-based; annual TM tuning required | Documented in policy; risk-tiered | Annual board certification |

Customer-Level Monitoring

What's the difference between event-driven and periodic CDD refresh?

A periodic refresh runs on a calendar driven by the customer's risk rating — every 12, 24, or 36 months. It re-collects identity data, beneficial-ownership data, source-of-funds evidence, and re-scores the risk model. An event-driven refresh runs when something material changes — a new UBO, a country added to the FATF grey list, a sanctions hit, an adverse-media finding, or a TM alert closed as suspicious.

Periodic alone is insufficient. Event-driven alone is insufficient. Inspectors expect both, with the trigger taxonomy written into policy and the audit trail showing which trigger fired which refresh.
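The two-layer logic described above, as an added worked example that is not part of the original article: a small scheduler that computes the periodic due date from the risk tier using the cadences quoted in this article, lets any recognised event after the last refresh force an unscheduled one, and records which trigger fired. The event codes, customer records and the "ignore events outside the policy taxonomy" choice are constructed assumptions for illustration, not taken from any regulator text.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Market-standard periodic cadence (months) as quoted in the article.
CADENCE_MONTHS = {"low": 36, "medium": 24, "high": 12, "pep": 6, "very_high": 6}

# Constructed trigger taxonomy: only events listed here force an unscheduled refresh.
# In a real policy this set is the written trigger list; unknown codes are ignored.
EVENT_TRIGGERS = {
    "ubo_change", "sanctions_hit", "volume_spike",
    "adverse_media", "fatf_grey_list", "tm_alert_suspicious",
}


@dataclass
class Customer:
    customer_id: str
    risk_rating: str          # key into CADENCE_MONTHS
    last_refresh: date
    events: list = field(default_factory=list)  # (event_date, event_code)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_periodic_due(c: Customer) -> date:
    return add_months(c.last_refresh, CADENCE_MONTHS[c.risk_rating])


def refresh_decision(c: Customer, as_of: date):
    """Return (needs_refresh, reason, periodic_due_date).

    Event-driven layer wins: the earliest recognised trigger after the last
    refresh is reported so the audit trail shows which trigger fired.
    """
    periodic_due = next_periodic_due(c)
    pending = sorted(
        (d, e) for d, e in c.events
        if c.last_refresh < d <= as_of and e in EVENT_TRIGGERS
    )
    if pending:
        d, e = pending[0]
        return True, f"event:{e}@{d.isoformat()}", periodic_due
    if as_of >= periodic_due:
        return True, "periodic:overdue", periodic_due
    return False, "none", periodic_due


def overdue_pct(customers, as_of: date, risk_rating: str) -> float:
    """KRI: percentage of a risk tier whose periodic refresh is past due."""
    tier = [c for c in customers if c.risk_rating == risk_rating]
    if not tier:
        return 0.0
    overdue = sum(1 for c in tier if as_of >= next_periodic_due(c))
    return round(100.0 * overdue / len(tier), 1)


# Constructed sample book (not real customers).
BOOK = [
    Customer("A", "high", date(2025, 1, 15)),
    Customer("B", "low", date(2024, 6, 30), [(date(2025, 9, 10), "ubo_change")]),
    Customer("C", "medium", date(2025, 3, 1), [(date(2025, 11, 2), "address_update")]),
    Customer("D", "pep", date(2025, 9, 30)),
    Customer("E", "high", date(2025, 8, 1)),
]

if __name__ == "__main__":
    today = date(2026, 2, 1)
    for c in BOOK:
        print(c.customer_id, c.risk_rating, refresh_decision(c, today))
    print("high-risk % overdue:", overdue_pct(BOOK, today, "high"))
```

Customer C illustrates the policy-mapping test from later in this article: an address update is recorded, but because it is not in the written trigger set it does not fire a refresh; if policy says it should, the taxonomy, not the scheduler, is what needs changing.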

How do you handle ongoing monitoring for high-risk customers?

High-risk customers require enhanced due diligence (EDD) at onboarding and enhanced ongoing monitoring thereafter. That means tighter TM thresholds, more frequent transaction reviews (often monthly), refreshed source-of-funds and source-of-wealth evidence at every cycle, and senior management sign-off on the continuation of the relationship.

For PEPs specifically, AMLR retains the requirement for senior management approval to maintain the relationship and enhanced monitoring of the source of funds. PEP status persists for at least 12 months after the person leaves prominent public function — a frequent audit miss.

What are the EBA/GL/2023/03 triggers for refreshed due diligence?

The EBA guidelines list non-exhaustive trigger categories: changes in the customer's circumstances (UBO, structure, address, occupation), changes in the products or services used, changes in the customer's risk profile (PEP status, sanctions, adverse media), changes in jurisdictional risk (new FATF grey-list entry), and changes in the institution's risk appetite.

The practitioner test: can your policy map each trigger to a system event? If a UBO changes in the corporate register, does that fire a workflow ticket? If a country moves to the FATF grey list, does your screening engine rescreen the affected book? If not, the policy is theoretical.

Can ongoing monitoring be outsourced?

The execution can be outsourced; the responsibility cannot. An obliged entity may engage a third party to run alert triage, KYC refresh, or screening operations — but the obliged entity remains the regulated party, owns the outputs, and must demonstrate effective oversight via SLAs, KPIs, sample QA, and exit plans.

Under DORA and the EBA outsourcing guidelines, AML monitoring is typically classified as a critical or important function. That triggers a heavier governance regime: pre-engagement risk assessment, written outsourcing agreement with audit rights, register entry, and notification to the competent authority before signing.

What KRIs should the customer-monitoring module track?

The defensible KRI set covers: % of customers with overdue periodic refresh, % of high-risk customers reviewed in the last 12 months, average time-to-completion for a CDD refresh, % of risk-rating changes triggered by event vs calendar, and PEP / sanctions rescreening completion rate.

Each KRI needs a green / amber / red threshold defined in policy, an owner, and a documented escalation path when amber or red. A dashboard with numbers but no thresholds is not a control.

Transaction-Level Monitoring

What's the difference between rules-based and behaviour-based transaction monitoring?

Rules-based TM uses deterministic thresholds — "alert if a single transaction exceeds €15,000", "alert if cumulative volume in 24h exceeds 200% of declared activity". They are easy to explain, easy to audit, and prone to high false-positive rates.

Behaviour-based TM uses statistical or ML models that score deviation from a customer's own historical pattern or from peer-group patterns. They produce fewer, higher-quality alerts but require explainability documentation to be defensible. Most mature programmes run both layers in parallel.

How many SARs is "normal" for an EMI / CASP / MSB at scale?

There is no statutory benchmark, and "normal" varies by business model. For an EMI with retail consumer customers, market observation suggests 0.1% – 0.5% of active accounts generating a SAR per year. For a CASP with mid-market crypto-active customers, 0.3% – 1.0% is observed. An MSB with cash exposure runs higher.

What inspectors actually look at is the direction of travel and the quality narrative. A SAR rate that has collapsed against a stable customer base is a red flag. A SAR rate flat against rapid customer growth is a red flag. Absolute volume matters less than coherence with the risk profile.

What's a "true positive rate" target for an alert system?

There is no regulatory target. Industry-realistic ranges sit at 2% – 8% true positives for rules-based systems and 10% – 25% for well-tuned behavioural models. A TP rate below 1% suggests over-broad thresholds; above 30% suggests rules tuned too narrowly and probable under-detection.

Define "true positive" carefully in policy. The defensible definition is "alert closed with an action that adds compliance value" — SAR filed, EDD performed, risk rating uplifted, or relationship exited. "Reviewed and dismissed" is not a true positive even if the analyst found it interesting.
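The two monitoring layers contrasted above, plus the true-positive definition just given, as one added worked example that is not part of the original article: a rules layer implementing the two thresholds quoted in this article (single transaction over €15,000; rolling-24h volume over 200% of declared activity), a behaviour layer scoring the latest day against the customer's own history, and a TP-rate calculation that counts only value-adding dispositions. The ledger, declared activity figures, z-score cut-off, history floor and disposition codes are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SINGLE_TXN_LIMIT = 15000.0      # "alert if a single transaction exceeds €15,000"
CUMULATIVE_24H_FACTOR = 2.0     # "cumulative volume in 24h exceeds 200% of declared activity"
ZSCORE_LIMIT = 3.0              # assumed behaviour-layer cut-off
MIN_HISTORY_DAYS = 5            # assumed minimum own-history before scoring

# Constructed ledger: seven days of one payment per customer, then a scored day 8.
BASE = datetime(2026, 1, 1, 12, 0)
HISTORY = {"c1": [4000, 4500, 4200, 4800, 4100, 4600, 4300],
           "c2": [10000, 13000, 11000, 14000, 9500, 12500, 13500]}
TXNS = [(cid, BASE + timedelta(days=i), float(v))
        for cid, vols in HISTORY.items() for i, v in enumerate(vols)]
TXNS += [("c1", datetime(2026, 1, 8, 9, 0), 2000.0),
         ("c1", datetime(2026, 1, 8, 15, 0), 9000.0),
         ("c2", datetime(2026, 1, 8, 13, 0), 15200.0)]
DECLARED_DAILY = {"c1": 5000.0, "c2": 12000.0}   # constructed declared activity


def rules_layer(txns, declared_daily):
    """Deterministic rules; returns (customer, rule, timestamp, value) alerts."""
    by_customer = defaultdict(list)
    for cid, ts, amt in sorted(txns, key=lambda t: t[1]):
        by_customer[cid].append((ts, amt))
    alerts = []
    for cid, rows in by_customer.items():
        window, breached = [], False
        limit = CUMULATIVE_24H_FACTOR * declared_daily.get(cid, 0.0)
        for ts, amt in rows:
            if amt > SINGLE_TXN_LIMIT:
                alerts.append((cid, "R1_single_txn", ts, amt))
            window = [(t, a) for t, a in window if ts - t < timedelta(hours=24)]
            window.append((ts, amt))
            total = sum(a for _, a in window)
            # fire once per breach episode, not on every later payment in the window
            if total > limit and not breached:
                alerts.append((cid, "R2_cumulative_24h", ts, total))
                breached = True
            elif total <= limit:
                breached = False
    return alerts


def behaviour_layer(txns, zscore_limit=ZSCORE_LIMIT, min_history_days=MIN_HISTORY_DAYS):
    """Score the latest day's volume against the customer's own daily history."""
    daily = defaultdict(lambda: defaultdict(float))
    for cid, ts, amt in txns:
        daily[cid][ts.date()] += amt
    alerts = []
    for cid, days in daily.items():
        ordered = sorted(days)
        if len(ordered) <= min_history_days:
            continue                      # too little own history to score
        hist = [days[d] for d in ordered[:-1]]
        latest_day, latest = ordered[-1], days[ordered[-1]]
        mu = mean(hist)
        sigma = max(pstdev(hist), 0.05 * mu)   # floor avoids a flat history blowing up z
        z = (latest - mu) / sigma
        if z > zscore_limit:
            alerts.append((cid, "B1_own_history_zscore", latest_day, round(z, 2)))
    return alerts


# Only outcomes that add compliance value count as true positives.
VALUE_ADDING = {"sar_filed", "edd_performed", "risk_uplift", "exited"}


def true_positive_rate(dispositions) -> float:
    """dispositions: list of (alert_id, outcome); returns TP rate in percent."""
    if not dispositions:
        return 0.0
    tp = sum(1 for _, outcome in dispositions if outcome in VALUE_ADDING)
    return round(100.0 * tp / len(dispositions), 2)


# Constructed disposition log: 2 value-adding outcomes out of 20 alerts.
DISPOSITIONS = [("a1", "sar_filed"), ("a2", "risk_uplift")] + \
               [(f"a{i}", "dismissed") for i in range(3, 21)]

if __name__ == "__main__":
    for a in rules_layer(TXNS, DECLARED_DAILY) + behaviour_layer(TXNS):
        print(a)
    print("TP rate %:", true_positive_rate(DISPOSITIONS))
```

The sample data is chosen so that the two layers disagree: c2's €15,200 payment trips the single-transaction rule although it sits within that customer's normal range, while c1's day-8 volume is unremarkable in absolute terms but is both double its declared activity and far outside its own history. That disagreement is exactly what a tuning log has to explain rule by rule.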

How quickly must a SAR be filed after the trigger event?

AMLR requires reporting "promptly" to the FIU once knowledge or suspicion is formed — no fixed day count, but the operative test is whether the institution acted without undue delay. In the UK, the SARs regime via the National Crime Agency operates on the same "as soon as practicable" standard.

The defensible policy KPI most institutions adopt is SAR filed within 3 business days of the suspicion threshold being crossed, with an internal escalation path that gets a draft to the MLRO within 24 hours. Document the clock-start moment — "trigger event" must be unambiguously defined in the procedure.

What does a defensible TM tuning log look like?

For each rule or model, the log records: the typology it targets, the threshold or scoring logic, the data lineage feeding it, the alert volume and TP rate over a rolling 12-month window, the date of last review, the rationale for any change, and the approver. Every change point is auditable.

A formal tuning review should run at least annually and on every material change to product, customer segment, or risk appetite. NYDFS Part 504 made this an explicit certification requirement in the US; EU regulators expect it implicitly under risk-based supervision.

KRI thresholds and escalation triggers for ongoing monitoring (illustrative defensible ranges).

| KRI | Green | Amber | Red |
|---|---|---|---|
| Alert volume vs 90-day baseline | ±25% | +25% to +50% | > +50% |
| True-positive rate (rules) | 3% – 8% | 1% – 3% or 8% – 15% | < 1% or > 15% |
| Age of oldest open alert | ≤ 14 days | 15 – 30 days | > 30 days |
| SAR conversion rate (alert → SAR) | 1% – 5% | < 1% or 5% – 10% | > 10% |
| CDD refresh — % overdue (high risk) | ≤ 2% | 2% – 5% | > 5% |
| Sanctions screening — % unactioned > 24h | 0% | ≤ 1% | > 1% |

Governance and Reporting

How often must the board see the compliance MI?

At least annually the board (or equivalent senior management body) must receive the MLRO's annual report. In practice, a fintech of any meaningful scale runs quarterly compliance MI through a Risk Committee or AML Committee, with monthly operational MI at management level.

"Seen" is not "received". Inspectors will read the minutes to confirm the board discussed the MI, challenged it, and took documented decisions. A board pack with a 40-page compliance appendix that nobody asked a question about is a finding waiting to happen.

What does the MLRO's annual report contain?

The standard contents are: an assessment of the effectiveness of the AML/CFT framework, a summary of the BWRA, monitoring statistics (alerts, SARs, refresh completion, KRI trends), training delivery and outcomes, audit and regulator findings and remediation status, and a forward-looking compliance plan with resource requirements.

The report must be signed by the MLRO, presented to the management body, and the management body's response (acceptance, challenge, requested changes) minuted. Both documents stay in the five-year record.

How does AMLR change the MLRO role?

AMLR formalises a previously implied split: a Compliance Manager / AML/CFT Compliance Officer responsible for the framework, and a designated member of the management body who is the AML/CFT champion at board level. The two roles can be held by the same person only in narrow circumstances.

AMLR also requires the AML/CFT Compliance Officer to have sufficient seniority, independence, and resources — language that EBA/GL/2022/05 fleshes out and that AMLA (the new EU AML Authority) is expected to police uniformly across the EEA from 2028.

When must the NCA be notified of a compliance breach?

There is no universal threshold, and notification triggers vary by NCA. The defensible internal policy lists: any breach of a regulatory rule that the regulator would reasonably want to know about, any breach that triggers customer detriment, any control failure with systemic implications, and any prudential or own-funds breach.

For the UK, the FCA's Principle 11 obliges "open and cooperative" disclosure — interpreted as prompt notification once the firm is reasonably aware. Late or omitted notifications attract heavier enforcement than the underlying breach.

What's the right relationship between Internal Audit and the compliance function?

Internal Audit is the third line and must be organisationally independent of Compliance. Its job is to test whether the AML/CFT framework operates as designed and as intended. Frequency: at minimum an annual thematic review, supplemented by deep-dives into specific modules (TM tuning, sanctions, KYC refresh) on a rolling multi-year plan.

Audit findings must be rated, tracked, and reported to the Audit Committee with closure SLAs. Compliance owns remediation but cannot mark its own homework — Audit re-tests closure.

Common Pitfalls

What's the most common ongoing-monitoring failure inspectors find?

The recurring finding across EU, UK, and APAC inspections is policy-to-execution drift: the AML manual describes a sophisticated risk-tiered model; the actual system runs every customer on the same six rules with the same thresholds. The customer risk rating exists in a database column but does not change behaviour anywhere downstream.

The fix is mechanical: trace each policy clause to a system control. If a clause cannot be traced, either the policy is aspirational or the control is missing. Inspectors do this exercise live — running it pre-emptively is one of the highest-leverage audit-prep activities.

Can a small fintech share an MLRO across group entities?

Yes, with conditions. AMLR and most national regimes permit a group-level AML/CFT Compliance Officer where the entities are part of the same group and the officer has authority and resources at each entity. Each entity still needs a designated management-body member for AML/CFT.

What's not acceptable: a part-time MLRO with no operational visibility into the entity. Regulators have closed firms where the MLRO was a consultant who appeared once a quarter and signed a report drafted by the operations team.

How do you evidence "ongoing monitoring" of a dormant customer?

Dormancy is not the same as exit. While the relationship persists, the customer must remain on continuous sanctions and PEP screening, and identity / UBO data must remain reasonably current. Most firms run a "dormant tier" with a longer refresh cadence and a documented threshold for either reactivation review or formal exit.

If a dormant account reactivates, treat it as an event-driven trigger: full refresh, source-of-funds enquiry on the first material movement, and enhanced TM for the first 90 days.

What's the cost of an ongoing monitoring programme — and what drives it?

For a mid-stage EMI or CASP with 50k – 500k active customers, a credible ongoing-monitoring programme runs €600,000 – €2.5M per year fully loaded. Cost is dominated by people (50–70%), followed by TM / screening tooling (15–25%), data feeds and KYC vendors (10–15%), and audit / training.

The biggest cost drivers are alert volume (a function of tuning quality), high-risk customer mix, and jurisdictional complexity. Halving alert volume through proper tuning routinely pays back the entire tooling budget within 18 months.

Need ongoing monitoring run on a retainer with documented quarterly attestation? Finconduit operates the programme month-by-month. Book a free monitoring-architecture review.


Ongoing monitoring is where serious AML programmes are won and lost. Onboarding controls have the headlines; ongoing monitoring has the evidence. As AMLR transitions from text to enforcement between 2027 and 2028, the firms that treat monitoring as a documented, measurable, board-visible loop will pass inspection. The rest will spend their second-line headcount writing remediation plans.

Footnotes & Citations

  1. FATF International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation — Recommendation 10 (CDD) and Recommendation 11 (Record-keeping), updated November 2023.

  2. Regulation (EU) 2024/1624 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR), OJ L, 19.6.2024.

  3. Directive (EU) 2018/1673 of the European Parliament and of the Council on combating money laundering by criminal law (6AMLD), OJ L 284, 12.11.2018.

  4. EBA Guidelines on the role, tasks and responsibilities of AML/CFT compliance officers (EBA/GL/2022/05), 14 June 2022.

  5. EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the ML/TF risk associated with individual business relationships and occasional transactions (EBA/GL/2023/03), 31 March 2023.

  6. FCA Handbook SYSC 6 — Compliance, internal audit and financial crime, accessed May 2026.
