Re-KYC (Periodic KYC)

What is Re-KYC?

Re-KYC, also called Periodic KYC, is the regulator-mandated process of refreshing a customer's identity information, supporting documents, and risk profile at defined intervals after the original onboarding. The purpose is simple: a customer's circumstances change — addresses move, occupations shift, ownership structures evolve, sanctions status updates — and a KYC file that was accurate three years ago may no longer reflect the customer's true risk today. Re-KYC ensures that the institution's customer due diligence (CDD) data stays current, that screening signals remain reliable, and that residual money-laundering risk continues to be managed within the firm's appetite.

In practice, re-KYC re-validates ID documents, re-runs sanctions, PEP and adverse-media screening, refreshes beneficial-ownership information for legal-entity customers, and reconciles transaction behaviour against the documented customer profile. It is one of the most heavily examined controls in any AML programme.

Why Re-KYC matters

Customer risk is not static. A previously low-risk individual may take up a politically exposed position; a corporate customer may restructure ownership across new jurisdictions; a previously dormant account may suddenly process volumes inconsistent with its declared purpose. Without periodic re-verification, an institution carries customers on the wrong risk band — applying inadequate monitoring, missing screening hits, and accepting transactions that should be referred. Beyond the regulatory exposure (fines, enforcement actions, restrictions on growth), the operational consequence is real: stale KYC data is one of the most common root causes cited in AML enforcement actions globally.

Re-KYC frequency by customer risk band

Most regulators apply a risk-based periodicity rather than a single fixed cycle. The table below reflects the most common standard adopted across major jurisdictions; institutions should always confirm against their specific regulator's rules.

| Risk band | Typical frequency | Review depth | Approval |
|---|---|---|---|
| Low-risk | Every 8–10 years | Standard CDD refresh; document and screening update | Operations team |
| Medium-risk | Every 5–7 years | CDD refresh plus targeted re-screening and behavioural review | Compliance team lead |
| High-risk | Every 1–2 years (often annually) | Full EDD measures; intensified beneficial-ownership analysis | Compliance officer |
| PEPs / high-risk jurisdictions | At least annually | Full EDD plus source-of-funds and source-of-wealth checks | Senior management sign-off |

Beyond the calendar cycle, re-KYC is also event-triggered — for example, a sanctions list update producing a new match, a material change in customer behaviour, a new beneficial owner, or expiry of a previously verified identity document.

Re-KYC for high-risk customers

The high-risk segment carries the most demanding re-KYC obligations. Regulators expect institutions to refresh the file at least once a year and, in many jurisdictions, to apply the same Enhanced Due Diligence (EDD) measures used at onboarding — including source-of-funds and source-of-wealth verification, intensified beneficial-ownership analysis, and senior-management approval of the continued relationship. The institution must also document why the customer continues to merit the relationship at all: for high-risk customers, periodic KYC is as much a re-approval as a refresh. Failure to complete high-risk re-KYC on time is one of the most common findings in AML examinations and a frequent driver of supervisory penalties.

Re-KYC vs KYC Refresh vs perpetual KYC

The terms are closely related but not interchangeable. Re-KYC is the broader concept of periodic re-verification on a calendar or event-driven cycle. KYC Refresh is often used to describe the operational act of updating a specific data field or document inside the file — for example, capturing a new ID following expiry — and may not involve full re-screening. Perpetual KYC (pKYC) is the modern, technology-led model where the customer file is continuously updated through real-time data feeds, behavioural signals, and automated alerts, removing the need for fixed calendar cycles for most customers. Many institutions are progressively migrating from periodic re-KYC towards perpetual KYC for low- and medium-risk segments while retaining scheduled refreshes for high-risk relationships.

Re-KYC vs KYC Remediation

Re-KYC is a forward-looking, scheduled control — it keeps an existing healthy file current. KYC Remediation, by contrast, is a backward-looking, corrective exercise triggered when historic KYC files are found to be incomplete, outdated, or non-compliant — often following a regulatory finding, a portfolio acquisition, or a system migration. Remediation programmes typically involve a one-off mass review of a defined customer cohort and may be subject to regulator-imposed deadlines. Re-KYC is business-as-usual; remediation is exceptional.

How a Re-KYC cycle works

A modern re-KYC cycle begins with identification of customers due — driven by the institution's risk-banding, the date of last verification, and any event triggers logged in the system. The customer is then notified through their preferred channel — email, in-app message, SMS, or relationship-manager outreach — with a clear list of information or documents required. Document and data capture follows, ideally through a digital workflow with embedded OCR, document-authentication, and biometric face-match where identity proofing is required. Updated information is then re-screened against sanctions, PEP, and adverse-media lists, and beneficial-ownership data is reconciled against external registries.

The compliance team then re-rates the customer, comparing the refreshed profile against the original risk band and any transaction-monitoring signals from the period since the last review. The decision — retain, re-band, restrict, or exit — is documented along with the supporting evidence and approver. Modern institutions increasingly orchestrate this entire cycle through a unified KYC platform that handles identification, capture, screening, decisioning, and audit trail in a single workflow.

Common Re-KYC challenges

Three challenges dominate periodic-KYC programmes. First is customer friction — re-KYC requests interrupt the customer experience and often suffer poor response rates, especially for low-engagement segments; institutions must design touchpoints that are short, clear, and channel-appropriate. Second is data quality — historic files often contain incomplete or inconsistent fields that surface only when refreshed, requiring decisions on whether to treat the gap as remediation or accept the new data and move on. Third is operational scale — high-risk re-KYC volumes can spike unpredictably (for example, after a sanctions regime change), and manual capacity rarely flexes to match. Automation, straight-through processing for clean cases, and exception-based human review are the three levers that consistently determine whether a re-KYC programme stays on schedule or falls into backlog.

Compliance and regulatory expectations

Examiners assess re-KYC against three lines of evidence: that all in-scope customers are reviewed within the prescribed cycle, that the depth of review is calibrated to risk, and that the outcome is documented and acted upon — including risk re-rating, EDD where required, and exit where the relationship can no longer be supported. Records of the refreshed information, screening outputs, decisions, and approvals must be retained for the period required by the institution's primary AML law (typically five to six years, sometimes longer). A programme that runs reviews on time but takes no action when risk has changed is treated as no programme at all.

Key Takeaways

What

Re-KYC is the regulator-mandated periodic refresh of customer identity, supporting documents, and risk profile after onboarding.

Why

Customer risk drifts over time; stale KYC data is among the most cited root causes in AML enforcement actions globally.

When

Risk-banded cycles — 8–10 years for low-risk, 5–7 for medium, 1–2 for high-risk, annually for PEPs — plus event triggers like sanctions hits or document expiry.

How

Identify, notify, capture, screen, reconcile, re-rate, and document — orchestrated end-to-end through a unified KYC workflow.

At a Glance

Also known as: Periodic KYC, KYC Periodic Review, KYC Refresh
Purpose: Keep customer identity, risk profile, and screening data current
Triggers: Risk-band schedule, customer events, regulator-driven cycles
Applies to: Banks, fintechs, payment firms, crypto exchanges, insurers
Related concepts: KYC, KYC Refresh, KYC Remediation, Perpetual KYC, Ongoing CDD

FAQ

What is Re-KYC?

Re-KYC, or Periodic KYC, is the scheduled refresh of a customer's identity information, supporting documents, and risk profile at intervals defined by the institution's risk-based policy. It re-validates ID, re-runs sanctions and PEP screening, and reconciles the customer's actual behaviour with their declared profile to keep CDD data current.

How often should Re-KYC be performed?

Frequency is risk-based. Typical intervals are every 8–10 years for low-risk customers, every 5–7 years for medium-risk, and every 1–2 years (often annually) for high-risk customers and PEPs. Event-driven re-KYC also applies whenever there is a material change in customer activity, ownership, sanctions status, or document validity.

What is the difference between KYC and Re-KYC?

KYC is the original verification performed at the start of the customer relationship — establishing identity, beneficial ownership, and an initial risk profile. Re-KYC is the periodic refresh of that information after onboarding to ensure it remains accurate, complete, and reflective of the customer's current risk.

What is Re-KYC for high-risk customers?

For high-risk customers — including PEPs and those in high-risk jurisdictions — re-KYC must be performed at least annually and typically with the same Enhanced Due Diligence (EDD) measures applied at onboarding, including source-of-funds checks, deeper beneficial-ownership analysis, and senior-management approval to continue the relationship.

What is the difference between Re-KYC and Perpetual KYC?

Re-KYC is calendar-driven — files are refreshed at fixed intervals. Perpetual KYC (pKYC) replaces those fixed cycles with continuous monitoring, real-time data feeds, and automated alerts, refreshing the customer file whenever a relevant change is detected rather than on a schedule.