
Why do well-onboarded clients become your biggest regulatory exposure?
Most regulated payment and financial institutions have invested heavily in onboarding : the workflows, the portals, the automated document checks. The file is clean on Day 1. The problem is Day 730.
Regulators don't primarily sanction companies for bad onboarding; they sanction them for failing to maintain an up-to-date view of who their clients are and how their risk has evolved.
In virtually every ACPR sanction decision published since 2023, failures in ongoing client knowledge, not onboarding, appear as the primary grievance. MoneyGram was hit with 3 of its 8 grievances directly on KYC qualification and enhanced due diligence failures (Compliance Partners, May 2026). Chaabi Bank was sanctioned for failing to maintain "vigilance constante" on clients who had been active for years (Compliance Partners, November 2025). The pattern is consistent.
Key takeaways
- ‍Ongoing vigilance is the primary source of regulatory sanctions, not onboarding. Across recent ACPR decisions, KYC and ongoing vigilance failures account for the majority of grievances retained, from MoneyGram (3 out of 8 grievances, 2026) to Chaabi Bank (5 grievances, all related to ongoing vigilance, 2025) (Compliance Partners, 2025-2026).‍
- Most periodic review processes are manual by design, not by accident. A representative Q4 2025 RFI from a major European payment institution described every periodic review interaction as handled by email, with no client portal, no central visibility, and KYB officers dependent on sales teams to chase clients on their behalf. This is not an edge case, it is the industry norm. ‍
- Each KYB review costs between $1,500 and $3,500 per corporate entity. Two-thirds of financial institutions surveyed by Fenergo put the cost of a single KYC review for a commercial client at $2,598 on average (Fenergo, 2023). For a portfolio of 5,000 businesses due for review, that is a $13M operational exposure before a single sanction is levied.‍
- Review cycles are getting longer, not shorter. More than half of financial institutions spend between 61 and 150 days on client KYC reviews (Fenergo, 2024). Every day a review drags past its scheduled deadline is a day of documented regulatory exposure.‍
- Sensitive documents circulating by email create a compliance risk in themselves. Corporate KYB files (UBO identity documents, shareholder registers, source-of-funds evidence) are transmitted across personal inboxes with no audit trail, no encryption enforcement, and no chain of custody. The data protection exposure compounds the AML exposure.‍
- Automation on periodic reviews is achievable, not aspirational. Institutions that have automated their ongoing due diligence cycles report up to a 90% reduction in manual tasks, with team requirements halved without any reduction in review quality (Ondorse client data).
Why does regulatory exposure concentrate after onboarding?
The regulatory logic is straightforward. Under Article L561-6 of the French Code Monétaire et Financier, and equivalent provisions in the EU's Anti-Money Laundering (AML) directives, regulated institutions are not simply required to verify their clients once at onboarding. They are required to maintain an ongoing, up-to-date understanding of the business relationship, calibrated to the client's risk level.
The practical consequence: a client whose Ultimate Beneficial Owner (UBO) structure changed two years ago, who has expanded into a new activity sector, or whose directors have been subject to sanctions proceedings, must be caught by your review cycle, not by a regulator during an inspection.
Review frequency is discretionary. Market practice sets a minimum cadence:
- Low risk: review at least every 3 years
- Standard risk: at least every 2 years
- High and very high risk: more frequent intervals, defined by each institution's risk classification policy
Beyond scheduled reviews, specific triggering events (a new product subscription, a change in beneficial ownership, a Politically Exposed Person (PEP) status update, or an adverse media alert) require an immediate, event-driven review regardless of when the last scheduled review occurred.
Most institutions can describe this policy on paper. Very few can demonstrate it in practice, with evidence.
What does the current periodic review process actually look like?
Here is what one major European payment institution described in an RFI for a KYB platform - without any embellishment:
"There is no dedicated client portal for onboarding or periodic reviews. All interactions with clients are handled manually by email. For periodic reviews, KYB Officers first perform an internal screening. They then request missing information from Sales or customers. If the client does not respond, KYB Officers must follow up with Sales, who must then chase the client again."
This is a company operating across more than 10 countries and processing billions of payment flows. If this is the process at that scale, the smaller institutions running periodic reviews on spreadsheets with calendar reminders are in a structurally worse position.
The pattern described aboveis almost universal across mid-market fintechs and payment institutions:
- A KYB officer identifies that a client review is overdue, typically via a spreadsheet or a basic CRM flag.
- The officer drafts an email to the account manager or sales contact asking them to "reach out to the client."
- The account manager sends an email to the client listing the documents required.
- The client responds (or doesn't). If they don't, the process loops back to step 2, now with a delay.
- Documents arrive by email in various formats, often incomplete, often expired.
- The KYB officer manually reads, classifies, and archives documents ... often in a shared drive or the inbox itself.
- The officer updates the risk score. There is no audit trail linking the new score to the evidence collected.
At every stage, the information is retyped. At every stage, accountability is diffuse. At every stage, there is a gap between what your policy says should happen and what is actually happening.
What breaks in this approach?
The failure modes are not subtle. They are systemic.
- Oversight gaps accumulate invisibly. When reviews happen by email, there is no single place where a compliance officer or MLRO can see how many reviews are overdue, by how many days, and which clients they concern. The exposure is real but unmeasurable.
- Sales teams become unwitting compliance bottlenecks. KYB officers depend on account managers to chase clients. Account managers have revenue targets. The structural incentive is to delay, soften, or simplify the request. Reviews get deprioritised.
- Documents become evidence of nothing. A PDF received by email and stored in a shared folder has no metadata trail proving when it was received, who reviewed it, what decision it supported, and when it expires. This is not a file that holds up in an ACPR inspection.
- Sensitive data circulates without control. UBO identity documents, source-of-wealth evidence, and corporate shareholder structures are transmitted through employee inboxes. This violates both GDPR data minimisation principles and basic AML chain-of-custody expectations.
- No event triggers reach the review queue. A client's director appears on an updated sanctions list. A registry entry records a change in beneficial ownership. The periodic review cycle (running on a calendar) has no mechanism to capture this and accelerate the review. The event passes undetected until the next scheduled cycle.
- High-risk clients are not treated differently from low-risk ones. Without automated risk-based routing, review cadences are flat. A high-risk client reviewed annually on the same cadence as a low-risk client reviewed every five years is not a risk-based approach. It is a uniform one.
The ACPR's sanction record makes the consequence concrete. In June 2025, a well established bank received a reprimand and a €600,000 fine with deficiencies in ongoing client knowledge explicitly cited (AfterData, 2025). The prior year, a financial services firm was fined €1 million for inadequate Know Your Customer (KYC) management (Deloitte ACPR Bilan 2024). In both cases, onboarding was not the primary vector. Ongoing vigilance was.
What should a modern periodic KYB review cycle look like?
The right architecture starts from a different premise. Rather than treating periodic reviews as discrete administrative tasks triggered by a calendar, the correct model treats the review cycle as a continuous process that combines scheduled cadences with event-driven triggers, all within a structured workflow that produces auditable decisions.
Risk-stratified cadences, not flat schedules. Review frequency must be driven by the client's current risk score ; which itself should update dynamically as new information arrives. A business that scored low-risk at onboarding but has since expanded into a high-risk jurisdiction, changed UBOs, or accumulated adverse media hits should be reviewed at the cadence appropriate to its current risk level, not the one assigned two years ago.
Event-triggered reviews that run in parallel to scheduled ones. Ownership changes in the business registry, sanctions list updates, adverse media alerts, PEP status changes : any of these should automatically open a new review task without waiting for the scheduled cycle. This is what Article L561-6 actually requires: review when the information changes, not just on a fixed schedule.
A dedicated client portal, not an email thread. The document collection step should happen through a structured channel where the client knows exactly what is requested, can upload documents in one session, and receives immediate validation feedback. This eliminates the sales-intermediary step entirely and creates an auditable record of every interaction.
Centralised case management with queue visibility. Every overdue review should appear in a single, ranked queue. KYB officers should see what is due, how overdue it is, and which cases they own. Team leads should see workload distribution across the team. The MLRO should be able to generate a snapshot of portfolio review status at any moment, not reconstruct it from a spreadsheet.
Immutable audit trails linked to decisions. Every document collected, every risk score update, every review decision must be time-stamped and linked to the evidence that supported it. Not stored in a folder, linked in the case file, with the decision logic recorded.
Can the review cycle be automated without losing control?
Yes, and the objection that automation sacrifices judgment is a false framing. The tasks that benefit most from automation are not the analytical ones. They are the coordination tasks: scheduling review windows by risk tier, reopening client portals with a configurable follow-up sequence, re-screening entities daily against sanctions and PEP lists, monitoring business registries for structural changes, and routing overdue cases to the right analyst automatically.
One payment fintech deployed Ondorse across its full compliance cycle with a starting position most compliance teams would recognise: 17,000 business entities to review, minimal initial data, and a 12-month plan built around 6 FTEs doing manual verification. After 5 months, 90% of the portfolio was complete. The team was at 2.5 FTEs. Document checks that previously required 4 people working manually for 90 days (3,500 expired identity documents) were fully automated. The periodic re-KYB component ran without sales involvement.
The analytical work such as assessing context remains with the compliance officer. Automation handles the logistics. The result is not a black box; it is a compliance officer who spends their time on the cases that require judgement, not chasing sales for documents that were due six weeks ago.
Across Ondorse deployments at regulated payment institutions, teams running periodic KYB review cycles see on average a 65% reduction in overdue review rate within 6 months of deployment, and cut their average case completion time in half : from 20 minutes to under 10 minutes per file. Annual review targets that previously required 12 months are now completed in 5.
What Ondorse does differently on periodic reviews
Ondorse's Ongoing Due Diligence (ODD) module was built for exactly this gap. It does not treat periodic reviews as an add-on to onboarding. It treats the review cycle as its own structured process, with its own logic, its own triggers, and its own audit layer.
The core mechanics:
- Risk-stratified scheduling: review cadences are set by risk profile (low, medium, high) and enforced automatically. When a client's risk score changes, the cadence updates accordingly.
- Event-triggered reviews: registry changes, sanctions hits, adverse media alerts, and document expiry dates all trigger review tasks automatically, independent of the scheduled cycle.
- Client portal, reopened on demand: for each review, the client portal is reopened with a pre-configured document request tailored to the client's profile. Follow-up sequences run automatically; KYB officers are only notified when escalation is needed.
- Daily re-screening: every active entity - either a legal persons and natural persons - is re-screened daily against sanctions lists, PEP databases, and adverse media sources. ‍
- Queue management: all open reviews appear in a prioritised queue, ranked by urgency and assigned to analysts based on configurable routing rules. No review falls through the gap.‍
- Immutable case history: every state, every transition, every document, every decision is logged and cannot be modified ... only appended. The audit trail is a structural property of the platform, not a reporting feature.
For compliance teams managing a growing client portfolio under increasing regulatory scrutiny, this is not a marginal improvement. It is the difference between a review process that exists on paper and one that holds up in an inspection.
Have questions about how Ondorse handles periodic KYB reviews for your specific regulatory context or portfolio size? Get in touch with our team.
Discover our latest guide
Everything you need to know about this subject
Heading
Subtextt
.jpeg)


