Re-KYC is no longer a periodic compliance exercise. As customer risk profiles, ownership structures, business activity, and transaction behavior change over time, financial institutions need a more dynamic way to keep customer and merchant information accurate, current, and aligned with risk.

Re-KYC, also known as KYC refresh, is the process of reviewing, updating, and revalidating customer or merchant due diligence information after onboarding. It helps financial institutions maintain accurate risk profiles, meet AML obligations, and support ongoing customer due diligence throughout the relationship.

For payment providers, acquirers, PayFacs, fintechs, and regulated financial services businesses, Re-KYC is not simply a repeat verification exercise. It is a trust function that helps organizations maintain confidence in every customer or merchant relationship as risk evolves.

At its core, Re-KYC extends the foundations of Know Your Customer (KYC) into the ongoing customer lifecycle. Regulators increasingly expect firms to maintain accurate, up-to-date customer information and apply a risk-based approach to ongoing monitoring, rather than treating due diligence as a one-time onboarding task. Global standards, including those set by the Financial Action Task Force (FATF), reinforce the importance of keeping customer information current and reassessing risk as relationships, ownership structures, and activity change.

This is especially important in merchant portfolios, where risk profiles can change due to shifts in ownership, transaction patterns, business activity, vertical exposure, or geographic expansion. Managing that risk effectively requires more than isolated checks. It requires a connected approach to onboarding, Know Your Business (KYB) checks, Anti-Money Laundering (AML) screening, underwriting, risk assessment, and ongoing due diligence.

OnBoard by MVSI supports this connected approach by bringing digital onboarding, KYB, AML screening, underwriting, and ongoing due diligence into one end-to-end merchant onboarding and compliance platform for regulated payments, fintech, and financial services businesses.

This shift reflects a broader move toward continuous customer due diligence, where Re-KYC plays a central role in helping organizations manage risk, maintain audit-ready records, and make trusted compliance decisions over time.

This evolution also raises a critical question: how can Re-KYC move beyond periodic updates to operate effectively across the full customer lifecycle?

Key takeaways

  • Re-KYC, or KYC refresh, is the process of reviewing, updating, and revalidating customer or merchant due diligence information after onboarding.
  • Global AML expectations require firms to keep customer information current and apply risk-based ongoing monitoring throughout the relationship.
  • Traditional Re-KYC models often rely on periodic reviews, which can create visibility gaps when customer or merchant risk changes between review cycles.
  • Manual and fragmented Re-KYC processes can slow decision-making, increase operational workload, and make it harder to maintain audit-ready compliance records.
  • Effective Re-KYC connects onboarding, KYB, KYC, AML screening, risk scoring, OCDD, workflow orchestration, and audit trails in one governed process.

What is Re-KYC?

Re-KYC is the process of reviewing, updating, and revalidating customer or merchant due diligence information after the initial onboarding stage. It helps financial institutions keep customer data, ownership information, risk profiles, and compliance records accurate as the relationship evolves. Unlike initial verification, Re-KYC is not a one-time activity. It is an ongoing requirement embedded within the end-to-end KYC process, driven by regulatory expectations for ongoing monitoring and risk-based review.

In merchant onboarding, Re-KYC plays an important role in maintaining trust after the merchant has been approved. A merchant that was low risk at onboarding may become higher risk later due to changes in ownership, business activity, transaction behavior, sanctions exposure, adverse media, or other risk signals.

Re-KYC is often referred to as a KYC refresh, especially when customer or merchant information is reviewed at defined intervals or updated in response to risk triggers. While the terminology may vary, the implication is the same: failing to keep customer data current creates blind spots that can lead to missed risk signals and regulatory gaps.

In practice, Re-KYC extends core KYC obligations into the operational lifecycle of merchants, where existing information is periodically reviewed, updated, and revalidated to reflect changes in ownership, business activity, and overall risk, often supported by additional business verification checks where required.

As outlined in global standards such as the FATF recommendations, financial institutions are expected to keep customer information up to date and apply ongoing scrutiny based on risk. Failure to do so can result in significant penalties and reputational damage.

Re-KYC is therefore not just a periodic update, but an ongoing process that helps financial institutions keep customer information accurate, complete, and aligned with current risk throughout the relationship.

Why is Re-KYC required for financial institutions?

Re-KYC is required because customer and merchant risk does not remain static after onboarding. Information that was accurate at the start of a relationship can become outdated as ownership structures, trading activity, transaction behavior, geographies, products, and risk indicators change. Without structured review mechanisms, these gaps can introduce exposure that remains invisible until it becomes a compliance issue, a fraud event, or a regulatory finding.

For example, a merchant may onboard with a clear ownership structure, predictable transaction volumes, and a defined business model. Over time, that same merchant may expand into new markets, change beneficial ownership, introduce new products, or show transaction patterns that no longer match the original risk profile. Without effective Re-KYC, those changes may not be reviewed until the next scheduled refresh.

This challenge is amplified by the global nature of modern financial systems. As highlighted by US Bank, the expansion of global trade, travel, and financial networks has made financial crime increasingly transnational, allowing risk to move across jurisdictions with greater speed and complexity. In this environment, institutions need a current understanding of customer behavior to identify activity that falls outside expected patterns, particularly in the context of money laundering and terrorist financing.

This growing complexity is reflected in regulatory expectations across different jurisdictions. UK government KYC guidance emphasizes the need to verify identity, understand ownership and control structures, and apply enhanced due diligence where risk is higher. It also highlights the importance of identifying beneficial owners, validating individuals with significant control, and assessing the source of wealth and funds, all of which must remain accurate over time.

In parallel, periodic KYC update requirements outlined by institutions such as RBI take this further by requiring customer information to be refreshed at defined intervals based on risk classification, with higher-risk customers subject to more frequent updates. Together, these requirements point to a clear conclusion: maintaining an accurate and current understanding of customers is not a one-time obligation, but an ongoing responsibility.

To meet this expectation, institutions must move beyond static processes and build the capability to continuously reassess customer information as it evolves. In practice, this means they must be able to:

  • Detect when customer information is no longer reliable
  • Identify changes in ownership, control, or transaction behavior
  • Reassess customer risk using current and verifiable data
  • Maintain complete and audit-ready documentation

Without this capability, organizations operate with delayed visibility. By the time issues surface, exposure has often already occurred, whether through regulatory breaches, financial loss, or reputational damage.

As these gaps widen, many institutions are beginning to explore continuous monitoring approaches such as perpetual KYC to improve visibility and responsiveness to changing risk.

Re-KYC vs perpetual KYC: what’s the difference?

Re-KYC and perpetual KYC both aim to help financial institutions keep customer information accurate and aligned with current risk. The key difference lies in how and when that information is updated. Re-KYC typically relies on periodic reviews and defined triggers, while perpetual KYC uses continuous monitoring, event-based signals, and automation to update risk views more dynamically.

While both approaches serve the same objective, the way they are operationalized creates a significant difference in how effectively risk can be identified and managed over time.

How traditional Re-KYC operates

In practice, Re-KYC is primarily structured around periodic review cycles. Customer information is revisited at predefined intervals, often determined by risk classification, with higher-risk profiles reviewed more frequently than lower-risk ones.

This means that updates are largely driven by time rather than continuous changes in customer behavior. During these scheduled reviews, institutions refresh documentation, verify key details, and reassess risk based on the information available at that point in time.

Event-based and risk-based triggers may also be used, but in many traditional Re-KYC models, the core mechanism remains time-based. This means important changes may only be reviewed when a scheduled refresh takes place, unless a specific trigger is detected earlier.

Limitations of periodic Re-KYC models

Periodic review cycles create a simple problem: risk does not wait for the next refresh date. Ownership changes, shifts in transaction behavior, new adverse media, or changes in business activity can emerge at any point between review cycles.

In high-volume merchant environments, this can leave compliance and risk teams working from outdated information.

This leads to:

  • Delayed identification of changes in ownership or control
  • Missed shifts in transaction patterns
  • Risk assessments based on outdated information

Over time, this creates a widening gap between recorded customer data and actual customer activity. The longer the interval between reviews, the greater the risk that critical changes go undetected, reducing the effectiveness of compliance controls.

This gap highlights a key limitation of traditional Re-KYC models: they are necessary for compliance, but insufficient on their own for maintaining timely visibility of risk.

What perpetual KYC changes

Perpetual KYC reduces reliance on fixed review cycles by using continuous monitoring to identify relevant changes in customer data, merchant activity, and risk signals. Instead of relying only on scheduled reviews, institutions can use event-based signals to prompt targeted updates, reviews, or escalations when risk changes.

This approach focuses on:

  • Ongoing monitoring of customer profiles
  • Earlier identification of anomalies and risk signals
  • Targeted updates, reviews, or escalations when risk changes

Perpetual KYC helps institutions maintain a more current view of customer risk while reducing reliance on periodic refresh cycles. Rather than replacing Re-KYC, perpetual KYC represents an evolution in how ongoing due diligence is performed, shifting from reactive updates to more continuous risk visibility.

Trigger-based vs continuous compliance models

At a structural level, the difference between the two models is clear.

  • Re-KYC operates primarily through scheduled reviews, with event-based and risk-based triggers acting as secondary controls
  • Perpetual KYC operates through continuous monitoring, where updates, reviews, or escalations are driven by event-based risk signals

Trigger-based models depend on predefined conditions before action is taken. Continuous models reduce this dependency by maintaining ongoing visibility across the customer lifecycle.

This distinction is critical, as it defines whether institutions are reacting to risk after it emerges or identifying it as it develops.

Why the shift is happening

The shift toward perpetual KYC reflects growing pressure on traditional Re-KYC models. As financial systems become more interconnected and customer behavior becomes more dynamic, the limitations of periodic review cycles become more difficult to manage.

Institutions are expected to identify changes earlier, respond faster, and maintain accurate customer records at all times. This is difficult to achieve when updates are tied primarily to scheduled reviews.

As a result, many organizations are moving toward models that combine scheduled reviews, event-based triggers, continuous monitoring, and automation. This gives compliance and risk teams a more current view of customer or merchant risk, without relying only on static refresh cycles.

Re-KYC remains a foundational component of compliance frameworks. However, its reliance on periodic reviews creates limitations.

The challenge is no longer whether Re-KYC is required, but how it must evolve to close the gaps created by time-based review cycles.

In practice, this means integrating continuous monitoring principles into Re-KYC processes, transforming them from periodic reviews into more dynamic, risk-driven workflows.

What should an effective Re-KYC process include?

To close these gaps, Re-KYC is most effective when it is connected to the end-to-end onboarding and compliance lifecycle, where customer and merchant data can flow across collection, validation, verification, screening, monitoring, risk scoring, decisioning, and audit.

When onboarding and Re-KYC operate in isolation, gaps begin to appear. Data collected at the start of the relationship becomes disconnected from ongoing monitoring and risk assessment, creating delays in identifying changes and increasing exposure over time.

The following checklist outlines the core capabilities required to operationalize Re-KYC as part of an integrated, end-to-end onboarding and compliance framework.

Dynamic data collection tailored to entity, geography, and risk

Effective Re-KYC begins with how data is captured. Static forms create friction and fail to collect the right information across different entity types, jurisdictions, and risk profiles. To address this, financial institutions should embed the following capabilities:

  • Smart, dynamic forms adjust required fields based on merchant type, entity structure, geography, product, risk profile, and regulatory requirements
  • Data collection is structured to capture both KYB and KYC information relevant to downstream verification, screening, and risk assessment
  • Information is standardized at the point of entry to support validation and risk assessment

This creates complete, structured onboarding data that can be reused and updated throughout the customer lifecycle. This structured data then flows directly into validation and verification processes, forming the foundation for downstream risk assessment.

Faster data validation, extraction, and enrichment

Once data is collected, it should be processed quickly so teams can assess its accuracy, completeness, and usability. Here’s how it should operate:

  • Data is captured through forms and supporting documents during KYB and KYC processes
  • Key information is extracted from documents, including identity, registration, and ownership details
  • Extracted data is validated against trusted registries, databases, and third-party data sources
  • Missing, incomplete, or inconsistent information is flagged early so teams can resolve issues before they affect risk decisions

This creates a clean, structured data foundation that supports accurate Re-KYC. It establishes a reliable baseline against which all future changes can be detected.

This validated data becomes the input for both verification workflows and risk scoring, helping downstream processes operate on consistent and reliable information.

Dynamic risk scoring and automated decisioning

Risk assessment should be able to update as new information emerges, helping teams make faster, more consistent, and more defensible decisions across the customer or merchant lifecycle.

  • Risk scores and customer risk profiling are assigned at onboarding and updated as new risk signals emerge
  • Transaction activity, screening results, and external signals feed into risk models
  • Risk decisions are recalibrated based on new information, rules, and review outcomes

Automation can accelerate risk assessment by surfacing changes, applying rules consistently, and routing cases to the right workflow. However, trusted Re-KYC decisions still depend on governed processes, clear escalation paths, human oversight where required, and a complete audit trail.

As new data flows in from validation and verification processes, risk scoring enables a more streamlined Re-KYC approach, where requirements are automatically applied based on customer or merchant risk, profile, and activity.

This allows institutions to dynamically determine which entities require full Re-KYC, partial updates, or no action at all, rather than applying the same reviews across all customers.

Continuous monitoring and event-driven updates

Monitoring connects onboarding to Re-KYC by detecting changes as they emerge across both internal activity and external data sources.

Here’s how this is applied in practice:

  • Transaction activity and behavioral patterns are monitored continuously
  • Event-based triggers capture changes in ownership, business activity, screening results, or other risk signals as they emerge
  • Screening updates detect changes across global watchlists and data sources, including PEP status, sanctions exposure, and adverse media
  • Customer or merchant risk profiles are updated dynamically as new information becomes available

This helps institutions trigger Re-KYC actions based on relevant risk signals, scheduled review cycles, or both, as part of ongoing customer due diligence (OCDD).

By monitoring both internal activity and external data sources, institutions can initiate Re-KYC processes at the right time, aligned with OCDD and actual changes rather than scheduled reviews.

Unified data and workflow orchestration across the lifecycle

Re-KYC becomes effective only when all processes operate within a single, connected system:

  • Customer data is centralized across onboarding, verification, monitoring, and decisioning
  • Workflows are orchestrated to support consistency and traceability
  • Updates in one part of the lifecycle are reflected across all systems

In regulated payments, fintech, and financial services, these capabilities are increasingly delivered through end-to-end merchant onboarding and compliance platforms that unify onboarding, KYB, KYC, AML screening, ongoing customer due diligence (OCDD), workflow orchestration, and reporting into one system. OnBoard by MVSI supports this level of integration, helping organizations manage Re-KYC as a connected, risk-based workflow rather than a disconnected periodic task.

This helps every stage of the Re-KYC process operate on the same data foundation, reducing fragmentation and supporting consistent decisioning across the lifecycle.

For providers operating across multiple brands, regions, products, ISOs, agents, or partner channels, the same Re-KYC controls need to apply consistently across every merchant relationship. White label capabilities can support consistent branded experiences across those environments while keeping KYB, AML screening, OCDD workflows, approvals, risk controls, audit trails, and reporting centrally governed.

By connecting data collection, validation, monitoring, and decisioning into a single system, institutions can maintain continuous visibility across the entire customer lifecycle.

Re-KYC is becoming a trust function, not just a refresh process

Re-KYC is no longer most effective when treated as a purely periodic refresh. As customer data, ownership structures, business activity, and transaction behavior change, financial institutions need a more connected way to keep risk profiles current and decisions defensible.

For payment providers, acquirers, PayFacs, fintechs, and regulated financial services businesses, this is not only an efficiency challenge. It is about maintaining trust, control, and confidence across every customer or merchant relationship. Teams need to know that the information behind every decision is accurate, current, auditable, and aligned with risk.

Modern Re-KYC depends on connected data, risk-based workflows, ongoing monitoring, automation, and oversight. Automation can accelerate checks and surface risk signals, but trust requires governed workflows, clear accountability, defensible decisions, and complete audit trails.

Without this shift, Re-KYC will remain reactive. With connected data, governed workflows, automation, and oversight in place, organizations can maintain a trusted view of customer and merchant risk, support regulator-ready decisions, and grow with greater confidence.

Note: This content is provided for general informational purposes only and does not constitute legal or regulatory advice. Re-KYC and AML requirements may vary by jurisdiction and organization.

Frequently Asked Questions

What is Re-KYC?

Re-KYC, also known as KYC refresh, is the process of reviewing, updating, and revalidating customer or merchant due diligence information after onboarding. It helps financial institutions keep customer information, ownership details, risk profiles, and compliance records accurate over time.

Why is Re-KYC important for financial institutions?

Re-KYC is important because customer and merchant risk profiles change after onboarding. Ownership structures, transaction behavior, business activity, sanctions exposure, PEP status, and adverse media risk may all change over time. Without effective Re-KYC, financial institutions may rely on outdated information and miss important risk signals.

How often should Re-KYC be performed?

Re-KYC frequency depends on jurisdiction, regulatory requirements, customer risk classification, and the institution’s own risk-based policies. Higher-risk customers or merchants are typically reviewed more frequently, while lower-risk profiles may be reviewed at longer intervals or when specific risk triggers occur.

What triggers a Re-KYC review?

A Re-KYC review may be triggered by scheduled review cycles, changes in beneficial ownership or control, changes in business activity, unusual transaction behavior, new sanctions or PEP exposure, adverse media, missing or expired documents, or changes in customer risk classification.

How does automation support Re-KYC?

Automation supports Re-KYC by helping institutions collect data, validate information, screen customers or merchants, update risk scores, trigger workflows, and maintain audit trails more efficiently. Automation can accelerate checks and surface risk signals, but trusted Re-KYC decisions still require governance, oversight, and compliance accountability.

How does Re-KYC apply to merchant onboarding?

In merchant onboarding, Re-KYC helps payment providers, acquirers, PayFacs, and fintechs keep merchant information accurate after approval. This includes reviewing changes in ownership, business activity, transaction behavior, risk profile, sanctions exposure, PEP status, and adverse media signals across the merchant lifecycle.

What is the difference between Re-KYC and perpetual KYC?

Re-KYC is the process of periodically reviewing and refreshing customer or merchant due diligence information after onboarding. Perpetual KYC is an operating model that uses continuous monitoring, event-based triggers, and automation to make those reviews more timely, targeted, and risk-based.
