What’s ongoing monitoring of a client?

Ongoing monitoring of a client is a core part of your anti-money laundering (AML) obligations when you have a business relationship under the UK’s Money Laundering Regulations 2017 (as amended) (MLRs).

Unlike initial checks, it’s continuous. It means keeping transactions and customer information under review over time so that you can spot changes that might indicate rising risk or criminal activity.

When you first onboard a client, you gather information to identify them and assess their risk. But that’s only a snapshot of a point in time. People, businesses and circumstances change. Ongoing monitoring builds on that initial due diligence so your picture of the client stays current throughout the relationship.

What ongoing monitoring involves

At its heart, ongoing monitoring has two linked elements

1. Reviewing transactions

You should keep track of customer transactions across the life of the relationship, looking to ensure the activity you see fits with your knowledge of:

• who the customer is;
• their business profile or purpose; and
• the risk they present.

This includes flagging activity that’s unusual in volume, size or destination, and taking a closer look at where funds came from if there’s reason to do so.

2. Keeping records and customer data up to date

You also need to revisit the information you hold on clients, checking that identity, beneficial ownership and risk assessments remain accurate. 

If something has changed (for example, a change in the beneficial owner, business structure or transaction patterns) you should refresh your documentation and update your risk rating.

Together these elements mean you aren’t just compliant at onboarding but remain so throughout the life of the relationship.

When ongoing monitoring applies

Ongoing monitoring only applies when you have a business relationship with a client. In simple terms, a business relationship is one where you expect to deal with the client on an ongoing basis, rather than carrying out a single, one-off piece of work. 

HMRC describes this as a relationship that has an element of duration, even if there isn’t a fixed end date at the outset.

If you’re carrying out an occasional transaction only, and there’s no expectation of further work, the MLRs don’t require ongoing monitoring in the same way. Your AML obligations still apply but they don’t continue once the work is finished.

Where a business relationship does exist, ongoing monitoring continues for as long as that relationship is in place. That means keeping the client under review while you’re acting for them, and stopping only when the relationship has genuinely ended.

Why ongoing monitoring matters

Initial customer due diligence gives you a baseline. But risk isn’t static. Ongoing monitoring helps you:

• ensure your understanding of the customer stays accurate;
• spot and respond to behavioural changes or suspicious patterns; and
• update risk assessments promptly when triggers occur.

For example, if transaction activity suddenly changes in volume or destination, or if you learn that a beneficial owner has changed, you need to reassess whether your previous checks still hold true. 

This ongoing vigilance makes your risk-based approach effective and helps you identify and mitigate potential harms such as money laundering, terrorist financing or proliferation financing.

Taking a risk-based approach

The MLRs require that the extent and frequency of ongoing monitoring reflects the level of risk posed by each client. High-risk clients, such as those with complex ownership or politically exposed persons (PEPs), require more frequent and detailed reviews. Lower-risk clients may need less frequent scrutiny.

A one-size-fits-all annual review doesn’t align with a risk-based approach, because it fails to account for differences in risk profiles or changes in activity. Good monitoring processes should be tailored to the risk indicators you’ve identified in your client base.

How to demonstrate effective monitoring

When regulators or supervisors review your controls, you’ll need to show records that demonstrate you are:

• reviewing transaction activity in line with how you’ve assessed risk;
• updating customer information when triggers occur;
• adjusting risk assessments where appropriate; and
• recording decisions and actions you’ve taken.

Supervisors will look for evidence that you’ve embedded ongoing monitoring in your policies, controls and procedures. The emphasis is on proportionality. The amount and frequency of monitoring should match the risk faced.

Common pitfalls to avoid

Getting ongoing monitoring right isn’t just about ticking a box. Common issues include:

• applying the same monitoring frequency for all clients regardless of risk;
• failing to link unusual transactions back to risk assessments or customer profiles; and
• not updating customer data after significant changes in behaviour or circumstances.

Avoiding these pitfalls helps ensure your ongoing monitoring is both effective and defensible.

Final thoughts

Ongoing monitoring of a client is an essential part of your AML framework. It’s about understanding your clients as they evolve, spotting signs of increased risk and keeping your records accurate and up to date. As a member of staff, any concerns should be raised with the MLRO. This does not have to be a SAR situation but anything that does not seem right.

By tailoring monitoring to risk and keeping documentation robust, you make it easier to meet your obligations under the MLRs 2017 and to demonstrate compliance in the event of a supervisory review.