AML compliance does not end when a client is onboarded. Ongoing monitoring is a legal requirement throughout the life of a matter, and one the SRA has identified as among the most effective controls a firm can put in place.
Here is what it involves, when it applies, and how to make it work in practice.
Why is ongoing monitoring not a one-off AML exercise?
There is a common misconception that AML due diligence is something completed at the start of a matter and then set aside. The law does not work that way. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 require firms to monitor client relationships on an ongoing basis, reviewing transactions, updating client information, and reassessing risk as circumstances change.
The SRA has been explicit on this point. In its most recent supervisory findings, it identified ongoing monitoring as one of the most effective controls firms can put in place to protect against money laundering, and one that is still not applied consistently across the sector.
What does ongoing monitoring involve in practice?
Ongoing monitoring has two core components.
- The first is transaction scrutiny. Firms need to check that the transactions being carried out are consistent with what they know about the client, their business, and their risk profile. Where a transaction appears unusual in that context, the inconsistency itself is a signal that requires further attention.
- The second is keeping client information up to date. Customer due diligence is not static. If a client’s circumstances change, whether through a change of name, a new business relationship, or a shift in the source of funds, the firm’s records should reflect that. Outdated information undermines the purpose of the due diligence process.
When does ongoing monitoring apply to a matter?
Ongoing monitoring applies throughout the life of any business relationship, not only to higher-risk matters. All clients should be subject to monitoring, but the depth and frequency should be proportionate to the level of risk.
For lower-risk residential transactions, this may involve confirming that nothing material has changed and that the transaction is progressing as expected. For higher-risk matters, such as those involving PEPs, complex ownership structures, overseas funds, or more complex source of funds scenarios, monitoring should be more active and frequent.
Certain trigger events should always prompt a fresh review. These include a change of name or address, the introduction of new parties, a sudden change in source of funds, or a client becoming reluctant to provide information that was previously available. In these situations, the risk assessment should be revisited and due diligence updated where necessary.
What are the SRA’s findings on ongoing monitoring?
The SRA’s 2024–25 supervisory report found that ongoing monitoring remains one of the more commonly neglected aspects of AML compliance. In many firms, it is simply not built into the workflow. There is no mechanism to revisit a file once initial checks have been completed, and no prompt to reassess risk if circumstances change.
The practical challenge is that ongoing monitoring requires more than awareness. Without a defined process, whether through file reviews, case management reminders, or structured checkpoints, it is unlikely to be applied consistently across matters.
How can technology support ongoing AML monitoring?
Manual monitoring processes are inherently inconsistent. Whether a fee-earner revisits a file to check for changes often depends on individual diligence, which varies.
Digital AML systems can help address this by embedding monitoring into the process. They can automate ongoing checks, such as re-screening clients against sanctions and PEP databases, flagging changes in status, and prompting reviews at set intervals or when risk indicators are detected.
OneSearch AML provides ongoing monitoring of AML and KYC data over a 12-month period, automatically tracking changes to customer profiles and alerting the firm when action may be required.
Ongoing monitoring is best understood not as an additional task, but as a continuous part of managing risk throughout a matter. It requires firms to stay engaged with both the client and the transaction, ensuring that what is happening remains consistent with what is known. The level of scrutiny should always reflect the level of risk, increasing where complexity or uncertainty is present.
Where firms struggle is not in recognising the requirement, but in embedding it into day-to-day workflows. The SRA’s position is clear: monitoring should be active, proportionate, and capable of influencing decisions as a matter progresses, rather than being treated as something completed at the outset and left unchanged.
