Ongoing monitoring in business verification: the gap you can no longer ignore

Loona Järvloo

Most compliance teams do a thorough job of onboarding. Documents collected, ownership structure mapped, risk score assigned, case approved. And then, in many firms, the relationship goes quiet until the next scheduled review.

The problem is that the businesses you onboard do not stand still. Ownership structures change. UBOs acquire new PEP exposure. Sanctions hit entities two layers up the corporate chain. Directors are replaced. Financial profiles shift. None of these events arrive with a notification, and none of them wait for your next periodic review cycle.

Ongoing monitoring is the part of business verification that most firms find hardest to operationalise well. Onboarding has a clear start and end point. Monitoring does not. It is continuous, it cuts across multiple systems, and the operational overhead compounds as the customer base grows.

The real gap is not onboarding. It is what happens after

The compliance teams we speak to describe a consistent picture. Their onboarding flows are increasingly automated. Document collection, registry checks, AML screening, risk scoring: much of this has been structured into repeatable workflows. But the ongoing monitoring layer is often held together by manual effort, calendar reminders, and individual analyst judgment.

When a screening result comes in, does the risk score update automatically? When a corporate shareholder changes, does it trigger a case review without someone having to notice first? When a periodic review is approaching, is the analyst notified, or does it surface only when someone thinks to look?

In practice, the answer to most of these questions is: it depends on who is working that day.

That is not a criticism of compliance teams. It is a structural problem. KYB, AML screening, and risk scoring are often separate systems that do not share data automatically. An alert in one does not propagate to the others. The monitoring framework exists on paper, but the connections between its components are manual.

The systems are there. The connections often are not.

A sanctions alert that sits in one system while the risk score in another remains unchanged is not a monitoring failure in the traditional sense. But it is a gap, and regulators are increasingly looking at gaps between what the framework says should happen and what actually happens in production.

What ongoing monitoring should actually look like

Effective ongoing monitoring in business verification has three components that need to work together.

Continuous AML screening

Not annual. Not at the point of a periodic review. Daily, or as close to it as operationally possible. If a UBO is sanctioned or appears on a PEP list after onboarding, the team should hear about it within hours, not at the next calendar review. The screening result should feed directly into the risk score, not sit in a queue waiting for an analyst to make the connection.

Event-driven registry monitoring

Corporate structures change. Directors are replaced. New shareholders appear. In many jurisdictions, these changes are visible in company registries in close to real time. A monitoring framework that watches for these changes and automatically triggers a review when they occur is categorically different from one that catches them only during periodic re-KYB. The former is proactive. The latter is reactive and, increasingly, not sufficient.

Risk-calibrated periodic reviews

Not every customer needs the same level of attention. A low-risk counterparty with stable ownership and consistent activity warrants a lighter review cadence than a high-risk entity in a higher-scrutiny jurisdiction. The periodic review process should be driven by the risk profile, not a uniform calendar. And when a review is triggered, whether by time or by event, it should produce a documented, auditable outcome.

The integration layer

The connection between these three components is what matters. When a screening hit changes a risk score, that should surface in the case management system and route to the appropriate analyst. When a registry change is detected, that should link to the customer's verification record and, depending on the nature of the change, trigger either an alert or a full review. The monitoring framework needs to be integrated, not a collection of separate checks that happen to run on the same customer.

Why this is getting harder to defer

There are two forces pushing ongoing monitoring up the compliance agenda at the same time.

The volume problem

As regulated firms grow their counterparty base, the manual overhead of monitoring scales with it. A team that could stay on top of periodic reviews for 200 clients cannot run the same process for 2,000 without either adding headcount or changing the operational model. The answer is not more analysts. It is a monitoring infrastructure that scales.

The regulatory signal

AMLA's consultation paper on ongoing monitoring of business relationships, published on 3 June 2026, makes the direction of travel explicit. The draft guidelines under Article 26(5) of the AMLR set out two core obligations: keeping customer information up to date through both periodic and event-driven reviews, and operating a transaction and activity monitoring framework that is continuous, risk-based, and integrated with the customer due diligence process.

The word that matters most in the paper is integrated. AMLA requires that CDD processes, sanctions screening, and the ongoing monitoring framework operate in a coordinated manner, supported by adequate data and information quality. Fragmented systems that require manual effort to connect their outputs are precisely what this language is designed to address.

The consultation closes on 3 September 2026 and final guidelines are expected in Q4. These are not finalised rules yet. But the direction is clear, and the gap analysis needed to comply does not take less time because you start it later.

What AMLA's guidelines actually require

The paper is deliberately principles-based rather than prescriptive. AMLA does not mandate specific tools, frequencies, or technologies. What it does mandate is effectiveness, explainability, and proportionality.

Keeping customer information up to date

The guidelines establish that periodic reviews should be risk-calibrated in their depth and intensity, not uniform. For low-risk customers with no new activity, a lighter review is acceptable. For higher-risk customers, or when a trigger event occurs, the review should be initiated without undue delay. Expired identity documents do not need to be automatically re-collected, but the decision not to re-collect must be documented and risk-justified.

Event-driven reviews

The guidelines set out a non-exhaustive list of triggers: changes in ownership structure, new adverse media, unusual transaction patterns, changes in financial situation, new PEP status. Firms are expected to have mechanisms in place to detect these events and act on them without undue delay.

The scope of transaction and activity monitoring

AMLA explicitly states that monitoring is not limited to transaction monitoring in the narrow sense. It includes activities, behaviours, events, and changes in circumstances throughout the business relationship. Individual transactions that appear low-risk in isolation may form concerning patterns over time. The framework needs to be capable of detecting both.

The technology question

AMLA is neutral on tools but not on outcomes. Where the volume and complexity of activity makes manual monitoring insufficient, automated or semi-automated systems should be considered. Where those systems are used, they must be explainable, governed, and subject to human oversight. A monitoring tool that produces outputs a compliance officer cannot explain to a regulator is not compliant, regardless of how accurate it is.

The gap analysis questions worth asking now

Whether or not AMLA's final guidelines land exactly as drafted, the operational questions they surface are worth working through now.

Five questions for your compliance team

  1. Are your KYB records, AML screening outputs, and risk scores connected, or does linking them require manual effort?
  2. When a screening result changes, does the customer's risk profile update automatically and route the case appropriately?
  3. Do you have event-driven monitoring in place for ownership structure changes, or do you rely on periodic reviews to catch those?
  4. Is your periodic review cadence driven by the customer's risk level, or is it uniform across the book?
  5. Can you produce a documented audit trail for each monitoring decision, including the rationale where automated tools are involved?

For firms with a clear yes to all of these, AMLA's guidelines are a validation of what is already in place. For those with gaps, the consultation period is the time to close them.

The direction of travel

Compliance is moving from periodic to continuous. The expectation that a file is complete when it is approved and revisited only on a schedule is giving way to an expectation that the monitoring framework is always running, always connected, and always capable of surfacing the risk that matters.

The firms that have built that infrastructure because the operational logic demanded it are the ones best positioned for what AMLA is now formalising. For the rest, the window to close the gap is open. Q4 is closer than it looks.

Dotfile is an AI-native business verification platform built for compliance teams that need KYB to be fast, defensible, and ready for anywhere.
