The three types of ongoing monitoring: Which is right for your firm?
AML Services Manager
How frequent should ongoing monitoring be? Unfortunately, there is no black and white answer.
The Legal Sector Affinity Group (LSAG) guidance describes it as ‘regular review and renewal of client due diligence’. This is somewhat subjective and open to interpretation, and often in legal practice we don’t like to leave things open ended. As a result, many firms opt for a timed review often attached to risk categorisation - commonly known as a periodic review. This is based on the idea that higher risk clients require a high frequency of monitoring.
But is periodic review the only option? What risks does a periodic review hold?
Ongoing monitoring should be considered under three defined headers in order to successfully mitigate risk:
- Perpetual monitoring: Continuous, uninterrupted.
- Trigger monitoring: Linked to changes and alerts.
- Periodic monitoring: Refreshing the data at set intervals in the relationship.
The concept of perpetual monitoring is newer than others and has been led very much by the world we are facing and technology advances that aid us.
How achievable is perpetual monitoring?
On the face of it, perpetual monitoring might seem unachievable. But the good news is that you don’t need to do this all alone. The leading digital solutions out there today can support you with this process, achieving uninterrupted monitoring in the background.
It is important to recognise which parts of the monitoring process can be outsourced and which will require internal resources. The most common outsourced monitoring currently is PEP and sanctions screening. However, there are others available such as adverse media and company changes.
Perpetual monitoring is about always remaining alert and mindful of risk and the due diligence held. Using digital tools to support automation can ensure that you maintain consistent, uninterrupted control by looking at data sources all of the time – moving away from set review periods. To some extent, it also involves moving away from attaching the review to the risk rating categorisation. Instead, adopt a process that is driven by material changes that raise red flags and trigger reviews.
What is the risk with solely implementing a periodic monitoring process?
Traditionally, ongoing monitoring has been rigid, with hard timelines for ongoing reviews.
The risks are self-evident; if we wait a set period of time in between reviewing the client due diligence and matter risk assessment, what do we miss? How would we become aware that action is required? By the time the review date comes around, it could be too late.
Despite the frequency and volume of changing risk profiles, many firms are still relying on this approach of monitoring their clients. When considering the risks, there are a couple of very current examples that demonstrate why a periodic approach might not work in practice.
- The COVID 19 global pandemic.
- The war in Ukraine.
Changes have been occurring at unparalleled speed. The risk is self-evident of not having a process in place that continuously monitors for these risks.
Closing the periodic review gap
From experience, firms continually review the risk their clients pose every six to 36 months depending on their appetite or approach to risk. However, with rapid changes, firms need to be proactive in implementing monitoring solutions that fill the gap that a periodic review leaves.
A periodic approach often results in information being overlooked for a period of time. This carries a real increased risk exposure and a significant risk of reputational damage due to the lapse in time between a change and action.
As long your firm is compliant, how you choose to conduct ongoing monitoring is up to you.
In a nutshell, firms chose different ways to execute their monitoring processes. Each company will have its own appetite for risk and the gambles they are willing to take or not to take. It is about making an informed decision and documenting this decision within your practice-wide risk assessment.
However, risk factors change all the time, not according to set timescales. A timed review does not consider the fast pace at which things potentially can change in company structures or in people's lives. You cannot afford to let risk factors go unreviewed or unknown until they fitter through the timed review. By then the horse has bolted and you may have missed the opportunity to take timely action.
Interested to find out how digital ongoing monitoring can automate your CDD compliance? Let’s start a conversation.
Subscribe to our newsletter
Subscribe to our monthly newsletter for recaps and recordings of our webinars, invitations for upcoming events and curated industry news. We’ll also send our guide to Digital ID Verification as a welcome gift.