Ongoing Monitoring

Not a One-Time Exercise

CDD is not completed at onboarding and then forgotten. The MLR 2017 and FATF Recommendation 10 require ongoing monitoring throughout the entire business relationship. This is a continuous obligation — not a periodic box-ticking exercise.

Ongoing monitoring serves two purposes:

Transaction monitoring: Ensuring that transactions are consistent with the firm's knowledge of the customer, their business profile, and risk profile.
CDD refresh: Keeping customer information up to date and ensuring that the CDD held remains adequate and relevant.

Transaction Monitoring

Transaction monitoring systems look for patterns and anomalies that may indicate money laundering (ComplyCube):

What is Monitored

Transaction volumes vs expected patterns

Values vs known income or turnover

Geographic patterns and high-risk countries

Counterparty analysis

Speed and frequency of transactions

Cash deposits vs stated business type

Round-figure transactions

Transactions near reporting thresholds

Alert Triggers

Transactions significantly above or below the customer's profile baseline
Transactions with sanctioned individuals, entities, or jurisdictions
Multiple transactions just below reporting thresholds (structuring indicator)
Sudden dormancy followed by high-volume activity
Payments to or from shell companies or anonymous sources

Profile Updates

Customer profiles must be updated when (iDenfy):

The customer's circumstances change (new directors, change of address, new business activities)
The customer's risk rating changes
Periodic review cycles are reached (low risk: every 3–5 years; medium: every 1–2 years; high: every 6–12 months)
New products or services are requested
Adverse media or regulatory alerts are received

Event-Driven Reviews

Certain events should trigger an immediate, out-of-cycle review rather than waiting for the next periodic review (Flagright analysis):

Law enforcement information or enquiries about the customer
Adverse media (negative press, criminal allegations)
SAR filed by the firm or another institution about the customer
Material change in transaction patterns
Customer requesting unusual products or services
Sanctions list updates affecting the customer or their associates
Change of beneficial ownership or control
Customer operating in a newly high-risk sector or jurisdiction

Dashboard showing red flag alerts and monitoring indicators

Case Study: The Stunt & Co Monitoring Failure

The FCA's Final Notice against Barclays in the Stunt & Co case provides a textbook example of ongoing monitoring failure.

GBP 46.8M

from a convicted launderer

5 Years

without a proper review

GBP 39.3M

fine for breaching Principles 2 & 3

Timeline of Failures

Onboarding

Barclays opened the Stunt & Co account without gathering sufficient information about the business, its expected transaction patterns, or its connections.

During the Relationship

Stunt & Co received GBP 46.8 million from Fowler Oldfield — a gold dealer later convicted of money laundering — in just over one year. This volume from a single counterparty should have triggered immediate scrutiny.

Law Enforcement Warnings

Police provided information to Barclays about Fowler Oldfield. Police also raided Fowler Oldfield's premises. Despite these clear red flags, Barclays did not initiate a proper review.

Five-Year Delay

It took Barclays five years from the initial red flags to conduct a proper review of the Stunt & Co relationship.

Consequences

GBP 39.3 million fine for breaching FCA Principles 2 and 3 — failure to exercise due skill, care, and diligence, and failure to organise affairs with adequate risk management (FCA Press Release).

What Should Have Happened

According to Flagright's analysis: Dynamic risk assessment — immediate reassessment when police made contact. Automated monitoring triggers for single-counterparty volume. Event-driven reviews on law enforcement contact. Clear escalation protocols to senior compliance. Swift action within defined timescales.

Scenario 1 of 3

The Quiet Account

A retail customer opened a savings account three years ago. Their expected profile was: monthly salary deposit of GBP 3,500, small debit card transactions. Over the past two months, the account has received six cash deposits of GBP 8,000 each from different branches. The relationship manager noticed but assumed the customer had started a new side business. No further action was taken.

Scenario 2 of 3

The Delayed Review

A corporate client has been flagged for a periodic EDD review (due every 12 months). The review was due in March 2025. The compliance team is busy with a system migration and postpones the review to "later this quarter." In June, they still have not completed it. In August, a newspaper article alleges the client's CEO is under investigation for fraud. The compliance team begins the review in September.

Scenario 3 of 3

The Trusted Client

A long-standing private banking client (15-year relationship) is classified as medium risk. Police contact the bank requesting information about the client in connection with a tax evasion investigation. The relationship manager notes the police enquiry in the file and mentions it to the client during their next meeting, explaining that "the bank had to provide some information but it is nothing to worry about." The client closes their account the following week.

0 of 3 errors identified

All 3 errors identified — Lesson 3 complete! Proceed to Lesson 4.

Previous: EDD & PEPs Next: Lesson 4 — Recognising Red Flags