EU AMLR Article 26: what ongoing monitoring means in practice

EU AMLR Article 26 focuses on ongoing monitoring of business relationships and transactions. For obliged entities, the operational message is clear: onboarding is not enough. We need systems that keep customer information, risk understanding, and monitoring actions current throughout the relationship.

Regulation (EU) 2024/1624 is available on EUR-Lex. This article is general information and not legal advice.

What Article 26 changes operationally

Ongoing monitoring requires firms to keep watching the relationship after approval. That includes reviewing transactions and activity, keeping customer due diligence information up to date, and responding when risk changes.

The practical challenge is that many firms still treat KYC as a periodic file refresh. Article 26 pushes teams toward a more continuous model:

• Onboarding evidence should feed monitoring.
• Risk ratings should change when new facts appear.
• Ownership changes should trigger review.
• Screening results should route to case review.
• Periodic refresh should be risk-based.
• Review evidence should stay attached to the customer file.

From annual review to perpetual KYC

Perpetual KYC does not mean every customer is constantly re-onboarded. It means the firm maintains a living customer record. Triggered events, periodic schedules, monitoring alerts, and evidence refreshes should update the same file rather than creating disconnected tasks.

Examples of useful triggers include:

1. Ownership or control change.
2. New high-risk jurisdiction exposure.
3. Sanctions, PEP, or adverse media match.
4. Product or service change.
5. Unusual activity.
6. Expired document or evidence.
7. Risk model threshold change.

Controls needed for Article 26 ongoing monitoring

Article 26 readiness should be treated as a workflow design question. We need controls that keep customer knowledge current and make monitoring decisions visible. A static calendar reminder is not enough if the customer record, risk rating, screening result, and reviewer decision remain disconnected.

Control | Practical implementation

Risk-based review cadence | High-risk clients receive more frequent review than low-risk clients.

Event-driven refresh | Ownership changes, new services, expired evidence, or adverse information trigger targeted review.

Screening review | Possible sanctions, PEP, or adverse media matches move into documented case review.

CDD update workflow | The firm refreshes only the information that changed rather than re-onboarding everything.

Risk model recalculation | New facts can change the risk rating and require EDD or senior approval.

Audit trail | Every refresh, decision, override, and reviewer action remains attached to the customer file.

This operating model supports the broader EU shift toward consistent AML controls. It also helps firms show that monitoring is active and risk-based rather than a passive file review.

What firms should assess now

Obliged entities should review how customer data currently moves through the organisation. We should ask whether onboarding evidence feeds monitoring, whether ownership changes are captured, whether screening matches are routed, and whether reviewer decisions are retained in a single customer record.

Useful readiness questions include:

• Can we identify all customers due for review by risk level?
• Can we see which files have expired documents or outdated ownership information?
• Can we trigger review when a service, jurisdiction, beneficial owner, or risk factor changes?
• Can we show why a high-risk customer remained approved?
• Can we distinguish a refreshed evidence item from the original onboarding evidence?
• Can we export a complete history of CDD, EDD, screening review, and approvals?

If the answer is no, the firm may need to strengthen workflow and record keeping before Article 26 expectations are tested in practice.

Perpetual KYC without overwhelming clients

Perpetual KYC should not mean asking customers to repeat the entire onboarding journey every few months. The better model is targeted refresh. If a document expires, request that document. If a beneficial owner changes, refresh ownership and risk. If a screening result appears, route the match to review. If the client starts using a new service, update the risk context.

This approach reduces friction and improves evidence quality. Clients are more likely to respond when requests are specific, relevant, and explained. Compliance teams also avoid reviewing information that has not changed.

How Veraxa supports EU AMLR readiness

Veraxa connects onboarding, risk rating, workflow review, and perpetual monitoring. Approved clients move from initial intake into ongoing workflows with review cadence, triggers, and evidence history attached.

For related pages, see EU perpetual KYC software, the EU jurisdiction page, and Perpetual KYC Monitoring.

Frequently asked questions

What is EU AMLR Article 26?

EU AMLR Article 26 concerns ongoing monitoring of business relationships and customer transactions under Regulation (EU) 2024/1624.

What is ongoing monitoring in AML?

Ongoing monitoring means continuing to understand the customer relationship after onboarding, including reviewing activity, updating information, reassessing risk, and responding to unusual behaviour or changed facts.

What is perpetual KYC?

Perpetual KYC is an operating model where customer information is refreshed through risk-based triggers and review workflows instead of relying only on static periodic review cycles.