AI-Enabled Ongoing Due Diligence and Monitoring

Ongoing due diligence is the part of the program most likely to slip. Onboarding gets attention because it is the start of the relationship. Periodic review is calendar driven, easy to defer, and easy to do superficially. AI changes the economics. It makes ongoing due diligence a real-time discipline rather than an annual exercise, surfaces material changes in customer behavior and documentation, and produces the audit trail examiners look for in continuous monitoring reviews.
Artificial Intelligence (AI)

Why Ongoing Due Diligence Is the Weak Point

Most institutions do onboarding well. The team that opens accounts is trained, the documentation is fresh, and the controls are at full attention.

A year later, the customer has changed. Their business has grown, contracted, or pivoted. Their ownership has shifted. Their cash flow patterns no longer match the profile that justified the risk rating. Their address, principals, or industry classification may have changed.

The institution's documented understanding of the customer has not changed. It is a year old, and it lives in a file that is read once a year if at all. The drift between the documented understanding and the actual customer is where ongoing due diligence problems live.

The Three Things Ongoing Due Diligence Has to Do

A program that works does three things continuously.

1. Compare what the institution knows to what the customer is actually doing. This is the heart of customer due diligence under the FinCEN CDD Final Rule: the institution's documented understanding of the customer's expected activity should be reconciled against the customer's actual activity. Where they diverge materially, the institution should ask why. Unresolved, unexplained divergence is also the raw material of suspicious activity reporting obligations under 31 CFR 1020.320.

2. Refresh the customer file at the cadence the risk demands. Higher-risk customers should be reviewed more frequently than lower-risk customers. The review should be substantive: updated documentation, reconciliation, and reviewer decision. Calendar-only reviews where the file is opened and closed without analysis are findings waiting to happen.

3. Detect material changes in real time. Beneficial ownership changes under 31 CFR 1010.230. Sanctions and adverse media findings appear. Industry classification updates. Address changes. A program that catches these in real time is structurally stronger than one that waits for the annual review.

What AI Adds to Ongoing Due Diligence

AI does not replace ongoing due diligence. It changes the operating model from periodic and manual to continuous and structured.

Variance detection: Configured agent personas continuously compare the customer's transactional activity to the documented expected profile. Material variances are surfaced as structured signals tied to the underlying transactions and the relevant profile elements.

Refresh acceleration: At periodic review time, the AI ingests updated documentation, reconciles it against the prior file, and produces a structured variance report. Reviewers spend their time on what changed, not on what stayed the same.

Threshold monitoring: Configured thresholds (cash activity, foreign wire activity, deposit concentration, etc.) are monitored continuously. The thresholds themselves are part of the institution's policy and are version controlled.

Adverse media and sanctions screening: Periodic screening of customers, beneficial owners, and controlling parties is automated against approved data sources, including OFAC sanctions lists. Potential matches are surfaced for reviewer disposition with the screening evidence preserved.

Risk-rating refresh: When new evidence materially changes the customer profile, the agent persona surfaces a recommended risk-rating refresh with the supporting evidence. The reviewer makes the final risk-rating decision.

Because monitoring systems are models in the supervisory sense, institutions should also apply SR 21-8 (Interagency Statement on Model Risk Management for BSA/AML Systems) and the model risk management principles of SR 11-7 to the configured logic. The agencies issued revised, principles-based interagency model risk management guidance in April 2026, published as SR 26-2, which carries these expectations forward for AI-enabled monitoring.

Designing the Cadence

The cadence of ongoing due diligence is a policy decision, not a technology decision. Most institutions adopt a tiered model:

  • Low-risk customers: Three- to five-year periodic review with continuous monitoring for material changes.
  • Moderate-risk customers: Two- to three-year periodic review with continuous monitoring.
  • Higher-risk customers (MSBs, marijuana-related businesses, money transmitters, foreign relationships, complex ownership): Annual or more frequent periodic review with intensified monitoring.

The configuration enforces the cadence. Reviewers receive the case at the right time, with the variance report already produced.

The Documentation Standard

Ongoing due diligence documentation should support an examiner answering three questions about any customer relationship, consistent with the review procedures in the FFIEC BSA/AML Examination Manual: When was the last substantive review and what was the outcome? What changed materially since the last review? What action did the institution take in response?

The artifacts produced by an AI-enabled program answer these directly: the periodic review report, the variance log, the reviewer disposition, and the updated risk rating.

Common Pitfalls

Treating monitoring as exclusively transactional. Transaction monitoring is necessary but not sufficient. Beneficial ownership changes, control person changes, and material business changes also matter.

Defaulting to "no change" without analysis. Periodic reviews that conclude "no material change" without showing the work are an audit finding waiting to happen. The structured variance report is the work.

Ignoring negative news and sanctions outside transaction monitoring. Adverse media and sanctions screening are separate disciplines from transaction monitoring. Both have to operate continuously.

Letting periodic review slip on higher-risk customers. The customers with the most attention at onboarding need the most attention on review. A configured cadence and a structured review process protects against drift.

The Privacy and Fair Lending Layer

Ongoing due diligence touches sensitive data continuously. The Privacy-First posture applied at onboarding has to apply on review as well: PII redaction before AI analysis, identity-signal minimization, no training on customer data. The fair lending posture also continues: evidence-grounded outputs, no unsupported inference, explainable rationale tied to documentation.

These are not new controls for ongoing due diligence. They are the same controls applied consistently across the customer lifecycle.

How StandardC AI Approaches This

StandardC AI's MonitorC module is purpose built for ongoing due diligence and periodic review. Configured agent personas continuously compare customer activity to the documented expected profile and surface material variances as structured signals tied to transactions and profile elements. At periodic review time, the system ingests updated documentation, reconciles it against the prior file, and produces a structured variance summary that highlights what changed materially. Reviewers focus their time on the variances. Audit trails preserve every analysis, every reviewer disposition, and every risk-rating refresh, with the same Privacy-First architecture applied as at onboarding.

Frequently Asked Questions

How does this work with our existing transaction monitoring system?

StandardC AI is the intelligence layer. It complements rather than replaces transaction monitoring systems. The intelligence layer focuses on profile-to-activity reconciliation, documentation refresh, and material-change surfacing.

What about negative news and sanctions hits between periodic reviews?

Configured screening cadences cover this. Potential matches are surfaced for reviewer disposition with the screening evidence preserved as part of the case file.

Can reviewers override the variance signals?

Yes. Reviewers retain authority. Overrides are preserved in the audit trail with documented rationale.

How is the cadence configured for different risk tiers?

Through agent persona configuration in StandardC AI Studio, mapped to the institution's policy.

Authoritative Sources