
How to Implement AI for Customer Due Diligence and Ongoing Monitoring
The Two Halves of Customer Due Diligence
Customer Due Diligence (CDD) has an upfront half (onboarding) and an ongoing half (monitoring and periodic review). The FinCEN CDD Final Rule requires both: understanding the nature and purpose of the customer relationship to develop a risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
Most programs are stronger in the upfront half. Onboarding has a defined workflow and a deadline; monitoring has neither, which is why it slips. AI rebalances the two. When examiners test the ongoing side using the FFIEC BSA/AML Examination Manual, the question is not whether the institution monitors, but whether monitoring is systematic and evidenced.
Step 1. Establish the Documented Expected Activity Profile
The CDD profile is the baseline for everything that follows: expected transaction types; expected transaction volumes and frequencies; expected counterparties; expected geographies; cash and non-cash activity expectations; and cross-border activity expectations.
The profile is captured at onboarding and refreshed at each periodic review, including the beneficial ownership records required under 31 CFR 1010.230.
Step 2. Configure Continuous Comparison
Configured agent personas compare actual activity to the documented profile on a continuous basis: variance against expected transaction volume; new counterparty patterns inconsistent with the profile; unusual cash activity for the customer type; new geographies inconsistent with the documented expectation; and cross-border activity that was not anticipated.
Material variances are surfaced as structured signals tied to specific transactions. A signal that cannot point to the transactions behind it is noise, and noise is what teaches reviewers to stop reading.
Step 3. Define the Response Cadences
Different signal types warrant different responses:
- High-severity variances escalate immediately to the BSA officer, who evaluates whether the activity warrants investigation under the suspicious activity reporting framework of 31 CFR 1020.320.
- Moderate variances are queued for periodic review.
- Low-severity variances are noted for trend analysis.
- Recurring patterns trigger profile updates.
These cadences belong in policy. A cadence that exists only in a reviewer's habit is not a control.
Step 4. Refresh the Profile at Periodic Review
At the periodic review cadence aligned to the customer's risk tier, updated documentation is ingested; the intelligence layer reconciles updated documentation to the prior profile; material changes are surfaced; and the reviewer disposes of changes, updates the profile, and recalibrates monitoring as appropriate. Sanctions screening is also refreshed against current OFAC lists as the policy requires.
The reviewer focuses on what changed. The mechanical work is done.
Step 5. Document the Rationale
For each periodic review, the file captures the documents reviewed; the reconciliation against the prior file; the material changes identified; the reviewer's disposition; the updated profile; the updated risk classification, if changed; and the updated monitoring posture. This is the evidence that answers the examiner's question before it is asked.
Step 6. Use the Data at the Program Level
Aggregate the variance data: customers consistently varying from profile; profile types where the documented expectation does not match observed activity; reviewers whose dispositions trend differently from peers.
These insights drive program improvement. They are also part of the ongoing performance monitoring that model risk guidance expects: SR 11-7 established the expectation that models in production are monitored, and the agencies issued revised, principles-based interagency model risk management guidance in April 2026, SR 26-2, that continues to require ongoing monitoring proportionate to the model's risk.
What to Avoid
- Periodic reviews that conclude "no material change" without showing the work.
- Continuous monitoring that generates noise reviewers learn to ignore.
- Profile documentation that is too vague to monitor against.
- Reviewers updating profiles silently to match activity rather than investigating the variance.
How StandardC AI Approaches This
StandardC AI's MonitorC module operationalizes continuous CDD monitoring through configured agent personas calibrated to the institution's profile expectations and monitoring policy. Material variances are surfaced as structured signals tied to specific transactions and profile elements. At periodic review, updated documentation is reconciled to the prior file and material changes are surfaced. Reviewers retain authority over all dispositions.
Frequently Asked Questions
How does this differ from transaction monitoring?
Transaction monitoring focuses on transactions against rule sets. CDD monitoring focuses on activity against the customer's documented profile. Both are necessary.
What happens when the documented profile no longer matches observed activity?
Material variances are surfaced for reviewer attention.
Can periodic review cadences vary by customer?
Yes. Risk-based cadences are configured per the institution's policy.
Authoritative Sources
- FinCEN CDD Final Rule
- 31 CFR 1010.230, Beneficial Ownership Requirements (eCFR)
- 31 CFR 1020.320, Reports of Suspicious Transactions (eCFR)
- FFIEC BSA/AML Examination Manual
- Office of Foreign Assets Control (OFAC)
- SR 11-7, Supervisory Guidance on Model Risk Management
- SR 26-2, Revised Interagency Guidance on Model Risk Management
.webp)

