Periodic Review (KYB)

Periodic Review, also known as KYB (Know Your Business) Refresh, is the scheduled reassessment of an existing business customer's risk profile, ownership structure, and operational activities at defined intervals after initial onboarding. This ongoing due diligence process verifies that previously collected business information remains current, accurate, and compliant with regulatory requirements.

‍

‍

‍

Why Periodic Review Matters

‍

Business entities change continuously. Ownership transfers, new Ultimate Beneficial Owners (UBOs), shifts in business model, geographic expansion, and changes in transaction patterns all affect risk exposure. Without scheduled periodic reviews, financial institutions, payment service providers, and marketplaces operate with outdated information that no longer reflects true risk.

‍

Regulatory frameworks including the EU's 6th Anti-Money Laundering Directive (6AMLD), the Financial Action Task Force (FATF) recommendations, and jurisdictional requirements from the Financial Crimes Enforcement Network (FinCEN) mandate ongoing customer due diligence. These regulations require institutions to maintain current knowledge of their business customers throughout the relationship, not just at onboarding.

‍

Key challenges include:

‍

• Determining appropriate review frequency: Risk-based approaches require different cadences for different customer segments, but many organizations default to uniform annual reviews regardless of actual risk.

‍

• Data decay and availability: Business registries, UBO databases, and commercial information sources update at different rates. Information collected six months ago may already be outdated.

‍

• Resource allocation: Manual periodic reviews are labor-intensive. Teams struggle to balance thoroughness with operational capacity, particularly for large portfolios.

‍

• Alert fatigue from false triggers: Automated monitoring systems generate alerts for minor, immaterial changes (address updates, new trade names) that do not represent genuine risk shifts, consuming investigator time.

‍

• Lack of clear escalation criteria: Organizations often lack documented thresholds for when a change discovered during periodic review should trigger enhanced due diligence, transaction limits, or account suspension.

‍

‍

‍

How to Build an Effective Periodic Review Program

‍

‍

1. Establish Risk-Based Review Frequencies

‍

Segment your business customer portfolio by risk tier and assign appropriate review intervals:

‍

• High-risk businesses (e.g., money services businesses, crypto exchanges, high-value merchants in sanctioned-adjacent geographies): Quarterly or semi-annual reviews

‍

• Medium-risk businesses (e.g., cross-border e-commerce, digital goods merchants, businesses in regulated verticals): Annual reviews

‍

• Low-risk businesses (e.g., established domestic B2B merchants with predictable patterns): Biennial reviews

‍

Document the criteria used to classify risk tiers and the rationale for each frequency. Ensure your model aligns with your jurisdiction's regulatory expectations and your institution's risk appetite framework.

‍

‍

2. Define Mandatory Data Points for Each Review

‍

Create a standardized checklist of information to verify or update during each periodic review:

‍

• Ownership verification: Current UBO structure (individuals holding 25% or more ownership or control), comparison against previous records

‍

• Business registration status: Active standing with relevant company registries, valid business licenses

‍

• Authorized signatories and Key Management Personnel (KMP): Changes to individuals with transaction authority

‍

• Business model and activity: Confirmation that current operations match declared business purpose at onboarding

‍

• Transaction pattern analysis: Alignment of actual transaction volumes, types, and geographies with expected behavior

‍

• Adverse media and sanctions screening: Updated screening of the entity, UBOs, and KMP against sanctions lists, watchlists, and negative news sources

‍

• Financial health indicators: When available and proportionate to risk, review of financial statements or credit reports

‍

For higher-risk customers, expand the checklist to include supplier/partner verification, enhanced source-of-funds analysis, or site visits.

‍

‍

3. Automate Continuous Monitoring Between Scheduled Reviews

‍

Periodic reviews should not be the only mechanism for detecting material changes. Implement continuous monitoring capabilities that alert teams to significant events between scheduled reviews:

• Real-time sanctions list updates
• Corporate registry changes (dissolutions, mergers, director appointments)
• Adverse media hits above a defined severity threshold
• Transaction anomalies (sudden volume spikes, new high-risk geographies, unusual transaction types)

‍

Automation reduces the risk of operating with stale information during the gap between reviews and allows teams to focus manual effort on substantive investigations rather than routine data checks.

‍

‍

4. Document Decision Logic and Outcomes

‍

For each periodic review, maintain a clear audit trail:

• Date of review and reviewer identity
• Data sources consulted
• Changes identified since last review
• Risk assessment outcome (risk tier confirmed, upgraded, or downgraded)
• Actions taken (no change, enhanced due diligence triggered, limits adjusted, relationship exited)

‍

This documentation satisfies regulatory examination requirements and provides institutional memory when customers escalate disputes or when explaining decisions to auditors.

‍

‍

5. Set Clear Escalation and Remediation Procedures

‍

Define thresholds that trigger escalation beyond routine periodic review:

‍

• Material UBO changes: New individual acquiring 25% or more ownership, or existing UBO increasing stake significantly

‍

• Business model pivot: Merchant previously selling physical goods now offering high-risk digital services

‍

• Sanctions or adverse media hits: Entity, UBO, or KMP appears on a sanctions list or in credible adverse media

‍

• Unexplained transaction anomalies: Activity diverges from expected profile without clear business justification

‍

Establish who has authority to approve risk tier changes, impose transaction limits, or terminate relationships. Escalation paths should be documented and consistently followed.

‍

‍

‍

Real-World Example

‍

A European payment service provider (PSP) onboarded an e-commerce merchant in 2024 as a medium-risk customer selling consumer electronics. Initial KYB verification confirmed two co-founders as UBOs, each holding 50% ownership. The company's registered address was in Germany, and initial transaction patterns aligned with B2C electronics sales across the EU.

‍

During a scheduled annual periodic review in early 2026, the PSP's compliance team discovered:

• One co-founder sold their 50% stake to a newly formed holding company registered in Cyprus
• The UBO of the Cypriot holding company was an individual not previously disclosed
• The merchant's transaction profile shifted to include significant cross-border payments to suppliers in high-risk jurisdictions
• Updated adverse media screening returned results linking the new UBO to a separate business previously investigated for customs fraud (unresolved)

‍

The periodic review triggered enhanced due diligence. The PSP requested documentation of the ownership change, source of funds for the acquisition, and business justification for the supplier shift. Pending satisfactory responses, the PSP imposed temporary transaction limits. This example illustrates how periodic review serves as a critical checkpoint to detect risk changes that would otherwise remain invisible between onboarding and an eventual incident.

‍

‍

‍

Strategic Context: Balancing Compliance and Customer Experience

‍

Periodic reviews exist at the intersection of regulatory obligation and operational friction. Overly aggressive review programs generate unnecessary customer friction, operational costs, and false positives. Insufficient review cadences or superficial checks create regulatory exposure and allow risky relationships to persist undetected.

‍

Leading risk and compliance teams approach periodic review as a portfolio management exercise. They allocate finite resources to the highest-risk segments, use automation to handle routine verifications, and design workflows that surface material risk changes quickly without drowning investigators in low-value alerts.

‍

For payment facilitators, marketplaces, and acquiring banks managing thousands of business customers, effective merchant onboarding must extend beyond day one. Periodic review closes the loop, ensuring the risk assessment made at onboarding remains valid throughout the customer lifecycle.

‍

‍

‍

About Ballerine

‍

Ballerine provides merchant risk and compliance infrastructure for payment service providers, acquiring banks, and marketplaces. Our KYB and ongoing monitoring platform automates periodic review workflows, integrates real-time data sources for continuous monitoring, and surfaces material risk changes through configurable alert logic. Teams use Ballerine to manage review cadences at scale, reduce manual effort, and maintain audit-ready documentation for regulatory examinations.

‍