Case snapshot: the pushback
Max was halfway through his queue of periodic KYC refreshes when the email landed:
“You already have my data. Why are you asking again? Nothing has changed.”
It came from a long-standing corporate client, flagged for a routine CDD review. The documents on file were three years old, and while the company’s structure hadn’t visibly shifted, regulations required periodic updates.
Max sighed. He’d seen this reaction before. For customers, refreshes felt redundant; for compliance, they were non-negotiable obligations.
Even if no changes are obvious, periodic reviews are required to validate assumptions—because risk is dynamic.
Supervisors often stress that outdated KYC is a weak link: customers who once appeared low-risk can become high-risk over time without leaving obvious traces in corporate registries or customer declarations.
Max called the client, carefully explaining:
“It’s not that we don’t trust you. Outdated data puts both you and us at risk. Regulations also require us to prove, continuously, that we understand who our customers are.”
The client reluctantly agreed, but Max knew the frustration was real. Too much friction, and customers look for easier banking relationships. Too little, and compliance failures loom.
The customer's additional responses to certain questions revealed minor changes that the customer had not reported to the financial institution.
Max updated the customer records, a smile playing on his lips. “Another day of productivity,” he thought, “not just activities.”
Regulatory lens: why refresh matters
Under Article 26 of the AMLR, institutions must carry out ongoing due diligence and update KYC information:
- At set intervals, based on the customer’s risk category.
- When trigger events occur, such as changes in ownership, transaction behavior, or suspicion of money laundering/terrorist financing.
Final thought: refresh isn’t redundant
A client's risk profile is a living story. Onboarding is just the opening scene. The real work of compliance (ongoing monitoring) lies in reading the subsequent chapters, watching for unscripted changes and subtle plot twists that betray the original script.
A rigid, periodic review only captures a series of isolated snapshots. True due diligence requires following the full narrative of risk as it unfolds, ensuring that a simple, low-risk business doesn't become a vehicle for illicit activity.
As compliance professionals, we must understand our role and responsibilities in the bigger picture.