The carried-forward KYC file and unresolved customer due diligence risks

Feb 18 / Leonard Nwogu-Ikojo
A routine year-end review. Dozens of customer files unresolved for months — no deadlines, no ownership, no escalation. In this compliance fiction story, Max uncovers a familiar but dangerous pattern: KYC gaps quietly carried forward until passive inaction becomes an implicit acceptance of risk. Under the AMLR, that's not a backlog problem. It's a governance failure.

This article is intended for educational and informational purposes only and does not constitute legal, regulatory, or professional compliance advice. The scenario and recommendations provided are illustrative and may not capture all applicable requirements or risks in specific cases. Readers should follow their organization’s internal policies, data protection requirements, and seek professional advice tailored to their circumstances.

The issue surfaced quietly in early January during what was meant to be a routine callover review.

Max was reconciling open KYC (Know Your Customer) actions from the previous year when the pattern emerged. Dozens of customer files, some classified as low risk and others explicitly marked as medium-high, were labeled “pending clarification.” There were no deadlines, no escalation notes, and no ownership beyond a vague handoff between onboarding, remediation, and relationship teams.

“These were last updated in Q3,” Ella noted, scanning the tracker.

“And yet they’re still active customers,” Luc replied. “Did we ignore them, or just stop looking? These customers’ risks have not been resolved.”

The files told a familiar story:

  • Missing source-of-wealth explanations deferred “until the next review.” 
  • Beneficial ownership confirmations were requested but never received. 
  • Risk ratings left unchanged despite clear trigger events. 
  • Temporary approvals quietly becoming permanent through inaction.

Each team had done something, but no one had finished the job. From an operational view, it looked like backlog management. From a regulatory perspective, this was an implicit acceptance of risk without a formal decision.

Where the KYC control framework failed

The institution failed to treat KYC as a complete lifecycle. Once onboarding was passed, unresolved issues were allowed to persist under the assumption they would be addressed “in due course.” But “due course” never arrived. The customer relationship continued, transactions flowed, and risk was carried forward without reassessment.

Max summarized it bluntly in his review note:

“An open KYC issue is an unresolved risk decision.”

Regulatory lens: AMLR obligations and the full KYC lifecycle

This failure maps directly to multiple obligations under the Anti-Money Laundering Regulation (AMLR). Allowing unresolved KYC gaps to persist breaches the requirement to maintain an accurate and current understanding of the customer. Unresolved issues, by definition, represent doubts.

Continuing a relationship without resolution contradicts regulatory expectations for Customer Due Diligence (CDD). A KYC process in which issues move between teams without clear ownership is a control design failure. When open KYC issues persist across reporting cycles, that persistence is viewed as a governance breakdown rather than mere analyst oversight.

Final thoughts: ownership, governance, and effective AML controls

KYC is a process that concludes only when a definitive decision is made, not merely when a client is onboarded. When information is incomplete, the firm must take decisive action: resolve the issue, escalate it, restrict the client relationship, or exit it entirely. To passively carry issues forward is a silent and dangerous acceptance of risk.

Effective AML control hinges on ownership. Without it, every unresolved file is a blind spot guaranteed to escalate into a regulatory finding.