Periodic KYC Review Process
1. Purpose
This procedure (Ref: COMP-KYC-004) defines the Bank's process for conducting periodic KYC reviews of existing customer relationships. Periodic reviews are a regulatory requirement under AMLD6 and FATF Recommendation 10. They ensure that customer information remains accurate, complete, and reflective of the customer's current risk profile.
2. Scope
This procedure applies to all existing customer relationships across all business lines and jurisdictions. It covers both individual and corporate clients.
3. Review Frequency
Periodic reviews are scheduled based on the customer's risk rating as follows:
| Risk Rating | Review Frequency | Review Window |
|---|---|---|
| High | Annually | Within 12 months of last review |
| Medium | Every 3 years | Within 36 months of last review |
| Low | Every 5 years | Within 60 months of last review |
Reviews that are not completed within the review window are classified as overdue and subject to the escalation process described in Section 7.
4. Trigger-Based Reviews
In addition to scheduled periodic reviews, an ad-hoc review must be initiated when any of the following trigger events occurs:
- Material change in the customer's ownership structure or beneficial ownership.
- Significant change in the customer's transaction behaviour or risk profile.
- Adverse media or negative screening alert.
- Sanctions hit or near-match requiring investigation.
- SAR filed in relation to the customer.
- Regulatory request or direction to review the customer.
- Change in the customer's jurisdiction of residence or incorporation.
- Significant change in the customer's product or service usage.
5. Review Process
Step 1 — Notification
The KYC Operations Team generates a review notification sixty (60) calendar days before the scheduled review date and assigns it to the responsible Relationship Manager via the KYC workflow system.
Step 2 — Data Refresh
The Relationship Manager contacts the customer to confirm or update the following:
- Personal or corporate identification details.
- Residential or registered address.
- Beneficial ownership information.
- Source of funds and source of wealth (where applicable).
- Nature and purpose of the business relationship.
- Expected transactional activity.
Step 3 — Screening Refresh
The KYC Operations Team re-screens the customer and all associated parties against:
- Sanctions lists (EU, OFAC, UN, HM Treasury).
- PEP databases.
- Adverse media sources.
Step 4 — Risk Re-Assessment
The customer's risk rating is recalculated using the Bank's Customer Risk Assessment Model. If the risk rating has changed, the Relationship Manager must document the rationale and apply any additional due diligence measures required by the new rating.
Step 5 — Approval
| Risk Rating | Approver |
|---|---|
| Low | Relationship Manager |
| Medium | Relationship Manager + Compliance Officer |
| High | Senior Management (VP+) + Compliance Officer |
Step 6 — Documentation
The completed review, including all updated documents, screening results, and approval records, must be uploaded to the KYC system within five (5) business days of approval.
6. Quality Assurance
The KYC Operations Team conducts quality assurance checks on a sample of completed reviews each month. The target QA sample rate is 10% of all completed reviews. QA findings are tracked and reported to the Head of Compliance monthly.
7. Overdue Reviews and Escalation
| Overdue Period | Action |
|---|---|
| 1–30 days | Automated reminder to Relationship Manager and line manager |
| 31–60 days | Escalation to department head; account restrictions may be applied |
| 61+ days | Escalation to Head of Compliance; mandatory account restrictions; potential relationship exit assessment |
8. Review
This procedure is reviewed annually. Next review: Q1 2027.