KYC Refresh Trigger Events
Banks and money-services businesses are required under anti-money-laundering (AML) and know-your-customer (KYC) rules to re-verify customer identity and risk profile when specific trigger events occur. These might be a sudden wire transfer of $500,000 from an unexpected source, a shift from manufacturing to cryptocurrency trading, or a news report that the customer was investigated for fraud. When triggered, the institution must conduct what’s called a KYC refresh, updating the customer’s file and reassessing whether the account remains acceptable—or whether the business relationship should end.
Core Trigger Events
Regulators—particularly the Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency (OCC), and the Securities and Exchange Commission (SEC)—do not publish a single exhaustive list of triggers. Instead, they expect banks to apply judgment: if a customer’s profile, behavior, or circumstances change materially, re-verify and reassess. That said, clear patterns have emerged from guidance and exam findings.
Transaction volume or pattern change. A customer who has wired $50,000/month suddenly wires $5 million in a single day, or begins a pattern of large round-number transfers that depart sharply from history. Alternatively, a dormant account suddenly becomes active. These spikes prompt a refresh.
New business line or stated purpose. A customer opens an account stating they are a real-estate investor; months later, they ask to enable international wire transfers and mention plans to trade cryptocurrency. The stated use of the account has shifted materially, and the bank must re-verify the customer’s legitimacy in this new space.
Change in beneficial ownership (for businesses). The bank holds a customer file stating that Alice owns 51% of Acme Corp. Six months later, an SEC filing reveals that Bob now owns the controlling stake. That is a material change in beneficial ownership (UBO). The bank must update its records, verify Bob’s identity, assess his risk profile, and ensure the relationship still meets the bank’s standards.
Adverse media. The customer’s name appears in a news report regarding fraud allegations, sanctions designation, or investigation by law enforcement. Even if the allegations are unproven, the presence of negative publicity obligates the bank to investigate further and document its findings.
Geographic change or politically exposed person (PEP) status. A customer formerly resident in a low-risk jurisdiction moves to a sanctioned country or is appointed to a government position (becoming a PEP). That shift changes the risk profile and requires a refresh.
Large or unexpected fund source. A small-business customer deposits a check for $500,000 from an unknown source with no clear business relationship. The bank must understand the source, verify it is legitimate, and ensure it does not involve illicit activity.
Account access pattern change. A customer’s account is normally accessed from one IP address (say, their home in Chicago); suddenly it is accessed from multiple countries, or there are login attempts from unusual locations. These patterns may signal account compromise or unauthorized use.
Documented Examples from Regulators
The Office of the Comptroller of the Currency (OCC) has published exam findings citing banks for failure to refresh KYC when:
- A customer’s business changed from retail sales to import/export, but the bank did not obtain new beneficial-ownership documentation or verify the legitimacy of the new suppliers and markets.
- A customer wired $2 million to a shell company in a high-risk jurisdiction, but the bank had no documentation of the purpose or the recipient’s identity.
- A customer’s account was used by an employee rather than the account holder themselves, and the bank did not update its beneficial-owner records to reflect this change.
The SEC has sanctioned broker-dealers for failing to refresh KYC when a customer’s investment profile changed materially (e.g., from buy-and-hold stocks to day trading options with borrowed money), or when a customer’s source of wealth shifted to a high-risk source.
The KYC Refresh Workflow
When a trigger event occurs, the institution typically:
Flag the event. Internal systems or a compliance officer note the trigger (transaction size, adverse media, UBO change, etc.).
Request updated information. The bank contacts the customer and asks for current ID, address verification, recent bank statements, business licenses, or other documents to re-verify and reassess.
Verify identity and beneficial ownership. The bank checks the updated documentation, reconciles it with existing records, and updates the customer profile.
Reassess risk. The bank re-scores the customer using its internal risk model, taking into account the new information. Has the customer’s risk level increased? Are there red flags that suggest illicit activity?
Document the decision. The bank records the refresh—what was updated, what documents were obtained, what risk reassessment was done, and the decision (continue the relationship, enhance monitoring, or terminate).
Escalate if needed. If the reassessment reveals suspicious activity, the bank files a Suspicious Activity Report (SAR) with FinCEN. If the customer’s risk has become unacceptable, the bank may exit the relationship (which may require a SAR as well, depending on the facts).
Special Case: Large Transactions and the $10,000 Threshold
The Bank Secrecy Act (BSA) requires reporting of cash transactions over $10,000 (Currency Transaction Reports, or CTRs). While not strictly a KYC refresh, large cash deposits do trigger compliance review. The bank must:
- Verify the source of the cash.
- Ensure it is not a “structuring” (deliberately breaking up large amounts to avoid the $10,000 reporting threshold, which is itself a crime).
- Update its understanding of the customer’s business and cash-handling practices.
A customer who has never deposited cash suddenly deposits $50,000 in cash raises questions and warrants investigation.
Adverse Media and Sanctions Screening
Banks are required to screen customers and their beneficial owners against:
- Sanctions lists (OFAC, EU, UN)
- Negative news databases (arrest records, fraud allegations, regulatory enforcement)
- Politically exposed persons (PEPs) databases (government officials, their families, and associates)
When a customer first appears on one of these lists, or when adverse media is published after account opening, that is a trigger. The bank must investigate and decide whether to:
- Continue the relationship and enhance monitoring.
- Request additional documentation or representations from the customer.
- File a SAR.
- Terminate the relationship.
Ongoing Monitoring vs. Refresh
It is important to distinguish ongoing monitoring (continuous surveillance of transactions and public information) from KYC refresh (a more formal re-gathering and re-verification of the customer’s identity, business, and risk profile).
Ongoing monitoring might flag a suspicious transaction pattern and trigger a review, which may escalate to a formal KYC refresh if the pattern is unusual enough to warrant it. But not every suspicious transaction requires a full refresh—the bank may simply file a SAR and continue monitoring.
A KYC refresh is more comprehensive: it includes contacting the customer, obtaining updated documents, and re-scoring the relationship against current risk criteria.
Timeline and Reasonableness
Regulators expect a “reasonable” timeframe for KYC refresh. What is reasonable depends on the trigger and the bank’s resources:
- Routine changes (address, phone number): 30–60 days.
- Material business changes: 30–90 days.
- Adverse media or sanctions: often within 10–30 days; a potential match to a sanctions list may require immediate escalation and can freeze the account pending resolution.
A bank that sits on adverse media for months without investigating faces significant regulatory risk.
Failure to Refresh: Regulatory Consequences
Banks that fail to refresh KYC when required face:
- Civil money penalties (often $10,000–$100,000+ per violation).
- Corrective action orders requiring enhanced AML programs.
- Reputational harm and loss of correspondent banking relationships.
- Criminal prosecution (rarely, but possible for willful violations or conspiracy).
The Financial Crimes Enforcement Network (FinCEN) and the OCC have each published enforcement actions against banks for inadequate KYC refresh processes, particularly when the failure enabled money laundering or sanctions evasion.
See also
Closely related
- AML (Anti-Money Laundering) — the regulatory framework that mandates KYC refresh
- Dodd-Frank Act — legislation that strengthened AML and KYC rules
- Beneficial ownership — the key focus of KYC for business accounts
- Customer due diligence — the foundational KYC process at onboarding
- Suspicious Activity Report (SAR) — escalation when KYC refresh uncovers red flags
Wider context
- FINRA — regulates broker-dealer KYC and refresh
- Federal Reserve — oversees bank AML compliance
- Securities and Exchange Commission — enforces KYC on investment firms
- Bank Secrecy Act — foundational anti-money-laundering statute
- OFAC (Office of Foreign Assets Control) — sanctions list compliance, a KYC component