Why KYC Refresh Matters
Customer due diligence (CDD) is not a one-time onboarding activity. MAS Notice 626 requires banks and MPI holders to conduct periodic reviews of customer CDD records to ensure information remains current and risk ratings remain appropriate. Failure to conduct periodic reviews is one of the most common findings in MAS AML inspections — and one of the most preventable.
Risk-Based Review Frequency
| Risk Tier | Minimum review frequency | What triggers earlier review |
|---|---|---|
| Low risk | Every 3–5 years | Unusual transaction patterns, name screening hit, change in business nature |
| Medium risk | Every 2 years | New product relationship, beneficial owner change, adverse media hit |
| High risk | Annually | Any change in circumstances; screening hits require immediate review |
| PEP | Annually (minimum) | Change in PEP status, new media coverage, new transactions |
| Correspondent banks | Annually | Change in ownership, country risk rating, new jurisdiction activities |
What a KYC Refresh Must Cover
A periodic review is not just re-verifying identity documents. MAS Notice 626 expects the review to confirm:
- Customer identity documents — are they still valid? (passports expire; NRIC for citizens is permanent)
- Business purpose and nature — has the customer's business changed in a way that affects risk?
- Beneficial ownership — for corporate customers, have shareholders changed? Is there a new UBO above the 25% threshold?
- Source of funds/wealth — for high-risk customers, is the documented source still consistent with actual transaction patterns?
- Transaction history review — do transaction patterns match the expected profile at onboarding?
- Current screening check — run fresh sanctions, PEP, and adverse media screening
Event-Triggered Reviews
In addition to scheduled reviews, certain events must trigger an immediate KYC refresh:
- Name screening hit (sanctions or PEP)
- Customer reports change in beneficial ownership
- Significant change in transaction volume (>3x typical monthly volume)
- Customer moves to or from a FATF high-risk jurisdiction
- Suspicious transaction report filed on the customer
- AML alert disposition changes customer's risk tier
Operationalising Periodic Review
Most compliance teams struggle with periodic review because they lack a systematic workflow. A best-practice approach:
1. Build a review queue by due date
Assign every customer a next-review date at onboarding (based on initial risk rating). Surface a queue 60 days before each review is due so analysts are not scrambling at deadline.
2. Use digital document collection
Sending customers emails requesting expired documents is inefficient. Integrate a digital KYC refresh flow where customers upload directly and your system validates document format and expiry automatically.
3. Automate screening as part of the workflow
Screening should run automatically as part of the periodic review — not as a separate manual step that gets forgotten.
4. Risk tier can change at review
The output of a periodic review is an updated risk rating, not just a confirmed one. If a low-risk retail customer has started making high-value cross-border transfers to high-risk jurisdictions, the review should upgrade them to medium/high risk.
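The due-date queue from the steps above, sketched in Python as an added example (not code from the original page or from any vendor product). The field names, status labels and the choice of 3 years for low risk (the table allows 3–5) are assumptions, and only three of the event triggers listed earlier are modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review intervals in years, taken from the risk-tier table. Low risk is
# "every 3-5 years" there; using the stricter 3 is this example's assumption.
INTERVAL_YEARS = {"low": 3, "medium": 2, "high": 1, "pep": 1, "correspondent": 1}
QUEUE_LEAD = timedelta(days=60)  # surface a review 60 days before it is due
VOLUME_SPIKE = 3.0               # ">3x typical monthly volume" event trigger
RANK = {"IMMEDIATE": 0, "OVERDUE": 1, "UPCOMING": 2}

@dataclass
class Customer:  # hypothetical record layout
    cid: str
    tier: str
    last_review: date
    typical_volume: float = 0.0   # typical monthly volume
    current_volume: float = 0.0   # volume in the current month
    screening_hit: bool = False   # sanctions or PEP name-screening hit
    str_filed: bool = False       # suspicious transaction report filed

def next_review(c: Customer) -> date:
    year = c.last_review.year + INTERVAL_YEARS[c.tier]
    try:
        return c.last_review.replace(year=year)
    except ValueError:            # 29 Feb landing on a non-leap year
        return c.last_review.replace(year=year, day=28)

def event_triggers(c: Customer) -> list[str]:
    spike = c.typical_volume > 0 and c.current_volume > VOLUME_SPIKE * c.typical_volume
    flags = (("screening_hit", c.screening_hit), ("str_filed", c.str_filed),
             ("volume_spike", spike))
    return [name for name, hit in flags if hit]

def build_queue(customers, today: date):
    """Return (cid, status, due date, trigger reasons), most urgent first."""
    queue = []
    for c in customers:
        due, reasons = next_review(c), event_triggers(c)
        if reasons:
            status = "IMMEDIATE"  # event triggers override the schedule
        elif due < today:
            status = "OVERDUE"    # past due: track and escalate
        elif due - today <= QUEUE_LEAD:
            status = "UPCOMING"
        else:
            continue              # not yet inside the 60-day window
        queue.append((c.cid, status, due, reasons))
    return sorted(queue, key=lambda row: (RANK[row[1]], row[2]))

if __name__ == "__main__":        # constructed sample records
    sample = [Customer("C1", "high", date(2024, 7, 15)),
              Customer("C2", "medium", date(2023, 1, 10))]
    print(build_queue(sample, date(2025, 6, 1)))
```

The risk tier is an input here; a completed review that changes the tier should write back both the new tier and the review date so the next due date is computed from the updated rating.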
MAS Inspection Focus Areas
- Are high-risk customers being reviewed annually — and is evidence of the review documented?
- Are overdue reviews tracked and escalated? A backlog of past-due reviews is a major finding.
- Does the periodic review include a fresh name screening, or just a file update?
- Are beneficial ownership updates triggered by corporate structure changes?
Key Takeaways
- KYC refresh frequency is risk-based: annually for high risk/PEP, every 2 years for medium, every 3–5 years for low risk
- Periodic review must cover identity, beneficial ownership, source of funds, transaction patterns, and fresh screening — not just document renewal
- Event triggers (screening hits, large transaction spikes) require an immediate refresh regardless of scheduled date
- Build a due-date queue system 60 days ahead — chasing overdue reviews at deadline is a compliance failure
- Periodic review is where MAS examiners find the most gaps — documentation of each review is essential