Ongoing monitoring  is a key requirement under Regulation 28(11) of  The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) that all firms must adhere to.

To streamline this process and ensure full compliance, I typically divide ongoing monitoring into four main categories:

1. Ongoing monitoring of matters
2. Ongoing monitoring of identity documents
3. Ongoing monitoring of company data
4. Ongoing monitoring of Politically Exposed Persons (PEPs), sanctions, and adverse media.

Ongoing Monitoring of matters

In terms of monitoring the matter, it's all about making sure everything still aligns with your expectations. If there have been changes, are you comfortable with why those changes happened? Does any behaviour or shift in instructions raise suspicions of money laundering?

In my time as a consultant, I often recommended that firms build triggers into their processes, prompting lawyers to stop and reassess the matter at specific points. This was usually done when ID and Source of Funds (SOF) documents were received, and again just before the transaction. This approach helped them hit two targets at once—assessing risk while also conducting and documenting ongoing monitoring.
‍

Ongoing monitoring of identity documents

Ongoing monitoring also extends to identity documents. You need to keep an eye on ID documents to make sure they’re still valid and haven’t been lost or stolen.

I’ve always recommended using technology to help with this. Sure, you can see if a document has expired by looking at it, but using technology allows  you to check if a passport has been reported lost or stolen, and even confirm that your client still lives at the same address. This way,  you can do your ongoing monitoring without having to hassle your client.
‍

Ongoing monitoring of company data

Monitoring company data is more challenging, as changes can occur more frequently than with individuals—from name and address changes to new directors or shareholders. The key question is: how will you know if these changes have taken place without regular checks? One approach firms can take is to create a document outlining all the key company details and send it to the client whenever a new matter is opened to confirm any updates.  This type of ongoing monitoring  has always been very manual and time-consuming.

However, with advancements in technology, there are now more efficient ways to handle this process, reducing the need for so much manual work.
‍

Ongoing monitoring of PEPs, Sanctions and adverse media

In today's ever-changing landscape, it’s more important than ever to ensure you are conducting ongoing monitoring of your clients  for PEPs, sanctions, and adverse media. In my view, the only real way to be sure you’re not missing anything is by using technology.

The Solicitors Regulation Authority (SRA), in their recent desk-based review on sanctions, were asking firms how they conduct ongoing monitoring for sanctions. The reality is that someone who isn’t sanctioned today, could be tomorrow. If you’re only monitoring high-risk clients or manually checking every few months, you could end up working with someone who’s been sanctioned for weeks before you even realise it. And with sanctions, it’s a strict liability offence, meaning if you make funds available to a designated person, you’re at serious risk of committing a sanctions violation.

By using a tech solution to handle ongoing monitoring, firms can have peace of mind knowing they’ll be immediately alerted if one of their “clean” clients suddenly becomes a PEP, sanctioned, or flagged for adverse media. It could be something as simple as a client getting married—if they marry a PEP, they automatically become one too. Plus, ongoing monitoring will also alert you if a “good” PEP client starts engaging in behaviour that increases the risk of doing business with them.
‍

Remember a change in client information = a refresh of CDD

Whenever there's a change in client information, it’s essential to update your client due diligence. I had a firsthand experience that really drove this home. I was asked to update a company’s name in our system. I was provided with the name change certificate, but I noticed they hadn’t updated any of the due diligence information. So, I decided to investigate further.

After checking Companies House, I found out the name change was linked to a change in ownership.  This led me to run PEP, sanction, and adverse media checks, which revealed that the new ultimate beneficial owner was actually on trial for fraud in the US.

It’s not just a good practice; it's also a legal requirement under the Data Protection Act and GDPR to keep clients’ personal information accurate and current.
‍

Record your decision making

If it’s not written down, it’s like it never happened. So, it's really important to keep a good record of your ongoing monitoring. Make sure to include:

• What you reviewed: Did anything stand out? Were there any issues or red flags?
• Actions taken: Note down any actions you took or explain why you didn’t need to take any. Even if nothing has changed, it’s important to explain your reasoning.
• Who and when: Record who carried out the monitoring and when it was done. This helps anyone looking at the file to know who handled it and when.

And don’t forget ……
‍
Domestic PEP vs Non Domestic PEP

Earlier this year, the definition of a PEP was updated. Parliament acknowledged that many UK PEPs were  facing difficulties in accessing financial and legal services due to their status. The issue? Firms were often asking for excessive financial information or conducting ongoing monitoring too frequently. So the definition of a PEP has been split into two categories:

1. Domestic PEP
2. Non Domestic PEP

A domestic PEP is defined as someone who is entrusted with prominent public functions by the “UK”.

When dealing with domestic PEPs, firms must now treat them as lower risk compared to non-domestic PEPs. This means applying a “lower level” of Enhanced Due Diligence (EDD), unless other enhanced risk factors are present.

Due to this change, it may be worth considering less frequent ongoing monitoring of CDD throughout the course of a matter for domestic PEPs, such as how often you ask for updated evidence of source of funds for a single transaction.
‍

Sanctions

We have already discussed the reality that someone who isn’t sanctioned today could be tomorrow. Relying too heavily on manual processes for sanctions checks could put you at risk. If you only re-check clients for sanctions every three months, you could end up handling a transaction involving a designated person without knowing until it’s too late.
‍

‍Simplified Due Diligence.

When applying simplified due diligence, ongoing monitoring is still necessary. In my experience, many firms avoid simplified due diligence, but if it’s part of your process, remember that monitoring remains a key requirement!

If you missed the webinar ….. Don’t worry we’ve got you covered, you can watch the recording here