AI Agents for KYC & Customer-Profile Review: A 2026 Guide for Compliance Teams
What a KYC customer-profile review requires, how often you actually have to do one (it's risk-based, not fixed-cadence), the rules by business type in 2026, and how AI agents clear the review backlog by working inside the compliance systems you already use.
An AI agent for KYC and customer-profile review is a software agent that performs the recurring back-office steps of a customer due-diligence review — refreshing KYC data, re-screening for sanctions, PEP, and adverse-media hits, re-verifying beneficial ownership, triaging transaction-monitoring alerts, and re-rating customer risk — by operating directly inside the compliance team's existing case-management, screening, and core systems, with every action logged and a human analyst approving the final decision. It clears the high-volume, repetitive review work while keeping the regulated judgment with a person.
This is a guide for compliance teams: what a customer-profile review requires, how often you actually have to do one, the rules by business type in 2026, and where AI agents fit.
Key takeaways
- U.S. ongoing-monitoring and customer-refresh obligations are risk-based and event-driven, not a fixed calendar. The FFIEC manual states there is "no categorical requirement" to update customer information on a periodic basis.
- The obligation differs by business type, and one big 2026 change is easy to get wrong: the FinCEN AML rule for investment advisers was delayed to January 1, 2028.
- The work is a bottleneck: industry studies consistently estimate 85-95% of AML alerts are false positives, building a single SAR can take 4+ days, and large banks put 10-15% of headcount on KYC/AML.
- The stakes are real: TD Bank paid a record $3.09B BSA settlement in 2024; Coinbase once carried a backlog of 14,000 customers awaiting review and 100,000+ unreviewed alerts.
- Only about 4% of banks have automated the majority of KYC workflows — most reviews are still done by an analyst moving data by hand between screening tools, case management, and core systems.
What is a KYC / customer-profile review?
A KYC review is the recurring check that confirms a financial institution still knows who its customer is, what they do, and whether their activity makes sense. It is the "ongoing" half of customer due diligence (CDD): onboarding establishes the profile, and the review keeps it current and flags risk.
For brokerages and advisers it also covers the customer investment profile (objectives, risk tolerance, time horizon) that suitability and best-interest obligations depend on.
How often must you review a customer profile?
This is the most misunderstood question in KYC, and the answer is the opposite of what most people expect: in the U.S., there is no fixed mandated cadence. The requirement is risk-based and event-driven. The FFIEC BSA/AML Exam Manual puts it plainly: ongoing monitoring "does not impose a categorical requirement that the bank must update customer information on a continuous or periodic basis… The requirement to update customer information is event-driven and occurs as a result of normal monitoring."
In practice firms set their own risk-tiered schedule and trigger reviews on events:
| Customer risk tier | Typical review trigger |
|---|---|
| High risk (PEPs, foreign correspondent, private banking, high-risk geography) | Enhanced due diligence; most frequent review, often ~annual plus event-driven |
| Medium risk | Periodic refresh on the firm's risk-based schedule |
| Low risk | Event-driven; refreshed when monitoring surfaces a change |
So the honest answer to "how often" is: as often as the customer's risk and behavior demand. (Note this is U.S. practice. EU and UK regimes lean toward defined periodic-review timetables.)
KYC review requirements by business type (2026)
The obligation that drives the review depends on what kind of institution you are.
- Retail brokerage / broker-dealers. FINRA Rule 2090 requires knowing the essential facts of every customer at "the opening and maintenance" of the account — a continuing duty with no fixed interval. Rule 2111 ties recommendations to the customer investment profile. A Customer Identification Program and the CDD "fifth pillar" (31 CFR 1023.210) require risk-based ongoing monitoring and, "on a risk basis, to maintain and update customer information."
- RIAs / robo-advisers. Advisers owe a fiduciary duty and deliver Form CRS, but note the 2026 reality: the FinCEN AML program and SAR rule for investment advisers, finalized in 2024, was delayed to January 1, 2028. Until then, covered advisers have no operative AML-program obligation under that rule, and a separate adviser CIP requirement is still only a proposal.
- Neobanks / banks / BaaS. A neobank is not its own category; the regulated entity is the sponsor bank, whose BSA program covers accounts opened through the fintech. The FinCEN CDD Rule (31 CFR 1010.230) requires identifying customers, verifying beneficial owners of legal entities (the 25%-ownership and control prongs), understanding the relationship, and ongoing monitoring. A February 2026 FinCEN order (FIN-2026-R001) eased repeat beneficial-ownership verification at every new account opening.
- Crypto exchanges / MSBs. FinCEN treats convertible-virtual-currency exchangers as money transmitters with full BSA obligations: MSB registration, a risk-based AML program, SARs (a lower $2,000 threshold), and the Travel Rule at $3,000.
What a periodic review actually involves, step by step
A single customer-profile review is a chain of steps across several systems:
- Refresh KYC data — confirm identity, address, occupation, source of funds, expected activity, and entity details against the existing record.
- Re-verify beneficial ownership for legal-entity customers.
- Screen against sanctions, PEP, and watch lists.
- Check adverse media for financial-crime or reputational red flags.
- Triage transaction-monitoring alerts — compare actual versus expected activity and build the case narrative.
- Update the suitability / investment profile (for brokerage and advisory).
- Re-rate customer risk, escalating to enhanced due diligence if needed.
- Decide on a SAR, and document the rationale either way.
Most of that work is an analyst logging into one tool, copying a value, and pasting it into another: the screening platform, the case-management system, the core record. The judgment is small. The clicking is enormous.
Why customer-profile review is a bottleneck
The numbers explain the pain. Industry studies consistently estimate that 85-95% of AML alerts are false positives, with only a few percent leading to a SAR. Building one SAR can take more than four days, and large banks devote 10-15% of their workforce to KYC/AML. Compliance hours at large banks rose 61% between 2016 and 2023, far faster than headcount overall.
When the work backs up, it gets expensive. Coinbase's 2023 settlement described a backlog of 14,000 customers awaiting review and over 100,000 unreviewed transaction-monitoring alerts. TD Bank's $3.09B BSA settlement in 2024 was the largest ever, and Block's Cash App paid $80M in 2025 for weak CDD and monitoring. The cost of falling behind is now measured in remediation orders and nine- and ten-figure penalties.
Can you automate KYC reviews?
Less than most people assume. Only about 4% of banks have automated the majority of their KYC workflows, and "perpetual KYC" (pKYC), the idea of continuously refreshing profiles instead of on a calendar, is still mostly in pilots. The blocker has been that the work spans systems that don't talk to each other: screening tools, case managers, sanctions databases, and core records, many without usable APIs.
That is exactly where agents change the math.
What an AI agent for KYC actually does
An AI agent for KYC review is a computer-use agent: it operates the compliance stack you already run, by reading the screen and acting on it, rather than waiting for every vendor to expose an integration. On a periodic or event-driven review, the agent gathers the KYC data, runs the sanctions, PEP, and adverse-media screens, pulls and compares the transaction history, drafts the case narrative, and assembles everything an analyst needs, then routes it for the human decision.
The point is not to replace the analyst. It is to remove the eight steps of clicking so the analyst spends their time on the one step that matters: the judgment call, including whether to file a SAR. Because that judgment is regulated, the agent has to be auditable by design. It needs scoped access, human approval before any consequential action, and a complete, examiner-ready trail of what it did and why. We lay that out in the agent trust framework.
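The three design requirements above (scoped access, human approval before any consequential action, and a complete trail) sketched in Python, as an added example that is not code from the original page or from any product it describes: the step names, the sample case and the `agent_act`/`run_review` helpers are constructed for illustration, and the trail is a hash-chained log so an edited or dropped entry is detectable.

```python
import hashlib, json, time

# Constructed sample case (not real customer data); AUTONOMOUS steps may run alone,
# CONSEQUENTIAL steps change a regulated outcome and need a recorded human decision.
SAMPLE_CASE = {"customer_id": "C-EXAMPLE-001", "risk_tier": "medium", "pep_hit": True}
AUTONOMOUS = ["refresh_kyc", "screen_sanctions_pep", "compare_activity", "draft_narrative"]
CONSEQUENTIAL = {"re_rate_risk", "file_sar"}
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained trail: editing or dropping an entry breaks verify()."""
    def __init__(self):
        self.entries = []
    def append(self, actor, action, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": time.time(), "actor": actor, "action": action,
                "outcome": outcome, "prev": prev}  # prev links this entry to the last
        self.entries.append({"body": body, "hash": _digest(body)})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["body"]["prev"] != prev or _digest(e["body"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def agent_act(log, scopes, action, approver=None):
    """Gate one action: scope check, then a human decision for consequential steps."""
    if action not in scopes:  # least privilege: the grant, not the agent, decides
        log.append("agent", action, "denied: outside granted scope")
        return False
    if action in CONSEQUENTIAL:
        if approver is None:
            log.append("agent", action, "blocked: needs human approval")
            return False
        approved = bool(approver(action))
        log.append("analyst", action, "approved" if approved else "rejected")
        return approved
    log.append("agent", action, "done")
    return True

def run_review(case, scopes, approver, log):
    """Run the review chain for one case; returns the steps that completed."""
    done = [s for s in AUTONOMOUS if agent_act(log, scopes, s)]
    if case["pep_hit"] and agent_act(log, scopes, "re_rate_risk", approver):
        done.append("re_rate_risk")
    if agent_act(log, scopes, "file_sar", approver):  # the grant should exclude this
        done.append("file_sar")
    return done
```

Granting the agent `set(AUTONOMOUS) | {"re_rate_risk"}` lets it run the four gathering steps, forces the risk re-rating through the analyst, and records the SAR step as denied because the grant never included it.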
For compliance, that combination is the whole point: clear the review backlog and the false-positive grind, keep a human on the decision, and produce a record you can hand to an examiner.
FAQ
How often must you review a customer profile? In the U.S., there is no fixed mandated cadence. Ongoing monitoring is risk-based and event-driven; the FFIEC says there is "no categorical requirement" to update customer information periodically. Firms set risk-tiered schedules and trigger reviews on events.
What is the difference between CDD and EDD? Customer due diligence (CDD) is the baseline: identify and verify the customer, understand the relationship, and monitor it on an ongoing basis. Enhanced due diligence (EDD) is the deeper scrutiny applied to higher-risk customers, such as PEPs, foreign correspondent accounts, and private banking.
Do investment advisers have a KYC/AML obligation in 2026? The FinCEN AML program and SAR rule for advisers was finalized in 2024 but delayed to January 1, 2028. Advisers still owe a fiduciary duty and deliver Form CRS, but the specific AML-program obligation under that rule is not yet operative.
Can AI agents file SARs? No. An AI agent can gather the data, triage alerts, and draft the case, but the SAR decision is a regulated judgment that stays with a human analyst, who reviews and approves it.
What is perpetual KYC (pKYC)? Continuously refreshing customer profiles as data changes, instead of on a fixed periodic schedule. It fits the risk-based, event-driven model regulators already expect, and agents that monitor and refresh on existing systems are what make it practical.