Perspectives
Perspective 009Practice

The hidden risks sitting quietly in your customer base.

Most firms spend their time looking for new financial crime risks. Fewer stop to ask whether yesterday's customers still represent today's risks. That question is becoming increasingly important as supervisory expectations continue to evolve.

By Everett MorganWinter 202610 min read
Amsterdam Zuidas financial district at dusk reflected in a calm canal
Executive brief

Reading time · 10 minutes  ·  Primary audience · Boards, MLROs, Heads of Client Lifecycle Management, Chief Risk Officers

Why this matters

A firm's onboarding controls sit at the front door and receive most of the investment attention. The material undisclosed exposure sits inside the existing book: customers accepted under an earlier standard, whose circumstances have moved and whose files have not. In the Danske Bank Estonia case, the majority of the exposure came from customers who were already on the books; in the ING Netherlands 2018 settlement, ongoing due diligence failures were named specifically; SEPBLAC's 2025 findings recur on the same theme in the Spanish market. Ongoing due diligence is where firms carry the risk they cannot see.

Key findings
  1. 01Legacy customer books drift silently. Beneficial ownership changes, source of funds evolve, activity moves outside the profile agreed at onboarding. Files record none of it.
  2. 02Enhanced due diligence performed once at onboarding and never revisited is a snapshot, not a control. Supervisors now treat it as such.
  3. 03Trigger-based reviews on their own are insufficient. They only work when the triggers themselves are calibrated, monitored and independently tested.
  4. 04The most productive single control on a mature book is a proportionate periodic review programme, not a large onboarding uplift.
Questions Boards should ask
  1. 01For the top decile of our customer book by risk, when were the files last genuinely reviewed against the current CDD standard, not merely refreshed on the system?
  2. 02Of the customers whose activity has materially changed in the last twenty-four months, what proportion have had their risk rating and EDD status re-examined as a consequence?
  3. 03Where a trigger fires (adverse media, PEP status change, structural change), can we evidence the outcome of the review, not only that the trigger was raised?

The problem: the book you have is not the book you assessed

A customer accepted five years ago was accepted against that year's risk appetite, that year's CDD standard, that year's understanding of the sector and jurisdiction they were operating in, and that year's list of PEPs and sanctions targets. Very little of that remains constant. Beneficial owners change. Business models pivot. Jurisdictions shift risk profile. New typologies emerge. The customer's transactional behaviour may or may not still match the profile agreed at onboarding, and the file may or may not have noticed.

Most CDD investment is directed at the front door because that is where new risk is easiest to describe and easiest to demonstrate. But by number, and often by exposure, the front door is a small proportion of the book. The rest of the exposure sits inside the existing customer base, accumulating quietly. That accumulation is the pattern behind a large share of recent European enforcement.

The evidence: ongoing due diligence is where the findings recur

Where the hidden risks actually sit

In practical work the hidden exposure clusters in a small number of recognisable places. Reading a legacy book against these categories is usually more informative than a general assurance review.

Good practice and poor practice in ongoing due diligence

Business impact: the size of the exposure

In every remediation programme I have led that touched a mature customer book, the population of files failing the current standard was materially larger than the first-line estimate before the programme began. The multiplier is usually between two and four. That is not a function of first-line optimism. It is a function of the genuine difficulty of estimating something the firm has not been measuring. The financial impact combines the cost of remediation itself, the cost of any supervisory response, the cost of any restrictions imposed on new customer acceptance while the book is cleared, and the disruption to relationship management with customers who have been on the books for many years and are being re-documented.

Practical solutions

The Claritas approach

We do not begin an ongoing due diligence engagement with a sample review. We begin with a data exercise: a join between the profile agreed at onboarding and the actual activity over the last twenty-four months, at customer level, across the whole population or a proportionate stratified sample. The output tells us where to look. It is a very different starting point from a random file sample and it produces a very different sense of the true exposure.

From there we work with the client to design the proportionate programme, the QA loop on top of it, and the Board reporting that would give a supervisor confidence the programme is producing quality as well as volume. The programme is nearly always risk-tiered and runs continuously; the Board reporting is nearly always shorter than the current pack and considerably more informative.

What success looks like
  • 01The Board can state, for the top decile of the customer book by risk, the pass rate against the current CDD standard and the trend over time.
  • 02Periodic reviews consist of substantive re-examination against current activity, not confirmation of previously recorded information.
  • 03Trigger populations are calibrated to the firm's own typologies and their outcomes (not their volumes) are the Board KRI.
  • 04Divergence between onboarding profile and current activity is systematically measured, escalated and resolved.
  • 05Exit pathways for customers who cannot be brought to standard are defined, timetabled and reported.
References
  • Danske Bank, Report on the Non-Resident Portfolio at Danske Bank's Estonian branch (Bruun & Hjejle, 2018).
  • De Nederlandsche Bank / OM, Settlement with ING Bank N.V., September 2018.
  • SEPBLAC, Annual Report 2025: recurring findings on ongoing due diligence and periodic review.
  • European Banking Authority, Guidelines on ongoing monitoring of business relationships and transactions.
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation