The problem: the book you have is not the book you assessed
A customer accepted five years ago was accepted against that year's risk appetite, that year's CDD standard, that year's understanding of the sector and jurisdiction they were operating in, and that year's list of PEPs and sanctions targets. Very little of that remains constant. Beneficial owners change. Business models pivot. Jurisdictions shift risk profile. New typologies emerge. The customer's transactional behaviour may or may not still match the profile agreed at onboarding, and the file may or may not have noticed.
Most CDD investment is directed at the front door because that is where new risk is easiest to describe and easiest to demonstrate. But by number, and often by exposure, the front door is a small proportion of the book. The rest of the exposure sits inside the existing customer base, accumulating quietly. That accumulation is the pattern behind a large share of recent European enforcement.
The evidence: ongoing due diligence is where the findings recur
Where the hidden risks actually sit
In practical work the hidden exposure clusters in a small number of recognisable places. Reading a legacy book against these categories is usually more informative than a general assurance review.
Good practice and poor practice in ongoing due diligence
Business impact: the size of the exposure
In every remediation programme I have led that touched a mature customer book, the population of files failing the current standard was materially larger than the first-line estimate before the programme began. The multiplier is usually between two and four. That is not a function of first-line optimism. It is a function of the genuine difficulty of estimating something the firm has not been measuring. The financial impact combines the cost of remediation itself, the cost of any supervisory response, the cost of any restrictions imposed on new customer acceptance while the book is cleared, and the disruption to relationship management with customers who have been on the books for many years and are being re-documented.
Practical solutions
The Claritas approach
We do not begin an ongoing due diligence engagement with a sample review. We begin with a data exercise: a join between the profile agreed at onboarding and the actual activity over the last twenty-four months, at customer level, across the whole population or a proportionate stratified sample. The output tells us where to look. It is a very different starting point from a random file sample and it produces a very different sense of the true exposure.
From there we work with the client to design the proportionate programme, the QA loop on top of it, and the Board reporting that would give a supervisor confidence the programme is producing quality as well as volume. The programme is nearly always risk-tiered and runs continuously; the Board reporting is nearly always shorter than the current pack and considerably more informative.
- 01The Board can state, for the top decile of the customer book by risk, the pass rate against the current CDD standard and the trend over time.
- 02Periodic reviews consist of substantive re-examination against current activity, not confirmation of previously recorded information.
- 03Trigger populations are calibrated to the firm's own typologies and their outcomes (not their volumes) are the Board KRI.
- 04Divergence between onboarding profile and current activity is systematically measured, escalated and resolved.
- 05Exit pathways for customers who cannot be brought to standard are defined, timetabled and reported.
- Danske Bank, Report on the Non-Resident Portfolio at Danske Bank's Estonian branch (Bruun & Hjejle, 2018).
- De Nederlandsche Bank / OM, Settlement with ING Bank N.V., September 2018.
- SEPBLAC, Annual Report 2025: recurring findings on ongoing due diligence and periodic review.
- European Banking Authority, Guidelines on ongoing monitoring of business relationships and transactions.


