
Guide to Periodic Reviews

Periodic reviews are performed to ensure that all customer information is updated and that every customer has the right risk classification. This is a crucial step in banks' and financial institutions' work to prevent financial crime. Here is a 3-step guide to the basics of Periodic Reviews.

This guide is based on a webinar on the same topic that we hosted in April. The slides and recording from the webinar are provided at the bottom of the page.

1. Why do you need to perform Periodic Reviews?

Since 2018, the European regulatory framework and the Norwegian anti-money laundering act have changed the way banks and financial institutions work to prevent financial crime. The goal of periodic reviews is to minimize the risk of such crimes, like money laundering and terror financing.

The Know-Your-Customer (KYC) principle is central to this effort. It requires financial institutions to monitor their customers' intent and behaviors in order to be able to react if a customer does something out of the ordinary.

This regular follow-up procedure is called Customer Due Diligence (CDD) and is done through periodic reviews. Depending on the jurisdictions you need to cover, the risk profiles of your customers, and the data sources you use, the periodic reviews aim to ensure that all your data on your customers is up to date at regular intervals.

2. How often should you do it?

The frequency of periodic reviews is not specified in the Nordic legal documents, as it all depends. What is clear, though, is that the frequency should vary with risk.

Even though the regulation does not explicitly state how often periodic reviews should be performed, large industry actors typically use the following schedule:

  • every 6-12 months for high-risk customers
  • every 12-24 months for standard-risk customers
  • and every 24-36 months for customers with low risk

This has been adopted by much of the industry and currently serves as the most common standard. However, it is important to point out that these numbers are not legislatively stipulated, but a practice that has spread through the industry.

The only specific legal requirement is as follows: To have updated, correct, and sufficient customer information. This means that a periodic review could be triggered by several factors and it needs to be specified based on your company’s profile.

3. What should be included?

The main principle is to make it simple for your customers. Don't ask for information you can retrieve from other trusted sources. 

You should also take advantage of digital tools, such as dynamic forms, so that the customer only needs to deal with what is relevant for them.

These tools can also minimize or remove some of the trade-offs, where a hybrid approach is advisable. Information that can be considered part of the public domain should be pre-filled, while questions regarding the use of products and services and underlying intentions should be left for the customer to answer.

The other side of this coin is that you should have a plan to use all the information that is collected, either from customers themselves or other sources.

Periodic Reviews Summarized

This brings us full circle to the purpose of the periodic review and its position as a tool in the AML regulatory framework: The collected information should be used to evaluate whether reclassification of the customer's risk should be performed. And you should use all the information that you've gathered to evaluate this.


For more information, here are the presentation slides and recording from our webinar on the topic:

