Ongoing Due Diligence

Last Updated: 04/30/2026


Ongoing Due Diligence: At a Glance

  • Ongoing due diligence refers to monitoring relationships with existing customers to identify and mitigate ML/TF risks.
  • Regulated entities must conduct periodic KYC, regular screening, and transaction monitoring to identify changes in customer profiles and assess customer risks.
  • AML UAE helps financial institutions, DNFBPs and VASPs in the UAE design policies and implement CDD and ongoing KYC measures to detect anomalies and prevent financial crime.

What Is Ongoing Due Diligence in AML Compliance?

Ongoing due diligence (ODD) is the continuous monitoring of customer relationships after onboarding to detect evolving ML/TF/PF risks. Under UAE Federal Decree-Law No. 10/2025, all regulated entities must conduct periodic KYC refreshes, real-time transaction monitoring, sanctions rescreening and event-driven reviews. AML-related failures attracted over AED 370 million in CBUAE fines in 2025. ODD differs from CDD (onboarding verification) and EDD (deep-dive for high-risk clients) by operating as a perpetual compliance cycle rather than a point-in-time check.

Ongoing Due Diligence: Definition

Ongoing due diligence (ODD) is the continuous process of monitoring existing customer relationships to detect changes in risk profiles, transaction behaviour and beneficial ownership that may indicate money laundering, terrorist financing or proliferation financing.

Under UAE Federal Decree-Law No. 10/2025 and Cabinet Decision No. 134/2025, all financial institutions, DNFBPs and VASPs must maintain ODD programs that include periodic KYC refreshes, real-time transaction monitoring, sanctions and PEP rescreening, and event-driven reviews when material changes occur.

How It Works

Ongoing Due Diligence (ODD) is an important regulatory requirement under the UAE’s AML/CFT laws, under which customers and their activities are monitored on a continuous basis once the business relationship is established.

A customer who poses low risk at onboarding may become high-risk due to several factors, such as expansion of the business into high-risk jurisdictions or changes in the customer’s ownership structure or controlling rights.

ODD ensures the detection of emerging ML/TF or PF risks, behavioural changes in customers that point to evasive conduct (cf. FATF Recommendation 10, Interpretive Note, para. 18 “Financial institutions should be required to conduct ongoing due diligence on the business relationship”), and any potentially illicit financial activity that may have developed after onboarding.

The UAE’s regulatory regime emphasises a risk-based approach (per Article 4 of Federal Decree-Law No. 10/2025 and Articles 16-19 of Cabinet Resolution No. 134/2025) for Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Asset Service Providers (VASPs) operating within the UAE, so that they can counter evolving financial threats more effectively and remain compliant through efficient ongoing monitoring.

The ODD Lifecycle: Four Phases

ODD Lifecycle

  1. Trigger Identification
  2. Data Collection & Refresh
  3. Risk Reassessment & Decision
  4. Documentation & Feedback Loop

Scheduled or event-driven · Risk-proportionate · Fully documented · Continuously improving

Phase 1: Trigger Identification

ODD is initiated either on a scheduled basis (driven by the customer’s risk tier) or by a specific event (see Event-Driven Due Diligence below). Common triggers include the annual review cycle, a sanctions list update matching the customer’s profile, unusual transaction patterns flagged by the monitoring system, or a material change in the customer’s business structure.

Phase 2: Data Collection and Refresh

The compliance team collects updated information: current identification documents, refreshed screening results (sanctions, PEP, adverse media), recent financial statements or transaction data, and any changes to beneficial ownership or authorised signatories. The depth of collection is proportionate to the customer’s risk classification.

Phase 3: Risk Reassessment and Decision

The collected data is assessed against the entity’s customer risk assessment methodology. The outcome determines whether the customer’s risk rating changes (upgrade, downgrade, or maintain), whether enhanced measures are required, or whether the relationship should be exited. Every decision is documented with a supporting rationale.

Phase 4: Documentation and Feedback Loop

All findings, decisions, and actions are recorded in the customer’s file. If the review surfaces a suspicious activity indicator, the compliance team escalates to the MLRO for potential STR filing via goAML. Lessons from individual reviews feed back into the entity’s broader risk assessment and control framework, improving future detection capability.

Did You Know?

The UAE Central Bank issued over AED 370 million in AML-related fines in 2025 alone, with failures in customer monitoring and transaction surveillance accounting for the majority of penalties. Continuous review of customer relationships is no longer a best practice; under Federal Decree-Law No. 10/2025, it is a legal obligation carrying fines of up to AED 5 million per violation for regulated entities.

Why Does Ongoing Due Diligence Matter?

Customer risk is not static. A low-risk client onboarded in 2022 may now operate in a FATF grey-listed jurisdiction, hold politically exposed connections, or channel funds through newly sanctioned intermediaries. Without continuous oversight, these shifts remain invisible until a regulator, auditor, or law enforcement agency surfaces them.

For UAE-regulated entities, the stakes are concrete. The Central Bank, DFSA, FSRA, CMA, MoET, and VARA each conduct inspections that test whether firms can demonstrate active, documented monitoring, not just policies on paper. Firms that treat ODD as a checkbox exercise face enforcement actions that go beyond fines: licence suspensions, personal liability for senior management, and reputational damage that disrupts banking relationships.

ODD also serves a commercial function. Firms with mature monitoring programmes detect risk-profile changes early, enabling proactive decisions: exiting a relationship before exposure crystallises, or upgrading controls before an inspection finds gaps. In a market where correspondent banks scrutinise UAE entities closely, demonstrating robust ODD capability is a competitive differentiator.

Who Must Perform Ongoing Due Diligence in the UAE?

Under Federal Decree-Law No. 10/2025 and Cabinet Resolution No. 134/2025, ODD obligations apply to three broad categories of regulated entities across the UAE mainland and financial free zones:

| Category | Examples | Primary Regulator(s) |
| --- | --- | --- |
| Financial Institutions (FIs) | Banks, exchange houses, insurance companies, finance companies, payment service providers | CBUAE, CMA |
| DNFBPs | Real estate agents/brokers, dealers in precious metals and stones (DPMS), lawyers, accountants, TCSPs, commercial gaming operators | Ministry of Economy and Tourism, Ministry of Justice, GCGRA |
| Virtual Asset Service Providers (VASPs) | Crypto exchanges, custodial wallet providers, virtual asset transfer services, DeFi on-ramp/off-ramp platforms | VARA (Dubai), FSRA (ADGM), CMA (mainland) |
| Free Zone Entities (DIFC) | Wealth managers, fund administrators, advisory firms, fintech companies | DFSA |
| Free Zone Entities (ADGM) | Financial services firms, crypto-native businesses, corporate service providers | FSRA/Registration Authority (RA) |

Note: ODD obligations extend to all customer types, including natural persons, legal persons, legal arrangements, beneficial owners, and authorised signatories. The scope covers both existing and legacy relationships onboarded before the 2025 law took effect.

How Does ODD Differ from CDD and EDD?

Understanding the differences between Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and Ongoing Due Diligence (ODD) is essential for building a compliant AML program. Each serves a distinct purpose within the customer lifecycle, and UAE regulators expect firms to apply all three appropriately based on risk.

| Due Diligence | Customer Due Diligence (CDD) | Enhanced Due Diligence (EDD) | Ongoing Due Diligence (ODD) |
| --- | --- | --- | --- |
| When Applied | At onboarding before establishing a business relationship | At onboarding or during the relationship for high-risk customers | Continuously throughout the entire business relationship |
| Purpose | Verify customer identity and assess initial risk level | Conduct deeper investigation into high-risk customers, PEPs and complex structures | Monitor for changes in behaviour, risk profile and transaction patterns over time |
| Scope | Identity verification, beneficial ownership, basic risk assessment | Source of wealth and funds, detailed background checks, senior management approval | Transaction monitoring, periodic KYC refresh, sanctions and PEP rescreening, adverse media checks |
| Risk Level | Standard and low-risk customers | High-risk customers, PEPs, high-risk jurisdictions, complex ownership | All customers, with frequency and depth scaled to risk rating |
| UAE Legal Basis | Federal Decree-Law No. 10/2025, Articles on CDD obligations | Federal Decree-Law No. 10/2025, Cabinet Decision No. 134/2025 on EDD measures | Federal Decree-Law No. 10/2025, CBUAE guidelines on continuous monitoring |
| Frequency | Once at onboarding (refreshed during ODD) | Triggered by risk indicators or regulatory requirement | Periodic reviews (e.g. annually for medium risk, every 6 months for high risk) plus event-driven triggers |

What Are the Key Objectives and Scope of Ongoing Due Diligence?

The primary objective of ODD is to ensure that customer information is accurate, complete and up to date. This covers tracking changes to customer data, beneficial ownership structures and customer behaviour, and updating risk profiles accordingly.

ODD also involves real-time monitoring of transactions, including deposits, transfers, and withdrawals, to identify unusual patterns, suspect ML/TF risks, and systematically align the changes with customer profiles.

Continuous monitoring ensures customers’ behaviour matches their profiles and helps detect red flags, anomalies and evolving risks to prevent financial crime.

However, the level of monitoring varies based on the customer risk scoring. For instance, high-net-worth individuals, charity organisations, crypto users, cross-border clients, and corporate customers may require increased scrutiny because of their higher vulnerability to ML/TF risk.

The frequency and depth of ODD reviews should align with the customer’s risk rating. As a general benchmark, high-risk customers (including PEPs, those linked to sanctioned jurisdictions and complex corporate structures) should be reviewed at least every six months. Medium-risk customers typically require an annual review, while low-risk customers may be reviewed every two to three years. However, these intervals are minimums; event-driven triggers can require immediate reassessment regardless of the scheduled review date.

"Ongoing due diligence is not a periodic checkbox exercise. It is a living, risk-responsive process that must adapt as quickly as the threats it is designed to detect. The entities that treat ODD as a static annual task are the ones regulators find non-compliant."

What Are the Core Components of an Effective ODD Program?

An effective ODD program includes the following core components:

  • Periodic updates or re-KYC at regular intervals to re-assess customers and update their risk ratings and customer profiles.
  • Ongoing screening against sanctions lists, PEP databases, and adverse media sources.
  • Monitoring customer transaction patterns and behaviours in real time.
  • Reviewing customer information when suspicious activity is identified, such as during ownership changes, involvement with high-risk jurisdictions, and unusual activity.

Pro Tip: Align your ODD review calendar with your entity’s business risk assessment (BRA) cycle. When the BRA is updated annually, use it as a trigger to recalibrate customer risk tiers and adjust monitoring frequency accordingly. This ensures your ODD programme reflects current threat levels rather than outdated assumptions from initial onboarding.

Key Money Laundering Typologies ODD Should Detect

ODD monitoring rules and reviewer training should be calibrated to the following UAE-relevant typologies identified in the 2024 National Risk Assessment:

  • Trade-based money laundering (TBML): Over- or under-invoicing, phantom shipments, and misrepresented goods in import/export transactions.
  • Real estate layering: Use of multiple property transactions, nominee purchasers, or rapid buy-sell cycles to obscure the origin of funds.
  • Structuring (smurfing): Breaking large cash deposits or transfers into smaller amounts to avoid reporting thresholds.
  • Shell company misuse: Complex corporate structures with opaque beneficial ownership designed to disguise the source or destination of funds.
  • Virtual asset laundering: Rapid movement of cryptocurrency through multiple wallets, use of mixing services, or conversion between virtual and fiat currencies.
  • Professional enablers: Lawyers, accountants, or corporate service providers facilitating the creation of structures that obscure illicit fund flows.

ODD Accountability: Who Does What

Clear role assignment prevents gaps in the review cycle. The following responsibility matrix applies to most UAE regulated entities:

| Activity | Responsible | Accountable | Consulted | Informed |
| --- | --- | --- | --- | --- |
| Schedule periodic reviews | Compliance team | MLRO / CO | Risk team | Senior management |
| Conduct KYC refresh | Onboarding / ops team | Compliance team | Relationship manager | MLRO |
| Run sanctions / PEP screening | Screening system (automated) | Compliance team | IT / vendor | MLRO |
| Re-assess customer risk tier | Compliance analyst | MLRO / CO | Risk committee | Senior management |
| Approve high-risk retention | Senior management | Board | MLRO / CO | Compliance team |
| Conduct independent audit | Internal audit / external firm | Board / audit committee | Compliance team | Regulators (on request) |

Key Performance Indicators for ODD Programs

Measuring ODD effectiveness requires quantifiable indicators. The following KPIs help compliance teams and boards assess whether the program is functioning as intended:

  1. Review completion rate: Percentage of scheduled periodic reviews completed on time versus total due. Target: 95% or above.
  2. Risk re-classification rate: Percentage of reviewed customers whose risk tier changed during the review period. A rate of zero may indicate rubber-stamping rather than genuine reassessment.
  3. Alert-to-STR conversion ratio: Number of STRs filed versus total monitoring alerts generated. A very low ratio may indicate poorly calibrated rules; a very high ratio may indicate under-alerting.
  4. Average time-to-close for reviews: Mean number of business days from review initiation to documented closure. Prolonged reviews signal resource constraints or process inefficiency.
  5. Screening coverage rate: Percentage of active customers screened against current sanctions lists and PEP databases within the last 30 days. Target: 100%.
  6. Audit finding recurrence rate: Number of ODD-related findings repeated across consecutive internal or external audit cycles. Recurring findings indicate systemic weaknesses rather than isolated lapses.

When Should Event-Driven Due Diligence Be Triggered?

While periodic reviews form the backbone of ODD, certain events require immediate reassessment of a customer’s risk profile outside the regular review cycle. This is known as event-driven review, and UAE regulators expect firms to act promptly when triggers arise.

Common triggers for event-driven reviews include:

  • A significant or unusual transaction that does not align with the customer’s established profile or expected activity
  • Changes in beneficial ownership, corporate structure or controlling interests of a legal entity customer
  • A customer or related party appearing on updated sanctions lists, PEP databases or adverse media reports
  • The customer expanding operations into high-risk jurisdictions
  • Filing of a Suspicious Transaction Report (STR) related to the customer
  • Regulatory changes that alter the risk classification of a customer’s sector or geography
  • Material changes in the customer’s business model, such as shifting from domestic retail to international trade finance

Firms that rely solely on scheduled periodic reviews without responding to these trigger events leave themselves exposed to regulatory criticism. A customer who was low-risk at onboarding can shift to high-risk status rapidly, and failing to detect and act on that shift is one of the most common findings in UAE regulatory inspections.

How Does Ongoing Due Diligence Apply to Third-Party Relationships?

Continuous monitoring obligations are not limited to direct customer relationships. UAE AML regulations also require regulated entities to monitor the third parties, agents, intermediaries and correspondents they rely on in delivering services. If a third party has weak AML controls, the risk flows directly to the regulated entity.

An effective third-party ODD program should include:

  • Defining clear AML compliance requirements that third parties must meet as a condition of the relationship
  • Conducting periodic assessments of the third party’s AML controls, policies and screening procedures
  • Monitoring for red flags such as regulatory actions against the third party, changes in ownership or negative media coverage
  • Maintaining documented records of all third-party due diligence activities and findings for audit and regulatory review
  • Reassessing the relationship when the third party operates in or expands into high-risk jurisdictions

The FATF standards and UAE’s regulatory guidance both emphasise that regulated entities cannot outsource their compliance obligations. Even when a third party performs screening or verification on a firm’s behalf, the regulated entity retains full responsibility for the adequacy and accuracy of those checks.

What Does UAE Law Require for Ongoing Due Diligence?

UAE Federal Decree-Law No. 10 of 2025 and Cabinet Decision No. 134 of 2025 mandate financial institutions, DNFBPs, and VASPs to identify, verify and continuously monitor customers to prevent financial crime. This includes implementing risk-based CDD and continuous monitoring, and analysing multiple ML/TF/PF risk factors, such as customer type and transactions, among others.

The Central Bank of the UAE (CBUAE) expects banks and exchange houses to conduct KYC and ongoing transaction monitoring to confirm the legitimacy of their customer and funds.

Ministry of Economy (MoET), Ministry of Justice (MoJ), Virtual Assets Regulatory Authority (VARA), and Capital Market Authority (CMA) mandate DNFBPs, VASPs, brokers and asset managers to monitor customer activities, update information, evaluate risks, and implement enhanced due diligence.

Moreover, regulated entities must also document findings, maintain audit trails to keep track of customer activities & records, and report suspicious activity to ensure AML/CFT compliance.

Jurisdiction-Specific ODD Requirements

  • UAE Mainland (CBUAE-Regulated Entities): The CBUAE AML/CFT Guidelines (Section 6.3.5) require licensed financial institutions to scrutinise transactions throughout the relationship, ensure consistency with the institution’s knowledge of the customer, and update CDD information on a risk-sensitive basis.
  • DIFC (DFSA-Regulated Entities): Firms must apply EDD and enhanced ongoing monitoring. In 2025, the DFSA increased unannounced inspections targeting crypto firms and wealth managers operating within the DIFC.
  • ADGM (FSRA-Regulated Entities): The FSRA operates a three-tier CDD system (simplified, standard, enhanced) and expects blockchain analysis to be used as a practical measure for crypto-related transactions. The FSRA pursued 16 enforcement actions in 2025, with four specifically related to AML deficiencies, including inadequate customer due diligence and failures in ongoing monitoring.
  • VASPs (VARA-Regulated, Dubai): VARA’s AML Rulebook mandates comprehensive ODD for virtual asset service providers, including real-time transaction monitoring for on-chain activity, travel rule compliance, and counterparty risk assessment. The Federal AML regime applies in addition to VARA’s own rules.
  • DNFBPs (MoE / MoJ-Supervised): The Ministry of Economy supervises real estate agents, DPMS, accountants, TCSPs, and gaming operators. The MoJ supervises lawyers, notaries, and other legal professionals. The September 2025 DNFBP Guidelines and Circular No. 6/2025 specifically emphasise risk-based CDD implementation, with practical guidance on SDD and the expectation of documented ongoing monitoring proportionate to identified risks.

Regulatory Reference: FATF Recommendation 10 requires financial institutions to conduct ongoing due diligence on business relationships, including scrutiny of transactions throughout the course of those relationships. In the UAE, Article 16 of Cabinet Resolution No. 134/2025 requires regulated entities to implement continuous monitoring measures proportionate to the ML/TF/PF risk level assigned during the customer risk assessment. The CBUAE Guidance for Licensed Financial Institutions (June 2021), Section 6.3.5, further details the requirements for ongoing monitoring of business relationships, including transaction scrutiny and periodic information updates.

How Do AI and Automation Support Ongoing Due Diligence?

Using technology in ODD helps identify, evaluate and mitigate ML/TF/PF risks. Automated transaction monitoring systems enable risk-based continuous monitoring through rule-based and AI-enhanced models that identify unusual patterns and anomalies. Screening systems with Natural Language Processing (NLP) scan customer information against unstructured data (e.g., negative news sources) to help identify individuals associated with adverse media. Further, these systems support ongoing screening against updated sanctions lists and PEP databases through real-time alert generation.

AML tools enable integration of onboarding data with case management and monitoring platforms, providing structured data flow, traceability, and real-time risk identification. This integration replaces manual data entry, improves accuracy, and helps meet AML/CFT compliance obligations.

What Red Flags Does Ongoing Due Diligence Help Identify?

Effective continuous monitoring helps regulated entities identify the following red flags and risk indicators:

  • Large and frequent transfers of funds that are inconsistent with the customer’s stated profile.
  • Unexplained use of offshore structures or high-risk jurisdictions, which may signal tax evasion or the concealment of illicit funds or true owners.
  • Rapid cash-based transactions that may be used to avoid thresholds, indicating smurfing or structuring.
  • Unusual crypto activity, such as large sums of crypto moving quickly in and out of a wallet, or unexplained large and frequent transactions.
  • Frequent, unexplained changes in beneficial owners, sudden changes in business model, or use of a complex corporate structure, which often indicate an attempt to hide the true owners or the source of funds.

What Are the Best Practices for Ongoing Due Diligence in the UAE?

Building a strong ODD program requires more than meeting minimum regulatory requirements. The following best practices help UAE-regulated entities stay ahead of compliance expectations and reduce exposure to enforcement risk:

  • Document every decision: Record who was checked, what was found, how the risk was scored, what was escalated and why. UAE regulators treat undocumented decisions as if they never happened.
  • Set clear review schedules by risk tier: High-risk customers should be reviewed frequently, say every six months, medium-risk customers annually and low-risk customers every two to three years. Maintain a compliance calendar that tracks upcoming reviews.
  • Combine periodic and event-driven reviews: Scheduled reviews catch gradual shifts. Event-driven reviews catch sudden changes. Both are necessary; neither is sufficient on its own.
  • Train staff to recognise and escalate red flags: Compliance officers and front-line staff should receive regular, documented training that covers UAE-specific typologies such as trade-based money laundering, real estate layering and crypto-related risks.
  • Use technology to reduce manual gaps: Automated screening, real-time transaction monitoring and AI-powered anomaly detection reduce human error and ensure coverage across large customer portfolios.
  • Conduct independent testing: Periodic audits of your ODD program by internal audit or external reviewers help identify weaknesses before regulators do.
  • Maintain a centralised case management system: All customer reviews, alerts, escalations and decisions should be recorded in one system with a full audit trail for regulatory inspection.

ODD Compliance Checklist for UAE Entities

  • Customer risk profiles documented and tiered (high / medium / low)
  • Review frequency defined per risk tier (e.g. 6 months / 12 months / 24 months)
  • Transaction monitoring rules calibrated to business type and customer segment
  • Sanctions and PEP screening integrated with the ongoing monitoring cycle
  • Adverse media screening conducted at each scheduled review
  • Beneficial ownership information verified and updated at each review cycle
  • Source of funds and source of wealth reassessed for high-risk customers
  • STR/SAR escalation triggers documented and staff trained on filing via goAML
  • Record-keeping meets the 5-year minimum retention requirement
  • Annual independent audit of ODD programme effectiveness completed

What Are Common Weaknesses in ODD Programs?

The following are some of the common weaknesses in ODD programs:

  • Outdated customer information with no regular or periodic KYC checks.
  • Lack of integrated systems, which leads to fragmented information.
  • Failure to analyse customer behaviour to detect anomalies in transaction patterns.
  • Ineffective staff training or improper documentation of customer information may affect escalation and regulatory reporting procedures.

How Does AML UAE Strengthen Ongoing Due Diligence for UAE Businesses?

AML UAE supports regulated entities in designing tailored AML policies and procedures for monitoring existing customers. Its managed KYC support helps implement re-KYC and ongoing monitoring to detect suspicious behaviour and keep customer data up to date.

AML UAE helps select AML software that implements sanctions screening and risk scoring, and maintains audit trails for regulatory readiness. Further, it helps identify compliance gaps in ODD processes through conducting a health check.

Moreover, AML UAE provides staff training to enable them to effectively monitor customers, identify & mitigate risks, and escalate suspicious activity for investigation and regulatory reporting.

Whether your organisation is a bank, exchange house, real estate brokerage, precious metals dealer, law firm, accounting practice or VASP, AML UAE tailors its ODD support to the regulatory requirements specific to your sector and supervisory authority. Its approach covers the full ODD lifecycle, from policy design and technology selection through to staff upskilling and regulatory readiness testing.

AML UAE ODD Service Framework

Gap Assessment and Diagnostics

AML UAE conducts independent ODD health checks to benchmark your current programme against regulatory expectations. The assessment maps your review cycles, documentation standards, screening coverage, and escalation procedures against the requirements of CBUAE, DFSA, FSRA, MoET, MoJ, and CMA (as applicable) and delivers a prioritised remediation roadmap.

Policy Design and Calibration

We develop risk-proportionate ODD policies, including customer risk-tier definitions, review frequency matrices, trigger-event catalogues, and RACI frameworks tailored to your entity’s size, sector, and supervisory authority.

Technology Selection and Implementation

AML UAE helps regulated entities evaluate, select, and implement AML software for automated sanctions rescreening, adverse media monitoring, transaction surveillance, and risk-score recalculation, ensuring the technology supports your ODD process rather than replacing human judgment.

Managed KYC and Periodic Review Execution

For entities that need operational support, AML UAE provides managed Re-KYC services: collecting updated documentation, refreshing screening results, re-assessing risk profiles, and documenting outcomes to examination-ready standards.

Training and Competency Building

Our training programmes cover ODD responsibilities for front-line staff, compliance officers, MLROs, and senior management, with scenario-based exercises drawn from real UAE enforcement actions to build practical detection capability.

Variants, Synonyms, and Related Abbreviations

The following terms are used interchangeably with or closely related to ongoing due diligence across different regulatory frameworks, jurisdictions, and compliance platforms:

| Term / Abbreviation | Context / Usage |
| --- | --- |
| ODD | Standard abbreviation for ongoing due diligence, widely used in FATF and UAE regulatory guidance |
| Continuous monitoring | Preferred term in transaction monitoring contexts; emphasises real-time or near-real-time surveillance |
| Periodic review / Re-KYC | Scheduled reassessment of customer identity, risk profile, and documentation at defined intervals |
| Customer lifecycle management | Broader compliance term encompassing onboarding CDD, periodic ODD, event-driven EDD, and offboarding |
| Enhanced ongoing monitoring | Intensified ODD applied to high-risk customers; combines periodic review with event-driven triggers |
| pKYC (Perpetual KYC) | Technology-driven model replacing periodic reviews with continuous, automated data refresh and risk recalculation |
| Post-onboarding due diligence | Synonym used in M&A and correspondent banking contexts for ongoing checks after initial approval |

Related Glossary Terms

  • Customer Due Diligence (CDD) → /customer-due-diligence
  • Enhanced Due Diligence (EDD) → /enhanced-due-diligence
  • Know Your Customer (KYC) → /know-your-customer
  • Suspicious Transaction Report (STR) → /suspicious-transaction-report
  • Politically Exposed Person (PEP) → /politically-exposed-person
  • Beneficial Ownership → /beneficial-ownership
  • Risk-Based Approach (RBA) → /risk-based-approach
  • Transaction Monitoring → /transaction-monitoring
  • Name Screening → /name-screening
  • AML Compliance Program → /aml-compliance-program

Summary: The Non-Negotiable Role of Ongoing Due Diligence

Ongoing due diligence is the mechanism that converts a point-in-time onboarding check into a living, adaptive compliance programme. In the UAE’s current regulatory environment, where enforcement actions exceed AED 380 million annually, and personal liability for senior management is now codified in law, a passive approach to customer monitoring is a quantifiable business risk.

The framework is clear: Federal Decree-Law No. 10/2025 and its Executive Regulations require risk-proportionate, documented, and continuous oversight of every business relationship. Regulators across all jurisdictions, from the Central Bank to VARA, are testing not whether policies exist but whether they work in practice.

Firms that invest in structured ODD programmes, supported by clear accountability (RACI), measurable KPIs, and risk-calibrated review cycles, will meet regulatory expectations while building operational resilience. Those that do not will find that the cost of remediation after an enforcement action far exceeds the cost of getting it right from the start.

Ready to Strengthen Your ODD Programme?

AML UAE provides end-to-end support for building, auditing, and operationalising ongoing due diligence frameworks tailored to UAE regulatory requirements. From gap assessments and policy development to managed KYC refresh services and compliance training, our team helps regulated entities move from reactive to proactive compliance. Contact AML UAE to schedule a confidential ODD gap assessment.

General FAQs on Ongoing Due Diligence

What is Ongoing Due Diligence in AML/CFT?

ODD refers to the continuous monitoring of business relationships with existing customers after onboarding to detect anomalies that indicate money laundering and terrorist financing.

An effective ongoing monitoring program includes periodic KYC, transaction monitoring, PEP, sanctions, & adverse media screening, as well as reviewing customer information to detect suspicious activity.

ODD is a critical aspect of an AML framework because it helps identify ML/TF risks in existing customers and ensures their profiles are accurate and up to date to comply with AML/CFT legal obligations.

Updates to customer profiles, expiry of customer documents, unusual transaction patterns, changes in customer behaviour, and changes in beneficial ownership trigger a review of customer information during ODD.

The frequency depends on the customer’s risk rating. High-risk customers, including PEPs and those operating in high-risk jurisdictions, should be reviewed at least every six months. Standard-risk customers typically undergo annual reviews, and low-risk customers may be reviewed every two to three years. In addition to these periodic reviews, event-driven triggers (such as unusual transactions, ownership changes or new sanctions designations) should prompt immediate reassessment regardless of the scheduled cycle.


About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.
