US$40,000,000. £44,000,000. C$176,960,190.

These figures represent just a few of the fines issued by FinCEN (US), FCA (UK), and FINTRAC (Canada) in 2025 for the same underlying weaknesses: from insufficient customer identification procedures to ineffective systems for maintaining up-to-date due diligence and risk assessments. 

The penalties are still climbing, even as global spend on Anti-Money Laundering (AML) compliance and Know Your Customer (KYC) checks by financial institutions continues to reach new heights. A large part of this problem is that KYC hasn’t adapted to the reality of how customer risk evolves.

The conventional KYC approach operates under a periodic review model. This can let customers shift from low‑risk to high‑risk in a short period of time, often remaining undetected for months or even years until the next scheduled review. In other words, it breaches fundamental expectations for effective financial crime controls.

The need for transformation goes beyond efficiency: it’s essential. Capgemini’s latest whitepaper examines why perpetual KYC (pKYC) represents a necessary operating reset.

We speak with Manish Chopra, Global Head of Financial Crime and Compliance at Capgemini, about what’s really driving enforcement actions and why broader pressures mean the time for change is now.

Q1. Banks continue to invest billions in AML compliance, yet regulators still identify recurring deficiencies. What’s driving this disconnect?

Banks aren’t faltering for a lack of investment. There’s a broader issue playing out here: the current KYC operating model has become a structural bottleneck. It duplicates investigation. It misses red flags and traps analysts by creating unnecessary work on low-risk customers. It was built for a different era. And in today’s world, that simply does not work. Regulators see the gaps because risk evolves continuously – while most KYC programs still operate on fixed, calendar-based, and often manual reviews.

This creates an accountability gap when customer risk outpaces a firm’s ability to detect and respond. It’s why we see many of the enforcement actions and large fines made public ultimately come down to inadequate KYC. Until the approach shifts from periodic to proactive, the deficiencies will persist.

Q2. What’s fundamentally different about regulatory expectations today compared to five or ten years ago?

A decade ago, many programs could pass on documentation and periodic reviews. Today, the enforcement reality is clear: regulators are judging firms, big and small, on whether they can identify, explain, and act on changing customer risk at the moment it matters – not months or a year later.

Regulatory authorities worldwide also recognize that an effective, risk-based, and reasonably designed AML/CFT program is critical for protecting national security and the integrity of the financial ecosystem. Why? Because financial crime thrives when emerging risk signals are identified too late to prevent harm. On that basis, supervisors increasingly expect firms to show that their controls can keep pace.

Q3. What is perpetual KYC (pKYC)?

Perpetual KYC (pKYC) reduces reliance on the calendar-based refresh cycle. It’s a risk-based compliance approach that continuously monitors and updates customer information in real-time or near real-time, using data triggers and automation. pKYC strengthens a firm’s defenses by making decisions traceable, timely, and evidence based – closing the gap regulators most often cite in enforcement actions.

Q4. If I were the Head of Financial Crime today, what questions should I ask about my current KYC program?

Any regulated financial institution that wants to maintain its license to do business must demonstrate to regulators that it has an effective financial crime and compliance framework in place. Crucially, this framework needs to be on par with the firm’s risk profile spanning its customers, products and services, transactions, geographical presence, and delivery channels. 

I’d start with the “Know” part of KYC just because it’s so critical. A financial institution must truly understand each customer: who controls the organization, what types of activities or business they routinely conduct, and their source of wealth and income. Based on all this, can we clearly explain why a customer had a specific risk rating at any moment in time? And if challenged, can we come up with a decision with confidence?

Then look at the responsiveness. If a high-risk event happens on a Monday, would we know by Tuesday, or months down the road? And once we detect it, do we have clear ownership of process and an end-to-end course of action? If the answer’s no, the issue is structural, not a staffing, training, or resourcing problem.

Q5. What’s the key message from Capgemini’s new KYC report?

The takeaway is straightforward: financial crime is evolving faster than traditional KYC programs can respond. A reliance on periodic KYC reviews will continue to create reputational, operational, and financial damage. Modernizing KYC is a compliance necessity and a strategic differentiator in 2026.

This isn’t a technology upgrade. It requires a new foundation built on three pillars: intelligent automation, decision-ready insights, and the ability to adapt controls as risk changes. And all this needs to be grounded in clarity, transparency, and regulatory alignment. Taken together, these elements form the backbone that takes KYC programs from reactive reviews to spotting risks as they happen.