By: Money Navigator Research Team
Last Reviewed: 22/01/2026
FACT CHECKED
Quick Summary
A periodic KYC refresh is usually a routine re-check of information a bank must keep current, not an accusation or a signal that something is “wrong” with your business.
Banks have ongoing duties to monitor customer relationships and keep KYC information up to date, which can lead to re-checks years after onboarding (see the Money Laundering Regulations 2017 (SI 2017/692) PDF and the JMLSG Guidance Part I (July 2022) PDF).
Refreshes can be scheduled (time-based) or prompted by changes that affect risk – ownership updates, new geographies, new payment flows, or mismatches between expected and observed activity.
A refresh can be “light touch” (confirming details) or more detailed (requests for documents, explanations, and enhanced checks), depending on the bank’s risk assessment (see the FCA’s Financial Crime Guide (FCG) PDF and the FCA page on high-risk customers and enhanced due diligence).
Operational impact ranges from “no disruption” to “temporary limitations while information is reviewed”, depending on the bank and the case.
This article is educational and not financial advice.
What a “periodic KYC refresh” actually means
“KYC” (know your customer) is the set of checks banks use to understand who they are dealing with, what the business does, who owns or controls it, and whether the activity fits what’s expected.
A periodic refresh is the bank updating that understanding over time. Even if nothing has changed in your business, the bank may still need to:
re-confirm identifiers (company details, trading address, directors / controllers);
re-run screening (sanctions and politically exposed persons checks);
re-check whether the activity still fits the profile and risk rating.
The UK framework expects ongoing monitoring and up-to-date information, which is why an account can be re-checked long after onboarding (see the Money Laundering Regulations 2017 PDF and JMLSG Guidance Part I PDF).
Why banks revisit established SME accounts years later
1) Ongoing monitoring is not a one-off exercise
KYC is not only an “opening an account” requirement. Banks are expected to monitor relationships throughout their lifecycle and keep information current under a risk-based approach (see the JMLSG Guidance Part I PDF and the FCA’s Financial Crime Guide (FCG) PDF).
Practical impact: even stable, long-running businesses can receive periodic requests – sometimes via automated emails or in-app tasks – because the refresh is schedule-driven.
2) The bank’s risk view can change even if your business hasn’t
Risk scoring can shift because:
external risk signals change (new fraud typologies, sector alerts, updated sanctions lists);
the bank changes its own risk appetite or controls;
public data sources update (e.g., corporate filings and beneficial ownership details).
Enhanced checks are more likely in higher-risk contexts (see the FCA page on high-risk customers and enhanced due diligence).
3) Data quality and “record drift” builds up over time
Addresses, trading names, websites, directors, shareholder structures, and customer bases often evolve. A periodic refresh is a way for the bank to close the gap between:
what is on file; and
what is now true (or appears true) from activity and public records.
Common triggers that prompt a refresh on an established SME relationship
Banks use a mix of time-based cycles and event-based prompts. These triggers can overlap.
Ownership and control changes
If there are changes to PSCs (people with significant control) or the ownership chain, banks often re-verify beneficial ownership and controllers.
That is closely connected to the information businesses must keep current with Companies House (see GOV.UK: People with significant control (PSCs) and our guide on beneficial ownership and PSC changes triggering re-verification).
Screening hits and re-screening events (sanctions / PEP)
Even if nothing has changed in your company, screening results can change due to:
updated lists,
new adverse information,
new name-matching logic or thresholds.
Where risk is higher, banks may apply enhanced measures and enhanced ongoing monitoring (see the FCA’s page on high-risk customers and enhanced due diligence and our explainer on PEP and sanctions screening for directors and PSCs).
Activity looks different from the expected profile
Banks compare expected activity to observed activity over time. Common “mismatch” signals include:
new merchant categories or payment types;
higher chargeback/return rates in some models;
new customer acquisition channels or platforms;
unexpected volume spikes for the stated business model.
(See our guide to business model mismatch and MCCs.)
Cross-border flows and new corridors
International transfers can draw extra scrutiny because risk varies by jurisdiction, corridor, counterparties, and payment purpose. (See our guide on international payments under review.)
“Source of funds / source of wealth” questions emerge
Banks may ask how funds are generated and whether that aligns with the business and the people behind it – especially where flows are large, unusual, or complex. (See our explainer on source of funds vs source of wealth.)
Summary table
| Scenario | Outcome | Practical impact |
|---|---|---|
| Time-based refresh cycle reaches your account | Request to confirm or update details | Admin time; deadlines; possible reminders |
| PSC / ownership chain changed | Beneficial ownership re-verification | Requests for updated ownership chart / filings |
| Re-screening flags a director/PSC name | Enhanced checks may be applied | Slower review; more questions; escalations possible |
| Activity shifts from the historic pattern | “Profile re-assessment” | Requests for invoices, contracts, explanations |
| New cross-border counterparties | Payments/relationship assessed for corridor risk | Additional information requests; review queues |
| Large, unusual credits or third-party payments | Source of funds questions | Requests for evidence and context; possible temporary limits |
What information and documents banks typically request in a periodic refresh
The “shape” of requests varies, but common categories are:
Identity and role confirmation
Directors’ and key controllers’ identity evidence (varies by provider and channel)
Proof of address (or confirmation of address if already verified)
Role confirmation (who has authority; who controls)
Company and ownership structure
Confirmation statement details and shareholder structure
Ownership chart (especially if there are multiple entities)
PSC/controller confirmations
This overlaps with the broader document set banks rely on for business banking due diligence (see what documents banks check for business bank accounts).
Trading reality checks
High-level description of products/services, customer base, and sales channels
Website, marketing channels, key suppliers or platforms
Evidence of trading (e.g., sample invoices, contracts, purchase orders) where needed
Funds and flow explanations
Banks may ask where funds come from in practice (revenue sources, payment methods, typical counterparties), and sometimes how initial capital or large injections were accumulated – especially if activity is inconsistent with the historic profile (see source of funds vs source of wealth).
How the refresh process usually runs (and where delays happen)
Step 1: Request issued (often standardised)
Many banks use templated requests aligned to a risk framework. The request may be delivered:
by email,
in-app,
via relationship manager,
via a compliance portal.
Step 2: Triage and risk-based scoping
Accounts are typically triaged into “light”, “standard”, or “enhanced” review paths, depending on risk. Enhanced due diligence can be triggered by higher-risk factors or unclear information (see our guide to EDD for SMEs: triggers, checks, outcomes and the FCA page on high-risk customers and enhanced due diligence).
Step 3: Evidence review and reconciliation
Delays commonly arise when:
information is incomplete or inconsistent;
ownership/control is complex;
activity explanations do not map clearly to actual payment flows;
screening requires manual resolution.
Step 4: Outcome applied
Outcomes can include:
confirmation completed with no further action,
request for additional information,
change to the risk rating (which may affect monitoring intensity),
in some cases, restrictions or exit decisions (separately governed by the bank’s policies and legal duties).
Where the bank cannot be specific about what triggered a question, it may relate to legal constraints around disclosures in financial crime contexts (see why banks can’t explain restrictions and “tipping off”).
Scenario Table
| Scenario-level | Process-level | Outcome-level |
|---|---|---|
| Low-change, low-complexity SME | “Confirm and update” workflow | Refresh completed; monitoring baseline retained |
| Ownership/control changed | Beneficial ownership re-check + reconciliation | Updated controller record; risk score may change |
| Higher-risk indicator present (e.g., screening complexity) | Enhanced due diligence + enhanced monitoring | More evidence requested; longer review cycle |
| Activity profile materially shifted | Transaction pattern review + business model validation | Updated expected activity model; monitoring intensity adjusted |
| Cross-border expansion | Corridor/counterparty review | Additional information required; potential risk reclassification |
Practical operational impacts SMEs often see
A periodic refresh is frequently administrative, but it can still create operational friction:
Time and attention costs: gathering documents and answering questions on short deadlines.
Payment friction: some providers apply temporary limitations in certain cases while reviews are active (varies by institution and circumstances).
Follow-on checks: a refresh can lead to additional questions if it uncovers inconsistencies (ownership details out of date, unclear trading narrative, unexplained payment patterns).
When banks do need to apply limitations, the explanation provided can be minimal in some financial crime scenarios (see why banks can’t explain restrictions and “tipping off”).
Compare Business Bank Accounts
Different providers structure compliance workflows differently (self-serve portals vs relationship-led reviews, document formats, response windows, and how updates are submitted). If you want a neutral overview of account types and features across providers, see our comparison hub: Compare business bank accounts.
Frequently Asked Questions
There isn’t a single fixed interval across the market. Many banks run periodic refresh cycles on a risk-based schedule, meaning higher-risk profiles are typically reviewed more frequently than lower-risk ones (see the principles described in the Money Laundering Regulations 2017 PDF and the JMLSG Guidance Part I PDF).
Even within the same bank, refresh timing can vary by product type, delivery channel, and changes detected over time. A business can therefore experience a refresh “earlier than expected” if other triggers occur alongside the bank’s periodic cycle.
Not necessarily. A refresh is often a request to confirm or update information and can complete without any limitation to account use.
However, if required information is missing, contradictory, or indicates higher risk, the bank may apply additional checks. In some cases, that can coincide with temporary limitations while information is assessed, depending on the institution’s policies and legal obligations.
KYC files can become stale: documents expire, addresses change, names change, and verification standards evolve. Banks may also need to re-confirm who holds key roles and who ultimately controls the business.
Separately, public record updates and corporate filing changes can prompt reconfirmation of controllers. PSC information is also part of the wider corporate transparency framework (see GOV.UK: People with significant control (PSCs)).
Outcomes vary by bank and by the type of information requested. Some institutions issue reminders and allow extensions; others escalate the case to manual review if deadlines are missed.
If the bank is unable to complete required checks, it may be obliged to limit certain services or, in some circumstances, consider exiting the relationship. Those outcomes are not automatic, but they are part of how regulated firms manage incomplete KYC in practice.
Yes. A refresh can include “trading reality” questions – evidence that supports what the business does, who it trades with, and what typical payment flows represent.
This is often tied to reconciling observed account activity with the stated business model. The bank may request a small sample rather than a full trading history, especially where the goal is simply to validate categories of activity.
Banks may ask for the source of funds when activity levels, payment patterns, or funding events are difficult to reconcile with the historic profile – particularly where there are large inflows, third-party payments, or unusual credits.
“Source of funds” is usually about the immediate origin of money entering the account; “source of wealth” is broader and can relate to the accumulated wealth of owners/controllers in certain contexts (see the FCA discussion in the Financial Crime Guide (FCG) PDF).
They can. Screening is not only an onboarding step; results can change as lists update, data quality improves, or name-matching logic changes. A “hit” can be a false positive that still needs resolution.
Where higher risk is identified, firms are expected to apply enhanced due diligence and enhanced ongoing monitoring (see the FCA page on high-risk customers and enhanced due diligence).
Cross-border activity can increase complexity: multiple jurisdictions, correspondent banking chains, and varying risk profiles across corridors and counterparties. Banks may need clearer purpose-of-payment context and counterparty details.
This does not automatically imply wrongdoing. In practice it often reflects risk-based monitoring rules and the need to keep expected activity models aligned with actual behaviour.
Yes. A refresh may result in the bank updating its view of the business – sometimes due to genuine business evolution (new markets, new products, new payment methods), and sometimes due to improved data.
A changed risk rating can affect how frequently monitoring occurs and what level of evidence is requested in future. That can feel like “more checks”, even when the business is operating normally.
Banks may provide limited detail in some financial crime contexts, including where disclosure constraints apply. That can make it difficult for businesses to understand the “why” behind a request.
If a business wants to raise a service complaint (for example, delays or unclear communications), the usual pathway is: complain to the firm first, then escalate if unresolved. The Financial Ombudsman Service explains the general steps and timelines in its consumer guide on how to complain.
Periodic KYC refreshes tend to feel personal because they interrupt day-to-day operations, but the underlying mechanism is usually systemic: banks are continually reconciling:
- Identity
- Ownership/control
- Expected activity against what they observe and what external data sources show.
Over time, “small drifts” (old records, changed trading patterns, new counterparties) can accumulate until the relationship no longer fits the stored profile – so the refresh becomes the point where the bank realigns the file to the live reality.
Related Content
