Author: Dan Frechtling, SVP, Product and Strategy at LegitScript
Most payments firms combat financial crime with upfront underwriting followed by point-in-time reviews. Yet these practices fall short: 76% of financial organizations still reported attempted or actual fraud in 2025.
These threats stem from a fundamental mismatch: periodic reviews face off against real-time adaptation by AI-powered bad actors. Preventing fraud-related margin losses now requires payment companies to understand and respond to shifting transaction risks, while adopting “perpetual Know Your Customer” (pKYC) practices to prevent future shortfalls.
Understanding this shift starts by examining the limitations of traditional Know Your Customer (KYC) frameworks.
Static Checks in a Dynamic Risk Environment
Standard KYC practices were intended to verify identity at a fixed point in time. Conventional approaches rely on Customer Identification Procedures (CIP) and customer due diligence (CDD), requiring merchants to submit names, dates of birth, addresses, and government-issued identification numbers to their payment service provider (PSP). While these assessments are important for meeting compliance obligations, they fall short of thoroughly assessing risk as fraud tactics evolve.
PSPs designed these exposure snapshots for earlier operating models, but they are gradually becoming outdated as newer transaction abuse schemes emerge. Problematic merchants are now aware of how traditional risk assessments work and can optimize their profiles to pass initial reviews and then adjust their tactics after approval. Several post-onboarding factors often signal that a merchant misrepresented themselves for point-of-entry review, including:
- Abrupt increases in chargebacks
- Drastic changes in payment volumes
- Abnormal settlement types
When KYC is performed solely at onboarding or at fixed intervals, payments companies miss these early warning signs and lose insight into how a merchant’s risk posture evolves. Left undetected, these issues often surface down the line as compliance costs, forcing payments companies to establish additional controls that increase friction for legitimate customers. This tension only escalates as scams become easier to scale.
Onboarding Isn’t Enough in the Age of AI
One-time onboarding snapshots are increasingly insufficient in the age of AI. With intelligent systems now generating thousands of synthetic identities, shell businesses, and AI-generated storefronts in seconds, verifying legitimacy from the outset is challenging. 90% of financial professionals surveyed reported an increase in AI-driven crimes over the past two years. Transaction intermediaries often detect these fraudulent entities only after the point of entry. This means payments companies must continuously reassess merchants for emerging risks so that AI-powered bad actors don’t slip through the cracks.
Operationalizing Perpetual KYC at Scale
Ongoing monitoring practices throughout the industry are taking shape as pKYC, a term created in recent Capgemini research. This idea moves away from traditional KYC models, known for periodic reviews and disconnected systems, and replaces them with compliance embedded directly into customer interactions. As data complexity and regulatory obligations continue to grow, pKYC methods are becoming increasingly necessary to battle modern risk.
Effective pKYC implementation often starts with PSPs re-examining their exposure at key touchpoints. This positions them to better prevent fraud before it turns into downstream costs. Reassessment is most effective when it responds to telltale merchant patterns like chargeback spikes, sudden changes in payment volumes, and unusual settlement activity.
These triggers should prompt payment intermediaries to investigate regulatory risks, monitor for policy violations, and identify potential fraud schemes such as transaction laundering. When operationalized across the board, payments companies gain clearer visibility into vulnerabilities throughout the merchant lifecycle and reduce the likelihood of Mastercard Business Risk Assessment and Mitigation (BRAM) and Visa Integrity Risk Program (VIRP) violations.
These event-driven fraud refreshes are moving toward mainstream adoption. As these practices mature, pKYC will likely transition toward more responsive, real-time threat recognition practices, such as:
- Reusable digital identity frameworks: Verifiable, privacy-centric digital credentials that work across platforms.
- AI-driven workflows: AI embedded within identity check pipelines to handle evidence gathering, case narratives, screenings, and refresh triggers, while automatically documenting everything into an auditable file.
- More unified risk operations: KYC operating hand-in-hand with KYB, sanctions, and transaction monitoring to offer a single system of record.
This shift toward AI-enabled pKYC is already apparent, with 75% of financial institutions planning to increase their use of financial crime detection AI. However, even with automation and machine learning to simplify monitoring, enterprises must maintain human oversight. Payments institutions should reserve human judgment for exceptions, escalations, and complex cases; doing so will allow pKYC and ongoing monitoring to operate as intended and reduce threat exposure.
Closing the Loop on Payment Risk
With the prevalence of AI-powered bad actors, the industry has outgrown point-in-time risk assessments. These time-based checks create months-long gaps and leave companies exposed to vulnerabilities when, realistically, threats can emerge and escalate in seconds.
Implementing continuous monitoring and pKYC helps close these gaps, allowing payments firms to recognize and address risk as it develops. When payments firms and banks respond promptly to fraud, they can reduce the percentage of merchants affected, transitioning from static responses to adaptive compliance programs. Over time, this approach strengthens risk management, improves customer experiences, and builds stronger trust among merchants, consumers, and partners when handling high-risk transactions.
