Feature Operational Risk
AUP Ongoing Monitoring: What to Watch After You Approve a Higher-Risk Customer
Your AUP exception memo approved the customer. The compliance work isn't done — here's the behavioral monitoring framework, re-review triggers, and exit process that keeps the approval defensible over time.
TL;DR
- Approving a higher-risk customer is the beginning of the compliance work, not the end of it
- FinCEN’s CDD rule requires ongoing monitoring commensurate with customer risk — “risk-based” means more frequent and more granular monitoring for higher-risk relationships
- Behavioral triggers for re-review: volume drift vs. approved use case, new counterparties or geographies, product use outside approved scope, complaint spikes, adverse media
- Evolve Bank’s 2024 Federal Reserve enforcement action cited failure to maintain adequate customer monitoring of fintech partnerships — monitoring gaps, not approval gaps
- Doing nothing after observing behavioral drift creates documented evidence that you knew — which is worse than not monitoring at all
You approved the customer. The exception memo is signed. The account is open.
Now what?
For most compliance teams, the AUP work stops there. Due diligence is done, the approval is documented, and the relationship moves to operations. Monitoring — if it exists — means the same automated transaction alerts covering every other customer.
That’s the gap. The due diligence that justified approval was customer-specific: specific business type, specific fund flows, specific counterparties, specific use case. The conditions that made the relationship acceptable at approval are the same conditions you need to verify are still holding six months later.
Higher-risk customer monitoring isn’t optional. It’s the fourth pillar of FinCEN’s CDD framework — and the one that breaks down most often.
What FinCEN Actually Requires
The FinCEN CDD Final Rule establishes four pillars of customer due diligence for covered financial institutions:
- Customer identification and verification (CIP)
- Beneficial ownership identification
- Understanding the nature and purpose of the customer relationship
- Risk-based ongoing customer due diligence — including ongoing monitoring to identify and report suspicious activity and, on a risk basis, maintaining and updating customer information
That fourth pillar is what requires higher-risk customers to receive more intensive monitoring than standard accounts. “Risk-based” isn’t ambiguous: the intensity, frequency, and granularity of ongoing monitoring must be commensurate with the customer’s risk profile.
FinCEN is also explicit about what triggers a re-review: “a significant and unexplained change in the customer’s activity” requires review and update of the customer’s risk profile. This isn’t an annual calendar event — it’s a behavioral trigger. If activity changes materially, you’re required to look again.
The industry is moving clearly in this direction. A 2026 fintech compliance review found that 40% of financial institutions now base risk assessments on significant behavior changes or negative news alerts rather than static, scheduled review dates. That shift — from periodic to event-driven (perpetual KYC) monitoring — is both an emerging best practice and an examiner expectation.
What “Consistent with Approved Use Case” Actually Means
Your AUP approval memo documented a specific use case: what the customer does, what transactions they’ll run, where funds come from, and which counterparties they interact with. Ongoing monitoring means verifying that what’s actually happening matches that description.
The FFIEC BSA/AML Examination Manual is direct: financial institutions must monitor transactions and account activity for consistency with what they know about their customers. Deviations from the expected pattern are monitoring triggers, not curiosities.
In practice, translating an approval memo into monitoring parameters means documenting four things at approval:
- Volume baseline: The expected monthly run rate. Set monitoring triggers at ±50% of this baseline.
- Counterparty and geography scope: The expected counterparty footprint. Flag transactions outside it.
- Product use scope: The specific products approved. Monitor for use of products outside the approved set.
- Settlement patterns: The expected timing and structure of settlements. Flag irregular patterns inconsistent with the stated business cycle.
These parameters should live in your case management or CRM system — not just in a PDF file that gets archived after approval.
The Five Behavioral Signals That Require Re-Review
1. Volume Drift Beyond the Approved Baseline
A customer approved at $500K/month running $2M/month hasn’t necessarily done anything wrong — but that activity needs to be verified against the stated business purpose. Volume growth that isn’t explained by an identifiable business reason (seasonal surge, new contract, product launch) is a signal that the account’s actual use is broader than disclosed.
Monitoring approach: Set a volume trigger at ±50% of the stated monthly baseline. Any month that exceeds the trigger generates a review task — not an automatic SAR, but a verification inquiry with documented outcome.
2. New Counterparties or Jurisdictions
The most underutilized field in a new customer file is the counterparty list. If a customer describes their business as domestic B2B payments between known vendors, and monitoring shows high-value transactions to new offshore entities in unexpected jurisdictions, the relationship profile has changed.
Monitoring approach: Run monthly counterparty analysis against the customer’s disclosed counterparty footprint. Flag net-new high-value counterparties (above a materiality threshold you define) for review within 15 business days.
3. Product Use Outside Approved Scope
Platform rules and AUP categories apply to specific products and transaction types. A customer in a restricted or enhanced-review category was approved for specific products for specific reasons. If an approved ACH-only customer begins using card issuing, instant transfer, or crypto features, the alert should route to compliance — not just fraud operations.
Monitoring approach: Configure product-level usage alerts in your core platform or payment processing system for each higher-risk customer. This requires a conversation with your technical or operations team about per-customer alert rules — most modern payment platforms support this configuration.
4. Complaint or Chargeback Spike
An unusual number of consumer complaints or chargebacks attributable to a single higher-risk customer is a direct signal that their activity is harming end customers — or that the underlying activity is different from what was approved. This is particularly relevant for payment aggregators, marketplace platforms, and BNPL products where the customer’s end consumers file disputes against your platform.
Monitoring approach: Track complaints and chargebacks attributable to each higher-risk customer on a rolling 90-day basis. Set a relative trigger (3x the normal complaint rate for comparable customer types) and an absolute trigger (5+ complaints in a calendar month).
5. Adverse Media or Third-Party Risk Signals
A news event, a legal filing, a regulatory action, or a sponsor bank RFI about a specific customer can fundamentally change the risk picture in a way that transaction monitoring won’t catch. Adverse media monitoring is the external complement to behavioral transaction analysis.
Monitoring approach: Set up alerts for each higher-risk customer’s entity name and principal names. Configure sponsor bank RFIs as an automatic re-review trigger — an RFI about a specific customer from your bank partner is a direct signal that their risk posture toward that relationship has shifted. As covered in detail in the sponsor bank RFI KRI post, rising RFI volume plus subject matter drift toward compliance-program questions is an early debanking signal.
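The five signals above are concrete enough to encode. The block below is an added example written for this page (not code from the original article or from RiskTemplates) that turns the approval memo parameters into re-review triggers and runs them over a constructed month of activity: volume drift at ±50% of the baseline, net-new counterparties above a materiality threshold or in an undisclosed jurisdiction, product use outside the approved set, the relative (3x the peer complaint rate over a rolling 90 days) and absolute (5+ complaints in a calendar month) complaint triggers, and external signals such as a sponsor bank RFI. The profile fields, customer id, counterparty names, amounts and complaint dates are all hypothetical; the peer complaint rate is expressed as complaints per transaction, which is an assumption about how a team would define "normal complaint rate for comparable customer types".

```python
"""Behavioral re-review triggers for one higher-risk customer (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ApprovedProfile:
    """Monitoring parameters captured at approval. Field names are hypothetical."""
    customer_id: str
    monthly_volume_baseline: float   # expected USD per month from the exception memo
    approved_products: frozenset     # products the approval covered
    approved_counterparties: frozenset
    approved_countries: frozenset    # ISO country codes in the disclosed footprint
    counterparty_materiality: float  # USD; net-new counterparties above this are high-value
    peer_complaint_rate: float       # complaints per transaction for comparable customers


@dataclass(frozen=True)
class Transaction:
    when: date
    amount: float
    product: str
    counterparty: str
    country: str


def month_bounds(as_of):
    """First and last day of the calendar month containing as_of."""
    start = as_of.replace(day=1)
    next_month = (start + timedelta(days=32)).replace(day=1)
    return start, next_month - timedelta(days=1)


def in_window(txns, start, end):
    return [t for t in txns if start <= t.when <= end]


def volume_drift(profile, txns, as_of, tolerance=0.5):
    """Signal 1: monthly volume outside +/-tolerance of the approved baseline."""
    start, end = month_bounds(as_of)
    total = sum(t.amount for t in in_window(txns, start, end))
    low = profile.monthly_volume_baseline * (1 - tolerance)
    high = profile.monthly_volume_baseline * (1 + tolerance)
    if low <= total <= high:
        return None
    return {"month_total": total, "baseline": profile.monthly_volume_baseline}


def new_counterparties(profile, txns, as_of):
    """Signal 2: undisclosed counterparties above materiality, or in an undisclosed country."""
    start, end = month_bounds(as_of)
    totals, countries = defaultdict(float), {}
    for t in in_window(txns, start, end):
        if t.counterparty not in profile.approved_counterparties:
            totals[t.counterparty] += t.amount
            countries[t.counterparty] = t.country
    flagged = {cp: {"amount": amt, "country": countries[cp]}
               for cp, amt in totals.items()
               if amt >= profile.counterparty_materiality
               or countries[cp] not in profile.approved_countries}
    return flagged or None


def out_of_scope_products(profile, txns, as_of):
    """Signal 3: any product used this month that the approval did not cover."""
    start, end = month_bounds(as_of)
    used = {t.product for t in in_window(txns, start, end)}
    return (used - set(profile.approved_products)) or None


def complaint_spike(profile, txns, complaint_dates, as_of,
                    relative_factor=3.0, absolute_monthly=5, window_days=90):
    """Signal 4: rolling 90-day rate above 3x peers, or 5+ complaints in the calendar month."""
    window_start = as_of - timedelta(days=window_days - 1)
    window_complaints = [d for d in complaint_dates if window_start <= d <= as_of]
    window_txns = in_window(txns, window_start, as_of)
    rate = len(window_complaints) / len(window_txns) if window_txns else 0.0
    m_start, m_end = month_bounds(as_of)
    month_complaints = sum(1 for d in complaint_dates if m_start <= d <= m_end)
    reasons = {}
    if rate > relative_factor * profile.peer_complaint_rate:
        reasons["relative"] = rate
    if month_complaints >= absolute_monthly:
        reasons["absolute"] = month_complaints
    return reasons or None


def evaluate(profile, txns, complaint_dates, external_signals, as_of):
    """Return every signal that fired; an empty dict means no re-review task is due.
    Signal 5 (adverse media, sponsor bank RFI) is fed in as external_signals and always fires."""
    results = {
        "volume_drift": volume_drift(profile, txns, as_of),
        "new_counterparties": new_counterparties(profile, txns, as_of),
        "product_scope": out_of_scope_products(profile, txns, as_of),
        "complaint_spike": complaint_spike(profile, txns, complaint_dates, as_of),
        "external": list(external_signals) or None,
    }
    return {name: detail for name, detail in results.items() if detail}


# Constructed sample data: an ACH-only, US-domestic customer approved at $500K/month.
SAMPLE_PROFILE = ApprovedProfile("cust-0001", 500_000.0, frozenset({"ach"}),
                                 frozenset({"Vendor A", "Vendor B"}), frozenset({"US"}),
                                 25_000.0, 0.001)
AS_OF = date(2026, 6, 30)
SAMPLE_TXNS = (
    [Transaction(date(2026, 6, d), 60_000.0, "ach", "Vendor A", "US") for d in range(1, 11)]
    + [Transaction(date(2026, 6, d), 50_000.0, "ach", "Vendor B", "US") for d in range(11, 16)]
    + [Transaction(date(2026, 6, 20), 100_000.0, "card_issuing", "Offshore Holdings Ltd", "KY"),
       Transaction(date(2026, 6, 25), 100_000.0, "card_issuing", "Offshore Holdings Ltd", "KY")]
)
SAMPLE_COMPLAINTS = [date(2026, 6, d) for d in (3, 8, 12, 18, 22, 27)]


def run_sample():
    return evaluate(SAMPLE_PROFILE, SAMPLE_TXNS, SAMPLE_COMPLAINTS,
                    ["sponsor bank RFI received 2026-06-15"], AS_OF)


if __name__ == "__main__":
    for signal, detail in run_sample().items():
        print(f"RE-REVIEW {SAMPLE_PROFILE.customer_id}: {signal} -> {detail}")
```

Each trigger returns the evidence that fired it (month total versus baseline, the new counterparty's amount and country, the unapproved product, the complaint rate or count), which is exactly what Step 1 of the drift process needs recorded. Run stand-alone, the sample month trips all five signals: $1.05M against a $500K baseline, a $200K counterparty in KY, card issuing on an ACH-only approval, six complaints in the month, and an open RFI.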
What Happens When Monitoring Shows Drift
Catching behavioral drift creates an obligation to act. Documenting the deviation without responding to it is the worst possible outcome — it creates a record that you knew and chose to continue.
Step 1: Document the deviation. What was approved vs. what you’re observing. When the change appears to have started. The specific transaction data supporting the observation.
Step 2: Re-run the approval analysis on current activity. Is the observed activity within your AUP? Can you monitor it effectively with available controls? Does your bank partner’s policy permit this type of activity at this volume? Is the business rationale for the change credible and verifiable?
Step 3: Make a documented decision. Four options:
| Decision | When to Use It |
|---|---|
| Update the approval memo | Current activity is acceptable, verifiable, and documentable — record the new scope and monitoring parameters |
| Impose restrictions | Activity has drifted but the relationship is salvageable — restrict to original approved scope via platform controls |
| Escalate to bank partner | Activity implicates bank partner risk appetite — clear with them before deciding whether to continue |
| Initiate exit | Activity cannot be accommodated within your AUP and available controls |
Doing nothing is not on the list. “We noticed and decided it wasn’t worth re-reviewing” becomes your documentation record if a regulator or bank partner asks later.
The Enforcement Record
The Federal Reserve’s June 2024 cease-and-desist against Evolve Bank & Trust is the clearest recent example of what happens when ongoing monitoring of higher-risk relationships fails. The order found that Evolve failed to maintain an effective risk management framework for its fintech partnerships — specifically, inadequate ongoing oversight and monitoring of those relationships. The bank’s compliance program did not keep pace with the transaction behaviors of its fintech clients as those businesses scaled.
Consequence: Evolve was barred from onboarding new fintech partners and launching new products without prior Federal Reserve approval. The enforcement wasn’t about the initial approvals. It was about the failure to monitor what was happening after approvals were granted.
TD Bank’s $3.1 billion resolution in October 2024 also documented backlogs of customers to be exited that “presented unacceptable AML risk” — customers whose ongoing activity had crossed into high-risk territory and were never removed from the portfolio. The original approval decision had been made. The exit decision was never triggered by monitoring. That failure is a monitoring failure, not an onboarding failure.
Both cases share the same structural gap: the compliance investment was concentrated at the front of the relationship (onboarding, due diligence) with inadequate ongoing oversight of what happened after the account opened.
Structuring Your AUP Monitoring Program
The minimum viable monitoring program for higher-risk customers has four components:
| Component | What It Covers | Cadence |
|---|---|---|
| Transaction monitoring triggers | Volume drift, counterparty changes, product use outside approved scope, settlement pattern anomalies | Continuous / daily |
| Periodic EDD re-review | Full re-run of the original approval analysis against current activity | Annual at minimum; or event-triggered, whichever comes first |
| Adverse media / external signals | Negative news, legal actions, regulatory developments, sponsor bank RFIs | Ongoing; monthly scan for all higher-risk customers |
| Portfolio-level compliance reporting | Aggregate view of higher-risk customers by category, complaint rate, monitoring trigger activity, re-reviews completed vs. outstanding | Quarterly to risk committee |
The Exit Process Done Right
Exit is the hardest part of higher-risk customer management, but it’s essential that the exit process be as documented as the approval process.
The mechanics of a defensible exit:
- Follow the exit triggers you defined at approval. Your original exception memo should have included specific conditions under which the relationship would be re-evaluated or terminated. Use those as the basis for the exit decision — they represent your advance judgment about what risk you could manage.
- Do not cite constitutionally protected activity. The OCC has issued guidance explicitly warning banks against exits driven by customer industry or viewpoints rather than concrete compliance risk. Document the specific transaction behavior, compliance finding, or control failure that drives the exit — not a general reputational concern.
- Match approval authority. If the relationship required senior compliance sign-off or risk committee approval to open, exit should be reviewed at the same level. This protects against exits driven by operational convenience rather than risk analysis.
- Give contractual notice. Follow the notice requirements in your customer agreement. Most agreements allow termination for cause with shorter notice periods — “for cause” should be documented in the exit memo.
So What?
If your AUP program ends at approval, you’re carrying the risk of every approved higher-risk customer without the protection of knowing whether the relationship is still what you agreed to.
The practical starting point:
- Pull every active AUP exception memo. Does each one document a volume baseline, counterparty scope, and approved products? If not, reconstruct the parameters from the original due diligence file.
- Configure behavioral triggers for each higher-risk customer in your transaction monitoring system: volume, counterparty, product scope. This likely requires a conversation with your fraud or operations team about per-customer alert rules.
- Set a calendar for annual EDD re-reviews and load each higher-risk customer onto it. The calendar should be in your issues management or compliance tracking system, not a personal spreadsheet.
- Document re-review outcomes. “Reviewed on [date], activity consistent with approved use case, no change required” is a defensible record. “No review conducted” is not.
For teams building or formalizing their AUP program, the Compliance Essentials bundle includes the AUP template, exception memo structure, restricted and prohibited category due diligence guides, and the ongoing monitoring framework that ties them together — from the initial approval decision through the ongoing oversight that keeps it defensible.
Related reading:
- Acceptable Use Policy Template for Fintechs: Prohibited, Restricted, and Enhanced-Review Customers
- AUP Exception Memos: How to Document a High-Risk Customer Approval Without Creating a Mess
- Restricted Business Due Diligence: Questions to Ask Before You Approve Cannabis, Weapons, Adult, Gambling, or Crypto Customers
- Sales vs. Compliance in High-Risk Customer Reviews: How to Avoid Losing Good Deals for Bad Reasons
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.