May 23, 2023

Customer Risk Assessment—All You Need to Know

Learn about risk scores, their different types, and other factors.

Companies all over the world are obliged to apply a risk-based approach and carry out customer risk assessments when onboarding new users. This minimizes the chances of money laundering and other criminal activity being conducted through the business. 

We at Sumsub have prepared a short guide explaining how customer risk assessments work. 

What is customer risk assessment?

A customer risk assessment analyzes the information collected from the customer during onboarding to assign a particular risk level to them. These risk levels can be based on country of origin (low, medium, and high-risk countries, for example) or any other factor relevant to the company—for instance, age, nature and intended purpose of the business relationship, etc. 

Based on the risk assessment, companies then determine the type of Customer Due Diligence that should be applied. If risk is determined to be low, Simplified Due Diligence (SDD) can be applied. If higher risk is assessed, Enhanced Due Diligence (EDD) may be required, which means taking additional measures such as ongoing monitoring and transaction monitoring. 

Customer Due Diligence (CDD) consists of the following measures:

  • Customer identification and verification
  • Identification and verification of the beneficial owner (when working with businesses)
  • Assessment of the purpose and intended nature of the business relationship
  • Implementation of ongoing monitoring (keeping information and documentation up to date)

Risk factors 

When making a decision regarding a customer’s risk level, the following factors may need to be analyzed:

  • Type of customer. First, companies should determine the type of customer they’re dealing with. For individuals, this includes their age, their country of origin, whether they have Politically Exposed Person (PEP) status, and more. For businesses, additional factors should be considered, such as the date of the establishment of the entity (typically, a new entity poses higher risk than an established one). 

Example: Person X is passing verification on a UK platform. During the CDD process, the compliance officer of the platform finds out that the brother of Person X is a Member of Parliament. FCA guidance states that the sibling of a PEP is themselves a PEP. This means that Person X is treated as a PEP by the platform and assessed as having a higher-than-usual risk level.

  • Geographical location. The company should also take into consideration geographic factors, such as country of residence, IP addresses, and so on. This helps companies identify customers coming from high-risk jurisdictions (or even prohibited ones). 

Example: Person X is passing verification at a UK platform. During the CDD process, the compliance officer finds out that the person is a citizen of a low-risk country. However, the IP address from which Person X initiated verification was determined to belong to a high-risk country. In this case, Person X is assessed as having higher-than-usual risk.

  • Customer’s business or professional activity. Companies should determine whether a customer is involved in high-risk activity, such as construction, pharmaceuticals and healthcare, arms trade, defense, gambling, or precious metals. More risk factors can be found in Annex 4-II of the UK JMLSG Guidance.

Example: Person X is going through CDD at a UK platform, when they’re determined to be the owner of a football club. The football sector is considered by the FATF as vulnerable to money laundering and identified by the EU as presenting higher risks due to complex organization and lack of transparency. For this reason, Person X is assessed as having higher-than-usual risk.

  • Customer reputation. Companies should check whether a customer has been mentioned in adverse media and review other relevant sources (e.g., allegations of criminal activity) and determine any issues with their reputation.

Example: A UK platform detects its client, Person X, in adverse media related to a financial crime case. As UK JMLSG Guidance specifies, “Firms should determine the credibility of allegations on the basis of the quality and independence of the source data and the persistence of reporting of these allegations, among others. The absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.” The Compliance Officer of the platform could not find any published litigation, and the case itself was only mentioned by tabloids. For these reasons, Person X was assigned a medium risk level.

  • Customer’s behavior. Some of the factors the company should check about its customers include:
    • Whether they provided false information about themselves
    • Unusual transactions
    • Unnecessary level of secrecy at the onboarding stage

Some additional factors can be found in the guide.

Example: Person X was reluctant to provide information required for CDD to a UK platform without a reasonable explanation. The compliance officer therefore determined unnecessary or unreasonable levels of secrecy, which could indicate an attempt to disguise the true nature of their business. For this reason, Person X was assessed as having higher-than-usual risk. 

  • Relationship duration. A long-term business relationship is typically lower-risk. Yet, even in these cases the company should not forget to look at certain historical patterns in the relationship that can indicate higher risk.

Example: Person X has been a customer of a real estate agent for 5 years. Each year, Person X made a major real estate purchase. Each individual purchase did not have signs of suspicious activity. However, taken as a whole, the frequency of Person X’s purchases and sales of property indicated a historically suspicious pattern. For this reason, Person X is assessed as having higher-than-usual risk. 

When assessing all of the determined factors, the company arrives at the customer’s final risk score (a number of points), which is linked to a certain level of risk.

Depending on the risk level, a company can choose and adjust the further procedures a customer will go through (e.g., the intensity of transaction monitoring). Companies can also implement transaction limits or add certain checks for withdrawals and/or transactions.

It should be noted that risk assessment is a regular process. Customers can present themselves as trustworthy and legitimate at first and abuse company services later. That’s why it’s necessary to implement ongoing monitoring and assessment procedures. 
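As an added illustration (not Sumsub’s scoring model or any vendor’s code), the following Python sketch turns the factors above into points, maps the total to a risk level, and picks the due diligence type; every weight, threshold and field name is an assumed placeholder, and the mandatory EDD triggers (PEP status, false identity data, high-risk jurisdiction) override the score.

```python
from dataclasses import dataclass

# Constructed weights for illustration only; a real programme calibrates them per
# jurisdiction and documents the rationale behind every number.
COUNTRY_POINTS = {"low": 0, "medium": 10, "high": 30, "prohibited": 100}
HIGH_RISK_SECTORS = {"construction", "pharmaceuticals", "arms trade", "defense",
                     "gambling", "precious metals", "football"}
FLAG_POINTS = {"pep": 40, "false_information": 50, "unusual_transactions": 20,
               "secretive": 25, "suspicious_history": 25}

@dataclass
class Customer:
    residence_risk: str = "low"         # country of residence: low/medium/high/prohibited
    ip_risk: str = "low"                # country of the IP address used at onboarding
    pep: bool = False                   # PEP, or family member / close associate of one
    sector: str = ""                    # business or professional activity
    adverse_media: bool = False         # any adverse media hit
    credible_allegations: bool = False  # independent sources or published litigation
    false_information: bool = False     # false or stolen identity data supplied
    unusual_transactions: bool = False
    secretive: bool = False             # unreasonable secrecy at onboarding
    relationship_years: int = 0
    suspicious_history: bool = False    # pattern visible only across the whole history

def score_customer(c: Customer) -> int:
    """Sum risk points across the factors discussed above."""
    points = COUNTRY_POINTS[c.residence_risk]
    # An IP from a riskier country than the stated residence is a mismatch signal.
    if COUNTRY_POINTS[c.ip_risk] > COUNTRY_POINTS[c.residence_risk]:
        points += 20
    if c.sector.lower() in HIGH_RISK_SECTORS:
        points += 25
    if c.adverse_media:  # source credibility decides the weight, per the JMLSG text
        points += 40 if c.credible_allegations else 15
    points += sum(pts for flag, pts in FLAG_POINTS.items() if getattr(c, flag))
    if c.relationship_years >= 3 and not c.suspicious_history:
        points -= 5  # a long, clean relationship lowers the score slightly
    return max(points, 0)

def risk_level(score: int) -> str:
    return "low" if score < 15 else "medium" if score < 40 else "high"

def due_diligence(c: Customer) -> str:
    if "prohibited" in (c.residence_risk, c.ip_risk):
        return "reject"
    level = risk_level(score_customer(c))
    # Mandatory EDD triggers apply regardless of the computed score.
    if level == "high" or c.pep or c.false_information or c.residence_risk == "high":
        return "EDD"
    return "SDD" if level == "low" else "CDD"
```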

Due Diligence Types

As a rule, the customer risk assessment determines which type of due diligence a particular customer needs:

  • Customer Due Diligence (CDD) applies to all customers except those subject to Simplified Due Diligence or Enhanced Due Diligence.
  • Simplified Due Diligence (SDD) may be applied to a particular customer if the business relationship is determined to present a low degree of ML/TF risk.
  • Enhanced Due Diligence (EDD) should be applied to high-risk customers and other cases specified by applicable law.

Now let’s discuss each type of due diligence in detail.

Simplified Due Diligence

Conditions for the application of Simplified Due Diligence measures depend on the jurisdiction. For example, in the UK, JMLSG Guidance for the UK financial sector states that companies can apply SDD to the following groups of customers, which as a rule pose a low degree of risk of ML/TF:

  • A public administration, or a publicly owned enterprise
  • Customers coming from low-risk countries
  • Companies listed on a regulated market
  • Firms holding a pooled account 
  • Certain life assurance and e-money products 
  • Certain pension funds
  • Child Trust Funds

In the UAE, if there’s no suspicion of money laundering or terrorism financing activities, a company can apply SDD to the following types of customers:

  • Identified low-risk customers.
  • Listed companies (e.g., companies listed on regulated stock exchanges subject to disclosure requirements).

As the UK JMLSG Guidance specifies, SDD is not an exemption from CDD. However, companies may adjust the amount, timing or type of each or all of the CDD measures in a way that is commensurate with the low risk they identified. SDD measures can be the following: 

  • Adjusting the timing of CDD, namely:
    • Verifying the identity of the customer during the establishment of the business relationship
    • Verifying the identity of the customer after the establishment of the business relationship or after transactions exceed a determined threshold
  • Reducing the frequency of customer identification profile updates
  • Reducing the frequency of ongoing monitoring and scrutinizing transactions, based on a reasonable level of the threshold
  • Not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but inferring the purpose and nature from the type of transactions or business relationship established

It should be noted that the customer’s identity must be verified in any case.

Information the company collects during SDD should, on the one hand, allow the company to conclude that the customer is low-risk and, on the other hand, be sufficient for determining the nature of the business relationship so that any unusual or suspicious transactions can be identified.

Enhanced Due Diligence

Enhanced Due Diligence (EDD) is applied in situations that indicate a higher risk of money laundering and terrorist financing. According to JMLSG Guidance for the UK financial sector, EDD is needed:

  • “In the cases identified by the company where there is a high risk of ML/TF
  • In the cases of business relationship with a person located in a high risk jurisdiction or in relation to any relevant transaction where either of the parties is established in a high risk jurisdiction
  • If the company has determined that a customer or potential customer is a PEP, or a family member or known close associate of a PEP
  • In any case where a customer has provided false or stolen identification documents or information on establishing a relationship
  • In any case where:
    • a transaction is complex or unusually large; or there is an unusual pattern of transactions, or
    • the transaction or transactions have no apparent economic or legal purpose
  • In any case which by its nature presents a higher risk of money laundering or terrorist financing”

According to JMLSG Guidance for the UK financial sector, EDD measures include:

  • “Obtaining, and where appropriate verifying, additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet, etc.), and updating more regularly the identification of the customer and any beneficial owner
  • Obtaining additional information on the intended nature of the business relationship
  • Obtaining information on the source of funds or source of wealth of the customer
  • Obtaining information on the reasons for intended or performed transactions
  • Obtaining the approval of senior management to commence or continue the business relationship
  • Conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination
  • Requiring the first payment to be carried out through an account in the customer’s name with a bank subject to similar CDD standards”

Issues with customer risk assessment often come from inaccurate information collection, monitoring, and risk analysis. Oftentimes, this problem results from manual verification procedures. To fix this, it may be worth considering an automated solution provided by an experienced vendor.
