In this fourth article in the series, we look at the principles behind a customer risk assessment and at certain key considerations to be borne in mind when developing a robust customer risk assessment.

In a perfect world, every organisation would hope that each customer is ideal for its business; in practice, however, this is not always the case. By carrying out a customer risk assessment, the organisation ensures that a robust customer risk profile is drawn up and that sufficient information is gathered on that particular customer. This gives the organisation a better understanding of the potential risks posed by the customer prior to on-boarding, so that it can ascertain whether the customer falls within its risk appetite.

The concepts of risk and risk assessments have become central to the anti-money laundering debate. Following the entry into force of the 4th Anti-Money Laundering Directive there has been a stronger shift from a rule-based paradigm to a risk-based approach (the “RBA”). Whereas the former approach is more rigid, the latter retains flexibility. However, such flexibility comes with more onerous obligations especially with respect to establishing, maintaining and implementing detailed risk assessments and policies and procedures.

What is a customer risk assessment?

In brief, a customer risk assessment is a relationship-based risk assessment that considers a number of factors, including risks emanating from the customer type, the manner in which the organisation engages with the customer (the interface), and the products, services, transactions and geographical locations with which the customer is linked. One would also need to factor in other elements, such as the customer’s behaviour and reputation, in order to gauge more accurately the risk which the customer poses. Consequently, the key purpose of such an assessment is to identify the risks to which the organisation will or may be exposed when carrying out such services or providing products, whether in the course of a business relationship or an occasional transaction.

There is no one-size-fits-all approach, and naturally, the more complex the business relationship or occasional transaction, the more structured and rigorous the customer risk assessment should be.

Furthermore, following completion of the customer risk assessment, the organisation will be in a better, more informed position to determine the proper level of customer due diligence to be applied.

When does a customer risk assessment need to be carried out?

The customer risk assessment is to be carried out whenever a new business relationship is to be entered into or an occasional transaction is to be carried out.

In the case of a business relationship, although the assessment is carried out at the onset of the relationship, it will nonetheless need to be reviewed on a periodic basis (depending on the risk profile and the frequency of periodic reviews set by the organisation) and on an ad hoc basis (for instance whenever a new service or product is being provided, or when there is a material departure from the business and risk profile of the customer, which may be noted through the ongoing monitoring of transactions). Changes to the customer risk assessment may also be due whenever the business risk assessment itself is modified.

Documenting your methodology

The customer risk assessment methodology should be duly documented in writing. It should set out how the customer risk assessment scoring and weighting mechanisms work in practice, as well as the rationale behind each rating in respect of each customer type, product, service, transaction, interface and geographical risk. Any overrides to be applied as part of the customer risk assessment (for example, a rule that a particular finding forces a higher rating regardless of the score) should also be documented in writing in the methodology.

In addition, changes and updates to the customer risk assessment and customer risk assessment methodology should also be documented in writing, thereby keeping an audit trail of all changes.

What should be included in a customer risk assessment?

Although there are common factors applied across the board, there is no one standard approach that needs to be applied when drawing up a customer risk assessment. However, a crucial point that needs to be highlighted is that the methodology adopted must be consistent with the risk factors included and identified in the business risk assessment.

As detailed in article 5(1) of the Prevention of Money Laundering and Funding of Terrorism Regulation, “risk factors include those relating to customers, countries or geographical areas, product, services, transactions and delivery channels risk factors.”

    1. Customer Risk: customer risk includes the risk posed by the customer, taking into account the type of customer (natural person / company / trust / foundation, PEP, etc.) and the nature of the customer’s activities. Among other factors, higher-risk activities, activities conducted through opaque and complex structures, and cash-intensive activities should be factored into the customer risk assessment, as these attract a higher risk of money laundering.
    2. Geographical Risk: Geographical risk is typically a key element in establishing the overall risk categorisation of the customer. When assessing geographical risk, one must extend the assessment not only to the geographical location (i.e. residence or country of incorporation) of the customer and beneficial owner, but also to other geographical links that the customer and its beneficial owner(s) have with one or more geographical areas, including (a) the location where the customer or its beneficial owner has its main business, or where the activity generating the customer’s or beneficial owner’s wealth and/or funds takes place, and (b) the jurisdictions with which the customer or beneficial owner has relevant personal links.
    3. Product, Services and Transaction Risk: Certain products and/or services pose a higher risk of money laundering due to their nature and features (which make them more prone to be used by criminals). Therefore, when assessing risks which may arise from products and services, organisations must be aware of (i) the transparency which the product / service offers (does the product or service allow the customer or beneficial owner to remain anonymous, or seek to make the structure/transaction more opaque?) and (ii) its complexity (is the transaction straightforward, or does it involve multiple persons or jurisdictions with no specific lawful purpose?). With respect to transaction risk, one would principally be looking at the value and size of the transaction and whether the product / service allows for a cap on transactions. Products or services which do not allow for a cap on transactions pose a higher risk of money laundering.
    4. Delivery Channel Risk: When assessing delivery channel risk, one must analyse the manner in which the organisation will interact with the customer and the channels used to provide a given product / service. A customer’s interaction with a subject person may take place through various channels, including online, face to face, or through agents, intermediaries and/or introducers, each posing a different level of risk. When dealing with agents, intermediaries and/or introducers, their regulatory status may also impinge on the overall customer risk and should therefore be taken into account when establishing the customer risk.

In order to generate an overall customer risk rating, the organisation will need to ask the customer a number of questions. Such questions are typically best placed in the customer on-boarding forms, which should seek to capture as much information as possible so that employees can then compile the customer risk assessment based on the information provided.

The above four risk factors are not exhaustive, and additional factors need to be taken into consideration. These include:

    1. Behaviour of the customer and beneficial owner – there are certain behaviours which, by their very nature, either alone or in conjunction with other factors, are indicative of a higher risk of money laundering or funding of terrorism. One will need to consider unusual behaviours by the customer, factor these into the customer risk assessment and ensure that risk mitigation measures are applied in respect of the relevant risk.
    2. Reputation of the customer and beneficial owner – Through adverse media checks, organisations are able to build a more robust risk profile of the customer. Whilst the overall risk factors indicated above might give rise to a low risk of money laundering and funding of terrorism, adverse media checks may identify additional information on the customer or beneficial owner (which the customer would not have disclosed and which might lead to the re-classification of the customer as a higher-risk customer). Assessing the adverse media in detail, establishing its relevance and factoring it into the customer risk assessment is part of the customer risk assessment. This exercise should also be duly documented to ensure proper record keeping.
    3. Sanctions – Sanctions screening against certain sanctions lists (UN, EU and National Sanctions) is mandatory in terms of the National Interest (Enabling Powers) Act. Customers may also be screened against other sanctions lists (such as the OFAC lists and the list issued by the Office of Financial Sanctions Implementation, HM Treasury). Any hits relating to sanctions should be duly taken into account for the purposes of the customer risk assessment.

Customer risk assessments should be duly calibrated and tested prior to being implemented. Calibrating your customer risk assessment allows you to give more weight to a specific risk factor depending on the relevance which that factor has within the relationship with the customer. This exercise helps the organisation generate a more accurate customer risk profile for the type of relationship which it has with the customer.

Depending on the outcome of the customer risk assessment, one will need to consider whether or not the customer falls within the risk appetite of the organisation (as established in the customer acceptance policy). Where the customer falls within the organisation’s risk appetite, the employees of the organisation will need to undertake the appropriate level of due diligence, whether simplified, standard or enhanced. Documented procedures as to the type and form of documents to be obtained for each level of due diligence are key to ensuring that a standard approach is adopted by the employees.
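As an added illustration that is not part of the article, the following Python sketch shows how the pieces described above fit together: a documented scoring and weighting mechanism over the customer, geographical, product, delivery channel and behaviour factors, the sanctions and adverse media overrides, and the mapping of the resulting rating onto simplified, standard or enhanced due diligence against a stated risk appetite. The weights, ratings and band thresholds are hypothetical calibration values chosen for the example, not figures given by the article or any regulator.

```python
from dataclasses import dataclass

# Hypothetical calibration: weight per risk factor (sums to 1), not the article's figures.
WEIGHTS = {"customer": 0.30, "geography": 0.25, "product": 0.20, "channel": 0.15, "behaviour": 0.10}

# Constructed ratings per factor value on a 1 (low) to 5 (high) scale; the rationale for
# each would live in the written methodology alongside the table.
RATINGS = {
    "customer": {"natural_person": 1, "company": 2, "trust": 4, "pep": 5},
    "geography": {"eu_member_state": 1, "third_country": 3, "high_risk_third_country": 5},
    "product": {"capped_transactions": 1, "uncapped_transactions": 4, "anonymous_instrument": 5},
    "channel": {"face_to_face": 1, "online": 3, "unregulated_introducer": 4},
    "behaviour": {"normal": 1, "unusual": 4},
}
CDD_LEVEL = {"low": "simplified", "medium": "standard", "high": "enhanced", "prohibited": "reject"}


@dataclass
class Customer:
    name: str
    factors: dict                         # factor name -> rated value, e.g. {"customer": "trust", ...}
    sanctions_hit: bool = False           # confirmed hit against UN / EU / national lists
    adverse_media_relevant: bool = False  # adverse media reviewed and assessed as relevant


def weighted_score(factors):
    """Weighted sum of factor ratings; every factor in WEIGHTS must have been captured."""
    missing = set(WEIGHTS) - set(factors)
    if missing:
        raise ValueError(f"risk factors not captured on the on-boarding form: {sorted(missing)}")
    return sum(WEIGHTS[f] * RATINGS[f][factors[f]] for f in WEIGHTS)


def classify(score):
    """Map the 1-5 weighted score onto three risk bands (thresholds are illustrative)."""
    if score < 2.0:
        return "low"
    return "medium" if score < 3.5 else "high"


def assess(customer, risk_appetite=("low", "medium", "high")):
    """Score, apply the documented overrides, and return an auditable assessment record."""
    score = round(weighted_score(customer.factors), 2)
    rating, overrides = classify(score), []
    if customer.sanctions_hit:                 # override: a sanctions hit is never on-boarded
        rating, overrides = "prohibited", ["sanctions hit"]
    elif customer.adverse_media_relevant and rating != "high":
        rating, overrides = "high", ["relevant adverse media"]  # override: re-classify upwards
    return {"name": customer.name, "score": score, "rating": rating, "overrides": overrides,
            "due_diligence": CDD_LEVEL[rating], "within_appetite": rating in risk_appetite}
```

The returned record (score, rating, overrides applied, due diligence level) is the kind of per-customer entry that should be kept, together with the methodology version used, to preserve the audit trail the article calls for.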