Learn about risk scores, their different types, and other factors.
Companies all over the world are obliged to apply a risk-based approach and carry out customer risk assessments when onboarding new users. This minimizes the chances of money laundering and other criminal activity being conducted through the business.
We at Sumsub have prepared a short guide explaining how customer risk assessments work.
A customer risk assessment analyzes the information collected from the customer during onboarding to assign a particular risk level to them. These risk levels can be based on country of origin (low, medium, and high-risk countries, for example) or any other factor relevant to the company—for instance, age, nature and intended purpose of the business relationship, etc.
Based on the risk assessment, companies then determine the type of Customer Due Diligence that should be applied. If risk is determined to be low, Simplified Due Diligence (SDD) can be applied. If higher risk is assessed, Enhanced Due Diligence (EDD) may be required, which means taking additional measures such as ongoing monitoring and transaction monitoring.
The CDD consists of the following measures:
When making a decision regarding a customer’s risk level, the following factors may need to be analyzed:
Example: Person X is passing verification on a UK platform. During the CDD process, the compliance officer of the platform finds out that the brother of person X is a Member of Parliament. FCA guidance states that the sibling of a PEP is themselves a PEP. This means that Person X is treated as a PEP by the platform and assessed as having a higher-than-usual risk level.
Example: Person X is passing verification at a UK platform. During the CDD process, the compliance officer finds out that the person is a citizen of a low-risk country. However, the IP address from which person X initiated verification was determined to belong to a high-risk country. In this case, Person X is assessed as having higher-than-usual risk.
Example: Person X is going through CDD at a UK platform, when they’re determined to be the owner of a football club. The football sector is considered by the FATF as vulnerable to money laundering and identified by the EU as presenting higher risks due to complex organization and lack of transparency. For this reason, Person X is assessed as having higher-than-usual risk.
Example: A UK platform detects their client, Person X, in adverse media related to a financial crime case. As UK JMLSG Guidance specifies, “Firms should determine the credibility of allegations on the basis of the quality and independence of the source data and the persistence of reporting of these allegations, among others. The absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.” The Compliance Officer of the platform could not find any published litigation, and the case itself was only mentioned by tabloids. For these reasons, Person X was assessed as medium risk.
Unnecessary level of secrecy at the onboarding stage
Some additional factors can be found in the guide.
Example: Person X was reluctant to provide information required for CDD to a UK platform without a reasonable explanation. The compliance officer therefore determined unnecessary or unreasonable levels of secrecy, which could indicate an attempt to disguise the true nature of their business. For this reason, Person X was assessed as having higher-than-usual risk.
Example: Person X has been a customer of a real estate agent for 5 years. Each year, Person X made a major real estate purchase. No individual purchase showed signs of suspicious activity. However, taken as a whole, the frequency of Person X’s purchases and sales of property revealed a suspicious pattern over time. For this reason, Person X is assessed as having higher-than-usual risk.
After assessing all of the identified factors, the company calculates the customer’s final risk score (a number of points), which maps to a certain level of risk.
Depending on the risk level, a company can choose and adjust the further procedures a customer will go through (e.g., the intensity of transaction monitoring). Companies can also implement transaction limits or add certain checks for withdrawals and/or transactions.
It should be noted that risk assessment is a regular process. Customers can present themselves as trustworthy and legitimate at first and abuse company services later. That’s why it’s necessary to implement ongoing monitoring and assessment procedures.
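The scoring approach described above, as an added example rather than Sumsub's own model: each factor from the examples (PEP status, country vs. IP-country risk, high-risk sector, adverse media weighted by source quality, secrecy, historical pattern) contributes points, the total maps to a risk level, and the level selects the due diligence type. All weights, thresholds and the "medium means standard CDD" mapping are constructed assumptions, not regulatory values.

```python
from dataclasses import dataclass

# Constructed weights and thresholds for illustration only; they are not Sumsub's
# model or any regulator's prescribed values.
COUNTRY_RISK = {"low": 0, "medium": 10, "high": 30}
PEP_POINTS = 40          # PEP status, including close family members and associates
SECTOR_POINTS = 30       # activity in a sector flagged as vulnerable to ML/TF
SECRECY_POINTS = 30      # unreasonable reluctance to provide CDD information
PATTERN_POINTS = 30      # suspicious pattern across otherwise unremarkable transactions
ADVERSE_MEDIA = {"none": 0, "tabloid": 15, "credible": 30}  # weighted by source quality
# (exclusive upper bound, level, due diligence type); medium -> standard CDD is an assumption
TIERS = [(15, "low", "SDD"), (40, "medium", "CDD"), (None, "high", "EDD")]


@dataclass
class CustomerProfile:
    nationality_risk: str = "low"        # risk bucket of the country of citizenship
    ip_country_risk: str = "low"         # risk bucket of the country the IP geolocates to
    is_pep: bool = False
    high_risk_sector: bool = False
    adverse_media: str = "none"          # "none", "tabloid" or "credible"
    reluctant_to_disclose: bool = False
    suspicious_pattern: bool = False


def score_customer(p: CustomerProfile) -> dict:
    """Sum the factor points, then map the total to a risk level and CDD type."""
    reasons = []
    score = COUNTRY_RISK[p.nationality_risk]
    if score:
        reasons.append(f"citizenship country risk: {p.nationality_risk}")
    # Connecting from a riskier country than the declared one is itself a signal.
    if COUNTRY_RISK[p.ip_country_risk] > COUNTRY_RISK[p.nationality_risk]:
        score += COUNTRY_RISK[p.ip_country_risk]
        reasons.append(f"IP country risk ({p.ip_country_risk}) exceeds citizenship risk")
    for flag, points, why in (
        (p.is_pep, PEP_POINTS, "PEP or PEP family member/associate"),
        (p.high_risk_sector, SECTOR_POINTS, "high-risk sector"),
        (p.reluctant_to_disclose, SECRECY_POINTS, "unreasonable secrecy at onboarding"),
        (p.suspicious_pattern, PATTERN_POINTS, "suspicious historical pattern"),
    ):
        if flag:
            score += points
            reasons.append(why)
    if p.adverse_media != "none":
        score += ADVERSE_MEDIA[p.adverse_media]
        reasons.append(f"adverse media ({p.adverse_media} source)")
    for bound, level, dd_type in TIERS:
        if bound is None or score < bound:
            return {"score": score, "level": level, "due_diligence": dd_type, "reasons": reasons}
```

Because the function is pure, ongoing monitoring is simply re-running it whenever new facts about the customer arrive and comparing the new level with the one assigned at onboarding.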
As a rule, the customer risk assessment determines which type of CDD is required for a given customer:
Now let’s discuss each type of due diligence in detail.
Conditions for the application of Simplified Due Diligence measures depend on the jurisdiction. For example, in the UK, JMLSG Guidance for the UK financial sector states that companies can apply SDD to the following groups of customers, which as a rule pose a low degree of risk of ML/TF:
In the UAE, if there’s no suspicion of money laundering or terrorism financing activities, a company can apply SDD to the following types of customers:
As the UK JMLSG Guidance specifies, SDD is not an exemption from CDD. However, companies may adjust the amount, timing or type of each or all of the CDD measures in a way that is commensurate with the low risk they identified. SDD measures can be the following:
It should be noted that the customer must still be verified in any case.
Information the company collects during the SDD should, on the one hand, allow the company to conclude that the customer is a low risk, and on the other hand, be sufficient for determining the nature of the business relationship to identify any unusual or suspicious transactions.
Enhanced Due Diligence (EDD) is applied in situations that indicate a higher risk of money laundering and terrorist financing. According to JMLSG Guidance for the UK financial sector, EDD is needed:
According to JMLSG Guidance for the UK financial sector, EDD measures include:
Issues with customer risk assessment often come from inaccurate information collection, monitoring, and risk analysis. Oftentimes, this problem results from manual verification procedures. To fix this, it may be worth considering an automated solution provided by an experienced vendor.