In This Chapter
- Opening: The Risk Rating That Was Never Updated
- 10.1 The Purpose and Function of Customer Risk Rating
- 10.2 Designing a Risk Rating Model
- 10.3 The PEP Classification Problem
- 10.4 Enhanced Due Diligence: What It Requires
- 10.5 Dynamic Risk Rating: Incorporating Transaction Behavior
- 10.6 EDD in Practice: Priya's High-Risk Client Onboarding Checklist
- 10.7 The Automation Question in Risk Rating
- Chapter Summary
Chapter 10: Customer Risk Rating and Enhanced Due Diligence
Opening: The Risk Rating That Was Never Updated
In the autumn of 2021, a UK financial regulator published enforcement action findings against a mid-size bank that had maintained a "low risk" customer risk rating for a company that — over a three-year period — had processed £12 million in transactions inconsistent with its declared business purpose.
The company had been rated "low risk" at onboarding in 2018. Its stated business purpose was "import/export consulting." In 2019, its transaction profile changed materially: large inbound wires from multiple international counterparties, rapid outbound transfers to a network of UK-registered companies, high cash activity inconsistent with a consulting business. None of these changes triggered an automatic risk rating review. The customer remained "low risk" throughout.
The regulatory finding was explicit: the bank's risk rating methodology did not incorporate transaction behavior as a trigger for risk rating update. The 2018 rating, based on 2018 information, remained in place as 2019 and 2020 evidence accumulated that contradicted it.
The penalty: £2.8 million. The compliance remediation required: a complete rebuild of the customer risk rating methodology.
This case captures the fundamental challenge of customer risk rating: it is not a one-time assessment. It is an ongoing judgment that must evolve with the customer's behavior.
10.1 The Purpose and Function of Customer Risk Rating
Customer risk rating (CRR) assigns each customer a risk classification — typically Low, Medium, and High, though some institutions use more granular scales — based on an assessment of the money laundering and financial crime risk the customer presents.
The risk rating serves two functions:
Proportionality of KYC measures: The CDD Rule and its international equivalents require that KYC measures be proportionate to the money laundering risk presented by the customer. A low-risk customer requires standard CDD; a high-risk customer requires Enhanced Due Diligence (EDD). The risk rating determines which level of scrutiny applies.
Transaction monitoring calibration: Customer risk ratings can be used to calibrate transaction monitoring thresholds — applying tighter thresholds (more sensitivity) for high-risk customers and more lenient thresholds for low-risk customers. This reduces the false positive burden from low-risk customers while maintaining appropriate detection for high-risk ones.
The Three-Factor Framework
Most customer risk rating methodologies evaluate risk across three dimensions, consistent with FATF's risk-based approach guidance:
Customer risk factors:
- Account ownership type (individual, sole trader, partnership, company, trust)
- Nationality and country of residence
- PEP status (current, former, family member)
- Adverse media / negative news
- Industry/occupation (high-risk sectors: real estate, legal services, gambling, cash-intensive businesses)

Geographic risk factors:
- Country of domicile
- Countries of business operations
- Counterparty jurisdictions

Product/service risk factors:
- Products and services used (cash-intensive, international wires, correspondent banking, private banking)
- Transaction volumes and value profile
- Account structure complexity
10.2 Designing a Risk Rating Model
Scoring Approaches
Categorical scoring (rules-based): Each risk factor is assigned to a risk category (Low, Medium, High). The overall rating is determined by the highest risk category across all factors, or by a weighted combination of factor ratings.
"""
Rules-Based Customer Risk Rating
Demonstrates categorical scoring approach:
risk factors map to risk categories,
overall rating determined by highest category
or weighted combination.
"""
from dataclasses import dataclass
from enum import IntEnum
class RiskLevel(IntEnum):
LOW = 1
MEDIUM = 2
HIGH = 3
@dataclass
class CustomerProfile:
customer_id: str
entity_type: str # 'individual', 'company', 'trust', 'partnership'
nationality: str # ISO country code
residence_country: str # ISO country code
is_pep: bool
pep_category: str | None # 'current', 'former', 'family', None
adverse_media: bool
industry_code: str # SIC/NAICS industry code
products: list[str] # Products/services in use
jurisdictions: list[str] # Countries of business operation (ISO)
# Risk classification tables
HIGH_RISK_COUNTRIES = {"AF", "BY", "CF", "KP", "IR", "IQ", "LY", "ML", "MM",
"NI", "PK", "SO", "SD", "SY", "TT", "VU", "YE", "ZW"}
MEDIUM_RISK_COUNTRIES = {"AE", "BO", "DJ", "EC", "ET", "GH", "GT", "HT", "HN",
"KE", "LA", "MX", "MA", "MZ", "NG", "PA", "PH", "TZ",
"UG", "VN"}
HIGH_RISK_INDUSTRIES = {"6552", # Land Subdividers & Developers
"7011", # Hotels and Motels
"7993", # Video Game Arcades / Gambling
"5813", # Drinking Places (Bars/Taverns)
"7999", # Amusement and Recreation Services
"5912", # Drug Stores and Proprietary Stores
"8111", # Legal Services
"6159", # Federal-Sponsored Credit Agencies
"6099", # Money Service Businesses
"6211", # Security Brokers and Dealers
}
HIGH_RISK_PRODUCTS = {"cash_deposits", "international_wires", "correspondent_banking",
"private_banking", "precious_metals", "crypto_exchange"}
def rate_customer_risk(profile: CustomerProfile) -> dict:
"""
Calculate customer risk rating using categorical scoring.
Returns the overall risk level, factor-level ratings, and rationale.
"""
factor_ratings = {}
# 1. Entity type risk
entity_risk = {
"individual": RiskLevel.LOW,
"sole_trader": RiskLevel.LOW,
"company": RiskLevel.MEDIUM,
"partnership": RiskLevel.MEDIUM,
"trust": RiskLevel.HIGH,
"foundation": RiskLevel.HIGH,
}.get(profile.entity_type, RiskLevel.MEDIUM)
factor_ratings["entity_type"] = entity_risk
# 2. PEP status
if profile.is_pep:
pep_risk = {
"current": RiskLevel.HIGH,
"former": RiskLevel.HIGH, # Former PEPs remain elevated
"family": RiskLevel.MEDIUM,
}.get(profile.pep_category, RiskLevel.HIGH)
else:
pep_risk = RiskLevel.LOW
factor_ratings["pep_status"] = pep_risk
# 3. Adverse media
factor_ratings["adverse_media"] = RiskLevel.HIGH if profile.adverse_media else RiskLevel.LOW
# 4. Country risk (worst of nationality/residence/jurisdiction)
all_countries = [profile.nationality, profile.residence_country] + profile.jurisdictions
country_risk = RiskLevel.LOW
for country in all_countries:
if country in HIGH_RISK_COUNTRIES:
country_risk = RiskLevel.HIGH
break
elif country in MEDIUM_RISK_COUNTRIES:
country_risk = max(country_risk, RiskLevel.MEDIUM)
factor_ratings["country_risk"] = country_risk
# 5. Industry risk
industry_risk = (RiskLevel.HIGH if profile.industry_code in HIGH_RISK_INDUSTRIES
else RiskLevel.MEDIUM if profile.industry_code.startswith("6") # Financial services
else RiskLevel.LOW)
factor_ratings["industry_risk"] = industry_risk
# 6. Product risk
high_risk_products_used = set(profile.products) & HIGH_RISK_PRODUCTS
product_risk = (RiskLevel.HIGH if high_risk_products_used
else RiskLevel.MEDIUM if len(profile.products) > 3
else RiskLevel.LOW)
factor_ratings["product_risk"] = product_risk
# Overall rating: any HIGH factor → HIGH; otherwise average
factor_values = list(factor_ratings.values())
if RiskLevel.HIGH in factor_values:
overall = RiskLevel.HIGH
elif factor_values.count(RiskLevel.MEDIUM) >= 2:
overall = RiskLevel.MEDIUM
else:
overall = RiskLevel.LOW
high_factors = [f for f, r in factor_ratings.items() if r == RiskLevel.HIGH]
medium_factors = [f for f, r in factor_ratings.items() if r == RiskLevel.MEDIUM]
rationale_parts = []
if high_factors:
rationale_parts.append(f"High-risk factors: {', '.join(high_factors)}")
if medium_factors:
rationale_parts.append(f"Medium-risk factors: {', '.join(medium_factors)}")
return {
"customer_id": profile.customer_id,
"overall_risk": overall.name,
"factor_ratings": {f: r.name for f, r in factor_ratings.items()},
"rationale": "; ".join(rationale_parts) if rationale_parts else "All factors low risk",
"edd_required": overall == RiskLevel.HIGH,
"review_cycle_months": {
RiskLevel.LOW: 36,
RiskLevel.MEDIUM: 12,
RiskLevel.HIGH: 6
}[overall]
}
Numerical scoring (weighted scoring model): Each risk factor is assigned a numerical weight and score. The weighted sum determines the rating. More granular, allows finer-grained differentiation, but introduces arbitrary weightings that must be justified and validated.
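A weighted scoring model of the kind described above, as an added example (not the chapter's own code). The factor names reuse the six factors of the rules-based model; the weights, the band thresholds and the foreign-PEP override are assumptions for illustration, and the `band_flip_factors` helper shows one way to check whether the chosen weights need justification.

```python
"""
Weighted (numerical) customer risk scoring. Weights and band thresholds
are assumptions for this illustration, not a regulatory or vendor standard.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Factor scores use the same 1 (Low) / 2 (Medium) / 3 (High) scale as the
# categorical model; the weights sum to 1.0 so the weighted score stays on 1..3.
FACTOR_WEIGHTS: dict[str, float] = {
    "entity_type": 0.10,
    "pep_status": 0.25,
    "adverse_media": 0.15,
    "country_risk": 0.20,
    "industry_risk": 0.15,
    "product_risk": 0.15,
}
MEDIUM_THRESHOLD = 1.4  # weighted score at or above this -> MEDIUM (assumed)
HIGH_THRESHOLD = 2.2    # weighted score at or above this -> HIGH (assumed)


@dataclass
class WeightedRating:
    customer_id: str
    weighted_score: float
    overall_risk: str
    contributions: dict[str, float] = field(default_factory=dict)
    override_reason: str | None = None


def weighted_sum(factor_scores: dict[str, int]) -> float:
    """Weighted score, rounded so band boundaries are not decided by float noise."""
    return round(sum(w * factor_scores[f] for f, w in FACTOR_WEIGHTS.items()), 3)


def band_for(score: float) -> str:
    if score >= HIGH_THRESHOLD:
        return "HIGH"
    if score >= MEDIUM_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def weighted_risk_rating(customer_id: str, factor_scores: dict[str, int],
                         foreign_pep: bool = False) -> WeightedRating:
    """Score a customer. A foreign PEP is forced to HIGH (mandatory EDD, 10.4)
    whatever the weighted score, and the override is recorded for the audit trail."""
    missing = set(FACTOR_WEIGHTS) - set(factor_scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    bad = {f: s for f, s in factor_scores.items() if s not in (1, 2, 3)}
    if bad:
        raise ValueError(f"factor scores must be 1, 2 or 3: {bad}")
    contributions = {f: round(w * factor_scores[f], 3) for f, w in FACTOR_WEIGHTS.items()}
    score = weighted_sum(factor_scores)
    rating = WeightedRating(customer_id, score, band_for(score), contributions)
    if foreign_pep and rating.overall_risk != "HIGH":
        rating.overall_risk = "HIGH"
        rating.override_reason = "foreign PEP: mandatory EDD overrides weighted score"
    return rating


def top_drivers(rating: WeightedRating, n: int = 2) -> list[str]:
    """Factors contributing most to the score, for the rationale in the KYC file."""
    ranked = sorted(rating.contributions.items(), key=lambda kv: kv[1], reverse=True)
    return [f for f, _ in ranked[:n]]


def band_flip_factors(factor_scores: dict[str, int]) -> list[str]:
    """Weight-validation aid: factors where a one-step score increase moves the
    customer into a higher band. If many low-weight factors can flip the band on
    their own, the thresholds and weights need justification before go-live."""
    base = band_for(weighted_sum(factor_scores))
    flips = []
    for factor in FACTOR_WEIGHTS:
        if factor_scores[factor] == 3:
            continue
        bumped = dict(factor_scores, **{factor: factor_scores[factor] + 1})
        if band_for(weighted_sum(bumped)) != base:
            flips.append(factor)
    return flips
```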
ML-based risk scoring: Train a model on historical cases where the "true" risk rating has been validated by investigative outcome (SAR filed, confirmed suspicious activity). The model learns which factor combinations predict genuine risk. Requires sufficient labeled training data — which may be limited in smaller institutions.
10.3 The PEP Classification Problem
Politically Exposed Persons (PEPs) present one of the most significant risk rating challenges, for three reasons: the category is broad, the definition varies across jurisdictions, and the risk implications are significant.
What Is a PEP?
A PEP is an individual who is or has been entrusted with a prominent public function. FATF Recommendation 12 identifies the primary PEP categories:
Foreign PEPs (highest risk):
- Heads of state, heads of government
- Ministers and deputy ministers
- Senior executives of state-owned enterprises
- Ambassadors, high commissioners
- Military officers of senior rank

Domestic PEPs (risk-based assessment required):
- Members of parliament/legislature
- Senior members of judiciary
- Senior executives of central banks and regulatory bodies
- Members of political parties' governing bodies

International organization PEPs:
- Senior officials of international organizations (UN agencies, World Bank, IMF, regional development banks)

Family members and close associates:
- Spouse, partner, children, parents, siblings of PEPs
- Close business associates
The Jurisdictional Variation Problem
The EU (AMLD5) and UK (MLRs 2017) treat domestic and foreign PEPs differently: domestic PEPs require a risk-based assessment (not automatic high risk), while foreign PEPs are automatically high risk. US regulatory guidance (FinCEN) focuses on foreign PEPs, treating domestic PEPs as subject to standard risk-based assessment.
The practical implication: a British MP's account at a UK bank requires risk-based assessment (may not be high risk); the same MP's account at a US bank's London branch may be assessed under different criteria.
Commercial PEP screening databases (World-Check, Dow Jones Risk & Compliance, LexisNexis Bridger Insight) maintain lists of current and former PEPs with their relationship networks. These databases are essential for institutions that cannot build and maintain PEP identification capability internally.
The Former PEP Problem
FATF and most regulatory frameworks acknowledge that PEP status should be maintained for "an appropriate period of time" after leaving public office — but do not specify exactly how long. The UK FCA's Financial Crime Guide suggests at least 12 months; in practice, most institutions treat former heads of state and government ministers as PEPs for 5–10 years or more after leaving office, given the persistence of their connections and influence.
10.4 Enhanced Due Diligence: What It Requires
Enhanced Due Diligence (EDD) applies to high-risk customers — and in certain mandatory contexts (PEPs, correspondent banking, complex non-standard structures) regardless of overall risk rating.
EDD is not a separate process from CDD — it is CDD with additional depth and scrutiny:
| CDD Element | Standard (Low/Medium Risk) | EDD (High Risk) |
|---|---|---|
| Identity verification | Documentary or eIDV | Documentary; possible in-person element; biometric for remote |
| Source of funds | Not systematically required | Required — documented evidence of funds source |
| Source of wealth | Not systematically required | Required — documented evidence of wealth accumulation |
| Business purpose | Declared purpose accepted | Declared purpose corroborated by independent evidence |
| Beneficial ownership | Standard verification | Enhanced verification; registry and commercial data cross-reference |
| Ongoing monitoring | Annual or trigger-based review | Semi-annual or quarterly review; enhanced transaction monitoring thresholds |
| Senior approval | Not required | Required — senior management must approve onboarding of high-risk customers |
Source of Wealth vs. Source of Funds
Two concepts that are frequently confused:
Source of funds (SOF): Where did the money in this specific transaction or account come from? A wire transfer from a legal settlement; a property sale; a salary payment. SOF verification answers: "Where did this money come from?"
Source of wealth (SOW): How did this customer accumulate their overall wealth? An inheritance, a business sale, an investment portfolio, a career in finance. SOW verification answers: "How did this person get to be worth this much?"
For PEPs and other high-risk customers, both must be verified. A customer claiming SOW from "business income" requires: a plausible business history, evidence the business generated the claimed level of wealth, and corroboration from sources other than the customer's own declaration.
10.5 Dynamic Risk Rating: Incorporating Transaction Behavior
The case study that opened this chapter — the company that went undetected because its risk rating was never updated — represents the core failure mode of static risk rating systems.
A dynamic risk rating approach incorporates ongoing transaction behavior as a risk signal, triggering automatic risk rating review when behavior changes materially.
Trigger Events for Risk Rating Review
Automatic triggers:
- Transaction pattern significantly inconsistent with declared business purpose
- Alert generation rate materially increases (customer generating 3× more alerts than prior 3-month average)
- New PEP designation affecting customer or beneficial owner
- New adverse media alert
- New sanctions alert (even if ultimately cleared as false positive — the alert itself warrants review)
- Significant change in transaction counterparty jurisdictions (new exposure to high-risk jurisdictions)
- Significant increase in transaction volumes (>200% increase over 3-month period)

Customer-initiated triggers:
- Change of beneficial ownership
- Change of business purpose
- New products or services requested
- Change of address to a high-risk jurisdiction

Periodic review:
- High-risk: every 6 months
- Medium-risk: every 12 months
- Low-risk: every 24–36 months
"""
Dynamic risk rating: trigger detection system.
Monitors customer transaction behavior and flags accounts
where behavior has changed materially — suggesting the
current risk rating may be stale.
"""
import pandas as pd
from dataclasses import dataclass
@dataclass
class RatingTrigger:
customer_id: str
trigger_type: str
trigger_description: str
severity: str # 'urgent', 'standard', 'informational'
recommended_action: str
def detect_behavioral_triggers(
customer_id: str,
current_risk_rating: str,
current_period_txns: pd.DataFrame,
prior_period_txns: pd.DataFrame,
declared_business_purpose: str,
) -> list[RatingTrigger]:
"""
Detect transaction behavioral changes that should trigger
a customer risk rating review.
Both DataFrames contain columns:
['transaction_date', 'amount', 'direction', 'counterparty_country',
'transaction_type']
Returns list of triggers found (empty = no behavioral changes detected).
"""
triggers = []
if current_period_txns.empty or prior_period_txns.empty:
return triggers
# --- Trigger 1: Volume change ---
current_volume = current_period_txns["amount"].sum()
prior_volume = prior_period_txns["amount"].sum()
if prior_volume > 0 and current_volume / prior_volume > 2.5:
triggers.append(RatingTrigger(
customer_id=customer_id,
trigger_type="volume_increase",
trigger_description=f"Transaction volume increased {current_volume/prior_volume:.1f}x vs prior period",
severity="standard",
recommended_action="Review current period transactions; update risk rating if warranted"
))
# --- Trigger 2: New high-risk jurisdiction ---
high_risk_countries = {"AF", "KP", "IR", "SY", "BY", "CU", "MM", "SD"}
prior_countries = set(prior_period_txns["counterparty_country"].dropna().unique())
current_countries = set(current_period_txns["counterparty_country"].dropna().unique())
new_countries = current_countries - prior_countries
new_high_risk = new_countries & high_risk_countries
if new_high_risk:
triggers.append(RatingTrigger(
customer_id=customer_id,
trigger_type="new_high_risk_jurisdiction",
trigger_description=f"First transactions with high-risk jurisdictions: {new_high_risk}",
severity="urgent",
recommended_action="Immediate risk rating review; obtain explanation from customer"
))
# --- Trigger 3: Cash proportion change ---
current_cash = current_period_txns[
current_period_txns["transaction_type"] == "cash"
]["amount"].sum()
current_total = current_period_txns["amount"].sum()
prior_cash = prior_period_txns[
prior_period_txns["transaction_type"] == "cash"
]["amount"].sum()
prior_total = prior_period_txns["amount"].sum()
current_cash_pct = current_cash / current_total if current_total > 0 else 0
prior_cash_pct = prior_cash / prior_total if prior_total > 0 else 0
if current_cash_pct > 0.30 and prior_cash_pct < 0.10:
triggers.append(RatingTrigger(
customer_id=customer_id,
trigger_type="cash_proportion_increase",
trigger_description=f"Cash proportion increased from {prior_cash_pct:.0%} to {current_cash_pct:.0%}",
severity="standard",
recommended_action="Verify cash business purpose; check if current product profile reflects actual usage"
))
# --- Trigger 4: Rapid in-out pattern (simplified) ---
inbound = current_period_txns[
current_period_txns["direction"] == "CREDIT"
]["amount"].sum()
outbound = current_period_txns[
current_period_txns["direction"] == "DEBIT"
]["amount"].sum()
if inbound > 0 and outbound / inbound > 0.95:
prior_inbound = prior_period_txns[
prior_period_txns["direction"] == "CREDIT"
]["amount"].sum()
prior_outbound = prior_period_txns[
prior_period_txns["direction"] == "DEBIT"
]["amount"].sum()
prior_ratio = prior_outbound / prior_inbound if prior_inbound > 0 else 0
if prior_ratio < 0.70: # Material change in in/out ratio
triggers.append(RatingTrigger(
customer_id=customer_id,
trigger_type="rapid_movement_pattern",
trigger_description=(
f"Current in/out ratio {outbound/inbound:.0%} vs prior {prior_ratio:.0%}. "
"Possible transit account usage."
),
severity="urgent",
recommended_action="Immediate transaction monitoring review; escalate to compliance"
))
return triggers
10.6 EDD in Practice: Priya's High-Risk Client Onboarding Checklist
When Priya onboards a new high-risk client for any of her institutional clients, she works through a structured EDD checklist. The checklist is not a replacement for professional judgment — it is a framework that ensures no element is overlooked.
EDD Checklist: Senior Private Banking Customer (PEP)
Identity Verification
- [ ] Certified copy of unexpired government-issued photo ID (passport preferred)
- [ ] Independent verification against registry, credit bureau, or biometric liveness check
- [ ] PEP database check: current status, role description, jurisdiction, family/associates listed

Source of Wealth
- [ ] Customer narrative: written description of career history and wealth accumulation events
- [ ] Corroboration documents: salary slips, business sale documentation, inheritance records, audited accounts
- [ ] Consistency check: stated SOW consistent with known career history and public record
- [ ] Third-party confirmation: accountant letter, solicitor confirmation, or wealth management statement where available

Source of Funds (for specific transactions)
- [ ] Bank statements showing origin of funds to be deposited
- [ ] Wire transfer confirmations identifying source account and originating bank
- [ ] For property proceeds: completion statement from conveyancer
- [ ] For business sale: purchase agreement summary or completion statement

Business Purpose and Expected Activity
- [ ] Signed customer statement describing expected account use and anticipated transaction volumes/values
- [ ] Plausibility assessment: is the stated use consistent with the customer's profile?
- [ ] Transaction profile documented in KYC file for ongoing monitoring calibration

Senior Management Approval
- [ ] Risk assessment summary prepared by relationship manager/compliance
- [ ] Review by Compliance Director (or equivalent)
- [ ] Written approval by Head of Private Banking / CCO
- [ ] Approved relationship recorded in compliance system with review date

Ongoing Monitoring
- [ ] Enhanced transaction monitoring parameters applied (tighter thresholds)
- [ ] Next review date set: 6 months (high risk)
- [ ] Trigger events documented: what would prompt an off-cycle review?
10.7 The Automation Question in Risk Rating
What Can Be Automated?
Much of the risk rating process is algorithmically straightforward: applying factor tables, calculating weighted scores, triggering alerts based on behavioral parameters. These elements can and should be automated.
Good candidates for automation:
- Initial risk rating calculation from KYC data inputs
- Adverse media screening and PEP database checks
- Trigger detection (behavioral change monitoring)
- Review cycle scheduling and reminder generation
- Risk rating update when factors change (e.g., new PEP designation)

Requires human judgment:
- Qualitative assessment of source of wealth documentation (is this credible?)
- Assessment of ambiguous or incomplete EDD documents
- Determination of whether a behavioral trigger represents genuine risk or legitimate business change
- Senior approval decisions for high-risk customer onboarding
Cornerstone Financial Group: Automating Risk Rating at Scale
Cornerstone Financial Group (the composite institution used throughout this textbook) operates across multiple business lines serving 380,000 customers. Maya Osei's team, having completed the KYC automation project for retail onboarding, turned in late 2022 to automating the customer risk rating review cycle for the existing customer base.
The scale challenge: 380,000 customers with varying review cycles. High risk (2%: 7,600 customers, 6-month cycle) = 15,200 reviews per year. Medium risk (18%: 68,400 customers, 12-month cycle) = 68,400 reviews per year. Low risk (80%: 304,000 customers, 24-month cycle) = 152,000 reviews per year. Total: approximately 235,600 reviews per year.
Even at a very efficient 15 minutes per automated review (data refresh, screening check, automated factor recalculation), this represents nearly 59,000 analyst-hours annually — approximately 30 FTE dedicated purely to review cycle management.
Maya's solution: a tiered automation approach.
Tier 1 (fully automated, no analyst required): Low-risk customers with no factor changes, no new screening alerts, no behavioral triggers. System refreshes data, re-runs screening, confirms risk rating, and documents the review. An analyst reviews a random 5% sample for quality assurance.
Tier 2 (system-assisted, analyst confirms): Medium-risk customers, or customers with a new screening alert that was automatically cleared. System prepares a review summary; analyst reviews summary and confirms or escalates. Target: 8 minutes per review.
Tier 3 (full analyst review required): High-risk customers, customers with new uncleared screening alerts, customers with behavioral triggers. Full analyst review. Target: 45 minutes per review.
Result: of the 235,600 annual reviews, approximately 68% were Tier 1 (fully automated), 22% Tier 2 (system-assisted), and 10% Tier 3 (full review). Total analyst time: reduced from the estimated 59,000 hours to approximately 14,000 hours — a 76% reduction while maintaining quality across all review types.
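The tier routing and the baseline workload arithmetic described above, as an added example (not Cornerstone's system or the chapter's own code). The population split is the chapter's own 380,000-customer breakdown; the routing rules, the `ReviewCase` fields and the treatment of a low-risk customer whose factors changed are assumptions drawn from the tier descriptions.

```python
"""
Tiered review-cycle routing and workload estimate for periodic risk rating
reviews. Routing rules are assumptions drawn from the Tier 1/2/3 description;
the population split is the chapter's worked Cornerstone figures.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Review cycles behind the Cornerstone workload figures (low risk at 24 months;
# 10.5 allows 24-36 months for low-risk customers).
REVIEW_CYCLE_MONTHS = {"LOW": 24, "MEDIUM": 12, "HIGH": 6}

# Constructed population matching the chapter's 380,000-customer split.
CORNERSTONE_POPULATION = {"HIGH": 7_600, "MEDIUM": 68_400, "LOW": 304_000}


@dataclass
class ReviewCase:
    customer_id: str
    risk_rating: str          # 'LOW', 'MEDIUM', 'HIGH'
    factors_changed: bool     # data refresh changed any risk factor input
    open_alerts: int          # new screening alerts not yet cleared
    cleared_alerts: int       # new screening alerts cleared automatically
    behavioral_triggers: int  # triggers from detection logic like 10.5's


def route_review(case: ReviewCase) -> int:
    """Map a case to Tier 1 (fully automated), 2 (system-assisted) or 3 (full
    analyst review). Escalating conditions are tested first, so a case with any
    open alert or behavioral trigger can never reach the automated tier."""
    if case.risk_rating == "HIGH" or case.open_alerts > 0 or case.behavioral_triggers > 0:
        return 3
    # Assumption: a low-risk customer whose factors changed is confirmed by an
    # analyst rather than auto-closed, since Tier 1 requires "no factor changes".
    if case.risk_rating == "MEDIUM" or case.cleared_alerts > 0 or case.factors_changed:
        return 2
    return 1


def tier_counts(cases: list[ReviewCase]) -> dict[int, int]:
    """Number of cases landing in each tier."""
    counts = {1: 0, 2: 0, 3: 0}
    for case in cases:
        counts[route_review(case)] += 1
    return counts


def annual_reviews(population: dict[str, int]) -> int:
    """Reviews per year = customers in band * (12 / cycle length in months)."""
    return sum(n * 12 // REVIEW_CYCLE_MONTHS[band] for band, n in population.items())


def baseline_analyst_hours(reviews: int, minutes_per_review: float = 15.0) -> float:
    """Pre-automation estimate where every review costs fixed analyst time."""
    return reviews * minutes_per_review / 60


def next_review_due(last_review: date, risk_rating: str) -> date:
    """Periodic review date from the rating's cycle; the day is clamped for short
    months. Off-cycle triggers (10.5) bring the review forward instead."""
    total = last_review.month - 1 + REVIEW_CYCLE_MONTHS[risk_rating]
    year, month = last_review.year + total // 12, total % 12 + 1
    day = min(last_review.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


# Constructed review cases covering each routing rule.
SAMPLE_CASES = [
    ReviewCase("C-1001", "LOW", False, 0, 0, 0),     # nothing new -> Tier 1
    ReviewCase("C-1002", "LOW", False, 0, 1, 0),     # auto-cleared alert -> Tier 2
    ReviewCase("C-1003", "MEDIUM", False, 0, 0, 0),  # medium risk -> Tier 2
    ReviewCase("C-1004", "LOW", False, 0, 0, 2),     # behavioral triggers -> Tier 3
    ReviewCase("C-1005", "HIGH", False, 0, 0, 0),    # high risk -> Tier 3
    ReviewCase("C-1006", "LOW", True, 0, 0, 0),      # factor changed -> Tier 2
]

if __name__ == "__main__":
    reviews = annual_reviews(CORNERSTONE_POPULATION)
    print(reviews, baseline_analyst_hours(reviews), tier_counts(SAMPLE_CASES))
```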
Chapter Summary
Customer risk rating assigns customers a money laundering risk classification that drives the intensity of KYC measures applied and the frequency of ongoing monitoring reviews.
The three-factor framework — customer risk, geographic risk, and product/service risk — provides the structure for most risk rating methodologies.
PEP classification is one of the most challenging elements of risk rating, requiring up-to-date PEP databases, consistent application of jurisdictional definitions, and appropriate treatment of former PEPs and PEP family members.
Enhanced Due Diligence applies to high-risk customers and certain mandatory contexts (PEPs, correspondent banking), requiring source of wealth documentation, source of funds verification, and senior management approval at onboarding.
Dynamic risk rating incorporates behavioral triggers — transaction pattern changes, new adverse media, new PEP designations — to ensure ratings remain current as customer behavior evolves.
Automation can handle most of the routine risk rating review cycle, reserving analyst time for the high-risk, complex, or ambiguous cases that genuinely require professional judgment.