Chapter 10 Exercises

Customer Risk Rating and Enhanced Due Diligence


Exercise 10.1: Risk Factor Classification

Difficulty: Introductory

For each of the following customer attributes, identify whether it is a customer risk factor, a geographic risk factor, or a product/service risk factor, and assign it a preliminary risk level (Low/Medium/High) with brief reasoning.

a) The customer is a sole proprietor, UK national, residing in Manchester

b) The customer's beneficial owner has been identified as a former Deputy Prime Minister of a Central Asian country (left office 3 years ago)

c) The customer's business operates primarily in Nigeria and Ghana (not on any OFAC or UK sanctions list)

d) The customer uses a private banking relationship with a significant proportion of cash deposits

e) The customer is a law firm with a client account holding third-party funds

f) The customer's primary trading counterparties are based in Singapore and Hong Kong

g) The customer had adverse media coverage in 2021 relating to a regulatory investigation (resolved without finding)


Exercise 10.2: Rating Calculation

Difficulty: Introductory-Intermediate

Using the risk factor ratings you developed in Exercise 10.1 (or new ones below), calculate an overall risk rating for each of the following customer profiles. Apply the following rule: if any individual factor is High, the overall rating is High; if two or more factors are Medium and none are High, the overall rating is Medium; otherwise Low.

Customer Profile A: UK retail individual, no adverse media, no PEP, earns salary, uses basic current account and savings account, no international exposure.

Customer Profile B: UK-registered private limited company, accountancy firm (industry code 8721), sole director is a current local councillor (UK domestic PEP), primarily domestic transactions, standard business current account.

Customer Profile C: BVI-registered holding company, beneficial owner is an Azerbaijani national residing in Dubai, business purpose described as "real estate investment," uses international wire transfers for property acquisitions, adverse media search: no results.

Customer Profile D: UK-registered charity, established 2019, receives donations from individuals globally including from Pakistan and Nigeria, distributes funds to partner organizations in Kenya and Tanzania, no PEP indicators, no adverse media.


Exercise 10.3: EDD Documentation Design

Difficulty: Intermediate

Design an EDD file structure for the following client. Specify what documents you would request, what independent verification you would conduct, and how you would assess the source of wealth claim.

Client: Ms. Fatima Al-Rashidi, 48, UAE national, residing in London
Relationship requested: Private banking, initial deposit £3.5 million
Declared source of wealth: "Proceeds from the sale of my shareholding in Al-Rashidi Trading LLC, a family business I have managed since 2009"
PEP status: Ms. Al-Rashidi is the daughter of a former UAE Federal Minister of Commerce (her father died in 2019)
Additional information: She has been resident in the UK since 2017, holds a UK investor visa

a) Classify Ms. Al-Rashidi's PEP status and explain the applicable risk level.

b) List the specific documents you would request for source of wealth verification.

c) What independent corroboration would you seek beyond the documents she provides directly?

d) What questions would you ask about Al-Rashidi Trading LLC to assess whether the stated £3.5 million represents a plausible share sale?

e) Draft the senior management approval memo (one page maximum) summarizing the key risk factors and the basis for approving the relationship.


Coding Exercise 10.4: Build a Risk Rating Engine

Difficulty: Coding — Intermediate

Extend the rate_customer_risk() function from Section 10.2 to add:

  1. Weighted numerical scoring: Instead of categorical HIGH/MEDIUM/LOW per factor, assign each factor a numerical score (0–10) and multiply by a weight. The weighted sum determines the rating:
     - Score 0–3: Low Risk
     - Score 4–6: Medium Risk
     - Score 7–10: High Risk

  2. PEP-specific override: Any current PEP (not former, not family) automatically generates a HIGH overall rating regardless of weighted score.

  3. Multiple profiles: Test your function with the four profiles from Exercise 10.2 (convert their characteristics to dictionary inputs).

  4. Rating explanation: The function should return a human-readable rationale string suitable for inclusion in a KYC file — not just the rating level.

Suggested factor weights (adjust as you see fit and justify your choices):
- Entity type: 15%
- PEP status: 25%
- Adverse media: 20%
- Country risk: 20%
- Industry: 10%
- Products: 10%
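A sketch of the weighted-score core with the PEP override, added here as an illustration and not taken from the book. Because rate_customer_risk() from Section 10.2 is not reproduced on this page, the hypothetical weighted_rating() takes per-factor scores (0–10) directly; rounding the weighted sum half up before banding is an assumption, since the stated bands leave values such as 3.5 unassigned.

```python
from decimal import Decimal, ROUND_HALF_UP

# Suggested weights from the exercise, as fractions of 1.
WEIGHTS = {
    "entity_type": Decimal("0.15"),
    "pep_status": Decimal("0.25"),
    "adverse_media": Decimal("0.20"),
    "country_risk": Decimal("0.20"),
    "industry": Decimal("0.10"),
    "products": Decimal("0.10"),
}


def weighted_rating(scores, current_pep=False):
    """Return (rating, weighted_score, rationale) for per-factor scores 0-10."""
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    parts = {}
    for name, weight in WEIGHTS.items():
        if not 0 <= scores[name] <= 10:
            raise ValueError(f"{name} score must be in 0-10")
        parts[name] = weight * Decimal(str(scores[name]))
    total = sum(parts.values())
    # Assumption: round half up to a whole number so 3.5 lands in a band.
    band = int(total.quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    rating = "LOW" if band <= 3 else "MEDIUM" if band <= 6 else "HIGH"
    top = max(parts, key=parts.get)
    rationale = (f"Weighted score {total:.2f} (band {band}); "
                 f"largest contributor: {top}.")
    # A current PEP forces HIGH whatever the weighted score says.
    if current_pep and rating != "HIGH":
        rationale += f" Overridden from {rating} to HIGH: current PEP."
        rating = "HIGH"
    return rating, float(total), rationale


if __name__ == "__main__":
    # Constructed scores, not derived from any profile in the exercises.
    sample = {"entity_type": 2, "pep_status": 8, "adverse_media": 0,
              "country_risk": 1, "industry": 3, "products": 2}
    print(weighted_rating(sample, current_pep=True))
```

The rationale records the pre-override rating, so a reviewer reading the KYC file can see both what the score alone produced and why it was overridden.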


Coding Exercise 10.5: Dynamic Trigger Detection

Difficulty: Coding — Advanced

Extend the detect_behavioral_triggers() function from Section 10.5 to add two additional trigger detection mechanisms:

Trigger 5 — Counterparty diversification: If the number of distinct counterparties in the current period is more than 3× the number in the prior period (and the prior period had at least 5 distinct counterparties), flag for review. Description: "Rapid counterparty diversification — possible structuring or layering network establishment."

Trigger 6 — Round-amount clustering: If more than 30% of transactions in the current period are round dollar/pound amounts (exactly divisible by 1000), and this proportion is more than 2× the prior period, flag for review. Description: "Round-amount transaction clustering — possible structuring indicator."

Then write a batch_trigger_scan(customers_df, transactions_df) -> pd.DataFrame function that:
- Takes a DataFrame of customer records (customer_id, current_risk_rating, declared_business_purpose)
- Takes a DataFrame of transaction records (customer_id, transaction_date, amount, direction, counterparty_country, transaction_type)
- Splits transactions into current period (last 90 days) and prior period (91–180 days ago)
- Calls detect_behavioral_triggers() for each customer
- Returns a summary DataFrame of all triggers found, sorted by severity (urgent first) then customer_id

Test with synthetic data for 100 customers.
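The two threshold conditions for Triggers 5 and 6, written as standalone predicates over plain lists of transaction dicts (an added sketch, not the book's detect_behavioral_triggers(), which is not reproduced on this page). The `counterparty_id` field is an assumption: the transaction schema in the exercise lists only counterparty_country, so a counterparty identifier has to come from somewhere. Zero amounts are treated as not round, which is also an assumption.

```python
from decimal import Decimal
from fractions import Fraction


def distinct_counterparties(txns):
    # Assumption: each record carries a counterparty_id (not in the
    # exercise's schema, which has only counterparty_country).
    return len({t["counterparty_id"] for t in txns})


def counterparty_diversification(current, prior):
    """Trigger 5: current distinct count > 3x prior, and prior had >= 5."""
    prev = distinct_counterparties(prior)
    return prev >= 5 and distinct_counterparties(current) > 3 * prev


def round_share(txns):
    """Share of transactions whose amount is a positive multiple of 1000."""
    if not txns:
        return Fraction(0)
    hits = 0
    for t in txns:
        amount = Decimal(str(t["amount"]))  # Decimal avoids float remainders
        if amount > 0 and amount % 1000 == 0:
            hits += 1
    return Fraction(hits, len(txns))


def round_amount_clustering(current, prior):
    """Trigger 6: round share > 30% and > 2x the prior-period share."""
    cur, prev = round_share(current), round_share(prior)
    return cur > Fraction(3, 10) and cur > 2 * prev


def extra_triggers(current, prior):
    """Return the numbers of the added triggers that fire."""
    fired = []
    if counterparty_diversification(current, prior):
        fired.append(5)
    if round_amount_clustering(current, prior):
        fired.append(6)
    return fired


# Constructed sample: 5 prior counterparties, 16 current, half round amounts.
PRIOR = [{"counterparty_id": f"CP{i}", "amount": "1250.40"} for i in range(5)]
CURRENT = [{"counterparty_id": f"CP{i}",
            "amount": "5000" if i % 2 == 0 else "731.15"} for i in range(16)]

if __name__ == "__main__":
    print(extra_triggers(CURRENT, PRIOR))
```

When the prior period has no round amounts at all, the 2× condition is met by any non-zero share, so only the 30% floor does any filtering; synthetic test data should include that case.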


Exercise 10.6: Review Cycle Capacity Planning

Difficulty: Applied

A UK challenger bank is designing its customer risk rating review cycle for a projected customer base:
- 15,000 total customers
- 5% High Risk (semi-annual review)
- 20% Medium Risk (annual review)
- 75% Low Risk (triennial review)

a) Calculate the total number of scheduled reviews per year.

b) If the bank implements a tiered automation model:
- Tier 1 (fully automated, no analyst): applicable to 65% of Low Risk reviews — 5 minutes of system time, no analyst time
- Tier 2 (system-assisted analyst review): 30% of Low Risk + all Medium Risk reviews — 10 minutes of analyst time
- Tier 3 (full analyst review): all High Risk + 5% of Low Risk (quality sample) + Tier 2 escalations (estimated 8%) — 40 minutes of analyst time

Calculate the total analyst-hours required per year for each tier.

c) The bank has 1.5 FTE dedicated to KYC review (including review cycles). At 1,760 working hours per FTE per year, what are the total available analyst-hours?

d) Is the automated model sufficient to handle the review volume within capacity? If not, what adjustments would you recommend?

e) What quality assurance processes should be applied to Tier 1 automated reviews to ensure they maintain regulatory compliance despite the absence of analyst involvement?


Applied Exercise 10.7: The Stale Rating Problem

Difficulty: Applied

Using the enforcement case opening the chapter as a reference, analyze the following scenario and provide recommendations:

A regional bank has 45,000 business banking customers. Risk ratings were last systematically reviewed in 2021 as part of a regulatory remediation project. Since then:
- 12,000 new customers have been onboarded with ratings current to their 2022–2024 onboarding dates
- For the 33,000 pre-2021 customers: 40% have had individual trigger events (onboarding of new products, annual account reviews) that incidentally updated their ratings; 60% have had no risk rating update since 2021

a) Assess the regulatory risk of the situation for the 33,000 pre-2021 customers, particularly the 60% whose ratings have not been updated since 2021.

b) Prioritize: within the 60% with stale ratings, which sub-groups should be reviewed first? Design a prioritization framework.

c) Estimate the analyst resources required to remediate the stale ratings for the highest-priority sub-groups first.

d) Draft a project plan for the remediation that would satisfy a regulator examining the bank's AML program: what would the regulator expect to see in terms of scope, timeline, governance, and documentation?