Key Takeaways
Chapter 10: Customer Risk Rating and Enhanced Due Diligence
Core Concept
Customer risk rating (CRR) classifies each customer by money laundering risk to drive proportionate KYC measures and monitoring. It is not a one-time onboarding assessment — it must evolve dynamically as customer behavior and circumstances change.
Essential Points
1. Risk Rating Drives Proportionality
- Low risk → standard CDD; longer review cycles (24–36 months); standard transaction monitoring thresholds
- High risk → Enhanced Due Diligence (EDD); shorter review cycles (6 months); tighter transaction monitoring
- The regulatory principle: KYC measures must be proportionate to the money laundering risk presented, not mechanically uniform

2. The Three-Factor Framework
- Customer factors: entity type, PEP status, adverse media, industry/occupation
- Geographic factors: country of domicile, countries of operations, counterparty jurisdictions
- Product/service factors: products and services used, transaction volume/value profile, account complexity
- Overall rating typically = highest risk category across factors, or weighted combination

3. PEP Classification Is High Risk With No Exception
- Foreign PEPs: automatically high risk (EU/UK); risk-based under US guidance
- Current PEPs always require EDD; senior management approval for onboarding
- Former PEPs: elevated risk for "an appropriate period" — often 5–10 years in practice
- Family members and close associates: at minimum medium risk; often high risk
- Commercial PEP databases (World-Check, Dow Jones) are essential — institutions cannot build this capability internally at scale

4. EDD Elements Beyond Standard CDD
- Source of wealth: how the customer accumulated their overall wealth — requires corroborated documentation (not just customer declaration)
- Source of funds: where specific transaction funds originated — bank statements, wire confirmations, completion statements
- Business purpose: stated purpose corroborated by independent evidence
- Senior management approval: required before onboarding any high-risk customer
- Enhanced ongoing monitoring: more frequent reviews, tighter transaction monitoring thresholds

5. Source of Wealth ≠ Source of Funds
- SOF: where did this money come from? (transaction-level)
- SOW: how did this customer build their wealth? (customer-level)
- Both required for high-risk customers; missing either creates a regulatory gap

6. Static Risk Ratings Fail — Dynamic Review Is Essential
- The core failure mode: rating set at onboarding remains unchanged despite material behavioral changes
- Trigger events requiring off-cycle review: material volume changes (>200%), new high-risk jurisdiction activity, rapid in/out patterns, new PEP designation, new adverse media, change of BO
- Behavioral monitoring should automatically flag these triggers for risk rating review

7. Automation Handles Scale; Judgment Handles Complexity
- Fully automated: low-risk review cycles with no factor changes; adverse media checks; factor recalculations
- System-assisted: medium-risk reviews; cleared screening alerts
- Full analyst review: high-risk customers; uncleared alerts; behavioral triggers
- Tiered automation can reduce total analyst time by 75%+ while maintaining quality — as Cornerstone Financial Group demonstrated
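As an added example (not from the chapter or any vendor system), points 2, 6 and 7 in Python: a highest-factor-wins rating, the off-cycle review triggers, and the automation tier that results. The jurisdiction codes, the 12-month medium-risk cycle, the mapping of former PEPs and associates to "medium", and the reading of ">200%" as observed volume more than three times the baseline are assumptions.

```python
from dataclasses import dataclass, field
LEVELS = {"low": 0, "medium": 1, "high": 2}
REVIEW_MONTHS = {"low": 36, "medium": 12, "high": 6}  # 12-month medium cycle is an assumption
HIGH_RISK_JURISDICTIONS = {"HR-1", "HR-2"}           # constructed placeholder codes
@dataclass
class Customer:
    pep_status: str = "none"      # none | former | family_or_associate | current
    adverse_media: bool = False
    high_risk_industry: bool = False
    complex_products: bool = False
    jurisdictions: set = field(default_factory=set)  # domicile, operations, counterparties
    baseline_monthly_volume: float = 0.0             # volume profile fixed at last review

def customer_factor(c: Customer) -> str:
    """Customer factors: PEP status, adverse media, industry/occupation."""
    if c.pep_status == "current" or c.adverse_media:
        return "high"    # current PEPs always require EDD
    if c.pep_status in ("former", "family_or_associate") or c.high_risk_industry:
        return "medium"  # 'elevated' / 'at minimum medium' in the chapter (assumed mapping)
    return "low"

def geographic_factor(c: Customer) -> str:
    return "high" if c.jurisdictions & HIGH_RISK_JURISDICTIONS else "low"

def product_factor(c: Customer) -> str:
    return "high" if c.complex_products else "low"

def overall_rating(c: Customer) -> str:
    """Highest category across the three factors wins (the unweighted variant)."""
    return max((customer_factor(c), geographic_factor(c), product_factor(c)), key=LEVELS.get)

def review_triggers(c: Customer, observed_volume: float, new_jurisdictions: set,
                    pep_designated: bool, new_adverse_media: bool, bo_changed: bool) -> list:
    """Off-cycle review triggers; '>200%' read as volume more than 200% above baseline."""
    hits = []
    if c.baseline_monthly_volume and observed_volume > 3 * c.baseline_monthly_volume:
        hits.append("volume_change_over_200pct")
    if new_jurisdictions & HIGH_RISK_JURISDICTIONS:
        hits.append("new_high_risk_jurisdiction")
    hits += [name for name, hit in (("new_pep_designation", pep_designated),
                                    ("new_adverse_media", new_adverse_media),
                                    ("beneficial_owner_change", bo_changed)) if hit]
    return hits

def workflow_tier(rating: str, triggers: list) -> str:
    """Tiered automation: analyst judgment for high risk or any trigger, automation otherwise."""
    if rating == "high" or triggers:
        return "full_analyst_review"
    return "system_assisted" if rating == "medium" else "fully_automated"
```

A low-risk customer whose monthly volume jumps from a 1,000 baseline to 3,500 is routed to full analyst review even though no static factor changed, which is the failure mode point 6 describes.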
Key Distinctions
| Aspect | CDD (Standard) | EDD (Enhanced) |
|---|---|---|
| Who | Low/medium risk customers | High-risk customers; PEPs; certain mandatory contexts |
| Source of wealth | Not required | Required with documentation |
| Source of funds | Not required | Required for significant transactions |
| Senior approval | Not required | Mandatory |
| Review cycle | 12–36 months | 6 months |
| Transaction monitoring | Standard thresholds | Tighter thresholds |
Connections to Other Chapters
- Chapter 6 (KYC): CRR is an output of the KYC process — the risk rating determines how much KYC to do
- Chapter 7 (Transaction Monitoring): CRR feeds directly into transaction monitoring threshold calibration — high-risk customers should have tighter thresholds
- Chapter 9 (Beneficial Ownership): BO characteristics (PEP status, jurisdiction, adverse media on beneficial owners) are direct CRR inputs
- Chapter 11 (SAR/Case Management): CRR feeds into SAR investigation prioritization — high-risk customer alerts get higher investigation priority
- Chapter 26 (Explainable AI): ML-based risk rating models require XAI techniques to explain individual customer ratings to regulators and to the customers themselves (in right-to-explanation contexts)
- Chapter 29 (Algorithmic Fairness): Automated risk rating models may systematically rate certain demographic groups differently — a fairness concern that requires monitoring and governance
Regulatory Reference Points
| Framework | CRR Relevance |
|---|---|
| FATF Recommendation 1 | Risk-based approach (the foundational principle) |
| FATF Recommendation 12 | PEP requirements |
| FATF Recommendation 10 | CDD requirements, including EDD for high-risk |
| 31 CFR 1010.230 (FinCEN CDD Rule) | US CDD and risk-based approach |
| FCA Financial Crime Guide (FCG 3) | UK risk assessment requirements |
| AMLD5, Article 18 | EU EDD mandatory situations |
| EBA Guidelines on CDD and ML/TF Risk | EU technical standards for risk-based approach |