Chapter 10 Quiz
Customer Risk Rating and Enhanced Due Diligence
18 questions. Answers follow.
1. The primary function of customer risk rating in an AML compliance program is to:
A) Determine which customers are legally permitted to maintain financial accounts
B) Enable proportionate application of KYC measures and monitoring intensity based on the money laundering risk each customer presents
C) Classify customers for product pricing and credit risk assessment purposes
D) Generate the mandatory risk scores required to be submitted in regulatory reports
2. In a three-factor customer risk rating framework, which of the following is a "product/service risk factor"?
A) The customer's nationality
B) Whether the customer is a politically exposed person
C) Whether the customer uses international wire transfers as a core banking product
D) The jurisdiction in which the customer's beneficial owners are resident
3. Under the categorical scoring approach to risk rating, if a customer has a HIGH rating for PEP status, a LOW rating for industry, and a MEDIUM rating for country risk, the overall rating would typically be:
A) LOW
B) MEDIUM
C) HIGH
D) It depends on the analyst's professional judgment — there is no systematic rule
4. A "Politically Exposed Person" (PEP) in the FATF framework most directly refers to:
A) Any individual with a publicly disclosed political opinion or affiliation
B) Individuals entrusted with prominent public functions and their family members / close associates
C) Individuals who have made political donations exceeding a defined threshold
D) Any government employee regardless of seniority
5. A customer disclosed during onboarding that they were a government minister in Country X. They retired from public office 18 months ago. Under the UK MLRs 2017, how should this individual's PEP status be treated?
A) PEP status expires immediately upon leaving public office — standard CDD applies
B) PEP status expires after exactly 12 months — standard CDD applies as of today
C) The individual remains a PEP for "an appropriate period" after leaving office — at 18 months, the institution must make a risk-based judgment but should maintain elevated scrutiny
D) Government ministers are never PEPs under UK law — only heads of state qualify
6. Enhanced Due Diligence (EDD) differs from standard CDD primarily in that it:
A) Applies only to corporate customers; standard CDD applies to individual customers
B) Requires more intensive verification measures including source of wealth documentation, source of funds verification, and senior management approval for onboarding
C) Is triggered only when a customer declines to provide standard documentation
D) Requires the institution to interview the customer in person, regardless of the customer's geographic location
7. "Source of wealth" verification for an EDD customer requires:
A) A bank statement showing the customer has sufficient funds in their account
B) A declaration from the customer that they earned their wealth through legitimate means
C) Corroborated documentation showing how the customer accumulated their overall net worth — career history, business interests, significant wealth events
D) A certified audit of the customer's business income for the prior tax year
8. What is the key distinction between "source of funds" (SOF) and "source of wealth" (SOW)?
A) SOF applies to corporate customers; SOW applies to individuals
B) SOF is transaction-level verification (where did this specific money come from?); SOW is customer-level verification (how did this person accumulate their overall wealth?)
C) SOF is required for all CDD; SOW is only required for PEPs
D) SOF is verified by the customer's bank; SOW is verified by the institution's own investigation
9. A financial institution rates a customer as "High Risk" at onboarding. What are the mandatory procedural requirements before the customer relationship can commence?
A) Reporting to the relevant financial intelligence unit prior to establishing the relationship
B) Senior management written approval for onboarding
C) An independent audit of all proposed transactions for the first 12 months
D) A mandatory 30-day cooling-off period before any transactions can be processed
10. The "dynamic risk rating" approach addresses which fundamental limitation of static risk rating systems?
A) Static systems cannot differentiate between individual and corporate customers
B) Static systems assign ratings at onboarding but do not automatically update when customer behavior changes materially over time
C) Static systems require too many manual calculation steps to be operationally practical
D) Static systems are not recognized by international regulators as compliant risk assessment methodologies
11. A cash-intensive retail business (a restaurant chain) that has maintained a "Low Risk" rating for three years suddenly shows a 300% increase in monthly cash deposits with no change in declared business activity. Under a dynamic risk rating framework, the correct response is:
A) File a SAR immediately — a 300% increase always indicates money laundering
B) Update the risk rating to High Risk immediately without further investigation
C) Detect this as a behavioral trigger and initiate a risk rating review — investigating whether the change is explained by legitimate business growth or represents suspicious activity
D) Maintain the current rating — historical patterns are more reliable than short-term changes
12. For a high-risk customer's review cycle, the standard expectation is:
A) Annual review only (consistent with low and medium risk)
B) Review every 6 months
C) Review every 90 days
D) Continuous real-time monitoring — no scheduled review cycle needed
13. Which of the following behavioral changes should trigger an automatic risk rating review under a well-designed dynamic risk rating system?
A) A customer closing one of three accounts while keeping two active
B) A customer's first transactions with a high-risk jurisdiction
C) A customer increasing their monthly salary direct deposit by 5%
D) A customer opening a new product type offered by the institution
14. Priya's EDD checklist for a PEP includes "PEP database check: current status, role description, jurisdiction, family/associates listed." Why is checking family members and close associates important?
A) Family members are legally responsible for a PEP's financial compliance obligations
B) Family members and close associates may be vehicles for concealing or moving a PEP's funds — and are themselves a regulatory category (related persons) in many frameworks
C) Family members of PEPs are automatically subject to sanctions restrictions
D) Banks are required to report all family members of PEPs to the financial intelligence unit
15. In Cornerstone Financial Group's tiered automation model, "Tier 1" (fully automated) reviews are appropriate for which customer category?
A) High-risk customers with recent adverse media
B) All customers with international wire transfer activity
C) Low-risk customers with no factor changes, no new screening alerts, and no behavioral triggers
D) Medium-risk customers who have had their risk rating for more than 24 months without review
16. A correspondent banking relationship (Chapter 8 context) is one of the situations in which EDD is mandatory regardless of the overall customer risk rating. Why is correspondent banking treated as a mandatory EDD context?
A) Correspondent banks are always foreign entities — foreign entities are always high risk
B) Correspondent banking involves the institution extending services to the correspondent bank's own customers, creating indirect exposure to an unknown underlying customer base that the institution cannot directly verify
C) Correspondent banking typically involves transactions exceeding $1 million, automatically triggering EDD requirements
D) Correspondent banks are defined as PEPs under international regulatory frameworks
17. An institution conducts 235,600 CRR reviews per year. If it implements a tiered automation model where 68% are fully automated (15 min each), 22% system-assisted (8 min each), and 10% full analyst review (45 min each), approximately how many analyst-hours are required for the full analyst review tier?
A) 1,770 hours
B) 17,670 hours
C) 35,340 hours
D) 59,000 hours
18. The regulatory enforcement case opening Chapter 10 resulted in a £2.8 million penalty. The core failure identified by the regulator was:
A) The bank had failed to onboard the customer with appropriate documentation
B) The bank had filed insufficient SARs for the suspicious transactions
C) The bank's risk rating methodology did not incorporate transaction behavior as a trigger for risk rating update — allowing a stale "Low Risk" rating to persist despite material behavioral changes
D) The bank had failed to screen the customer against OFAC and UK sanctions lists
Answer Key
| Q | A | Explanation |
|---|---|---|
| 1 | B | CRR enables proportionate KYC — different levels of scrutiny for different risk levels. It is not a permission system and not for product pricing. |
| 2 | C | International wire transfers are a product/service risk factor. Nationality and PEP status are customer factors; counterparty jurisdiction is a geographic factor. |
| 3 | C | Any HIGH factor rating typically produces a HIGH overall rating in a categorical scoring model — the highest risk factor drives the outcome. |
| 4 | B | FATF's definition: individuals entrusted with prominent public functions and their family members/close associates. Not all public employees; not based on opinions or donations. |
| 5 | C | Former PEPs remain elevated risk for "an appropriate period" — not a fixed date. At 18 months, continued elevated scrutiny is appropriate; the institution makes a risk-based judgment about when to revert to standard CDD. |
| 6 | B | EDD = more intensive verification: SOW documentation, SOF verification, senior management approval. Not limited to corporates; not triggered by refusal to provide documents. |
| 7 | C | SOW verification requires corroborated documentation — career history, business sale records, inheritance documentation. A bank statement or simple declaration is insufficient. |
| 8 | B | SOF = transaction-level (where did this money come from?); SOW = customer-level (how did they accumulate their wealth?). Both required for high-risk customers. |
| 9 | B | Senior management written approval is the mandatory requirement before commencing a high-risk customer relationship. No FIU report is required pre-commencement (unless there is already suspicion). |
| 10 | B | Static systems rate at onboarding and don't update automatically. Dynamic systems incorporate behavioral change triggers to keep ratings current. |
| 11 | C | A 300% volume increase is a behavioral trigger for review — not an automatic SAR or automatic risk uprating. Legitimate business growth can explain volume increases; the review determines whether it's genuine. |
| 12 | B | High-risk customers: review every 6 months. Medium: 12 months. Low: 24–36 months. |
| 13 | B | First transactions with a high-risk jurisdiction represent a new and material risk factor. Closing an account, small salary increases, and new product openings are not risk rating triggers. |
| 14 | B | Family members and close associates may hold, manage, or benefit from a PEP's funds — and are themselves a regulatory category in most frameworks. They are not automatically sanctioned. |
| 15 | C | Tier 1 automation is appropriate for low-risk customers with no changes, no alerts, and no triggers — where the previous rating is still supported by all available data. |
| 16 | B | Correspondent banking extends services to the correspondent's underlying customers — an unknown population the institution cannot directly KYC. This indirect exposure is the EDD trigger. |
| 17 | B | Full analyst review tier only: 10% of 235,600 = 23,560 reviews × 45 min = 1,060,200 min ÷ 60 = 17,670 hours. Option A (1,770) is one tenth of the correct figure, a calculation error. |
| 18 | C | The enforcement finding: the bank's rating methodology did not incorporate behavioral transaction triggers — a static rating persisted despite material behavioral changes. |