Customer Risks

Summary

Effective 1 June 2025, you will have a requirement to risk-rate any new customers, record the risk assessment and re-assess the customer risk assessment on an ongoing basis. The Supervisors have not released specific guidance on customer risk assessment and rating; however, we can infer a few things from the AML/CFT Programme Guideline that was updated in October 2024.

• First, you are required to risk-rate your customers when you conduct standard or enhanced customer due diligence. In other words, you would not be required to risk-rate your customers who qualify for simplified customer due diligence. 

• Second, your customer risk assessment should be based on the findings of your business risk assessment. For example, if a specific service was assessed as high risk, the risk assessment of a customer requesting such service should reflect those risks.

• Third, you will have some flexibility. You may use a numeric system, or you can use a low-medium-high system to rate your customers. You could use an automated solution, or you could use a qualitative assessment. Whichever solution you opt for, your compliance programme needs to explain your methodology and the frequency of your reviews. In particular, you would be expected to review customers you have assessed as high-risk more frequently than medium-risk customers. Moreover, it is important to note, you would not be expected to conduct ongoing reviews of customers that are low-risk, in the absence of any other trigger.

What’s Next?

We have developed a customer risk rating tool. Get in touch if you want to see a demo.