Customer Risk Assessment: How to Do it Right [Step-By-Step Guide]

Learn all about customer risk assessment, factors that help determine the level of risk, automation options, and concrete steps you have to take to comply with AML regulations.

Customer risk assessment includes collecting and verifying certain information in order to assign a risk score to a user based on the level of risk. Typically, companies evaluate factors such as age, country of origin, and the nature of the business relationship to assess a customer’s risk. This includes examining the customer’s identity, location, the source of their funds, and how they intend to use those funds. 

Customer risk assessment is also a measure that’s required by anti-money laundering (AML) regulations for regulated entities, such as banks and other financial institutions. They must follow the risk-based approach (RBA). But what other key steps are vital for proper and compliant risk-scoring practices? We explain the details below. 

What is a Risk Assessment?

A risk assessment is the practice of assessing the risk level linked to a customer based on the risk that they pose within the financial system. This process is a crucial part of AML compliance and is designed to prevent money laundering, terrorist financing, and other financial crimes. This AML measure helps companies to better understand, identify, and mitigate potential risks associated with their customers.

Through a proper risk assessment, you can determine if the customer:

  • Poses a money laundering risk
  • Is a politically exposed person 
  • Is financing terrorism according 
  • Appears on watchlists or other blacklists
  • Is a sanctioned person or a sanctioned business

For this reason, to conduct a risk assessment, companies often verify customer identities and then screen their users against sanctions lists, as well as analyze their transactions in order to detect certain red flags based on factors like their location or services used. 

Factors that Determine the Customer’s Risk Profile 

Companies should understand various risk scenarios and know how to identify potential issues, including determining appropriate risk profiles for their customers. This way, they can minimize risks, limiting the scope of compliance considerations. 

The key factors that help assess and identify customer risk profiles are: 

  • Industry
  • Transaction values
  • Types and volume of transactions
  • Types of products and services offered
  • Jurisdictions they operate in
  • Jurisdictions their customers are in
  • Third parties they deal with
  • Ownership and operation of these companies

Companies will have varying levels of risk appetite for the customers they are willing to work with, only accepting certain types of business relationships. That said, you should establish certain criteria for customer risk scoring based on your business and associated threats. 

The Main Goal of Customer Risk Assessment

The key objective of customer risk assessment is to find out more about the customer during and after the onboarding process, determining if they pose any money laundering risks throughout the business relationship. 

This is why AML compliance regulations require companies to conduct such assessments and detect AML red flags, as well as key risks, for example, if the customer is sanctioned, has the Politically Exposed Person (PEP) status, or appears on any other criminal watchlist. 

That’s why integrating customer risk assessment into a company’s AML program helps to:

  • Identify and manage potential risks more effectively.
  • Determine which level of due diligence is appropriate for the customer.

Consequently, a risk assessment is crucial for both maintaining compliance with AML regulations and maintaining the overall security and integrity of the financial system. For non-obligated industries, internal risk assessments are beneficial in terms of identifying potential risks as well, which is standard practice for maintaining customer trust and avoiding tarnishing a brand’s reputation. 

What are Some Behavioral Red Flags Found During Customer Risk Assessment?

A customer risk assessment is an ongoing process and shouldn’t end as soon as the user is onboarded. That’s because risk profiles change, and user behaviors can change as well, raising red flags that require some reevaluation of their risk assessment. 

Such red flags potentially showing signs of illicit activities include:

  • Using false or suspicious documents
  • Requesting shortcuts or suspicious transaction volumes
  • Frequently changing banks in a short period
  • Having overly complicated ownership structures
  • Attempting to disguise the real owner of the business
  • Showing inconsistent levels of business activity
  • Engaging in business with high-risk countries for money laundering or terrorism financing
  • Receiving large private funding for a cash-intensive business

What Elements Should You Consider for a Compliant AML Risk Assessment?

To actually understand the risks associated with each customer, companies should integrate several steps into their AML risk assessment. This includes verifying customer identities and determining the type of due diligence that should be performed on the customer. For example, the Financial Action Task Force (FATF) advises businesses to avoid or terminate business relationships if they cannot apply the proper level of due diligence.

That said, there are other elements involved in AML risk assessment. The key factors that businesses should consider include:

1. Customer Due Diligence (CDD)

Customer due diligence (CDD) allows companies to assess the risk of entering a new business relationship and aims to prevent fraud, money laundering, and other illicit activities. CDD processes verify a user’s identity and determine the risks they may pose, helping companies make informed decisions to avoid legal penalties and financial losses, such as those in financial institutions where due diligence is required before granting account access.

In general, customer due diligence involves the following processes:

  • Customer identification and verification.
  • Identification and verification of beneficial owners for corporate clients.
  • Assessment of the purpose and nature of the business relationship.
  • The performance of ongoing monitoring to keep the users’ risk profiles accurate and up-to-date.

Based on this step in the AML risk assessment, businesses can decide which type of CDD they should apply. If the risk is low, companies choose simplified due diligence (SDD). However, for higher-risk customers, companies perform enhanced due diligence (EDD), which involves extra checks and other AML measures like transaction monitoring.

2. Identification of Different Risk Factors

To determine a customer’s overall risk means assessing different risk factors, such as the type of business, transaction volume, geographical location, etc. This is important because users in high-risk jurisdictions or those who are identified as having suspicious transactions should face increased scrutiny. 

Here are some tips that will help you determine the customer’s risk score:

  • Consider geographic factors like country of residence to identify customers from prohibited jurisdictions.
  • Determine the type of customer, identifying whether they’re an individual or a business. This is crucial because, for individuals, you should assess the country of origin, age, and PEP status. For businesses, consider other factors like the company’s establishment date (newer entities pose a higher risk), location, beneficial ownership, etc. 
  • Check if the customer has adverse media mentions or any links to criminal activity affecting your company’s reputation.
  • Check if the customer is involved in high-risk sectors like iGaming, arms trade, or pharmaceuticals.
  • Evaluate the duration of the relationship. Keep in mind that long-term relationships are typically considered lower risk.
  • Monitor customer behavior, including checking whether the customer has provided false information or has suddenly become involved in unusual transactions.

Given the extensive work of gathering, assessing, screening, and monitoring data and cross-checking it with various databases, compliance officers often use AML automation to streamline tasks, including customer risk assessment. Often, such software produces risk scores based on the mentioned factors and other risks, including the customer’s occupation, residency, and financial behaviors.

3. Enhanced Due Diligence (EDD)

When the risk is higher, financial institutions need to apply enhanced due diligence (EDD) measures, such as:

  • Collecting customer information (both for individual and business clients).
  • Identifying the customer’s beneficial owner.
  • Defining the purpose and intended nature of the business relationship.

EDD is an extended KYC and AML process that intensifies scrutiny of potential business partnerships, uncovering risks not detectable through standard due diligence.

Companies that perform enhanced due diligence should collect the following data:

  • Individual clients. Companies should gather data on indicators of financial crime risk, such as corruption, money laundering, and other crimes, as well as details like adverse media mentions and information on the source of wealth (SOW).
  • Business clients. Businesses should collect information about directors, shareholders, officers, senior management members, and ultimate beneficial owners (UBOs) to get a picture of the whole company’s background.

Like every step in the customer risk assessment process, EDD should focus on identifying the client’s risk, understanding it, and assessing how or whether it can be mitigated. This involves gathering more information about the customer, closely monitoring transactions, and assessing the potential exposure to different financial crimes.

Examples of When Enhanced Due Diligence Should be Performed

If initial risk assessment checks reveal high-risk factors, such as the entity is a cash-intensive business or the customer is a PEP, companies should perform enhanced due diligence. Other cases when EDD measures should be applied include:

  • When the business relationship involves a person or transaction in a high-risk jurisdiction.
  • If the customer has provided false or stolen ID documents or information when establishing a relationship.
  • When the company identifies a high risk of money laundering or terrorist financing.
  • When a transaction is suspicious, showing red flags such as an unusually large amount or the lack of a properly explained legal purpose.

4. Transaction Monitoring

This part of the risk assessment process, once again, helps detect and prevent money laundering. More importantly, transaction monitoring is vital to detect unusual activities in customer behavior. This helps gather additional information and file suspicious activity reports (SARs) if needed. The FATF advises companies to adjust the extent and depth of their transaction monitoring based on their internal risk assessment and individual customer risk profiles.

The FATF also recommends that ongoing transaction monitoring and customer due diligence be conducted continuously or triggered by specific transactions (when an AML red flag is detected). Automated ongoing monitoring systems often analyze transaction patterns and identify such deviations, triggering further investigation and simplifying work for the company’s internal compliance teams.

Factors Shaping Transaction Monitoring Strategies

Businesses typically conduct transaction monitoring in various ways, depending on characteristics specific to their operating industry, jurisdiction, and so on. For example, the following elements have an impact on the company’s monitoring practices:

  • Their corporate culture
  • Associated operational and industry risks
  • Customer profiles, including any intermediaries and third parties
  • Their sector, size, complexity, and market reach

Some jurisdictions are known as money laundering havens or simply have inadequate AML regulations and weak governments. Cross-border transactions or cash-intensive businesses complicate monitoring practices. That is why every business should tailor its transaction monitoring very carefully based on AML red flags and internal business processes.

5. Politically Exposed Persons (PEPs)

A Politically Exposed Person (PEP) is an individual who holds a significant public role within a government or international organization and is more vulnerable to activities such as bribery or corruption. Their elevated risk comes from the potential misuse of their position for money laundering or personal gain.

For this reason, companies consider PEPs high-risk clients. Despite that, during a risk assessment, if you identify a customer who has a PEP status, that doesn’t automatically ban them from accessing your services. For example, in Europe, PEP checks are part of the Anti-Money Laundering Directives (AMLDs). 

While the PEP status doesn’t automatically imply criminal behavior, 5AMLD requires continuous monitoring of these individuals. This involves updating their risk profiles in response to any status changes.

Individuals Considered as PEPs

The FATF defines PEPs as individuals who meet these criteria:

  • High-ranking individuals. These are the main figures designated by major political parties, including central bank board members, high-ranking military officers, or senior executives of government-owned businesses.
  • Government officials. These can be senior officials in the judiciary, legislative, or executive branches. Diplomats and parliament members, such as ambassadors, are also considered PEPs.
  • Close associates. This includes close relatives of parliamentarians, individuals with beneficial ownership of legal entities, family members, or those involved in companies where the government is the sole or majority shareholder.

6. Customer Risk Profiles

Customer risk profiles are designed to help businesses assess customer risks and detect potential money laundering activities. This element aims to categorize customers into different categories based on their overall risk assessment results. 

In general, to determine a customer’s risk profile, you need to analyze their data and build a background. This involves screening their financial activities and socials, as well as other internal and external records. 

Risks You Should Consider When Building a Customer Risk Profile

To have a robust AML program means to have a risk profiling strategy. A customer risk profile depends on various factors, including the mentioned transaction monitoring. That means individual risk factors should be assessed in the context of general customer behavior. 

Certain risk factors are often used by companies when building customer risk profiles, including assessing:

  • Customer risk. This means reviewing the behavior and the client’s characteristics, such as the potential for money laundering, connections to politically exposed persons, legal risks, and reputational risks.
  • Geographical risk. This factor evaluates the potential for illegal activities based on local laws and regulations, including regulatory risk linked to the customer’s location.
  • Transactional risk. This includes analyzing elements like the transaction’s amount, volume, and purpose in order to detect potentially suspicious activities or unveil money laundering techniques, such as structuring.
  • The nature of services that the customer seeks. This element might also be a sign of money laundering. For instance, frequent inquiries about cash deposits or international transfers are an AML red flag.

After considering all the factors, companies categorize customers based on their risk scores. Typically, there are four types of customers: low-risk (clear and traceable identities with income sources and transactions matching their profile), medium-risk (typically considered to have a higher-than-average risk), high-risk customers (for example, those who do not have a clear funding source or are high net-worth individuals) and individuals who are banned due to financial crime. 

7. Record-Keeping

To comply with AML rules, companies must maintain detailed records of their risk assessments, customer due diligence practices, and monitoring activities. Beyond regulatory compliance, documentation is essential to demonstrate the company’s efforts to actually mitigate AML risks. This also includes continuously reviewing record-keeping and reporting practices and reporting suspicious activity when needed. 

Types of Records that Should Be Kept

To keep up with regulatory requirements, regulated entities must collect and keep these records:

  • Transaction details.
  • Client identification and verification documents.
  • Customer due diligence data that was collected during onboarding.
  • Documentation and the reasons for clients who weren’t onboarded.
  • Information on the client’s source of funds and source of wealth.
  • Records from enhanced due diligence and ongoing monitoring.
  • Records of internal and external escalations and related decisions.

Companies should keep various records based on regulatory requirements and operating jurisdiction. So, the main goal is to maintain a comprehensive audit trail that has all client KYC data, including AML screening results, while maintaining ongoing compliance in case the customer risk profile changes. 

8. Ongoing Monitoring

Ongoing monitoring helps assess if high-risk customers require extra due diligence. The process itself involves keeping business relationship knowledge current and scrutinizing transactions for consistency with expected behavior and purpose. Consequently, this procedure ensures that all operations align with the initial risk profile set during onboarding.

The collected information is also used to assess the risk level associated with each customer. Ongoing monitoring focuses on systematically reviewing existing records, especially for higher-risk customers. This is a complex task, often resulting in AML compliance breaches if not done right. 

Signs of an ineffective ongoing monitoring process include:

  • Neglect of red flags from suspicious activity monitoring. 
  • Inadequate response to law enforcement inquiries. 
  • Failure to update customer information and adjust risk profiles. 
  • Limited transaction monitoring diversity and screening pattern adjustments.

10 Steps to Conduct Customer Risk Assessment with iDenfy’s Automated Solution

Traditional manual risk calculations using spreadsheets are time-consuming, costly, and prone to errors. However, in the past, this is how decisions were made. Now, instead of relying on fraud and compliance managers’ subjective risk evaluations, companies can support them by switching to an automated customer risk assessment solution.

These tools generate sophisticated risk scores based on different rules, including pre-established or custom-made rules. To set up iDenfy’s risk assessment tool, begin by defining client risk categories like geography, customer type, products/services, and delivery channels. Then, establish and assign risk rules for each category. Ensure each category’s weight adds up to 100%. 

This setup allows the tool to accurately calculate client risk and takes about 10 simple steps on the dashboard: 
  1. Enter the risk assessment profile name and description
  2. Create risk channels based on their categories
  3. Choose from four categories: geographical, product, customer, and delivery 
  4. Create custom rules or choose options from the template library
  5. Configure risk levels and select their values based on different countries 
  6. Add descriptions that illustrate the selected risk levels
  7. Select the default risk level for the remaining unselected countries
  8. Add additional custom rules 
  9. Include the weight level percentage of each rule 
  10. Save the risk profile and receive the calculated risk score

Our integrated risk assessment solution delivers precise risk calculations within seconds without disrupting customer onboarding. The risk score is determined through a weighted system. Each category has multiple rules, and the system combines the maximum score from each rule to calculate the risk score, ranging from “Very Low” (1) to “Very High” (5). 
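
The weighted scheme described above can be sketched as follows. This is an added example, not iDenfy's code: it assumes the highest-scoring rule decides each category's level and that the category levels are combined by their percentage weights and rounded to 1–5. The rule names, sample weights, intermediate labels, and the placeholder country codes "XA"/"XB" are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Labels for 2-4 are assumed; the page names only "Very Low" (1) and "Very High" (5).
LABELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    level: Callable[[dict], int]   # maps a customer record to a level 1..5

def country_rule(levels: dict, default: int) -> Callable[[dict], int]:
    """Per-country levels, with a default level for every unlisted country."""
    return lambda c: levels.get(c.get("country"), default)

def check_config(weights: dict, rules: list) -> list:
    """Return configuration problems; an empty list means the profile is usable."""
    problems = []
    if sum(weights.values()) != 100:
        problems.append(f"category weights sum to {sum(weights.values())}%, not 100%")
    used = {r.category for r in rules}
    problems += [f"category '{c}' has no rules" for c in weights if c not in used]
    problems += [f"rule '{r.name}' uses unweighted category '{r.category}'"
                 for r in rules if r.category not in weights]
    return problems

def assess(customer: dict, weights: dict, rules: list) -> dict:
    problems = check_config(weights, rules)
    if problems:
        raise ValueError("; ".join(problems))
    per_category = {}
    for r in rules:
        lvl = r.level(customer)
        if lvl not in LABELS:
            raise ValueError(f"rule '{r.name}' returned {lvl!r}, expected 1..5")
        # Assumed reading of the page: the highest-scoring rule decides its category.
        per_category[r.category] = max(per_category.get(r.category, 1), lvl)
    total = sum(weights[c] * per_category[c] for c in weights)   # 100..500
    level = (total + 50) // 100                                  # round half up to 1..5
    return {"per_category": per_category, "weighted": total / 100,
            "level": level, "label": LABELS[level]}

# Constructed sample profile; "XA"/"XB" are placeholder country codes.
WEIGHTS = {"geography": 40, "customer": 30, "product": 20, "delivery": 10}
RULES = [
    Rule("country", "geography", country_rule({"XA": 5, "XB": 1}, default=3)),
    Rule("pep", "customer", lambda c: 5 if c.get("pep") else 1),
    Rule("new_entity", "customer",
         lambda c: 4 if c.get("business") and c.get("age_years", 99) < 1 else 1),
    Rule("product", "product",
         lambda c: 4 if c.get("product") in {"cash_deposit", "international_transfer"} else 2),
    Rule("channel", "delivery", lambda c: 3 if c.get("channel") == "remote" else 1),
]

if __name__ == "__main__":
    for cust in ({"country": "XA", "product": "current_account", "channel": "remote"},
                 {"country": "ZZ", "pep": True, "product": "international_transfer",
                  "channel": "branch"}):
        print(cust, "->", assess(cust, WEIGHTS, RULES))
```

Returning the per-category levels alongside the final score keeps the result explainable, which matters for the audit trail described under record-keeping.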

Frequently asked questions

Who Needs to Assess Customer Risks?

Obliged entities perform customer risk assessments as part of their AML compliance efforts. In general, banks and other financial companies, fintechs, asset management services, real estate agencies, crypto exchanges, and iGaming platforms all apply a risk-based approach and use strict risk assessment measures.

How Long Does it Take to Assess a Customer?
