Know Your Customer (KYC) is part of a bigger Anti-Money Laundering (AML) framework that consists of multiple processes, such as customer due diligence (CDD) measures and customer or company-wide risk assessments. This is part of the risk-based approach (RBA) to AML compliance, a mandatory process designed to assess different types of risks, such as internal AML risks linked to the company and user-centered risk factors when onboarding new customers. Accepting even one suspicious customer without additional checks or letting a flagged transaction slide means that you’re putting everything on the table and playing with fire in terms of your company’s reputation and customer trust.
There are many nuances since the same level of due diligence can’t be applied to all customers. Low-risk ones will go through a less cumbersome onboarding process, while high-risk customers will always need to go through a more intensive flow and additional checks. That means you have to customize your AML processes according to the risk level. However, the most important part is that the risk-based approach requires continuous risk assessment and ongoing monitoring. Risk levels change over time, and even the most unsuspicious customers can develop fraudulent tendencies.
So, in this blog post, we’ll review the KYC risk assessment process, breaking it down into the key steps and the ways automating it might benefit you.
How Does the KYC Risk Assessment Process Work?
KYC risk assessment is a compliance procedure and a fraud prevention measure used by regulated entities, such as banks and other financial institutions, designed to evaluate money laundering risks linked to each customer. It involves assigning risk scores — low, medium, or high — based on the customer’s potential risk level.
In general, it involves three key steps:
1. Data Collection
Often, the process starts by collecting the customer’s identity data, such as their name, date of birth, and address. This can be done using different KYC verification methods but often involves asking the customer to upload their government-issued ID document (passport, driver’s license, or ID card). Sometimes, this method is combined with biometric authentication or selfie verification, where the customer needs to follow instructions and have their face scanned by the software so that it can match their facial biometrics with the photo on their provided ID document.
2. Analysis
Then, the company needs to assess other important data points, such as the customer’s business activities, account type, and transaction history. This procedure is often referred to as the bank verification process. It confirms whether a user’s bank account is valid and truly belongs to the rightful owner. It also ensures the account is active, matches the user claiming ownership, and helps businesses comply with KYC requirements.
3. Verification
Based on the analysis, customers are given a risk score, also known as a risk rating, from low to high. It serves as a tool to know how to react and what the next steps for the customer will be. At this point, multiple documents, transaction logs, and other checks, such as sanctions screening, need to be completed. That’s why companies use automated KYC risk assessment tools that help their internal compliance teams save time and be more accurate.
For example, AI-powered software analyzes a customer’s past business relationships, transaction patterns, location inconsistencies, and other factors more efficiently, detecting red flags in real-time. It also checks if the documents provided during onboarding match the customer’s initial data, identifying any behavior that might indicate suspicious activity. The goal here is to automatically assign a risk score to the customer and categorize them. This means that low-risk customers are seen as less likely to engage in money laundering, while high-risk customers are considered more likely to be linked to fraud.
How is the Risk-Based Approach Related to KYC Risk Assessment?
KYC risk assessment is part of the risk-based approach, which means identifying, assessing, and managing money laundering risks using appropriate KYC and AML measures. The customer risk assessment or risk rating system is mandatory for financial institutions, both to meet compliance requirements and to identify potential risks. This matters most when differentiating high-risk customers from low-risk ones, because high-risk customers need the most attention in terms of applying due diligence processes.
The main goals of KYC risk assessment are to:
- Gather information about the customer during and after onboarding to determine if they pose any money laundering risks throughout the business relationship.
- Identify red flags and key risks, such as if the customer is sanctioned, a Politically Exposed Person (PEP), or listed on any watchlist.
In general, the risk-based approach ensures resources are focused on higher-risk customers and their transactions, improving the company’s internal AML strategy. In this context, KYC risk assessment as a process helps detect high-risk customers, products, channels, and jurisdictions, enabling financial institutions to customize their KYC/AML controls and take steps to prevent money laundering, terrorist financing, and other fraud.
Customer Risk Level Segmentation
You should evaluate and categorize the risk level associated with the customer and the business relationship, ultimately answering the question of whether it’s safe to partner with them and allow them into your network. Risk profiles change, and this information must be securely stored in a digital system for easy access during regulatory audits.
These are the risk level categories that are used during the KYC risk assessment process:
- Low-risk customers. Individuals with a clear track record: no adverse media hits, clear and transparent financial history, all transactions match their profile, they can prove their income, etc.
- Medium-risk customers. These individuals have a moderate risk profile due to indirect factors like a certain region or industry where there’s a higher chance of money laundering activities.
- High-risk customers. Individuals with a possibility of being tied to potentially fraudulent acts, such as unclear funding sources or links to diplomatic/political connections. For example, if they’re a relative of a PEP, they’ll need to undergo enhanced due diligence (EDD).
- Blocklisted or prohibited customers. Individuals who can’t be onboarded to any platform due to their history of fraud, money laundering, or any type of financial crime. Onboarding such a customer is against regulatory compliance requirements.
Low-risk customers undergo simplified due diligence (SDD) measures, medium-risk customers undergo standard due diligence, and high-risk individuals and entities must go through EDD processes.
Who are High-Risk Customers?
High-risk customers are those who have higher chances of being involved in criminal activity, such as money laundering or terrorism financing. KYC risk assessment is used to detect and verify such people. It often relies on a weight-based system that assigns risk scores or weights and categorizes customers from low to high risk.
Some examples of customers who are considered high-risk because they pose higher money laundering risks include:
- Customers who are PEPs.
- Close relatives and associates of PEPs.
- Entities whose ultimate beneficial owner (UBO) is a PEP.
- Customers who have suspiciously complex or opaque beneficial ownership structures.
- Foreign, non-resident customers doing business in another country.
- Customers from higher-risk countries where there’s a high money laundering rate.
- Customers from high-risk business sectors.
- Customer accounts of cash-intensive businesses, such as real estate developers or luxury item dealers.
- Customers with poor reputations, especially if it’s already public.
- Customers who are found to have unusual account activity.
- Customers who lack a proper and lawful economic purpose to open an account.
Customers who are identified as higher risk during KYC risk assessment should undergo stricter compliance procedures or EDD. These measures are customized by each company individually based on their internal risks. For example, financial institutions or cryptocurrency platforms handle large transaction volumes. Additionally, crypto is considered to be a riskier industry due to the nature of crypto transactions and anonymity.
So, it’s natural that companies in this sector are required to implement robust risk mitigation measures. These strategies must include identifying high-risk customers, screening and monitoring their activities, and preparing for suspicious activity reporting when necessary.
How to Start the KYC Risk Assessment Process?
One of the most important things when starting risk assessment and management processes is to know what kind of documentation each customer, whether low or high-risk, would need to provide for identity proofing. This is needed to verify their identity and assess their risk profile. Afterwards, you need to differentiate individuals and entities since both carry different risk factors.
Legal entities, or simply companies, undergo the KYB risk assessment process (but sometimes KYC/KYB terms in the context of assessing risks are used interchangeably). For example, certain entity categories, such as non-profit organizations and charities, are considered high-risk because they can be used as a money laundering channel to hide illicit funds. The same goes for currency exchange service providers or more obvious ones like arms dealers and gambling establishments (with fraudulent techniques like smurfing or multi-accounting).
After identifying the type of client you’re dealing with and the needed documentation for verification, you’ll need to dig deeper into the customer’s financial background. For example, an individual client who doesn’t have a job but often makes large deposits is a red flag, indicating a potential risk. Identifying unusual financial activities and suspicious behavior becomes easier once the key risk factors are determined during the risk assessment.
KYC Risk Assessment Factors
Risk rating, or KYC risk assessment, is based on several key factors that work as guidelines for identifying potential risks, determining the customer’s risk level, and then the type of due diligence they’ll need. Most regulated entities use a similar risk management program in order to stay compliant, use accurate data, and maintain up-to-date risk profiles.
These main risk factors are designed to assess the customer’s risk level:
Industry and Product
Customers who might want to hide their activity and lay low choose to start business relationships in industries that generate large amounts of cash, such as gambling, because this way it’s harder to trace transactions. In other words, such sectors are more attractive to criminals. However, the KYC risk assessment model should be tailored to each type of financial player; insurance, for example, has a different model.
However, in the same sense, traditional financial products and services are also commonly exploited and should be viewed as higher risk. You should ask yourself questions like what products or services the customer uses, and why they might use high-risk services like cash withdrawals. That said, industry and product risk factors alone don’t define a customer’s overall risk level. All relevant factors must be considered to determine a more accurate and comprehensive KYC risk score.
Geographic Location
Customers who operate in high-risk areas, typically known for money laundering or terrorist financing, are also considered higher risk. This also includes jurisdictions with poor AML rules. In general, by identifying countries with high money laundering or terrorist financing risks, you can better assess a customer’s relationship with foreign counterparties and assess their risk level based on their transactions. That’s because their transactional activity is linked to money laundering risks in terms of country-level risk and foreign geographic locations.
Transaction Patterns
Unusual account activities can signal fraud, which is why users’ transactions should be screened before their onboarding and afterwards as a precaution to identify new risks. Often, financial institutions define their own risk criteria that represent their internal AML risk assessment and different risk patterns or money laundering typologies. These can include high transaction volumes, atypical cross-border transactions, frequent transfers, etc. By filtering out suspicious scenarios, you can prioritize risky customers and allocate your resources accordingly.
Transaction pattern risks generally mean that you need to identify specific risks related to each customer’s transaction. Examples include fraud risks, credit risks, operational risks, and industry risks, or factors that were mentioned earlier. For this to be accurate and up-to-date, you need to collect relevant information, such as historical transaction data and the user’s KYC onboarding or personal information, that helps maintain accurate risk profiles.
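The weight-based scoring and tier mapping described above, as an added example (not iDenfy’s code or API). The rule names, weights, cut-offs, country codes, and sample profiles are assumptions constructed for illustration.

```python
# Constructed rules, weights and cut-offs; a real programme derives its own.
HIGH_RISK_COUNTRIES = {"XX", "YY"}            # placeholder country codes
HIGH_RISK_SECTORS = {"gambling", "currency exchange"}
MEDIUM_AT, HIGH_AT = 30, 60                   # assumed cut-offs, 0-100 scale
DUE_DILIGENCE = {"low": "SDD", "medium": "standard", "high": "EDD", "prohibited": "reject"}

def is_pep_linked(c):
    return bool(c.get("pep") or c.get("pep_relative"))

def transaction_score(c):
    # Deposits well above declared income count as unusual account activity.
    ratio = c.get("monthly_deposits", 0) / max(c.get("declared_income", 0), 1)
    return 0.0 if ratio <= 1 else min(100.0, 50 * (ratio - 1))

# Each rule maps a customer profile to 0 (no concern) .. 100 (maximum concern).
RULES = {
    "pep": lambda c: 100.0 if is_pep_linked(c) else 0.0,
    "geography": lambda c: 100.0 if c.get("country") in HIGH_RISK_COUNTRIES else 0.0,
    "sector": lambda c: 100.0 if c.get("sector") in HIGH_RISK_SECTORS else 0.0,
    "transactions": transaction_score,
}

def assess(customer, weights):
    # A sanctions or blocklist hit is a hard stop, never a weighted factor.
    if customer.get("sanctioned") or customer.get("blocklisted"):
        return 100.0, "prohibited", DUE_DILIGENCE["prohibited"]
    total = sum(weights.values())
    if total <= 0 or set(weights) - set(RULES):
        raise ValueError("weights must be positive and name known rules")
    # Normalise weights to 100%, so a single rule carries the whole score.
    score = sum(RULES[n](customer) * w / total for n, w in weights.items())
    tier = "high" if score >= HIGH_AT else "medium" if score >= MEDIUM_AT else "low"
    # A PEP link requires EDD even when other factors dilute the blended score.
    if is_pep_linked(customer):
        tier = "high"
    return round(score, 1), tier, DUE_DILIGENCE[tier]

WEIGHTS = {"pep": 40, "geography": 20, "sector": 20, "transactions": 20}
SAMPLES = {  # constructed profiles
    "salaried": {"country": "AA", "sector": "retail",
                 "monthly_deposits": 3000, "declared_income": 3200},
    "pep_relative": {"pep_relative": True, "country": "AA", "sector": "retail"},
    "jobless_depositor": {"country": "XX", "sector": "gambling",
                          "monthly_deposits": 20000, "declared_income": 0},
    "sanctioned": {"sanctioned": True},
}

if __name__ == "__main__":
    for name, profile in SAMPLES.items():
        print(name, assess(profile, WEIGHTS))
```

The PEP relative scores only 40 on the blended scale yet is still routed to EDD, which is the case a pure weighted average gets wrong.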
Do You Need to Automate Your KYC Risk Assessment?
Regulated entities need to keep up with strict AML/CTF compliance regulations, and the KYC risk assessment process is one of the requirements. More importantly, using automated RegTech solutions is also mandatory in some jurisdictions; for example, this rule is mentioned in the EU’s Sixth Anti-Money Laundering Directive (6AMLD).
With automated KYC risk assessment software like iDenfy’s, you can create different flows — all tailored to your use case — for example:
- Determine the risk score values and create your own risk categories.
- Choose from a rich library of custom rules or add new ones.
- Set restrictions and limit the countries you wish to work with based on your business needs and best practices.
- Categorize the KYC risk assessment results (from very low to very high) and adjust risk levels if needed.
- And more, which we’ll show in more detail below.
Advanced software makes risk management faster and more accurate, which is key to success and maintaining high regulatory compliance standards. By customizing the process, you can quickly spot high-risk customers and ask them for extra verification while keeping things smooth and easy for low-risk customers, helping you maintain strong conversion rates.
Getting Started with iDenfy’s KYC Risk Assessment
Here’s how to enable the risk assessment process on our dashboard:
Step 1: Select the profile type
When choosing the risk assessment type on our dashboard, you have two options: KYC or KYB. KYC lets you add extra steps to verify the identity of individual customers.
Step 2: Configure risk levels
Assign different risk levels to different geographical locations based on their risk. Countries with higher rates of money laundering should automatically be considered as high-risk, which will prevent you from working with risky individuals.
Step 3: Adjust risk score values
Assign different risk scores. For example, if you create just one rule, it will automatically receive 100% of the weight. This flexibility lets you adjust how each rule affects the overall KYC risk assessment, helping you tailor your risk management approach.
Step 4: Turn on the risk assessment feature
When you’re ready to verify the customer’s identity, you can easily include KYC risk assessment as an extra feature to your ID verification process. To do that, initiate the ID verification, find the risk assessment section, and then click the toggle button to turn it on.
Step 5: Select your preferred template
After that, you are able to select the risk assessment templates you created. If you don’t have them created yet, you can follow our guide on how to complete this process.
Step 6: Generate a one-time session token
For the final step of creating the identity verification from our dashboard, double-check that all the information is selected correctly. Once this is done, click “Create” to generate a one-time session token. The token then needs to be copied and sent to the customer who’s going to go through the ID verification flow.
Still find this a bit confusing? No worries. Our team is ready to provide you with a personal hands-on experience and show you how our KYC risk assessment software works — including any other features that you’re interested in.