
Customer Risk Assessment Policies


Last updated 15 days ago

Customer Risk Assessment Policies are templates for your Customer Risk Assessment. They define the questions your team will answer about a relationship during a customer risk assessment, and the implied risk classification associated with each answer.

You can choose to make many different Customer Risk Assessment Policies; for instance, an organisation may choose to have one for each different type of customer. When it comes time to do a Customer Risk Assessment, you can pick which policy is the right one for that particular relationship.



Each policy is presented as a table with a list of questions, which can be added, reordered or deleted. Each question has a list of possible answer options, each with a corresponding risk level. As many or as few questions and options can be added as required. Guidance can also be added to display additional details alongside each question as your team fills out the customer risk assessment.

In Proofdesk, when customer risk assessment policies are reviewed, they can be assigned a "next review date". This keeps your team informed about which procedures are up for review when the time comes.

"Relevant persons must establish, record, operate and maintain procedures and controls for conducting risk assessment reviews so as to ensure their risk assessments remain up to date and relevant in every case.

Risk assessments must be reviewed periodically, but in order to ensure the relevant person can manage and mitigate its ML/FT risks, risk assessments should also be reviewed when circumstances change or relevant new threats or technologies emerge."


Relevant Legislation/Guidance

An organisation can have many customer risk assessment policy forms.

The Handbook 2023, Section 2.2.6

The Code 2019 - 4 Procedures and controls

(1) A relevant person must not enter into or carry on a business relationship, or carry out an occasional transaction, with or for a customer or another person unless the relevant person —

(a) establishes, records, operates and maintains procedures and controls —

(i) in order to comply with each paragraph within Parts 3 to 9;

(ii) in relation to determining whether a customer, any beneficial owner, beneficiary, introducer or eligible introducer is included on the sanctions list; and

(iii) in relation to internal controls and communication matters that are appropriate for the purposes of forestalling and preventing ML/FT;

(b) takes appropriate measures for the purpose of making its employees and workers aware of —

(i) the AML/CFT legislation; and

(ii) the procedures and controls established, recorded, maintained and operated under head (a).

(2) The procedures and controls referred to in sub-paragraph (1) must —

(a) have regard to the materiality and risk of ML/FT including whether a customer, beneficial owner, beneficiary, introducer or eligible introducer poses a higher risk of ML/FT;

(b) enable the relevant person to manage and mitigate the risks of ML/FT that have been identified by the relevant person when carrying out the requirements of this Code; and

(c) be approved by the senior management of the relevant person.

(3) The ultimate responsibility for ensuring compliance with this Code is that of the relevant person, regardless of any outsourcing or reliance on third parties during the process.

The Code 2019 - 6 Customer risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s customer.

(2) A customer risk assessment must be —

(a) undertaken prior to the establishment of a business relationship or the carrying out of an occasional transaction with or for that customer;

(b) recorded in order to be able to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The customer risk assessment must have regard to all relevant risk factors, including —

(a) the business risk assessment carried out under paragraph 5;

(b) the nature, scale, complexity and location of the customer’s activities;

(c) the manner in which the products and services are provided to the customer;

(d) the risk factors included in paragraph 15(5) and (7);

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) any risk assessment carried out under paragraph 9(4); and

(g) whether the relevant person and the customer have met during the business relationship, or its formation, or in the course of an occasional transaction.

Also refer to section 2.1 through 2.2 of The Handbook 2023.

Example of a Customer Risk Assessment Policy