Risk Classification Policy

The Risk Classification Policy allows organisations to configure risk classifications by which to categorise the risk profiles of relationships. It also determines what each classification means for your AML/CFT approach to that relationship. It allows organisations to document and enforce:

  • The frequency of review for ongoing relationships depending on their risk classifications.

  • The level of approval required for relationships depending on their risk classifications.

The legislation and the regulator's guidance refer to two risk classifications - “higher risk” and “not higher risk”. They also allow the adoption of additional classifications if the organisation deems it appropriate. Risk classifications in Proofdesk are fully customisable to suit your organisation's requirements, while keeping in line with legislation.

"The Code itself contains two very broad risk classifications particular to CDD procedures and controls. These are “higher risk” (where enhanced CDD requirements apply and specified Code concessions cannot be used) and “not higher risk” (which is everything else, and subject to specified conditions, certain concessions are allowed). The Code does not refer to “low” or “lower” risk. However, the Code does allow relevant persons to adopt more refined risk classifications, provided the requirements for enhanced CDD and the conditions for using Code concessions are adhered to and the relevant person is able to manage and mitigate their ML/FT risks."

The Handbook 2023 Section 2.2.4.2.2


Example of a Risk Classification Policy

Every organisation has one risk classification policy form.

The risk classification policy is presented as a table of risk classifications (see the screenshot above). This structure allows organisations to create as many risk classifications as they like; however, they must maintain at least two at all times, in order to differentiate between "higher risk" and "not higher risk" for the purpose of applying ECDD (as per the regulator's guidance).

Each risk classification has the following properties:

  • Statistical Return Classification: The standardised classification from the Statistical Return Guidance (Lower, Standard, Higher) that this classification will correspond to on the statistical return.

  • Name: A custom name for the risk classification.

  • Colour: Used across Proofdesk to make each risk classification instantly recognisable.

  • Relationship Review Frequency: The frequency with which the relationship should be scheduled for review, having been assigned this risk classification.

  • Initial Countersignatures: The number of team members required to approve after onboarding reviews of relationships with this risk classification.

  • Subsequent Countersignatures: The number of team members required to approve after periodic reviews of relationships with this risk classification.
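The following is an added, illustrative model of the policy described above (it is not Proofdesk's own code or data model). It encodes each classification's properties, derives the next review date and the countersignature threshold from them, and enforces the rule that a policy must always keep at least two classifications spanning both the "higher risk" and "not higher risk" sides. The sample policy values are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class StatReturn(Enum):  # Statistical Return Guidance classifications
    LOWER = "Lower"
    STANDARD = "Standard"
    HIGHER = "Higher"


@dataclass(frozen=True)
class RiskClassification:
    name: str
    stat_return: StatReturn
    colour: str
    review_every_days: int             # relationship review frequency
    initial_countersignatures: int     # approvals after onboarding review
    subsequent_countersignatures: int  # approvals after periodic review

    def next_review(self, last_review: date) -> date:
        return last_review + timedelta(days=self.review_every_days)

    def required_countersignatures(self, review_type: str) -> int:
        if review_type == "onboarding":
            return self.initial_countersignatures
        if review_type == "periodic":
            return self.subsequent_countersignatures
        raise ValueError(f"unknown review type: {review_type}")


@dataclass
class RiskClassificationPolicy:
    classifications: list = field(default_factory=list)

    def validate(self) -> None:
        # At least two classifications, covering both sides of the
        # "higher risk" / "not higher risk" split.
        if len(self.classifications) < 2:
            raise ValueError("policy must keep at least two classifications")
        stat = {c.stat_return for c in self.classifications}
        if StatReturn.HIGHER not in stat or stat == {StatReturn.HIGHER}:
            raise ValueError("need one higher-risk and one not-higher-risk class")

    def try_remove(self, name: str) -> bool:
        remaining = [c for c in self.classifications if c.name != name]
        try:
            RiskClassificationPolicy(remaining).validate()
        except ValueError:
            return False  # refuse: the policy would no longer be valid
        self.classifications = remaining
        return True


# Constructed sample policy (illustrative values, not Proofdesk defaults).
POLICY = RiskClassificationPolicy([
    RiskClassification("Standard", StatReturn.STANDARD, "#2e7d32", 365, 1, 1),
    RiskClassification("High", StatReturn.HIGHER, "#c62828", 180, 2, 2),
])
POLICY.validate()
```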


Relevant Legislation/Guidance

The Code 2019 - 4 Procedures and controls

(1) A relevant person must not enter into or carry on a business relationship, or carry out an occasional transaction, with or for a customer or another person unless the relevant person —

(a) establishes, records, operates and maintains procedures and controls —

(i) in order to comply with each paragraph within Parts 3 to 9;

(ii) in relation to determining whether a customer, any beneficial owner, beneficiary, introducer or eligible introducer is included on the sanctions list; and

(iii) in relation to internal controls and communication matters that are appropriate for the purposes of forestalling and preventing ML/FT;

(b) takes appropriate measures for the purpose of making its employees and workers aware of —

(i) the AML/CFT legislation; and

(ii) the procedures and controls established, recorded, maintained and operated under head (a).

(2) The procedures and controls referred to in sub-paragraph (1) must —

(a) have regard to the materiality and risk of ML/FT including whether a customer, beneficial owner, beneficiary, introducer or eligible introducer poses a higher risk of ML/FT;

(b) enable the relevant person to manage and mitigate the risks of ML/FT that have been identified by the relevant person when carrying out the requirements of this Code; and

(c) be approved by the senior management of the relevant person.

(3) The ultimate responsibility for ensuring compliance with this Code is that of the relevant person, regardless of any outsourcing or reliance on third parties during the process.

Also refer to The Handbook 2023, sections 2.1 through 2.2.
