Customer Risk Assessment

The customer risk assessment is a form that is part of the relationship review checklist. It answers questions templated by the organisation's customer risk assessment policies to obtain a risk classification for the customer relationship.

"A documented customer risk assessment is required for every customer, regardless of when the business relationship was established. Similarly, the regular reviews of CRA required by the Code also need to be recorded.

The purpose of conducting a risk assessment for each of a relevant person’s customers is to assist relevant persons to understand how a particular customer exposes them to ML/FT risk and enable them to apply their procedures appropriately to that customer in order to effectively mitigate the ML/FT risk that customer poses. Relevant persons should seek to obtain a holistic view of the business relationship/occasional transaction. This will require gathering enough information, including enhanced CDD where appropriate, to be satisfied that they have identified all relevant risk factors (including those listed in the Code) for assessment and mitigation. It is prudent for relevant persons to start from a position of higher risk and mitigate risk factors accordingly as the CRA is undertaken."

The Handbook 2023 Section 2.2.9


Anatomy

When a customer risk assessment is started, the most appropriate customer risk assessment policy for the context of the relationship is chosen. This determines which questions the risk assessment will ask. Some organisations have only one policy, while others have several for use in different contexts.

Once the customer risk assessment policy is chosen, it is used as a template for the risk assessment questions, which team members can then fill out.

The customer risk assessment presents a list of questions, each with a list of possible answers and the corresponding risk level for each answer. There is also a free-text justification for each question and the decision made. At the end of the risk assessment there is an opportunity to leave additional comments and a risk classification to summarise the customer risk assessment.


Relevant Legislation/Guidance

The Code 2019 - 6 Customer risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s customer.

(2) A customer risk assessment must be —

(a) undertaken prior to the establishment of a business relationship or the carrying out of an occasional transaction with or for that customer;

(b) recorded in order to be able to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The customer risk assessment must have regard to all relevant risk factors, including —

(a) the business risk assessment carried out under paragraph 5;

(b) the nature, scale, complexity and location of the customer’s activities;

(c) the manner in which the products and services are provided to the customer;

(d) the risk factors included in paragraph 15(5) and (7);

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) any risk assessment carried out under paragraph 9(4); and

(g) whether the relevant person and the customer have met during the business relationship, or its formation, or in the course of an occasional transaction.

Also refer to The Handbook 2023 section 2.2.9
