If you are a Compliance professional and/or are working in the area of AML/CFT, surely you have heard the term “Customer Risk Rating”. Although less understood and discussed than topics like KYC, CDD/EDD, Sanctions, etc., the customer risk rating process is a critical piece of a financial institution’s AML/CFT framework.
The customer risk rating process is also critical since the scrutiny applied by regulators in recent years has certainly increased since the grey listing of the UAE by FATF. On top of that, the Central Bank of the UAE (CBUAE) has announced in March 2023 the mandatory annual “Skilled Persons Review” (by a third party) for all entities regulated by CBUAE. This means, the AML/CFT framework of all entities will be reviewed and tested according to a predefined scope of work. Of course, this includes the customer risk rating methodology.
In this article we cover the legislative background in the UAE, the reasons and impact of conducting customer risk ratings and we will give a practical example of how a risk rating methodology could look like and what has to be considered during the implementation of the rating methodology.
Legislative Background
The AML/CFT Law and the AML/CFT Cabinet Decision do not explicitly state that each customer has to be risk-rated. But the necessity is implied by stating that financial institutions are obliged to “take the necessary due diligence measures and procedures and define their scope, taking into account the various risk factors ….”. Further, financial institutions have to carry out enhanced due diligence (EDD) measures to manage identified high risks and simplified due diligence (SDD) to manage identified low risks. With that, the regulator mandates a risk-based approach: Managing risks according to the risks inherent in each customer. Therefore, a financial institution has do develop a methodology that identifies the risk of each customer. The above applies to all entities in the UAE, irrespective if they are regulated by CBUAE, DFSA, FSRA or the Ministry of Economy.
Regulators have subsequently issued further guidance on how the customer risk rating should be carried out. The main point of reference for financial institutions is the Guidelines on AML/CFT that have been prepared as a joint effort between the Supervisory Authorities of the UAE and set out the minimum expectations. A very similar guidance document exists for DNFBPs. Point 6.1 in the Guidelines contains details relating to the customer risk rating methodology.
Why is Customer Risk Rating so important?
This is a very essential question and can only be answered by understanding the whole customer lifecycle within the financial institution. The risk rating of a customer has impact on various aspects of the customer due diligence and on-going monitoring of the relationship.
- During onboarding, the financial institution has to decide if it conducts simplified, standard or enhanced due diligence on a customer. This will be mainly determined by the risk rating.
- Customers with a higher inherent risk usually require a more rigid approval process.
- During the customer relationship, the financial institution has to decide if the customer information and documents are reviewed more or less frequent, depending on the risk of the customer. A high-risk customer should be reviewed annually, while a low risk customer is only reviewed every 5 or 7 years.
- The transaction monitoring system that monitors customer transactions during the customer relationship has thresholds (for which a red flag is triggered) that could be higher or lower depending on the risk rating of a customer.
What are the advantages of risk rating customers?
Risk rating customers is not only a regulatory requirement, but it can contribute to the efficiency of a financial institution’s operations and even the level of customer satisfaction.
Let’s say there is a customer that is a resident, Indian national, salary of 15,000/month, current account only, mainly UAE transactions (salary and cost of living). If that customer is risk rated as ‘high’ risk during onboarding, the account opening will require more documentation from the customer and will take longer because of added approval levels. During the relationship, the customer will be more likely to receive requests to provide further documents to substantiate his transactions and his KYC will be updated more frequently.
As a result, not only will the customer get dissatisfied with the banking experience, but the financial institution is spending resources on a customer that is actually not high risk. Since resources are limited, the time and effort spent on this customer are not available for the review and monitoring of customers that are actually high risk.
Therefore, it is of paramount importance to develop a risk rating methodology that captures the risk profile of each customer as accurate as possible since this will contribute to the overall efficiency of compliance efforts.
Where to start?
We want to make it clear that the sophistication of the risk rating methodology depends on each financial institution and there is no general ‘one size fits all’ approach. Even if a rating methodology is purchased from an external provider, the methodology has to be tuned to the specific customer base and the respective customer risks.
Although many financial institutions elect to purchase a solution from a third party, it is possible to develop a risk rating methodology in house. An in-house solution is not only more cost-effective but will also be more ‘spot-on’ since the financial institution understands the risks associated with their customers better than a third party.
Following FATF’s 40 recommendations, the four factors that should be considered in a risk rating methodology are: type of customer, location, channel and product. Also, each customer’s risk profile is dynamic and subject to change over a period of time and therefore the risk rating can not be static but has to be refreshed periodically e.g., every month.
The assessment processes and the rationale for the methodology used should be well-documented and approved by senior management and communicated at the appropriate levels of the organisation. The methodology should be reviewed from time to time to ensure it is adequate and up to date. Management override of a system generated risk rating should only be possible in one direction e.g., from ‘low’ to ‘high’ but never from ‘high’ to ‘low’.
A practical example
A methodology can be developed using a point or weightage system, where multiple factors are considered. Above a certain threshold, the customer is not risk rated as ‘low’ but either ‘medium’ and ‘high’ risk. It is also useful to define a threshold that leads to a risk rating of ‘extreme’ – this means that the customer is prohibited or outside the risk appetite of the financial institution e.g. shell banks, casinos.
Sometimes it useful to define factors that lead to a default ‘high’ risk rating e.g. Politically Exposed Persons, High Net Worth Individuals, Cash Intensive Businesses, Money Service Businesses (MSB), Precious Metal Dealers, Virtual Asset Service Providers.
The below lists should give examples of the factors that could be considered for individual and entity customers. To each of the factors a different weightage can be assigned. Within the factors different risk points can be allocated.
#1 INDIVIDUALS
- Nationality
- Domicile (resident vs. non-resident)
- Remittances (high-risk vs. low-risk jurisdictions)
- Expected and actual turnover
- Salaried vs. self-employed (high risk industry?)
- Products used (current vs. savings only account)
- Cash intensity
#2 ENTITIES
- Industry (e.g., precious metals, general trading, real estate, charity)
- Country of Incorporation (resident vs. non-resident, freezones)
- Country of Operation (high risk vs. low risk)
- Remittances (high-risk vs. low-risk jurisdictions)
- Expected and actual turnover
- Products used (Trade Finance?)
- Cash intensity
Implementation considerations
Implementing a risk rating methodology can be a lengthy process since the data needed might not be available for the existing customer base. Transactional data should be available in any case but the nationality, industry, country of operation, salary amount for example might not be available in the operational system of the financial institution.
In a first step, the IT system has to be changed so that this information will be mandatorily requested and inserted during the onboarding stage (digital onboarding processes that might be already implemented might help in this regard). For the existing customers where information is missing, a maximum of risk points can be assigned. This will lead to a higher risk rating and a more frequent KYC renewal which will result in a more accurate risk profile over time. Alternatively, and to speed up the process, all customers where essential information is missing could be assigned to a remediation plan. Under that plan, additional manpower will be utilized to gather all missing information from customers.
A second consideration while implementing a new risk rating is the fine-tuning of the methodology. Many test runs should be performed to ensure that the overall risk categorisation is ‘making sense’. If after a test run, the percentage of high-risk customers is 40%, then the financial institution should either question their risk appetite or the operational ability to manage such a large high-risk customer population. A reasonable ratio of high-risk customer is anywhere between 1 % to 10 %.
Final Thoughts
In summary, customer risk rating is a critical process that helps financial institutions identify risks associated with their customers. By conducting thorough customer risk ratings financial institutions have the opportunity to identify those customers that require closer monitoring and more frequent KYC. Getting this process right, will not only satisfy regulatory expectations but will also enable financial institutions to utilize their resources efficiently and effectively.