What Is a Risk Rating in KYC?

A customer risk rating is a classification assigned to each customer by an accountable institution to reflect the level of money laundering and terrorist financing risk that the customer presents. The risk rating drives the level of due diligence applied: low-risk customers receive simplified due diligence, standard-risk customers receive standard CDD, and high-risk customers receive Enhanced Due Diligence (EDD). Risk ratings are the practical output of the risk-based approach required by FICA.

What Factors Determine a Customer's Risk Rating?

Risk ratings are determined by assessing multiple risk factors. The specific factors and their weightings must be documented in the institution's Risk Management and Compliance Programme (RMCP). Common risk factors include:

  • Customer type. Is the customer an individual, a company, a trust, or a non-profit? Complex structures (trusts, shell companies) are higher risk.
  • PEP status. Is the customer a Politically Exposed Person? PEPs are always high risk.
  • Geographic risk. Is the customer from or transacting with a high-risk jurisdiction? Customers from FATF grey-listed or black-listed countries are higher risk.
  • Business activity. What industry does the customer operate in? Cash-intensive businesses, gambling, arms dealing, and precious metals are higher risk.
  • Transaction patterns. What is the expected volume and nature of transactions? Unusual or complex transaction patterns increase risk.
  • Source of funds. Can the customer explain the source of their funds? Customers who cannot explain their source of funds are higher risk.
  • Delivery channel. Is the relationship established face-to-face or remotely? Remote onboarding is generally higher risk.

Risk Rating Tiers and Their Implications

Most accountable institutions use a three-tier risk rating system:

  • Low risk. Simplified Due Diligence (SDD) applies. Reduced verification requirements and less frequent monitoring. Typical examples: listed companies, government entities, regulated financial institutions.
  • Standard/Medium risk. Standard Customer Due Diligence (CDD) applies. This is the default for most customers.
  • High risk. Enhanced Due Diligence (EDD) applies. Additional verification, source-of-funds investigation, senior management approval, and more frequent monitoring. Typical examples: PEPs, customers from high-risk jurisdictions, complex ownership structures.

Ongoing Risk Rating Review

A customer's risk rating is not static. It must be reviewed periodically and updated when material changes occur — for example, when a customer is identified as a PEP, when their transaction patterns change significantly, or when new information comes to light that affects their risk profile. The frequency of review must be specified in the RMCP and must be proportionate to the customer's risk rating.

Frequently Asked Questions

Must every customer be assigned a risk rating?
Yes. The risk-based approach requires accountable institutions to assess the risk of every customer and to apply due diligence proportionate to that risk. A risk rating is the formal expression of that assessment.

Can a customer challenge their risk rating?
Customers do not have a legal right to challenge their risk rating. However, if a customer provides additional information that reduces their risk profile, the institution should update the rating accordingly.

What is a risk scoring model?
A risk scoring model is a systematic approach to assigning risk ratings by scoring customers on multiple risk factors and calculating a composite score. The score determines the risk tier. Risk scoring models must be documented in the RMCP and must be reviewed regularly.

Does a low risk rating mean no KYC is required?
No. Even low-risk customers require some level of KYC. Simplified Due Diligence (SDD) still requires identity verification — it simply allows for reduced requirements compared to standard CDD.

What triggers a risk rating upgrade?
Common triggers for a risk rating upgrade include: identification as a PEP, unusual transaction patterns, adverse media coverage, a change in business activity to a higher-risk sector, or a connection to a high-risk jurisdiction.
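As an added illustration of the risk scoring model and upgrade triggers described above (example code, not from this page or any institution's RMCP), the following scores a customer on the factors listed earlier, maps the composite score to a tier, and re-rates the customer when a material change occurs. The factor weights, per-factor scores and tier thresholds are assumed placeholder values; a real model would use the weightings documented in the RMCP.

```python
from dataclasses import dataclass, replace

# Assumed factor weights (relative importance); an institution's RMCP defines its own.
WEIGHTS = {
    "customer_type": 2, "geography": 3, "business_activity": 2,
    "transaction_pattern": 2, "source_of_funds": 3, "delivery_channel": 1,
}

# Assumed per-factor scores, 0 (low) to 3 (high), following the factor list on this page.
FACTOR_SCORES = {
    "customer_type": {"individual": 1, "listed_company": 0, "trust": 3, "shell_company": 3},
    "geography": {"domestic": 0, "fatf_grey_list": 2, "fatf_black_list": 3},
    "business_activity": {"retail": 1, "cash_intensive": 2, "gambling": 3},
    "transaction_pattern": {"expected": 0, "unusual": 3},
    "source_of_funds": {"explained": 0, "unexplained": 3},
    "delivery_channel": {"face_to_face": 0, "remote": 2},
}

# Assumed tier thresholds on the composite score (the maximum possible score is 39).
LOW_MAX, STANDARD_MAX = 5, 15

@dataclass(frozen=True)
class Customer:
    name: str
    factors: dict  # factor name -> category key in FACTOR_SCORES
    is_pep: bool = False
    adverse_media: bool = False

def composite_score(c: Customer) -> int:
    """Weighted sum of factor scores. A missing or unknown category scores 3,
    so incomplete information raises the rating instead of lowering it."""
    return sum(w * FACTOR_SCORES[f].get(c.factors.get(f), 3) for f, w in WEIGHTS.items())

def risk_tier(c: Customer) -> str:
    """Map the score to a tier; PEP status and adverse media override the score."""
    if c.is_pep or c.adverse_media:
        return "high"
    score = composite_score(c)
    return "low" if score <= LOW_MAX else "standard" if score <= STANDARD_MAX else "high"

def rerate(c: Customer, **changes) -> tuple:
    """Re-rate after a material change (new factor values, PEP identification,
    adverse media). Returns (old_tier, new_tier, upgraded) for the review log."""
    new_factors = {**c.factors, **changes.pop("factors", {})}
    updated = replace(c, factors=new_factors, **changes)
    old, new = risk_tier(c), risk_tier(updated)
    order = {"low": 0, "standard": 1, "high": 2}
    return old, new, order[new] > order[old]
```

The override in `risk_tier` matters more than the arithmetic: a PEP or adverse-media hit must land in the high tier regardless of how benign the other factors look.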

Your Next Step

Know your obligations. Act before the FIC does.

South Africa's FATF grey-list status means the FIC is actively inspecting accountable institutions. Use the KYC checklist to confirm your compliance posture before your next inspection.

Read the full KYC checklist for your sector