Addressing an Existing Low-Risk Customer's Shift to High-Risk Status
Financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) in the UAE are required to follow a systematic mechanism to conduct a customer risk assessment, determine the money laundering, terrorism financing, and proliferation financing (ML/FT and PF) risk associated with each customer, and deploy adequate measures to manage the identified risks.
Based on the risk assessment, customers are categorised into three risk levels: low-risk, medium-risk, and high-risk. Based on this risk score, proportionate risk mitigation measures are adopted.
In the course of the business relationship, the level of risk the customer poses to the business may change, which requires immediate attention. Thus, the AML laws require the regulated entity not to stop at the initial assessment but also implement ongoing monitoring to observe and track the changes to the customer information and its impact on the risk profile.
When undertaking ongoing monitoring, the regulated entity might encounter a situation where a customer initially designated as low-risk shifts to the high-risk category. Such a shift may occur because the customer engages in certain transactions or because the customer's behaviour has subsequently changed, indicating increased ML/FT risk. Therefore, understanding the factors contributing to this shift and undertaking appropriate measures are crucial to mitigating ML/FT and PF risk and maintaining continuous AML regulatory compliance.
Customer Risk Rating
An essential aspect of risk assessment and adopting the risk-based approach is evaluating the risk the customer poses to the business, assigning the risk score in line with the identified risk and allocating an appropriate risk rating. Such a rating shall help entities determine the level of customer due diligence (CDD) measures to be deployed at the time of onboarding and on an ongoing basis.
Furthermore, risk rating enables regulated entities to make informed decisions about entering into business relationships with customers whose risk is within acceptable parameters.
Risk Rating’s nexus with customer onboarding and post-onboarding measures
The UAE AML laws mandate regulated entities to perform appropriate customer due diligence processes before establishing a business relationship. In this context, based on the outcome of the customer risk profiling and the assigned risk rating, the regulated entities determine the nature and the degree of the CDD measures to be applied.
Here, the regulated entities must apply Enhanced Due Diligence (EDD) measures when the customer is identified as posing higher ML/FT/PF risk, in addition to the standard CDD process. Similarly, for a customer classified as “low-risk”, the regulated entities are permitted to use relaxed CDD measures, i.e., Simplified Customer Due Diligence.
Thus, the customer risk rating shall empower the regulated entities to optimally use the resources and effectively manage the risk, adopting a risk-based approach.
We understand that the customer risk is dynamic and may change over time. Hence, the process of evaluating the customer profile does not end with customer onboarding. Even post-establishing a business relationship with the customers, the regulated entity is obligated to implement measures to monitor customer activities and transactions continuously to ensure that the customer profile developed at the time of onboarding holds good and the transactions executed by the customer do not contradict the original customer risk profile.
The frequency and degree of the ongoing monitoring measures to be applied vary for each customer, depending on the results of the risk assessment and the risk rating given to them. As part of the ongoing monitoring of business relationships, the regulated entities must reassess the level of customer risk and decide whether there is a need to adopt enhanced due diligence measures to manage any changes in the risk level.
Factors Shifting Low-Risk Customers to High-Risk Category
Risk scoring, risk rating, or customer classification varies from entity to entity based on AML policies, procedures, and controls. But primarily, during the initial customer onboarding journey, the customers would be categorised as low-risk, medium-risk, or high-risk (the nomenclature or the methodology used to bifurcate customers into three brackets may differ).
Notwithstanding the initial risk classification, the regulated entity might encounter a few instances during ongoing monitoring that warrant a detailed review of the customer, including reassessing the customer risk profile.
Here is the list of factors that cause the shift in risk rating from low to high:
Being a PEP or association with PEP
A politically exposed person (PEP) is an individual who has been entrusted with a prominent public function and, through their prominent position or influence, is more susceptible to being involved in financial crimes like bribery or corruption.
When first onboarded with a low-risk rating, the customer may subsequently become a PEP or a close associate of a PEP, which increases the potential ML/FT and PF vulnerabilities.
The regulated entity can detect a customer’s transition to PEP through ongoing monitoring of the customer profile, possibly through screening against the PEP database. This continuous screening of the customer scrutinises the data to look for any changes in their status and triggers an alert when any update is observed.
Therefore, when such a shift is detected from non-PEP to PEP, the regulated entity must reassess the customer risk and employ enhanced due diligence measures to manage the increased risk.
Accused of Criminal Charges or Adverse Media Coverage
Any involvement in criminal activities raises questions about the customer’s risk profile and possible involvement in illicit financial activity, necessitating heightened scrutiny.
Similarly, if any adverse media (unfavourable information about individuals, entities, or organisations that could indicate potential involvement in financial crimes, corruption, or other illicit activities) is found, the same indicates reputational risk to the regulated entity and potential involvement of customers in illicit activities.
At the time of onboarding, the customer may not have been involved in any criminal activity. However, after onboarding, the customer may engage in criminal activities and be found guilty. Such criminal acts raise questions about the customer’s ethics and possible criminal associations.
The regulated entity can detect criminal charges associated with the customer by implementing the latest innovations in background screening and continuous ongoing monitoring, which can raise alerts when such charges arise. This allows the regulated entity to monitor the customer profile more effectively, which is key to a safe strategy from onboarding until the business relationship ends.
After a shift is detected, the regulated entity should evaluate the customer’s risk profile, monitor the customer’s activities, and, if necessary, terminate the business relationship if the customer is suspected of attempting money laundering or other financial crimes. Considering the nature of the criminal charges or additional suspicion related to ML/FT and PF, an STR/SAR must be reported on the goAML Portal.
Suspicious and Non-Cooperative Behaviour
Customer monitoring does not stop with the customer’s onboarding but extends to post-onboarding decisions. It aims to monitor customers and their activities to ensure no ML/FT and PF activities are initiated.
When an existing customer designated as a low-risk customer demonstrates behaviour that deviates from the standard patterns, does not cooperate with the monitoring inquiries or is reluctant to provide any additional information, it raises red flags, which the regulated entity should be aware of and attentive to.
The regulated entity can use a transaction-based ongoing monitoring system to detect any change in the customer’s transactional pattern, such as transactions the customer does not usually engage in, or an overall transactional trend that is contrary to the known customer profile.
To effectively counter the change in customer risk rating from the low-risk category to high-risk, the regulated entity must initiate a training program to make the employees aware of the red flags and the measures to identify such suspicion. Such a training program shall be conducted for compliance officers and staff and shall cover the methods to be used for handling such alerts, reviewing them, and taking action accordingly.
Once suspicious behaviour or transactional pattern is observed, the regulated entity must evaluate and understand the reasonableness of such change. Considering the changed circumstances and rationale, the regulated entity must reassess the risk and, if required, apply the EDD measures.
Further, if the changes suggest a potential involvement of the client in ML/FT and PF activities, the regulated entity must terminate the business relationship and file SAR/STR on goAML.
Unreasonable Growth in Net Worth
When a low-risk category customer’s profile suggests swift growth and an unexplained increase in wealth without any plausible explanation, such incidents raise questions about their engagement in criminal activities and potential illicit sources of funds.
The regulated entity can detect such exponential growth using threshold-based monitoring rules that help to identify changes in the customer’s profile, such as increasing involvement in high-value transactions without any economic rationale. Such activity indicates significant growth in wealth; however, an unexplained escalation suggests a linkage with unknown sources of funds and wealth.
The regulated entity should undertake detailed inquiries into this change and apply additional checks and verification measures to understand the legitimacy of the customer’s source of funds and wealth and evaluate its potential connection with ML/FT and PF activities.
Conducts Unusual Transactions
When a customer engages in a transaction that deviates from normal behaviour or industry standards, such incidents warrant investigation to determine and check the transaction’s legitimacy.
When a low-risk customer engages in unusual transactions, whether transactions the customer does not usually undertake or high-value transactions, it increases concerns about their legitimacy and linkage to ML/FT and PF activities.
The regulated entity can install transaction-based and threshold-based monitoring parameters to detect unusual patterns by continuously collecting data, employing detection algorithms, and setting thresholds to identify deviations from standard business practices. Alerts generated based on these monitoring rules must be further investigated to check their authenticity and understand the purpose of such transactions.
The regulated entities must employ EDD measures to understand the source of funds/wealth involved in such unusual transactions and ensure that appropriate risk-mitigating measures are applied.
Shifts in customer’s location from Low-risk to High-risk Jurisdiction
Relocation to or conducting business in high-risk jurisdictions increases exposure to regulatory and financial risks.
a. When a customer moves to a high-risk country
It is one of the red flag indicators for AML/CFT when customers or their representatives are situated in a country prone to high risks. High-risk jurisdictions often lack stringent laws, providing a platform for criminals to engage in illicit activities.
Therefore, when a low-risk customer relocates to a high-risk country, the exposure to ML/FT and PF risk associated with the customer increases.
The regulated entity can detect shifts in customer locations to high-risk jurisdictions by implementing location-based monitoring mechanisms and regularly reviewing customer information and transaction data for any indications of change in location.
The regulated entity, upon obtaining adequate and appropriate consent from the customer under relevant and applicable data privacy laws, may deploy geolocation technologies when undertaking the ongoing monitoring of an existing business relationship with a customer so that it may obtain real-time updates on the customer's whereabouts.
b. When a customer’s country’s status changes to a high-risk jurisdiction
Various factors, such as political instability, global assessment by international overseeing bodies like FATF, economic unrest, and emerging issues, change a country’s status from low risk to high ML/FT risk. Thus, when a country’s status changes from a low-risk jurisdiction to a high-risk jurisdiction, a customer belonging to such a jurisdiction needs more scrutiny and monitoring as they become more vulnerable to ML/FT and PF activities.
When undertaking Know Your Customer (KYC) remediation to validate the customer details, the regulated entity can spot the change in the customer’s jurisdictional risk. Furthermore, the regulated entity must keep tracking independent sources like the FATF site or other local authorities’ websites to stay updated with the countries identified or notified as high-risk jurisdictions.
When the customer’s risk profile changes from low to high on account of a change in jurisdiction, the regulated entity must reassess the customer risk, identify the level of increased exposure and deploy additional CDD measures. When the shift in jurisdiction raises the risk beyond the regulated entity’s risk appetite, the regulated entity must consider terminating the business relationship.
Further, under UAE AML regulations, the regulated entities are also required to file HRC or HRCA (High-Risk Country Transaction or Activity Report) when the remittances are expected from North Korea, Iran and Myanmar. Thus, if the risk shift suggests the involvement of these countries, the regulated entity must comply with the reporting.
Insistence on involving third parties in executing the transaction or for processing the payment
After onboarding, if the customers insist on involving third parties in executing transactions or paying bills, this practice diverges from standard practice and raises suspicion. Third-party involvement by a low-risk customer, without any business logic, amplifies the risk of financial irregularity. It’s important to note that this risk would vary for each business and is crucial in determining risk tolerance.
The regulated entity can detect such factors by implementing a transaction-based monitoring method to track the name of the party to whom the invoice is being issued or the party involved in processing the payment. In such cases, the regulated entity must reassess the ML/FT/PF risk associated with the business relationship and carry out necessary measures to identify the third party, its location, its activities, etc.
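The sections above on suspicious behaviour, unreasonable growth in net worth, unusual transactions and third-party payers all rely on the same mechanism: compare each new transaction and the latest screening results against the customer's known profile, and re-rate the customer when a red flag appears. The following Python script is an added example and not code from the original article or its author; it sketches such a rule set. The jurisdiction codes HR1/HR2, the monitoring thresholds, the sample customer and all function names are constructed assumptions; a real deployment would take its high-risk jurisdiction list from the FATF and local authority publications the article refers to and tune thresholds to its own risk appetite.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed placeholder codes; load the FATF and UAE-notified lists in practice.
HIGH_RISK_JURISDICTIONS = {"HR1", "HR2"}

# Red flags that, on their own, move a customer into the high-risk bracket.
ESCALATING_FLAGS = {
    "pep_status", "adverse_media", "criminal_charges", "high_risk_jurisdiction",
    "unusual_amount", "above_value_threshold", "third_party_payer",
    "high_risk_counterparty_jurisdiction",
}


@dataclass
class Customer:
    customer_id: str
    risk_rating: str                 # "low", "medium" or "high"
    jurisdiction: str                # country code of residence or registration
    own_accounts: set                # bank accounts verified as the customer's own
    is_pep: bool = False             # set by periodic PEP-database screening
    adverse_media: bool = False      # set by adverse-media screening
    criminal_charges: bool = False   # set by background screening
    baseline_amounts: list = field(default_factory=list)  # past transaction amounts


@dataclass
class Transaction:
    txn_id: str
    amount: float
    payer_account: str               # account the funds actually came from
    counterparty_country: str


def profile_red_flags(customer):
    """Status changes found by screening the customer record (PEP, media, charges, country)."""
    flags = []
    if customer.is_pep:
        flags.append("pep_status")
    if customer.adverse_media:
        flags.append("adverse_media")
    if customer.criminal_charges:
        flags.append("criminal_charges")
    if customer.jurisdiction in HIGH_RISK_JURISDICTIONS:
        flags.append("high_risk_jurisdiction")
    return flags


def transaction_red_flags(customer, txn, sigma=3.0, min_history=5, value_threshold=40_000.0):
    """Threshold- and deviation-based checks on one transaction against the customer's baseline."""
    flags = []
    history = customer.baseline_amounts
    if len(history) >= min_history:
        mu, sd = mean(history), pstdev(history)
        # Flat history (sd == 0): anything well above the mean is unusual;
        # otherwise a z-score against the customer's own past amounts.
        if (sd == 0 and txn.amount > 2 * mu) or (sd > 0 and (txn.amount - mu) / sd > sigma):
            flags.append("unusual_amount")
    if txn.amount >= value_threshold:
        flags.append("above_value_threshold")
    if txn.payer_account not in customer.own_accounts:
        flags.append("third_party_payer")
    if txn.counterparty_country in HIGH_RISK_JURISDICTIONS:
        flags.append("high_risk_counterparty_jurisdiction")
    return flags


def reassess(customer, txn):
    """Re-rate the customer for this transaction and list the EDD actions a low-to-high shift triggers."""
    flags = profile_red_flags(customer) + transaction_red_flags(customer, txn)
    new_rating = "high" if any(f in ESCALATING_FLAGS for f in flags) else customer.risk_rating
    actions = []
    if new_rating == "high" and customer.risk_rating != "high":
        actions += ["request_additional_information", "verify_source_of_funds_and_wealth",
                    "obtain_senior_management_approval", "increase_monitoring_frequency"]
    if "third_party_payer" in flags:
        actions.append("reject_payment_not_from_customer_account")
    if "criminal_charges" in flags or "adverse_media" in flags:
        actions.append("investigate_nexus_with_financial_crime")
    return {"customer_id": customer.customer_id, "txn_id": txn.txn_id,
            "previous_rating": customer.risk_rating, "new_rating": new_rating,
            "flags": flags, "actions": actions}


def sample_customer():
    """Constructed low-risk customer with five routine past transactions."""
    return Customer("C-0001", "low", "AE", {"ACC-1"},
                    baseline_amounts=[1000, 1200, 900, 1100, 1000])


if __name__ == "__main__":
    cust = sample_customer()
    for t in (Transaction("T1", 1050, "ACC-1", "AE"),      # routine
              Transaction("T2", 48000, "ACC-1", "AE"),     # far above baseline
              Transaction("T3", 1050, "ACC-9", "AE")):     # paid from a third-party account
        print(reassess(cust, t))
```

The rating is recomputed per event rather than stored, so a single clean transaction never undoes a profile-level flag such as PEP status; only an analyst's documented review should lower a rating again. The action list is deliberately the EDD set the article describes (additional information, source of funds and wealth, senior management approval, increased monitoring) so that alerts map directly onto the compliance workflow.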
AML Measures upon the Shift of a Low-Risk Customer to High-Risk Status
It is of utmost importance to know about the factors that lead to the transition of a low-risk customer to a high-risk one. With such knowledge, the regulated entity can take sufficient measures for better regulatory compliance, help avoid penalties, and safeguard itself from any risk associated with such customers.
The UAE’s AML/CFT regulatory framework mandates the regulated entity to conduct an Enhanced Due Diligence process for every high-risk customer. Similarly, EDD measures must be undertaken when a low-risk customer shifts to a high-risk status. With EDD, adequate increased controls and risk mitigation measures can be taken to manage the heightened risk.
The following EDD measures should be taken by the regulated entity when a low-risk customer shifts to a high-risk status:
Request Additional Information and Conduct Verification
The primary measure that every regulated entity should undertake to address such customers is to seek supplementary information to validate their identities and transactions. Updating the current information and documents in line with the change in risk rating helps the entity implement a better monitoring system and manage risks.
Details regarding Customer’s Source of Funds and Wealth
The regulated entity should thoroughly examine the source of funds and wealth to ensure legality and legitimacy and restrict the facilitation of transactions involving funds whose source is unknown or linked to any criminal activity.
The regulated entity must make independent inquiries and use reliable documents to establish the legitimacy of the source of funds and wealth involved in the transaction.
Review Criminal Charges and Adverse Media and connection with Financial Crimes
When the regulated entity encounters information related to criminal charges or adverse media concerning a customer, it must thoroughly investigate the nature and circumstances of these allegations. This measure differentiates between criminal charges and adverse media related to financial crimes, including activities concerning ML/FT and PF, and those unrelated to financial misconduct. Upon completing such an assessment, the regulated entity must evaluate the potential inferred risk associated with the customer profile and subsequently take measures.
Additionally, when the customer profile shifts due to adverse media, the regulated entity must ensure that it rules out fake news or news posts not backed by reliable data sources. Such measures are required to protect customers and maintain the integrity of the regulated entities.
Furthermore, in cases where the criminal charges are unrelated to financial crimes, the regulated entity should maintain enhanced observation of such customer’s activities. However, in cases where the criminal charges are related to ML/FT and PF, thorough investigations are needed, necessitating vigilant customer monitoring. If it is determined that the customer is still engaged in ML/FT and PF activities, the regulated entity must immediately report them on the goAML Portal and terminate the business relationship.
Obtain Management approval
In cases where a customer initially categorised as low-risk shifts to the high-risk category during ongoing monitoring, the regulated entity is mandated to seek senior management approval to proceed with the existing business relationship with such a customer.
This measure helps safeguard the regulated entity by validating the business’s commitment to risk management protocols and regulatory compliance standards in dealing with high-risk customers.
Get the payment from the customer’s bank account
For enhanced traceability and transparency, the regulated entity should demand payment from the customer’s bank account, as prescribed under the UAE AML laws as one of the EDD measures. Thus, for the low-risk customer now rated as high-risk, the regulated entity must not accept the payment using alternate modes like cash or a third-party bank account.
This helps document financial transactions and makes monitoring for AML regulatory compliance easier. By aligning payments with the customer’s bank account, the regulated entity can mitigate the risk of transferring funds to an unauthorised channel and prompt greater accountability throughout the transaction.
Increased ongoing monitoring
For the customer now classified as high-risk, the regulated entity must enhance the degree and frequency of ongoing monitoring of the business relationship, transactions and CDD updates. This continuous review shall help the regulated entity keep a close eye on this customer and spot any red flags that may potentially arise during the course of the business relationship.
Determining future relations with the High-Risk Customer
When a customer shifts from a low-risk category to high-risk, careful consideration and strategic actions are required to manage the associated risks and ensure regulatory compliance, for which the regulated entity takes EDD measures. The analysis and implementation of such EDD measures determine how to proceed with such customers. Here is the list of findings and recommendations which regulated entities can adopt to address the challenges posed by high-risk customers effectively:
Continue Business Relationships with Increased Monitoring
When customers are designated as high-risk, the regulated entity continues to engage with them to conduct transactions but with a more stringent monitoring system.
Similarly, when a low-risk category customer shifts to a high-risk status, the regulated entity shall maintain the business relationship while intensifying monitoring efforts to detect any associated risks promptly.
Terminate Business Relationship
In certain circumstances, the regulated entity must terminate the business relationship with a customer when its status changes from low-risk category to high-risk.
When the increased risk exceeds the management-approved risk appetite
In cases where the risk rating exceeds the regulated entity’s management-approved risk appetite, termination of the business relationship may be necessary to mitigate exposure. Risk appetite is set for the degree of risk a business is willing to accept, and it helps the regulated entity make decisions regarding customer onboarding.
Therefore, when a low-risk category customer shifts to a high-risk status, the regulated entity must ensure that the customer remains within its risk appetite after a change in risk profile before continuing with the business relationship.
When there’s a lack of Information
Insufficient information or the inability to verify critical details raises concerns about involvement in ML/FT and PF and also hinders the entity’s efforts toward applying the EDD process. Therefore, to safeguard itself from probable ML/FT and PF risk, the regulated entity may terminate the business relationship to avoid risk and also comply with the requirement of not transacting with the customer without the successful completion of adequate CDD measures.
File SAR/STR on the goAML Portal
As part of regulatory requirements in the UAE, the regulated entity must file a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) on the goAML portal when suspicious activity pertaining to ML/FT and PF is detected.
If the customer’s risk shift is attributed to engagement in such suspicious activity, the regulated entity must file SAR or STR on the goAML Portal while ensuring compliance with the “no tipping off” requirement.
Concluding thoughts on addressing the shift of low-risk customers to high-risk status
The transition of a customer from a low-risk category to a high-risk one underlines the changing nature of the financial risk associated with customers. Timely evaluation of the customer’s shift is not just a necessity but an essential component for maintaining the integrity of the AML framework. This shift demands vigilant monitoring, proactive measures, and adherence to robust AML compliance protocols, which are vital in mitigating potential risks.
With a proactive approach and robust measures, regulated entities can effectively address such shifts and mitigate the risks associated with high-risk customers. Implementing measures related to such shifts helps them make decisions that underscore their commitment to upholding their regulatory obligations to combat illicit financial crimes.
FAQs about Customer Risk Ratings and AML Measures
The Customer Risk Assessment is a critical AML measure that identifies each customer’s money laundering, financing of terrorism or proliferation financing (ML/FT and PF) risk and categorises them according to their associated risk. Customer risk assessment is crucial as it helps the entity determine the nature of CDD measures to be applied.
In the UAE, customers are classified into three main categories: low risk, medium risk, and high risk, based on ML/FT/PF risk associated with the customer.
Customers classified as high-risk require enhanced due diligence (EDD) measures to mitigate the elevated risk associated with their business relationship. EDD measures include conducting additional background checks, verifying the source of funds and wealth, obtaining approval from senior management before establishing or continuing the relationship, and monitoring transactions with more scrutiny.
Ongoing monitoring refers to continuously reviewing the customer profile and transactions throughout the business relationship. It involves regularly reviewing customer information, transaction patterns, and any relevant changes in risk factors.
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.
He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.