Implementation Guide for DNFBPs on Customer Risk Assessment
The Ministry of Economy is the supervisory authority for Designated Non-Financial Businesses and Professions (DNFBPs) in the UAE. It has published the Implementation Guide on Customer Risk Assessment (the Guide) to help DNFBPs comply effectively with their Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) obligations, specifically the following:
- Obligation to consider all risk factors to understand the overall risk of financial crimes and determine the required level of risk mitigation measures to be adopted
- Obligation to document the risk assessments, update them on a regular basis, and make them available to the regulatory authorities when requested
In this Update, we will discuss the meaning of CRA, its importance, the risk factors that must be considered for a comprehensive CRA, and the steps for implementing an effective CRA as discussed in the Guide.
The Meaning of Customer Risk Assessment (CRA)
The second segment of the Guide discusses how a CRA differs from an Institutional Risk Assessment (IRA), also called an Enterprise-Wide Risk Assessment (EWRA), while the third segment of the Guide discusses the meaning of CRA.
Customer Risk Assessment (CRA) is the process of assessing the Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks a customer presents. The CRA enables DNFBPs to adopt risk control measures such as Customer Due Diligence (CDD) and ongoing monitoring to mitigate the specific ML/TF and PF risks posed by the customers.
Both CRA and IRA are important parts of the DNFBP’s risk management framework but differ in certain aspects:
| Parameter | CRA | IRA |
| --- | --- | --- |
| Definition | CRA is the evaluation of the ML/TF and PF risks a customer poses to the DNFBP. | IRA or EWRA is the assessment of the overall ML/TF and PF risk exposure of the DNFBP. |
| Factors to be considered | Customer characteristics, transaction patterns, behavioural analysis, geographic risks, etc. | Internal and external factors such as products, services, transactions, customers, jurisdictions, the DNFBP's AML/CFT policies and procedures, its operational processes, industry-specific risks, etc. |
| Level | Conducted at the customer level. | Conducted at the institutional level. |
| Purpose | As discussed in the fifth segment of the Guide, to enable the DNFBP to adopt risk mitigation measures proportional to the level of ML/TF and PF risk presented by each customer; this is why conducting a CRA is of such importance. | To ensure that the DNFBP can respond effectively to the overall ML/TF and PF risks it faces. |
Situations in which Customer Risk Assessment Should Be Conducted
The sixth segment of the Guide discusses the situations in which the CRA is triggered. This includes the following circumstances:
- Onboarding of New Clients: CRA should be conducted before the business relationship with a client is created.
- Throughout Business Relationships with Clients: CRA should be conducted periodically throughout the business relationship with the clients. The frequency of the CRA can vary according to the customer risk rating.
- Change in Customer's Profile: CRA is triggered whenever the customer's profile changes, for example when the nature of the business relationship changes or the products and services the client uses change.
- Change in Risk Factors: CRA should be reconducted whenever risk factors change as a result of the National Risk Assessment (NRA) of the UAE or the relevant Sectoral Risk Assessment (SRA). This ensures that the findings of the NRA and SRA are incorporated into the CRA process.
Other situations that may change the risk factors include amendments to regulations or guidance issued by the supervisory authorities, adverse media relating to the customer, a sanctions listing, etc.
Risk Factors to Consider for Customer Risk Assessment
The seventh segment of the Guide discusses the risk factors that should be considered for a comprehensive CRA. A CRA should take into account a wide range of factors so that the ML/TF and PF risks posed by the client are detected at an early stage and mitigated through the appropriate level of CDD and other risk control measures. These include the following risk factors:
- Customer Related Risks
- Geography Related Risks
- Product/Services or Transaction-Related Risks
- Delivery Channel-Related Risks
- Other Applicable Risks
The eighth segment of the Guide discusses the necessity and importance of incorporating the risk factors identified in the NRA and the relevant SRA for a DNFBP.
The ninth segment of the Guide examines the Risk-Based Approach (RBA) and its importance in AML/CFT/CPF compliance. CRA is a facet of the RBA, enabling DNFBPs to categorise customers based on the level of ML/TF and PF risks they pose and adopt risk mitigation measures accordingly. This allows effective allocation of resources by ensuring that more stringent risk control measures are applied for high-risk customers.
For a comprehensive discussion of the factors to be considered for CRA, refer to our infographic here.
Steps for Successful Implementation of Customer Risk Assessment Process
The tenth segment of the Guide discusses the steps of implementing a comprehensive CRA process. Here’s an overview of these essential steps that DNFBPs must incorporate to undertake the CRA process successfully.
Defining Risk Factors:
The first step is to define the risk factors. These risk factors are to be used to assess the ML/TF and PF risks presented by the Customer.
Establishing Risk Levels and Defining Risk Scales and Risk Scores:
This step involves defining a scale for assessing the risk level with respect to each risk factor. For this purpose, risk scores can be utilised.
Creating a Risk Matrix to Represent the Risk Levels:
This step involves the creation of a risk matrix to represent the risk factors, levels, scales, and scores defined in the previous step.
Collecting Relevant Information and Documentation:
Having defined their own risk factors and risk scores and created the risk matrix, DNFBPs must apply them consistently during the CRA process. Therefore, when a customer is onboarded, the DNFBP needs to collect the relevant information to feed its CRA. This includes the customer's identification documents, business activities, source of funds, information about the intended transactions, etc.
Classifying Customers into Risk Categories:
Once the customer information has been gathered, the next step is to use the risk matrix created in the previous step to place the customer into a risk category.
Calculating Customer Risk Scores:
The DNFBP needs to determine the overall risk score to be assigned to the customer. This can be done in one of two ways:
- Averaging the risk scores assigned to the individual factors
- Assigning a weight to each factor according to its importance to the specific DNFBP and computing a weighted score
Updating Risk Controls Based on Risk Scores:
The purpose of categorising customers by risk is to adopt risk control measures proportionate to the level of risk the customer presents. This step involves updating the risk control measures according to the risk score. For example, if the customer falls into the higher-risk category, the DNFBP should adopt measures such as Enhanced Due Diligence, ongoing monitoring of transactions, and reporting of suspicious activities and transactions.
The Guide provides a detailed list of examples of risk mitigation measures that can be adopted.
Regularly Reviewing and Updating the CRA:
CRA should be regularly reviewed so that any changes in the risk factors are incorporated into the risk matrix.
Documenting the CRA Process:
The entire CRA process should be documented.
Maintaining Audit Trail of all Interactions with the Customer and CRA:
An audit trail must be maintained of all customer interactions, the information collected, each CRA conducted, the risk mitigation measures adopted and their justification, etc.
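The scoring steps above (define factors, set a scale, score each factor, combine the scores by averaging or by weighting, map the result to a category, attach controls, and keep a record) are easiest to see end to end in code. The following is an added illustration, not code from the Guide or the Ministry of Economy: the five factor families follow the Guide, but the 1-5 scale, the weights, the category thresholds, the control lists and the `assess` helper are assumptions chosen for this example. It deliberately uses one set of factor scores that lands in different categories under the two combination methods the Guide allows.

```python
"""Customer risk scoring: averaged versus weighted factor scores.

Added example; not from the Guide. The five factor families follow the
Guide; the 1-5 scale, the weights, the category thresholds and the control
lists are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

SCALE_MIN, SCALE_MAX = 1, 5  # assumed per-factor scale: 1 = lowest risk, 5 = highest

# Assumed weights: a DNFBP sets these to reflect how important each factor
# family is to its own business. They must sum to 1.0 (checked below).
WEIGHTS = {
    "customer": 0.30,
    "geography": 0.25,
    "product_transaction": 0.20,
    "delivery_channel": 0.15,
    "other": 0.10,
}

# Assumed category boundaries on the 1-5 scale: score < 2.5 -> low,
# 2.5 <= score < 3.5 -> medium, otherwise high.
THRESHOLDS = ((2.5, "low"), (3.5, "medium"))

# Assumed control sets per category, following the examples given in the text.
CONTROLS = {
    "low": ["standard CDD", "periodic review"],
    "medium": ["standard CDD", "transaction monitoring", "periodic review"],
    "high": ["enhanced due diligence", "ongoing transaction monitoring",
             "senior management approval", "STR filing where warranted"],
}


@dataclass(frozen=True)
class AssessmentRecord:
    """One CRA outcome, kept as part of the audit trail."""
    customer_id: str
    scores: dict
    method: str
    score: float
    category: str
    controls: tuple
    rationale: str
    assessed_at: str


def validate_scores(scores: dict) -> None:
    """Every factor family must be scored, and only on the agreed scale."""
    missing = set(WEIGHTS) - set(scores)
    unknown = set(scores) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, value in scores.items():
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} outside {SCALE_MIN}-{SCALE_MAX}")


def average_score(scores: dict) -> float:
    """Method 1 from the Guide: plain average of the factor scores."""
    return sum(scores.values()) / len(scores)


def weighted_score(scores: dict, weights: dict = WEIGHTS) -> float:
    """Method 2 from the Guide: weighted sum, normalised by the weight total."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total}, expected 1.0")
    return sum(scores[name] * w for name, w in weights.items()) / total


def categorise(score: float) -> str:
    """Map a combined score to a risk category using the assumed thresholds."""
    for upper, label in THRESHOLDS:
        if score < upper:
            return label
    return "high"


def assess(customer_id: str, scores: dict, method: str = "weighted",
           rationale: str = "") -> AssessmentRecord:
    """Run the CRA and return a record suitable for the audit trail."""
    validate_scores(scores)
    if method == "weighted":
        score = weighted_score(scores)
    elif method == "average":
        score = average_score(scores)
    else:
        raise ValueError(f"unknown method {method!r}")
    category = categorise(score)
    return AssessmentRecord(
        customer_id=customer_id, scores=dict(scores), method=method,
        score=round(score, 4), category=category,
        controls=tuple(CONTROLS[category]), rationale=rationale,
        assessed_at=datetime.now(timezone.utc).isoformat(),
    )


if __name__ == "__main__":
    # Constructed sample: a high-risk customer type in a high-risk jurisdiction,
    # using low-risk products through a face-to-face channel.
    sample = {"customer": 5, "geography": 5, "product_transaction": 2,
              "delivery_channel": 2, "other": 2}
    for method in ("average", "weighted"):
        rec = assess("CUST-0001", sample, method, rationale="onboarding")
        print(f"{method:8s} score={rec.score:.2f} category={rec.category}")
```

With the constructed scores, averaging gives 3.2 (medium) while the weighted method gives 3.65 (high), because the weights place more importance on the customer and geography factors. That gap is the practical reason the Guide asks DNFBPs to define and document their scales, weights and matrix before onboarding: the category, and with it the controls applied, depends on those choices, and a reviewer or regulator needs the record to see why a customer was placed where they were.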
Implementation Guide for DNFBPs on Customer Risk Assessment: A Summary
The Guide is divided into several segments. Here’s a final summary of the segments for a brief overview:
- The first segment introduces the Guide and explains the purpose of conducting a CRA
- The second segment discusses the difference between CRA and IRA
- The third segment explains the meaning of a CRA
- The fourth segment examines the meaning of high-risk customers and the importance of adopting stringent risk control measures for them
- The fifth segment discusses the significance of the CRA process
- The sixth segment lays down the situations in which it is necessary to conduct CRA
- The seventh segment details the risk factors that must be considered while conducting the CRA
- The eighth segment discusses the significance of incorporating the findings of the NRA and SRA for a comprehensive CRA
- The ninth segment deliberates upon the implementation of the Risk-Based Approach and its importance in enhancing AML/CFT/CPF controls by focusing resources on higher ML/TF and PF risk areas
- The tenth segment lays down a step-by-step approach to implementing the CRA process
- The eleventh segment concludes the Guide by reiterating the importance of a comprehensive CRA in mitigating ML/TF and PF risks a DNFBP faces from its customers and meeting AML/CFT/CPF regulatory obligations.