Fraud & Compliance / Learning brief
Customer risk rating and enhanced due diligence
Your notes
In simple terms / 01
What this means in plain language
A customer risk rating scores each relationship from factors such as geography, product, channel, and behaviour, and that score decides whether the customer receives standard or enhanced due diligence (EDD) and how often the file is reviewed.
Not every customer carries the same financial-crime risk, so firms do not treat every customer the same way. A customer risk rating is a score, often low, medium, or high, that a firm assigns to each relationship by weighing several factors: the countries involved, the products and services used, how the customer was onboarded, the type of customer, and, over time, how the account behaves. The rating is a control dial, not a label. It decides how much due diligence a customer receives: a lower-rated customer gets standard customer due diligence (CDD), while a higher-rated customer gets enhanced due diligence (EDD), which gathers more information and looks harder at source of funds and ownership. The rating also sets how often the relationship is reviewed, so higher risk means closer, more frequent attention. Because the rating drives real effort and real cost, the factors and their weighting are documented, and the rating is updated as the customer and the world around them change.
Complete lesson / 02
Understand the full idea, step by step
A bank cannot watch every customer with equal attention — no bank has the staff for that. So it does what a careful insurer does before setting a premium: it decides how much attention each relationship deserves, and it decides it with a score. That score is the customer risk rating, and it quietly governs almost everything the bank does next.
Customer risk rating — a score that concentrates due-diligence effort where risk actually sits
A customer risk rating combines factors that experience and regulation associate with financial-crime risk into a single, comparable score — often expressed as low, medium, or high. Its purpose is to let a bank apply its finite due-diligence effort where the risk is, rather than spreading it evenly across customers who are not equally risky.
The four factors in almost every model
- Geography
- Countries the customer is based in, sends to, or receives from — some carry higher sanctions or corruption exposure
- Product / service
- What the customer uses — cash-intensive services, correspondent relationships, and trade finance score higher than a plain savings account
- Channel
- How the customer was onboarded and transacts — face-to-face offers different assurance than fully remote
- Customer type
- Individual, regulated company, trust, or a customer connected to a PEP (politically exposed person)
The weighting is a decision, not an accident
A bank assigns weightings to these factors and combines them into the overall score. Those weightings are a documented risk decision: a supervisor will ask why each factor carries the weight it does, and "the tool came set that way" is not an answer. Applied to our two customers, the salaried resident scores low across geography, product, and channel; the remote, cross-border, cash-intensive company scores higher on all three. The score is what makes that difference comparable and consistent across the whole customer base.
Enhanced Due Diligence (EDD) — a deliberately heavier standard for higher-rated customers
The rating's main job is to set the level of due diligence. Standard-band customers receive standard CDD. Higher-rated customers receive enhanced due diligence: obtaining and verifying source of funds and source of wealth, mapping the full ownership and control structure, seeking senior-management approval to open or continue the relationship, and applying closer, more frequent monitoring. Some regimes also allow simplified due diligence for clearly low-risk, well-understood cases — though even then the customer is still identified and monitored.
If a customer is connected to a PEP, does that mean they are doing something wrong?
No. Being a politically exposed person — or connected to one — is not prohibited, and a PEP is not a criminal by definition. The role simply carries a higher risk of bribery or corruption, which is why it is a common EDD trigger: the bank applies extra care, not suspicion. The principle throughout is proportionality — the depth of due diligence should match the assessed risk. Applying EDD to everyone would waste effort and slow legitimate customers; applying it to no one would miss the relationships most likely to cause harm.
What the rating drives
- VALIDATION
Combine the weighted factors into an overall rating for the customer — low, medium, or high.
- VALIDATION
Set the due-diligence level from the rating: standard CDD for most, enhanced due diligence for higher-risk relationships.
- VALIDATION
Set the review cycle from the rating too: higher-risk files are re-examined more often than lower-risk ones.
- NOTIFICATION
Recalculate the rating whenever the facts change — an event-driven trigger — so a customer moving into a higher band picks up the heavier standard automatically.
WHAT IF — A previously medium-risk customer becomes connected to a PEP, moves into a higher-risk country, or shows transaction behaviour that no longer fits the expected pattern.
What happens: An event-driven trigger forces an earlier review and re-rating. If the customer moves into a higher band, enhanced due diligence follows without waiting for the next scheduled date.
How it is handled: The rating is treated as a living value, recalculated as facts change rather than fixed at onboarding. Screening runs in parallel throughout, so the customer is re-checked against updated lists regardless of their rating, and any unresolved concern is escalated rather than closed quietly.
STRICTLY SPEAKING
Strictly speaking, the exact factors, their weightings, the number of rating bands, and the review periods for each band are set by each bank's methodology within its regime — they are policy choices, not universal constants, and they change as a bank's risk assessment changes. The durable idea is that the rating is a defensible, documented decision that directs effort, not a number pulled from a tool without a reason.
FOR NOW, REMEMBER
- A customer risk rating combines factors — geography, product, channel, customer type — into one comparable score.
- The weightings are a documented risk decision a supervisor can question, not a default no one can explain.
- The rating sets the level of due diligence: standard CDD for most, enhanced due diligence for higher-risk relationships.
- It is a living value: event-driven triggers and periodic reviews recalculate it, and a move into a higher band pulls up the standard automatically.
TRY IT YOURSELF
The salaried local resident and the remote, cross-border, cash-intensive company both opened accounts this morning. How should Bank Alfa treat them?
Enhanced due diligence on a company means mapping its full ownership and control. The next lesson follows that thread: how a bank looks through a corporate structure to find the real person behind it.
KEEP GOINGKey takeaways / 03
Three things to remember
- 01
A customer risk rating combines factors like geography, product, channel, and behaviour into a single score.
- 02
The rating decides standard versus enhanced due diligence and how often the customer is reviewed.
- 03
Ratings are documented and refreshed, because they change as the customer and their risk factors change.
Practical use cases / 04
Where you would use this
A compliance team designs a risk-rating model that weights country, product, channel, and customer-type factors into a low, medium, or high score.
An analyst applies enhanced due diligence to a customer rated high risk, gathering source-of-funds evidence before approval.
A review team uses the rating to set the schedule for refreshing each customer's due-diligence file.
Worked example / 05
Put the idea into a real situation
Illustrative example: a fictional bank, Aster Bank, rates customers on a scale where a score of 0 to 39 is low, 40 to 69 is medium, and 70 or above is high. A fictional customer, Sable Logistics Ltd, scores points for operating in a higher-risk country (25), using cross-border trade finance (20), and having a politically exposed person (PEP) among its owners (30), reaching 75, high. That rating triggers enhanced due diligence (EDD): the bank obtains source-of-wealth evidence for the PEP owner, verifies the ownership chain, and sets the file for review every 12 months instead of the 36 months a low-risk customer would receive. When the PEP later leaves the ownership structure, the score is recalculated and the review cycle is reassessed.
Evidence & review / 07
Evidence & review
Risk-based customer risk rating and enhanced due diligence as framed by the FATF standards; factors, weightings, bands, and review cycles are set by each institution's methodology within its jurisdiction.
What this brief simplifies: Uses a low/medium/high band and four illustrative factor groups. Real models weight more granular factors, may score continuously, and define EDD measures and simplified-due-diligence eligibility by regime and policy.
Sources for this brief2
- Official requirement
The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation ↗ — Financial Action Task Force · Recommendation 1 (risk-based approach); Recommendation 10 (CDD); Recommendation 12 (PEPs)
Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.
- Simplified educational illustration
Payments Signal editorial teaching models — Payments Signal · Two-accounts scenario and the low/medium/high banding illustration
Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.