GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

Customer risk rating and enhanced due diligence

Your notes

What this means in plain language

A customer risk rating scores each relationship from factors such as geography, product, channel, and behaviour, and that score decides whether the customer receives standard or enhanced due diligence (EDD) and how often the file is reviewed.

Not every customer carries the same financial-crime risk, so firms do not treat every customer the same way. A customer risk rating is a score, often low, medium, or high, that a firm assigns to each relationship by weighing several factors: the countries involved, the products and services used, how the customer was onboarded, the type of customer, and, over time, how the account behaves. The rating is a control dial, not a label. It decides how much due diligence a customer receives: a lower-rated customer gets standard customer due diligence (CDD), while a higher-rated customer gets enhanced due diligence (EDD), which gathers more information and looks harder at source of funds and ownership. The rating also sets how often the relationship is reviewed, so higher risk means closer, more frequent attention. Because the rating drives real effort and real cost, the factors and their weighting are documented, and the rating is updated as the customer and the world around them change.

Understand the full idea, step by step

A bank cannot watch every customer with equal attention — no bank has the staff for that. So it does what a careful insurer does before setting a premium: it decides how much attention each relationship deserves, and it decides it with a score. That score is the customer risk rating, and it quietly governs almost everything the bank does next.

Customer risk ratinga score that concentrates due-diligence effort where risk actually sits

A customer risk rating combines factors that experience and regulation associate with financial-crime risk into a single, comparable score — often expressed as low, medium, or high. Its purpose is to let a bank apply its finite due-diligence effort where the risk is, rather than spreading it evenly across customers who are not equally risky.

The four factors in almost every model

Geography
Countries the customer is based in, sends to, or receives from — some carry higher sanctions or corruption exposure
Product / service
What the customer uses — cash-intensive services, correspondent relationships, and trade finance score higher than a plain savings account
Channel
How the customer was onboarded and transacts — face-to-face offers different assurance than fully remote
Customer type
Individual, regulated company, trust, or a customer connected to a PEP (politically exposed person)

The weighting is a decision, not an accident

A bank assigns weightings to these factors and combines them into the overall score. Those weightings are a documented risk decision: a supervisor will ask why each factor carries the weight it does, and "the tool came set that way" is not an answer. Applied to our two customers, the salaried resident scores low across geography, product, and channel; the remote, cross-border, cash-intensive company scores higher on all three. The score is what makes that difference comparable and consistent across the whole customer base.

Enhanced Due Diligence (EDD)a deliberately heavier standard for higher-rated customers

The rating's main job is to set the level of due diligence. Standard-band customers receive standard CDD. Higher-rated customers receive enhanced due diligence: obtaining and verifying source of funds and source of wealth, mapping the full ownership and control structure, seeking senior-management approval to open or continue the relationship, and applying closer, more frequent monitoring. Some regimes also allow simplified due diligence for clearly low-risk, well-understood cases — though even then the customer is still identified and monitored.

If a customer is connected to a PEP, does that mean they are doing something wrong?

No. Being a politically exposed person — or connected to one — is not prohibited, and a PEP is not a criminal by definition. The role simply carries a higher risk of bribery or corruption, which is why it is a common EDD trigger: the bank applies extra care, not suspicion. The principle throughout is proportionality — the depth of due diligence should match the assessed risk. Applying EDD to everyone would waste effort and slow legitimate customers; applying it to no one would miss the relationships most likely to cause harm.

What the rating drives

  1. VALIDATION

    Combine the weighted factors into an overall rating for the customer — low, medium, or high.

  2. VALIDATION

    Set the due-diligence level from the rating: standard CDD for most, enhanced due diligence for higher-risk relationships.

  3. VALIDATION

    Set the review cycle from the rating too: higher-risk files are re-examined more often than lower-risk ones.

  4. NOTIFICATION

    Recalculate the rating whenever the facts change — an event-driven trigger — so a customer moving into a higher band picks up the heavier standard automatically.

WHAT IF — A previously medium-risk customer becomes connected to a PEP, moves into a higher-risk country, or shows transaction behaviour that no longer fits the expected pattern.

What happens: An event-driven trigger forces an earlier review and re-rating. If the customer moves into a higher band, enhanced due diligence follows without waiting for the next scheduled date.

How it is handled: The rating is treated as a living value, recalculated as facts change rather than fixed at onboarding. Screening runs in parallel throughout, so the customer is re-checked against updated lists regardless of their rating, and any unresolved concern is escalated rather than closed quietly.

STRICTLY SPEAKING

Strictly speaking, the exact factors, their weightings, the number of rating bands, and the review periods for each band are set by each bank's methodology within its regime — they are policy choices, not universal constants, and they change as a bank's risk assessment changes. The durable idea is that the rating is a defensible, documented decision that directs effort, not a number pulled from a tool without a reason.

FOR NOW, REMEMBER

  • A customer risk rating combines factors — geography, product, channel, customer type — into one comparable score.
  • The weightings are a documented risk decision a supervisor can question, not a default no one can explain.
  • The rating sets the level of due diligence: standard CDD for most, enhanced due diligence for higher-risk relationships.
  • It is a living value: event-driven triggers and periodic reviews recalculate it, and a move into a higher band pulls up the standard automatically.

TRY IT YOURSELF

The salaried local resident and the remote, cross-border, cash-intensive company both opened accounts this morning. How should Bank Alfa treat them?

Identically — both are brand-new customers, so both should get exactly the same checks.

Not this one — Treating unequal risks equally is the opposite of a risk-based approach: it wastes effort on the low-risk customer and under-covers the high-risk one.

The company scores higher on geography, channel, and product, so it receives enhanced due diligence and a more frequent review cycle than the resident.

Correct — Correct. The rating concentrates effort where the risk sits: heavier diligence and closer review for the higher-scoring relationship, proportionate checks for the lower-scoring one.

The company should be refused outright, because remote onboarding and cross-border flows are not permitted.

Not this one — Higher risk is a reason for enhanced due diligence, not automatic refusal. The point of the rating is to serve higher-risk customers carefully, not to turn them away by default.

Enhanced due diligence on a company means mapping its full ownership and control. The next lesson follows that thread: how a bank looks through a corporate structure to find the real person behind it.

KEEP GOING

Three things to remember

  1. 01

    A customer risk rating combines factors like geography, product, channel, and behaviour into a single score.

  2. 02

    The rating decides standard versus enhanced due diligence and how often the customer is reviewed.

  3. 03

    Ratings are documented and refreshed, because they change as the customer and their risk factors change.

Where you would use this

USE CASE 01

A compliance team designs a risk-rating model that weights country, product, channel, and customer-type factors into a low, medium, or high score.

USE CASE 02

An analyst applies enhanced due diligence to a customer rated high risk, gathering source-of-funds evidence before approval.

USE CASE 03

A review team uses the rating to set the schedule for refreshing each customer's due-diligence file.

Put the idea into a real situation

Illustrative example: a fictional bank, Aster Bank, rates customers on a scale where a score of 0 to 39 is low, 40 to 69 is medium, and 70 or above is high. A fictional customer, Sable Logistics Ltd, scores points for operating in a higher-risk country (25), using cross-border trade finance (20), and having a politically exposed person (PEP) among its owners (30), reaching 75, high. That rating triggers enhanced due diligence (EDD): the bank obtains source-of-wealth evidence for the PEP owner, verifies the ownership chain, and sets the file for review every 12 months instead of the 36 months a low-risk customer would receive. When the PEP later leaves the ownership structure, the score is recalculated and the review cycle is reassessed.

Evidence & review

REVIEWED 2026-07-13

Risk-based customer risk rating and enhanced due diligence as framed by the FATF standards; factors, weightings, bands, and review cycles are set by each institution's methodology within its jurisdiction.

What this brief simplifies: Uses a low/medium/high band and four illustrative factor groups. Real models weight more granular factors, may score continuously, and define EDD measures and simplified-due-diligence eligibility by regime and policy.

Sources for this brief2
  1. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · Recommendation 1 (risk-based approach); Recommendation 10 (CDD); Recommendation 12 (PEPs)

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  2. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Two-accounts scenario and the low/medium/high banding illustration

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Fraud & Compliance archive

KYC and customer due diligence basics

Know your customer (KYC) identity checks and customer due diligence (CDD) establish who a customer is, who owns them, and how much risk they carry, before an account opens and throughout the relationship, with screening as one input.

READ BRIEF

Correspondent banking risk

Correspondent banking lets one bank move money through another's accounts to reach places it cannot serve directly. That reliance on a customer's customers raises financial-crime risk, so it is managed through structured due diligence.

READ BRIEF

Screening for politically exposed persons (PEPs)

Politically exposed persons hold prominent public roles that carry higher corruption risk. Screening flags them so a bank applies enhanced due diligence — a deeper, documented review and senior sign-off — rather than the hard payment stop a sanctions match triggers.

READ BRIEF