Guidance on customer risk-rating under AML/CFT Act

08 June 2025

Two AML/CFT supervisors have published similar guidance on how reporting entities under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 should approach the new customer risk-rating requirement, which took effect on 1 June 2025.

We recommend you familiarise yourself with the Financial Markets Authority (FMA) guideline and the Department of Internal Affairs (DIA) guidance.

Developing a risk-rating process

To risk-rate a customer, entities should objectively determine the level of AML/CFT risk based on a risk-rating process or model. This should be informed by their AML/CFT risk assessments and compliance programmes. Factors to consider include:

  • the types of customers, countries and institutions involved
  • the products and services offered
  • the delivery methods used, and
  • the 2024 National Risk Assessment and any other applicable sector risk assessment.

The supervisors are flexible on how reporting entities achieve this, emphasising that there is no one-size-fits-all model. Entities should tailor their approach to the level of AML/CFT risk they face and to the size, complexity and nature of their business.

A distinction is made between:

  • smaller entities with relatively few customers and a limited range of products or services. These may adopt simple manual processes using the basic risk categories of low/medium/high. DIA provides a Customer Risk Rating Onboarding Table setting out the sorts of risk factors that could be considered, although this is presented as an example only and is not mandatory, and
  • entities with large customer bases and/or more complex ranges of products and services, which need more sophisticated methodologies. These may include additional risk categories such as low-medium and medium-high, numerical scoring, and/or matrix-based tools that assign weightings to the various factors.

Onboarding and ongoing customer due diligence (CDD)

The risk-rating process should begin at the onboarding stage, with the information gathered during CDD heavily informing the determination. For manual onboarding, a two-stage approach is suggested: an initial risk rating is assigned based on early customer information, and this is then confirmed or adjusted once all CDD checks have been completed.

The risk rating should:

  • guide the intensity and frequency of ongoing CDD and account monitoring for that customer, and
  • inform whether any controls are needed to mitigate AML/CFT risks, such as transaction limits or requiring senior management approval for certain activities. 

Risk ratings should be reviewed and updated as necessary, particularly when customer behaviour or circumstances change. 

Record keeping and compliance

Entities must maintain records of each customer’s risk rating, including the dates of any reviews or updates and the rationale behind each determination. These should be easily accessible and retained for at least five years after the business relationship ends.

Entities are also required to document their policies, procedures and controls for initial CDD, ongoing CDD and account monitoring, including the risk-rating process for new customers, in their AML/CFT compliance programmes.

Both the FMA and DIA emphasise the need for periodic reviews and testing of the risk-rating process to ensure its effectiveness.

We can help

If you would like assistance developing or reviewing your customer risk-rating model, or would like to discuss any aspect of this guidance or the AML/CFT regime generally, please get in touch with one of our experts.