
Who are high-risk customers under AML regulations?

  • Writer: azakaw
  • Sep 1

Under Anti-Money Laundering (AML) compliance, not all customers are treated equally.


Some may pose a greater threat to your institution than others do, whether it be money laundering, terrorist financing, bribery, or other financial crimes.


It's your responsibility to identify high-risk customers and take appropriate action. To do it, you need to understand the different types of high-risk clients and be able to identify them from the moment they engage with your organization, whether it’s a bank, fintech, casino, or crypto platform.


In this post, we will define what constitutes an AML high-risk client, list the most common types of high-risk customers, outline how to identify them during the onboarding process, and explain the necessary actions to take regarding them.


AML High-Risk Customers Key Takeaways

  • High-risk customers include PEPs, non-residents, cash-intensive businesses, crypto users, MSBs, shell companies, correspondent banks, and clients from sanctioned countries.


  • Identifying these clients early through KYC and risk scoring during onboarding is critical for AML compliance.

  • These high-risk clients require Enhanced Due Diligence (EDD).

  • AI and automated AML tools are vital to detect high-risk clients efficiently at scale.

  • Effective management of high-risk customers reduces financial, regulatory, and reputational exposure while improving compliance maturity.



What defines a High-Risk Customer in AML?

High-risk customers are individuals or entities that present an increased likelihood of involvement in money laundering or terrorist financing due to their profile, activities, or geographic connections.


There is no single factor that defines a high-risk customer. Instead, a combination of factors elevates a customer's inherent risk to a higher level.


Inherent vs elevated AML risk

Every business has some level of inherent risk. This is the underlying risk associated with the business and its nature.


A small credit union has less inherent risk than a global bank with customers in 100 countries.


Elevated risk refers to specific circumstances or factors that increase an institution's inherent risk.


For example, opening a checking account for someone who lives nearby is inherent risk; opening a complex trust for a foreign politician funded from an offshore account is elevated risk.



Regulatory expectations

The Financial Action Task Force (FATF) sets global AML standards and requires financial institutions to use a risk-based approach (RBA).


This means allocating resources based on the level of risk associated with each customer and activity.


Local regulators such as FinCEN in the United States or the Financial Conduct Authority (FCA) in Great Britain take these global standards and turn them into specific rules for their jurisdictions.


Regulators want firms to be aware of who their high-risk clients are, and to devote proportionate resources to serving them.



Role in customer due diligence (CDD & EDD)

For compliance purposes, AML customer risk rating does the heavy lifting. The classification process determines the course of action for customer due diligence procedures.


  • Customer Due Diligence (CDD): Generally, this involves collecting and verifying information about a customer, including their name, address, and date of birth. It is the minimum level of due diligence required for low or standard-risk customers.

  • Enhanced Due Diligence (EDD): If a customer has been identified as higher risk through the risk scoring process, then enhanced due diligence will always be required in addition to standard due diligence procedures.


What are the common AML high-risk customer types?

High-risk customer types include PEPs, non-residents, cash-intensive businesses, HNWIs with complex structures, crypto users, MSBs, shell companies, correspondent banks, and clients from sanctioned or high-risk countries.


These groups require enhanced due diligence under AML regulations.



1. Politically Exposed Persons (PEPs)

PEPs are individuals who have held high-ranking positions in government or at state-owned enterprises.


While being a PEP doesn't mean someone is corrupt, their position makes them more susceptible to bribes or other illicit activities. Therefore, all financial institutions (FIs) must pay special attention when onboarding PEPs.


Additionally, AML policies also require enhanced due diligence (EDD) for family members and close associates of PEPs, as well as for offshore companies they may control or have connections with.


In fact, most institutions will assign a high-risk score by default to PEPs and offshore entities.




2. Non-resident and offshore clients

Customers from other countries can present a higher risk, since it's harder to verify their identities and check their reputations.


It's even more worrisome if they want to open an account in an offshore jurisdiction known for bank secrecy.



3. Cash-intensive businesses

Casinos, restaurants, bars, car washes, and liquor stores all deal in cash. Lots of it. Cash-intensive businesses are considered high-risk clients because cash can be used to launder money.


It's hard to tell "clean" money (the kind earned legally) from "dirty" money (the proceeds of crime), so these businesses are often watched more closely than others.


4. High-net-worth individuals (HNWI) with complex structures

It isn't wealth that's the issue here, but complexity.


If your client has lots of money and has set up numerous shell companies, foundations, and trusts, you may be at risk for money laundering schemes.


Are your clients using these structures for estate planning or tax purposes? Or are they trying to hide something about who owns the money?


It’s important to identify the beneficial ownership of all assets and determine who the ultimate beneficial owner (UBO) really is.



5. Crypto asset users and exchanges

This one may not have been on your list a few years ago, but it's definitely there now. The reason: Crypto assets can be used to move funds quickly without being detected. They can also make it hard to find out who is behind a transaction.


As a result, FIs view both individuals and businesses involved in cryptocurrency as high-risk.


Many different kinds of businesses in this space could be involved in money laundering or terrorist financing and so pose a risk to you.


These companies are called Virtual Asset Service Providers (VASPs) and include crypto exchanges as well as other businesses that facilitate transactions in cryptocurrencies.



6. Money service businesses (MSBs)

Money service businesses (MSBs) provide services such as check cashing, currency exchange, and money transmission.


While they can be useful for people who do not have access to traditional banking services (sometimes being referred to as "banks for the unbanked"), they can also be used by criminals.


MSBs may be attractive to money launderers because they often deal in cash and can be used to send large amounts of money in small transactions (known as "structuring").


A money launderer may also choose to use an MSB to send funds to countries that are high-risk from an AML perspective. It is therefore important to apply extra scrutiny when dealing with MSBs as customers.


7. Shell companies and trusts

A shell company has no active business. It may not have any employees or even an office, but it can still hold assets and transfer money.


Because they can be used to disguise the ownership of assets and to move money without being detected, shell companies can pose a significant risk from an AML perspective.


If you are dealing with a company that you suspect may be a shell company (perhaps because it has given a vague description of its business, such as "consulting" or "investment holding"), then you should ask for more information about what the company does on a day-to-day basis.



8. Correspondent banking relationships

Correspondent banking relationships pose a significant danger for financial institutions. Such a relationship exists when a big bank allows a smaller bank in another country to use its services.


Customers of the smaller bank can then use the bigger bank's services indirectly – even though the bigger bank has no direct contact with those customers.


As a result, your institution has to rely on the AML program of the other bank.


This means there is an inherent risk that the smaller bank might not be following AML rules as stringently as your institution does.


9. Clients from sanctioned or high-risk jurisdictions

The geographic location of a customer or potential customer also plays a role in determining the level of risk they pose. 


If someone is from (or does business with) a country that is subject to international sanctions, it is something that may need extra attention.


There are also what are known as 'grey list' countries.


These are places that have inadequate AML laws, meaning they don't do enough to stop money laundering and terrorist financing.


The Financial Action Task Force (FATF) maintains a list of such countries. If a customer or potential customer comes from one of these countries, they automatically pose a higher risk.



How to identify High-Risk Customers during onboarding

Your organization’s Know Your Customer (KYC) procedures are essential for identifying potential high-risk customers during the onboarding process, whether you operate in banking, fintech, crypto, or gaming.


As we'll see in a moment, it's not just a question of ticking boxes on a form; you also need to collect specific information that can be used to assess the level of risk posed by each individual or business.


Your onboarding form should ask for details, including:

  • Geography: Where is the customer based? Where will they be using the account?

  • Occupation/Industry: What does the customer do? (Certain jobs and industries are considered higher-risk than others; for example, someone who runs a casino might be classed as higher-risk than someone who works in retail.)

  • Expected transactions: What kind of transactions does the customer expect to make using the account? How much money will they be moving around? How often? And to and from which countries?


Having this information helps you set a baseline for what normal activity looks like. If there are any deviations from this pattern in the future, these could indicate suspicious behaviour.



Use of questionnaires and risk scoring models

It's not enough just to ask these questions; you also need a system to interpret the answers.


Many regulated entities, including banks, fintechs, crypto platforms, and gaming operators, use risk scoring models that assign points to different risk factors.


They also provide customers with questionnaires during onboarding to assess their overall risk profile.


For example:

  • Are you a politically exposed person (PEP)?

  • Do you deal in cryptocurrency?

  • Where do you live?

  • What is your job?


The answers to these questions feed into the risk model. Each one is given a score.

Depending on the total score at the end, the customer might be classified as low-risk, medium-risk, or high-risk.


In an ideal world, this process would be completely objective; however, in some cases, there may be an element of human judgment too.



Role of automated tools and AML software

It’s impossible to perform these checks manually at scale. Most regulated businesses now rely on technology solutions such as AML screening and monitoring software to automate the process.


This can help with everything from collecting information during onboarding to monitoring customer accounts for suspicious activity on an ongoing basis.


It's impossible to manually screen new customers against the vast number of PEP lists, sanctions lists, and negative news articles that are out there.


This is why AML software is so important when it comes to identifying high-risk customers; it automates the screening process.



What are the Enhanced Due Diligence measures for high-risk clients?

Enhanced Due Diligence (EDD) measures for high-risk clients include verifying the source of funds and wealth, continuous monitoring and escalation, senior management approval, and more frequent review cycles.


These controls go beyond standard Customer Due Diligence (CDD) to ensure that relationships with high-risk individuals or entities are managed safely and transparently.


Source of funds/wealth verification

Source of funds and source of wealth are important areas for any individual, but they become even more so for high-risk individuals.


Whilst it is sufficient to merely identify a regular individual, for a high-risk individual the source of wealth and source of funds become important issues that need to be expanded upon.


Typical source of wealth (SOW) documentation might include:

  • Payslips

  • Tax returns

  • Business sale documentation

  • Inheritance documentation



Continuous monitoring and escalation

High-risk individuals are subject to continuous monitoring, with all their transactions subjected to closer scrutiny. They must be aware of this.


Any suspicious activity should immediately be escalated to your MLRO or senior compliance officer for them to decide whether or not to file a Suspicious Activity Report (SAR).


Senior management approval

One important aspect of the EDD process is the requirement for senior management approval.


This is a crucial control feature, as the acceptance of any customer represents a risk to the organisation that must be formally accepted by senior management.


This ensures that senior management is aware of all of the high-risk individuals on the organisation's books.


More frequent review cycles

A regular review cycle for low-risk individuals might be every five years; however, for AML high-risk customers, this is likely to be on an annual basis.


This review will incorporate elements of the CDD process, as well as looking at the ongoing business relationship with the customer, and may involve some or all of the following:

  • Checking whether they are still a politically exposed person (PEP)

  • Whether there have been any adverse media reports on them

  • Whether the nature of their business has changed



Frequently Asked Questions


Who qualifies as a high-risk customer under AML?

A high-risk customer is defined as any individual or organisation that poses a greater risk of money laundering, based on several factors.


Are all offshore companies considered high risk?

No. Whilst all offshore companies do present certain challenges from a money laundering perspective, particularly in respect of beneficial ownership, they are not all categorised as high risk.


How does being a PEP affect a person's risk score?

When determining risk scores for Anti-Money Laundering purposes, individuals who fall under the category of being a PEP are considered high-risk. Due to their influential position, PEPs are frequently targeted by bribery and corruption.


Conclusion

Identifying high-risk clients is not just an AML compliance requirement. It is also the core of an effective compliance program.


AML compliance officers, compliance teams, and companies must be aware of potential threats and high-risk customers to protect their firms from financial crimes.


Businesses need to move away from mere 'box-ticking' to a system where actual risks are assessed and managed. To do that, they must first identify the customers who pose the greatest risks.


Risk assessment involves several complexities that make manual risk assessment unreliable. This has led to an increased demand for an automated AML risk assessment system.


Book a demo to learn how Azakaw can strengthen your overall AML compliance framework.

