Assigning customer risk ratings (Reform)

Learn how to identify and assign customer risk ratings if you have a smaller, less complex business. This is an important part of your customer due diligence obligations.


This guidance isn’t suitable for more complex reporting entities, such as remittance network providers or large authorised deposit-taking institutions (ADIs).

This section refers to the Act sections 26F(1)(a), 28(3)(b) and 30(1).

Part of your initial and ongoing customer due diligence (CDD) obligations is understanding the money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks) of your customers (customer risk).

It’s important to understand that this process is different to an ML/TF risk assessment, as:

  • an ML/TF risk assessment involves identifying broad risks across a business
  • assigning customer risk ratings in CDD involves determining customer risk on a case-by-case basis. This is based on the KYC information reasonably available to you during initial CDD, and all ML/TF risk factors present for that customer that you’ve identified during ongoing CDD.

The steps outlined on this page are designed to help you both:

  • identify customer ML/TF risk as part of your initial CDD
  • review and update the customer’s ML/TF risk as part of ongoing CDD.

Your approach to identifying and assessing customer risk must be appropriate to the nature, size and complexity of your business. We also expect your customer risk rating method to be integrated into the anti-money laundering and counter-terrorism financing (AML/CTF) policies you develop to complete CDD.

Why customer risk ratings matter

This section refers to the Act sections 31(a) and 32.

Developing a process to assign customer risk ratings helps you accurately and consistently:

  • identify the risk of each customer
  • assign appropriate risk ratings. For example, low, medium or high risk.

This helps you apply your AML/CTF policies to appropriately manage and mitigate customer risk. It will also determine when you can apply your simplified CDD measures (for low-risk customers) and when you must apply enhanced CDD (for high-risk customers).

Step 1: Develop a customer risk rating system

This section refers to the Act sections 26C(3), 28(4) and 30(5).

When assigning a customer risk rating for CDD, you must use the information and factors in your ML/TF risk assessment, and consider how these apply to the individual customer. This includes all of the following:

  • the kind of customer
  • what kind of designated services you’re providing to the customer
  • the delivery channels you will use to provide designated services to the customer
  • what countries you’ll provide your designated services in or through.

Learn more about ML/TF risk assessments

In developing a customer risk rating system for CDD, we expect you to identify risk factors in these categories that may impact the customer risk and assign each factor with a rating. This will help you form a more consistent and reliable customer risk rating system.

In an ML/TF risk assessment, when rating risk across a business, we recommend determining the likelihood and impact of each factor. When understanding customer risk on a case-by-case basis, a good method may be using the ‘impact’ rating in the ML/TF risk assessment as a starting point. This can be done without considering the ‘likelihood’ rating.

We then expect you to include a method in your AML/CTF policies that your staff can use to assign a risk rating to each customer by doing all of the following:

  • checking whether each risk factor you’ve identified is present for the customer
  • balancing the nature and scale of each risk factor present to reach an overall risk rating for the customer
  • considering any indicators of unusual or criminal activity that may be present.

Examples of customer risk ratings

Common examples of customer risk ratings are below. Note, these are examples and we expect you to adopt an approach that is appropriate for your business.

Low-risk customer: the customer is an Australian resident seeking a low-risk service that only involves interaction with low-risk jurisdictions. No red flags or enhanced CDD triggers are present.

Medium-risk customer: where there are no red flags or enhanced CDD triggers present, but there are some ML/TF risk factors that may have a moderate impact. For example, if one of the following applies to the customer:

  • they want a service you’ve assessed as medium risk
  • they have a multi-layered control structure (which isn’t unduly complex)
  • they have connections to medium-risk jurisdictions
  • they are a low-profile domestic politically exposed person (PEP).

High-risk customer: the customer has high-risk indicators with significant complexity. For example, if one or more of the following applies to the customer:

  • has a control structure that’s unusually complex
  • is a foreign PEP
  • has ties to high-risk jurisdictions
  • is seeking designated services from you that don’t have a clear economic or lawful purpose or reason.

The presence of particular risk factors, and the customer’s overall risk rating, will then determine the: 

  • subsequent KYC information you collect and/or verify (for initial CDD)
  • monitoring process (for ongoing CDD).

Step 2: Identify customer risk for initial CDD

This section refers to the Act section 28.

During initial CDD, your risk rating for the customer will only be based on KYC information that’s reasonably available before you start to provide a designated service to them.

One way you can assign a customer risk rating during initial CDD is to follow a process similar to the one outlined below.

  1. Determine what information is usually reasonably available before you start to provide a designated service that you could collect and verify to do all of the following:
    • satisfy the required matters for initial CDD on reasonable grounds
    • initially identify your customer’s ML/TF risk, and
    • determine if enhanced CDD applies.
  2. Collect this information from the customer or their representative through an onboarding process, along with any independent and reliable documents needed to verify this information.
  3. Conduct your initial identification of the customer’s ML/TF risk using the method you have developed.
  4. Determine any additional KYC information you need to collect and verify based on your initial identification of the customer’s ML/TF risk.
  5. Collect and verify sufficient information to establish each of the required matters for initial CDD on reasonable grounds.

We expect you to have AML/CTF policies to identify your customer’s ML/TF risk and whether enhanced CDD applies before you start to provide them with a designated service.

We also expect these policies to determine what additional KYC information you need to collect and verify as is reasonably appropriate to the ML/TF risk of the customer.

Learn more about initial CDD and the baseline information you could collect and verify for each customer type

Step 3: Identify and assess customer risk for ongoing CDD

This section refers to the Act sections 30(1) and (2).

Throughout your business relationship with the customer, you must continue to monitor them for anything that might trigger a change to your identification and assessment of their ML/TF risk. This is in order to make sure you’re appropriately managing and mitigating their risk over time.

You can do this by using the customer risk rating method above, which will be supplemented by information you gather through the business relationship.

You must monitor your customers for unusual transactions and behaviours.

Examples of transactions and behaviours that may be unusual include:

  • unexplained transactions with new third parties with no apparent lawful or economic purpose
  • high-value transactions that don’t align with what you know about their source of funds or wealth
  • transactions which appear to be structured below the $10,000 reporting threshold
  • refusing to provide information or documents to you when you ask them for ongoing CDD
  • avoiding answering questions about their transactional activity or behaviour.

Learn more about ongoing CDD

Document and keep records

You must make and keep records of CDD, including:

  • what customer information you collected and steps to verify that information
  • customer risk identification and assessment, decisions and rationale
  • any outcomes from regular reviews and monitoring activities.

Your business could establish an electronic model to document these records. This may help you to:

  • store the CDD information
  • establish standardised naming conventions
  • help you to easily locate customer files.

Learn more about record keeping.

Example of a conveyancer’s risk assessment

A conveyancer’s ML/TF risk assessment determines that large cash transactions have a low likelihood of occurring but have a high ML/TF impact if they do occur. This is because we’ve identified cash and real estate as a very high ML/TF risk and it’s highly unusual to use cash transactions to purchase real estate.

The conveyancer draws on the impact ratings in the risk assessment to build a customer risk rating system based on the following risk factors (among others):

  • purchase or sale of real property using a physical currency (cash) transaction (high risk)
  • purchase or sale of real property using a bank-approved loan (low risk)
  • client is a domestic PEP (medium risk)
  • client is an individual with no medium- to high-risk factors, or triggers for enhanced CDD (low risk)
  • client is an Australian resident (low risk).

The conveyancer develops a method for assigning a customer risk rating which states that the presence of any high-risk factors will lead to a high customer risk rating.
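The following is an added illustration, not AUSTRAC’s guidance text or any conveyancer’s own system: it encodes the conveyancer’s factor catalogue and its ‘any high-risk factor leads to a high rating’ rule for initial CDD, and then re-rates the customer during ongoing CDD when the structuring indicator from Step 3 (cash transactions just below the $10,000 reporting threshold) appears. The factor names and ratings come from the page; the onboarding fields, the sanctions handling and the structuring band and window are assumptions, and the customer and transactions are constructed sample data.

```python
from datetime import date, timedelta

LOW, MEDIUM, HIGH = "low", "medium", "high"
ORDER = {LOW: 0, MEDIUM: 1, HIGH: 2}

# Risk factors and impact ratings taken from the conveyancer example above.
# Each entry maps a factor to (rating, predicate over the onboarding answers).
FACTORS = {
    "cash purchase of real property": (HIGH, lambda c: c["funding"] == "cash"),
    "bank-approved loan": (LOW, lambda c: c["funding"] == "loan"),
    "domestic PEP": (MEDIUM, lambda c: c["pep"] == "domestic"),
    "foreign PEP": (HIGH, lambda c: c["pep"] == "foreign"),
    "Australian resident": (LOW, lambda c: c["resident"]),
}

def present_factors(customer):
    """Check which catalogued factors are present for this customer."""
    return {n: r for n, (r, test) in FACTORS.items() if test(customer)}

def rate_customer(customer):
    """Initial CDD rating: the highest-impact factor present decides, so any
    high-risk factor gives a high rating; a sanctions match is treated the same."""
    if customer.get("sanctioned"):
        return HIGH
    return max(present_factors(customer).values(), key=ORDER.get, default=LOW)

def structuring_alerts(transactions, threshold=10_000, band=1_000, window_days=7):
    """Ongoing CDD indicator: cash transactions just under the reporting
    threshold within a short window. The band and window sizes are assumed."""
    near = sorted(t["date"] for t in transactions
                  if t["cash"] and threshold - band <= t["amount"] < threshold)
    return [(near[i], near[i + 1]) for i in range(len(near) - 1)
            if near[i + 1] - near[i] <= timedelta(days=window_days)]

def review_rating(customer, transactions):
    """Ongoing CDD: re-rate from onboarding factors plus monitoring findings.
    Returns (rating, reasons); possible structuring escalates the rating to high."""
    rating, reasons = rate_customer(customer), list(present_factors(customer))
    if structuring_alerts(transactions):
        rating, reasons = HIGH, reasons + ["possible structuring below $10,000"]
    return rating, reasons

# Constructed sample: a low-risk buyer at onboarding who later pays in cash chunks.
BUYER = {"funding": "loan", "pep": "none", "resident": True, "sanctioned": False}
TXNS = [
    {"date": date(2025, 3, 1), "amount": 9_800, "cash": True},
    {"date": date(2025, 3, 3), "amount": 9_500, "cash": True},
    {"date": date(2025, 3, 20), "amount": 25_000, "cash": False},
]
```

The reasons list is what you would record alongside the rating decision and its rationale (see the record-keeping section).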

The conveyancer collects customer information through its onboarding form on:

  • the kind of customer they are. For example, a person, trust, incorporated association or private company
  • the kind of service they want. For example, whether they’re seeking to purchase property using a high-value physical currency transaction, bank-approved loan or unfinanced transaction
  • personal information. For example, their name, date of birth, address and occupation
  • business information. For example, their registered address, business name and beneficial ownership information (if applicable)
  • whether the customer is acting for anyone. For example, as an agent or under a power of attorney
  • the countries the customer will be engaging with when using their designated services and whether the customer is a resident of a foreign country
  • the purpose and intended nature of the business relationship. For example, why they want to use the conveyancer’s services
  • whether the customer is a PEP, sanctioned individual, or a relative or close associate of a PEP or sanctioned individual.

The conveyancer’s AML/CTF policies for initial CDD then determine how they sort each customer into a typical customer risk category. This includes corresponding KYC information collection and verification requirements.

Low-risk customer

Through their onboarding form, the conveyancer identifies that a potential buyer is an individual and Australian resident who wants to purchase a property using a bank-approved loan without using any representative. There are no medium- to high-risk factors or enhanced CDD triggers.

Under the conveyancer’s risk rating system, they identify the customer as low risk.

The conveyancer’s AML/CTF policies outline that the following simplified initial CDD checks can be used for this customer.

  1. Verify the full name of the customer and their date of birth, and that the customer is who they claim to be, by:
    • obtaining one original primary document or a copy of it
    • comparing details on the document with information the customer provided on onboarding
    • comparing the photograph on the identity document (if any) with the individual’s appearance either in person or by video link.
  2. Verify the PEP status of the customer by checking their details through an internet search and their sanctions status by checking them against the DFAT consolidated list.
  3. Assuming the PEP and sanctions checks come back negative, for ongoing CDD, the conveyancer monitors the customer against:

Where new risk factors and indicators arise, the conveyancer’s AML/CTF policies outline steps to review and, if necessary, update the customer’s risk rating.

High-risk customer

Through their onboarding form, the conveyancer identifies a potential buyer who wants to purchase high-value real estate with physical currency (cash) (high risk). They also identify the customer as a domestic PEP (medium risk).

Under the conveyancer’s risk rating system, they identify the customer as high risk.

In addition to the initial CDD steps above, they complete enhanced CDD measures under their AML/CTF policies:

  • a source of funds and source of wealth check – to determine the source of the cash and whether the buyer’s wealth came from a legitimate source
  • additional checks to verify the politically exposed status of the person – including proof of their current employment from their employer
  • additional reliable and independent data to verify the customer’s identity – including additional photographic identification such as the buyer’s passport and driver’s licence
  • ongoing monitoring for indications of corruption and bribery – with staff monitoring the customer against indicators specified in the business’s customer monitoring program.

Based on the results of these additional actions, the conveyancer also considers whether:

  • to request that the customer purchase the real estate via bank transfer
  • if the customer does not wish to do this, whether it is appropriate to keep providing designated services to the customer.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1315
