Risk classification

Customer due diligence measures shall be adapted based on an assessment of the extent of the risk of being used for money laundering and terrorist financing.

The assessment of being used for money laundering and terrorist financing shall be performed based on the firm's general risk assessment and its knowledge of the customer. Due consideration shall also be given to the descriptions set out in law of circumstances that could indicate low or high risk. The European supervisory authorities for the financial market have also published Risk Factor Guidelines that further exemplify various risks.

Risk in the firm's operations

A firm shall perform a general risk assessment of its operations, i.e. it shall risk-classify

  • its products and services
  • the geographic area in which it is located and operates
  • the type of customers the firm has
  • the transactions and distribution channels used by customers

An example of an area where a higher risk classification might be needed is products and services with a complex structure. Another example is if a firm approaches an international market.

Risks associated with the individual customer

Besides the firm's general risk assessment, the firm shall also assess the risk associated with the individual customer and business relationship. Depending on the risk associated with the customer, different customer due diligence measures shall be taken. If the risk in a business relationship is considered low, the firm may take simplified due diligence measures. If the risk is considered high, enhanced due diligence measures shall be taken.


Last reviewed: 2022-03-07