Not all high risk customers are created equal

While planning for a panel on Enhanced Due Diligence (EDD) for high risk clients, I was provided with pre-conference questions submitted by attendees.  One of them started with “All MSBs are high risk…”, and another with, “Since all non-profits are high risk…”.  My immediate reaction to both was to wince for a number of reasons, including that it is simply not true and can have the dramatic effect of preventing financial access to those entities and cause unnecessary economic harm.

As Anti-Money Laundering (AML) Professionals, we sometimes get complacent and fall back on conservative stances when it comes to high risk clients.  It is easier on some level to paint customer types with a wide brush and treat an entire group as high risk, rather than take the time to make more granular or tiered assessments of risk.  While it may take a bit more time up front, the benefits in future time saved can outweigh the investment.

The intent of the Bank Secrecy Act is for financial institutions (FIs) to assist law enforcement by detecting and reporting suspicious activity.  Law enforcement does not care what the FI's risk rating of the SAR'd customer is; they just want intelligence to assist with starting and furthering their investigations.  It feels like we have lost track of this on some level and become too wrapped up in identifying high risk clients for the sake of identifying high risk clients.  The broad swaths of client types identified in the FFIEC manual are being taken too literally, bogging FIs down with manual enhanced due diligence (EDD) reviews of clients in particular business types or with particular affiliations.

As an example, Senior Foreign Political Figures (SFPFs) are often considered high risk by financial institutions, while the controls applicable to the particular individual are discounted. It is no surprise that these SFPFs start with high inherent risk regardless of the mitigants and then retain a residual rating of high. SFPFs, like any other group of potentially high risk clients, should be considered on a case-by-case basis and be open to any risk level in the client risk rating hierarchy.

SFPFs come in many flavors and fall on a spectrum of risk. The riskiest would have at least 3 of the following factors:

  • holds a material position in a foreign government that has lax financial monitoring controls
  • holds a position in a foreign government that allows them access to public funds
  • holds a position that has little oversight and/or can act unilaterally
  • is associated with known bad actors
  • has been associated with corruption
  • has the intent to take or earmark public funds for personal gain.

Some of these factors, such as intent, are normally unknowable, but the others should be reasonably easy to identify. Without a significant combination of the above factors, an SFPF may be completely benign and would not warrant the time and effort of a high risk designation.
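The factor-counting rule above, as an added illustration that is not part of the original post: the six factors are counted only when due diligence has established them, an unknowable factor (intent) is recorded as unknown rather than assumed present, and the rating is written down with its rationale. The factor key names, the moderate tier for one or two factors, and the one-tier reduction for documented mitigants are my assumptions, not the article's.

```python
from dataclasses import dataclass, field

# The six SFPF risk factors listed in the article, under short names of my choosing.
FACTORS = (
    "lax_monitoring_jurisdiction",
    "access_to_public_funds",
    "little_oversight_or_unilateral",
    "associated_with_bad_actors",
    "associated_with_corruption",
    "intent_to_divert_funds",
)
TIERS = ("low", "moderate", "high")


@dataclass
class SfpfProfile:
    # Each factor is True/False when established by due diligence, or None (or
    # absent) when it is unknowable, as the article says intent usually is.
    # Unknown is never counted as present, so it cannot by itself force "high".
    factors: dict
    # Documented mitigants, e.g. "sole source of funds is a government pension".
    mitigants: list = field(default_factory=list)


def inherent_tier(profile):
    """Article's rule: 3 or more factors present is the riskiest band.
    Assumed split below that: 1-2 factors -> moderate, none -> low."""
    present = [f for f in FACTORS if profile.factors.get(f) is True]
    if len(present) >= 3:
        return "high", present
    return ("moderate" if present else "low"), present


def assess(profile):
    """Return (residual_tier, rationale lines). Assumed rule: documented
    mitigants lower the rating by one tier unless 3+ factors are present,
    and every decision is recorded so a reviewer can follow the reasoning."""
    tier, present = inherent_tier(profile)
    unknown = [f for f in FACTORS if profile.factors.get(f) is None]
    rationale = [f"inherent={tier}; present={present}; unknown={unknown}"]
    if profile.mitigants and tier != "low" and len(present) < 3:
        tier = TIERS[TIERS.index(tier) - 1]
        rationale.append(f"lowered one tier for mitigants={profile.mitigants}")
    return tier, rationale
```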

A robust framework containing onboarding guidelines for prohibited customer types, restricted customer types and potentially high risk customer types, coupled with a weighted customer scoring tree, should identify the lion's share of potentially high risk customers at or before account opening.  Potentially high risk customers that slip through the net are likely misrepresenting themselves, or at least withholding information that would affect their risk profile.

A well-tuned, risk-based Anti-Money Laundering monitoring system should be able to identify potentially high risk customers that bypass the onboarding net based on volume, velocity, historical behavior variance, or significant divergence from peers.

Regardless of how they are identified, SFPFs should be investigated and, based on the outcome, risk assessed at an appropriate level. Base this determination on all factors and mitigants present, rather than checking a particular box and letting that indicate risk.

A future state enhancement should include an application of machine learning to more accurately identify customers with a likelihood of a Suspicious Activity Report (SAR) filing.  Rather than focusing on static attributes and activity thresholds to identify high risk clients, we should start with clients on whom we have filed a SAR and reverse engineer a set of factors and parameters that would lead us to other clients that have similar attributes collected at account onboarding, or during the life of the account.  Some of this is already being done to tune scenarios in Transaction Monitoring (TM) systems but it should also be done for the high risk client space.

Moving the dial from a 98% to a 97% false positive rate in the TM system via machine learning can seem huge, but the impact on staffing and risk can be minimal.  Reducing the number of high risk clients while also better identifying clients with an actual propensity for SAR filing could benefit both staffing and the risk rating of an FI's customer base in a meaningful way.


Chuck Taylor

Mr. Taylor serves as Executive VP, Head of Financial Crimes Advisory at AML RightSource. He has over 20 years of regulatory compliance experience with multiple financial institutions. Mr. Taylor is an expert in Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) and Sanctions compliance. He regularly speaks at local and national conferences, is a founding member and former Co-Chair of the ACAMS SoCal Chapter, and serves as Board Chair of the West Coast Anti-Money Laundering Forum. Mr. Taylor obtained his bachelor's degree in communication from University of California, Santa Barbara, earned his juris doctorate at Santa Barbara College of Law and attended Pacific Coast Banking School. Mr. Taylor is a Certified Anti-Money Laundering Specialist (CAMS) and a Certified AML and Fraud Professional (CAFP). In 2014 Mr. Taylor was recognized as the ACAMS AML Professional of the Year.


  1. Vikash Shrestha on July 11, 2019 at 3:51 pm

    Very rightly said. The risk rating should be based on subjective factors and not on predefined objective logics.

  2. Scott Williams on July 12, 2019 at 2:53 pm

    While I agree with the general premise that “not all things are equally risky”, I think what needs to be remembered is that large organizations that rely on a myriad of people to surface higher risk customer types don’t always have the acumen or the ability to understand nuance. That is why in my experience a financial institution in an AML/CTF policy or standard will effectively say “all MSBs are high risk”. This way, they can be identified and then escalated to the AML function for further review and action which would include risk determination and mitigation. The other issue at play here is regulator expectations. Again, in my experience, regulators are looking for consistency. (Or at least the perception of the F.I. is that the regulator craves consistency.) Outliers or non-standard treatment is therefore unlikely. Again, totally understand and agree with your point. I am just saying that “one size fits all” is not a surprising approach based on operational realities.

    • Chuck Taylor on July 16, 2019 at 4:17 pm

      Scott, thanks for your comments and I don’t disagree. My caveat would be that the policy should add potentially – “all MSBs are potentially high risk”. If you lock them in as high risk with a black and white policy there is no leeway to rate them at a lower level during your “risk determination and mitigation” by the folks who do have that acumen. Regarding regulators, it’s been my experience that if you have a robust and consistent customer risk rating program with well-reasoned customer risk determination documentation they won’t be concerned about a potentially high risk customer being classified as moderate etc. I’m not talking about crazy outliers that none of us would be willing to defend as non-high-risk, but a medium level PEP from a low risk jurisdiction whose only source of funds is a government pension and annuities should not be high risk. After a thorough vetting you could call them moderate risk and let your AML system identify any high risk activity. It would be a waste of valuable analyst time to do a manual high risk client EDD review on a periodic basis. All of that being said, it’s up to each financial institution to come up with their own risk appetite and feel for their particular regulators’ expectations. By all means don’t take my advice if it would get you in regulatory hot water. One size does definitely not fit all, but we need to be flexible and creative in the way we use our time and assets.

  3. Carolyn Nelson on July 24, 2019 at 5:13 pm

    Hi Chuck,
    Great, great discussion yesterday (7/23) on Hot Topics! I don’t see anything posted or any recordings mentioned. Will the session be available?

    • AML RightSource on September 5, 2019 at 2:14 pm

      Hi Carolyn,

      We just wanted to follow up to make sure you received access to our Hot Topics recap page. You can find it here as well.
