
Comsure view - Customer Risk Assessments (CRAs) as articulated by the Wolfsberg Group and FATF

29/01/2026

This briefing focuses on (i) conceptual expectations, (ii) methodological guidance, and (iii) how customer risk assessment fits within the wider risk-based approach (RBA) used by financial institutions.

1. Context: Customer Risk Assessment within the Risk-Based Approach

Both FATF and the Wolfsberg Group position customer risk assessment as a core operational component of the risk-based approach, rather than a standalone compliance exercise. It is designed to:

  • Inform the depth of customer due diligence (CDD) and enhanced due diligence (EDD)
  • Drive the intensity of ongoing monitoring
  • Support resource prioritisation
  • Prevent blanket de-risking

This integration is explicit in FATF Recommendations 1 (risk assessment and RBA) and 10 (CDD), and is reinforced in Wolfsberg’s RBA guidance and statements on effectiveness.

2. FATF Guidance on Customer Risk Assessment

2.1 FATF’s Conceptual Model

FATF does not mandate a single customer risk scoring model. Instead, it requires institutions to identify, assess, and understand money laundering/terrorist financing (ML/TF) risks at the customer relationship level, incorporating risk factors and professional judgment.

Customer risk is evaluated using a combination of:

  • Customer risk factors (e.g., type, occupation, reputation)
  • Product/service risk factors (e.g., complexity, anonymity)
  • Geographic risk factors (e.g., high-risk jurisdictions)
  • Delivery channel risk factors (e.g., non-face-to-face onboarding)

These factors are outlined in FATF’s Risk-Based Approach Guidance for the Banking Sector and related interpretive notes.

2.2 FATF Methodological Expectations for Customer Risk Assessment

FATF expects institutions to adopt a methodology that:

  1. Builds a customer risk profile
    • Based on the nature and purpose of the relationship
    • Updated through ongoing monitoring
    • Reflecting both inherent risk and the effectiveness of mitigating controls
  2. Differentiates risk
    • FATF emphasises that no "one size fits all" approach should be applied
    • No customer type is automatically high or low risk
    • Risk must be assessed on a case-by-case basis
  3. Allows proportionality
    • Simplified due diligence in lower-risk scenarios, or enhanced due diligence where risk is higher
    • Risk assessment serves as a decision engine, not merely a label
  4. Is dynamic
    • Customer risk is not static
    • Trigger events, behavioural changes, and shifts in circumstances must inform reassessments

FATF accepts both qualitative and quantitative methods, provided institutions can explain and evidence their reasoning to supervisors.

3. Wolfsberg Group Guidance on Customer Risk Assessment

3.1 Wolfsberg’s Position on Methodology

The Wolfsberg Group states that "there is no universally agreed methodology for risk-based customer assessment." Institutions should design reasonable, defensible, and risk-sensitive methodologies aligned with their business models. Wolfsberg’s guidance emphasises principles and practical considerations over prescriptive scoring models.

3.2 Core Wolfsberg Principles Relevant to Customer Risk Assessment

Across its RBA guidance, FAQs, and effectiveness statements, Wolfsberg emphasises that customer risk assessment should:

  • Be holistic, not driven by a single factor
  • Consider context and behaviour, not just static attributes
  • Be integrated across the customer lifecycle
  • Support effective outcomes, rather than excessive documentation

3.3 Wolfsberg Methodological Guidance (Practical Detail)

Wolfsberg materials (particularly the Risk Assessment FAQs and RBA Guidance) provide operational insights on common structures for customer risk assessments:

a) Risk Identification

Institutions typically identify customer risk drivers such as:

  • Customer type and ownership structure
  • Source of wealth and funds
  • Expected account activity
  • Geographic exposure
  • Delivery channel (including non-face-to-face)

b) Risk Analysis (Inherent vs. Residual Risk)

Wolfsberg distinguishes between:

  • Inherent risk (before controls)
  • Residual risk (after controls)

Controls must be relevant and effective, not merely present.

c) Use of Qualitative Judgment

Wolfsberg supports:

  • Expert judgment
  • Escalation mechanisms
  • Override capabilities

This is essential where risk cannot be meaningfully reduced to numeric scores alone.

d) Lifecycle Approach

Wolfsberg stresses dynamic, lifecycle-based assessment, where risk is refreshed based on:

  • Transaction behaviour
  • Trigger events
  • Changes in ownership, control, or geography

e) Key Differences Between FATF and Wolfsberg

This is why regulators often expect alignment with both: FATF for foundational compliance, Wolfsberg for practical credibility and effectiveness.

6) Supervisory Expectations (Combined Reading)

Taken together, FATF and Wolfsberg imply that a defensible customer risk assessment framework should:

  • Clearly explain the rationale for a customer’s risk rating
  • Demonstrate linkage between risk assessment and applied controls
  • Be adaptable to changes
  • Avoid purely mechanical, unchallengeable scoring
  • Support proportional CDD and monitoring decisions
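The methodology described in sections 2.2, 3.3 and 6 (factor-based inherent risk, residual risk after relevant and tested controls, a documented override with escalation, trigger-driven reassessment, and a proportionate CDD response) can be made concrete as a small risk-rating engine. The following is an added example written for this briefing; it is not Comsure, FATF or Wolfsberg code. All weights, bands, country codes, control names and the sample customer are constructed placeholders for illustration, not calibrated values.

```python
from dataclasses import dataclass, field, replace

# Constructed, illustrative weights and bands. They are NOT FATF or Wolfsberg
# figures; an institution would calibrate these from its own risk assessment.
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder codes, not real designations
CUSTOMER_TYPE_SCORE = {"individual": 1, "private_company": 2, "trust": 3}
PRODUCT_SCORE = {"current_account": 1, "wire_transfers": 2, "private_banking": 3}
CHANNEL_SCORE = {"face_to_face": 0, "non_face_to_face": 2, "introduced_by_intermediary": 2}
BANDS = [(4, "LOW"), (8, "MEDIUM"), (float("inf"), "HIGH")]  # residual score <= bound
DUE_DILIGENCE = {"LOW": ("SDD", 36), "MEDIUM": ("CDD", 12), "HIGH": ("EDD", 3)}  # (tier, review months)


@dataclass(frozen=True)
class Customer:
    name: str
    customer_type: str
    products: tuple
    countries: frozenset
    channel: str
    pep: bool = False


@dataclass(frozen=True)
class Control:
    name: str
    category: str           # FATF factor category the control mitigates
    reduction: int          # points removed from that category when effective
    tested_effective: bool  # outcome of the last control-effectiveness test


@dataclass
class Assessment:
    inherent: int
    residual: int
    level: str
    rationale: list = field(default_factory=list)  # human-readable audit trail
    overrides: list = field(default_factory=list)


def score_factors(c):
    """Inherent score per FATF factor category, with the reason for each."""
    cat, why = {}, []
    cat["customer"] = CUSTOMER_TYPE_SCORE[c.customer_type] + (3 if c.pep else 0)
    why.append(f"customer: type={c.customer_type}, pep={c.pep} -> {cat['customer']}")
    cat["product"] = max(PRODUCT_SCORE[p] for p in c.products)
    why.append(f"product: riskiest product {max(c.products, key=PRODUCT_SCORE.get)} -> {cat['product']}")
    hits = sorted(c.countries & HIGH_RISK_COUNTRIES)
    cat["geography"] = 3 * len(hits)
    why.append(f"geography: high-risk exposure {hits} -> {cat['geography']}")
    cat["channel"] = CHANNEL_SCORE[c.channel]
    why.append(f"channel: {c.channel} -> {cat['channel']}")
    return cat, why


def to_level(score):
    return next(level for bound, level in BANDS if score <= bound)


def assess(customer, controls):
    """Inherent risk from the factors; residual risk after relevant, effective controls."""
    cat, why = score_factors(customer)
    inherent = sum(cat.values())
    remaining = dict(cat)
    for ctl in controls:
        # A control counts only if it is relevant to a scored category AND tested effective.
        if ctl.category in remaining and ctl.tested_effective:
            applied = min(ctl.reduction, remaining[ctl.category])
            remaining[ctl.category] -= applied
            why.append(f"control '{ctl.name}': effective, -{applied} on {ctl.category}")
        else:
            why.append(f"control '{ctl.name}': disregarded (not relevant or not tested effective)")
    residual = sum(remaining.values())
    a = Assessment(inherent, residual, to_level(residual), why)
    a.rationale.append(f"inherent={inherent}, residual={residual} -> {a.level}")
    return a


def override(assessment, new_level, justification, approver):
    """Analyst override of the model rating; requires a written reason and an approver."""
    if not justification.strip() or not approver.strip():
        raise ValueError("override needs a justification and an approver")
    assessment.overrides.append((assessment.level, new_level, justification, approver))
    assessment.level = new_level
    assessment.rationale.append(f"override to {new_level} by {approver}: {justification}")
    return assessment


def reassess(customer, controls, trigger, changes):
    """Re-run the assessment after a trigger event, on the updated customer facts."""
    a = assess(replace(customer, **changes), controls)
    a.rationale.insert(0, f"reassessed on trigger '{trigger}', changed: {sorted(changes)}")
    return a


def due_diligence(level):
    """Proportionate response: (due diligence tier, review interval in months)."""
    return DUE_DILIGENCE[level]


# Constructed sample customer and controls (hypothetical, for illustration only).
def sample_customer():
    return Customer("Example Trading Ltd", "private_company",
                    ("current_account", "wire_transfers"), frozenset({"GB"}), "non_face_to_face")


def sample_controls():
    return [Control("transaction monitoring rules", "product", 1, True),
            Control("video identity verification", "channel", 2, True),
            Control("annual KYC refresh", "customer", 1, False)]  # present, but failed its test


if __name__ == "__main__":
    first = assess(sample_customer(), sample_controls())
    later = reassess(sample_customer(), sample_controls(), "beneficial owner change",
                     {"countries": frozenset({"GB", "XX"})})
    later = override(later, "HIGH", "adverse media on new beneficial owner", "MLRO")
    for a in (first, later):
        print("\n".join(a.rationale), "->", due_diligence(a.level), "\n")
```

Three design points map to the guidance above: a control that is merely present (the failed KYC refresh) does not reduce the score, so inherent and residual risk stay distinct; every score change is written into the rationale list so the rating can be explained to a supervisor; and an override is impossible without a justification and an approver, which keeps the scoring challengeable rather than mechanical.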

7) Key Source Documents and Links

Wolfsberg Group

Financial Action Task Force (FATF)

Source

https://www.comsuregroup.com/media/ab3k3hxb/17-wolfsberg-risk-assessment-faqs-2015.pdf
