How to Perform AML-Compliant Risk Assessments and Risk Classifications of Your Customers

Carl-Fredrik Hedengren
Written by Carl-Fredrik Hedengren,
Advisor and CEO
AML Audit & Advisory AB
Carl-Fredrik Hedengren is a highly experienced AML advisor and CEO of AML Audit & Advisory AB, specializing in providing comprehensive solutions for businesses affected by AML regulations. With over a decade of expertise, Hedengren has served as a trusted advisor in AML and other regulatory matters, bringing extensive experience in FinTech and asset management. His deep knowledge and dedication to regulatory compliance make him a go-to expert for businesses navigating AML complexities.

 

Swedish supervisory authorities often expose shortcomings in companies’ risk classifications of customer relationships, and the documentation of them.

Many companies struggle to understand how the risk classification of individual customer relationships should be carried out in practice. The uncertainty concerns both the general methodology and the risk factors that should be taken into account.

In this article, we navigate the rules set out by the Swedish AML Act to give you practical insights on how to classify your customers’ risk levels.

 

The easy situations: factors to look out for to determine the risk level right away

In some situations, classifying the customer’s risk is objectively easier.

That happens, for example, in the case of customers that are PEP or established in a high-risk third country. In such cases, the customer should be classified as a high-risk customer without needing further assessments unless the Swedish AML Act or equivalent legislation establishes otherwise.

 

Risk classification methods

In situations other than those mentioned above, all relevant risk factors need to be weighed together to classify the customer’s risk. However, legislation and regulations do not clarify how to do it; they merely state that the risk must be assessed.

Therefore, it can be assumed that risk factors may be assigned different weight classes and calculated mathematically or may be assessed more arbitrarily — which is also acceptable if the reasoning behind the assessment is sound and documented.

Companies with a very large number of customers often choose to determine the risk classification using algorithms — a system that automatically assigns a risk class to each customer based on different weightings of certain elements of which they became aware during the KYC process. In such situations, the Swedish Money Laundering Act’s rules on model risk management need to be applied.

More commonly, companies perform a manual (non-mathematical) assessment of each new customer that is onboarded.

 

Which factors should be taken into account when performing the risk assessment?

To assess the risk presented by customers, companies should start by taking into account their own internal general risk assessment, as well as the experience gained from transaction monitoring. This means that certain situations and transactions may require a high-risk classification of a customer relationship without the customer itself necessarily being associated with specific high-risk factors.

The legislation (specifically, Chapter 2, Sections 4-5 of the Swedish Money Laundering Act) merely provides some examples of the circumstances that may indicate a low or high risk of money laundering and terrorism financing, which may not be sufficient to assess the risk presented by each specific customer.

Furthermore, some of the circumstances listed may even be misleading — for example, the Swedish AML Act’s assumption of low-risk level for companies established in the EEA, as some EEA countries are associated with a very high risk instead.

Additional risk factors can be inferred from other official sources, such as the European Banking Authority’s guidelines, the EU’s fourth Anti-Money Laundering Directive, the recommendations from the Coordination Function (samordningsfunktionen), the FATF, as well as decisions from the Swedish Financial Supervisory Authority and the county administrative boards.

Based on these supplementary sources, below is a (non-exhaustive) list of questions you should consider when assessing a customer’s risk level:

  1. Is the customer a Politically Exposed Person (PEP)?
  2. Does the customer have a complex ownership or control structure?
  3. Is the customer a Reputationally Exposed Person (REP) — i.e., an individual or entity that may pose a reputation risk due to their association with high-risk activities, such as money laundering, terrorist financing, or other financial crimes?
  4. Does the customer operate in a high-risk industry?
  5. Does the service provided to the customer present a high-risk situation (e.g., a complex real estate transaction)?
  6. Are the customer’s beneficial owners established in a high-risk country?
  7. Do the channels through which initial and ongoing contacts with the customer take place seem suspicious?

 

To ensure compliance with KYC requirements, CDD and risk assessment must go hand in hand

Many companies fail to comply with the KYC requirements as they don’t take into account all the relevant risk factors.

For example, they may obtain information on the company’s beneficial owners but not on its ownership and control structure, which can involve a high-risk situation.

Another example occurs when companies obtain information from company registers and population registers, but they fail to collect information about the customers’ citizenships and transactions — which is relevant for assessing geographical risk.

To avoid these situations, customer due diligence measures and risk assessment inquiries must be closely linked.

Moreover, the risk classifications of each individual customer relationship shall be kept up to date, and this update can be made in connection with the periodic update of KYC information – or when specific events trigger the need to perform a new risk assessment and classification.

 

The way forward

You are likely already performing the risk assessment and classification based on a list of factors to take into account and their description.

To achieve full AML compliance, we encourage you to ensure that your current risk assessment process includes risk factors related to your own internal risk assessment, as well as the other factors listed above.

Should you have any doubts or concerns, please do not hesitate to reach out.

 

Meeting Swedish AML requirements with Penneo KYC

I collaborated with Penneo to develop the legal framework for their KYC software, adapted to the requirements of the Swedish AML laws.

Penneo KYC is now available in Sweden. Book a personalized session with our KYC experts.

Disclaimer: Disclaimer: This article applies to the AML updates in Sweden. Be aware that country-specific differences exist, if you are dealing with AML compliance in a country different from Sweden.

If you're looking to learn more, we have a few suggestions for you

EU unveils ambitious AML package

EU unveils ambitious AML package
AML and Industry Predictions for Auditors and Accountants in 2024

What to Expect From 2024: AML and Industry Predictions for Auditors and Accountants
AML violations found in Swedish accounting firms 2023

AML violations found by the County Administrative Boards and the Swedish Inspectorate of Auditors when inspecting accounting firms’ compliance in 2023