Customer Risk Assessment – Key Steps

Published on: 14-10-2025

Introduction

The Risk-Based Approach (RBA) is the foundation of the UAE’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework. Rather than applying the same level of scrutiny to every customer or transaction, the RBA enables businesses to allocate their AML resources proportionately to the level of risk they face.

In essence, the UAE’s AML regime, under Federal Decree-Law No. (20) of 2018 and Cabinet Decision No. (10) of 2019, requires all Designated Non-Financial Businesses and Professions (DNFBPs) and financial institutions to identify, assess, and mitigate ML/TF risks through a structured, documented, and dynamic risk-based approach.

________________________________________

1. Understanding the Risk-Based Approach (RBA)

The Risk-Based Approach means recognizing that not all clients, transactions, or activities carry the same risk of money laundering or terrorism financing.

For example:

• A domestic client purchasing a small quantity of gold may pose a low risk.

• A foreign politically exposed person (PEP) purchasing large quantities of gold with cash may represent a high risk.

Therefore, the RBA requires DNFBPs to identify high-risk scenarios and apply enhanced due diligence (EDD) while allowing simpler due diligence for lower-risk relationships.

The Financial Action Task Force (FATF) also emphasizes the RBA as a core principle of effective AML/CFT compliance, ensuring resources are used efficiently and effectively.

________________________________________

2. Legal Foundation of RBA in UAE AML Law

The UAE regulatory framework embeds the RBA in multiple provisions, notably:

• Federal Decree-Law No. 20 of 2018, Article (6)

Mandates entities to assess the risks of money laundering and terrorist financing and apply appropriate measures.

• Cabinet Decision No. 10 of 2019, Articles (7)–(10)

Requires DNFBPs to identify, evaluate, and document ML/TF risks and apply enhanced or simplified measures accordingly.

• Ministry of Economy AML Guidelines for DNFBPs

Provides detailed guidance on how entities should adopt RBA, risk score customers, and maintain ongoing monitoring.

• Cabinet Decision No. 109 of 2023

Strengthens the focus on RBA-based internal controls and MLRO oversight responsibilities.

________________________________________

3. Core Principles of the Risk-Based Approach

a. Risk Identification

Identify risks related to:

• Customers – e.g., PEPs, non-residents, complex ownership structures

• Products & Services – e.g., high-value goods, offshore structures, or nominee arrangements

• Geographic Exposure – e.g., clients from FATF grey-listed countries

• Delivery Channels – e.g., non-face-to-face onboarding or intermediaries

b. Risk Assessment

After identification, determine the likelihood and impact of each risk through a structured risk assessment framework, often rated as Low, Medium, or High.

For example, risk matrices and scoring systems help quantify exposure.

c. Risk Mitigation

Develop policies, controls, and procedures to reduce identified risks to acceptable levels.

These include:

• Enhanced due diligence (EDD) for high-risk customers

• Ongoing transaction monitoring

• Periodic review of client risk profiles

• Restricting or refusing high-risk transactions when necessary

d. Risk Monitoring and Review

Monitor customer activity and update risk assessments regularly.

AML risk is dynamic — as clients’ activities or regulations evolve, the risk rating and controls must also evolve.

________________________________________

4. Implementing the RBA in Practice

Step 1 – Conduct an AML Risk Assessment

Every DNFBP must perform an entity-wide risk assessment that evaluates risks across business lines, customers, geography, and services.

This assessment forms the foundation for applying the RBA effectively.

Step 2 – Apply Risk-Based Customer Due Diligence (CDD)

• Simplified Due Diligence (SDD): For low-risk clients such as small local customers with verified identities.

• Standard CDD: For normal-risk customers with standard business profiles.

• Enhanced Due Diligence (EDD): For high-risk cases like PEPs, cross-border clients, or large cash transactions.

Step 3 – Continuous Monitoring

Monitor transactions and customer behavior on an ongoing basis.

Automated tools can flag unusual transactions, triggering further review or Suspicious Transaction Report (STR) filings through the goAML portal.

Step 4 – Documentation and Audit Trail

All risk assessments, CDD decisions, and monitoring actions must be documented and auditable.

During inspections, regulators expect to see documented rationale behind each risk-based decision.

________________________________________

5. Benefits of a Risk-Based Approach

Implementing a strong RBA offers multiple benefits:

• Regulatory Compliance: Aligns with UAE AML laws and FATF recommendations.

• Operational Efficiency: Focuses resources where risks are highest.

• Early Risk Detection: Helps prevent exposure to financial crime.

• Reputation Protection: Demonstrates proactive compliance and integrity.

• Enhanced Inspection Readiness: Provides clear documentation for Ministry of Economy or Free Zone AML reviews.

________________________________________

6. Common Challenges in Applying the RBA

Despite its benefits, many DNFBPs face challenges such as:

• Lack of awareness or training on RBA methodology.

• Difficulty quantifying ML/TF risks.

• Over-reliance on manual CDD processes.

• Inconsistent customer risk scoring systems.

• Limited integration between AML software and accounting systems.

These challenges can be addressed by leveraging automated AML solutions, staff training, and outsourced compliance support from licensed AML professionals.

________________________________________

7. Technology and RBA in the UAE

The UAE encourages the use of digital compliance tools for effective RBA implementation.

Platforms like MyAML.io and Finabooks.com help automate:

• Customer risk scoring

• Screening against sanctions and PEP lists

• Real-time transaction monitoring

• Risk dashboards and documentation storage

This ensures consistency, reduces human error, and enhances regulatory confidence during AML inspections.

________________________________________

8. The Role of Senior Management and the MLRO

The Money Laundering Reporting Officer (MLRO) and senior management play a critical role in ensuring the RBA is applied effectively. They must:

• Approve risk assessment methodologies

• Review high-risk client approvals

• Ensure AML systems are adequate and up to date

• Oversee training and internal audits

A risk-based approach without leadership commitment is ineffective — tone from the top defines the compliance culture.

________________________________________

Conclusion

The Risk-Based Approach is not just a compliance requirement — it is the strategic heart of the UAE’s AML framework.

By adopting RBA principles, DNFBPs can protect their operations from financial crime, improve resource efficiency, and demonstrate full compliance with UAE law and FATF expectations.

Building a strong, technology-enabled RBA framework is a long-term investment — one that strengthens both compliance integrity and business reputation.

________________________________________

Sheikh Anwar Accounting & Auditing LLC

Licensed Auditor – Ministry of Economy (Entry No. 5817)
