Jennifer Edidiong

Marketing


Customer Risk Assessment in AML: How Financial Institutions Classify High-Risk


Not every customer carries the same risk. A salaried employee making regular domestic transfers sits in a very different risk category from a politically exposed person moving funds across multiple jurisdictions. Customer risk assessment in AML is how a financial institution identifies that difference, documents it, and decides what controls apply to each customer because of it.

Getting it wrong could mean you are either over-monitoring low-risk customers or under-monitoring the ones that actually matter. This article covers what AML customer risk assessment entails, how to classify customers into tiers, and who qualifies as high-risk by regulatory definition.

What Customer Risk Assessment Actually Is


Customer risk assessment is the process of evaluating how likely a customer is to be involved in money laundering or financial crime based on specific factors. It is a scored process that determines what level of due diligence applies to each customer and how closely their activity is monitored going forward.

Every other AML control flows from it. Transaction monitoring thresholds, due diligence requirements, review frequency, and suspicious transaction report (STR) filing decisions are all set against the customer's risk rating. A programme with weak risk classification ends up applying the wrong controls to the wrong customers.

The CBN's AML/CFT/CPF Regulations 2022 and FATF's risk-based approach both require financial institutions to demonstrate a consistent customer risk classification process, not just a KYC process.

Related: Learn all about the updated CBN AML standards for fintechs in 2026

Risk Factors, Tiers, and What Each Tier Requires


Customer risk classification starts with identifying the factors that drive risk, scoring them, and assigning the customer to a tier that determines what due diligence and monitoring applies.

Risk factors:

  • Identity type: Individual customers, corporate entities, PEPs, and beneficial owners each carry different baseline risk levels. A corporate customer with a complex ownership structure carries more inherent risk than a salaried individual with a straightforward income source.
  • Transaction behaviour: Expected transaction volumes, frequencies, and counterparties relative to the customer's stated purpose of account. Mismatches between stated and actual behaviour are a primary risk signal.
  • Geography: Where the customer is based, where their funds originate, and where their counterparties are located. Customers in or transacting with FATF grey-listed jurisdictions score higher on geographic risk.
  • Product usage: Which products the customer uses and how exploitable they are for financial crime. High-value instant transfers, crypto products, and third-party wallet funding carry higher product risk than low-limit savings accounts.
  • Source of funds: Whether the customer's income source is verifiable and consistent with their transaction activity. Undocumented or inconsistent sources of funds increase customer risk regardless of other factors.

Risk tiers:

  • Low risk. Profile: verified identity, stable income, domestic transactions, low-risk products. Due diligence required: standard KYC at onboarding. Monitoring level: periodic review at standard thresholds.
  • Medium risk. Profile: some risk factors present but none dominant. Due diligence required: standard KYC plus additional documentation where needed. Monitoring level: more frequent review, tighter thresholds.
  • High risk. Profile: PEP, high-risk jurisdiction, complex ownership, or unusual transaction patterns. Due diligence required: enhanced due diligence with senior management approval. Monitoring level: continuous, low thresholds, priority alert triage.

What moves a customer from one tier to the next is the combination of risk factors present, not any single factor in isolation. The CBN's AML/CFT framework sets out the risk-based due diligence requirements that apply at each tier.
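To make the scoring mechanics concrete, here is an added example (not Dojah's product code and not any regulator's model) of a factor-based scorer that applies the regulatory overrides before the score is even consulted: a PEP or a listed jurisdiction lands in the high tier whatever the weighted total says, while everyone else is tiered on the combination of factors. The factor tables, weights, tier cut-offs, base alert threshold, tier controls and the three sample customers are all assumptions, and the list-membership sets use placeholder country codes rather than real FATF listings.

```python
from dataclasses import dataclass

# Assumed factor scores (0 = lowest, 3 = highest inherent risk). Illustrative
# values; an institution calibrates them against its own risk assessment.
IDENTITY_SCORES = {"individual": 0, "sole_trader": 1, "corporate": 1,
                   "complex_corporate": 3, "trust": 3}
PRODUCT_SCORES = {"savings": 0, "current": 1, "instant_transfer": 2,
                  "crypto": 3, "third_party_wallet_funding": 3}
SOURCE_OF_FUNDS_SCORES = {"verified": 0, "partially_verified": 2, "undocumented": 3}
WEIGHTS = {"identity": 1.0, "behaviour": 1.5, "geography": 1.5,
           "product": 1.0, "source_of_funds": 1.5}

# Constructed placeholder country codes. Production code loads the current
# FATF lists and sanctions programmes at screening time, never hard-codes them.
GREY_LIST = {"XX"}   # FATF "jurisdictions under increased monitoring"
BLACK_LIST = {"YY"}  # FATF "high-risk jurisdictions subject to a call for action"
SANCTIONED = {"ZZ"}  # Nigerian government or UN sanctions

# Controls that follow from the tier: review cadence, how far the standard
# alert threshold is lowered, and whether EDD plus senior approval applies.
TIER_CONTROLS = {
    "low":    {"review_months": 12, "threshold_factor": 1.0, "edd_required": False},
    "medium": {"review_months": 6,  "threshold_factor": 0.6, "edd_required": False},
    "high":   {"review_months": 3,  "threshold_factor": 0.3, "edd_required": True},
}
BASE_ALERT_THRESHOLD_NGN = 5_000_000  # assumed standard-tier alert threshold


@dataclass
class Customer:
    customer_id: str
    identity_type: str
    is_pep: bool
    country: str
    counterparty_countries: list
    products: list
    source_of_funds: str
    expected_monthly_volume: float  # stated purpose of account at onboarding
    observed_monthly_volume: float  # from actual transaction history
    non_resident: bool = False


def behaviour_score(c):
    """Gap between stated and observed activity is the primary risk signal."""
    if c.expected_monthly_volume <= 0:
        return 3  # no usable baseline: treat as high
    deviation = abs(c.observed_monthly_volume / c.expected_monthly_volume - 1)
    for score, limit in ((0, 0.25), (1, 0.5), (2, 1.0)):
        if deviation <= limit:
            return score
    return 3


def geography_score(c):
    countries = {c.country, *c.counterparty_countries}
    if countries & (BLACK_LIST | SANCTIONED):
        return 3
    if countries & GREY_LIST:
        return 2
    return 1 if c.non_resident else 0


def mandatory_high_risk_reasons(c):
    """Categories that are high-risk by regulatory definition, whatever the score."""
    reasons = ["PEP"] if c.is_pep else []
    listed = {c.country, *c.counterparty_countries} & (GREY_LIST | BLACK_LIST | SANCTIONED)
    if listed:
        reasons.append("listed jurisdiction: " + ", ".join(sorted(listed)))
    return reasons


def score_customer(c):
    factors = {
        "identity": IDENTITY_SCORES[c.identity_type],
        "behaviour": behaviour_score(c),
        "geography": geography_score(c),
        "product": max(PRODUCT_SCORES[p] for p in c.products),
        "source_of_funds": SOURCE_OF_FUNDS_SCORES[c.source_of_funds],
    }
    total = sum(factors[k] * WEIGHTS[k] for k in factors)  # 0.0 to 19.5
    overrides = mandatory_high_risk_reasons(c)
    if overrides or total >= 10:   # override first, then the combined score
        tier = "high"
    elif total >= 5:
        tier = "medium"
    else:
        tier = "low"
    controls = TIER_CONTROLS[tier]
    return {
        "customer_id": c.customer_id, "tier": tier, "score": total,
        "factors": factors, "overrides": overrides,
        "edd_required": controls["edd_required"],
        "review_months": controls["review_months"],
        "alert_threshold_ngn": round(BASE_ALERT_THRESHOLD_NGN * controls["threshold_factor"]),
    }


# Constructed sample customers: a salaried individual, a corporate whose
# several moderate factors add up to medium, and a low-scoring PEP.
SAMPLE_CUSTOMERS = [
    Customer("C-001", "individual", False, "NG", ["NG"], ["savings"], "verified", 500_000, 520_000),
    Customer("C-002", "corporate", False, "NG", ["NG"], ["instant_transfer"],
             "partially_verified", 2_000_000, 3_200_000),
    Customer("C-003", "individual", True, "NG", ["NG"], ["current"], "verified", 1_000_000, 1_050_000),
]

if __name__ == "__main__":
    for cust in SAMPLE_CUSTOMERS:
        r = score_customer(cust)
        print(f"{r['customer_id']} {r['tier']:6} score={r['score']:4.1f} "
              f"overrides={r['overrides']} threshold={r['alert_threshold_ngn']:,} NGN")
```

The returned record keeps the per-factor scores and the override reasons alongside the tier, which is the documented "why" an examiner asks for; the alert threshold and review cadence are derived from the tier rather than set by hand, so the rating and the monitoring controls cannot drift apart.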

Who Counts as a High-Risk Customer

High-risk classification is not discretionary. Certain customer types carry elevated risk by regulatory definition and must be treated accordingly regardless of individual circumstances.

1. Politically exposed persons (PEPs)

 Individuals who hold or have held prominent public functions, together with their immediate family members and close associates. PEP status does not mean the customer is involved in financial crime, but the risk of bribery, corruption, and misuse of public funds is higher. The CBN regulations require PEPs to be treated as high-risk by default; FATF Recommendation 12 does the same for foreign PEPs and leaves domestic PEPs to a risk-based assessment, so the Nigerian rule is the stricter of the two.

2. Customers from high-risk jurisdictions

 Customers based in or transacting with countries on the FATF grey list (jurisdictions under increased monitoring) or black list (high-risk jurisdictions subject to a call for action), or countries subject to Nigerian government or UN sanctions. Geographic risk elevates the overall customer risk rating regardless of the individual's profile. Both FATF lists change several times a year, so the screening data that feeds the rating has to be refreshed when they do.

3. Customers with unusual transaction patterns

 Customers whose actual transaction activity does not match their stated purpose of account, income level, or business type. This category is defined by behaviour rather than profile, which means it can only be identified through ongoing monitoring, not a one-time assessment at onboarding.

4. Non-resident customers and correspondent relationships

 Cross-border customers and correspondent banking relationships carry elevated risk because identity and source-of-funds verification is harder, and the transaction corridors involved may include high-risk jurisdictions.

This list is not exhaustive. Your institution's own risk assessment may identify additional high-risk categories based on your specific business model and customer base.

What Enhanced Due Diligence Looks Like for High-Risk Customers


When a customer is classified as high-risk, standard due diligence is not enough. The CBN's Customer Due Diligence Regulations 2023 sets out what enhanced due diligence requires for PEPs and high-risk jurisdictions, and it goes well beyond what happens at onboarding:

  • Additional identity verification: Beyond standard KYC, EDD requires verification of source of funds, source of wealth, and beneficial ownership for corporate customers. For PEPs this includes verifying the nature of their public role and any associated relationships.
  • Senior management approval: Onboarding a high-risk customer requires sign-off from a senior compliance officer or the money laundering reporting officer (MLRO), not just the analyst who processed the application. This approval needs to be recorded.
  • Ongoing monitoring at tighter thresholds: High-risk customers should have transaction monitoring thresholds set lower than standard customers, so that activity that would not trigger a standard alert generates a review for a high-risk account.
  • More frequent relationship reviews: High-risk customer relationships should be reviewed at least every three to six months, with the review triggered earlier if transaction patterns change materially. The review should update the risk rating, not just confirm it.

For example, onboarding a PEP means verifying their public role and associated relationships, then getting sign-off from the compliance officer before the account goes live. From day one, tighter transaction monitoring thresholds apply, and a regular review is scheduled to reassess their risk profile based on actual observed behaviour.

Common Mistakes Financial Institutions Make


Most customer risk assessment failures come down to the same recurring gaps:

  • Static risk ratings that never update: A customer rated low-risk at onboarding three years ago may have changed their transaction behaviour significantly since then. Without a review process tied to observed behaviour, the rating no longer reflects reality and the controls applied to that customer are wrong.
  • No documented methodology: Saying a customer is high-risk is not enough. The institution needs to record why, based on which specific factors, scored against which criteria. A methodology that exists only in someone's head cannot be examined, defended, or applied consistently across the compliance team.
  • Applying the same due diligence to all customers regardless of risk: Running every customer through the same verification and monitoring process defeats the purpose of risk-based compliance. It overloads compliance teams with low-risk noise and underinvests in high-risk relationships that need more attention.
  • Onboarding high-risk customers without senior management approval: Bringing on a PEP or a customer from a high-risk jurisdiction without senior management sign-off is a direct CBN examination finding, not just a process gap.
  • Not linking risk ratings to monitoring thresholds: A high-risk customer whose transaction monitoring thresholds are set the same as a low-risk customer is not being monitored in line with their risk profile. The risk rating and monitoring thresholds need to match. 

How Customer Risk Ratings Should Be Reviewed and Updated Over Time


A risk rating set at onboarding reflects what the institution knew about the customer at that point. As the customer transacts and their behaviour evolves, that rating needs to keep up. 

  • Scheduled reviews: Every customer relationship should have a review frequency tied to its risk tier. For example, high-risk customers at least every 3-6 months, medium-risk every 6-12 months, low-risk every 12-24 months. The schedule needs to be followed, not just written down.
  • Event-triggered reviews: Certain events should trigger an immediate review outside the scheduled cycle: a material change in transaction patterns, a sanctions list update affecting the customer or their counterparties, a change in business ownership, or a new adverse media finding.
  • What the review should cover: The review is not primarily a re-verification of identity (expired identity documents get refreshed along the way, but that is not its purpose). It is a reassessment of risk based on actual observed behaviour since the last review. Transaction patterns, counterparty changes, and alerts generated during the period should all feed into the updated rating.
  • Record keeping: Every review needs a written record showing what was assessed, what the updated rating is, and who approved the change. An unrecorded review is indistinguishable from no review at all during an examination.
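As an added illustration (not from the page or from Dojah's products) of how scheduled and event-triggered reviews combine with the record-keeping requirement, the following review-queue checker uses the lower bound of the intervals above as the cadence, treats the four event types listed as immediate triggers that take precedence over the schedule, and refuses to record a rating change that names no approver. The relationship records, dates, event names and the run date are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed cadence per tier: the lower bound of the ranges given in the text.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Events that pull a review forward regardless of the schedule.
TRIGGER_EVENTS = {"material_pattern_change", "sanctions_list_update",
                  "ownership_change", "adverse_media"}


@dataclass
class Relationship:
    customer_id: str
    tier: str
    last_review: date
    # (event_date, event_type) pairs logged since the last review
    events_since_review: list = field(default_factory=list)


def next_scheduled_review(rel):
    return rel.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[rel.tier])


def review_due(rel, today):
    """Decide whether a review is due today and say why (triggers beat the schedule)."""
    triggers = [e for e in rel.events_since_review if e[1] in TRIGGER_EVENTS]
    scheduled = next_scheduled_review(rel)
    if triggers:
        first_date, first_type = min(triggers)  # earliest trigger sets the clock
        return {"due": True, "reason": f"event: {first_type} on {first_date.isoformat()}",
                "scheduled": scheduled}
    if today >= scheduled:
        overdue = (today - scheduled).days
        return {"due": True, "reason": f"scheduled review overdue by {overdue} days",
                "scheduled": scheduled}
    return {"due": False, "reason": f"next review {scheduled.isoformat()}",
            "scheduled": scheduled}


def record_review(rel, today, new_tier, assessed, approver=None):
    """Write the review record and roll the relationship forward.

    A change of rating must name the approver: an unapproved or unrecorded
    change is indistinguishable from no review at examination time.
    """
    if new_tier not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"unknown tier {new_tier!r}")
    if new_tier != rel.tier and not approver:
        raise ValueError("rating change requires a named approver")
    record = {
        "customer_id": rel.customer_id,
        "review_date": today.isoformat(),
        "previous_tier": rel.tier,
        "updated_tier": new_tier,
        "assessed": list(assessed),                      # what was looked at
        "events_considered": list(rel.events_since_review),
        "approved_by": approver,
    }
    rel.tier = new_tier
    rel.last_review = today
    rel.events_since_review = []                         # consumed by this review
    return record


# Constructed sample portfolio as of an assumed review run date.
RUN_DATE = date(2025, 4, 10)
SAMPLE_RELATIONSHIPS = [
    Relationship("C-101", "high", date(2025, 1, 15)),              # inside its 90-day window
    Relationship("C-102", "medium", date(2024, 9, 1)),             # 180-day window has lapsed
    Relationship("C-103", "low", date(2024, 6, 1),                 # not yet due by schedule,
                 [(date(2025, 3, 20), "sanctions_list_update")]),  # but an event fired
]


def run_review_queue(relationships=SAMPLE_RELATIONSHIPS, today=RUN_DATE):
    """Return each customer's review status with the reason."""
    return {r.customer_id: review_due(r, today) for r in relationships}


if __name__ == "__main__":
    for cid, outcome in run_review_queue().items():
        print(cid, "DUE" if outcome["due"] else "ok ", outcome["reason"])
```

Running the queue on the sample data puts C-103 first because the sanctions-list event overrides its annual schedule, flags C-102 as overdue, and leaves C-101 alone until its next scheduled date; recording C-103's review clears its event log and restarts its clock from the review date under the new tier.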

How Profiled Risk Supports Dynamic Customer Risk Assessment

A customer risk rating is only useful if it reflects how the customer actually behaves, not just what they said about themselves when they signed up. As transaction patterns evolve and new risk signals emerge, the rating needs to keep up. That is where static, onboarding-only assessments break down.

Profiled Risk builds a living risk profile per user that updates with every event, giving compliance teams the data they need to maintain accurate customer risk ratings over time.

  • Risk profiles that stay current. Every interaction updates the customer's profile automatically. Score changes come with clear reasons, so compliance teams can see exactly what drove a rating change and explain it to a regulator if needed.
  • Behavioural signals that go beyond static rules. Profiled Risk tracks velocity abuse, device pattern shifts, location changes, and behavioural drift over time. These are the signals that indicate a customer's risk profile is changing, often before a scheduled review would catch it.
  • An audit-ready case management record. Every decision, escalation, and risk signal is logged as it happens. When a regulator asks how a specific customer's risk rating was assessed and updated, the answer is already documented and retrievable.

Keeping up with high-risk customers requires more than a scheduled review. Profiled Risk gives your compliance team real-time visibility into how customer risk is shifting, so rating changes are driven by actual behaviour.

Ready to move beyond static risk ratings? See how Profiled Risk helps your team identify and respond to high-risk customer behaviour in real time.

FAQs

1. What is customer risk assessment in AML?
It is the process of evaluating how likely a customer is to be involved in financial crime based on specific factors, and using that evaluation to determine what level of due diligence and monitoring applies to them.

2. Who counts as a high-risk customer under Nigerian AML rules?
PEPs, customers based in or transacting with FATF grey-listed, black-listed or sanctioned jurisdictions, and customers whose transaction behaviour does not match their stated account purpose qualify as high-risk by regulatory definition. Non-resident customers and correspondent relationships carry elevated risk and are usually rated high as well.

3. How often should customer risk ratings be reviewed?
High-risk customers should be reviewed at least every 3-6 months, medium-risk every 6-12 months, and low-risk every 12-24 months. Reviews should also be triggered immediately by material changes in transaction behaviour, ownership, or sanctions list updates.

4. What is the difference between standard due diligence and enhanced due diligence?
Standard due diligence confirms who the customer is at onboarding. Enhanced due diligence goes further, verifying source of funds, source of wealth, and beneficial ownership, and requires senior management sign-off before the relationship proceeds.
