The risk assessment is performed in two steps:
- A scoring based on objective or quantifiable criteria – which allow the process to be automated or delegated to a KYC Operations team.
- The final risk level determination, taking into consideration qualitative elements requiring an analysis or a judgment.
The decision makers on the final risk level are set forth in §7.
6.1 Scoring system
The scoring system is made of a set of criteria that is adapted to each client segment:
- Countries of incorporation, registration or residence
- Date of foundation
- Related country (public sector)
- Countries of activity (MSCs, sensitive countries)
- Sectors of activity
- Presence of PEP
- Country of residence of UBOs
- Voting rights (in supranational administrations)
- Sanctions on client or related persons
- Financial security incidents
- Introduction channel
- Cross-border flows
- Assets under management
- Access to insider information
- Usage of sensitive products
- Complexity of shareholding structure
In case of incomplete or missing information, specific rules apply.
Each criterion breaks down into scenarios. Each scenario is weighted with a number of points between zero and 100. As an example, the criterion “country of residence” of individual clients would be scored based on the following possible scenarios:
| Scenario | Country of residence | Points |
|---|---|---|
| Scenario A | Same country as business relationship, or LS country | 0 points |
| Scenario B | MS country | 15 points |
| Scenario C | HS country | 25 points |
| Scenario D | VHS country (excluding MSCs and P0 countries) | 50 points |
| Scenario E | MSCs and P0 countries | 100 points |
The score is computed by adding up the points related to the applicable scenario in each criterion:
| Example | Scenario A | Scenario B | Scenario C | Score |
The score provides an initial assessment of the risk level:
| Risk level | Score |
|---|---|
| Low Risk (LR) | from zero to 49 points |
| Medium Risk (MR) | from 50 to 99 points |
| High Risk (HR) | 100 points and above |
The detailed criteria, scenarios and weightings applicable to each client segment are defined in the COMPENDIUM and the segment policies.
6.2 Final risk level determination
By default, the risk level is given by the scoring system.
However, some of the collected information may lead the RM to propose, or Compliance or the CAC to require, a modification of this risk level, upward or downward – more specifically:
- The transactional profile, as determined at onboarding, and updated at recertification.
- Adverse information, if any.
- More generally, any information collected from the client, other sources, or internally.
- When required, the RM Assessment (§7).
The RM’s proposal must be validated by Compliance.
6.3 Multi-site clients
The client risk level must be identical across all BUs having a business relationship with the client.
The initial scoring is performed by the Primary Site. Should the actual or intended usage of sensitive products in a Secondary Site impact the score, this Secondary Site must inform the Primary Site.
Taking into account the qualitative elements of the risk assessment, and/or any other relevant information, the Secondary Site may recommend a risk level that is different from the original one. In such a case, both sites need to communicate and to agree on a revised risk level. If a disagreement remains, the higher level applies.
6.4 Business groups
The risk assessment of a client entity is not directly impacted by the risk level of the other client entities belonging to the same business group. However, some scoring criteria (sectors of activity, countries of activity) are based on the consolidated activities of the client entity and its subsidiaries. In addition, the RM Assessment takes into account information related to the parent companies and subsidiaries (§4.7).