How to Assess and Manage Risk in Retail Banking


How to assess and manage AML and TF risk in Retail Banking

For the purpose of this post, retail banking means the provision of banking services to natural persons and small and medium-sized enterprises. Examples of retail banking products and services include current accounts, mortgages, savings accounts, consumer and term loans, and credit lines.

Due to the nature of the products and services offered, the relative ease of access and the often large volume of transactions and business relationships, retail banking is vulnerable to terrorist financing and to all stages of the money laundering process. At the same time, the volume of business relationships and transactions associated with retail banking can make identifying ML/TF risk associated with individual relationships and spotting suspicious transactions particularly challenging.

Banks should consider the following risk factors and measures alongside those set out in our general risk management post.

Risk factors

Product, service and transaction risk factors

The following factors may contribute to increasing risk:

  • The product’s features favour anonymity;
  • The product allows payments from third parties that are neither associated with the product nor identified upfront, where such payments would not be expected, for example for mortgages or loans;
  • The product places no restrictions on turnover, cross-border transactions or similar product features;
  • New products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and existing products where these are not yet well understood;
  • Lending (including mortgages) secured against the value of assets in other jurisdictions, particularly countries where it is difficult to ascertain whether the customer has legitimate title to the collateral, or where the identities of parties guaranteeing the loan are hard to verify;
  • An unusually high volume or large value of transactions.

The following factors may contribute to reducing risk:

  • The product has limited functionality, for example in the case of:
    • A fixed term savings product with low savings thresholds;
    • A product where the benefits cannot be realised for the benefit of a third party;
    • A product where the benefits are only realisable in the long term or for a specific purpose, such as retirement or a property purchase;
    • A low-value loan facility, including one that is conditional on the purchase of a specific consumer good or service; or
    • A low-value product, including a lease, where the legal and beneficial title to the asset is not transferred to the customer until the contractual relationship is terminated or is never passed at all.
  • The product can only be held by certain categories of customers, for example pensioners, parents on behalf of their children, or minors until they reach the age of majority.
  • Transactions must be carried out through an account in the customer’s name at a credit or financial institution that is subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.
  • There is no over-payment facility.

Customer risk factors

The following factors may contribute to increasing risk:

  • The nature of the customer, for example:
    • The customer is a cash-intensive undertaking.
    • The customer is an undertaking associated with higher levels of money laundering risk, for example certain money remitters and gambling businesses.
    • The customer is an undertaking associated with a higher corruption risk, for example operating in the extractive industries or the arms trade.
    • The customer is a non-profit organisation that supports jurisdictions associated with an increased TF risk.
    • The customer is a new undertaking without an adequate business profile or track record.
    • The customer is a non-resident. Banks should note that Article 16 of Directive 2014/92/EU creates a right for consumers who are legally resident in the European Union to obtain a basic bank account, although the right to open and use a basic payment account applies only to the extent that banks can comply with their AML/CFT obligations and does not exempt banks from their obligation to identify and assess ML/TF risk, including the risk associated with the customer not being a resident of the Member State in which the bank is based.
    • The customer’s beneficial owner cannot easily be identified, for example because the customer’s ownership structure is unusual, unduly complex or opaque, or because the customer issues bearer shares.
  • The customer’s behaviour, for example:
    • The customer is reluctant to provide CDD information or appears deliberately to avoid face-to-face contact.
    • The customer’s evidence of identity is in a non-standard form for no apparent reason.
    • The customer’s behaviour or transaction volume is not in line with that expected from the category of customer to which they belong, or is unexpected based on the information the customer provided at account opening.
    • The customer’s behaviour is unusual, for example the customer unexpectedly and without reasonable explanation accelerates an agreed repayment schedule, by means either of lump sum repayments or early termination; deposits or demands payout of high-value bank notes without apparent reason; increases activity after a period of dormancy; or makes transactions that appear to have no economic rationale.

The following factor may contribute to reducing risk:

  • The customer is a long-standing client whose previous transactions have not given rise to suspicion or concern, and the product or service sought is in line with the customer’s risk profile.

Country or geographical risk factors

The following factors may contribute to increasing risk:

  • The customer’s funds are derived from personal or business links to jurisdictions associated with higher ML/TF risk.
  • The payee is located in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions known to provide funding or support for terrorist activities or where groups committing terrorist offences are known to be operating, and jurisdictions subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation.

The following factor may contribute to reducing risk:

  • Countries associated with the transaction have an AML/CFT regime that is not less robust than that required under Directive (EU) 2015/849 and are associated with low levels of predicate offences.

Distribution channel risk factors

The following factors may contribute to increasing risk:

  • Non-face-to-face business relationships, where no adequate additional safeguards – for example electronic signatures, electronic identification certificates issued in accordance with Regulation EU (No) 910/2014 and anti-impersonation fraud checks – are in place;
  • Reliance on a third party’s CDD measures in situations where the bank does not have a long-standing relationship with the referring third party;
  • New delivery channels that have not been tested yet.

The following factor may contribute to reducing risk:

  • The product is available only to customers who meet specific eligibility criteria set out by national public authorities, as in the case of state benefit recipients or specific savings products for children registered in a particular Member State.


Where banks use automated systems to identify ML/TF risk associated with individual business relationships or occasional transactions and to identify suspicious transactions, they should ensure that these systems are fit for purpose in line with the criteria set out in our generic risk assessment post. The use of automated IT systems should never be considered a substitute for staff vigilance.
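Where a bank automates the behavioural checks listed under the customer risk factors above, several of them can be written directly as rules over transaction records. The following Python is an added example, not code from the original post or from any regulatory guidance: the AccountProfile fields, the thresholds (180 days of dormancy, 3x the declared monthly turnover, 5x the agreed loan instalment) and the sample transactions are all assumptions constructed for illustration.

```python
"""Behavioural monitoring checks over constructed retail-banking transactions.

Added example (not the post's own code). It turns three of the customer-behaviour
risk factors into rules: activity resuming after a period of dormancy, monthly
turnover out of line with the profile declared at account opening, and an
unexpected lump-sum loan repayment. All thresholds, field names and sample
transactions are assumptions constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccountProfile:
    account_id: str
    expected_monthly_turnover: float           # declared at onboarding (assumed field)
    agreed_monthly_repayment: Optional[float]  # only set for loan accounts


@dataclass(frozen=True)
class Transaction:
    account_id: str
    when: date
    amount: float   # positive = credit to the account, negative = debit
    kind: str       # "deposit", "payment", "transfer_out", "repayment", ...


# Assumed thresholds; a bank would calibrate these in its own risk assessment.
DORMANCY_DAYS = 180         # gap that counts as a "period of dormancy"
TURNOVER_MULTIPLIER = 3.0   # monthly turnover above 3x the declared figure
REPAYMENT_MULTIPLIER = 5.0  # a single repayment of 5x the agreed instalment


def _by_account(txns):
    """Group transactions per account, ordered by date."""
    groups = defaultdict(list)
    for t in txns:
        groups[t.account_id].append(t)
    for acct in groups:
        groups[acct].sort(key=lambda t: t.when)
    return groups


def dormancy_reactivation(txns, dormancy_days=DORMANCY_DAYS):
    """Flag the first transaction after a gap of at least dormancy_days."""
    alerts = []
    for acct, ordered in _by_account(txns).items():
        for prev, cur in zip(ordered, ordered[1:]):
            gap = (cur.when - prev.when).days
            if gap >= dormancy_days:
                alerts.append({"rule": "dormancy_reactivation", "account_id": acct,
                               "when": cur.when, "gap_days": gap, "amount": cur.amount})
    return alerts


def turnover_above_profile(profiles, txns, multiplier=TURNOVER_MULTIPLIER):
    """Flag calendar months whose gross turnover exceeds multiplier x the declared figure."""
    monthly = defaultdict(float)   # (account, year, month) -> sum of absolute amounts
    for t in txns:
        monthly[(t.account_id, t.when.year, t.when.month)] += abs(t.amount)
    alerts = []
    for (acct, year, month), total in sorted(monthly.items()):
        limit = multiplier * profiles[acct].expected_monthly_turnover
        if total > limit:
            alerts.append({"rule": "turnover_above_profile", "account_id": acct,
                           "month": f"{year:04d}-{month:02d}", "turnover": total, "limit": limit})
    return alerts


def accelerated_repayment(profiles, txns, multiplier=REPAYMENT_MULTIPLIER):
    """Flag lump-sum repayments far above the agreed instalment on loan accounts."""
    alerts = []
    for t in txns:
        agreed = profiles[t.account_id].agreed_monthly_repayment
        if t.kind == "repayment" and agreed and abs(t.amount) >= multiplier * agreed:
            alerts.append({"rule": "accelerated_repayment", "account_id": t.account_id,
                           "when": t.when, "amount": abs(t.amount), "agreed": agreed})
    return alerts


def run_monitoring(profiles, txns):
    """Run all three rules; the result is a review queue for an analyst, not a verdict."""
    return (dormancy_reactivation(txns)
            + turnover_above_profile(profiles, txns)
            + accelerated_repayment(profiles, txns))


# Constructed sample data: a current account (A) and a consumer-loan account (B).
PROFILES = {
    "A": AccountProfile("A", expected_monthly_turnover=2000.0, agreed_monthly_repayment=None),
    "B": AccountProfile("B", expected_monthly_turnover=1000.0, agreed_monthly_repayment=400.0),
}
SAMPLE_TXNS = [
    Transaction("A", date(2023, 1, 10), 500.0, "deposit"),
    Transaction("A", date(2023, 1, 20), -300.0, "payment"),
    Transaction("A", date(2023, 9, 1), 9000.0, "deposit"),       # active again after 224 days
    Transaction("A", date(2023, 9, 3), -8500.0, "transfer_out"),
    Transaction("B", date(2023, 2, 1), -400.0, "repayment"),
    Transaction("B", date(2023, 3, 1), -400.0, "repayment"),
    Transaction("B", date(2023, 4, 1), -5000.0, "repayment"),    # lump sum, 12.5x the instalment
]

if __name__ == "__main__":
    for alert in run_monitoring(PROFILES, SAMPLE_TXNS):
        print(alert)
```

Each rule returns structured alerts rather than a decision, which matches the point made above: the automated system narrows the volume of relationships and transactions a reviewer has to look at, and the reviewer still decides whether the customer's explanation is reasonable. Thresholds are kept as named module constants so that their calibration can be documented and reviewed as part of the bank's own risk assessment.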

Enhanced customer due diligence

Where the risk associated with a business relationship or occasional transaction is increased, banks must apply EDD measures. These may include:

  • Verifying the customer’s and the beneficial owner’s identity on the basis of more than one reliable and independent source.
  • Identifying, and verifying the identity of, other shareholders who are not the customer’s beneficial owner or any natural persons who have authority to operate an account or give instructions concerning the transfer of funds or the transfer of securities.
  • Obtaining more information about the customer and the nature and purpose of the business relationship to build a more complete customer profile, for example by carrying out open source or adverse media searches or commissioning a third party intelligence report. Examples of the type of information banks may seek include:
    • The nature of the customer’s business or employment;
    • The source of the customer’s wealth and the source of the customer’s funds that are involved in the business relationship, to be reasonably satisfied that these are legitimate;
    • The purpose of the transaction, including, where appropriate, the destination of the customer’s funds;
    • Information on any associations the customer might have with other jurisdictions (headquarters, operating facilities, branches, etc.) and the individuals who may influence its operations; or
    • Where the customer is based in another country, why they seek retail banking services outside their home jurisdiction.
  • Increasing the frequency of transaction monitoring.
  • Reviewing and, where necessary, updating information and documentation held more frequently. Where the risk associated with the relationship is particularly high, banks should review the business relationship annually.

Simplified customer due diligence

In low-risk situations, and to the extent permitted by national legislation, banks may apply SDD measures, which may include:

  • For customers that are subject to a statutory licensing and regulatory regime, verifying identity based on evidence of the customer being subject to that regime, for example through a search of the regulator’s public register;
  • Verifying the customer’s and, where applicable, the beneficial owner’s identities during the establishment of the business relationship in accordance with Article 14(2) of Directive (EU) 2015/849;
  • Assuming that a payment drawn on an account in the sole or joint name of the customer at a regulated credit or financial institution in an EEA country satisfies the requirements stipulated by Article 13(1)(a) and (b) of Directive (EU) 2015/849;
  • Accepting alternative forms of identity that meet the independent and reliable source criterion in Article 13(1)(a) of Directive (EU) 2015/849, such as a letter from a government agency or other reliable public body to the customer, where there are reasonable grounds for the customer not to be able to provide standard evidence of identity and provided that there are no grounds for suspicion;
  • Updating CDD information only in case of specific trigger events, such as the customer requesting a new or higher risk product, or changes in the customer’s behaviour or transaction profile that suggest that the risk associated with the relationship is no longer low.

Pooled accounts

Where a bank’s customer opens a ‘pooled account’ in order to administer funds that belong to the customer’s own clients, the bank should apply full CDD measures, including treating the customer’s clients as the beneficial owners of funds held in the pooled account and verifying their identities.

Where there are indications that the risk associated with the business relationship is high, banks must apply EDD measures as appropriate.

However, to the extent permitted by national legislation, where the risk associated with the business relationship is low and subject to the conditions set out below, a bank may apply SDD measures provided that:

  • The customer is a firm that is subject to AML/CFT obligations in an EEA state or a third country with an AML/CFT regime that is not less robust than that required by Directive (EU) 2015/849, and is supervised effectively for compliance with these requirements; or
  • The customer is not a firm but another obliged entity that is subject to AML/CFT obligations in an EEA state and is supervised effectively for compliance with these requirements;
  • The ML/TF risk associated with the business relationship is low, based on the bank’s assessment of its customer’s business, the types of clients the customer’s business serves and the jurisdictions the customer’s business is exposed to, among other considerations;
  • The bank is satisfied that the customer applies robust and risk-sensitive CDD measures to its own clients and its clients’ beneficial owners (it may be appropriate for the bank to take risk-sensitive measures to assess the adequacy of its customer’s CDD policies and procedures, for example by liaising directly with the customer); and
  • The bank has taken risk-sensitive steps to be satisfied that the customer will provide CDD information and documents on its underlying clients that are the beneficial owners of funds held in the pooled account immediately upon request, for example by including relevant provisions in a contract with the customer or by sample-testing the customer’s ability to provide CDD information upon request.

Where the conditions for the application of SDD to pooled accounts are met, SDD measures may consist of the bank:

  • Identifying and verifying the identity of the customer, including the customer’s beneficial owners (but not the customer’s underlying clients);
  • Assessing the purpose and intended nature of the business relationship; and
  • Conducting ongoing monitoring of the business relationship.
