Sector, Product, Customer, Jurisdiction, and Channel Risk
Key Takeaways
- The risk-based approach assesses risk across customer, product/service, geography, and delivery channel.
- Non-face-to-face onboarding and anonymous products raise channel risk.
- FATF high-risk and monitored jurisdictions (grey and black lists) drive geographic risk.
- Risk factors combine multiplicatively, not in isolation, to set the overall customer risk rating.
The Four Pillars of the Risk-Based Approach
The risk-based approach (RBA) is the foundation of every modern AFC program and a heavy CAMS focus. Rather than treating all customers identically, an institution allocates resources where risk is highest. FATF and the Wolfsberg Group frame inherent risk across four pillars, which the exam expects you to assess together:
| Pillar | Lower risk | Higher risk |
|---|---|---|
| Customer | Salaried retail customer, listed company | PEPs, cash-intensive businesses, complex trusts |
| Product / service | Basic savings account | Private banking, correspondent banking, anonymous prepaid cards |
| Geography / jurisdiction | FATF-compliant country | FATF-listed (grey/black), high-corruption, conflict zones |
| Delivery channel | In-branch, face-to-face onboarding | Non-face-to-face, third-party introducers, online-only |
The rating is not additive in a simple way — factors interact. A low-risk product sold to a high-risk customer in a high-risk jurisdiction through a non-face-to-face channel can yield a high overall rating. The exam routinely gives a multi-factor scenario and asks for the resulting rating or the appropriate due-diligence level.
Jurisdiction Risk and the FATF Lists
Geographic risk is anchored to objective references the exam expects you to name:
- FATF "black list" — Jurisdictions subject to a Call for Action (high-risk jurisdictions). Enhanced measures, sometimes countermeasures, apply.
- FATF "grey list" — Jurisdictions under Increased Monitoring with action plans; enhanced due diligence (EDD) is warranted.
- Other inputs: Transparency International's Corruption Perceptions Index, EU high-risk third-country lists, and OFAC-sanctioned countries.
Never judge a country by reputation alone; cite the framework. A jurisdiction can be a major financial center and high risk for specific predicates. Geographic risk also includes a customer's connections to high-risk countries — where they are tax-resident, where their counterparties sit, and where funds originate or terminate — not merely the booking location of the account. A domestic customer who routes most payments through a conflict zone inherits that geographic risk even though the relationship looks local.
Channel Risk in Detail
Delivery channel risk has grown with digital onboarding. Non-face-to-face relationships, third-party introducers, and anonymous or stored-value products weaken identity assurance. Mitigants include liveness checks, document verification, and database cross-checks. The exam tests whether you can match a channel weakness to the right control rather than reflexively rejecting the customer.
Worked Example
A fintech onboards customers fully online (non-face-to-face channel), offers reloadable prepaid cards (higher-risk product), and serves a customer base including individuals in a FATF grey-list country (higher-risk geography). Even if individual transactions are small, the combination yields a high inherent-risk rating. The appropriate response is EDD: stronger identity verification, source-of-funds checks, lower transaction limits, and intensified monitoring — not necessarily refusal.
Common Traps
- Rating risk on a single factor while ignoring how factors compound.
- Equating a wealthy or well-known customer with low risk — wealth can elevate risk.
- Forgetting that EDD is a response to high risk, not a reason to exit the relationship automatically.
- Treating all online onboarding as unacceptable; the question is which mitigants apply.
Inherent Risk, Controls, and Residual Risk
The exam draws a sharp line between inherent risk (the risk before controls) and residual risk (what remains after controls are applied). The four pillars describe inherent risk. Controls — identity verification, transaction monitoring, screening, EDD — reduce it to residual risk, which the institution must keep within its risk appetite. A scenario may ask why two customers with identical inherent risk end up rated differently: the answer is the strength of mitigating controls. This framing also explains risk acceptance: management may knowingly accept residual risk if it is within appetite and properly documented and monitored.
Customer Risk Rating and Due-Diligence Tiers
The combined assessment produces a customer risk rating that drives the due-diligence tier:
- Simplified due diligence (SDD) — permitted only for demonstrably low-risk situations (e.g., a regulated, listed entity); reduced information, not no diligence.
- Standard customer due diligence (CDD) — identify and verify the customer and, where relevant, the beneficial owner; understand the purpose and intended nature of the relationship.
- Enhanced due diligence (EDD) — for high-risk customers; obtain source of wealth and funds, senior-management approval where required, and intensified ongoing monitoring.
A repeated exam point: SDD is never no due diligence, and you cannot apply SDD to offset a high-risk factor.
Dynamic Risk and Trigger Events
Risk ratings are not set once at onboarding. Trigger events — a customer becoming a PEP, a change in beneficial ownership, a new product, a move to a higher-risk jurisdiction, or unusual activity — require reassessment and possible reclassification. Periodic reviews occur on a cadence tied to the rating (e.g., high-risk annually, low-risk less often). The Wolfsberg Group and FATF both emphasize that the RBA is continuous, and a stale review is itself an examination finding.
Transaction monitoring feeds the dynamic rating: a customer whose actual activity diverges sharply from the expected activity captured at onboarding should be re-rated, because the original assumptions no longer hold. When scoring a scenario, walk all four pillars explicitly, then state the overall rating and the matching due-diligence tier (simplified, standard, or enhanced), and check whether a trigger event has changed the picture.
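The four-pillar walk-through, multiplicative combination, due-diligence tiering and trigger-event re-rating described above, as an added Python example that is not part of the original study material; the per-pillar scale, the FATF-list-to-geography mapping, the thresholds and the trigger-event effects are all assumed for illustration, not any institution's or FATF's actual scale.

```python
from dataclasses import dataclass
from math import prod

PILLARS = ("customer", "product", "geography", "channel")
LEVEL = {"low": 1, "medium": 2, "high": 3}        # assumed per-pillar scale
FATF_GEO = {"black": "high", "grey": "high", None: "low"}  # assumed mapping
TRIGGER_EFFECTS = {  # assumed mapping of the page's trigger events
    "became_pep": {"customer": "high"},
    "new_high_risk_product": {"product": "high"},
    "moved_to_grey_list": {"fatf_list": "grey"},
}

@dataclass
class Customer:
    pillars: dict                      # pillar -> "low" | "medium" | "high"
    fatf_list: str = None              # "black", "grey" or None

def pillar_levels(c):
    levels = {p: c.pillars.get(p, "low") for p in PILLARS}
    # Geography is anchored to the FATF lists, not to reputation alone.
    levels["geography"] = max(levels["geography"], FATF_GEO[c.fatf_list],
                              key=LEVEL.get)
    return levels

def inherent_score(c):
    # Multiplicative, not additive: three "medium" pillars compound to 8.
    return prod(LEVEL[v] for v in pillar_levels(c).values())

def rating(c):
    levels = pillar_levels(c)
    if "high" in levels.values() or inherent_score(c) >= 8:
        return "high"
    return "medium" if inherent_score(c) >= 2 else "low"

def due_diligence_tier(c):
    # SDD only when every pillar is demonstrably low; it never offsets a
    # high-risk factor. High -> EDD, everything else -> standard CDD.
    r = rating(c)
    return "EDD" if r == "high" else ("SDD" if r == "low" else "CDD")

def reassess(c, event):
    """Apply a trigger event, then re-rate; returns (old_tier, new_tier)."""
    old = due_diligence_tier(c)
    for key, value in TRIGGER_EFFECTS[event].items():
        if key == "fatf_list":
            c.fatf_list = value
        else:
            c.pillars[key] = value
    return old, due_diligence_tier(c)
```

Running the worked fintech scenario (online-only channel, prepaid product, grey-list geography) through `due_diligence_tier` yields EDD even though the customer pillar is low, and a single `became_pep` trigger moves a standard-CDD customer to EDD.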
A fintech onboards customers fully online, offers reloadable prepaid cards, and serves some clients in a FATF grey-list country. Transaction sizes are small. What is the most appropriate response?
Which four pillars define inherent risk under the risk-based approach the CAMS exam emphasizes?
What distinguishes the FATF "grey list" from the "black list"?