Risk-Rating: What You Need to Know
1 June 2025 marked a substantial change around customer risk-rating. If your business has AML/CFT obligations, you’ll need to risk-rate every new customer at the time of onboarding and ensure the rating is kept up to date. These changes are part of new guidance from the Department of Internal Affairs (DIA) and aim to make sure reporting entities are applying a clear, consistent, and risk-based approach.
Key Takeaways at a Glance
- Every new customer must be risk-rated at onboarding. This applies when a business relationship starts, or an occasional transaction takes place.
- Risk-rating at onboarding will inform the level and frequency of ongoing Customer Due Diligence (CDD) and account monitoring, and the level of CDD or ECDD you will need to conduct. This should also inform any controls that may need to be put in place to mitigate ML/TF risks (e.g., transaction limits, or senior management approval).
- There is no one-size-fits-all risk-rating process or model. Allow for flexibility in the approach that is implemented.
- Both qualitative and quantitative approaches are considered appropriate, depending on the nature of the business operations.
- Each reporting entity will have its own unique way of approaching these obligations, and it's important that the risk-rating framework is tailored to align with the context of the business.
- For many reporting entities, the risk-rating process or model can be straightforward. An objective determination against a rating scale of low, medium and high risk can be made.
- For other reporting entities with a larger customer base, or a more complex range of products and services, a more sophisticated methodology may be required. This reflects the multiple and more nuanced variables associated with risk across a large or complex business and its products and services.
- Reporting entities should consider using ongoing CDD as an opportunity to align their approach and risk-rate customers who were onboarded prior to 1 June 2025. Over time, this will contribute to greater consistency across the customer base and support a more integrated and effective risk-based approach.
Risk-Rating at Onboarding: What is Expected?
When a new customer starts doing business with a reporting entity, an initial risk-rating should take place based on your risk assessment and the information obtained from the customer when onboarding (CDD) commences. This rating helps determine the level of onboarding (CDD or ECDD) and what monitoring and controls should be applied, both from the beginning and upon completion of CDD, to confirm that the initial risk rating is correct.
The risk-rating should be based on objective factors, such as:
- The customer's entity type
- Jurisdictional risk
- The nature and purpose of the business relationship
- Any red flags that may trigger conducting enhanced CDD, such as politically exposed persons (PEPs) or unusual transaction patterns
The goal is to identify customers who may present a higher risk of money laundering or terrorism financing, so that appropriate controls can be put in place right from the beginning.
Risk-Rating and Monitoring as Part of Ongoing CDD and Wider Compliance Requirements
Risk-rating doesn’t stop at onboarding. The customer’s risk level must be kept under review throughout the business relationship.
Reporting entities are expected to:
- Train staff on the new ICRR requirements as well as the reporting entity's own processes, procedures and controls.
- Use risk-rating scores to guide how often and what type of ongoing checks and monitoring are carried out.
- Review the risk rating of the customer when prompted by triggers from account monitoring processes or a particular transaction. It is expected that findings from these activities will naturally increase client risk scores.
- Adapt their ICRR methodology as new typologies, risk events and business operations evolve.
This reassessment of risk helps ensure that resources are focused where they are most needed and that reporting entities remain compliant as circumstances change.
Why the Right Approach Matters
Risk-rating isn’t just about ticking a compliance box – it’s a valuable tool for smarter, more efficient monitoring. A well-designed methodology supports early detection of changes in customer behavior that could increase risk, making it easier to trigger timely reviews. Most importantly, a strong and consistent risk-rating approach helps demonstrate to supervisors that AML/CFT obligations are being met in a thorough and efficient way.
Practical Support for Meeting Risk-Rating Obligations
AML Solutions has already helped many reporting entities prepare for these changes. Our consultants have been in discussion with the DIA and Financial Intelligence Unit (FIU) to refine our risk-rating methodology. Their feedback? We’ve nailed it. Our approach gives businesses confidence that their processes meet regulatory expectations and are aligned with what supervisors want to see.
If you need assistance, we offer:
- Risk Rating Methodology – We’ll design a risk-rating approach that fits your business, reflects your unique risks, and meets AML/CFT compliance requirements.
- Annual Document Upgrade Subscription – Stay covered as changes evolve. Our subscription service keeps your documents up to date with changing legislation, giving you ongoing peace of mind.
Get in touch with our team to find out how we can support your risk-rating process and help keep your compliance documentation up to date.