by Matt Rizzo

September 14, 2023

What the World Knows About Your Client

We live in a world where we are constantly connected to the Internet. We have come to rely on being constantly connected, receiving news in real-time, and keeping ourselves up to date. Consider the challenge of visiting a new city and having to find your way around. In the days before mobile phones, you would have to rely on a street map you may have bought from the nearest newsagent, or the one you picked up from your hotel. Most of us might remember those days, and we all have stories about the times our trusted printed guide failed us.

Street maps may give a highly accurate representation of the layout of the city. But using a connected app provides invaluable real time information on weather conditions, construction and road closures, traffic updates, and alternative routes.

The information you have collected about your customer is akin to the street map. It can be highly accurate but without complimenting it with external information, it may not provide you with the correct information to be able to properly assess and mitigate your AML customer risk.

Lacking real-time external information while navigating a new city may make your task harder. But when it comes to Anti-Money Laundering (AML) processes, keeping your client knowledge disconnected from online sources may have dire consequences. In this article we look at what external sources you should be checking on a regular basis to ensure that you supplement your Know Your Client (KYC) data with external information.

Jurisdiction Risk

In line with the Risk-Based Approach (RBA), you need to make sure that you apply Enhanced Due Diligence (EDD) on your high-risk clients and jurisdiction risk is an important component of your Customer Risk Assessment (CRA).

As part of your KYC process, you would have collected information about the jurisdictions your customer is connected to. This could include the customer’s nationality, residence, or domicile as well as the jurisdictions your customer does business in. But what is the risk associated with each of these jurisdictions? A simple way to answer this question is to consult with various country lists that are published by various organisations.

The most widely used international lists are the High-Risk Jurisdictions subject to a Call for Action and the Jurisdictions under Increased Monitoring. These are published by the international Financial Action Task Force (FATF) and are also known as the FATF blacklist and “grey list”. The lists are updated three times a year and contain a number of jurisdictions that are considered to have the highest risk from a money-laundering perspective.

While the FATF list is international in nature, there are lists that are published by regional or local bodies. The European Union, for example, maintains a list of countries “with strategic deficiencies in their anti-money laundering and counter-terrorist financing framework” and also a list of “non-cooperative jurisdictions for tax purposes”. The United Kingdom’s HM Treasury maintains a list of “high risk third countries”.

These lists published by government or intergovernmental organisations, contain the countries that are exposed to the highest level of risks. Taking these lists into consideration and applying EDD if a country is on these lists may be mandated by your local regulations. However, a comprehensive risk framework should go beyond these lists.

An effective AML policy should reference other sources that allow you to include additional countries as high risk or divide the remaining countries into low or medium risk. One popular list is published by KnowYourCountry which ranks more than 240 countries based on a number of factors to help assess money laundering and sanctions risks. Another commonly used list is Transparency International’s Corruption Perception Index (CPI), which ranks 180 countries by the level of corruption within the country – an important indicator of money laundering risk.

Some of these lists are updated on a yearly basis, but others change more frequently. It is important to ensure that you are always making use of the latest available information. Using sophisticated lists that change regularly (such as KnowYourCountry) helps build a robust AML process but would require automation to track changes on a regular basis.


Another important set of external data sources that need to be incorporated into your AML processes is sanction lists. These sanctions, prepared by intergovernmental or governmental organisations define measures imposed on individuals, companies or countries. By law, you are obliged to take these sanctions into consideration and ensure that you do not offer any professional services to clients in breach of such sanctions.

As with country lists, the particular lists that service providers are required to check will vary based on the jurisdiction you operate in. The most common sanction list is the United Nations Security Council Consolidated List which all 193 UN member states are obliged to implement and enforce. The individuals and companies listed on these sanctions are considered by the UN as a threat to global peace and security and the list is designed to address concerns such as human trafficking, terrorism, nuclear trafficking, arms trafficking, human rights violations, and money laundering.

Other popular regional lists include the European Union Consolidated Financial Sanctions List, and the ones published in the United Kingdom by the Office of Sanctions Implementation (OFSI), and the one in the United States by the Office of Foreign Assets Control (OFAC).

In addition to staying up to date with the sanction lists that are mandatory within your local legislation, keeping track of additional sanction lists is always good practice. Some sanction lists are updated multiple times within a week so it’s important to ensure that you can keep up to date with the latest versions.

Politically Exposed Person (PEP) Lists

Politically exposed persons (PEPs) should be considered as high-risk clients. In fact, asking your client whether they are politically exposed or not is a common question of an onboarding questionnaire. Customers may, however, intentionally lie and incorrectly claim they are not PEPs. They may also fail to understand the definition of a PEP and mistakenly assume they are not. As a result, information supplied by the customer should be corroborated with appropriate online searches.

Moreover, a client may become a PEP after they are onboarded. In fact, it is important to check the client against PEP lists during onboarding as well as on an ongoing basis throughout your business relationship with the customer.

Checking whether a client is a PEP is much more complex than checking whether a client is sanctioned. This is due to several reasons including the fact that there is no central authoritative list of all PEPs across the world. Moreover, changes occur daily and maintaining a comprehensive list of global PEPs would, at least, require tracking every election or political appointment across the world. The definition of PEP itself is also complex and extends to family members and close associates.

Using a search engine such as Google or Bing could help shed some light as to whether an individual is politically exposed or not. You can also leverage some free online tools such as WikiData but given the complexity around PEP screening, this is usually carried out using specialized commercial tools.

Adverse Media

Monitoring media for negative news is another important source of information. Your risk policy might prevent you from servicing individuals who have certain criminal convictions or serious allegations of financial crimes, bribery, money laundering or corruption. Even if such a client is acceptable to your organisation, you would probably want to consider these clients as high risk and apply EDD.

As with PEP data, building a global database of individuals and entities that have been subject to adverse media is a non-trivial task. The data is also constantly changing. In fact, whilst running a search against a search engine like Google or Bing could uncover some interesting new fact about your client, monitoring for adverse media is usually done via specialized commercial tools as well.


In this article we looked at what external sources you should be checking on a regular basis to ensure that you supplement your Know Your Client (KYC) data with external information. You cannot really claim to “know your client” if you’re failing to take into account information that the rest of the world already knows about your client or the jurisdictions they are based or operate in.

On the other hand, keeping track of these large, ever-changing datasets is a non-trivial task. This is where automation come in handy. Software like InScope-AML can be configured to understand your risk framework and parameters, and with continuous access to both your client list and the various data sources, it can allow you to react quickly to changes.

Share this...

Facebook logo Pinterest logo X (formerly Twitter) logo LinkedIn logo

You May Also Like

by InScope-AML

June 18, 2024

Juggling through AML Compliance