What Risk-Based Really Means
A risk-based approach to Customer Due Diligence (CDD) means applying more intensive verification and monitoring to higher-risk customers and relationships, and lighter-touch processes to lower-risk ones. The Central Bank of Nigeria (CBN) and the Financial Action Task Force (FATF) both mandate this approach because blanket high-intensity verification for every customer is commercially impractical and creates friction that damages the customer experience without proportionate compliance benefit.
The challenge is that most Nigerian fintechs have implemented CDD as either a one-size-fits-all process or as a binary switch between standard and enhanced due diligence. Neither approach reflects the reality of customer risk, which exists on a spectrum. Building a genuinely risk-based CDD framework requires defining that spectrum, mapping customers onto it, and calibrating verification and monitoring intensity accordingly.
Building Your Risk Tiering Model
Risk tiering starts with identifying the factors that meaningfully predict the risk that a customer could be used for money laundering or financial crime. In Nigeria's context, these include the customer's occupation and source of funds, the products and services they use, the geographic location of their transactions and connections, the customer's legal form if they are a business, and any prior adverse information.
Most institutions use three or four tiers: low risk, medium risk, high risk, and sometimes a very-high-risk category for politically exposed persons (PEPs) and high-volume cash businesses. The criteria for each tier should be specific and documented. 'High risk' is not a useful category without a definition of what makes a customer high risk at your specific institution.
What Each Tier Requires
Low-risk customers require basic identification and verification, standard transaction monitoring at normal thresholds, and periodic review of their risk classification. Medium-risk customers require the same, with more frequent periodic review and lower transaction thresholds that trigger enhanced scrutiny. High-risk customers require enhanced due diligence at onboarding, including source of funds documentation, more intensive ongoing monitoring, and more frequent relationship reviews.
The periodic review cycle is often the weakest link. Most institutions set a risk tier at onboarding and rarely update it as the customer relationship evolves. A low-risk customer at onboarding can become high-risk after a significant change in transaction behavior. As we have explored in our analysis of continuous risk monitoring, dynamic risk reassessment is far more effective than static tiering.
Documentation Requirements
The CBN expects institutions to maintain records that demonstrate how each customer was assigned their risk tier and what due diligence was conducted in response. For standard customers, this means the verification records from onboarding. For high-risk customers, this means those records plus the enhanced due diligence (EDD) documentation: source of funds evidence, source of wealth analysis for PEPs, and records of senior management approval.
Remllo's identity verification platform provides structured documentation workflows that capture the right evidence for each risk tier and maintain an audit trail that satisfies CBN examination requirements.



