Customer Risk Categorisation in KYC: Low, Medium, High (2026)

KYCAML By Ashish Jain · IIBF STORE Editorial · 13 July 2026 · Updated 13 Jul 2026 · 8 min read · 3 views
Customer Risk Categorisation in KYC: Low, Medium, High (2026)

🔍 What Is Customer Risk Categorisation in KYC?

Customer risk categorisation in KYC is the process by which a bank sorts every account holder into a Low, Medium, or High risk bucket at the time of onboarding, and then reviews that bucket at fixed intervals for as long as the relationship lasts. For IIBF candidates, this is one of the most exam-tested ideas in the KYC, AML and CFT paper because it sits at the junction of policy, operations, and monitoring. A bank cannot apply the same level of scrutiny to a salaried pensioner and to a cash-intensive bullion trader — risk categorisation is the mechanism that tells the branch how much attention each relationship deserves, how often documents must be refreshed, and how closely transactions should be watched.

Getting customer risk categorisation in KYC wrong has real consequences. Under-categorising a risky customer lets suspicious transaction patterns go unnoticed for years; over-categorising every ordinary customer as high risk overloads compliance teams and frustrates genuine account holders. The Reserve Bank of India's Master Direction on KYC requires banks to build a documented, risk-based approach rather than a one-size-fits-all checklist, and examiners test candidates on exactly where the boundaries between the three categories fall.

📊 The Three Risk Categories: Low, Medium, High

Banks classify every customer into one of three tiers based on identity, occupation, business activity, location, mode of payment, turnover, and manner of introduction. The table below summarises how the categories differ in practice — a frequent exam favourite because it packs several numbers into one place.

Risk CategoryTypical CustomerRe-KYC CycleTransaction MonitoringExtra Scrutiny Needed?
LowSalaried staff, government/PSU accounts, regulated bodiesEvery 10 yearsRoutine, system-based❌ No
MediumGeneral retail and small business accountsEvery 8 yearsRegular periodic review❌ No
HighNRIs, HNIs, trusts/NGOs, cash-intensive traders, non-face-to-face customersEvery 2 yearsClose, ongoing surveillance✅ Yes
💡 Exam Tip: Remember the periodicity ladder as 2-8-10 for High-Medium-Low. Questions frequently swap these numbers as distractors, so memorise the pairing exactly.
Key Concepts — KYC, AML and CFT
Key Concepts — KYC, AML and CFT

🏦 Factors Banks Use to Assign Risk Categories

No single attribute decides the tier — banks combine several factors before completing customer risk categorisation in KYC. Nature of business activity, expected turnover, source of funds, mode of payment, and geographic exposure all feed into the decision. A customer transacting with counterparties in a jurisdiction with weak controls, for example, is a classic country-risk trigger; candidates should study this alongside the deeper treatment of country risk and its link to money laundering exposure to see how geography alone can push an otherwise ordinary account into the high-risk bucket.

Delivery channel matters too: customers who never visit a branch and are onboarded entirely online or through intermediaries are treated with extra caution because identity verification is harder to anchor. Occupation and stated income versus actual account turnover is another classic mismatch flag — a low-declared-income account suddenly showing large, frequent cash credits invites a review of its risk tier regardless of the customer's original classification. Banks must also record the legal basis for these classification duties, which traces back to the domestic legal architecture; the chapter on legislation at the national level lays out exactly which statutes and directions oblige banks to categorise and monitor customers this way.

⚠️ Common Mistake: Students often assume risk categorisation happens only once, at account opening. In fact it is a living classification — any material change in the customer's profile, transaction behaviour, or ownership structure can trigger a fresh review before the scheduled cycle is due.

⏱️ Periodic Review and Re-KYC Timelines

The periodic re-verification cycle is directly tied to the outcome of customer risk categorisation in KYC: high-risk accounts are re-verified every two years, medium-risk accounts every eight years, and low-risk accounts every ten years, counted from account opening or the last update, whichever is later. Banks must proactively contact customers ahead of the due date rather than waiting for a walk-in, and inability to complete the update within a reasonable window can lead to restrictions on the account until documents are refreshed.

This tiered cycle also governs how deeply a bank probes beyond the base identity and address proof. High-risk files typically carry additional layers of verification and ongoing monitoring, a subject covered in full depth in the companion article on enhanced due diligence for high-risk customers. Where the risk arises specifically from unclear control or ownership structures — trusts, shell-like entities, or layered corporate holdings — the categorisation decision often hinges on the work described in the article on beneficial ownership identification, since an opaque ownership chain almost always pushes an account into the high-risk tier.

📌 Remember: A missed periodic update does not downgrade a customer's risk category — it typically escalates scrutiny, since an un-updated file is itself treated as a risk indicator by examiners and auditors alike.
Process & Framework — KYC, AML and CFT
Process & Framework — KYC, AML and CFT

🧾 Real-World Examples of High-Risk Profiles

IIBF papers love scenario-based questions built around who lands in the high-risk bucket. Typical examples include non-resident customers with limited physical presence, high-net-worth individuals with complex fund flows, trusts and charitable organisations that receive donations from multiple untraceable sources, companies with close family shareholding or nominee directors, partnership firms with "sleeping partners" who never interact with the branch, and individuals holding public office or close family ties to one — a category examined separately under politically exposed persons monitoring. Cash-intensive businesses such as bullion dealers, money changers, and casinos also sit permanently in the high-risk tier because of the volume of untraceable cash they handle.

On the other end, low-risk accounts are usually salaried employees of well-established companies, government departments, public sector undertakings, and regulators or statutory bodies whose funds are traceable and whose transaction behaviour is predictable. Everything that does not clearly fit either extreme — most ordinary retail and small-business accounts — defaults to the medium category, which is why medium-risk accounts form the bulk of any bank's book. Risk categorisation also interacts with the bank's broader defences against financial crime; where a high-risk profile later shows account-takeover or mule-account patterns, the response overlaps with the techniques covered under fraud management in banking, since risk tiering and fraud controls feed the same monitoring dashboard.

In Practice — KYC, AML and CFT
In Practice — KYC, AML and CFT

🧠 Practice MCQs: Customer Risk Categorisation in KYC

Q1. As per RBI's risk-based approach, how often must a bank complete periodic KYC updation for a high-risk customer? (a) Every 1 year (b) Every 2 years (c) Every 5 years (d) Every 10 years

Answer: (b) — High-risk accounts are re-verified every two years, the shortest cycle among the three tiers.

Q2. Which of the following is generally classified as a low-risk customer? (a) Bullion dealer (b) Non-resident HNI (c) Salaried employee of a well-known company (d) Trust receiving anonymous donations

Answer: (c) — Salaried employees with traceable, stable income are a standard low-risk example.

Q3. What is the periodic KYC updation cycle prescribed for medium-risk customers? (a) Every 2 years (b) Every 4 years (c) Every 8 years (d) Every 10 years

Answer: (c) — Medium-risk accounts sit between high and low risk and are reviewed every eight years.

Q4. A firm with "sleeping partners" who never visit the branch is typically categorised as: (a) Low risk (b) Medium risk (c) High risk (d) Risk-exempt

Answer: (c) — Partners who have no direct interaction with the bank are a classic high-risk indicator due to identity and control-verification gaps.

Q5. Which factor alone can push an otherwise ordinary account into a higher risk category during customer risk categorisation in KYC? (a) Long account tenure (b) Salary credited monthly (c) Exposure to a jurisdiction with weak AML controls (d) Holding a savings account

Answer: (c) — Country and geographic risk is an independent trigger that can override an otherwise low or medium profile.

Want chapter-wise mock tests with 100+ MCQs? Start practising free →

Frequently Asked Questions

Who decides the risk category of a bank customer?

The bank's branch or central compliance team assigns the category at account opening based on the customer's profile, business activity, and documentation, following the risk-based policy approved by the bank's board.

Can a customer's risk category change after account opening?

Yes. Any material change in occupation, transaction pattern, ownership structure, or adverse information can trigger a re-assessment before the scheduled periodic review is even due.

Does a higher risk category mean the account will be closed?

No. A high-risk tag means closer monitoring and more frequent document updation, not automatic closure — the account continues as long as the customer cooperates with verification requirements.

Is customer risk categorisation in KYC a one-time exercise?

No. It is reviewed on a fixed cycle — two years for high risk, eight for medium, and ten for low risk — and can be revisited earlier if the customer's profile changes materially.

Conclusion: Master This Topic Before Exam Day

Customer risk categorisation in KYC is a compact but high-yield topic: know the three tiers, the 2-8-10 review cycle, and the standard examples of who falls where, and you can confidently handle both direct recall questions and scenario-based ones. Pair this article with the companion pieces on high-risk due diligence and ownership verification, then test your recall under exam conditions with a full-length paper on the CAIIB course page or browse more topics on the KYC, AML and CFT tag hub to keep building your score.

Quick quiz

Quick quiz on this topic

5 exam-style questions from our free test bank — check yourself before you move on.

KYC, AML and CFT · 5 questions · instant result
Q1. Mr. X deposits Rs. 7 lakh cash in his personal savings account and the same month deposits Rs. 5 lakh cash in his proprietary firm M/s. XX, plus Rs. 4 lakh cash in M/s. XYZ, a partnership firm in which he is a partner. For integrally connected CTR aggregation, which combination is counted together?
Q2. Rule 8(4) of PMLR and Section 13 of PMLA together govern the consequences of reporting failures. Which statement is correct?
Q3. A branch officer notices that a customer made three separate cash deposits of Rs. 4 lakh, Rs. 3.5 lakh and Rs. 3 lakh (all credits) into his accounts during the same calendar month. None of the single deposits crosses Rs. 10 lakh. How should this be treated for CTR reporting?
Q4. After an STR is filed on a customer's account, a junior officer suggests freezing the account and informing the customer to deter further laundering. As per the KYC Master Directions described in the chapter, what is the correct conduct?
Q5. A proprietor deposits cash of ₹4 lakh, ₹3.5 lakh and ₹4 lakh on three different dates of the same calendar month into his proprietorship account, all as receipts. No single deposit crosses ₹10 lakh. What is the bank's primary obligation under PMLR?
Next step

Practice this topic

Ready to put this into practice?

Take a free mock test, download chapter PDFs, or watch a video class — all included on iibf.store.

Keep reading