

October 5, 2022

What is Risk Rating Policy in KYC?

High-risk customer KYC is as necessary as low-risk customer KYC. This article covers how a risk rating policy works and the factors that affect risk rating.

Financial lenders have a big problem on their hands. As a financial lender, how do you know if a borrower will pay you back within the stipulated period? How does a digital lender ensure that the customer pays the whole amount, with the interest levied? How do you know if it is a high-risk customer KYC? The responsibility falls on risk assessment models that help predict, very accurately and with little bias, the probability of borrowers defaulting on their loans, based on their credit history and their overall creditworthiness (in terms of education, employment, salary, etc.) at the time of application. The risk rating is generated as a number or a symbol (to mark different ranges).

Risk rating models

To assess the overall credit risk for any transaction ranging from high to low risk for customer KYC, companies generally focus on different credit risk components. They are:

  • Probability of default - The probability that a borrower will default on a loan or not be able to pay it back at all.
  • Exposure at default - This defines the extent of loss that will be faced by a digital lender if and when the borrower defaults on the loan.
  • Loss given default - This is the extent of loss for a digital lender also taking into account any repayment that has been made before a default is declared. 
  • Effective maturity - The average number of years that will be required for repayment of each principal amount weighted by the principal amount.

For the probability of default component, there are two types of risk estimation methods:

  • Statistical method 
  • Judgemental method

The judgemental method relies on a credit risk evaluator to judge whether the person is eligible for a loan. The statistical method uses a mathematical equation to solve the problem. It is much faster and provides a more quantitative decision on whether it is a high-risk customer KYC, to increase the feasibility of a loan.

The process of risk rating

As outlined by RBI, there is a risk rating process that all banks must follow based on a CRF (Credit risk rating framework). The CRF assigns a number or grade or symbol as an indicator of the risks associated with an exposure. The rating system also provides a means to assess the tenure of assistance provided to the borrower post KYC.

Within the bank too, the credit approval process depends on the CRF rating. The CRF could be designed such that the risk rating has some connection with the tenure of the loan, the amount disbursed and the pricing on exposure. These may be defined empirically or developed over a period of time. Any decision related to amount, tenure, and eventual rejection or approval of the loan depends on the risk rating (high, medium or low) defined at the time of customer KYC.

The credit risk staff would follow up on an automated system’s approval or rejection and may sometimes even override a rejection (on customer’s request). This application is then forwarded to a higher level credit risk assessment team. At the time of final assessment, the credit risk is re-affirmed or is re-calibrated according to other factors and a high or low risk rating is generated for the customer KYC. The CRF score and operating guidelines may be updated or upgraded respectively for ease of process. The CRF thus is incrementally upgradeable and changes in the lending environment directly affect it. The credit surveillance process can also make use of the credit risk ratings. Remedial action may be taken at any time.

Factors that impact risk rating

Risk rating models are affected by several factors. Some of these factors are mathematical in nature (objective), whereas others are based on a person's judgment and are very subjective. Financial institutions, specifically digital lenders, may also combine subjective and objective elements to arrive at a final decision on the credit.

  1. Judgment vs. Statistical

If there is a dearth of data, difficulty in accessing or storing it, or inaccuracy in it, then the digital lender may combine human judgment with the data. Most data-driven decision-making systems use predictive analytics driven by AI, are very accurate during the high-risk customer KYC process, and generate accurate risk ratings.

  2. Borrower’s Financial Health

When assessing a borrower’s financial health, digital lenders look at several points:

  • Leverage ratios (also referred to as solvency ratios) decide the extent of the long-term financial responsibilities a company or an individual has.
  • Profitability ratios allow the financial institution to decide whether the business is profitable or not. They look at the operating margin, the return on invested capital, etc.
  • Cash flow ratios are a measure of the capability of an individual or business to pay off the obligations faced by them. An example is the cash flow to net income ratio.

  3. Industry Characteristics

A borrower’s capability to pay off a loan, especially a company’s, may also be affected by the industry it is in and by other macroeconomic factors.

For example: In an industry where the barriers to entry are relatively low, the cash flow generation of the company may be subject to huge risks.

In a commoditized industry too, the cash flow generation may not be steady. A company’s credit worthiness is also determined by the business cycle or the current state of the industry.

  4. Management’s Quality and Reliability

The management’s past experience is also a factor in understanding the creditworthiness of a company. If the management is experienced and has made great decisions in the past, then the digital lender’s credit decision will be favorable and the risk rating will be low. In the case of an individual, the credit decision would be based on past experience and educational qualifications during a high-risk customer KYC.

  5. Political and Environmental Risks

Risk rating models also use additional categories of risk factors, such as political risks (the risk of war, a change in laws, etc.) and environmental risks, or the financial penalties that may result from destruction of the environment by the company. In the case of disasters or wars, every KYC done from an affected country will be considered a high-risk customer KYC.

Risk rating matrix and likelihood


A risk assessment matrix first measures the likelihood of an event (delayed payment, default, industry or political changes) on a scale, and then sets it against the acceptability of the event on a scale of severity. As the likelihood of an event increases, and if the severity associated with it is high, it is classified as a higher-risk event. These are represented by pink in the above table. Beige represents medium-risk events and the coral green color represents low-risk events.

Please note that the above risk rating matrix is a simplified one and usually there are five levels on the scale of likelihood and five levels of severity as well.


A risk rating policy helps equip the digital lender to support a diverse crowd of borrowers across industries and income levels. The classification on varied risk ratings ranging from very high to very low helps the financial institution make decisions that are useful and credible once customer KYC is done. But having a credit risk rating in place may not be enough. There’s a lot of documentation for every borrower and to verify the legitimacy of a business, it must be ensured that the data is captured appropriately. HyperVerge’s OCR solutions can help you negotiate the bends and curves on the highway to customer acquisition by making the KYC process and onboarding much easier.


What are the five risk rating levels in a full fledged risk rating matrix?
  1. Highly likely - The likelihood of the event is very high.
  2. Likely - The likelihood of the event is medium.
  3. Possible - The chance of occurrence of the event is 50%.
  4. Unlikely - It is unlikely the event will happen.
  5. Highly unlikely - It is highly unlikely that the event will happen.

The range of each level depends on the way the risk rating is designed and will vary on a case-to-case basis.
What is meant by risk rating?
Risk rating involves assessing the risks involved in a credit transaction based on how well the business is doing and measuring their impact.
Is KYC risk rating customer focused or company focused?
The KYC risk rating could be calculated from a customer’s perspective (whether the person will default) or from the perspective of the institution (if it is possible to manage debts) that is dispensing the loan.
What are some of the treatment options for credit risk?
Based on the risk assessment and the ratings, there are four main things a financial institution can do to treat risk:

  • Accept the risk: A financial institution may accept the risk and proceed with the disbursal.
  • Mitigate the risk: Reducing the amount or increasing the tenure to reduce the possibility of default is an example of mitigating the risk involved.
  • Reject the proposal: It may decide not to proceed with the borrower at all.
  • Transfer the risks to a third party: It may also place the risks on the shoulders of a third party that is willing to take them on for the sake of the borrower.