67. The bank should have a thorough understanding of all the risks associated with its customers across the group, either individually or as a category, and should document and update these on a regular basis, commensurate with the level and nature of risk in the group. In assessing customer risk, a bank should identify all relevant risk factors such as geographical location and patterns of transaction activity (declared or self-stated) and usage of bank products and services and establish criteria for identifying higher-risk customers. These criteria should be applied across the bank, its branches and its subsidiaries and through outsourced activities (see Annex 1). Customers that pose a higher risk of ML/FT to the bank should be identified across the group using these criteria. Customer risk assessments should be applied on a group-wide basis or at least be consistent with the group-wide risk assessment. Taking into account differences in risks associated with customer categories, group policy should recognise that customers in the same category may pose different risks in different jurisdictions. The information collected in the assessment process should then be used to determine the level and nature of overall group risk and support the design of appropriate group controls to mitigate these risks. The mitigating factors can comprise additional information from the customer, tighter monitoring, more frequent updating of personal data and visits by bank staff to the customer location.