Lesson 05 of 9

Customer Risk Rating & Scoring Models

4 min read · KYC Analyst

Turn everything you've gathered into a defensible risk rating. You'll score the four core factors — product, geography, channel, and customer type — separate inherent from residual risk, and learn the discipline behind weighting, methodology, and analyst overrides.

Why we rate risk at all

  • The whole system is risk-based (FATF Rec. 1)
  • You can't treat every customer the same
  • The rating decides how much diligence and monitoring they get

Everything in modern AML rests on a single idea: the risk-based approach, set out in FATF Recommendation 1 and echoed in FinCEN's CDD Rule. You can't apply the same intensity of scrutiny to every customer — there aren't enough analysts on earth — so you concentrate effort where the risk is highest. The customer risk rating is how you make that call.

It's a score, usually low, medium, or high, that drives real consequences: how much due diligence the customer gets, whether enhanced due diligence kicks in, and how often you'll review the file. Rate too low and you're blind to a real threat; rate too high and you waste scarce resources and may unfairly de-bank someone. Calibration is the craft.

The four core risk-factor categories

  • Product / service — cash-intensive, cross-border, private banking
  • Geography — high-risk and sanctioned jurisdictions
  • Channel / delivery — face-to-face vs remote / third-party
  • Customer type — MSBs, cash businesses, PEPs, complex structures

Risk factors group into four buckets you should be able to recite. First, product and service risk: cash-intensive products, wire transfers, trade finance, correspondent accounts, and private banking carry more risk than a basic savings account. Second, geographic risk: customers connected to high-risk or sanctioned jurisdictions, or to countries FATF flags under Recommendation 19, score higher.

Third, channel or delivery risk: a customer onboarded face-to-face is generally lower risk than one onboarded remotely or through a third-party introducer, where impersonation is easier. Fourth, customer-type risk: money services businesses, cash-intensive businesses like casinos, PEPs, and complex or opaque ownership structures all raise the score. Every framework you'll meet is some version of these four.

Inherent vs residual risk

  • Inherent risk — the risk before any controls
  • Controls — screening, EDD, monitoring, limits
  • Residual risk — what's left after controls are applied
  • Residual risk is what you actually manage

Now a distinction examiners and interviewers love. Inherent risk is the risk a customer poses before you apply any controls — raw exposure based on those four factor categories. But you don't leave it there.

You apply controls: enhanced screening, EDD, transaction limits, more frequent review. Residual risk is what remains after those controls. So a customer might be high inherent risk — say a foreign PEP — but with strong EDD and close monitoring, the residual risk you're actually carrying is acceptable.

The point of a rating model is to make inherent risk visible so you can apply the right controls and bring residual risk down to a level the institution has decided it can tolerate.

Methodology: weighting and scoring

  • Each factor scored, then weighted by importance
  • Weights reflect the institution's risk appetite
  • Combine into an overall low / medium / high rating
  • Documented, consistent, and repeatable — not a gut feel

How does a rating get built? A model assigns a score to each risk factor, then weights those scores by how much each matters to the institution. A sanctions-nexus factor will carry far more weight than, say, the customer's tenure.

The weighted scores combine into an overall rating — low, medium, or high — against thresholds the institution sets based on its risk appetite. The two things examiners check: is the methodology documented, and is it applied consistently, so two analysts looking at the same customer reach the same rating? A risk rating is a defensible, repeatable calculation, not a gut feeling.

If you can't explain in writing why a customer scored where it did, the model isn't doing its job.

Overrides — and their discipline

  • Analysts can override the model's output — up or down
  • Override requires documented rationale and, usually, approval
  • Downgrades get the most scrutiny
  • Every override is part of the audit trail

Models are blunt, so analysts can override the automated rating — but with discipline. Sometimes you override up: the model says medium, but you've found credible adverse media, so you raise it to high. Sometimes you override down: the model flags geographic risk, but you've confirmed the activity is fully explained and legitimate.

Either way, an override must carry a documented rationale, and downgrades typically require senior approval, because that's where abuse and error hide. Every override is recorded in the audit trail. The lesson: your judgment matters, but it has to be visible and justified.

An undocumented downgrade is exactly the kind of thing an examiner — or an interviewer probing your judgment — will home in on.
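As an added example (not the course's own material), this Python sketch puts the methodology and override discipline described above into working form: each of the four factor categories gets a score, the scores are weighted and mapped onto low / medium / high thresholds, and any analyst override must carry a rationale, needs an approver when it is a downgrade, and is written to the audit trail alongside the model's own output. The weights, thresholds and the 1 to 5 factor scale are constructed placeholders, not any institution's real parameters.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds for illustration only; a real institution
# sets these from its documented risk appetite (geography weighted highest here).
WEIGHTS = {"product": 0.25, "geography": 0.35, "channel": 0.15, "customer_type": 0.25}
THRESHOLDS = [(2.0, "low"), (3.5, "medium")]  # score < 2.0 -> low, < 3.5 -> medium, else high
LEVELS = ["low", "medium", "high"]

def inherent_score(factors):
    """Weighted sum of per-factor scores (each 1..5); every category must be scored."""
    if set(factors) != set(WEIGHTS):
        raise ValueError("all four factor categories must be scored")
    if any(not 1 <= v <= 5 for v in factors.values()):
        raise ValueError("factor scores must lie between 1 and 5")
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS), 2)

def rating_for(score):
    """Map a weighted inherent score onto the institution's rating thresholds."""
    for limit, label in THRESHOLDS:
        if score < limit:
            return label
    return "high"

@dataclass
class RiskRating:
    customer_id: str
    factors: dict
    score: float = field(init=False)
    model_rating: str = field(init=False)
    rating: str = field(init=False)
    audit_trail: list = field(default_factory=list)

    def __post_init__(self):
        # Record the model's output first so every later override can be compared to it.
        self.score = inherent_score(self.factors)
        self.model_rating = rating_for(self.score)
        self.rating = self.model_rating
        self.audit_trail.append(f"model: score={self.score} rating={self.model_rating}")

    def override(self, new_rating, analyst, rationale, approver=None):
        """Analyst override: written rationale always required, approval required for downgrades."""
        if not rationale.strip():
            raise ValueError("override requires a documented rationale")
        downgrade = LEVELS.index(new_rating) < LEVELS.index(self.rating)
        if downgrade and not approver:
            raise PermissionError("downgrade requires senior approval")
        self.audit_trail.append(f"override by {analyst}: {self.rating}->{new_rating}; rationale={rationale!r}; approver={approver}")
        self.rating = new_rating
        return self.rating
```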

Recap

  • Risk-based approach: rate so you can prioritize
  • Four factors: product, geography, channel, customer type
  • Inherent risk minus controls = residual risk
  • Document the methodology; justify every override. Next: EDD

Let's recap. Risk rating exists because the whole system is risk-based — you prioritize scrutiny where it's needed most. You score four factor categories: product, geography, channel, and customer type.

You separate inherent risk from residual risk, the part left after controls. The methodology must be documented, weighted, and consistent, and any analyst override needs a written rationale and an audit trail. A high rating doesn't end the process — it starts the next one.

When risk is high, you go deeper, and that deeper dive is enhanced due diligence. Test yourself on risk rating, then join me for lecture six. Nail this lecture and you'll find the rest of the role clicks into place, because almost every downstream decision flows from the rating you set here.

Sources

  • FFIEC BSA/AML Examination Manual (Risk Assessment / Customer Risk Rating)
  • 31 CFR 1010.230 (CDD Rule — risk-based procedures)
  • FATF Recommendation 1 (risk-based approach)
  • FATF Recommendation 10 (CDD)

Test your knowledge

A few KYC Analyst questions on this material.

  1. A bank relies on a third-party automobile dealer to perform CIP for customers taking out auto loans. Which statement correctly describes the bank's legal position?

  2. During digital onboarding, the eIDV system returns a score indicating only a partial data match and the liveness check flags a possible injection attack. What is the analyst's most defensible next step?

  3. An analyst reviews an ID submitted during onboarding and notices the photo appears digitally pasted, the font spacing is inconsistent, and the hologram does not shift color under tilt. What is the correct characterization?

  4. Under FinCEN's CDD Rule, which two prongs together define the beneficial ownership requirement for a legal-entity customer?
