by Matt Rizzo

August 24, 2022

Five Steps to Managing AML Customer Risk

Managing AML risk at the customer level is a fundamental component of an effective Anti-Money Laundering strategy. Here are five steps to ensure you remain on top of your AML obligations.

A risk-based approach (RBA) to anti-money laundering is proven to be the most effective and efficient methodology and is the cornerstone of AML guidelines published by international organisations such as the FATF, and local organisations such as CCAB. In terms of customer due diligence, the RBA means that not all clients should be assigned the same level of checks and scrutiny. Clients should be divided into risk categories such that more attention can then be given to high-risk clients. Whether you work for a financial institution or a DNFBP in sectors such as accountancy, legal, tax advisory or real estate, this article explores five steps that can be followed to ensure that customer risk is being handled efficiently and effectively.

Step 1: Define the Customer Risk Assessment (CRA) Methodology

The starting point is defining the Customer Risk Assessment methodology. This includes identifying the factors that go into a risk assessment, the scores allocated to each risk factor and how the various risk scores are rolled up into an overall customer risk score.

Risk factors typically include attributes related to the client, jurisdiction, service/product, transaction, and delivery channel. In the case of corporate clients, you also need to decide how related parties affect the risk of the client. For example, the residence of the UBO is typically included as a factor within the jurisdiction risk associated with a company. But what about directors or minority shareholders? This depends on your risk policy.

For every risk factor you also need to define what values are to be considered high, medium, or low risk. This is usually done via a scoring system of 1-10 or 1-100 where each option is assigned a score based on how risky it is.

Finally, a formula that defines how the individual risk factors and their scores are used to generate the overall risk score needs to be defined. This could be a weighted average across all factors, or could include rules where certain risk factors automatically trigger an overall high-risk result at the customer level (e.g., if the client is a PEP, the customer’s risk should automatically be considered to be high).

The CRA methodology defines the blueprint that is used to eventually stratify clients by risk. If you are using a manual system, you will probably define this methodology as a set of rules and formulas within a spreadsheet which you would then use as a template to generate a CRA for every client. A manual or spreadsheet-based system is not always a good idea. A better approach would be to have specialised AML software which allows you to configure all the rules within your CRA methodology. Such software needs to be easy to set up but also powerful enough to support complex rules and flexible enough to adapt to your methodology.

Step 2: Stratify Clients by Risk

The next step is to stratify all clients into different risk classifications. The inputs to this process are the CRA methodology explained in the previous step and the client information collected.

The good news about this step is that using the right technology, this process can be simplified drastically. To begin with, you should have a centralised customer database containing all the information required to be able to generate the risk score. This information should include structure charts to be able to identify shareholding and ultimate beneficial owners.

Once all the data is collected, specialised AML software can automate the process of applying the CRA methodology across the entire client base and generate a risk classification for each client.
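The scoring scheme described in Step 1 (per-factor scores on a 1-10 scale, a weighted average, and rules that force a high-risk result regardless of the average) and the stratification in Step 2 can be expressed in a few dozen lines. The following Python is an added illustration written for this article; it is not code from InScope-AML or any other product. All factor scores, weights, band thresholds, country scores and client records are constructed for the example and would be replaced by the firm's own risk policy. The last function also shows what happens when a jurisdiction's score is raised after the fact, which is the kind of re-assessment the ongoing-monitoring step later describes.

```python
from dataclasses import dataclass, field

# Constructed per-factor scores on a 1-10 scale (assumption: a real methodology
# sets these from the firm's own risk policy, not from this table).
FACTOR_SCORES = {
    "client_type": {"individual": 3, "company": 5, "trust": 8},
    "service": {"bookkeeping": 2, "tax_advisory": 4, "company_formation": 6},
    "delivery_channel": {"face_to_face": 2, "remote": 6},
}
# Constructed jurisdiction scores keyed by country code; unknown countries get 5.
JURISDICTION_SCORES = {"DE": 2, "MT": 2, "GB": 2, "PA": 7}
UNKNOWN_JURISDICTION_SCORE = 5

# Relative weight of each factor in the weighted average (constructed).
WEIGHTS = {"client_type": 1, "jurisdiction": 2, "service": 1, "delivery_channel": 1}

# Overall score bands: below 4 is low, below 7 is medium, otherwise high.
BANDS = [(4.0, "low"), (7.0, "medium"), (float("inf"), "high")]


@dataclass
class Party:
    """A related party (here: a UBO) whose residence feeds the jurisdiction risk."""
    name: str
    residence: str
    is_pep: bool = False


@dataclass
class Client:
    name: str
    client_type: str
    residence: str
    service: str
    delivery_channel: str
    ubos: list = field(default_factory=list)
    is_pep: bool = False


# Rules that force a high-risk result irrespective of the weighted average.
OVERRIDE_RULES = [
    ("client is a PEP", lambda c: c.is_pep),
    ("a UBO is a PEP", lambda c: any(u.is_pep for u in c.ubos)),
]


def jurisdiction_score(client):
    """Policy choice (assumption): take the riskiest of the client's own
    residence and every UBO's residence."""
    countries = [client.residence] + [u.residence for u in client.ubos]
    return max(JURISDICTION_SCORES.get(c, UNKNOWN_JURISDICTION_SCORE) for c in countries)


def factor_scores(client):
    return {
        "client_type": FACTOR_SCORES["client_type"][client.client_type],
        "jurisdiction": jurisdiction_score(client),
        "service": FACTOR_SCORES["service"][client.service],
        "delivery_channel": FACTOR_SCORES["delivery_channel"][client.delivery_channel],
    }


def assess(client):
    """Return the overall score, the risk category and the reason for it."""
    scores = factor_scores(client)
    weighted = sum(WEIGHTS[f] * s for f, s in scores.items()) / sum(WEIGHTS.values())
    result = {"score": round(weighted, 2), "factors": scores}
    for reason, rule in OVERRIDE_RULES:
        if rule(client):
            return {**result, "category": "high", "reason": reason}
    for upper, label in BANDS:
        if weighted < upper:
            return {**result, "category": label, "reason": "weighted average"}


def stratify(clients):
    """Group client names by risk category (Step 2)."""
    buckets = {"low": [], "medium": [], "high": []}
    for c in clients:
        buckets[assess(c)["category"]].append(c.name)
    return buckets


def reassess_after_jurisdiction_change(clients, country, new_score):
    """Raise (or lower) a country's score and report clients whose category moved."""
    before = {c.name: assess(c)["category"] for c in clients}
    JURISDICTION_SCORES[country] = new_score
    after = {c.name: assess(c)["category"] for c in clients}
    return [(n, before[n], after[n]) for n in before if before[n] != after[n]]


# Constructed sample client base.
SAMPLE_CLIENTS = [
    Client("Alpha Person", "individual", "DE", "bookkeeping", "face_to_face"),
    Client("Beta Ltd", "company", "MT", "company_formation", "remote",
           ubos=[Party("B. Borg", "MT")]),
    Client("Gamma Trust", "trust", "GB", "company_formation", "remote",
           ubos=[Party("C. Cruz", "PA")]),
    Client("Delta Ltd", "company", "MT", "bookkeeping", "face_to_face",
           ubos=[Party("D. Debono", "MT", is_pep=True)]),
]

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c.name, assess(c))
    print(stratify(SAMPLE_CLIENTS))
    print(reassess_after_jurisdiction_change(SAMPLE_CLIENTS, "PA", 9))
```

Delta Ltd has a low weighted average but lands in the high band because of the PEP override rule, which is exactly the "automatic trigger" behaviour Step 1 describes; Gamma Trust sits in the medium band until the constructed score for its UBO's country is raised, at which point it crosses into high.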

Step 3: Enforce checks based on risk

The biggest advantage of categorising clients by risk is that you can now give more focus to those with a higher risk classification. This is where concepts such as Enhanced Due Diligence (EDD) come into play. High-risk clients may trigger the need to collect additional documentation, collect more detailed information or implement more frequent reviews. There are a variety of ways in which this can be implemented, but let’s limit ourselves to just one example.

If you have been commissioned to assist in the setting up of a company, you need to understand what the proposed business activities will be and whether the individuals have the right background that enables them to run such a business. During onboarding you may have asked about their professional experience and left it at that. However, if the CRA results in this client being classified as a high risk, you may need to go into more detail. For example, you may want to ask for a detailed CV; references from past business associates or employers; or proof of previous employment.

Once again, technology can simplify this process drastically by immediately triggering a set of warnings and tasks to be carried out as soon as a client is stratified as a high-risk client.

Step 4: Reviewing the bigger picture

Once you have your risk policy in place, your clients classified, and your EDD processes applied, you can generate meaningful reports that highlight trends across your client base. For example, you could identify how many of your clients are high-risk, how many cash-intensive businesses are in your portfolio, or the breakdown of your clients and their UBOs by jurisdiction.

This information can help drive decisions to reduce your AML exposure, or highlight areas that might need further attention. One key metric, for example, is the ratio between high-risk and low-risk clients. A very low ratio (or a scenario where no clients are identified as high risk at all) may indicate the need for a tweak in the risk policies. This is because having a set of clients that are deemed to pose a higher risk is a good thing – it allows you to focus more effort on this subset of clients, in line with the concept of a risk-based approach. On the other hand, a high ratio of high-risk clients may be outside your organisation’s level of comfort and may be exposing your organisation to a higher level of risk. In this case, you may want to embark on a de-risking exercise to bring the client base within acceptable parameters in line with your risk appetite.

Having a process, or applying the right technology, to generate such statistics allows you to improve your processes and become more efficient. Moreover, in some jurisdictions, such reports can also be useful in answering queries or questionnaires issued by authorities, supervisors or oversight bodies.

Step 5: Ongoing Monitoring

Managing the AML risk that clients pose to your organisation is not a one-time activity. Processes and customer risk scores need to be maintained via a process of ongoing monitoring. There are several scenarios that you need to consider throughout your business relationship with a client. For example:

  1. You need to keep tracking changes to client information and update your risk classification accordingly. For example, a share transfer from a UBO in a low-risk jurisdiction to one in a high-risk jurisdiction may move the client into a different risk category and unlock new requirements in line with your Enhanced Due Diligence policies.
  2. External changes could also trigger a client moving from one risk category to another. For example, the inclusion of a country in the FATF list of High-Risk and Other Monitored Jurisdictions, may mean that clients with UBOs from this jurisdiction are now considered to carry a higher risk.
  3. You need to make sure that all documentation remains up to date, including collecting identification documents when the copies you have on file have expired.
  4. External sources of information about your client also need to be monitored to determine whether sanctions have been issued against the client; whether any adverse media about the client has been published; or whether the client has become politically exposed.
  5. There may also be instances that trigger an internal policy or methodology change. For example, once your processes mature you may want to start considering more variables within the CRA methodology or you may want to treat a scenario differently. Once a change to the CRA methodology is implemented, clients may need to be reassessed and the outcome may trigger EDD requirements for a new set of clients.

Ongoing monitoring is one of the more costly elements of managing client risk because it involves a lot of repetition; however, that is also what makes it a prime candidate for automation. Specialised AML software can go a long way in simplifying these tasks. For example, changes to client data, internal risk policies or external factors such as jurisdiction reputation can automatically flag the clients that require a different risk classification. Another use of technology is alerts, which can be set up to provide advance warning when documents are about to expire. Finally, a fundamental piece of technology is the ability to set up ongoing daily monitoring of your clients against sanction lists, PEP and adverse media databases.


These five steps capture a comprehensive process for managing customer risk, and include tasks related to planning the risk methodology, classifying clients, applying EDD measures as applicable, reporting, tweaking the risk methodology parameters, and keeping on top of any changes via ongoing monitoring. While some steps may seem complex and daunting, leveraging specialised AML software such as InScope-AML can reduce the effort required at all steps, making it easier to stay on top of your compliance obligations.

For more information about InScope-AML, please download our eBook here.

If you are interested in scheduling a one-on-one discussion with one of our consultants, you can book a call here.

Or schedule a demo for an in-depth look into InScope-AML.
