Customer risk rating is the part of customer due diligence that scores each customer's money-laundering risk so the program can treat customers differently. It combines who the customer is, where they are, what products they use, and how they behave into a rating, usually low, moderate, or high. The rating sets the depth of due diligence, the monitoring applied, and whether enhanced due diligence is required, and it is supposed to update as the customer's activity changes.
Risk-based compliance only works if customers are sorted by risk, and customer risk rating is the sort. It is where the enterprise risk assessment meets a real account: the institution's view of which products, geographies, and customer types are risky, applied to the specific person or business in front of it. Get the rating right and due diligence, monitoring, and review effort flow to the customers who warrant them. Get it wrong and the program spends attention evenly on customers who do not need it and misses the ones who do.
What customer risk rating is
Customer risk rating assigns each customer a money-laundering risk level that drives how the institution handles the relationship. It is a requirement of risk-based customer due diligence under FinCEN's CDD rule (31 CFR 1010.230), which expects institutions to understand the nature and purpose of customer relationships and to conduct ongoing monitoring. A rating is the mechanism that turns those expectations into different treatment for different customers.
The inputs
A rating combines several risk factors. The categories below are standard; the weight each carries is specific to the institution's own risk profile.
| Factor | Examples that raise risk |
|---|---|
| Customer type and occupation | Cash-intensive businesses, money services businesses, and complex or opaque ownership structures. |
| Geography | Customers, counterparties, or activity tied to sanctioned or high-risk jurisdictions, or domestic high-intensity financial-crime areas. |
| Products and services used | International wires, prepaid access, virtual currency, and other products that move value quickly or across borders. |
| Channel | Non-face-to-face onboarding and relationships intermediated by a third party or platform. |
| Status flags | Politically exposed person status, negative news, and prior suspicious activity. |
| Expected activity | A profile of expected volume and behavior at onboarding, against which actual activity is later compared. |
Building the model
Most programs score these factors into a rating in one of two ways. A weighted-points model assigns each factor a score and a weight and sums them into a tier. A matrix model maps combinations of factors to a rating using defined rules. Either is defensible. What matters is that the logic is written down, applied consistently, and produces a rating a reviewer can reproduce. Define what low, moderate, and high mean before rating anyone against them.
What the tiers trigger
The rating only matters if it changes how the customer is handled.
- Low risk warrants standard due diligence and baseline monitoring.
- Moderate risk warrants closer attention and tighter monitoring thresholds.
- High risk warrants enhanced due diligence, additional information about the source of funds and purpose, closer ongoing monitoring, and often senior approval to open or keep the account.
A rating that never changes the depth of diligence or the monitoring applied is decorative, and an examiner reads it that way.
Dynamic re-rating
A risk rating set at onboarding and never revisited goes stale. Ratings should update on a periodic cycle and on trigger events: a change in the customer's business, a new product, a move into a higher-risk geography, a hit in screening, or activity that diverges from the expected profile. The comparison of expected activity to actual activity is one of the most useful re-rating signals a program has, and it ties customer risk rating directly to transaction monitoring.
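The weighted-points model from "Building the model" and the trigger-based re-rating described above, as one added example (not code from the original page). The factor values, points, weights and tier cut-offs are constructed for illustration, as is the expected-versus-actual activity comparison that feeds the "activity" factor; a real program documents its own.

```python
"""Weighted-points customer risk rating with trigger-based re-rating.
Added example, not from the original page; factor values, points, weights and
tier cut-offs are constructed for illustration, not taken from any rule."""

# Points per factor value. A factor may carry several values (e.g. several
# products); scoring takes the highest, so a single high-risk product dominates.
FACTOR_POINTS = {
    "customer_type": {"individual": 1, "retail_business": 2, "cash_intensive": 4, "msb": 5},
    "geography": {"domestic": 1, "domestic_hifca": 3, "high_risk_jurisdiction": 5},
    "products": {"deposit_account": 1, "domestic_wires": 2, "international_wires": 4, "virtual_currency": 5},
    "channel": {"face_to_face": 1, "remote": 3, "third_party": 4},
    "status_flags": {"none": 0, "negative_news": 3, "pep": 5, "prior_sar": 5},
    "activity": {"as_expected": 0, "volume_exceeds_profile": 3, "unexpected_international": 4},
}
WEIGHTS = {"customer_type": 0.20, "geography": 0.20, "products": 0.20,
           "channel": 0.10, "status_flags": 0.15, "activity": 0.15}
# Tier cut-offs on the weighted 0-5 score, written down before anyone is rated.
TIERS = [(1.5, "low"), (3.0, "moderate"), (float("inf"), "high")]


def score(profile):
    """Weighted sum of the highest-risk value in each factor, rounded to 2 dp."""
    return round(sum(w * max(FACTOR_POINTS[f][v] for v in profile[f]) for f, w in WEIGHTS.items()), 2)


def tier(s):
    return next(name for cutoff, name in TIERS if s < cutoff)


def rerate(profile, expected, actual, events):
    """Re-rate on a periodic cycle or trigger event; returns (profile, tier, reasons).
    events: (factor, value) pairs seen since the last rating, e.g. a screening hit
    or a new product. expected/actual: onboarding activity profile vs observed."""
    new = {f: list(v) for f, v in profile.items()}  # copy; keep the prior rating's inputs intact
    reasons = [f"trigger event: {f}={v}" for f, v in events]
    for f, v in events:
        new[f].append(v)
    # Expected-vs-actual comparison: the re-rating signal tied to transaction monitoring
    if actual["monthly_volume"] > 2 * expected["monthly_volume"]:
        new["activity"].append("volume_exceeds_profile")
        reasons.append(f"volume {actual['monthly_volume']} vs expected {expected['monthly_volume']}")
    if actual["international"] and not expected["international"]:
        new["activity"].append("unexpected_international")
        reasons.append("international activity not in expected profile")
    return new, tier(score(new)), reasons


if __name__ == "__main__":
    onboarding = {"customer_type": ["cash_intensive"], "geography": ["domestic_hifca"],
                  "products": ["deposit_account", "domestic_wires"], "channel": ["remote"],
                  "status_flags": ["none"], "activity": ["as_expected"]}
    print(score(onboarding), tier(score(onboarding)))  # 2.1 moderate
    print(rerate(onboarding, {"monthly_volume": 50_000, "international": False},
                 {"monthly_volume": 160_000, "international": True}, [("status_flags", "negative_news")])[1:])
```

Because the cut-offs and weights are constants, a reviewer can reproduce any rating by hand from the customer's recorded factor values, which is the consistency property the text asks for.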
Where customer risk rating fails an exam
- Collected but not used. The information feeds a rating that drives nothing downstream.
- Everyone is moderate. The model lacks the spread to distinguish real risk, so it sorts nothing.
- Static. Ratings are set once and never refreshed as the customer changes.
- Disconnected from monitoring. A high rating does not actually result in closer monitoring or enhanced due diligence.
Customer risk rating is small and load-bearing. Keep the model explicit, make sure each tier changes how the customer is treated, and re-rate as the relationship changes. For where the rating fits the wider program, see the fifth pillar, customer due diligence; for the institution-level view it draws on, see the BSA/AML risk assessment guide.
Primary sources
- 31 CFR 1010.230: Beneficial ownership requirements for legal entity customers (the CDD rule, effective 2018).
- 31 CFR 1020.210: Anti-money laundering program requirements for banks (the program pillars, including independent testing and customer due diligence).
- FFIEC BSA/AML Examination Manual: The interagency supervisory standard; see the BSA/AML Risk Assessment and Independent Testing sections, including the risk-based approach to scope and frequency.