Field Guide

Customer Risk Rating: How to Score Customer Risk

The short version

Customer risk rating is the part of customer due diligence that scores each customer's money-laundering risk so the program can treat customers differently. It combines who the customer is, where they are, what products they use, and how they behave into a rating, usually low, moderate, or high. The rating sets the depth of due diligence, the monitoring applied, and whether enhanced due diligence is required, and it is supposed to update as the customer's activity changes.

Risk-based compliance only works if customers are sorted by risk, and customer risk rating is the sort. It is where the enterprise risk assessment meets a real account: the institution's view of which products, geographies, and customer types are risky, applied to the specific person or business in front of it. Get the rating right and due diligence, monitoring, and review effort flow to the customers who warrant them. Get it wrong and the program spends attention evenly on customers who do not need it and misses the ones who do.

What customer risk rating is

Customer risk rating assigns each customer a money-laundering risk level that drives how the institution handles the relationship. It is a requirement of risk-based customer due diligence under FinCEN's CDD rule (31 CFR 1010.230), which expects institutions to understand the nature and purpose of customer relationships and to conduct ongoing monitoring. A rating is the mechanism that turns those expectations into different treatment for different customers.

The inputs

A rating combines several risk factors. The categories below are standard; the weight each carries is specific to the institution's own risk profile.

Factor: examples that raise risk

Customer type and occupation: cash-intensive businesses, money services businesses, and complex or opaque ownership structures.
Geography: customers, counterparties, or activity tied to sanctioned or high-risk jurisdictions, or domestic high-intensity financial-crime areas.
Products and services used: international wires, prepaid access, virtual currency, and other products that move value quickly or across borders.
Channel: non-face-to-face onboarding and relationships intermediated by a third party or platform.
Status flags: politically exposed person status, negative news, and prior suspicious activity.
Expected activity: a profile of expected volume and behavior at onboarding, against which actual activity is later compared.

Building the model

Most programs score these factors into a rating in one of two ways. A weighted-points model assigns each factor a score and a weight and sums them into a tier. A matrix model maps combinations of factors to a rating using defined rules. Either is defensible. What matters is that the logic is written down, applied consistently, and produces a rating a reviewer can reproduce. Define what low, moderate, and high mean before rating anyone against them.

What the tiers trigger

The rating only matters if it changes how the customer is handled.

A rating that never changes the depth of diligence or the monitoring applied is decorative, and an examiner reads it that way.

Dynamic re-rating

A risk rating set at onboarding and never revisited goes stale. Ratings should update on a periodic cycle and on trigger events: a change in the customer's business, a new product, a move into a higher-risk geography, a hit in screening, or activity that diverges from the expected profile. The comparison of expected activity to actual activity is one of the most useful re-rating signals a program has, and it ties customer risk rating directly to transaction monitoring.
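The following Python is an added example, not code from this guide or from any institution's model. It puts the weighted-points model described under Building the model and the re-rating logic above into one runnable piece: each factor gets a 0..3 score and a weight, the weighted total maps to a tier through written-down cut-offs, a matrix-style rule overrides the points for a sanctioned nexus or PEP status, and a re-rating step compares actual volume to the expected profile and treats divergence (and the listed trigger events) as a reason to re-run the rating. Every weight, lookup table, threshold, trigger list, and sample customer in it is constructed for illustration; an institution calibrates these against its own risk assessment.

```python
"""Weighted-points customer risk rating with matrix-style overrides and
trigger-based re-rating. All weights, lookup tables, thresholds and sample
customers are constructed for illustration, not taken from any institution."""
from dataclasses import dataclass, replace
from typing import Dict, Sequence

# Factor weights (constructed). Status flags weigh most; channel least.
WEIGHTS = {"customer_type": 3, "geography": 3, "products": 2,
           "channel": 1, "status_flags": 4}

# Per-factor scores on a 0..3 scale (constructed values).
CUSTOMER_TYPE_SCORE = {"salaried_individual": 0, "retail_business": 1,
                       "cash_intensive_business": 3,
                       "money_services_business": 3, "opaque_ownership": 3}
GEOGRAPHY_SCORE = {"domestic": 0, "domestic_hifca": 2,
                   "high_risk_jurisdiction": 3, "sanctioned": 3}
PRODUCT_SCORE = {"checking": 0, "domestic_wire": 1, "prepaid_access": 2,
                 "international_wire": 3, "virtual_currency": 3}
CHANNEL_SCORE = {"in_person": 0, "non_face_to_face": 2,
                 "third_party_intermediated": 2}
FLAG_SCORE = {"negative_news": 2, "pep": 3, "prior_suspicious_activity": 3,
              "activity_divergence": 3}

# Tier cut-offs on the weighted total (maximum possible is 38). Written down
# so a reviewer can reproduce any rating by hand: total < bound -> tier, else high.
TIER_BOUNDS = [(12, "low"), (24, "moderate")]

# Actual volume above this multiple of the expected profile counts as divergent.
DIVERGENCE_RATIO = 2.0
TRIGGER_EVENTS = {"screening_hit", "business_change", "new_product",
                  "geography_change"}


@dataclass(frozen=True)
class CustomerProfile:
    customer_type: str
    geography: str
    products: Sequence[str]
    channel: str
    flags: Sequence[str] = ()
    expected_monthly_volume: float = 0.0  # stated at onboarding


def factor_scores(p: CustomerProfile) -> Dict[str, int]:
    """Score each factor; list-valued factors take their riskiest member."""
    return {
        "customer_type": CUSTOMER_TYPE_SCORE[p.customer_type],
        "geography": GEOGRAPHY_SCORE[p.geography],
        "products": max((PRODUCT_SCORE[x] for x in p.products), default=0),
        "channel": CHANNEL_SCORE[p.channel],
        "status_flags": max((FLAG_SCORE[f] for f in p.flags), default=0),
    }


def rate(p: CustomerProfile) -> dict:
    """Weighted-points rating with matrix-style overrides applied on top."""
    scores = factor_scores(p)
    total = sum(scores[k] * WEIGHTS[k] for k in WEIGHTS)
    result = {"score": total, "factors": scores, "basis": "weighted points"}
    # Matrix rule: a sanctioned nexus or PEP status forces high regardless of points.
    if p.geography == "sanctioned" or "pep" in p.flags:
        return {**result, "tier": "high", "basis": "override: sanctioned or PEP"}
    for bound, tier in TIER_BOUNDS:
        if total < bound:
            return {**result, "tier": tier}
    return {**result, "tier": "high"}


def rerate(p: CustomerProfile, actual_monthly_volume: float,
           events: Sequence[str] = ()) -> dict:
    """Re-run the rating on trigger events or expected-vs-actual divergence.

    Divergence is recorded as a status flag on the profile so the reason for
    the new tier shows up in the factor breakdown, not only in the code path."""
    triggers = [e for e in events if e in TRIGGER_EVENTS]
    updated = p
    if (p.expected_monthly_volume > 0
            and actual_monthly_volume > p.expected_monthly_volume * DIVERGENCE_RATIO):
        triggers.append("activity_divergence")
        updated = replace(p, flags=(*p.flags, "activity_divergence"))
    if not triggers:
        return {**rate(p), "triggers": [], "rerated": False}
    return {**rate(updated), "triggers": triggers, "rerated": True}


# Constructed sample customers.
SALARIED = CustomerProfile("salaried_individual", "domestic", ["checking"],
                           "in_person", expected_monthly_volume=5_000)
RETAILER = CustomerProfile("retail_business", "domestic_hifca", ["domestic_wire"],
                           "non_face_to_face", expected_monthly_volume=50_000)
CASH_MSB = CustomerProfile("money_services_business", "high_risk_jurisdiction",
                           ["international_wire"], "non_face_to_face",
                           flags=["negative_news"], expected_monthly_volume=200_000)

if __name__ == "__main__":
    for name, prof in [("salaried", SALARIED), ("retailer", RETAILER), ("msb", CASH_MSB)]:
        r = rate(prof)
        print(f"{name}: {r['tier']} ({r['score']} points, {r['basis']})")
    # The retailer stated 50k/month at onboarding but is moving 150k:
    # divergence adds a status flag and moves it from moderate to high.
    print("retailer after divergence:", rerate(RETAILER, 150_000)["tier"])
```

The point of returning the factor breakdown and basis alongside the tier is reproducibility: a reviewer can recompute the total from the written weights and see whether a tier came from points or from an override, which is what an examiner asks for when checking that the model is applied consistently.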

Where customer risk rating fails an exam

Customer risk rating is small and load-bearing. Keep the model explicit, make sure each tier changes how the customer is treated, and re-rate as the relationship changes. For where the rating fits the wider program, see the fifth pillar, customer due diligence; for the institution-level view it draws on, see the BSA/AML risk assessment guide.

Primary sources

Common questions

What is customer risk rating?
Customer risk rating is the part of customer due diligence that scores each customer's money-laundering risk into a level, usually low, moderate, or high, that drives how the institution handles the relationship: the depth of due diligence, the monitoring applied, and whether enhanced due diligence is required.

What factors go into a customer risk rating?
Common factors are customer type and occupation, geography, the products and services used, the onboarding and transaction channel, status flags such as politically exposed person status or adverse media, and a profile of expected activity. The weight each factor carries is specific to the institution's own risk profile.

What is the difference between low, moderate, and high risk customers?
Low risk warrants standard due diligence and baseline monitoring. Moderate risk warrants closer attention and tighter thresholds. High risk warrants enhanced due diligence, more information on source of funds and purpose, closer monitoring, and often senior approval to open or keep the account.

How often should a customer risk rating be updated?
Ratings should update on a periodic cycle and on trigger events: a change in the customer's business, a new product, a move into a higher-risk geography, a screening hit, or activity that diverges from the expected profile. A rating set at onboarding and never revisited is treated as stale.

From the team behind this guide

Customer risk ratings that actually drive the program

Compliance Command Center connects customer risk rating to the rest of the program: the rating draws on an enforcement-calibrated risk assessment, drives the diligence and monitoring each tier requires, and re-rates on the signals that matter. Practitioners build it (JD, CAMS), with a human reviewing every deliverable, so the ratings hold up when an examiner asks what they change.
