Step-By-Step Guide To AML Risk Rating Customers

AML customer risk ratings

From 1 June 2025, changes to the AML/CFT Act mean reporting entities are responsible for accurately assessing and rating the AML risk associated with new customers, and for updating those risk ratings as part of ongoing customer due diligence.

The aim of this legislative change is to provide transparency on how much risk a customer presents, so you can apply the right level of scrutiny throughout the relationship.

This step-by-step guide demystifies the complexities of AML risk rating, providing practical steps and actionable strategies on how to apply this law change to your compliance programme.

Step 1. Establish the factors to determine a customer’s AML risk score

Various risk factors contribute to the overall risk score of a customer. Consider the following:

  • The information gathered during the customer due diligence (CDD) process
    Take into account the type of customer you are dealing with, and the complexity of ownership structure. A multi-layered entity may generate a higher risk score than an individual or company with a simple structure.
  • The nature and purpose of transactions
    Large, frequent cash transactions, or clients with complex financial situations, sit higher on the risk scale than individuals with a simple financial and transaction history.
  • Results of PEP, SIP, sanctions, and adverse media checks
    While you can still do business with clients flagged as a politically exposed person (PEP) or who have adverse media results, you should understand the associated risk this brings and score the risk appropriately. For example, a client whose media checks indicate fraud or tax evasion should result in a higher risk score.
  • Where the customer is based
    Some offshore countries are considered higher risk than others, and being unable to meet your customer in person is a higher risk factor than dealing with an individual you can meet face-to-face. Likewise, dealing directly with your client is considered lower risk than dealing with your client through an intermediary or third party.
  • What red flags are presented
    Red flags are likely to look a little different depending on your industry and your customer. You should consider the risk associated with each red flag and how it could impact your business. For example, a client who works in the gambling industry may require a higher risk score, but you should weigh that risk alongside everything else you know about your client and their risk profile.

Knowing this will help you create a consistent approach when deciding how much AML/CFT risk a customer presents.

All this can seem a bit daunting but you can utilise technology to help manage some of the workload. AML software like AMLify can review customers and transactions with automated risk scoring – customised to suit your business needs. This can be a massive time saver for businesses and provides a more consistent, streamlined approach to risk rating.

Step 2. Develop a robust customer risk rating methodology

Your customer risk rating methodology should be individual to your business. There is no one-size-fits-all risk rating model. Base it on the nature and complexity of your business and your company’s appetite for risk.

For example, your risk scores could correspond to risk levels, such as low, low – medium, medium, medium – high, or high.


It is important that the process your business uses to identify and rate risk is understood and used within your team, with the risk rating and score matching the ML/TF red flags identified. Details of how the company determined the customer risk should be transparent and not simply a tick box exercise.

The methodology used to rate risk should be documented in your AML/CFT Programme using Policy, Procedures and Controls which are auditable for both Adequacy and Effectiveness. If your team can explain and demonstrate the methodology, and can document and clearly record how the risk rating was arrived at, including the criteria used to evaluate Customers, Products, Services, and geographic risk, you are definitely heading in the right direction.

Step 3. Complete your AML customer risk assessment

Collect Customer Information

Once you have collected your customer information, carefully review the results for red flags.

Review the client’s residency. If they live overseas, refer to online resources such as the FATF ‘black and grey’ lists to identify jurisdictions with weak measures to monitor and combat money laundering and terrorist financing. The Basel AML Index also provides a report on risk score for countries around the world.

For details of all the information required for customer due diligence use our CDD checklist.

Assign overall risk rating

Consider the information you have gathered on customers against your company’s risk methodology and assign an overall risk rating you feel is suitable for your customer. Validate the reasons for your risk rating. If your risk rating is higher than medium – why is that? What’s driving that elevated risk?

Keep a record of all risk ratings and review them, as appropriate.

Your risk rating methodology should be outlined in your risk assessment and compliance programme documentation, and you should ensure staff are fully trained to carry out the correct procedures.

Apply CDD level

Your risk rating may indicate heightened monitoring is needed, or enhanced due diligence is required. This will involve collecting additional information from your client, such as ensuring you obtain and verify source of wealth and/or source of funds of your customer. You will also need to use increased or more sophisticated measures to obtain and verify your customer’s details, their representatives, other key persons, and details of their beneficial ownership structure.

Ensure that any information regarding a potential red flag or suspicion that is elevating the risk rating is only given to the Compliance Officer, to prevent inadvertent ‘tipping off’.

Regularly review ratings with ongoing CDD and risk-based monitoring

Customer risk ratings should not be set and then forgotten. Risk ratings may require updating due to changes in a customer’s circumstances. You should ensure any change in risk rating is recorded, along with the reasons for the change. Common reasons include increased risk due to the activity your customer is undertaking, false information being discovered, or changes in ownership.

Establish a process for periodic review and updates to ensure that risk ratings remain accurate and up to date.
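The factors from Step 1, the five bands from Step 2 and the review-and-record process just described, worked through as an added Python example. This is not tic company's or AMLify's code; every factor name, weight and band threshold in it is an assumption chosen to show the shape of a methodology, not a recommended scoring, and the sample customers are constructed. What the example adds to the text is the mechanics: each factor's contribution is recorded as a reason so the rating is explainable rather than a tick-box result, an unrecognised factor value is treated as a methodology gap rather than silently scored as zero, and a re-rating produces a change record only when the band actually moves.

```python
"""Illustrative customer risk-scoring engine (added example, assumed weights)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed score thresholds for the five bands named in Step 2.
BANDS: List[Tuple[int, str]] = [
    (0, "low"), (15, "low-medium"), (30, "medium"), (45, "medium-high"), (60, "high"),
]

# Assumed weights, grouped by the Step 1 factors. A real programme documents its own.
CUSTOMER_TYPE_WEIGHTS: Dict[str, int] = {
    "individual": 0, "simple_company": 5, "multi_layered_entity": 20}
TRANSACTION_WEIGHTS: Dict[str, int] = {
    "simple": 0, "complex": 15, "large_frequent_cash": 25}
SCREENING_WEIGHTS: Dict[str, int] = {
    "pep": 20, "sip": 10, "adverse_media_other": 10, "adverse_media_fraud_or_tax": 30}
GEOGRAPHY_WEIGHTS: Dict[str, int] = {
    "fatf_listed_jurisdiction": 25, "non_face_to_face": 10, "via_intermediary": 10}
RED_FLAG_WEIGHT = 10  # assumed: each recorded red flag adds this much


@dataclass
class CustomerProfile:
    customer_id: str
    customer_type: str
    transaction_profile: str
    screening_hits: List[str] = field(default_factory=list)
    geography_flags: List[str] = field(default_factory=list)
    red_flags: List[str] = field(default_factory=list)


@dataclass
class RiskRating:
    customer_id: str
    score: int
    band: str
    reasons: List[str]  # one entry per contributing factor, kept for the audit record


@dataclass
class RatingChange:
    customer_id: str
    previous_band: str
    new_band: str
    trigger: str  # why the re-rating happened, e.g. a change in ownership


def band_for(score: int) -> str:
    """Map a numeric score to the highest band whose threshold it reaches."""
    band = BANDS[0][1]
    for threshold, name in BANDS:
        if score >= threshold:
            band = name
    return band


def _weight(table: Dict[str, int], key: str, factor: str) -> int:
    # An unrecognised value is a gap in the methodology, not a zero-risk finding.
    if key not in table:
        raise ValueError(f"unknown {factor} value: {key!r}")
    return table[key]


def rate_customer(p: CustomerProfile) -> RiskRating:
    """Score every factor, recording each contribution so the rating is explainable."""
    parts: List[Tuple[int, str]] = [
        (_weight(CUSTOMER_TYPE_WEIGHTS, p.customer_type, "customer type"),
         f"customer type: {p.customer_type}"),
        (_weight(TRANSACTION_WEIGHTS, p.transaction_profile, "transaction profile"),
         f"transaction profile: {p.transaction_profile}"),
    ]
    parts += [(_weight(SCREENING_WEIGHTS, h, "screening result"), f"screening: {h}")
              for h in p.screening_hits]
    parts += [(_weight(GEOGRAPHY_WEIGHTS, g, "geography flag"), f"geography: {g}")
              for g in p.geography_flags]
    parts += [(RED_FLAG_WEIGHT, f"red flag: {r}") for r in p.red_flags]
    score = sum(points for points, _ in parts)
    reasons = [f"+{points} {why}" for points, why in parts if points]
    return RiskRating(p.customer_id, score, band_for(score), reasons)


def rerate(previous: RiskRating, updated: CustomerProfile,
           trigger: str) -> Tuple[RiskRating, Optional[RatingChange]]:
    """Re-score after a change in circumstances; record a change only if the band moved."""
    new = rate_customer(updated)
    if new.band == previous.band:
        return new, None
    return new, RatingChange(updated.customer_id, previous.band, new.band, trigger)


# Constructed sample customers (not real data).
SIMPLE_INDIVIDUAL = CustomerProfile("C-001", "individual", "simple")
COMPLEX_ENTITY = CustomerProfile(
    "C-002", "multi_layered_entity", "complex",
    screening_hits=["pep"],
    geography_flags=["fatf_listed_jurisdiction", "via_intermediary"],
    red_flags=["customer operates in the gambling industry"],
)


def example_rerating() -> Tuple[RiskRating, Optional[RatingChange]]:
    """C-001 is later found to have changed ownership and gained an adverse-media result."""
    initial = rate_customer(SIMPLE_INDIVIDUAL)
    changed = CustomerProfile("C-001", "simple_company", "complex",
                              screening_hits=["adverse_media_other"])
    return rerate(initial, changed, "change in ownership found at periodic review")
```

Under these assumed weights the simple individual scores 0 (low), the layered entity with a PEP hit, a FATF-listed jurisdiction, an intermediary and one red flag scores 100 (high), and the re-rated C-001 moves from low to medium, producing a change record whose trigger text is what you would file alongside the updated rating. The `reasons` list is the part an auditor asks for: it shows which factors drove the score rather than just the band.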

Step 4. Train staff on how to use your AML risk rating methodology

Key to carrying out AML compliance successfully is ensuring relevant staff are trained in your compliance approach and understand how to implement it correctly.

Ensure you include your customer risk assessment approach in your staff training and document when training was received so Supervisors can clearly see you are complying with legislative changes.

Step 5. Review and record customer risk ratings and your approach

Record keeping is a key requirement of AML compliance and individual customer risk ratings are required to be included in this.

These records will come under auditor scrutiny particularly in light of the findings from the National Risk Assessment 2024 which outlined new threats and reinforced compliance expectations. You should be able to refer to records to help understand whether more risk has become associated with a client, whether you need to update your risk rating, or do additional or different due diligence to mitigate the risk.

Also ensure you record your customer risk rating methodology in your compliance and risk assessment documents.

Summary

Establishing a thorough customer risk rating methodology, documenting these procedures, and ensuring that staff are adequately trained will help you meet the impending requirement to apply AML risk ratings to customers.

The integration of smart technology to facilitate risk scoring can help streamline these processes, aligning them seamlessly with the unique needs of your business.

For those seeking guidance in defining their customer risk rating approach or interested in witnessing the capabilities of advanced technology firsthand, contact us or book a demo.

About the author

Nicolas Charles

Nick has a background in financial services for nearly 10 years. During his time in retail finance and banking, he was directly involved in the application of AML verification and compliance, which gave him valuable skills for his current role as Head of Operations and Finance at tic company.
