← Blog · Compliance
Customer Risk Rating: Building a Defensible Scoring Model

A customer risk rating (CRR) is the number that drives almost every downstream AML decision: how much due diligence you collect, how often you review a file, and where transaction-monitoring thresholds sit. If the score is arbitrary, so is everything built on it. This is general information, not legal advice, but the engineering principles below hold across most regimes.
Pick Factors You Can Actually Measure
A defensible model scores discrete, evidenced factors rather than analyst intuition. Most programs group inputs into four or five categories:
- Customer type: individual, private company, trust, or entity with nominee arrangements. PEP status and adverse media hits load here.
- Geography: country of residence, incorporation, and the jurisdictions of counterparties, cross-referenced against FATF, sanctions, and tax-haven lists.
- Product and channel: a cash-heavy remittance line carries more inherent risk than a salaried debit account. Non-face-to-face onboarding is often scored, though chat-based verification with liveness and document checks can lower that residual weight.
- Behavior: expected volumes, transaction patterns, and deviations observed after onboarding.
Each factor needs a data source and a capture point. If you cannot say where a value comes from, you cannot defend the score built on it. Collecting only the fields that feed a documented factor also supports data minimization: you are not warehousing attributes that never touch a decision.
Weighting, Scoring, and the Math Behind the Tier
Assign each factor a numeric score and a weight. A common structure uses a 1–5 or 1–100 scale per factor, then a weighted sum that maps to three or four tiers: low, medium, high, and sometimes prohibited. Two design rules keep the model honest:
- Override logic: some factors should cap or force a tier regardless of the weighted average. A confirmed sanctions match or a jurisdiction on your prohibited list should push the customer to the top tier even if every other input is benign.
- Inherent versus residual: score inherent risk first, then apply mitigating controls (verified identity, source-of-funds evidence, reduced product limits) to reach a residual rating. Regulators expect you to show both numbers, not just the final one.
Document the weights and the rationale. "Geography carries 30% because our SAR history concentrates in cross-border flows" is defensible; a weight with no reasoning is a finding waiting to happen.
Calibrate, Test, and Watch for Drift
A model is a hypothesis until you test it against outcomes. Compare rating distributions to actual alerts and filed reports: if 80% of your suspicious activity comes from customers you rated low, the weights are wrong. Practical calibration steps:
- Back-test against 12–24 months of alert and SAR data to check whether high-risk tiers actually generate more true positives.
- Run tuning cycles at least annually, and after any product launch or geographic expansion.
- Monitor rating migration: a spike in customers moving from low to high may signal onboarding gaps rather than genuine risk changes.
- Set thresholds so tier sizes are workable. A model that rates 40% of customers high is not risk-based; it is a resourcing problem.
Perpetual monitoring feeds this loop: behavioral factors should update the score continuously rather than waiting for a scheduled review.
Build the Audit Trail Into the System
Examiners rarely dispute a rating; they dispute whether you can explain it. Store, for every customer, the factor values, the weights applied, the version of the model in force, and the timestamp. When the model changes, version it and record who approved the change and why. Retain these records for the period your regime requires, then delete on schedule so retention stays aligned with your policy rather than accumulating by default.
The payoff is consistency: two analysts scoring the same file reach the same tier, and you can reconstruct any historical decision. A risk rating that is transparent, tested, and versioned turns a subjective judgment into a control you can defend line by line.
General information, not legal advice. Talk to your compliance counsel for guidance on your specific obligations.