Why upgrading the legacy ‘customer risk model’ is an AML imperative for banks




While all banks have in place a customer risk assessment framework to comply with their anti-money laundering (AML) programme, many of these are not robust and do not capture the complexities of the current day customer risk management. Most banks use risk scoring systems designed years ago, where the risk score is usually generated manually by bank staff completing a risk assessment form either on paper or on a computer. The overall risk score is then arrived at by adding together all the scores (or using an average) for different AML risk factors.

The legacy risk models used by banks stand out as a weak framework in the current AML era, as they are plagued by certain constraints. Most models do not adequately cover the risk factors specific to each customer type with due weightage to each of the factors. This might lead to some potential high risk customers being tagged as medium or low risk. A change of risk rating to any risk factor (e.g., revising the risk rating of a particular country from low to high) cannot be automatically applied by the system to existing customers, thus lacking in dynamic risk revision capability and keeping customer risk rating current. Most of these models are not sophisticated enough to apply approval level rules (e.g., if a customer is a politically exposed person (PEP) or if the risk rating of a customer is revised from low to high, it would go for a higher level of approval in the bank), thus missing the enhanced due diligence (EDD) required for certain high risk customers.

The new generation risk-based ‘customer risk models’

A robust risk assessment framework to effectively capture customer risk, not just during onboarding but on a continuous dynamic basis, should have the following features.

Customer category based risk model. ‘One size fits all’ does not apply to risk models for various customer categories, as every customer type has different risk parameters. Whereas source of wealth would be a risk factor for an individual customer, the ownership pattern and whether it is publicly or privately held would contribute to a corporation’s risk score. Ideally, a bank must have risk models defined for each of the broad customer categories (e.g., individuals, corporations, financial institutions, government bodies and so on).

Defining relevant risk parameters for each risk model. A variety of factors need to be considered while defining each risk model, specific to the customer type to which the model would apply. For example, the factors which contribute to a corporation’s risk score should include (but not be limited to) company ownership structures, beneficial owners, whether listed on a recognised stock exchange, political links (the board and owners, etc.), country risk (for country of incorporation or country of operations, etc.), industry in which the company operates, length of relationship with the bank, reputation and negative news about the company or its owners, and so on.

Weighted average scores for final risk scoring. This gives due weightage to risk factors rather than considering all factors to contribute equally towards a customer’s risk score. So while the country of domicile of the customer may be given a 15 percent weight, the PEP status can be fixed at 20 percent weight (as decided by the bank’s compliance office).

Handling missing risk data elements. When responses to any of the risk factors are missing for a customer record, the risk model should be designed to either default a certain risk score for that missing field or prorate the weight of the missing factor among the others where risk responses are available.

Event based risk rating modification. Customer risk rating may undergo change either during periodic reviews (conducted at predefined frequencies), or on an ad-hoc basis when there is any change to their risk specific parameters. The risk model should be designed to generate a revised risk score and rating when such an event is triggered.

An exhaustive audit trail. This should indicate why customers have been rated as high, medium or low, and also if any customer has been overridden manually to a higher or lower risk rating over the system generated risk score and rating.

Regular updates to risk models for changes in risk factors. There are times when risk scores for certain parameters are changed by a bank, e.g., a country which was tagged as ‘medium risk’ may be changed to ‘high risk’ based on certain conditions. These changes need to be immediately updated in the risk model database, and risk scores of all customers (where this factor applies) should be automatically recalculated.

Once a final risk score is generated, the customer is categorised as high, medium or low risk. This rating should determine the level of due diligence required (simple or enhanced), the levels of approvals required for entering into the relationship with the customer (the higher the risk, the higher the level of approval required), and the frequency at which the customer record has to be mandatorily reviewed.

Finally, all this should be part of an automated workflow.

Changing the old order: the way forward

Customer due diligence rules are getting more stringent with every passing day, as regulators across the globe have been emphasising a risk based approach towards customer due diligence (CDD) of banks’ customers as well as beneficial owners of entity (non-individual) customers. Frequency of periodic review of customers, as well as their account and transaction entitlements, are tagged to their risk levels. This makes it imperative for banks to continuously monitor customer risk levels and revise such risk ratings as soon as their risk parameters undergo a change. Given the huge customer base of most mid and large sized banks, embarking on this activity manually is a near impossible task. And that is where automated dynamic risk engines can bring about a huge impact in customer risk assessment, thereby enhancing a bank’s CDD process.

The advantages of upgrading from a rule-based risk model with periodic risk level updates, to a risk-based one with dynamic monitoring, cannot be over emphasised. Several large global banks have already transitioned, or are in the process of upgrading, to the next-generation dynamic risk-based models as a result of strict CDD rules being enacted worldwide. It is only a matter of time before risk-based dynamic assessment of customer risk levels will become a necessity for routine compliance in banks – and not a differentiator.


Sujata Dasgupta is a banking regulatory compliance consultant at Tata Consultancy Services Ltd. She can be contacted by email: sujata.dasgupta@tcs.com.

© Financier Worldwide


Sujata Dasgupta

Tata Consultancy Services Ltd.

©2001-2019 Financier Worldwide Ltd. All rights reserved.