AML risk scoring: understanding the essence

Mažvydas Miliauskas
Mažvydas Miliauskas
March 27, 2024
Risk scoring

Risk scoring is an important tool used by financial and other institutions to assess the level of money laundering risk associated with a particular customer.

By assessing the different factors, companies can identify high-risk customers and take appropriate measures to prevent fraudulent activities.

There is no single AML risk scoring model or methodology that fits for all organizations. Why? Simply because the business context across all organizations is different.

It depends heavily on the industry in which the company operates, the customer base it serves and the company’s appetite for risk:

  • Industry

The AML risk scoring model for banks has to be tailored to take account of the risks relevant to account-based relationships, so the identical model cannot be used by other industries, such as insurance. 

  • Customer portfolio

The same AML risk scoring methodology that is used for scoring retail customers cannot be used for corporate customers/legal entities. 

  • Risk appetite

If the bank has been in the country for many decades, it is likely to have a large proportion of lower-risk customers, so it makes sense for it to have a lower risk appetite. However, smaller institutions tend to have a higher risk appetite, so they can expand and survive in such an environment.

When assessing the risk of money laundering, terrorist financing and other crimes, the organization’s AML risk scoring methodology must also take into account the following four factors:

  1. Customer risk factors – these are those factors related to the customer’s profile that could increase the risk to the organization. For example, is the customer a politically exposed person (PEP) or a family member of a PEP? Is the customer resident or non-resident? What is the age and employment status of the customer? Is the customer a vulnerable customer (e.g. the elderly are more susceptible to all types of fraud)?
  2. Product and service risk factors – these are the factors that relate to the customer’s use of the organization’s products and services. For example, what products do they use? Do they expect to use higher risk products, such as cash deposits and withdrawals? If so, what is the estimated amount for the full year? 
  3. Risk factors related to delivery methods – these are risk scoring factors related to the channels through which the organization’s products are offered to the customer. Does the organization have a face-to-face interaction with the customer, or is the relationship only through digital channels? Perhaps the organization offers both channels?
  4. Geographical risk factors – these are risk scoring factors that relate to the geography of the customer. For example, does the customer plan to send or receive cross-border transactions to/from high-risk jurisdictions? Is the country on the FATF and/or European Union list of high-risk jurisdictions? In which country was the customer’s identity document issued, and could these jurisdictions expose the organization to certain types of sanctions (e.g. if the customer’s identity document was issued by North Korea or Iran, this factor should increase the organization’s sanctions risk)? What about other countries such as Colombia or Mexico? What ML/TF typologies come to mind?

Once the risk factors in all four categories have been identified, it is time to create the risk spectrum for the available scenarios and determine what level of risk they represent. For example, if the customer is a domestic PEP who lives and works in the same country, does this customer pose a higher ML/TF (or more specifically, bribery and corruption) risk than an international PEP who travels to different countries and regions? 

What about cash withdrawals? Imagine an elderly client who has survived multiple currencies being used in the country during his lifetime, and many local banks going bankrupt. Do these events play a role in the way such a population currently manages their finances? Does an elderly person have the right not to fully trust the current banking system and withdraw 100 or 200 euros each month simply because he prefers to buy food at the farmers’ market and leave tips in cash rather than with a card? Does this customer pose the same ML/TF risk as someone who runs a small construction business and wants to withdraw €10,000 a month? Should they be placed in the same customer risk bucket?

Introducing a rating system

The final step is to assign appropriate weights/scores to these risk factors and combine them into a single overall risk score. 

But why is this important? Some risk factors are more important than others, so they should receive a larger share of the score. If the weights are not properly balanced, it could attract unwanted attention from regulators and expose the organization to fines for artificially lowering the risk level of the customer and forcing higher risk customers to undergo the EDD process. Let’s look at how these weights can affect the same scores and the overall risk rating.

Rating system


Scenario 1 has evenly distributed weights across the 4 risk factors and results in a score of 6.5. These weights are not bad, but it is possible that this scoring engine did not produce the desired result. For example, the creator may have intended the final score for this particular consumer scenario to be higher, resulting in a score of at least 7. Does this mean that the scoring methodology itself is bad? Well, no. If we adjust the weights to those given in Scenario 2, we would get the desired result without rebuilding everything. By doing this, the organization is drawing attention to the fact that more weight is being given to the categories that are most relevant to their business. 

Scenario 3 may seem odd at first glance and requires further explanation to the reader. Let’s say the organization uses weights from scenario 1 or 2 on a daily basis. However, the customer is an international PEP and represents a high risk of bribery and corruption to the organization, so the customer risk factor has been given the maximum available risk score of 10/10. If the methodology requires the EDD process to be triggered only when the score is 8 or above, then the standard scenarios 1 & 2 will not deliver the intended result. Therefore, Scenario 3 could act as an extension of Scenarios 1.1 or 2.1. If a single category or factor needs to increase the risk, it can override other remaining scores and the customer would automatically be assigned the maximum score, forcing them to go through the EDD process. 

Scenario 4 provides an example of how the risk score for the same customer could be artificially reduced by focusing only on the area where the risk score contains the lowest score. 

Appearance of the risk scoring system in the AMLYZE platform
Appearance of the risk scoring system in the AMLYZE platform

Summing up AML risk scoring

There is no one-size-fits-all solution for customer risk scoring. Each organization develops its own client risk scoring framework tailored to its size, business model complexity, and risk appetite. Moreover, the dynamic and volatile nature of the financial crime environment necessitates continual advancement in AML/CFT processes to better detect indications of possible wrongdoing without disrupting day-to-day business operations.

Static risk scoring falls short in meeting the demands of institutions to stay ahead of evolving risks and the expectations of regulatory bodies. Recognizing this gap, dynamic risk scoring, which accounts for the ever-changing nature of customer behavior, emerges as the latest trend that AMLYZE is exploring. We are committed to keeping you informed about the latest trends. Stay updated by following our articles.

Read more here related topic about AML risk assessment and its importance to AML/CFT compliance programmes.

About the author

Mažvydas Miliauskas
Mažvydas Miliauskas
Mažvydas is AMLYZE contributing author. CAMS certified high achiever who is passionate about financial crime compliance, ML/TF typologies and enterprise risk management.


AML in crypto

AML in the crypto space

Explanation of the importance of AML measures and guidance on how to achieve them in the fast-changing crypto world.
12 min read
AML for Fintechs

AML for Fintechs: a detailed guide

Explaining the working model of Fintechs, the main myths surrounding the sector and the role of AML/CFT in their day-to-day operations.
by Eglė Kontautaitė
13 min read

Empower your compliance

Let us know how we can help

    Fill in the form bellow to contact us

    Why request a demo?

    It doesn’t matter whether you are interested in a complete end-to-end AML/CFT solution or just a single module from our range. We can help.

    Experience up to a 62% reduction in false positives

    Benefit from a library of over 100 risk rules

    Complete investigations in 3x less time than manually

    Save up to 3 hours per STRs/SARs filing

    Access a library of over 200 pre-defined scenarios