ASK MAT: How does a Customer Risk Assessment (CRA) determine whether my customer is involved in illicit activities such as money laundering?

27/02/2025

ASK MAT:

  • How does a Customer Risk Assessment (CRA) determine whether my customer is involved in illicit activities such as money laundering?

MAT'S ANSWER:-

  • Thank you for such a great question. 
  • For me, the CRA is, in part, a crystal ball and, in part, a looking glass on knowing your customer's history and background.

MY THOUGHT ON THE PURPOSE OF THE CRA IS OUTLINED BELOW

The Customer Risk Assessment (CRA) is a key piece of the AML Customer Due Diligence (CDD) puzzle.  

  • The CRA is, in part, a crystal ball and, in part, a looking glass on knowing a customer's history and background

This metaphor blends the proactive and reactive sides: trying to see the future while magnifying the past.

  • The CRA straddles both worlds:
      • It’s a TOOL TO PREDICT and a LENS TO INSPECT, all wrapped into ONE PROCESS.
  • The CRA is asking:-
      • “Based on who you’ve been, what might you do?”  
  • The “CRYSTAL BALL” fits the CRA’s role in gauging future risk—
      • AML/CTF/CPF-regulated Financial Services Businesses (FSBs) use it to assign a risk rating and analyse factors like geography, industry, or transaction habits to forecast potential trouble.
      • It’s their way of peering ahead, trying to spot illicit activity before it plays out.
      • It captures how FSBs try to predict risk, using patterns, risk scores, and red flags to foresee if the customer might be up to no good.
      • It’s not magic; it’s more like educated guesswork based on data and rules. They ask,
        • “What could this customer do, given what we know about people like them?”
  • The “LOOKING GLASS” works just as well for the historical side of CRA within CDD.
      • It’s all about reflecting on what the FSB knows—their customer background, financial history, and any ties to shady players. They’re zooming in on the past to ground their assessment, ensuring the story checks out.
      • The CRA nails the historical piece—digging into the customer's past, transactions, and story.
      • It’s all about context: who they are, where their money has gone or is going, and whether the story adds up.
      • The CRA is not just peering at the customer – it is piecing together a picture (profile) from the paper trail the FSB has requested.
  • The CRA is a mix of forward-looking guesswork and backwards-looking scrutiny. Together, it is:-
      • LESS ABOUT CERTAINTY and
      • MORE ABOUT PROBABILITY.
  • The CRA is:-
      • NOT saying this CUSTOMER is a crook
      • BUT rather that the customer has attributes that give cause for a closer look and more questions.

To explain this further, I can offer more thoughts about a customer risk assessment (CRA)

  • Some say the Customer Risk Assessment (CRA) is the most critical piece of the AML Customer Due Diligence (CDD) puzzle

The above statement is a bold claim, and it’s worth unpacking whether it genuinely holds that title—or if it’s more of a linchpin among equals – so let’s break it down.

  • The CRA is important because it’s the foundation for everything else in CDD.
      • It’s where the FSB takes all the raw data:
          • Their customers' ID and profile (e.g. occupation, transaction patterns, and where the customer is from: born, lives, pays taxes, etc.), and
          • Turns it into a JUDGMENT CALL on RISK based on a RAG, e.g. low, medium, high, highest
          • That RAG doesn’t just sit there; it dictates how much scrutiny their customer faces now and through the life cycle of the business relationship.
      • The standard FSB RAG categories are:-
          • Lower - allows minimal and/or simplified CUSTOMER DUE DILIGENCE in limited circumstances
          • Standard - requires minimum CUSTOMER DUE DILIGENCE (CDD) and oversight
          • HIGH-ER - triggers ENHANCED DUE DILIGENCE (EDD).
          • HIGH-EST - triggers ENHANCED DUE DILIGENCE (EDD) and possible suspicions
      • A CRA profile will categorise customers on factors like:-
          • Client type, e.g. ties to politically exposed persons (PEPs).
          • Their occupation, e.g. real estate developer
          • Geographic location, e.g. Iran
          • Product and/or service being provided to the customer, e.g. asset holding structure that includes trusts and companies
          • Delivery of the product and/or service, e.g. remotely through website applications and certified documents by third parties
          • Transaction types and patterns, e.g., transfer from a South American FSB
  • Without CRA, the FSB’s flying blind, unsure who needs a light touch versus a full shakedown.
  • In gauging the above, an FSB must risk-categorise its customers for CDD/EDD, oversight, monitoring, and scrutiny purposes. It’s also the proactive piece.
        • While gathering their customers' info (the basic CDD) is about knowing the customer, CRA is about understanding them—
          • Spotting red flags before they become crimes.
        • Think of it like triage in a hospital: it prioritises resources.
          • With billions in transactions daily, FSBs can’t grill everyone equally—CRA tells them where to focus, catching the “sketchy stuff” early.
        • Regulators love this, too.
          • It’s baked into global standards like FATF’s risk-based approach. Screw it up, and fines or reputational hits follow.
  • But is it the most important? That’s trickier.
        • Basic CDD—collecting and verifying their customer identity—is the bedrock; without it, there’s nothing to assess.
        • And ongoing monitoring, which tracks customer activity over time, often catches what CRA misses upfront—people can look clean first, then drift into dodgy behaviour.
        • If CRA is the compass, those other pieces are the map and the journey. Miss any one, and the whole system stumbles.
  • Still, CRA’s edge is its role as the decision engine. It’s not just data collection or after-the-fact alerts—it’s the point where the FSB says,
        • “This is what it all means.”
  • And that’s why it feels so critical: it shapes the entire AML response.

CONCLUSION

  • A CRA evaluates:
      • The probability of their customer being involved in or connected to illicit activities and/or property
      • Whether their customer fits their CUSTOMER RISK APPETITE and
      • Whether their customer's behaviour or circumstances fit their CUSTOMER RISK APPETITE
  • By onboarding customers and monitoring and scrutinising their behaviour during a business relationship (or one-off transaction), if red flags pop up—like unusual cash flows or “sketchy” sources of funds—it’s
      • Less about slapping a “money launderer” label on them and
      • More about deciding if the FSB needs to dig deeper with EDD to protect their business and comply with regulations.  
  • AND THE CRA CAN BE SEEN AS:-
      • THE LINCHPIN AMONG EQUALS OF THE AML CUSTOMER DUE DILIGENCE (CDD) PUZZLE

IF YOU WANT TO KNOW MORE OR WANT TRAINING ON THE ABOVE MATTERS PLEASE CONTACT COMSURE.

ALSO, IF YOU WANT A RISK RATING TOOL THAT TAKES YOU BEYOND PAPER AND EXCEL, check out iTRACK  

iTRACK  

Based on a methodology designed by public and private sector AML experts and mapped against local and international standards, Comsure's Risk Assessment tool (iTRACK) is a web-based solution that delivers a comprehensive, automated risk-based reportable profile of an institution's products, services, geographies, and customer entities through a flexible and scalable platform for institutions of all sizes.

Comsure's Risk Assessment is a trusted, standardised means of measuring, understanding, and explaining an institution's money laundering risks.

  1. Establishing AML standards based on global best practices and the latest guidance and regulation from authoritative sources worldwide
  2. Providing Automation which aggregates multiple risk categories and provides seamless updates to address any regulatory changes
  3. Utilising qualitative and quantitative data features which score risk and offer a comprehensive money laundering risk profile
  4. Creating presentation-ready reports, charts and tables, allowing you to communicate your risk to stakeholders, including regulators while eliminating the need for cumbersome manual reporting
  5. Benchmarking and comparative reporting, providing a framework for future AML standards. Further to the above, you can also verify your risks

Comsure has developed a simple but effective risk measurement online tool (currently called “iTrackAML”). Along with local requirements (JFSC/GFC, MFSC, SFSA etc.) ITrack meets the standards required by international regulatory bodies and international standard setters such as:

ITrack provides a bulletproof system to allow firms to demonstrate to “Regulators” the robustness of their AML systems, including:

  1. Client Take On,
  2. Verification[*],
  3. Risk Assessments,
  4. Monitoring,
  5. Management reporting (e.g. Pie/Bar summary graphs)
  6. Reporting (Inc. Suspicious Activity Reports [SARs]) and
  7. Record-Keeping (and GDPR data management)

*As an enhancement to the core functionality of iTrackRisk, Comsure can also offer ITrackSanctions - ITrackSanctions offers data screening through APIs into Sanction data (OFAC, UN, EU*) and Politically Exposed Person [PEP] [and other high-risk information] and Adverse Media data through a dedicated matching engine and Data suppliers such as

These data sets can be matched singularly or batched as and when requested.

For further information and to see at a glance the core functionality of iTrackRisk, CONTACT MATHEW@COMSUREGROUP.COM or click here: https://www.comsuregroup.com/media/1336/itrack-booklet.pdf

SOURCE - https://www.comsuregroup.com/advisory-product-support/itrack-aml/   
