A BSA / AML Roadmap for Effective Customer Risk Modeling

September 19, 2013

Over the last decade, many financial institutions have implemented significant changes in customer profiling and risk assessment processes in an effort to meet the increasing Bank Secrecy Act / Anti-Money Laundering (BSA / AML) regulatory expectations. In particular, Customer Risk Modeling and Ranking have become crucial differentiators in a financial institution’s ability to determine the:

  • Quality of customer profile data required to adequately monitor and report

               -- Customer responses to Knowing-Your-Customer (KYC) questions
               -- Customer and Enhanced due diligence information

  • Quality of alerts

               -- Analyzing effectiveness of transaction monitoring output

Customer Risk Modeling represents activity in the following four categories:

 1. Risk Modeling – Identifying specific customer segments that pose an inherent risk, including the recognition of static (DOB, name, etc.) and dynamic (transactional behavior) attributes

 2. Risk Scoring – Assigning relevant risk factors and calculating an overall Customer Risk score

 3. Risk Ranking – Partitioning customer risk scores into relative tiers (e.g., high, medium, low, excessive)

 4. Risk Management – Policies, procedures, processes and executive decisions governing treatment of customers in each risk tier

Key Components
Financial institutions must clearly define the factors and / or attributes that should be considered for their risk models in both static and dynamic categories:

  • Static Factor Examples

               -- Type of business (NAICS)
               -- Type of occupation
               -- Customer net worth
               -- Source of funds

  • Dynamic Factor Examples

               -- Anticipated activity (number and dollars)
               -- Frequency of activity

The above examples also illustrate common risk factors when developing risk models. The key takeaways are: there is a degree of judgment when selecting the components of interest, because institutions will have varying definitions of risk; and financial institutions should undergo a formal process to select the key risk components with which they are most concerned, assigning a risk coefficient for each attribute that will be used in their risk model.

In today’s marketplace, there is an inherent need to integrate monitoring environments with customer master files, joined by the common threads of risk modeling and ranking. While transaction monitoring software has attempted to build a bridge connecting these two functions, organizations have realized shortcomings in their ability to unify these processes. Why? Customer risk modeling and ranking, in most cases, run parallel to transaction monitoring, requiring that investigators and / or analysts take additional steps to connect the dots and draw inferences on the overall activities being conducted.

Key Challenges
In the process of successfully implementing an automated customer risk modeling and ranking process, Alvarez & Marsal (A&M) has observed many organizations’ attempts to overcome major challenges, sometimes resulting in failure and / or significant roll-out delays. Some challenges include:

  • Missing and / or inadequate business requirements
  • Poorly developed functional requirements
  • Inability to understand dependencies on current projects
  • Missing and / or inadequate data migration strategy
  • Use of poor data or attempting to perform data cleansing and remediation during the implementation

These areas are interdependent — causing a potential ripple effect in the implementation should any be inadequate. Moreover, not performing a data quality assessment during the requirements definition stage of the implementation lifecycle may drive the likelihood of failure even higher. Diagram A below outlines these interdependencies and maps a best-case implementation lifecycle.


Diagram A

A Prerequisite

Before an institution can perform risk modeling and ranking, customers must be uniquely identified across the organization. Most entities utilize an intermediary repository or data warehouse in which an enterprise view of the customer is maintained. In theory, the use of an enterprise view makes the most business sense given that the information can be leveraged and shared. However, this approach opens the door to risk if not properly implemented, monitored and maintained. Does your organization’s enterprise view address all of the areas described below?

  • Growth and Scalability

               -- Changing business requirements, impacting users and technology performance demands
               -- Additional data loads
               -- Ongoing trained support staff

  • Testing – Test all integration points, for example:

               -- Feeds from the source systems to a data warehouse to Risk Modeling staging tables
               -- Extraction, Transformation and Load (ETL) process between each integration point

  • Alignment – Ensure source system changes cascade through to the risk scoring models (especially transaction and service codes)

Dynamic Customer Risk Scoring and Periodic Reviews

When customer behavior is continuously tracked, institutions can adjust risk scores in real time. The use of dynamic risk scoring and periodic reviews assists the institution in the identification of suspicious activities related to higher risk customers. Most financial institutions risk-rate their customers during the on-boarding process, using their responses to KYC questions, and then periodically thereafter to determine whether actual activity has deviated from anticipated activity. See Diagram B below.

Diagram B: Core Processing Activity Relationships

There are a variety of factors that indicate how frequently an institution will review its high-risk customers, for example:

  • Demographics
  • Products and services
  • Type of business
  • Source of funds / wealth

Using an automated risk modeling tool in conjunction with a transaction monitoring application provides the institution with a reference to the customer’s risk rating against his or her monthly activities and alerts. In addition, the ability to schedule periodic risk scoring reviews, along with risk score override capabilities, is also helpful, particularly in cases in which “white list” customers are perceived to be innocuous.

Institutions realize benefits from implementing, reviewing and periodically tuning customer risk scoring. These include:

  • Providing transparency of higher-risk customers across lines of business
  • Better data gathering practices (CDD, EDD)
  • Tighter processing controls
  • Increasing the quality of the transaction monitoring process (e.g., reduce false positive rates)


One size does not fit all when it comes to financial institutions that have continually kept pace with process fine-tuning in order to assist in the identification of money laundering activities.

Customer Risk Modeling and Ranking are key tools that help fill the compliance gap by linking core review processing activities and assuring that customers that pose a higher risk are identified in a timely and judicious manner. It is also important to remember that high-risk customers may never engage in money laundering activities. Therefore, there is no set formula as to the identification of customers that pose a higher risk for potential money laundering.

Meeting an institution’s regulatory obligations is dependent upon two key factors: (1) the sound use of technology to assure that customer information is reliable and accessible, and (2) pragmatic selection of the components that fit with its risk model.

A&M finds financial institutions that have embraced the use of risk modeling clearly understand the long-term benefits of the approach; organizations that do not are steadily putting themselves at “high risk.”