Do we have a customer risk rating problem?


I’ve written previously about the FCA’s thematic paper, concentrating on the BWRA aspects because they align closely with the alternative methodology we’ve been developing. However, I’ve since been compelled to reflect more closely on the other component of the review, the Customer Risk Assessment.

After revisiting the paper with that broader lens, what stood out was how closely the FCA’s observations on customer risk mirror its concerns about the BWRA. Although CRAs and CRR models are generally regarded as mature and operationally entrenched, this very familiarity may conceal their limitations. The thematic review suggests that, despite years of refinement, these frameworks still struggle to deliver the clarity, differentiation and genuinely decision‑useful insight supervisors expect.

What the FCA highlights is not a lack of activity, but the structural way customer risk is conceptualised. Many models move quickly from customer attributes to a single composite rating, with limited articulation of the scenarios that actually drive financial crime exposure. As a result, risk can feel well‑processed but poorly understood.

This has led me to consider whether the assumptions underpinning most CRA frameworks may be constraining what they can realistically deliver. The intention here is not to propose an alternative model, but to question whether a shift in how customer‑level exposure is framed could bring firms closer to the outcomes regulators are increasingly emphasising.

Aggregation: Where insight gets flattened

At the core of most CRA frameworks sits aggregation. Customer type, geography, products, delivery channels, transactional behaviour, adverse information and, in some cases, control overlays are all brought together into a single outcome. This aggregation is often further compounded by policy-driven overrides (most commonly in relation to PEPs) which, while entirely understandable from a risk-governance perspective, can flatten insight even further by collapsing a wide range of underlying risk drivers into a single mandated outcome.

That aggregation is not a design flaw; it is a practical necessity. Without it, customer risk models would quickly become unmanageable.

The difficulty lies in what aggregation does to risk understanding. As the FCA’s review hints, without quite naming it directly, aggregation tends to flatten risk. Distinct financial crime exposures such as sanctions, fraud, facilitation of tax evasion, bribery and corruption are collapsed into a single label. The result may be technically accurate, but it is often analytically thin.

The problem is not that these risks cannot be aggregated. It is that once they are, it becomes difficult to see them clearly again. Comparability is achieved, but at the cost of meaning. What is lost in that process is not nuance for its own sake, but the ability to understand what actually drives exposure and which responses matter most.

One rating, many very different problems

The flattening effect of aggregation becomes most visible when customers sharing the same rating introduce fundamentally different forms of financial crime exposure. Consider two customers, both legitimately assessed as high risk. The first is a privately owned trading company operating across multiple jurisdictions, with a complex ownership structure and limited transparency over beneficial ownership. Here, the primary exposure relates to classic money‑laundering concerns: opacity, layering risk and the potential introduction or movement of illicit funds.

The second is a well‑established corporate customer with a transparent ownership structure but operating in a sector inherently exposed to bribery and corruption. Its reliance on third‑party agents in high‑risk jurisdictions means the core risk lies not in concealment of proceeds, but in the potential facilitation of corrupt payments.

Both customers may quite properly emerge with the same overall rating. The aggregation works. The score is defensible. But the underlying risks, the scenarios that matter, and the firm’s potential exposure are markedly different — and the response should be too.

In practice, however, aggregation often drives convergence. Both customers may be subject to broadly similar enhanced due diligence, review cycles and monitoring expectations. Activity is triggered, but not necessarily the right activity. As a result, firms can over‑control in some areas and under‑control in others, spreading resources thinly across all “high‑risk” customers rather than targeting the scenarios that genuinely drive exposure. Monitoring becomes noisier, escalations increase and yet insight does not deepen.

Over time, the framework can appear robust simply because activity is taking place, even as the connection between risk, control and outcome becomes weaker. Senior management sees cost and volume rising while still struggling to answer the most basic question: what are we actually most worried about here?

What the CRA rarely makes explicit

One of the more telling themes running through the FCA’s observations is the limited visibility of why customers are rated the way they are. Many CRA methodologies move quickly from customer attributes to an overall outcome, with relatively little explicit articulation of the logic that sits in between.

What is often missing is a clear statement of the financial crime scenarios to which the customer introduces exposure, the controls relied upon to mitigate those scenarios, and where residual risk is believed to remain.

This is striking when contrasted with how firm-wide risk assessments are increasingly expected to operate. At BWRA level, supervisors now expect firms to articulate exposure, identify scenarios, link those scenarios to controls, and demonstrate how residual risk informs decision-making. At customer level, by contrast, we often accept a far more abstract treatment — even though customer-level decisions are where risk crystallises into harm, breaches and enforcement outcomes.

A thought experiment: Applying the same discipline

This raises an uncomfortable question. If we are being pushed to adopt a more scenario-led, control-aware approach to firm-wide risk, why do we accept something less demanding for customer risk?

What if customer risk assessment began not with a score, but with an explicit articulation of the financial crime scenarios that a relationship introduces? What if exposure to those scenarios was assessed directly, controls were considered in that context, and residual risk emerged as a consequence of that analysis rather than being inferred from a composite score?

In that world, the central question would shift. Instead of asking whether a customer is high risk in the abstract, firms would be asking which scenarios matter most, which controls are critical, and where discomfort genuinely sits. The rating would still have a role, but it would become an output of understanding rather than a proxy for it.
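To make the contrast between the two high-risk customers above and the scenario-led framing concrete, here is a small worked model. It is an added illustration, not any firm's CRA or the FCA's methodology; the scenario list, 0 to 5 exposure scores, band thresholds, control mappings and the two customers are all constructed assumptions.

```python
"""Composite customer rating versus a scenario-led view (constructed example).
All scenarios, weights, thresholds and control mappings are illustrative."""
from dataclasses import dataclass, field

SCENARIOS = ("money_laundering", "bribery_corruption", "sanctions", "fraud", "tax_evasion")

# Controls relied on per scenario (assumed mapping, constructed for this example).
CONTROLS = {
    "money_laundering": {"ubo_verification", "source_of_funds", "layering_monitoring"},
    "bribery_corruption": {"third_party_agent_screening", "payment_purpose_review"},
    "sanctions": {"sanctions_screening"},
    "fraud": {"account_takeover_controls"},
    "tax_evasion": {"offshore_structure_review"},
}

@dataclass
class Customer:
    name: str
    exposure: dict          # scenario -> inherent exposure score, 0 (none) to 5 (severe)
    controls_in_place: set = field(default_factory=set)

def composite_rating(c: Customer) -> str:
    """Typical CRA aggregation: sum the drivers, map the total to one band."""
    score = sum(c.exposure.get(s, 0) for s in SCENARIOS)
    return "high" if score >= 12 else "medium" if score >= 7 else "low"

def scenario_view(c: Customer) -> dict:
    """Scenario-led view: dominant scenarios (score >= 4), the controls that
    matter for them, and residual gaps where a relied-upon control is absent."""
    drivers = sorted((s for s in SCENARIOS if c.exposure.get(s, 0) >= 4),
                     key=lambda s: -c.exposure[s])
    critical = set().union(*(CONTROLS[s] for s in drivers))
    return {"drivers": drivers, "critical_controls": critical,
            "residual_gaps": critical - c.controls_in_place}

# Constructed customers mirroring the article's two examples.
trading_co = Customer("opaque multi-jurisdiction trading company",
    {"money_laundering": 5, "tax_evasion": 4, "sanctions": 3, "bribery_corruption": 1, "fraud": 1},
    {"source_of_funds"})
agent_corp = Customer("transparent corporate using third-party agents",
    {"bribery_corruption": 5, "sanctions": 4, "money_laundering": 2, "fraud": 2, "tax_evasion": 1},
    {"sanctions_screening"})

if __name__ == "__main__":
    for c in (trading_co, agent_corp):
        # Both land on the same band; only the scenario view shows what actually differs.
        print(c.name, "->", composite_rating(c), scenario_view(c))
```

Both customers total 14 and land in the same band, while the scenario view separates them: opacity and layering controls for the first, agent screening and payment-purpose review for the second.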

Why this matters now

The FCA’s thematic review sits squarely within a broader supervisory shift towards effectiveness and outcomes. Frameworks that exist on paper but do not meaningfully shape decisions are increasingly being called into question. It is no longer enough for risk assessments to be internally coherent; supervisors want evidence that they drive proportionate, targeted and defensible action.

Customer risk sits at the intersection of this shift. When aggregation obscures the underlying drivers of risk, the consequences show up quickly. Enhanced due diligence becomes broader but not deeper. Monitoring becomes noisier rather than sharper. Escalations increase, but clarity does not.

Returning to the earlier example, the issue is not whether both customers should be treated seriously. Clearly they should. The issue is that treating them the same makes it harder, not easier, to manage risk effectively. Controls designed to address opacity and layering are not the same controls needed to manage bribery and corruption exposure. Yet aggregation encourages precisely that convergence in response.

Closing reflections

These reflections are deliberately incomplete. They are prompted by the FCA’s review and by a growing sense that, while customer risk frameworks may be compliant and robustly governed, they are often doing less analytical work than we assume.

The models function. The scores are defensible. The processes are embedded.

But the insight is frequently thin.

That observation is not intended as a criticism of any one firm, framework or team. The way customer risk has evolved reflects years of regulatory expectation, operational pragmatism and incremental refinement across the industry. In many respects, today’s CRA frameworks are the logical outcome of how the risk-based approach has been interpreted and implemented over time.

That also means this is not an issue any single firm can solve in isolation. If there are structural limitations in how customer risk is currently conceptualised, then responsibility (and opportunity) sits collectively with the industry to reflect on whether it still serves the outcomes we are now being asked to deliver. That desire to confront the status quo, and to mobilise a shared sense of purpose across the industry to work through the answers together, has been the motivation for this series of blogs.

In future pieces, I intend to explore what a more scenario-led, exposure-driven view of customer risk might look like in practice, and what that could mean for due diligence, monitoring, periodic reviews and escalation. For now, it is enough to observe that if supervisors are asking harder questions of our BWRAs, it may only be a matter of time before they expect us to ask similarly hard questions of customer risk.

When that moment comes, a single number may no longer be enough.
