Commencing in June 2025, Anti-Money Laundering regulations will introduce a mandated Customer Risk-Rating (CRR) process, as part of the regime’s wider move to a truly risk based approach.

Reporting Entities will be required to risk-rate each new customer during the Customer Due Diligence process (refer to section 12AC of the regulations). This new framework aims to strengthen the management and mitigation of risks within financial institutions by providing a more structured approach to customer risk assessments. These entities must also maintain a record of the customer’s risk ratings and periodically review them as part of wider ongoing CDD obligations.

The approach as to how Reporting Entities will risk rate clients is likely to remain flexible (note: guidance has not been released) and while a flexible approach is desirable, it can also lead to uncertainty for AML Compliance Officers and teams. One of the key challenges for Reporting Entities will be developing a consistent methodology for risk-rating their customers. This involves creating a meaningful risk methodology, ensuring the accuracy of data used in the assessments, and providing adequate training for staff involved in the process.

Additionally, Entities will need to validate and calibrate their risk-rating methodologies to avoid under or over-estimating risk long term.

A dynamic risk-scoring system will be essential; one that encompasses evolving transactional patterns, behaviours, and interactions to provide an accurate reflection of a customer’s risk over time.

Given the scale of these changes, we recommend that Reporting Entities begin planning and implementing their CRR systems as soon as possible. Preparing ahead of the June 2025 deadline will help ensure compliance and enable organisations to effectively manage the risks associated with money laundering.