Introduction
Many AML regulators now require reporting entities to assign a risk rating to every new customer as part of customer due diligence (CDD) obligations.
In New Zealand and Australia, this requirement forms part of legislative updates to anti-money laundering and counter-terrorism financing (AML/CTF) frameworks.
Every new customer must be assigned a risk rating before you begin your business relationship with them.
This guide walks you through:
Setting up your firm’s Risk Profile
Running and managing Risk Ratings
Staying compliant using Realaml’s tools
Part 1: Set Up Your Firm’s Risk Profile (One-time Setup Only)
Your Risk Profile defines how customers are assessed and what internal actions your staff should take. Realaml provides a default profile but it’s only a starting point.
You must customise it for your firm.
Access this under: Compliance → Risk Profile, which includes three key tabs.
1.1 Profile & Red Flags
This tab controls the structure and logic of your firm’s Risk Rating form.
The 7 fixed sections:
Customer Type
Customer Engagement & Interaction
Identity Verification & Jurisdiction Risk
Products and Services
Transaction Rationale & Customer Involvement
Financial Movement & Red Flags
Matter Value
Note: You can rename section titles to suit your firm, but the sections themselves cannot be removed or reordered.
Each section supports:
Default and editable questions
Unlimited new custom questions
Each question can include:
Multiple choice (multi-select)
Default answers (pre-filled)
Internal notes
High Risk flag (selecting a flagged answer automatically sets the final score to 5, regardless of the other answers)
Default Risk Rating Disclaimer
By default, risk ratings generated using Realaml include the following disclaimer in the report: "The current risk rating is based on the default profile provided by Realaml."
This message will remain in all reports unless your firm explicitly confirms that the Risk Profile has been reviewed and accepted.
Accepting the Risk Profile
To remove the default disclaimer, your firm must confirm the Risk Profile configuration as suitable. Follow these steps:
Go to your firm's Risk Profile page.
Click the confirmation banner at the top to open a popup.
Type Confirm in the field provided.
Click Yes to submit.
Once confirmed, Realaml will recognise that your firm has reviewed and accepted the Risk Profile, and the disclaimer will be excluded from future reports.
Resetting Your Risk Profile to Realaml Defaults
If needed, you can reset your Risk Profile to the original Realaml default configuration by clicking "Reset to Default Risk Profile" at the bottom of the Risk Profile page and entering Confirm when prompted.
This action will:
Erase all customisations, including custom questions, internal notes, and saved answers
Restore the default out-of-the-box Risk Profile provided by Realaml
After the reset, you will need to review and confirm the default profile again to remove the disclaimer from future reports.
⚠️ Important Compliance Note
Regulatory guidance requires your Risk Profile to accurately reflect your firm’s risk appetite, internal policies, and AML/CTF obligations.
Relying solely on the default profile without proper review and confirmation may result in non-compliance.
1.2 Recommended Actions
Use this tab to define staff guidance shown at the end of a Risk Rating. There are four levels:
Risk Level | Example Staff Guidance
High Risk | Perform ECDD including source of funds and senior oversight. Consider whether to proceed.
Medium-High Risk | Perform ECDD and escalate for senior review.
Medium Risk | CDD may be sufficient. Document reasoning and assess need for ECDD.
Low Risk | CDD is sufficient. Proceed with onboarding.
1.3 Compliance Documents
Upload your internal AML/CTF documentation for team use and audit readiness. This may include:
Your AML/CTF programme or policy
Risk assessment methodology
Onboarding workflows or SOPs
This gives your team a central place for compliance visibility and internal training.
Part 2: Run a Risk Rating for a Customer
Once your firm’s Risk Profile is ready, here’s how your team can assess each new customer in accordance with local AML obligations.
2.1 Complete an IDV or PEP Check (Client Action)
Before a Risk Rating can be initiated, the customer must complete one of the following:
Face IDV
Quick IDV
FaceMatch
PEP check
Realaml uses this data, including PEP results, country risk, and other IDV outcomes, to inform the Risk Rating process.
Once the check is complete:
You’ll receive a verification email with a “Run Risk Rating” link
Or access the Risk Rating tab directly from the client’s dashboard
2.2 Start and Complete the Risk Rating (Staff Only)
From the client’s dashboard:
Open the Risk Rating tab
Click Start New Risk Rating
The 7-section form will launch and auto-save as staff complete each section
This form reflects your firm’s configured Risk Profile. Staff cannot change the questions or structure; they simply complete the predefined workflow.
In each section, staff can:
Select from predefined answers (e.g. dropdowns, multi-select)
View or update any pre-filled default answers
Add internal notes to support compliance decisions
⚠️ If an answer was flagged High Risk in the Risk Profile, selecting it will automatically set the final score to 5 (High Risk), even if the average across the other answers is lower.
2.3 Review the Final Score
Realaml calculates the average score across all responses, rounds it up to the nearest whole number, and maps the result to a risk level:
Average Score | Risk Level
1–2 | Low Risk
3 | Medium Risk
4 | Medium-High Risk
5 | High Risk
Staff can override the score where justified, or restart the Risk Rating if needed. Record the reasoning for any override so it is available for audit.
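The scoring rules above (High Risk flag forces a 5, otherwise the average is rounded up and mapped to a level, and staff may override with justification) are small enough to model exactly. The following is an added illustration written for this guide, not Realaml's own code, and it makes assumptions the page does not state: each selected answer carries a whole-number score from 1 to 5, "rounds up" means the ceiling of the average, and an override must carry a written reason. The question names and sample answers are constructed.

```python
"""Illustration of the Risk Rating score rules in sections 2.2 and 2.3.

Added example, not Realaml's code. Assumptions not stated on the page:
each answer carries a whole-number score from 1 to 5, "rounds up" means
the ceiling of the average, and an override needs a written justification.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    question: str
    score: int               # assumed scale: 1 (lowest risk) to 5 (highest)
    high_risk: bool = False  # True if this answer is flagged High Risk in the Risk Profile


@dataclass(frozen=True)
class RiskRating:
    score: int
    level: str
    basis: str  # audit trail: how the score was reached


# Score-to-level mapping from the table in section 2.3.
RISK_LEVELS = {
    1: "Low Risk",
    2: "Low Risk",
    3: "Medium Risk",
    4: "Medium-High Risk",
    5: "High Risk",
}


def risk_level(score: int) -> str:
    """Map a whole-number score (1-5) to its risk level."""
    if score not in RISK_LEVELS:
        raise ValueError(f"score must be 1-5, got {score}")
    return RISK_LEVELS[score]


def calculate_rating(answers: list[Answer]) -> RiskRating:
    """Apply the rules: a High Risk flag forces 5, otherwise ceil(average)."""
    if not answers:
        raise ValueError("a Risk Rating needs at least one answer")
    for a in answers:
        if not 1 <= a.score <= 5:
            raise ValueError(f"{a.question!r}: score {a.score} is outside 1-5")

    flagged = [a.question for a in answers if a.high_risk]
    if flagged:
        # The flag overrides the average, even when the average is low.
        return RiskRating(5, risk_level(5), "High Risk flag on: " + ", ".join(flagged))

    average = sum(a.score for a in answers) / len(answers)
    score = math.ceil(average)  # "rounds up": an average of 2.2 becomes 3, not 2
    return RiskRating(score, risk_level(score), f"average {average:.2f} rounded up to {score}")


def override_rating(rating: RiskRating, new_score: int, justification: str) -> RiskRating:
    """Staff override (section 2.3). Refuses an override with no written reason."""
    if not justification.strip():
        raise ValueError("an override must be justified")
    return RiskRating(
        new_score,
        risk_level(new_score),
        f"overridden from {rating.score} to {new_score}: {justification.strip()}",
    )


if __name__ == "__main__":
    # Constructed sample answers, not real customer data.
    answers = [
        Answer("Customer Type", 2),
        Answer("Customer Engagement & Interaction", 2),
        Answer("Identity Verification & Jurisdiction Risk", 2),
        Answer("Products and Services", 3),
        Answer("Transaction Rationale & Customer Involvement", 2),
    ]
    print(calculate_rating(answers))  # average 2.20 -> 3 -> Medium Risk
    answers[0] = Answer("Customer Type", 1, high_risk=True)
    print(calculate_rating(answers))  # flag -> 5 -> High Risk
```

The point worth noticing is the rounding: because the average is rounded up, a customer whose answers are almost all Low Risk with a single Medium answer (average 2.2) lands on Medium Risk, not Low. If your firm relies on the Low band, check that the default answers in your Risk Profile produce the band you expect before accepting the profile.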
2.4 Submit and Download
Once submitted:
The Risk Rating will appear in the dashboard
It is automatically merged with the related verification
Staff can download:
A standalone PDF, or
A combined full compliance report
Reuse Risk Ratings for Related Customers
If multiple individuals are linked to the same customer or matter (e.g. co-trustees, joint directors):
Each additional individual inherits the answers given for the first individual
Staff can review and edit the inherited responses before submission
FAQs
Is a Risk Rating required for every new customer?
✅ Yes — this is a standard requirement under AML/CTF regimes in regions like AU and NZ.
Why does my report say “based on the default profile”?
You’re using the Realaml default profile. Go to Compliance → Risk Profile, click the confirmation banner, and type Confirm to accept the profile as reviewed. The message is then removed from future reports.
Can I reset my Risk Profile?
✅ Yes. Click "Reset to Default Risk Profile" at the bottom of the Risk Profile page and type Confirm when prompted. This erases all customisations, and you will need to confirm the profile again to remove the default disclaimer.
Can customers see their Risk Rating?
🚫 No — Risk Ratings are for internal compliance purposes only.
Need help?
💬 Message us via the chat bubble or email support@realaml.com