Your Guide to AML Risk Ratings: Build, Run, and Stay Compliant

AML regulations now require all new customers to be risk-rated before onboarding. Set up and run ratings with Realaml in just a few clicks.

Written by Jordan
Updated over a week ago

Introduction

Many AML regulators now require reporting entities to assign a risk rating to every new customer as part of customer due diligence (CDD) obligations.

In regions like New Zealand and Australia, this requirement forms part of legislative updates to anti-money laundering and counter-terrorism financing (AML/CTF) frameworks.

Every new customer must be assigned a risk-rating before you begin your business relationship with them.

This guide walks you through:

  1. Setting up your firm’s Risk Profile

  2. Running and managing Risk Ratings

  3. Staying compliant using Realaml’s tools


Part 1: Set Up Your Firm’s Risk Profile (One-time Setup Only)

Your Risk Profile defines how customers are assessed and what internal actions your staff should take. Realaml provides a default profile but it’s only a starting point.

You must customise it for your firm.

Access this under: Compliance → Risk Profile, which includes three key tabs.

1.1 Profile & Red Flags

This tab controls the structure and logic of your firm’s Risk Rating form.

The 7 fixed sections:

  1. Customer Type

  2. Customer Engagement & Interaction

  3. Identity Verification & Jurisdiction Risk

  4. Products and Services

  5. Transaction Rationale & Customer Involvement

  6. Financial Movement & Red Flags

  7. Matter Value

Note: You can rename section titles to suit your firm, but the sections themselves cannot be removed or reordered.

Each section supports:

  • Default and editable questions

  • Unlimited new custom questions

  • Each question can include:

    • Multiple choice (multi-select)

    • Default answers (pre-filled)

    • Internal notes

    • High Risk flag (automatically sets score to 5)

Default Risk Rating Disclaimer

By default, risk ratings generated using Realaml include the following disclaimer in the report: "The current risk rating is based on the default profile provided by Realaml."

This message will remain in all reports unless your firm explicitly confirms that the Risk Profile has been reviewed and accepted.

Accepting the Risk Profile

To remove the default disclaimer, your firm must confirm the Risk Profile configuration as suitable. Follow these steps:

  1. Go to your firm's Risk Profile page.

  2. Click the confirmation banner at the top to open a popup.

  3. Type Confirm in the field provided.

  4. Click Yes to submit.

Once confirmed, Realaml will recognize that your firm has reviewed and accepted the Risk Profile. The disclaimer will then be excluded from future reports.

Resetting Your Risk Profile to Realaml Defaults

If needed, you can reset your Risk Profile to the original Realaml default configuration by clicking "Reset to Default Risk Profile" at the bottom of the Risk Profile page and entering Confirm when prompted.

This action will:

  • Erase all customisations, including custom questions, internal notes, and saved answers

  • Restore the default out-of-the-box Risk Profile provided by Realaml

After the reset, you will need to review and confirm the default profile again to remove the disclaimer from future reports.

⚠️ Important Compliance Note

Regulatory guidance requires your Risk Profile to accurately reflect your firm’s risk appetite, internal policies, and AML/CTF obligations.

Relying solely on the default profile without proper review and confirmation may result in non-compliance.

1.2 Recommended Actions

Use this tab to define staff guidance shown at the end of a Risk Rating. There are four levels:

Risk Level            Example Staff Guidance
High Risk             Perform ECDD including source of funds and senior oversight. Consider whether to proceed.
Medium-High Risk      Perform ECDD and escalate for senior review.
Medium Risk           CDD may be sufficient. Document reasoning and assess need for ECDD.
Low Risk              CDD is sufficient. Proceed with onboarding.

1.3 Compliance Documents

Upload your internal AML/CTF documentation for team use and audit readiness. This may include:

  • Your AML/CTF programme or policy

  • Risk assessment methodology

  • Onboarding workflows or SOPs

A central place for compliance visibility and internal training.


Part 2: Run a Risk Rating for a Customer

Once your firm’s Risk Profile is ready, here’s how your team can assess each new customer in accordance with local AML obligations.

2.1 Complete an IDV or PEP Check (Client Action)

Before a Risk Rating can be initiated, the customer must complete one of the following:

  • Face IDV

  • Quick IDV

  • FaceMatch

  • PEP check

Realaml uses this data, including PEP results, country risk, and other IDV outcomes, to inform the Risk Rating process.

Once the check is complete:

  • You’ll receive a verification email with a “Run Risk Rating” link

  • Or access the Risk Rating tab directly from the client’s dashboard

2.2 Start and Complete the Risk Rating (Staff Only)

From the client’s dashboard:

  • Open the Risk Rating tab

  • Click Start New Risk Rating

  • The 7-section form will launch and auto-save as staff complete each section

This form reflects your firm’s configured Risk Profile. Staff cannot change the questions or structure; they simply complete the predefined workflow.

In each section, staff can:

  • Select from predefined answers (e.g. dropdowns, multi-select)

  • View or update any pre-filled default answers

  • Add internal notes to support compliance decisions

⚠️ If a question was flagged High Risk in the Risk Profile, selecting the associated answer will automatically set the final score to 5 (High Risk) even if the average is lower.

2.3 Review the Final Score

Realaml calculates the average score across all responses and rounds up to the nearest whole number:

Average Score (rounded up)    Risk Level
1–2                           Low Risk
3                             Medium Risk
4                             Medium-High Risk
5                             High Risk

Staff can override the score if justified or restart the Risk Rating if needed.
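The scoring rules described in this section (average across all responses, rounded up to the nearest whole number, a High Risk flag forcing the final score to 5, and a staff override that must be justified) are small enough to model in a few lines. The following is an added example written for this guide; it is not Realaml code and does not reflect how the product is implemented internally. It assumes each answer carries an integer score from 1 to 5 (inferred from the mapping table, not stated on the page), and the `Response`, `RatingResult`, `compute_rating` and `override_rating` names are hypothetical.

```python
from dataclasses import dataclass
from math import ceil
from statistics import mean
from typing import List, Optional

# Final score -> risk level, as in the mapping table above.
# A rounded-up average of 1 or 2 is Low Risk; 3, 4 and 5 map one-to-one.
RISK_LEVELS = {
    1: "Low Risk",
    2: "Low Risk",
    3: "Medium Risk",
    4: "Medium-High Risk",
    5: "High Risk",
}


@dataclass(frozen=True)
class Response:
    """One answered question from the 7-section form (hypothetical structure)."""
    section: str
    question: str
    score: int                     # 1 (lowest risk) .. 5 (highest risk); assumed scale
    high_risk_flag: bool = False   # the chosen answer was flagged High Risk in the Risk Profile


@dataclass
class RatingResult:
    average: float
    final_score: int
    risk_level: str
    forced_high_risk: bool                     # True when a High Risk flag set the score to 5
    override_justification: Optional[str] = None


def compute_rating(responses: List[Response]) -> RatingResult:
    """Average the scores, round up, and let any High Risk flag force a 5."""
    if not responses:
        raise ValueError("a Risk Rating needs at least one response")
    for r in responses:
        if not 1 <= r.score <= 5:
            raise ValueError(f"score out of range for {r.question!r}: {r.score}")

    avg = mean(r.score for r in responses)
    forced = any(r.high_risk_flag for r in responses)
    # The flag wins even when the average would give a lower score.
    final = 5 if forced else ceil(avg)
    return RatingResult(avg, final, RISK_LEVELS[final], forced)


def override_rating(result: RatingResult, new_score: int, justification: str) -> RatingResult:
    """Staff override of the calculated score; refused without a written justification."""
    if not 1 <= new_score <= 5:
        raise ValueError("override score must be between 1 and 5")
    if not justification.strip():
        raise ValueError("an override must be justified")
    return RatingResult(
        average=result.average,
        final_score=new_score,
        risk_level=RISK_LEVELS[new_score],
        forced_high_risk=result.forced_high_risk,
        override_justification=justification.strip(),
    )


# Constructed sample: one answer per section of the 7-section form.
SAMPLE_RESPONSES = [
    Response("Customer Type", "Entity type", 2),
    Response("Customer Engagement & Interaction", "Met in person?", 3),
    Response("Identity Verification & Jurisdiction Risk", "Country risk", 3),
    Response("Products and Services", "Service requested", 2),
    Response("Transaction Rationale & Customer Involvement", "Rationale clear?", 1),
    Response("Financial Movement & Red Flags", "Unusual funds movement?", 2),
    Response("Matter Value", "Matter value band", 2),
]

# Same answers, but the funds-movement answer is one the firm flagged High Risk.
SAMPLE_WITH_FLAG = [
    Response(r.section, r.question, r.score, high_risk_flag=(r.section == "Financial Movement & Red Flags"))
    for r in SAMPLE_RESPONSES
]


if __name__ == "__main__":
    base = compute_rating(SAMPLE_RESPONSES)      # average 15/7 ~ 2.14 -> rounds up to 3
    print(base.final_score, base.risk_level)     # 3 Medium Risk
    flagged = compute_rating(SAMPLE_WITH_FLAG)   # flag forces 5 despite the same average
    print(flagged.final_score, flagged.risk_level)
    print(override_rating(base, 4, "Escalated after senior review of source of funds").risk_level)
```

Note that rounding up means an average of 2.01 already lands on a final score of 3 (Medium Risk); only an average of exactly 2.0 or below stays Low Risk. Recording the justification alongside an override is what makes the decision defensible at audit time.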

2.4 Submit and Download

Once submitted:

  • The Risk Rating will appear in the dashboard

  • It is automatically merged with the related verification

  • Staff can download:

    • A standalone PDF, or

    • A combined full compliance report

Reuse Risk Ratings for Related Customers

If multiple individuals are linked to the same customer/matter (e.g. co-trustees, joint directors):

  • Individual 2 will inherit answers from individual 1

  • Staff can edit responses before submission


FAQs

Is a Risk Rating required for every new customer?
✅ Yes — this is a standard requirement under AML/CTF regimes in regions like AU and NZ.

Why does my report say “based on the default profile”?
You’re using the Realaml default profile. Enter Confirm in your settings to confirm your custom version and remove the message.

Can I reset my Risk Profile?
✅ Yes — enter Confirm in your Risk Profile to reset to default.

Can customers see their Risk Rating?
🚫 No — Risk Ratings are for internal compliance purposes only.

Need help?
💬 Message us via the chat bubble or email support@realaml.com
