Issue #3 | May 12, 2026 | 6 min read

SECTION 1: The Brief

Customer risk rating models get validated, documented, and presented to examiners as evidence of a functioning AML program. The refresh process that keeps those ratings current gets almost none of that attention, and that is where examiners actually find problems.

This issue covers how banks score customer risk, where the process typically breaks down, and why the most common fix doesn't address what's actually broken.

SECTION 2: Main Feature

PRACTITIONER INTELLIGENCE

Customer Risk Rating Programs Break at Refresh, Not at Build

Most CRR models are methodologically sound. Most CRR programs are not. The gap is usually one process.

A customer risk rating is a bank's internal assessment of how much money laundering risk a given customer represents. The rating drives everything downstream: what due diligence is collected at onboarding, how frequently the account is reviewed, what transaction thresholds trigger escalation, and whether the customer qualifies for enhanced due diligence. Get the rating wrong, or let it go stale, and every downstream control is calibrated against a false baseline.

Banks build CRR models by assigning weighted scores to a standard set of risk factors: customer type (individual, entity, trust, foreign correspondent), business type, products and services used, geographic exposure, expected transaction volume, source of funds, and PEP or adverse media flags. Scores aggregate into tiers, typically Low, Medium, and High, with High triggering EDD under the bank's risk-based procedures, which FinCEN's Customer Due Diligence rule has required banks to maintain since its May 11, 2018 compliance date.

FinCEN's CDD Rule requires banks to maintain written procedures for ongoing customer due diligence, including risk-based processes for maintaining and updating customer information when the bank becomes aware of changes relevant to the customer's risk profile.

Source: FinCEN CDD Final Rule, 31 CFR Parts 1010, 1020, 1023, 1024, 1026 (published May 11, 2016; compliance date May 11, 2018)

The model itself is rarely where examiners find problems. The failure point is refresh, which is the process of updating ratings when a customer's risk profile changes. Banks are expected to review ratings on two tracks: periodic reviews tied to the customer's risk tier (annual for high-risk is common, biennial or longer for lower tiers), and event-driven reviews triggered by specific flags like a SAR filing, adverse media hit, change in business activity, or transactions significantly outside the expected pattern.

In practice, both tracks break down in the same ways. The periodic review process creates backlogs when large customer cohorts onboarded around the same time all hit their refresh dates simultaneously. That surfaces as a staffing problem, but the staffing problem is a symptom. Event-driven triggers often fire in the transaction monitoring system without translating into an actual CRR update, because the TM platform and the CRR system aren't connected and no workflow exists to close the loop. And when examiners ask who owns the refresh queue, the answer is usually that three different teams each assumed one of the others did.

What Examiners Look for When They Pull the Refresh Population

  • High-risk customers with ratings unchanged for 18 months or longer, particularly where account activity has changed materially since the original rating

  • An entire customer segment with stale ratings at the same vintage, typically indicating a batch process that ran once and was never maintained

  • Event-triggered reviews that were not completed: SARs filed with no subsequent CRR update in the customer file; adverse media hits that didn't result in a review

  • Refresh completed on paper with no EDD update in the file; the date changed, the documentation didn't

The instinct when a backlog surfaces is to assign more analysts. That's not wrong, but it treats the symptom. The structural problem is that most CRR refresh processes are manual, dependent on analyst judgment to identify what needs reviewing, and governed by policies that assume a workflow no system is actually enforcing.

A refresh process that functions requires three things: the TM platform or CRM can generate a refresh queue automatically based on tier and last-review date; ownership of that queue sits with a named function; and completion rates are reported to BSA/AML oversight on a defined cadence. Without all three, the backlog isn't a one-time event; it's a recurring condition.
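The first and third of those requirements, together with the examiner checks listed above (High-risk ratings unchanged 18 months or longer, a whole segment at the same vintage, trigger events with no follow-up review, a review date that moved without the EDD file moving), as an added example in Python. This is not code from the newsletter or from any bank's TM or CRR platform. The per-tier review intervals, the 18-month staleness threshold, the event type names, the record layout and the sample customers are all constructed assumptions for illustration; a real implementation would read from the CRR system of record and the TM event feed.

```python
"""Refresh-queue generation and examiner-style checks for a CRR population.

Added example; not from any bank, vendor, or the newsletter. All intervals,
field names, event types and sample customers below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from collections import Counter

# Assumed policy: the article says annual for High is common and biennial
# or longer for lower tiers. Illustrative values, not a regulatory standard.
REVIEW_INTERVAL_DAYS = {"High": 365, "Medium": 730, "Low": 1095}

# Assumed names for the event-driven triggers the article lists.
TRIGGER_EVENTS = {"SAR_FILED", "ADVERSE_MEDIA", "BUSINESS_CHANGE",
                  "ACTIVITY_OUTSIDE_EXPECTED"}

# Examiner heuristic from the article: High-risk rating unchanged 18+ months.
STALE_HIGH_DAYS = 548


@dataclass
class Customer:
    cust_id: str
    tier: str
    segment: str
    last_review: date                  # date the CRR was last refreshed
    edd_updated: Optional[date]        # last EDD file update; None if nothing on file
    events: list = field(default_factory=list)  # (date, event_type) from TM/screening


def refresh_queue(customers, as_of):
    """Return (cust_id, reason) pairs that belong in the refresh queue."""
    queue = []
    for c in customers:
        limit = REVIEW_INTERVAL_DAYS[c.tier]
        days_since = (as_of - c.last_review).days
        # Periodic track: last review older than the tier's policy interval.
        if days_since > limit:
            queue.append((c.cust_id, f"periodic overdue: {days_since}d since review, "
                                     f"{c.tier} limit {limit}d"))
        # Event track: trigger dated after the last review, so never closed out.
        open_events = sorted(t for d, t in c.events
                             if t in TRIGGER_EVENTS and d > c.last_review)
        if open_events:
            queue.append((c.cust_id, "event-driven open: " + ",".join(open_events)))
        # "Paper refresh": review date moved but the High-risk EDD file did not.
        if c.tier == "High" and (c.edd_updated is None or c.edd_updated < c.last_review):
            queue.append((c.cust_id, "paper refresh: EDD file older than last review"))
    return queue


def examiner_findings(customers, as_of):
    """Two population-level checks an examiner runs on the pulled refresh data."""
    findings = {"high_stale_18m": sorted(
        c.cust_id for c in customers
        if c.tier == "High" and (as_of - c.last_review).days >= STALE_HIGH_DAYS)}
    by_segment = {}
    for c in customers:
        by_segment.setdefault(c.segment, []).append(c.last_review)
    # Same vintage: every rating in a multi-customer segment carries one identical,
    # year-old review date, the signature of a batch that ran once.
    findings["same_vintage_segments"] = sorted(
        seg for seg, dates in by_segment.items()
        if len(dates) > 1 and len(set(dates)) == 1 and (as_of - dates[0]).days > 365)
    return findings


def completion_metrics(customers, as_of):
    """Per-tier share of customers with nothing open in the queue (oversight report)."""
    totals = Counter(c.tier for c in customers)
    in_queue = {cid for cid, _ in refresh_queue(customers, as_of)}
    return {tier: round(1 - sum(1 for c in customers
                                if c.tier == tier and c.cust_id in in_queue) / n, 2)
            for tier, n in totals.items()}


# Constructed sample population (not real customers). as_of matches the issue date.
AS_OF = date(2026, 5, 12)
SAMPLE_CUSTOMERS = [
    Customer("C001", "High", "correspondent", date(2025, 9, 1), date(2025, 9, 1)),
    Customer("C002", "High", "correspondent", date(2024, 6, 15), date(2024, 6, 15),
             [(date(2025, 11, 3), "SAR_FILED")]),          # overdue AND open SAR
    Customer("C003", "Medium", "retail", date(2023, 3, 1), None,
             [(date(2024, 1, 10), "ADVERSE_MEDIA")]),      # overdue AND open hit
    Customer("C004", "Low", "smb_batch", date(2022, 1, 31), None),
    Customer("C005", "Low", "smb_batch", date(2022, 1, 31), None),
    Customer("C006", "Low", "smb_batch", date(2022, 1, 31), None),  # same vintage
    Customer("C007", "High", "trusts", date(2026, 2, 20), date(2024, 2, 20)),  # paper refresh
    Customer("C008", "Low", "retail", date(2025, 10, 1), None),
    Customer("C009", "Medium", "retail", date(2025, 1, 15), None,
             [(date(2024, 12, 1), "SAR_FILED")]),          # SAR predates review: closed
]

if __name__ == "__main__":
    for cid, reason in refresh_queue(SAMPLE_CUSTOMERS, AS_OF):
        print(cid, reason)
    print(examiner_findings(SAMPLE_CUSTOMERS, AS_OF))
    print(completion_metrics(SAMPLE_CUSTOMERS, AS_OF))
```

The C009 record is the case the loop-closing logic has to get right: a SAR that was filed before the most recent review is not an open trigger, so it stays out of the queue, while C002's SAR, filed after its last review, stays open until someone refreshes the rating. The completion figures are what the article means by a reportable cadence: one number per tier, computed from the same queue the analysts work, rather than from a policy document.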

A stale CRR population is evidence that the refresh process was never operationalized, not that it fell behind. That's a harder conversation than explaining a backlog.

Source: FinCEN Customer Due Diligence Requirements for Financial Institutions, Final Rule (compliance date May 11, 2018) | FFIEC BSA/AML Examination Manual, Customer Due Diligence and Customer Identification Program sections (2020)

SECTION 3: Intelligence Briefing

INTELLIGENCE BRIEFING

FinCEN — Since January 2025, FinCEN's Rapid Response Program has facilitated the interdiction of more than $268 million in stolen funds on behalf of U.S. victims, bringing the program's total to over $1.8 billion since inception. The RRP operates as a partnership between FinCEN, U.S. law enforcement, and foreign counterparts to help cyber-enabled fraud victims and their financial institutions recover funds sent abroad. For compliance teams, the program is a practical resource: institutions that identify outbound fraud transfers quickly can engage FinCEN through law enforcement to trigger an interdiction request before funds move beyond reach. Speed of detection and internal escalation determines whether recovery is possible.

Source: FinCEN, "FinCEN's Rapid Response Program Interdicts Nearly $2 Billion on Behalf of U.S. Cyber-Enabled Fraud Victims," April 15, 2026.

OFAC — OFAC updated the identifiers for Kovay Gardens, a Mexican timeshare resort designated in February 2026 for operating on behalf of the Cartel de Jalisco Nueva Generacion (CJNG) under E.O. 14059 and E.O. 13224. The entity is now presenting under two aliases: Navira Villas & Residences and Marina Oasis Beachfront Resort. For sanctions screening programs, alias changes are the mechanism designated entities most commonly use to continue operating after designation; a screen that catches Kovay Gardens but misses the new names has a gap. Institutions with any exposure to Mexican hospitality or timeshare sectors should confirm their screening lists reflect the updated identifiers.

Source: OFAC, Counter Terrorism and Counter Narcotics Designation Update, May 8, 2026.

SECTION 4: From the Source

FROM THE SOURCE

"The bank's [customer due diligence] program must include risk-based procedures for conducting ongoing customer due diligence, to include: (i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information."

— FinCEN CDD Final Rule, 31 CFR § 1020.210(b)(5), compliance date May 11, 2018

The phrase "on a risk basis" is doing significant regulatory work in that sentence. FinCEN isn't prescribing a specific refresh frequency; it's requiring banks to document their own risk-based rationale for how often each customer tier gets reviewed, then demonstrate that the process runs as documented. The exam finding isn't usually "you reviewed high-risk customers annually instead of quarterly." It's "your policy says annual, and 34% of your high-risk customers haven't been reviewed in 26 months." The standard you write is the standard you'll be held to.

SECTION 5: CTA Block

If someone forwarded this to you, welcome.

The AML Brief goes out every Tuesday. Subscribe for free:
[Subscribe → theamlbrief.com]

Already subscribed? Forward this to one colleague who works in financial crimes. That's how we grow.

The AML Brief | theamlbrief.com/posts

Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.
