High-Risk Clients: Designing a Client Risk Assessment That Actually Drives Decisions
 

All firms have a client risk assessment (CRA). Fewer have one that works effectively. The gap between a CRA that’s a checklist and one that genuinely shapes how you manage a client relationship is almost entirely a design question, not a resourcing one.

Sword and shield
 
The CRA does two jobs simultaneously. It is your shield: documented evidence that you assessed the risk, applied your framework, and made a reasoned decision. It is also your sword: the tool that tells you what level of attention a relationship actually warrants and gives you the commercial and regulatory authority to act on that.

A CRA that only does the shield job is a liability dressed as an asset. It protects you in the narrow sense of showing that a process was followed, but it tells you nothing useful about how to manage the relationship, and it will not hold up well under scrutiny if the process it documents is perfunctory. The sword matters as much as the shield.

The moment of highest risk and greatest control
 
Onboarding is the point at which your exposure is highest. You cannot control who approaches you for services. A prospective client with complex ownership, opaque source of wealth, or connections to higher-risk jurisdictions does not announce themselves as such. They present as a business opportunity, and it is your CRA that has to do the work of identifying what you are actually taking on.

It is also the point at which your control is greatest. You set the parameters on whether you accept the business at all, and on what terms. The management framework you put in place at onboarding is what insulates you from whatever risk that client brings in. Once the relationship is established, your options narrow. At the point of onboarding, they are at their widest.

That tension between maximum exposure and maximum control is exactly what a well-designed CRA is built to navigate. Done well, it makes onboarding faster and cleaner for low-risk clients and defensible for high-risk ones. Done badly, it does neither.

Starting from higher risk
 
The Handbook is now explicit that it is prudent to start from a position of higher risk and mitigate down, rather than starting neutral and escalating. For firms that built their CRAs the other way around, that is worth sitting with.

Starting from higher risk produces a more honest assessment because it forces you to actively justify a lower rating rather than passively accepting a neutral one. The question becomes not whether there is anything here that worries you, but what tells you this relationship is lower risk than your default position. That is a meaningfully different exercise, and it tends to surface things that the neutral-start approach misses.

Risk factors that matter, and the gaps they leave
 
The most common CRA failure is a long list of equally weighted risk factors that produces a score nobody trusts and everyone ignores. What makes a risk factor meaningful is that it changes what you do. Geography, ownership complexity, source of wealth opacity, sector exposure and introducer reliance are the factors that consistently move the dial in practice. Your CRA should be built around factors with that kind of operational consequence, not around exhaustive coverage of every theoretical risk category.

But objective risk factors only take you so far. Do not expect a CRA to capture everything. Background information that is highly relevant to risk does not stop being relevant just because the form did not ask for it. If you know something, it belongs in the assessment. The CRA is a framework for organising your thinking, not a permission slip for ignoring what you already know.

A client whose story has shifted between meetings, whose introducer is pressing harder than the circumstances seem to warrant, or whose explanation of their wealth does not quite cohere with what you know of their background has told you something. That subjective intelligence should have a home in your assessment and should be able to push a rating higher even when the boxes do not demand it.

Ratings that drive behaviour
 
The CRA rating should determine monitoring frequency, enhanced due diligence (EDD) triggers, review timelines and escalation thresholds. If your high-risk rating produces the same file review schedule as your medium rating, the rating is decorative.

A word on calibration. Starting from a position of higher risk does not mean everyone ends up at higher risk. A CRA that rates every client as high risk is not a cautious approach. It is a red flag to the regulator that you do not understand the risk-based approach. The framework should produce a spread of ratings that reflects your actual client base. If it doesn’t, the problem is in the design, not the clients.

Knowing when to say no
 
The CRA is the mechanism through which your risk appetite operates in practice. Defining a risk appetite is straightforward enough; applying it consistently at the point of onboarding is where it either means something or it does not.

A firm that never declines business on risk grounds either has no high-risk clients or has a CRA that is not working. Saying no is not a compliance failure. It is not a commercial failure either, though it can feel like one in the moment. It is the framework functioning exactly as designed: you assessed the risk, you concluded it exceeded what your business is built to manage, and you acted on that conclusion. That is what risk appetite is for.

Designing for the real world
 
A well-designed CRA is not more work. It’s the same work, better directed. The firms that get this right spend less time on low-risk clients because their CRA tells them clearly that less is appropriate. They have better, more structured conversations with high-risk clients because the CRA has already identified what needs to be established and why. And when the regulator asks how they manage their highest-risk relationships, they have a clear, documented answer that reflects what they actually do.

That combination of clarity, proportionality and operational usefulness is what a CRA is supposed to deliver. If yours is not delivering it, the design is worth revisiting.