Client risk assessment for AML compliance
Every client onboarding requires a risk decision. Certivus gives you a structured framework to assess, record, and evidence your client risk ratings — with clear Low, Medium, High, and EDD categories.
Includes 2 free checks · No credit card required
TL;DR — Quick Summary
- Structured Low, Medium, High, and EDD risk ratings for every client
- Evidence trail for every decision — timestamps, factors considered, and outcome
- HMRC-ready risk records exportable as PDF at any time
- Works alongside KYC, CDD, and PEP and sanctions screening workflows
Answer-first summary
What is client risk assessment in AML compliance?
Client risk assessment is the regulatory requirement to evaluate the money laundering and terrorist financing risk each client presents before onboarding and throughout the relationship. Under the Money Laundering Regulations 2017, UK-regulated accountants and law firms must assess risk based on client type, geography, business activity, transaction patterns, and PEP or sanctions status. The outcome determines whether standard CDD or Enhanced Due Diligence applies. Certivus structures this process with a consistent framework and keeps the evidence automatically.
- Required for all clients — the level of scrutiny varies, not the obligation to assess
- Must be documented and kept up to date throughout the client relationship
- Certivus stores risk decisions with full evidence trails, ready for HMRC or supervisor review
The five risk factors every firm must consider
Client type and industry
Certain business types carry inherently higher money laundering risk. Cash-intensive businesses, complex corporate structures, and high-risk sectors all require more scrutiny at onboarding and during ongoing review.
Geography and jurisdiction
Clients with connections to high-risk third countries, offshore structures, or jurisdictions with weak AML oversight represent an elevated risk profile that must be captured and evidenced.
Transaction patterns
Unusual transaction volumes, irregular payment structures, or activity inconsistent with the client's stated business profile are key indicators that inform ongoing risk monitoring.
PEP or sanctions matches
A politically exposed person (PEP) match or a sanctions hit automatically elevates the risk rating. PEPs require enhanced due diligence and ongoing monitoring as a regulatory minimum. Screening hits should first be resolved against the client's identity data, since name matching produces false positives; a confirmed sanctions match is more than a risk factor, because it triggers asset-freeze and reporting obligations that take precedence over onboarding.
Business relationship complexity
Complex ownership chains, multiple beneficial owners, trusts, or unusual relationship structures add risk that must be documented and factored into the overall client risk score.
Four risk levels — clear, consistent, defensible
Low
Standard customer due diligence applies. The client presents no significant risk indicators. Ongoing monitoring at standard frequency.
Medium
Standard CDD with closer monitoring. One or more risk factors present — the relationship requires more frequent review and attention.
High
Heightened scrutiny required. Multiple risk factors or a single significant indicator. Detailed evidence and senior sign-off recommended.
Enhanced Due Diligence
Mandatory for PEPs, high-risk third country connections, and the highest-risk profiles. Requires additional source of funds/wealth evidence and ongoing enhanced monitoring.
A four-step risk assessment workflow
Gather client information
Collect identity documents, beneficial ownership details, business type, jurisdiction, and source of funds. Certivus guides you through what to capture for each client type.
Apply risk criteria
Certivus applies your firm's risk framework across the five key factors — client type, geography, transaction patterns, PEP/sanctions status, and relationship complexity.
Assign risk rating
The platform surfaces a risk-rated outcome: Low, Medium, High, or EDD. The responsible person reviews the factors and confirms or adjusts the final rating.
Document and evidence the decision
Every decision is logged with a timestamp, the factors considered, and any supporting evidence. The record is stored securely and exportable for audit purposes.
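The four steps above, as an added illustration of how a rule-based rater can apply the five factors, enforce the mandatory EDD triggers, record the responsible person's confirmation or override, and emit the evidence record. This is example code written for this page, not Certivus code: the factor names, weights, thresholds and the placeholder country and sector lists are assumptions standing in for a firm's own risk framework.

```python
"""Illustrative four-level AML client risk rater with an evidence record.

Added example, not Certivus code. Factor weights, thresholds and the
policy lists are assumptions standing in for a firm's own framework.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

RATINGS = ("Low", "Medium", "High", "EDD")


@dataclass(frozen=True)
class ClientProfile:
    client_id: str
    client_type: str                 # "individual", "company", "trust", ...
    sector: str
    jurisdictions: tuple             # ISO 3166 codes connected to the client
    pep_match: bool = False
    sanctions_match: bool = False    # a confirmed match, not a raw name hit
    unusual_transactions: bool = False
    beneficial_owners: int = 1
    layered_ownership: bool = False  # ownership through intermediate entities


@dataclass(frozen=True)
class FirmPolicy:
    """The firm's own framework; values passed in are constructed placeholders."""
    high_risk_countries: frozenset
    high_risk_sectors: frozenset
    cash_intensive_sectors: frozenset
    many_owners_threshold: int = 3


@dataclass
class RiskDecision:
    client_id: str
    suggested_rating: str
    edd_mandatory: bool
    factors: list                    # (factor, weight, detail) tuples
    assessed_at: str
    final_rating: str = None
    reviewer: str = None
    rationale: str = None
    confirmed_at: str = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def assess(client: ClientProfile, policy: FirmPolicy) -> RiskDecision:
    """Step 2: apply the five factors; weight 2 = significant indicator, 1 = ordinary."""
    factors = []
    mandatory = False
    # 1. Client type and industry
    if client.sector in policy.high_risk_sectors:
        factors.append(("client_type", 2, f"high-risk sector: {client.sector}"))
    elif client.sector in policy.cash_intensive_sectors:
        factors.append(("client_type", 1, f"cash-intensive sector: {client.sector}"))
    if client.client_type == "trust":
        factors.append(("client_type", 1, "trust structure"))
    # 2. Geography: any high-risk third country connection mandates EDD
    hits = sorted(set(client.jurisdictions) & policy.high_risk_countries)
    if hits:
        factors.append(("geography", 2, "high-risk third country: " + ",".join(hits)))
        mandatory = True
    # 3. Transaction patterns
    if client.unusual_transactions:
        factors.append(("transactions", 2, "activity inconsistent with stated profile"))
    # 4. PEP / sanctions: PEP mandates EDD; a confirmed sanctions match must also
    #    be escalated as a freeze/report event, which this rater does not model
    if client.pep_match:
        factors.append(("pep", 2, "politically exposed person"))
        mandatory = True
    if client.sanctions_match:
        factors.append(("sanctions", 2, "confirmed sanctions designation"))
        mandatory = True
    # 5. Relationship complexity
    if client.layered_ownership:
        factors.append(("complexity", 1, "layered ownership chain"))
    if client.beneficial_owners >= policy.many_owners_threshold:
        factors.append(("complexity", 1, f"{client.beneficial_owners} beneficial owners"))

    if mandatory:
        rating = "EDD"
    elif len(factors) >= 2 or any(w == 2 for _, w, _ in factors):
        rating = "High"   # multiple factors or a single significant indicator
    elif factors:
        rating = "Medium"
    else:
        rating = "Low"
    return RiskDecision(client.client_id, rating, mandatory, factors, _now())


def confirm(decision: RiskDecision, reviewer: str, final_rating: str,
            rationale: str) -> RiskDecision:
    """Step 3: the responsible person confirms or adjusts; mandatory EDD cannot be lowered."""
    if final_rating not in RATINGS:
        raise ValueError(f"unknown rating {final_rating!r}")
    if decision.edd_mandatory and final_rating != "EDD":
        raise ValueError("EDD is mandatory for this client and cannot be overridden")
    if final_rating != decision.suggested_rating and not rationale.strip():
        raise ValueError("adjusting the rating requires a written rationale")
    decision.final_rating = final_rating
    decision.reviewer = reviewer
    decision.rationale = rationale
    decision.confirmed_at = _now()
    return decision


def evidence_record(decision: RiskDecision) -> str:
    """Step 4: the JSON record to store and export; refuses unconfirmed decisions."""
    if decision.final_rating is None:
        raise ValueError("decision has not been confirmed by the responsible person")
    return json.dumps(asdict(decision), sort_keys=True)
```

The two invariants worth copying into any real implementation are in `confirm`: a regulatory trigger (PEP, high-risk third country, confirmed sanctions match) can never be rated down by a reviewer, and any deviation from the suggested rating must carry a written rationale, so the exported record shows both what the framework produced and why the responsible person departed from it.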
Compliance notice: Certivus supports your risk assessment workflow. Final compliance decisions — including the risk rating assigned to each client — remain with the authorised person or firm. Certivus does not provide legal or compliance advice.
Questions about client risk assessment
What is client risk assessment in AML compliance?
Client risk assessment is the process of evaluating the money laundering and terrorist financing risk posed by each individual client before and during the business relationship. UK-regulated firms must assess risk based on factors such as client type, jurisdiction, business activity, transaction patterns, and PEP or sanctions exposure. The assessment determines the level of due diligence required — standard CDD or enhanced due diligence (EDD) — and must be kept up to date throughout the relationship.
What are the risk levels in Certivus?
Certivus uses four risk levels: Low (standard CDD required), Medium (standard CDD with closer monitoring), High (heightened scrutiny and closer review required), and Enhanced Due Diligence (EDD — the highest level, triggered by PEP matches, sanctions exposure, or other significant risk factors). Each level determines the appropriate CDD workflow and monitoring frequency.
What is Enhanced Due Diligence?
Enhanced Due Diligence (EDD) is the most stringent level of client scrutiny under the Money Laundering Regulations 2017. It is mandatory for politically exposed persons (PEPs), clients with connections to high-risk third countries, and any situation where the risk of money laundering or terrorist financing is assessed as high. EDD requires gathering additional information about the client, their source of funds and wealth, and the purpose of the business relationship.
How often should risk assessments be updated?
Risk assessments should be reviewed on a risk-sensitive basis. For low-risk clients, annual review is typically sufficient. For medium and high-risk clients, more frequent reviews are appropriate — especially if there are changes in the client's circumstances, transaction patterns, or ownership. PEP and sanctions screening should run continuously. Certivus lets you schedule re-verification reminders and flags when a review is due.
Does Certivus handle the whole CDD process?
Certivus supports the full CDD workflow — identity verification, beneficial ownership checks, PEP and sanctions screening, risk scoring, and risk assessment evidence. The platform structures the process and keeps the evidence, but the responsible person at the firm retains ownership of compliance decisions. Certivus does not replace professional judgement or the firm's AML policies.
Related reading
What is CDD?
How risk assessment fits into the full Customer Due Diligence process.
AML compliance for accountants
The full AML framework — client intake, KYC, risk review, and record keeping.
CDD software
Certivus structures CDD into a clear workflow with evidence capture at every step.
AML software for MLROs
Give compliance owners visibility over every risk decision across the practice.