Case Study 10.1: Maya's Risk Rating Rebuild — From Static Scores to Dynamic Monitoring
The Situation
Organization: Verdant Bank (fictional UK challenger bank)
Maya's challenge: Rebuilding the customer risk rating methodology after a near-miss enforcement incident
Timeline: Q1 2022 — Q4 2022
Context: In late 2021, an FCA-prompted review of Verdant's AML program revealed that the risk rating system had a critical design flaw: ratings assigned at onboarding were not systematically updated unless triggered by a specific analyst action.
The Near-Miss That Triggered the Rebuild
In Q4 2021, Verdant's new transaction monitoring system (implemented post-Chapter 7) surfaced an account that had accumulated 22 monitoring alerts over a 6-month period — all of which had been closed by analysts because the customer's risk rating was "Low Risk" and the account activity appeared to be explained by their declared business purpose ("construction subcontracting").
A senior compliance officer conducting a random quality review selected one of the closed alerts. The account belonged to a construction subcontracting company that had been rated "Low Risk" at onboarding in 2020. By 2021, the account was processing approximately £340,000 per month in receipts from multiple customers and making rapid outbound payments to suppliers. The pattern was consistent with legitimate subcontracting — but it was also consistent with the company serving as a pass-through vehicle.
The investigation that followed revealed: the declared customer (a legitimate sole director) had introduced the account to three associates who were apparently using it to process payments from their own undisclosed businesses. The account was being used as a pooled payment vehicle for multiple parties — a material deviation from the declared business purpose.
The regulatory risk: the account had processed approximately £4.2 million while rated "Low Risk" and monitored against low-risk thresholds. Had it been rated "Medium Risk" or higher, the monitoring thresholds would have been more sensitive and the pattern would have generated alerts sooner.
Verdant ultimately filed a SAR and notified the FCA of the incident. The FCA's response was a requirement to conduct a review of the risk rating methodology and remediate systemic gaps within 180 days.
The Methodology Review
Maya commissioned an external review of Verdant's risk rating methodology. The review found four systemic gaps:
Gap 1: No behavioral input to risk rating
The risk rating model used nine factors: entity type, nationality, country of residence, PEP status, adverse media status, industry, products, declared business purpose, and account age. All nine were assessed at onboarding. None were updated based on transaction behavior.
There was no mechanism for the risk rating to change in response to the account's actual behavior — only in response to explicitly triggered analyst actions (annual account review, new product request, customer-initiated changes).
Gap 2: Alert closure did not feed back into risk rating
When analysts closed transaction monitoring alerts, the closure was documented in the alert management system but did not update or flag the customer's risk rating. A customer generating five alerts per month, all of which were closed, appeared identical in the risk rating system to a customer generating no alerts at all.
Gap 3: Insufficient differentiation within "Low Risk"
35% of Verdant's customer base was rated "Low Risk." Within this cohort, there was significant variation in risk profile — a retired individual with a single domestic current account was rated identically to a small business using three accounts with some international activity. The lack of within-tier differentiation meant that monitoring thresholds were the same for both.
Gap 4: No senior management review of monitoring-dense accounts
There was no process for escalating to senior management when a customer generated a consistently high volume of alerts across a sustained period — even if individual alerts were being closed as false positives. The construction subcontracting account had generated 22 alerts in 6 months without any escalation review.
The Rebuild: Four Design Changes
Design Change 1: Behavioral Factor Integration
Maya's team added three behavioral factors to the risk rating model, updated monthly from transaction data:
- Alert rate factor: Number of monitoring alerts generated in the prior 3 months / average for the customer's industry segment. Score: 1× average = LOW; 2–3× = MEDIUM; >3× = HIGH.
- Transaction pattern deviation: Comparison of current 3-month transaction pattern (volume, counterparty types, geographic spread) against the customer's established baseline. Significant deviation = MEDIUM trigger; material deviation = HIGH trigger.
- Cash intensity: Cash as a percentage of total transaction volume, compared to peer group average. Significantly above average = MEDIUM; materially above = HIGH.
Each behavioral factor fed into the monthly risk rating recalculation. The overall rating was updated monthly, not just at review cycles.
Design Change 2: Alert Volume Escalation
A new escalation rule: any customer generating more than 8 monitoring alerts in a rolling 30-day period would be automatically referred to a senior compliance officer for an account review — regardless of whether individual alerts had been closed.
The threshold (8 alerts) was calibrated against historical data: it was above the 99th percentile for Verdant's customer population. Any account consistently at or above this threshold represented statistical outlier behavior warranting senior review.
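The escalation rule and its calibration check, written out as an added example (this is illustrative code, not Verdant's or the book's). The alert records, their dates and the historical distribution of per-customer peak counts are all constructed; the percentile method (nearest rank) and the field names are assumptions. The important behaviour is that closed alerts count exactly like open ones, which is what closes Gap 2 for this rule.

```python
import math
from collections import defaultdict
from datetime import date, timedelta

ESCALATION_THRESHOLD = 8   # case study: more than 8 alerts in a rolling 30-day period
WINDOW_DAYS = 30


def _series(customer, start, count, step_days, status):
    """Constructed alert records (customer_id, alert_date, status) at a fixed spacing."""
    return [(customer, start + timedelta(days=i * step_days), status) for i in range(count)]


# Constructed sample alerts, not real data:
#   C-1001: 9 alerts on consecutive days, every one closed by an analyst
#   C-1002: 9 alerts spread 10 days apart, never more than 3 in any 30-day window
#   C-1003: 8 alerts in 15 days, exactly at the threshold (the rule requires more than 8)
SAMPLE_ALERTS = (
    _series("C-1001", date(2022, 3, 1), 9, 1, "closed")
    + _series("C-1002", date(2022, 1, 1), 9, 10, "closed")
    + _series("C-1003", date(2022, 3, 1), 8, 2, "open")
)


def rolling_alert_counts(alerts, window_days=WINDOW_DAYS, include_closed=True):
    """Peak number of alerts per customer in any window of `window_days` consecutive days.
    Closed alerts count unless include_closed is False, which reproduces the pre-rebuild gap."""
    by_customer = defaultdict(list)
    for customer, alert_date, status in alerts:
        if include_closed or status != "closed":
            by_customer[customer].append(alert_date)
    peaks = {}
    for customer, dates in by_customer.items():
        dates.sort()
        start, best = 0, 0
        for end, d in enumerate(dates):
            # Drop alerts that fall outside the window ending on this alert's date.
            while d - dates[start] >= timedelta(days=window_days):
                start += 1
            best = max(best, end - start + 1)
        peaks[customer] = best
    return peaks


def customers_to_escalate(alerts, threshold=ESCALATION_THRESHOLD, include_closed=True):
    """Customers to refer to a senior compliance officer: peak window count above the threshold."""
    peaks = rolling_alert_counts(alerts, include_closed=include_closed)
    return sorted(c for c, n in peaks.items() if n > threshold)


def percentile(values, p):
    """Nearest-rank p-th percentile of a list of numbers (p between 0 and 100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def threshold_is_outlier(historical_peaks, threshold, p=99):
    """Calibration check from the case: the threshold should sit above the p-th percentile
    of historical per-customer peak window counts."""
    return threshold > percentile(historical_peaks, p)


# Constructed distribution of 200 customers' historical peak 30-day alert counts.
HISTORICAL_PEAKS = [0] * 120 + [1] * 50 + [2] * 20 + [3] * 6 + [5] * 2 + [7] + [12]

if __name__ == "__main__":
    print(rolling_alert_counts(SAMPLE_ALERTS))
    print("escalate:", customers_to_escalate(SAMPLE_ALERTS))
    print("escalate (open alerts only):", customers_to_escalate(SAMPLE_ALERTS, include_closed=False))
    print("99th percentile:", percentile(HISTORICAL_PEAKS, 99),
          "threshold is outlier:", threshold_is_outlier(HISTORICAL_PEAKS, ESCALATION_THRESHOLD))
```

Running it with `include_closed=False` shows why the old design missed the subcontracting account: C-1001's nine closed alerts disappear and nothing escalates, while the same data with closures counted refers C-1001 for senior review. C-1003 sits at exactly eight and is not referred, so the strict "more than 8" reading of the rule matters when the threshold is documented.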
Design Change 3: Risk Rating Granularity
Maya replaced the three-tier system (Low/Medium/High) with a five-tier system:
Tier 1 (Very Low): Individuals, low-risk jurisdiction, no adverse media, no PEP, domestic activity only. Standard monitoring, 36-month review.
Tier 2 (Low): Individuals with some international exposure, or small businesses with domestic activity. Slightly enhanced monitoring, 24-month review.
Tier 3 (Medium): Companies with mixed jurisdiction exposure, sole traders with international activity, individuals with moderate adverse media. Enhanced monitoring, 12-month review.
Tier 4 (High): Companies in high-risk industries, trust structures, foreign companies, PEP-adjacent. EDD, 6-month review.
Tier 5 (Very High): Current PEPs, confirmed adverse media, high-risk jurisdictions, complex structures. Full EDD, senior management oversight, 3-month review.
Design Change 4: Monthly Behavioral Review for Tier 3+
For all Tier 3, Tier 4, and Tier 5 customers, Maya implemented a monthly automated behavioral review:
- System pulls current 30-day transaction data
- Compares against established baseline
- Calculates behavioral factor scores
- If behavioral factors indicate risk increase: auto-escalate to analyst review; recommend rating upgrade
- If behavioral factors stable: auto-confirm current rating; document in compliance system
For Tier 1 and Tier 2, the monthly behavioral review ran but only escalated if behavioral factors significantly deteriorated.
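The three behavioral factors from Design Change 1 and the tier-dependent monthly review from Design Change 4, combined into one added example (illustrative code, not Verdant's or the book's). The `Profile` fields, the sample customers and their figures are constructed; the case only gives cut-offs for the alert rate factor, so the multipliers used for "significant" and "material" pattern deviation and cash intensity are assumptions, as is the reading of "significantly deteriorated" for Tier 1 and 2 as a HIGH factor. Factor windows follow Design Change 1 (prior 3 months).

```python
from dataclasses import dataclass, replace

LEVELS = ("LOW", "MEDIUM", "HIGH")   # factor levels, least to most concerning


@dataclass(frozen=True)
class Profile:
    """Inputs for one customer's monthly review (constructed field names, not Verdant's schema)."""
    customer_id: str
    tier: int                       # 1..5 from the five-tier model
    alerts_3m: int                  # monitoring alerts in the prior 3 months
    industry_avg_alerts_3m: float   # average for the customer's industry segment
    volume_3m: float                # total transaction volume (GBP), current 3 months
    baseline_volume_3m: float       # established baseline over the same window length
    counterparty_types: frozenset   # e.g. {"supplier", "client"}
    baseline_counterparty_types: frozenset
    countries: frozenset            # counterparty countries
    baseline_countries: frozenset
    cash_volume_3m: float           # cash in/out (GBP), current 3 months
    peer_cash_share: float          # peer-group average cash share of volume


def alert_rate_level(alerts, industry_avg):
    """Case cut-offs: ~1x average = LOW, 2-3x = MEDIUM, >3x = HIGH.
    The unstated 1x-2x band is treated as LOW (assumption)."""
    if industry_avg <= 0:
        return "HIGH" if alerts else "LOW"
    ratio = alerts / industry_avg
    return "HIGH" if ratio > 3 else "MEDIUM" if ratio >= 2 else "LOW"


def pattern_deviation_level(p):
    """Current 3-month pattern vs. baseline on volume, counterparty mix and geography.
    Assumed cut-offs: one changed dimension = significant (MEDIUM); volume more than
    2.5x baseline, or two or more changed dimensions = material (HIGH)."""
    if p.baseline_volume_3m:
        vol_change = abs(p.volume_3m - p.baseline_volume_3m) / p.baseline_volume_3m
    else:
        vol_change = 1.0 if p.volume_3m else 0.0
    signals = int(vol_change > 0.5)
    signals += bool(p.counterparty_types - p.baseline_counterparty_types)  # new counterparty types
    signals += bool(p.countries - p.baseline_countries)                    # new countries
    if vol_change > 1.5 or signals >= 2:
        return "HIGH"
    return "MEDIUM" if signals else "LOW"


def cash_intensity_level(cash, total, peer_share):
    """Cash share of volume vs. peer average. Assumed multipliers:
    >1.5x peer = significantly above (MEDIUM), >2.5x peer = materially above (HIGH)."""
    share = cash / total if total else 0.0
    return "HIGH" if share > 2.5 * peer_share else "MEDIUM" if share > 1.5 * peer_share else "LOW"


def monthly_review(p):
    """Design Change 4: score the three factors, then apply the tier-dependent rule.
    Tier 3+ escalates on any sign of risk increase; Tier 1-2 only on a HIGH factor."""
    factors = {
        "alert_rate": alert_rate_level(p.alerts_3m, p.industry_avg_alerts_3m),
        "pattern_deviation": pattern_deviation_level(p),
        "cash_intensity": cash_intensity_level(p.cash_volume_3m, p.volume_3m, p.peer_cash_share),
    }
    worst = max(factors.values(), key=LEVELS.index)
    escalate = worst != "LOW" if p.tier >= 3 else worst == "HIGH"
    return {"customer_id": p.customer_id, "tier": p.tier, "factors": factors, "worst": worst,
            "action": "ESCALATE_TO_ANALYST" if escalate else "AUTO_CONFIRM",
            "recommend_upgrade": escalate and p.tier < 5}


def review_as_tier(p, tier):
    """Re-run the same profile at a different tier to show the tier-dependent rule."""
    return monthly_review(replace(p, tier=tier))


# Constructed sample profiles; the figures are illustrative.
SAMPLE_PROFILES = [
    # Tier 2 subcontractor whose account has become a pooled pass-through vehicle.
    Profile("C-2001", 2, alerts_3m=11, industry_avg_alerts_3m=2.5,
            volume_3m=1_020_000, baseline_volume_3m=180_000,
            counterparty_types=frozenset({"supplier", "client", "third_party_receipts"}),
            baseline_counterparty_types=frozenset({"supplier", "client"}),
            countries=frozenset({"GB"}), baseline_countries=frozenset({"GB"}),
            cash_volume_3m=0, peer_cash_share=0.05),
    # Tier 3 trading company whose activity matches its baseline.
    Profile("C-3002", 3, alerts_3m=2, industry_avg_alerts_3m=2.5,
            volume_3m=200_000, baseline_volume_3m=190_000,
            counterparty_types=frozenset({"supplier", "client"}),
            baseline_counterparty_types=frozenset({"supplier", "client"}),
            countries=frozenset({"GB", "IE"}), baseline_countries=frozenset({"GB", "IE"}),
            cash_volume_3m=10_000, peer_cash_share=0.04),
    # Tier 1 retired individual with one alert against a low segment average.
    Profile("C-1003", 1, alerts_3m=1, industry_avg_alerts_3m=0.5,
            volume_3m=6_000, baseline_volume_3m=5_800,
            counterparty_types=frozenset({"retail", "utilities"}),
            baseline_counterparty_types=frozenset({"retail", "utilities"}),
            countries=frozenset({"GB"}), baseline_countries=frozenset({"GB"}),
            cash_volume_3m=400, peer_cash_share=0.06),
]

if __name__ == "__main__":
    for profile in SAMPLE_PROFILES:
        print(monthly_review(profile))
```

The third profile is the instructive one: a single alert against a segment average of 0.5 scores MEDIUM on the alert rate factor, which auto-confirms at Tier 1 but would escalate to an analyst at Tier 3. That asymmetry is what the case describes, and it is also where calibration bites, since a low segment average makes the ratio jump on very few alerts.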
Implementation: Technical and Human Challenges
Technical challenge: Integrating the monthly behavioral review with the customer risk rating system required data engineering work — the transaction monitoring system and the CRR system had separate data models that had never been connected. Maya's team spent six weeks on the integration, involving three vendor systems and an internal data warehouse.
Human challenge: The enhanced monitoring for Tier 3+ customers increased alert volume for that cohort by approximately 35%. Maya had to train analysts on the new tiered review process — explaining why a Tier 3 alert was handled differently from a Tier 4 alert.
Calibration challenge: Setting the alert rate thresholds for the behavioral factor required calibration against historical data. The initial settings were too sensitive, generating a surge in Tier 4 escalations. After three weeks of live data, the thresholds were adjusted based on observed false positive rates.
Six-Month Post-Implementation Results
| Metric | Pre-Rebuild | 6 Months Post |
|---|---|---|
| Customer cohort rated Tier 1/Very Low | N/A | 38% |
| Customer cohort rated Tier 2/Low | 35% | 29% |
| Customer cohort rated Tier 3/Medium | 52% | 22% |
| Customer cohort rated Tier 4/High | 12% | 9% |
| Customer cohort rated Tier 5/Very High | 1% | 2% |
| Customers with rating change in past 3 months (behavioral) | ~0% | 4.2% |
| Alert escalations to senior management per month | 0 (no mechanism) | 8 |
| SARs filed in 6-month period | Baseline | +22% vs. prior 6 months |
The +22% SAR filing rate increase was significant. Maya's interpretation: "We weren't filing more SARs because we were seeing more suspicious activity. We were filing more SARs because the behavioral risk rating was surfacing suspicious activity that was previously invisible — it was being misclassified as low-risk and monitored at inadequate sensitivity."
The FCA Review
The FCA assessed Verdant's remediation at the 180-day mark. The review included:
- Examination of the new risk rating methodology documentation
- Testing of the behavioral factor integration (was it actually updating ratings?)
- Review of the alert escalation mechanism
- Sample review of accounts that had had risk rating changes in the prior 60 days
The FCA's assessment: the remediation was adequate. No further enforcement action. The written feedback included a note of encouragement for the five-tier granularity approach — which the FCA had been recommending to other firms facing similar binary (Low/High) rating problems.
Maya's reflection: "The FCA wasn't looking for perfection. They were looking for a system that made honest assessments based on current evidence and updated those assessments as evidence changed. That's all risk rating is supposed to be."
Discussion Questions
1. Gap 2 identified that alert closures did not feed back into risk ratings. Design a specific feedback mechanism: what data from alert closure should feed into risk rating, how should it be weighted, and over what time window?
2. Maya moved from a 3-tier to a 5-tier risk rating system. What are the operational advantages and disadvantages of greater granularity? Is there a point at which more tiers become counterproductive?
3. The behavioral factor integration required six weeks of data engineering work. For an institution evaluating a new CRR system, what API and data integration requirements should be included in the vendor evaluation criteria to avoid this kind of implementation complexity?
4. The SAR filing rate increased 22% post-implementation. Maya attributed this to improved detection, not increased suspicious activity. How would you validate this attribution? What evidence would distinguish "better detection" from "over-filing due to over-sensitive thresholds"?
5. The construction subcontracting account was being used by the customer to process payments for associates. This represented a material deviation from declared business purpose. What specific monitoring rule or behavioral trigger, implemented before the incident, would most likely have detected this pattern earlier?