How to Document a Risk Rating Decision (When Your Manager Asks “Why?”)

How to document a risk rating so it is audit-proof

Knowing how to document a risk rating decision is one of the most underrated skills in AML, and one of the hardest to learn on the job. The system flagged a company as high risk. You agree with the red flag; it is obvious at first glance that the client is risky from an AML perspective. Then your manager asks "Walk me through why you rated them high"… and your brain goes blank.

Not because you don't know your stuff, but because no one taught you how to translate analytical instinct into documentation language that holds up under audit. That is the gap this article addresses.

The Problem: One Sentence Isn’t a Justification

Junior analysts rate a customer High Risk, write "complex ownership structure" in the notes field, and close the case. Twelve months later an auditor asks for the rationale. The file has one sentence, and nobody can tell what "complex" meant at the time of the review.

A well-documented risk rating decision answers four questions:

  1. What did I observe? – Concrete facts, not impressions
  2. Why does it matter? – Link to your policy, a typology, or regulatory guidance
  3. What did I do with it? – Verification steps taken, and where you hit a wall
  4. What’s the conclusion? – The rating, tied directly to the evidence

If your documentation answers all four, you’re audit-ready. If it only answers the first and last, you have a gap.

The “So What?” Test

Every risk factor you list needs to survive the question "So what?". It doesn't sound like a phrase from a financial institution's procedure manual, but it works.

An example: "UBO is based in Panama." So what? "Panama appears on the firm's enhanced scrutiny list due to elevated ML/TF risk. This increases the likelihood of illicit funds integration and warrants additional source of funds verification."

Another example: the client is a 19-year-old student acting as the sole director of a holding company. The director's age and lack of professional experience are inconsistent with managing a holding structure. So what? This creates a high risk of "nominee" or "front man" abuse, suggesting the entity may be controlled by an undisclosed person.

If you can't complete the "so what", the observation isn't doing any work in your file; it is just noise. Auditors don't want a list of facts. They want to see that you understood why those facts matter.

This is also where "complex ownership structure" falls apart as documentation. It fails the test immediately. Complex how? So what? Document the specific feature, such as three offshore holding layers with no stated operational purpose, and then explain why that pattern increases risk.

Writing Observations, Not Only Verdicts

"Customer appears to be a shell company" is a verdict. It tells an auditor what you concluded, not what you saw. Show the breadcrumbs instead.

Write what you observed: "Company has no employees on public record, no physical office address verifiable via registry, and directors sit on 200+ other boards across multiple jurisdictions." That last point is not just a fact; it is a concrete signal of nominee directorship. When you name the specific pattern, the "shell company" conclusion becomes undeniable.

The same logic applies to gaps, when the trail goes cold. If you couldn't verify something, document why and state the limitation: "Audited financials requested. Customer provided management accounts only; company incorporated 11 months ago. Independent verification of stated turnover is not possible at this stage." A documented gap shows you were diligent; silence looks like you either didn't try or missed it.

Documenting a False Positive

Adverse media and sanctions screening produce a lot of noise. Knowing how to close out a non-match is as important as flagging a true match, and it is where junior analysts often leave files half-finished.

When screening returns a potential match that you have assessed and discounted, say so directly and record the specific discrepancies that drove the call:

“Screening returned a potential match for XXX. Match discounted due to middle name discrepancy and a different country of birth. Residential jurisdiction in the hit is inconsistent with the client’s verified address in the file. Profile confirmed as non-match. No further action required.”

One short paragraph. It shows you looked, you assessed, and you made an informed call. That is all that is needed.

What a Strong Conclusion Looks Like

A weak conclusion leaves the auditor guessing; a strong one ties the whole story together. A one-line closing note is not enough. Compare the two below.

Weak: “Based on the above, the customer has been rated High Risk.”

Strong: "Based on a three-layer BVI ownership structure with no economic rationale relative to stated business activity, transaction volumes inconsistent with company age, and unverifiable financials, customer rated High Risk. EDD triggered; file escalated to the MLRO."

Instead of just giving the rating, you give the conclusion, the rationale and the next step.

Audit-ready risk rating documentation starts with showing your work, not just your conclusion.

A Compressed Example

To see how this looks in practice, let's take a system alert for ownership structure complexity and turn it into a professional narrative.

Risk factors observed:

UBO holds 100% through two BVI entities. No structure diagram provided initially; obtained after two follow-up requests. No business rationale for offshore layering stated.

UBO nationality: high-risk jurisdiction per internal policy. Sanctions/PEP screening: clear.

Stated turnover €2.4M. Company age: 14 months. Audited financials unavailable.

Business references provided were for entities also owned by the UBO (circular); no independent verification of trade activity.

Verification and conclusion:

Adverse media returned no results, and a potential screening hit was discounted due to clear discrepancies in DOB and nationality. However, because audited financials were unavailable and management accounts alone cannot verify the stated turnover, the customer is rated High Risk. The primary drivers were the unexplained structure, unverifiable financials, and circular references. I have triggered an EDD requirement within 30 days and immediate escalation to the MLRO per the escalation matrix.

This format takes the same raw data and weaves it into a logical flow. It tells the auditor: "I saw the red flags, I checked the facts, and here is exactly why I'm escalating this."

Do This the Next Time You Wonder How to Document a Risk Rating Decision

Documentation is a muscle, and you only get better by exercising it. The next time you're about to hit "submit" on a high-risk case, stop and look at your notes. Ask yourself: did I just give a verdict, or did I show my work? If a colleague or an auditor reads your file in two years, will they see your logic or just your guess?

If you're struggling to find the right words, don't be afraid to lean on AI to help you rephrase. Two cautions: a lazy prompt gets you so-called "AI slop", and customer-identifying details should never be pasted into a tool your institution has not approved for that purpose, so work from anonymised observations.

Instead, give the AI the framework from this article: the four questions and the "So what?" test. Tell it: "Here are my raw observations. Help me rephrase this into an audit-ready justification that explains the risk mechanism and links it to policy, avoiding vague adjectives."
