- Sep 19, 2025
- 12 min read
AML & Fraud Risk Assessment in 2025: Risk Matrices, Risk Scoring, and Best Practices
Learn the peculiarities of risk assessment, risk scoring, and risk matrices—why both regulated and unregulated companies need them to fight money laundering and various types of fraud.

Fraud and money laundering (ML) remain two of the most pressing threats to businesses in 2025. While fraud generates illicit funds through activities such as identity theft, account takeover, or payment scams, money laundering disguises the origins of those funds and integrates them into the legitimate financial system. Together, they create a cycle of financial crime that puts both regulated and unregulated businesses at risk.
In 2024, the Global Financial Crime Report by NASDAQ estimated that $3.1 trillion of illicit funds passed through the global financial system. Another 2024 report from the US Department of the Treasury has estimated that $300 billion is laundered in the United States each year. The consequences are devastating: ML undermines financial integrity, exposing companies to legal penalties and reputational damage while also destabilizing economies through distorted markets and reduced investor confidence. So, it’s more important than ever to employ effective tools to fight financial crimes and money laundering. Risk assessment and risk scoring are among them.
AML and fraud risk assessment uses pre-determined risk factors for fraud activities and money laundering to analyze customer profiles and determine each customer’s risk level. Proper control measures can then be implemented to mitigate these risks and protect the organization from financial crime.
In practice, almost all large companies conduct risk assessments and build their own risk matrices—sometimes to prevent money laundering, sometimes to reduce losses from fraud, and often for both reasons simultaneously.
This article will explain how a risk assessment can protect companies from money laundering and compliance failures, while also supporting anti-fraud efforts. It will cover key components of the process, including risk scoring, the risk matrix, and how to build an effective risk assessment model.
What is an AML risk assessment?
An AML risk assessment is an essential process used to analyze and evaluate the risk that customers, products, services, or transactions could be exploited for money laundering or terrorist financing (TF) within a business.
There are several factors to consider to achieve effective AML risk management:
- Customer due diligence (CDD). Creating a reliable CDD procedure is imperative for any successful AML risk assessment. This process includes verifying identity, understanding beneficial ownership, assessing customer risk profiles, and conducting ongoing monitoring. Customers who are deemed to be politically exposed persons (PEPs) are an example of high-risk individuals who require enhanced due diligence (EDD).
- Geographic risk factors. Financial, political, legal, and regulatory indicators of a specific country can be used to help calculate the risk of money laundering activity. Factors to consider include a country’s AML regulations, its level of corruption and bribery, and its support for or involvement in sanctioned activities.
- Product vulnerabilities. Some high-risk product design examples include those that rely on third parties to make payments, where tracking customer behavior is difficult. Another example is products that allow large sums of money to move easily without significant fees or early withdrawal penalties. These are considered product vulnerabilities that increase the risk of suspicious activity and money laundering.
- Channel risk. Customers can use products and services through different channels while managing their finances. Examples of high-risk channels include the use of intermediaries and non-face-to-face transactions. These create a degree of separation between the service provider and the customer, allowing identities to be hidden, which is favored by those engaged in money laundering.
What is a fraud risk assessment?
A fraud risk assessment focuses on vulnerabilities that enable fraudulent behavior, whether from external actors, insiders, or collusion. It maps how fraud could occur, estimates its likelihood, and quantifies potential impact.
Common fraud risk factors include:
- Identity fraud: Synthetic identities, stolen credentials, or deepfake-enhanced KYC attempts.
- Transaction anomalies: Sudden spikes in volume, unusual timing, or velocity of transactions.
- Behavioral and device signals: Suspicious login patterns, mismatched IP/device fingerprints, or impossible travel activity.
- Insider fraud: Employees abusing access to commit or enable fraud.
Risk assessment in fraud and AML is inevitably connected with risk matrices and risk scoring: while risk assessment is a “big picture” step, risk matrices help visualize and prioritize, and risk scoring provides measurable, data-driven values to support decisions. Let’s now dive deeper into the matrices and risk scoring.
What is a risk matrix?
The risk assessment matrix is an important part of the risk assessment process and plays a critical role in enabling institutions to gauge the risk of money laundering and fraud activities. The risk matrix provides a company with an overall risk score and helps mitigate the risk of financial crime and ML using an effective risk rating system.
A risk matrix is usually a chart that evaluates both the likelihood (x-axis) and impact (y-axis) of money laundering or fraudulent activity. It helps companies visualize and categorize risks as low, medium, or high, making it easier to prioritize mitigation efforts.
The matrix incorporates factors that influence a user’s risk score—such as customer profile, transactions, or geography—and plots them against likelihood and impact.
Since each company defines its own factors, there is no universal risk matrix. The output may be expressed as categories (low, medium, high) or as numerical scores (for example, 0–1 or 0–100, where higher values indicate higher risk). Each organization sets its own scale to align with its compliance framework and risk appetite.
If, for example, a customer uses an offshore bank account to make transactions that are deemed complex, the risk matrix may place that customer in the “likely” category on the likelihood scale and “moderate” on the impact scale. Combined, these give the customer a high-risk rating.
This helps institutions understand their exposure to financial crime and spot areas that need attention. With this knowledge, they can decide how to allocate resources to strengthen protection against such risks.
What is risk scoring?
Risk scoring assigns a numerical or categorical value to a customer, reflecting the likelihood that they may engage in ML or fraud activities. The score is calculated from several factors, including:
- KYC documents
- Email and phone data
- Device fingerprints
- Behavior patterns
- Transaction history, etc.
The risk score helps companies determine whether a customer requires closer monitoring. It can reveal risky behaviors, such as unusual login frequency and timing, anomalies in user location, and security risks related to device usage.
The framework for risk scoring considers multiple dimensions of risk, including geographical, transactional, product/service, channel, and customer-related factors. Each factor is weighted based on its potential impact on the overall risk, allowing organizations to prioritize high-risk customers and implement targeted controls.
It is essential that this process is performed and updated continuously, as customers’ risk scores may increase or decrease over time. To assess levels of risk effectively and allocate appropriate resources to monitoring those deemed high risk, new information has to be factored into the system regularly.
Here is an example of how a risk scoring table may look:
| Risk factor | Score (1-10) | Weight (%) |
| --- | --- | --- |
| Customer | 10 | 40% |
| Geography | 5 | 20% |
| Service/Product usage | 6 | 24% |
| Channel | 4 | 16% |
| Total risk rating | 25 (sum of scores) | 7.08 (weighted score, 1-10) |
The overall risk score calculated can then be placed in a category that determines whether a customer is deemed low, medium, or high risk. For example, customers scoring 0-35 may be considered low risk, 36-65 medium risk, and 66-100 high risk.
It is important for organizations using this scoring system to assign accurate weights to risk factors. If this is done poorly, customers may be incorrectly deemed low risk, which can lead to undetected financial crime, regulatory intervention, and serious penalties for the organization.
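The weighted calculation behind the table above, as an added example rather than code from the article. It assumes each factor is scored 1-10, that weights are percentages summing to 100, and that the weighted 1-10 result is multiplied by 10 to land on the 0-100 band the article uses for its low/medium/high thresholds; the mis-weighted variant is a constructed illustration of the caveat in the previous paragraph.

```python
"""Weighted AML/fraud risk scoring (added example, not the article's code).

Assumptions not stated on the page: factor scores are 1-10, weights are
percentages that must sum to 100, and the weighted 1-10 rating is scaled
x10 onto the 0-100 band used for the article's tier thresholds.
"""
from __future__ import annotations

# Tiers as given in the article: 0-35 low, 36-65 medium, 66-100 high.
TIERS = ((35, "low"), (65, "medium"), (100, "high"))

# Weights from the article's example table.
WEIGHTS = {"customer": 40, "geography": 20, "service_product": 24, "channel": 16}

# Constructed mis-weighting: the customer factor is under-weighted and the
# channel factor over-weighted. Sums to 100, so it passes the sum check.
MISWEIGHTED = {"customer": 10, "geography": 20, "service_product": 24, "channel": 46}

# The customer from the article's table.
ARTICLE_EXAMPLE = {"customer": 10, "geography": 5, "service_product": 6, "channel": 4}


def validate_weights(weights: dict[str, float]) -> None:
    """Reject negative weights and weights that do not sum to 100%."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        raise ValueError(f"weights sum to {total}, expected 100")


def weighted_score(scores: dict[str, int], weights: dict[str, float] = WEIGHTS) -> float:
    """Weighted rating on the 1-10 scale (7.08 for the article's table)."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"no score for factors: {sorted(missing)}")
    for name, s in scores.items():
        if not 1 <= s <= 10:
            raise ValueError(f"score for {name} must be within 1-10, got {s}")
    return round(sum(scores[f] * weights[f] / 100 for f in weights), 2)


def to_percent_scale(weighted: float) -> float:
    """Assumption: scale the 1-10 weighted rating onto 0-100 for tiering."""
    return round(weighted * 10, 1)


def risk_tier(score_0_100: float) -> str:
    """Map a 0-100 score onto the article's low/medium/high tiers."""
    for upper, tier in TIERS:
        if score_0_100 <= upper:
            return tier
    raise ValueError(f"score out of range: {score_0_100}")


def assess(scores: dict[str, int], weights: dict[str, float] = WEIGHTS) -> dict:
    """Full assessment: sum of raw scores, weighted rating, 0-100 score, tier."""
    weighted = weighted_score(scores, weights)
    pct = to_percent_scale(weighted)
    return {
        "sum_of_scores": sum(scores.values()),
        "weighted_1_10": weighted,
        "score_0_100": pct,
        "tier": risk_tier(pct),
    }


if __name__ == "__main__":
    print("article weights :", assess(ARTICLE_EXAMPLE))
    print("mis-weighted    :", assess(ARTICLE_EXAMPLE, MISWEIGHTED))
```

With the article's weights the customer scores 7.08 (70.8 on the 0-100 band) and lands in the high tier; with the mis-weighted table the same customer drops to medium, which is exactly the misclassification the paragraph above warns about.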
Which businesses need risk assessment?
Risk assessments are not just a regulatory checkbox. They are essential for any organization exposed to financial crime, whether in the regulated sector (where AML rules are mandatory) or the non-regulated sector (where fraud risk is the primary driver).
1. Businesses in the regulated sector (AML-focused)
These organizations are legally required to conduct AML risk assessments to comply with global frameworks such as FATF recommendations, EU AML directives, or the US Bank Secrecy Act.
Examples include:
- Banks and credit unions: Manage high volumes of cross-border transactions and customer onboarding.
- Investment and asset management firms: Exposed to complex corporate structures and high-value transfers.
- Cryptocurrency exchanges and wallet providers: Face heightened scrutiny due to anonymity and high fraud rates.
- Insurance companies, especially life insurance and investment-linked products: Face a risk of criminals using insurance products to place, move, or disguise illicit funds.
- Law firms and trust companies: Potential enablers of beneficial ownership concealment.
2. Businesses in the non-regulated sector (Fraud-focused)
While these industries may not have AML compliance obligations, they face enormous fraud exposure. Fraudsters target these sectors due to their high transaction volumes, digital channels, and reliance on customer trust.
Examples include:
- E-commerce platforms: Exposed to card-not-present fraud, account takeover, chargebacks, and fake merchant accounts.
- Telecommunications providers: Targeted for SIM-swap fraud and subscription fraud.
- Gaming and iGaming: At risk of account fraud, bonus abuse, and money laundering through in-game assets or chips.
3. Convergence sector (AML + fraud risks)
Some businesses face both AML and fraud risks simultaneously. For example, fintech and crypto companies must comply with AML regulations and fend off sophisticated fraud schemes.
Examples include:
- Digital banks and neobanks: Attract both fraudsters (for account takeover) and launderers (due to fast cross-border payments).
- Crypto exchanges and NFT marketplaces: Face fraud (scams, wash trading) alongside AML concerns.
- Payment service providers (PSPs): Operate in a dual risk zone, managing regulatory oversight and fraud detection simultaneously.
How to build an effective risk assessment model in 2025
Building a structured risk assessment model allows regulated and non-regulated institutions to guarantee consistency throughout the entire process. While AML assessments are often regulatory-driven, fraud assessments are business-driven. Yet, the process of building an effective framework is very similar. Below is a five-step guide adapted for AML and fraud risk management in 2025.
Step 1: Acceptable risk exposure
Every organization must first define its risk appetite—the level of AML and fraud risk it is willing to accept.
In AML, this means setting thresholds consistent with regulatory obligations. Some exposure to higher-risk customers (e.g., international remittances) may be permissible, but there must be zero tolerance for knowingly facilitating money laundering or terrorist financing.
In fraud, businesses may tolerate small-scale fraud (e.g., return fraud in retail) as part of operational costs, but high-value fraud such as account takeover or APP scams must be considered unacceptable.
Suggested read: Authorized Pushed Payment Fraud: From Reaction to Prevention
Step 2: Risk identification
Identify the specific threats that pose the greatest danger to the organization.
AML risk factors: customer types, transaction categories, geographic regions, delivery channels, and product vulnerabilities.
Fraud risk factors: identity theft, synthetic IDs, account takeover attempts, phishing campaigns, abnormal transaction flows, and insider threats.
At this stage, organizations should collect data from both internal (transactions, customer records) and external sources (regulatory lists, fraud intelligence feeds).
Step 3: Risk analysis
Risk analysis applies the risk scoring system and risk matrices to understand the significance of each risk factor, taking into account both its likelihood and its impact. This step highlights the level of risk an organization is exposed to with its current control measures in place, known as residual risk.
Step 4: Risk prioritization
Following risk analysis, decisions must then be made to prioritize managing risks that pose the greatest threat. This step involves allocating resources to areas that need addressing, as well as assessing the effectiveness of current control measures. Doing this helps to determine whether adjustments need to be made to reduce risk exposure. Examples of control measures include transaction monitoring systems, screening tools, and employee training.
Step 5: Strategies for risk mitigation
Last but not least, an actionable plan to manage each risk appropriately should then be created. This may involve improving transaction monitoring systems and screening tools. It is also important to regularly monitor the effectiveness of these control measures to ensure that they are performing their desired function properly.
Risk categories and tiers explained
Risk factors in an AML and fraud risk assessment can be classified into categories and tiers, which are then used to assess the overall risk of each individual customer.
Common risk categories
1. Geographic risk
- Customer residency or nationality
- IP location
- Regions under sanctions—Iran, North Korea, Syria, Russia, Cuba, Venezuela, Belarus, Afghanistan
- Jurisdictions under increased FATF monitoring—Algeria, Angola, Bolivia, Bulgaria, Burkina Faso, Cameroon, Côte d’Ivoire, Democratic Republic of the Congo, etc.
2. Customer risk
- Age
- Employment status
- PEP status
- Source of Funds
- Reputational & adverse media risks
3. Product, service, or transaction risk
This largely depends on the industry and type of business. For example, a gambling software development company might look at indicators such as:
- Percentage of total deposits made using high-risk payment methods (relative to the lifetime value of all transactions)
- Percentage of declared annual income spent
- Number of payment accounts used (lifetime)
- Percentage of bets placed in live games
Other factors may include:
- Capability of anonymity—makes it difficult to verify the source of funds, which is an important component of the AML framework, e.g., crypto-asset accounts
- Third-party involvement—third-party payments can be used to obscure the origin of funds and are often used in money laundering activity
4. Delivery channels risk
- Non-face-to-face interactions (e.g., remote account opening, e-commerce transactions, online loan applications, etc.)
- Introducers (third parties who introduce potential clients to financial institutions or service providers, e.g. law firms, accountants): illegitimate introducers can be used to connect entities or individuals with illicit origins to organizations to unknowingly launder money
Risk tiers
Risk tiers (e.g., in KYB) are used to categorize customers into groups that reflect their risk of financial crime. Customers are assigned a score using the risk matrix, which is then used to place them into one of the risk tiers below.
Low-risk customers are considered to have minimal financial crime risk due to factors such as transparent ownership, stable transactions, and operating in regulated environments. Examples include publicly owned enterprises, companies with securities listed on a regulated market, and routine retail customers.
Medium-risk customers fall between the low- and high-risk categories. These may include small business owners who send international wire transfers, customers with transactions of moderate size, or businesses located in countries considered moderately risky.
High-risk customers present significant money laundering risks and often require enhanced due diligence as well as frequent reviews. Examples include non-face-to-face business relationships, politically exposed persons (PEPs), companies with excessively complex corporate structures, or those operating in high-risk geographical areas.
Suggested read: High-Priority and High-Risk: What You Need to Know About Politically Exposed Persons (PEPs) in 2025
Common mistakes in AML and fraud risk assessments
The goal of AML and fraud risk assessments is to reduce exposure, strengthen internal controls, and ensure compliance. However, many organizations make critical mistakes that leave them vulnerable to financial crime. These errors can result in regulatory fines, reputational damage, or direct financial losses.
Here are some of the most common mistakes made in AML risk assessments:
Over-reliance on manual processes. Many organizations believe that a manual approach to risk assessment offers a more thorough screening of customers.
- AML context: manual reviews of KYC documents and transaction data often introduce human error, allowing red flags to slip through the cracks.
- Fraud context: fraudsters move in real-time, but manual review cycles are too slow to detect fast-evolving scams such as account takeover or phishing.
💡Best practice: automate wherever possible: AI-powered transaction monitoring and fraud detection can identify anomalies instantly.
Failure to comply with updated policies. Regulations change frequently, and outdated policies can lead to multi-billion-dollar fines. While fraud regulations are less formalized, consumer protection standards (e.g., UK APP fraud liability rules) are expanding. Failure to align exposes companies to legal and reputational risks.
💡Best practice: continuously track regulatory and industry developments, and update frameworks accordingly.
Ineffective data management. If the client data is not collected appropriately and integrated into the AML framework and/or fraud prevention strategy, it can lead to gaps in risk assessments, increasing the risk of suspicious activity going unnoticed.
- AML context: poor data integration between onboarding, KYC, and transaction monitoring systems leads to incomplete customer profiles and gaps in risk analysis.
- Fraud context: fraud prevention tools often work in silos (device analytics, payments, chargeback systems). Without integration, signals are missed (e.g., fraud flagged at checkout but ignored at login).
💡Best practice: consolidate data sources into a unified risk assessment platform.
Outdated scoring models. Organizations that fail to update their scoring systems will fail to identify new trends in activity, reducing their effectiveness in preventing money laundering activities, whilst also not meeting regulatory standards.
- AML context: using static scoring models that don’t adapt to new laundering typologies (e.g., crypto mixers, trade-based laundering) causes blind spots.
- Fraud context: relying only on static rules (e.g., “flag all transactions above $10,000”) misses new schemes like micro-fraud (small-value but high-frequency fraud).
💡Best practice: use dynamic, adaptive scoring models that update in real time as new behaviors and typologies emerge.
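A concrete illustration of the static-rule blind spot described under the fraud context above, as an added example that is not code from the article. It runs the article's “flag all transactions above $10,000” rule and a simple per-account velocity rule over a constructed transaction sample; the velocity limits (more than 10 transactions, or several transactions totalling more than $1,000, within 10 minutes) are assumptions chosen for illustration.

```python
"""Static amount rule vs. sliding-window velocity rule (added example).

The transactions below are constructed for this illustration. The velocity
limits are assumptions; the $10,000 static threshold is the one quoted in
the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

STATIC_LIMIT = 10_000           # the article's "flag all transactions above $10,000"
WINDOW = timedelta(minutes=10)  # assumed velocity window
MAX_COUNT = 10                  # assumed: more than 10 txns per account per window
MAX_SUM = 1_000                 # assumed: several txns totalling more than $1,000


def static_rule(txns):
    """IDs of transactions whose single amount exceeds the static limit."""
    return {t["id"] for t in txns if t["amount"] > STATIC_LIMIT}


def velocity_rule(txns):
    """Per-account sliding window: flag a transaction when the count within
    the window exceeds MAX_COUNT, or when two or more transactions in the
    window add up to more than MAX_SUM. Single large payments are left to
    the static rule, so the two rules complement each other."""
    flagged = set()
    windows = defaultdict(deque)  # account -> deque of (timestamp, amount)
    for t in sorted(txns, key=lambda t: t["ts"]):
        q = windows[t["account"]]
        q.append((t["ts"], t["amount"]))
        while q and t["ts"] - q[0][0] > WINDOW:  # evict entries older than WINDOW
            q.popleft()
        total = sum(a for _, a in q)
        if len(q) > MAX_COUNT or (len(q) > 1 and total > MAX_SUM):
            flagged.add(t["id"])
    return flagged


def build_sample():
    """Constructed data: one large single purchase (account A), a normal
    account (B), and an account (C) making 30 x $45 payments within five
    minutes, i.e. the small-value, high-frequency pattern the article calls
    micro-fraud."""
    base = datetime(2025, 9, 19, 10, 0, 0)
    txns = [
        {"id": "T1", "account": "A", "ts": base, "amount": 12_500},
        {"id": "T2", "account": "B", "ts": base + timedelta(minutes=1), "amount": 80},
        {"id": "T3", "account": "B", "ts": base + timedelta(hours=2), "amount": 65},
    ]
    for i in range(30):
        txns.append({"id": f"M{i}", "account": "C",
                     "ts": base + timedelta(seconds=10 * i), "amount": 45})
    return txns


def compare(txns):
    """Run both rules and report what the static rule alone would miss."""
    static, velocity = static_rule(txns), velocity_rule(txns)
    return {
        "static": sorted(static),
        "velocity": sorted(velocity),
        "missed_by_static": sorted(velocity - static),
    }


if __name__ == "__main__":
    for name, ids in compare(build_sample()).items():
        print(f"{name:17s} {len(ids):2d} flagged: {ids}")
```

The static rule flags only the $12,500 purchase, while the velocity rule flags account C from its eleventh payment onward (20 transactions that the static rule never sees); the account making two normal payments two hours apart is flagged by neither.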
Treating AML and fraud as separate functions. Many organizations maintain distinct AML compliance teams and fraud prevention teams. While this may satisfy organizational charts, it creates data silos and duplicated effort. Criminals exploit this gap—fraud generates illicit funds, which are then laundered through AML blind spots.
💡Best practice: move toward integrated financial crime risk management frameworks that combine AML and fraud monitoring into a single view of risk.
A reactive rather than proactive approach.
- AML context: updating models only after a regulatory audit or enforcement action.
- Fraud context: reacting only after losses occur (e.g., refunding chargebacks) rather than preventing fraud at the point of transaction.
💡Best practice: adopt real-time monitoring, predictive analytics, and red-team testing to stay ahead of threats.
How often should AML and fraud risk assessments be updated?
Financial crime is constantly evolving, which means risk assessments cannot remain static. Both AML and fraud risk assessments must be reviewed and updated regularly to stay effective. While the drivers differ—regulatory requirements for AML and operational threats for fraud—the principle is the same: adaptation is key to protection.
Best practices for updating an AML risk assessment include:
- Triggers prompting updates. If changes are made, for example, new products are introduced, legislation is amended, or the business expands into new areas, then updates to the AML risk assessment must be made.
- Regular reviews of the AML risk assessment. There are no regulatory requirements for updating an AML risk assessment. However, a full and comprehensive review of the AML risk assessment should be made every year at the very least. This is to ensure compliance with the latest AML laws, optimize protection against evolving money laundering techniques, and reflect any changes to a business that may alter current risks in the organization.
- Real-time risk analytics. The most effective AML risk assessments incorporate real-time monitoring of customers and update risk scoring continuously.
- Prompt updates post-incidents. If a customer is found to be engaging in illegal activities, it is essential to update the AML risk assessment to prevent the same incident from recurring.
Fraudsters adapt instantly to new technologies, products, and customer behaviors, which makes outdated models dangerous. So, fraud risk assessments require continuous or near-real-time updates.
Best practices for updating a fraud risk assessment include:
- Ongoing monitoring and analytics. Update fraud scoring models dynamically with live transaction and behavioral data.
- Post-breach updates. If a fraud event occurs (e.g., mass phishing attack, account takeover), the assessment must be revised immediately.
- Product and channel changes. Introducing instant payments, BNPL, or new authentication methods requires fresh risk analysis.
- Quarterly or semi-annual reviews. Even with real-time monitoring, formal reassessment cycles ensure strategic oversight.
How to choose the right risk scoring solution in 2025
When selecting a tool to automate your risk matrix for individuals, merchants, and transactions, focus on solutions that provide dynamic, multi-factor risk scoring across both onboarding and ongoing customer behavior. Here are the key features to consider:
- Automation: The system should continuously assess and update risk scores in real time, eliminating manual effort, reducing human error, and freeing up resources.
- Dynamic & adaptive scoring: Look for tools that adjust scores automatically as new data and behaviors emerge, so your risk decisions are always based on the latest context.
- No-code configuration: A strong solution empowers business users to set up and fine-tune scoring models without needing developers, ensuring flexibility and faster changes.
- Full lifecycle coverage: Choose a platform that monitors risk from onboarding through ongoing engagement, giving you continuous protection and compliance across the entire customer journey.
Fraud and money laundering aren’t slowing down—ensure your business stays protected with a reliable risk scoring and advanced risk assessment today.
FAQ
What are the key components of an AML risk assessment?
The key components of an AML risk assessment include assessing the geographical, customer, transaction, and product/service risk that a client may pose with regard to money laundering. By identifying high-risk customers, controls and measures can be put in place to prevent money laundering.
What is the difference between a risk matrix and risk scoring?
A risk matrix uses a table to establish the likelihood and impact of a customer participating in money laundering activity and to determine whether they are considered low, medium, or high risk. Risk scoring, on the other hand, assigns numerical values to risk factors and provides a quantitative measure used to rank customers’ risk.
How is customer risk calculated in AML?
Customer risk in AML is calculated by identifying risk factors for money laundering and assigning a risk score using these factors. The risk score can then be used to decide what level of due diligence is necessary for each individual customer.
How often should AML risk assessments be performed?
In general, an AML risk assessment should be performed at least once a year; however, if updates are made that alter risk factors and scores, it may be required more frequently.
What is a risk-based approach in AML compliance?
In AML compliance, a risk-based approach refers to identifying risk factors and implementing measures based on those factors. The goal is to mitigate the identified risk factors that pose the highest level of threat and reduce the risk of money laundering activity.
How do financial institutions assign AML risk scores?
Financial institutions create an AML risk scoring model that reflects the relevant risk of their customers. This AML framework can then be used to assign an AML risk score to each customer, which provides guidance on control measures and due diligence levels.