A Guide to Risk Scoring in 2026

Find out about risk scoring and how to do it right in line with AML requirements. Learn which risk factors are relevant, depending on the industry, and how automated risk scoring solutions can elevate your daily due diligence processes.

Gabija Stankevičiūtė

January 2, 2026

Blog
Risk scoring. Practical steps and automated solutions that are worth it.

Predefined criteria and risk factors shape the overall risk or fraud score, an indicator that explains the danger and level of risk you might be dealing with. In the context of regulatory compliance and risk management, AI and special Anti-Money Laundering (AML) solutions have helped analysts and various sectors to better understand and detect risks linked to concrete customer profiles or the general company’s background, like ties to sanctions, in real-time, and without the need to sift through multiple documents or endless lists of government databases manually. 

In the past, without the power and abilities of automated solutions, it was much harder to predict or calculate the risk of serious threats or catch the risk before it escalated to something even more serious, such as money laundering. In contrast, a proper modern risk scoring system is based on clearly defined standards that are designed to detect and indicate the level of potential fraud based on factors like regulatory compliance or changes in the financial market. In other words, you need to build a risk scoring system that’s actually based on and adapted to real-life risks. 

In this blog post, we’ll explain what a proper risk scoring system should include and how to assess and monitor risks, so you can clearly see the value of this risk management strategy.

What is Risk Scoring?

Risk scoring is the process of determining a value, often low, medium, or high (or a concrete number), in order to show the level or severity of a risk, based on multiple factors. It depends on the type of data used and what sort of risk scoring model the company chooses. 

For example, data can be qualitative or quantitative. This means that:

  • Qualitative data is descriptive. For example, adverse media finds, inconsistencies, or AML flags during enhanced due diligence (EDD), and similar atypical and suspicious behavioral signs that can’t be measured numerically but provide important compliance context.
  • Quantitative data is expressed in numbers. For example, failed Know Your Customer (KYC) attempts, transaction volume, or the times that the user had logged in from high-risk regions, which are all numbers that can be measured using predefined scoring rules. 

Infographic providing an overview of risk scoring and outlining the main types of risks that affect the final score.

Modern risk scoring models react to triggers in real-time, meaning that they use AI and machine learning to adapt using new data, rather than always relying on the same rigid checklist. This allows for the risk scoring to be based on various factors that generate the final risk score, improving accuracy and efficiency. Ultimately, this is what all regulated businesses with a large volume of customers and transactions want. 

Is Risk Scoring Mandatory?

Yes, most jurisdictions require some sort of rating or scoring systems as a legal requirement of the risk-based approach to AML. For example, the Financial Action Task Force (FATF) recommends applying the risk-based approach as a core AML strategy to treat and react to threats effectively. So, in this sense, risk scoring works like a foundation and one of the first steps in AML compliance.

Each customer and each transaction needs to be assessed based on individual risk factors. The same rules can’t be applied because fraud patterns evolve, and so does customer behavior. Even the ones with a completely clean profile and a sleek history can develop bad tendencies. 

What is a Risk-Based Approach?

A risk-based approach (RBA) is the concept of measures in AML compliance that are designed to:

  • Detect and better understand existing risks
  • Create and update risk management strategies
  • Perform ongoing risk assessments

Controls need to be adjusted to specific threats, and not all risks and customers are treated equally. That’s why compliance officers spend more time on elevated risks like high-risk countries or corporate clients from high-risk industries, product-wise. In practice, such accounts are treated using EDD measures, while simplified due diligence (SDD) is used for low-risk profiles. 

Companies need to adapt and understand the money laundering risks they face in real-time while applying risk management measures that can combat those risks proportionately. To manage their risk intelligently, companies often use AI for ongoing monitoring.

Related: What is the Difference Between CDD and EDD?

Risk-Based Approach vs Risk Scoring 

Risk scoring can also be part of the risk-based approach in the sense that the RBA helps create a strategy, or a focus on high-risk risks, while risk scoring helps shape the metric, or a score, which helps execute that strategy. A company can use a risk scoring solution that automatically assigns a concrete number (0-100, for instance) to a customer that shows how severe and urgent the risk is. 

For example, a customer receives:

  • A risk score of 15, and is monitored using standard compliance controls.
  • A risk score of 85 due to factors like high transaction volumes, exposure to a high-risk country, or adverse media finds, which automatically triggers EDD and extra checks.

Risk scoring evaluates multiple risk factors, such as customer information, transaction behavior, geographic exposure, or delivery channels, combining them to produce an overall risk score. This works as a structured scoring model that assigns weighted values to other custom factors like adverse media links or a Politically Exposed Person (PEP) status, depending on the concrete company and its operating environment.

Examples of Industries that Use Risk Scoring 

Various businesses use risk scoring both as a fraud prevention measure and a regulatory compliance requirement. 

For example:

  • Financial institutions. This helps banks, fintechs, credit institutions, and similar service providers onboard low-risk clients faster and treat high-risk clients by applying EDD measures. 
  • Insurance service providers. This helps assess applicant risks and detect potentially fraudulent claims with suspicious behavioral indicators that could lead to service abuse. 
  • Marketplaces. This helps spot suspicious sellers that might need extra checks based on their location, IP, or transaction history. It can be bot used as an onboarding tool and an ongoing verification method. 
  • iGaming and gambling. This helps detect bonus abuse, underage bypassing attempts and other player behavior that’s tied to fraud or even money laundering. 
  • Crypto and digital asset platforms. This helps assess multiple factors, such as suspicious wallet behavior or jurisdictional risks, while complying with the Travel Rule and AML requirements. 

What Key Risks Should I Concentrate On?

You can identify risks anywhere: among your partners or vendors, across new and existing customers and their transactions, as well as different geographies. There are industry standards or key risks that you should consider when monitoring customers. 

This includes:

  • AML and counter-terrorist financing (CFT) risk
  • Regulatory risk due to changing compliance requirements
  • Fraud risk, which includes all sorts of fraud forms
  • Operational risk
  • Cybersecurity and data privacy risk
  • Third-party risk linked to vendors 
  • Consumer risk, such as the misuse of financial services
  • Merchant risk, particularly valuable for assessing high-risk industries

Over the years, factors like the use of digital payments, the volume and high speed of cross-border transactions, or new digital assets like crypto have contributed to making monitoring risk profiles a challenge. 

Criminals now use AI for document forgery, deepfakes, and other forms of fraud. They open business accounts and use complex corporate structures to hide true ownership, for example, through shell companies that exist only on paper and are used for money laundering. 

Related: KYC Risk Assessment Automation Rules & Key Risk Factors to Consider

What Factors Can Influence a Risk Score?

Multiple checks and data points affect the final risk score, depending on your risk appetite. This helps analysts make the right decision and apply extra checks on high-risk customers. 

The most common factors that influence and raise the risk score include:

  • IP address (including suspicious locations or blocklisted devices)  
  • High-risk countries (meaning transactions coming from such regions)
  • The user’s source of funds (SOF) (if they are not in line with their reported income)
  • Suspicious behavior (often during onboarding, such as refusal to provide personal info)
  • Transaction patterns (for example, atypical transaction spikes, like large transactions within a short period of time)
  • Payment method (especially if it’s a prepaid card or crypto, which are often automatically marked as higher risk)

Using these parameters, risk scoring solutions can categorize customers into low, medium, or high-risk users. For example, there are solutions like iDenfy’s Shopify ID verification that can be enabled only when a high-risk transaction alert is received. So, even in e-commerce, the user would have to go through an additional, automatically triggered Know Your Customer (KYC) check in order to approve their purchase. This helps minimize fraudulent charges and unauthorized purchases.

Infographic listing the factors affecting user risk scores e.g. source of funds and location.

Apart from risk scoring, there are many checkpoints in an AML risk assessment, such as identifying the highest-risk customers or which products are most likely to be abused, as well as identifying the areas that can pose the greatest risks to your company. 

Best Practices for Effective Risk Scoring

A proper risk scoring system is powered by AI, meaning it can adapt and update customer risk profiles based on their behavior, not only during the account opening process, but through the whole business relationship. This helps adjust risk scores and reduce false positives, keeping the monitoring part efficient and accurate

For instance, instead of multiple hits and notifications, the system should only flag users or transactions that require EDD. 

Infographic listing four steps of calculating a risk score.

To achieve this goal, in practice, risk scoring should also rely on these processes:

  • Identity verification or KYC checks during user onboarding and in a high-risk scenario 
  • AML screening against PEPs and sanctions lists, watchlists and adverse media 
  • Transaction monitoring to detect AML red flags and inconsistencies
  • Custom workflow optimization, including tailored risk scoring adjustments based on factors like the client’s occupation or geographic location
  • Ongoing compliance measures that would help react to received AML alerts, for example, filing a Suspicious Activity Report (SAR) within the reporting time 

Risk scoring is not a one-and-done deal, and it shouldn’t be treated as a static measure. Risk management should always align with regulatory expectations, yet, in a perfect scenario, should support automation and improve the end-user experience. That means low-risk customers should be onboarded quickly and seamlessly. More importantly, failing to adjust scores over time or ignoring changes in customer behavior can lead to non-compliance fines. 

Sounds like a tricky mission? We can help you update your AML program through automated risk assessment and risk scoring solutions. Book a free demo for more info. 

What is Risk Scoring?
Is Risk Scoring Mandatory?
What is a Risk-Based Approach?
Examples of Industries that Use Risk Scoring 
What Key Risks Should I Concentrate On?
What Factors Can Influence a Risk Score?
Best Practices for Effective Risk Scoring

Automatically Detect Low, Medium & High-Risk Customers

Verify and screen high-risk customers while onboarding low-risk users at scale. Reduce false positives.

Try for free

Frequently asked questions

1

How Often Should I Update User Risk Scores?

Arrow

Risk scores should be reviewed continuously, not just at onboarding. Regulatory guidelines recommend updating scores whenever there are significant changes in customer behavior, transactions, geographic exposure, or when new adverse information emerges. 

2

Can Risk Scoring Reduce the Number of SAR Filings For Financial Institutions?

Arrow
3

Can Smaller Organizations Benefit From Risk Scoring?

Arrow
4

Are There Industry-Specific Risk Scoring Factors to Consider?

Arrow
Gabija Stankevičiūtė

Gabija’s a consistent writer for the blog and the first ever in-house copywriter at iDenfy, who joined the company in 2021. With a background in journalism, she covers all things related to the RegTech ecosystem and its innovations.

Read more articles

Blog

January 20, 2026

Mastering Complex B2B Onboarding Flows

B2B onboarding has become more complex as businesses face higher risk and pressure to move fast, but it is where trust really begins, as onboarding is clear and well-designed, helping teams move forward with confidence instead of slowing growth.

Written by Andrius Juodis
Blog KYB/AML

January 8, 2026

Germany’s Unique KYB Issue and Its Possible Solution

Germany’s KYB process is formed by complex legal forms and registries. Generic verification frameworks often struggle in this environment, making it essential to design KYB processes that works well in Germany’s environment.

Written by Andrius Juodis
Merchant fraud. How to fight it using practical solutions.
Blog KYB/AML

January 6, 2026

Top 5 Merchant Fraud Types & How to Avoid Them

Find out how criminals use various online platforms for merchant fraud and learn why protecting your B2B relationships is vital if you want to manage third-party risks properly, with other relevant challenges like an increased chargeback rate with a bunch of flagged, high-risk orders.

Written by Gabija Stankevičiūtė

Save costs by onboarding more verified users

Join hundreds of businesses that successfully integrated iDenfy in their processes and saved money on failed verifications.

Try for free Talk to sales mr-10 Try for free
LLOYDS

All iDenfy’s products are protected with the number one cyber insurance package and the Technology Errors & Omissions insurance.

GDPR ready badge CCPA compliant badge SOC certificate ISO 27001 standard iBeta ISO 30107 standard