Registered Investment Advisers (RIAs) in the U.S. are facing new anti-money laundering (AML) regulations effective January 1, 2026. FinCEN’s final AML rule brings RIAs under Bank Secrecy Act requirements, meaning RIAs must implement risk-based AML programs just like banks. A core element of this is client risk scoring as part of client due diligence – in other words, assessing each client’s money laundering risk level (low, medium, or high) based on defined factors. This article provides a comprehensive guide for U.S.-based RIAs on how to build and implement a client risk scoring model as part of an AML compliance program. We’ll cover the regulatory context (FinCEN, SEC, and BSA guidance), the business value of risk scoring, step-by-step instructions to develop a risk model, a sample risk scoring matrix, and how this ties into transaction monitoring and suspicious activity reporting. Finally, we’ll highlight best practices for ongoing monitoring and how purpose-built AML software for investment advisers, such as Flagright, can streamline compliance.

Understanding FinCEN’s 2026 AML Rule for RIAs

In August 2024, FinCEN issued a sweeping final rule extending AML/CFT requirements to SEC-registered investment advisers. For the first time, RIAs are defined as “financial institutions” under the BSA, ending a long-standing gap in AML coverage. By January 1, 2026, RIAs must comply fully with AML obligations, or risk regulatory enforcement. The key requirements include:

  • Risk-Based AML Program: RIAs must develop and implement a written AML/CFT compliance program that is risk-based and reasonably designed to prevent misuse by money launderers. This means tailoring the program to the firm’s unique risk profile.
  • Customer Due Diligence (CDD): RIAs are expected to perform risk-based customer due diligence, which involves assessing the risk of each client and understanding the nature and purpose of client relationships. (Notably, FinCEN’s rule for RIAs does not yet mandate a formal CIP or beneficial ownership collection, but those may come in future rules.)
  • Suspicious Activity Reporting (SAR): Just like banks, “covered” RIAs must monitor for suspicious transactions and file SARs with FinCEN for any $5,000+ transactions that could involve illicit activity.
  • Internal Controls and Training: Appointment of an AML compliance officer, ongoing employee training, and independent testing of the program are required pillars.

Importantly, regulators emphasize a risk-focused approach. The SEC will examine RIA firms for compliance after the rule kicks in. Examiners will expect to see that firms have assessed their customer base and services for money laundering risk and are applying commensurate controls. In practice, this means RIAs need to have a documented process to categorize clients by risk level and adjust monitoring accordingly.

Why Risk Scoring for Clients Is Essential

Risk scoring for investment advisers isn’t just a bureaucratic exercise – it’s both a regulatory necessity and a smart business practice. Under FinCEN’s rule, an RIA’s AML program must be risk-based, with special focus on higher-risk clients. Regulators expect firms to identify customers that pose higher risk and apply enhanced scrutiny to those relationships. Without a formal risk scoring model, an RIA could easily misidentify a high-risk client as “low risk,” undermining its entire AML program and exposing the firm to regulatory violations.

From a business perspective, a well-designed AML risk model provides several benefits:

  • Efficient Resource Allocation: By categorizing clients into risk tiers, compliance teams can focus their efforts where it matters most – on high-risk clients and activities. This ensures you’re not over-investigating low-risk customers or missing red flags on risky ones.
  • Better Detection of Illicit Activity: A robust client risk profile (part of the overall risk-based CDD process) aids in detecting unusual or suspicious behavior early. For example, knowing a client has a high risk score (perhaps due to foreign jurisdiction and Politically Exposed Person status) will prompt closer monitoring of that client’s transactions, increasing the chance of catching suspicious patterns.
  • Regulatory Compliance and Avoidance of Penalties: Demonstrating a documented risk scoring methodology shows regulators you are meeting the “risk-based” program expectations of FinCEN and the SEC. This can protect the firm from penalties – or at least mitigate them – by evidencing a good-faith effort to comply. In contrast, failing to implement risk scoring could lead to serious compliance findings or fines once examinations begin in 2026.
  • Protection of Firm Reputation: RIAs often deal with high-net-worth individuals and entities. A robust risk scoring and due diligence process helps avoid doing business with bad actors (e.g. sanctioned individuals, money launderers) that could tarnish the firm’s reputation or lead to costly enforcement actions.

In short, RIA AML compliance in 2025 and beyond will hinge on having a sound risk-based approach. As the Treasury’s 2024 risk assessment highlighted, the RIA sector had vulnerabilities stemming from its limited prior AML obligations, and forward-thinking firms recognize that adopting AML best practices is sound risk management, not just a regulatory box-tick. A client risk scoring model is the foundation that supports other program elements like enhanced due diligence and transaction monitoring.

Key Components of a Risk-Based AML Program for RIAs

Before diving into building the model, let’s clarify what regulators and industry guidance say about risk-based AML programs and client risk assessment. Per FinCEN’s rule and the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Manual:

  • Customer Risk Profiling: Firms should develop a customer risk profile for each client based on the nature and purpose of the account. This profile (often a numeric score or category) reflects the institution’s judgment of how likely the client could be involved in money laundering or terrorist financing. It’s commonly referred to as a customer risk rating.
  • Differentiation of Risk: Not all clients present the same risk. Even within the same category of customers, there’s a spectrum of risk. Therefore, the risk scoring model should be detailed enough to distinguish significant variations in risk among clients. For example, two individual clients may both be retirees with similar portfolios, but one’s foreign citizenship or adverse media hits might warrant a higher risk rating.
  • Risk-Based CDD and Monitoring: The reason you profile client risk is to apply commensurate controls. Guidance states that AML policies and procedures should be commensurate with the firm’s risk profile, with increased focus on higher-risk customers. Higher-risk clients should trigger stronger due diligence (such as verifying source of funds, obtaining senior management approval to onboard, etc.) and more frequent review of their transactions. Lower-risk clients can be monitored with standard procedures. This risk-based allocation of effort is a cornerstone of an effective AML program.
  • Continuous Updating: Risk assessment is not a one-and-done task at onboarding. Firms are expected to maintain and update customer information and risk profiles on an ongoing basis, as risk dictates. Changes in a client’s situation (new negative news, unusual transaction spikes, etc.) should prompt a re-evaluation of their risk score. We will discuss ongoing monitoring in a later section.

With these principles in mind, let’s move on to constructing a practical risk scoring model.

Step-by-Step Guide: Building a Client Risk Scoring Model

Developing a risk scoring model involves identifying what makes a client risky, quantifying those elements, and setting up a system to rate every client. Below is a step-by-step approach to create an AML risk scoring model tailored for RIAs:

1. Identify Key Risk Factors – Start by defining which client risk factors will influence the score. Risk factors are attributes or behaviors of a client that correlate with higher money laundering risk. According to industry best practices, typical factors include the client’s **source of wealth and funds, occupation/industry, country of residence, anticipated transaction behavior, ownership structure complexity, PEP (Politically Exposed Person) status, adverse media,** and so on. The factors should cover the categories of risk relevant to an RIA’s business. For example, an RIA managing private funds might include a factor for “investment vehicle type” (individual account vs. offshore trust). Most firms group factors into areas such as customer profile, geographic risk, product/service risk, and transactional patterns. It’s wise to review U.S. regulatory guidance and the firm’s own risk assessment to choose factors. (The Treasury’s 2024 RIA Risk Assessment can offer insights into risk scenarios identified in the industry.) Make sure each chosen factor has a clear connection to potential illicit finance risk.

2. Gather and Validate Client Data – Once factors are defined, determine what data needs to be collected for each factor. Effective risk scoring relies on having accurate information about the client. During onboarding and periodic refresh, collect data such as: customer identification details, occupation and industry, sources of funds/wealth (e.g. salary, business revenue, inheritance documentation), country of residence or operation, expected account activity (investment amount, frequency of withdrawals), and screening results (sanctions lists, PEP lists, negative news searches). Ensure data quality – inaccurate or missing data will skew the risk scores. Establish processes to verify critical information (for instance, use reliable databases for verifying a client’s country risk or PEP status). If some data is external (like adverse media hits), integrate those sources as well. All this information forms the input variables for your scoring model.

3. Assign Weights and Values to Risk Factors – Next, design the scoring methodology. Each risk factor should be assigned a weight or point value reflecting its relative importance. For example, “PEP status” might be given a high weight (since PEPs typically elevate risk significantly), whereas “length of customer relationship” might have a lower weight. Many models use a numeric scale for each factor – for instance: 1 point for low-risk category, 3 points for medium, 5 points for high-risk category (a simple 1-3-5 scoring). The weights and scoring logic should be grounded in the firm’s risk appetite and regulatory guidance. FinCEN expects the risk scoring to consider the significance, likelihood, and impact of each risk factor. For instance, if the client’s geography is high-risk (say, a country on the FATF “high-risk” list), that factor might contribute a large portion of the total score. Document a scoring rubric for each factor. Example: Client Type: If client is a regulated U.S. financial institution = 1 (low risk); if a private company or individual = 3 (moderate); if a high-risk business (e.g. money service business, cannabis) or a shell company = 5 (high risk). Doing this for all factors creates your scoring matrix (see sample matrix below).

4. Calculate Risk Scores and Calibrate the Model – With factor weights in place, you can calculate a total risk score for a client by aggregating the points from all applicable factors. The raw score then maps to a risk rating (e.g. a total score of X = Low, Y = Medium, Z = High). Score calibration is critical to ensure the model is neither too sensitive nor too lenient. Calibration involves testing the model on a sample of clients and tweaking thresholds or weights as needed. For example, if your model initially flags 40% of your clients as “High Risk,” that might be unrealistic and could overwhelm your compliance capacity. You might decide to raise the threshold for High Risk to make that category more selective (or adjust factor scores down in some areas). Use a combination of expert judgment and data analysis to calibrate. Techniques include back-testing and scenario analysis – e.g. take known low-risk clients and ensure they indeed score low, and known high-risk profiles to see that they score high. According to best practices, institutions should conduct periodic testing and fine-tune weightings to validate that the risk scores align with real risk levels. Calibration is not a one-time task; plan to revisit it after the model has been in use and refine as you gather more data on how it performs.

5. Classify Clients into Risk Tiers – Finally, clearly define the risk tiers (typically Low, Medium, High) based on score ranges or qualitative thresholds. Each client’s total score will place them into one of these categories. The definitions should align with your firm’s risk appetite and regulatory expectations. Below is a sample risk scoring matrix illustrating how various risk factors might be scored and how a client’s risk tier is determined:

Sample Client Risk Scoring Matrix:

| Risk Factor | Low Risk (Score) | Medium Risk (Score) | High Risk (Score) |
|---|---|---|---|
| Client Identity/Type | Low-risk entity (e.g. U.S. regulated company) – 1 point | Standard client (e.g. individual with clear background) – 3 points | High-risk client type (e.g. cash-intensive business, high-risk industry) – 5 points |
| Geographic Risk | Client based in U.S. or FATF member country – 1 | Client based in moderately risky jurisdiction – 3 | Client from high-risk country or sanctioned region – 5 |
| Source of Funds/Wealth | Transparent source (e.g. salary, public company proceeds) – 1 | Somewhat opaque or mixed sources – 3 | Unclear or high-risk sources (cash, offshore trusts) – 5 |
| PEP/Adverse Media | Not a PEP; no negative news – 0 | N/A (no mid-tier – factor is binary) – 0 | Politically Exposed Person or notable adverse news – 5 |
| Expected Activity Level | Low volume & simple transactions – 1 | Moderate activity or complexity – 3 | High transaction volume or complex asset movements – 5 |

Scoring example: A client who is an individual (3 points), U.S.-based (1 point), with verified salary as source of funds (1 point), not a PEP (0), and moderate expected activity (3) would score 8 points. According to our defined thresholds, let's say 0-8 = Low Risk, 9-16 = Medium, 17+ = High. In this case, 8 points puts the client in Low Risk. By contrast, an offshore company client in a high-risk country with vague source of wealth and a PEP beneficial owner might score 5+5+5+5 = 20 points, i.e. High Risk.

Each risk tier should have corresponding due diligence and monitoring actions. For instance, Low Risk clients might undergo standard due diligence and annual reviews, Medium Risk clients get intermediate due diligence and semiannual reviews, and High Risk clients require Enhanced Due Diligence (EDD), senior management approval to onboard, and quarterly (or more frequent) reviews. Defining these actions is part of implementing the risk model in practice.
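To make the matrix, the scoring example and the tier actions above concrete, here is an added Python implementation (not code from this article or from Flagright) of the additive model: 1-3-5 points per factor, the binary PEP factor, the 0-8 / 9-16 / 17+ bands, the per-tier due diligence actions, and the step-4 calibration check on the share of clients landing in High. The sample clients are constructed; the offshore-company case assumes a high expected-activity level, which the article’s 20-point sum leaves out, and a missing factor raises an error rather than silently scoring as low.

```python
"""Additive client risk scoring on the 1-3-5 matrix, with tier bands and actions."""
from typing import Dict, List, Tuple

# Points per factor and level, mirroring the sample matrix.
# PEP/adverse media is binary (0 or 5); every other factor uses 1/3/5.
FACTOR_POINTS: Dict[str, Dict[str, int]] = {
    "client_type":       {"low": 1, "medium": 3, "high": 5},
    "geography":         {"low": 1, "medium": 3, "high": 5},
    "source_of_funds":   {"low": 1, "medium": 3, "high": 5},
    "pep_adverse_media": {"low": 0, "high": 5},
    "expected_activity": {"low": 1, "medium": 3, "high": 5},
}

# Score bands from the worked example: 0-8 Low, 9-16 Medium, 17+ High.
TIER_BANDS: List[Tuple[int, str]] = [(8, "Low"), (16, "Medium")]

# Per-tier actions from the article; review_months is the file-review cadence.
TIER_ACTIONS = {
    "Low":    {"due_diligence": "standard",     "review_months": 12, "senior_approval": False},
    "Medium": {"due_diligence": "intermediate", "review_months": 6,  "senior_approval": False},
    "High":   {"due_diligence": "enhanced",     "review_months": 3,  "senior_approval": True},
}


def score_client(levels: Dict[str, str]) -> int:
    """Sum factor points. Missing or unknown data is an error, never a silent 'low'."""
    total = 0
    for factor, table in FACTOR_POINTS.items():
        if factor not in levels:
            raise ValueError(f"missing risk factor data: {factor}")
        level = levels[factor]
        if level not in table:
            raise ValueError(f"invalid level {level!r} for factor {factor}")
        total += table[level]
    return total


def classify_score(score: int) -> str:
    """Map a raw score to a tier using the upper bound of each band."""
    for upper, tier in TIER_BANDS:
        if score <= upper:
            return tier
    return "High"


def rate_client(levels: Dict[str, str]) -> Tuple[int, str, dict]:
    """Return (score, tier, required actions) for one client."""
    score = score_client(levels)
    tier = classify_score(score)
    return score, tier, TIER_ACTIONS[tier]


def tier_distribution(clients: Dict[str, Dict[str, str]]) -> Dict[str, float]:
    """Share of the client book in each tier, used for the step-4 calibration check."""
    counts = {"Low": 0, "Medium": 0, "High": 0}
    for levels in clients.values():
        counts[classify_score(score_client(levels))] += 1
    n = max(len(clients), 1)
    return {tier: c / n for tier, c in counts.items()}


def high_tier_share_too_large(clients: Dict[str, Dict[str, str]], max_share: float = 0.4) -> bool:
    """True when High exceeds the share a compliance team can realistically work (assumed 40%)."""
    return tier_distribution(clients)["High"] > max_share


# Constructed sample clients following the article's two worked cases plus a mid-band case.
SAMPLE_CLIENTS = {
    # individual (3), U.S. (1), verified salary (1), not a PEP (0), moderate activity (3) -> 8
    "us_individual": {"client_type": "medium", "geography": "low", "source_of_funds": "low",
                      "pep_adverse_media": "low", "expected_activity": "medium"},
    # offshore company, high-risk country, vague wealth, PEP owner, assumed high activity -> 25
    "offshore_company": {"client_type": "high", "geography": "high", "source_of_funds": "high",
                         "pep_adverse_media": "high", "expected_activity": "high"},
    # individual (3), moderately risky jurisdiction (3), mixed sources (3), no PEP (0), low activity (1) -> 10
    "expat_individual": {"client_type": "medium", "geography": "medium", "source_of_funds": "medium",
                         "pep_adverse_media": "low", "expected_activity": "low"},
}

if __name__ == "__main__":
    for name, levels in SAMPLE_CLIENTS.items():
        score, tier, actions = rate_client(levels)
        print(f"{name}: {score} points -> {tier} "
              f"({actions['due_diligence']} DD, review every {actions['review_months']} months)")
    print("tier distribution:", tier_distribution(SAMPLE_CLIENTS))
```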

Integrating Risk Scoring with Transaction Monitoring and SAR Reporting

A client risk scoring model doesn’t exist in a vacuum – it directly feeds into your transaction monitoring for RIAs and suspicious activity reporting processes. Here’s how they integrate:

  • Risk-Based Transaction Monitoring: Once clients are classified by risk, you can calibrate your transaction monitoring rules or systems accordingly. Higher-risk clients should be subject to more stringent monitoring criteria. For example, you might set lower thresholds for triggering alerts on high-risk clients (since even smaller transactions could be suspicious given their profile), whereas low-risk clients might have higher thresholds. Many AML software solutions allow risk-based rules – meaning the risk rating can be an input into whether an alert fires. This approach ensures that high-risk customers’ transactions are scrutinized more closely, aligning with regulatory expectations to focus on higher risk customers. Conversely, it helps reduce “false positives” from low-risk clients doing routine activities. Customer risk profiles and transaction monitoring should continuously inform each other: unusual transactional behavior may raise a client’s risk score, and a high risk score may cause you to look more closely at their transactions.
  • Suspicious Activity Detection and SAR Filing: Risk scores also play a role in your investigation and SAR decision process. Analysts reviewing alerts will weigh the client’s risk rating as a factor – a potentially suspicious transaction by a high-risk client will be viewed with greater concern than the same by a low-risk client. Your internal SAR escalation procedures can incorporate risk tier as a criterion (e.g. any high-risk client alert is automatically escalated to a compliance officer for review). The client risk rating, along with transaction details, will guide whether a SAR should be filed. Regulators expect that by having robust risk scoring and monitoring, RIAs will be able to identify reportable suspicious activities in a timely manner.
  • Case Management and Investigations: It’s important to document in each case investigation how the client’s risk profile influenced the analysis. For instance, if you decide not to file a SAR on a high-risk client’s activity, you should document why (perhaps the activity was verified as expected despite the high risk status). Conversely, if a low-risk client suddenly behaves irregularly, that might prompt you to both file a SAR and bump their risk rating to high going forward.

In summary, the risk scoring model works hand-in-hand with transaction monitoring and SAR reporting. A feedback loop should exist: client risk scores inform the intensity of monitoring, and monitoring outcomes (alerts, SARs, new information) should prompt updates to risk scores. This integrated approach makes the overall AML program more effective at catching suspicious patterns. As McKinsey noted, modern approaches to customer risk rating integrate aspects of transaction monitoring and screening to identify high-risk customers far more effectively.

Ongoing Monitoring, Periodic Review, and Documentation

Building the risk model is not a one-time project – ongoing maintenance is critical. FinCEN’s rule (and good compliance practice) requires that RIAs continuously monitor and update their understanding of client risk:

  • Periodic Risk Re-Evaluation: Set a schedule for reviewing and updating client risk scores. Many firms do annual reviews for moderate risk clients, and more frequent (e.g. quarterly or semiannual) for high-risk clients. Low-risk clients might be reviewed every 1-2 years. During a review, refresh the KYC information: Has the client’s profile changed? New adverse media or sanctions hits? Changes in ownership or business activities? If yes, adjust the score accordingly and document the reasons. Also consider trigger-based reviews: certain events should prompt an immediate re-assessment outside the periodic cycle. Triggers include a new suspicious transaction alert, a law enforcement inquiry, a material change in account activity, or updates to country risk lists that affect the client’s geography score.
  • Continuous Monitoring & Profile Updates: In addition to periodic file reviews, implement processes to keep customer information up-to-date on a rolling basis. For example, if your transaction monitoring system or screening tool finds something (like a client appears in a negative news article), feed that into the risk scoring system promptly. Modern AML programs aim for perpetual KYC – dynamically updating risk profiles in real time as new data comes in. Flagright’s platform, for instance, offers dynamic risk profiling in real-time based on behavioral and inherent risk factors, which is an example of how technology can automate this continuous update.
  • Record-Keeping and Documentation: Every element of the risk scoring process should be documented. This includes the methodology (factors and weighting rationale), each client’s risk score and how you arrived at it, and any overrides or manual adjustments. If you ever adjust a client’s risk rating outside the model (perhaps a judgment call by compliance), make sure to log who approved it and why. Documentation is vital for internal audit and for demonstrating to examiners that your risk-based approach is consistent and defensible. Remember that regulators will evaluate if your program is “reasonably designed” for your risks – thorough records will help prove that. The risk rating of each client should also be easily accessible in case you need to reference it during an investigation or an audit.
  • Independent Testing and Model Validation: The FinCEN rule requires independent testing of the AML program. Part of that testing (whether by internal audit or an outside party) should include evaluating the risk scoring model’s effectiveness. Are the risk criteria still current with regulatory standards? Is the model producing too many or too few high-risk classifications? Periodic model validation and calibration exercises (such as back-testing the scores against known risk outcomes) are recommended. If the regulators change their lists of high-risk countries or the firm enters a new market, update the model factors or weights accordingly.
  • Ongoing Training: Ensure that relevant staff understand the risk scoring process. This includes those collecting KYC information (so they know why it’s needed), the analysts using the risk scores in monitoring, and senior management who need to know the risk profile of the firm’s clientele. Training should cover how to interpret the risk ratings and the procedures for escalating issues with high-risk clients.

By regularly revisiting the risk model, RIAs can keep it aligned with evolving risks and regulations. A static model that was set up in 2025 may become outdated by 2027 if not tended to – threats change, and so must the risk scoring. Keeping the model current and audit-ready will ensure it continues to serve its purpose: helping the firm stay compliant and safe from financial crime.

Leveraging Technology: AML Software for Investment Advisers (Flagright)

Implementing a client risk scoring model and broader AML program can be challenging, especially for smaller or mid-sized investment advisers. This is where AML software for investment advisers becomes invaluable. A purpose-built technology platform can automate much of the heavy lifting – from data collection to real-time risk scoring and case management. One such recommended solution is Flagright, which offers an all-in-one AML compliance platform tailored to RIAs.

Why Flagright? Flagright’s platform is designed to help RIAs quickly deploy a complete AML solution that meets the 2026 requirements. Key advantages of choosing Flagright include:

  • Rapid Deployment: Flagright is a secure, cloud-based SaaS solution that can be up and running in days, not months. This rapid deployment means an RIA can quickly integrate the tools and ensure they become compliant well before the deadline. Time is of the essence with the FinCEN rule, and a fast rollout is a huge benefit.
  • AI-Enhanced Risk Scoring: Flagright provides dynamic risk scoring capabilities powered by both rule-based logic and AI analytics. The platform can automatically adjust client risk profiles in real time as new data (transactions, alerts, screening hits) comes in, which aligns with best practices of continuous risk monitoring. AI algorithms help identify patterns or anomalies that might be missed by static rules, enhancing the accuracy of risk ratings. (For example, Flagright’s AI agents can analyze transaction behaviors across clients to flag outliers.)
  • Comprehensive Transaction Monitoring: Out of the box, the software includes transaction monitoring with a high-performance rules engine and machine-learning augmentations. Scenarios can be tailored for the investment advisory context (e.g. monitoring transfers in investment accounts, unusual asset movements, etc.). The system’s real-time alerting ensures suspicious activities are caught and can be investigated promptly.
  • Sanctions Screening and Client Due Diligence: Flagright also covers AML screening by checking clients against sanctions, PEP, and adverse media databases automatically. This continuous screening feeds into the risk score (for instance, if a client pops up on a watchlist, their risk rating will update). All CDD information can be stored and managed within the platform for easy reference and updating.
  • Case Management & SAR Workflow: A critical part of an AML program is managing investigations and reporting. Flagright offers an integrated case management system that organizes alerts, client profile data, and investigation notes in one place. Compliance analysts can escalate cases, add findings, and decide on SAR filing within the tool. The platform even supports automated SAR filing templates to FinCEN, streamlining the reporting process. This end-to-end workflow capability saves time and ensures nothing falls through the cracks.
  • Audit-Ready Reporting: The software logs all actions and changes, producing an audit trail that examiners will appreciate. Flagright provides dashboards and reports that show your customer risk distribution, alerts trend, and compliance KPIs – useful for both internal oversight and demonstrating effectiveness to regulators.
  • Expert Support: Beyond the software itself, Flagright takes a partnership approach. Their team offers guidance on best practices and help with customization, effectively acting as an extension of your compliance team. For an RIA new to AML requirements, this support can be as valuable as the technology, ensuring the firm interprets the regulations correctly and sets the right parameters in the system.

By leveraging a platform like Flagright, RIAs can significantly reduce the burden of implementing a risk scoring model and broader AML infrastructure on their own. The platform’s rapid deployment, AI-driven analytics, and built-in case management address the major pain points in establishing an AML program from scratch. Rather than reinventing the wheel, RIAs can configure Flagright’s out-of-the-box solution – which already aligns with regulatory standards – and be up to speed well before the FinCEN deadline. This not only ensures compliance but can turn AML into a business advantage (by building trust with clients and regulators).

Conclusion

Building a client risk scoring model is a core component of RIA AML compliance under FinCEN’s 2026 rule. By focusing on U.S.-specific guidance and regulations, we’ve outlined how RIAs can create a robust, risk-based program.

By implementing a strong client risk scoring model and overall AML framework now, RIAs will not only meet the impending regulatory requirements but also strengthen their defense against financial crimes. In the long run, this means a more secure business and the confidence to grow knowing that compliance is under control. RIA AML compliance is becoming mandatory, but with the right approach and tools, it can be achieved in a way that is sustainable and adds value to your firm’s operations.
