Case study
Silent Misclassification at Scale
Situation
A legacy customer risk-scoring model — unchanged for six years — silently classified high-risk customers as standard risk through flawed jurisdiction and entity-type weighting. Because the model never flagged, it was assumed to be working.
Risk exposure
2,800 customers in high-risk jurisdictions were sitting on inadequate review frequencies. Only 14 SARs had been filed in 24 months — a volume implausibly low for the customer mix, and itself a symptom of the broken model.
Before & after — the numbers
The most dangerous compliance failures are the quiet ones. This bank’s customer risk-scoring model was not throwing alerts, not generating escalations, not causing visible problems. That was precisely the issue. A model calibrated six years earlier — against a customer population and a regulatory landscape that had since moved on — was confidently and consistently scoring high-risk customers as standard risk, and its silence was being read as success.
The tell was the absence of signal
Two indicators gave it away, both counter-intuitive. First, the EDD escalation rate was far too low for the customer base. Second, only fourteen SARs had been filed across twenty-four months — a figure implausibly small for a Tier 1 retail and private bank with the jurisdictional mix this one carried. A model that never flags is not necessarily a clean book; it is often a broken control whose outputs nobody questions because they look orderly.
What we did
CCL reverse-engineered the live model to expose how jurisdiction weightings and entity-type multipliers combined to produce ratings no experienced practitioner would defend. We then ran a retrospective analysis across the existing customer base — re-scoring the back book against corrected logic to identify exactly which customers had been silently misclassified.
The fix was deliberately two-sided. Recalibrating the model corrected future ratings; the retrospective reclassification corrected the legacy exposure. 2,800 customers were reclassified and routed through a documented EDD escalation workflow, generating 340 EDD escalations that the old model had suppressed.
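The two-sided approach above can be shown as a small re-scoring harness. This is an added illustration, not CCL's model and not the bank's real weightings (the page does not publish them): every weight, threshold and customer record below is a constructed assumption, and the only point it demonstrates is diffing old against corrected logic across the back book and treating an implausibly low high-risk rate as a control failure rather than a clean book.

```python
from dataclasses import dataclass

# Assumed, constructed weighting tables (illustrative only). The "old" tables
# under-weight high-risk jurisdictions and ignore entity type, which is the
# kind of flaw that lets high-risk customers land on a standard rating.
OLD_JURISDICTION = {"GB": 1.0, "DE": 1.0, "KY": 1.2, "IR": 1.4}
NEW_JURISDICTION = {"GB": 1.0, "DE": 1.0, "KY": 2.5, "IR": 3.0}
OLD_ENTITY = {"individual": 1.0, "company": 1.0, "trust": 1.0}
NEW_ENTITY = {"individual": 1.0, "company": 1.3, "trust": 1.8}
HIGH_RISK_THRESHOLD = 2.0  # assumed: score >= threshold => "high"


@dataclass(frozen=True)
class Customer:
    cid: str
    jurisdiction: str
    entity_type: str
    base: float  # assumed product/activity base score


def score(c, jur, ent):
    """Multiplicative score: base x jurisdiction weight x entity multiplier."""
    return c.base * jur[c.jurisdiction] * ent[c.entity_type]


def rating(s):
    return "high" if s >= HIGH_RISK_THRESHOLD else "standard"


def rescore_back_book(customers):
    """Re-score every customer under old and corrected logic and return the
    ids whose rating silently rises from standard to high."""
    return [
        c.cid
        for c in customers
        if rating(score(c, OLD_JURISDICTION, OLD_ENTITY)) == "standard"
        and rating(score(c, NEW_JURISDICTION, NEW_ENTITY)) == "high"
    ]


def high_risk_rate(customers, jur, ent):
    """Share of the book rated high under a given weighting; compare against a
    plausibility floor for the customer mix to catch absence-of-signal."""
    return sum(rating(score(c, jur, ent)) == "high" for c in customers) / len(customers)


# Constructed sample back book (not real customers).
SAMPLE = [
    Customer("C1", "GB", "individual", 1.0),
    Customer("C2", "KY", "trust", 1.0),
    Customer("C3", "IR", "company", 1.0),
    Customer("C4", "IR", "individual", 1.5),
    Customer("C5", "DE", "trust", 1.0),
]

if __name__ == "__main__":
    print("silently misclassified:", rescore_back_book(SAMPLE))
    print("old high-risk rate:", high_risk_rate(SAMPLE, OLD_JURISDICTION, OLD_ENTITY))
```

The diff list is the candidate set for the EDD escalation workflow; the rate under the old weights is the "tell" that should be compared against a floor set by the customer mix.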
The outcome
Every reclassification and escalation was documented with its rationale, forming a continuous audit trail, and the recalibrated model was packaged into a Board-approvable validation pack with ongoing review governance. When the framework was subsequently examined, the result was zero regulatory findings — the exposure had been identified, quantified, remediated and evidenced before it became a supervisory matter.
This engagement is the clearest illustration of why risk-model recalibration must be retrospective as well as forward-looking: fixing the logic without re-scoring the back book leaves the original exposure exactly where it was.
Regulator-facing outputs
- Retrospective misclassification analysis across the back book
- Reweighted risk model with documented rationale
- EDD escalation workflow and audit trail for affected customers
- Board-level model validation and governance pack
Capabilities involved
The services behind this work
Risk Model Recalibration
Full review and rebuild of customer risk-rating models — weighting logic, trigger criteria, review thresholds, escalation pathways and Board-level documentation.
KYC Remediation at Scale
Structured remediation programmes from 10,000 to 500,000+ customers — triage, risk-tiering, file completion, MI tracking and regulator-ready outputs.
Speak to the practice
Before it becomes a regulatory finding, make it a closed action.
A short, confidential advisory call to pressure-test where your KYC, AML, sanctions or risk-classification framework is exposed — and what a defensible fix looks like.