Core advisory
Risk Model Recalibration
Full review and rebuild of customer risk-rating models — weighting logic, trigger criteria, review thresholds, escalation pathways and Board-level documentation.
The problem
Customer risk models are often calibrated once and left for years. Jurisdiction weightings, entity-type multipliers and industry flags drift out of step with the real risk landscape — and high-risk customers are silently scored as standard. The model looks like it is working precisely because it never flags anything.
A customer risk-rating model is the quiet engine underneath every CDD decision: it sets review frequency, EDD eligibility, monitoring intensity and escalation. When it is wrong, it is wrong at scale and in silence — every downstream control inherits the error, and the institution has no idea, because a model that never flags looks exactly like a model that works.
The most dangerous risk models are not the ones throwing alerts. They are the ones that have been calibrated once, years ago, and left untouched while the regulatory landscape, the customer base and the typologies all moved on.
Why models drift into silent failure
Risk weightings encode assumptions about the world: which jurisdictions are high-risk, which entity types warrant scrutiny, which industries carry elevated exposure. Those assumptions have a shelf life. A model built for a customer population that no longer exists will keep producing confident, precise, wrong ratings — and because the outputs look orderly, no one questions them until a regulator or an incident does.
Recalibration is retrospective as well as forward-looking
Fixing the logic for new customers is necessary but not sufficient. The back book was scored on the old model. CCL pairs recalibration with retrospective analysis: re-scoring the existing population against the corrected logic, identifying the customers who were silently misclassified, and routing them through documented EDD escalation. That is the difference between a model upgrade and a defensible remediation — and it is exactly the work that resolved silent misclassification at scale.
Built to be approved and challenged
A recalibrated model that the Board cannot explain is a liability. We document the methodology, assumptions and validation so the model can be genuinely owned at Board level and withstand regulatory challenge — and we leave behind the ongoing review governance so the model is recalibrated on a cycle, not rediscovered in a crisis.
The CCL approach
- 01 Interrogate the existing logic
We reverse-engineer the live model: how each factor is weighted, where thresholds sit, and which combinations produce a rating that no experienced practitioner would defend.
- 02 Test against the real population
Retrospective analysis across the customer base to surface misclassification — customers in high-risk jurisdictions or structures sitting on standard-risk review cycles.
- 03 Rebuild the weighting and triggers
Recalibrate factor weightings, trigger criteria, review frequencies and escalation thresholds against current FATF, FCA and JMLSG risk expectations.
- 04 Document for the Board and the regulator
A model rationale that a Board can approve and a regulator can challenge — assumptions, methodology, validation and ongoing review governance.
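The retrospective re-scoring described in steps 02 and 03, as an added Python example that is not CCL's own tooling: a toy additive risk model with constructed jurisdiction weightings, entity-type multipliers, industry flags and rating thresholds, run over a constructed back book under the legacy and the recalibrated logic. The "XX" jurisdiction code, the factor values and the customer records are all illustrative assumptions; the point is the comparison, which shows the legacy model flagging nothing while the corrected model surfaces the customers it silently held below HIGH.

```python
"""Re-score a back book against recalibrated factor weightings (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Model:
    jurisdiction: dict        # additive weight per jurisdiction code ("default" = fallback)
    entity_type: dict         # multiplier per entity type
    industry: dict            # additive flag per industry; unknown industries add nothing
    high_threshold: int       # score >= this -> HIGH
    standard_threshold: int   # score >= this -> STANDARD, else LOW

    def score(self, c: dict) -> int:
        base = self.jurisdiction.get(c["jurisdiction"], self.jurisdiction["default"])
        base += self.industry.get(c["industry"], 0)
        return int(round(base * self.entity_type.get(c["entity_type"], 1.0)))

    def rate(self, c: dict) -> str:
        s = self.score(c)
        return "HIGH" if s >= self.high_threshold else "STANDARD" if s >= self.standard_threshold else "LOW"

# Legacy model (assumed): jurisdiction "XX" never promoted to high-risk, trusts scored like companies,
# no flag for the crypto sector at all.
OLD = Model({"default": 20, "GB": 10, "XX": 20}, {"individual": 1.0, "company": 1.2, "trust": 1.3},
            {"msb": 10}, high_threshold=60, standard_threshold=25)
# Recalibrated model (assumed): XX weighted as high-risk, trusts and MSBs uplifted, crypto flagged.
NEW = Model({"default": 20, "GB": 10, "XX": 45}, {"individual": 1.0, "company": 1.2, "trust": 1.6},
            {"msb": 25, "crypto": 25}, high_threshold=55, standard_threshold=25)

BACK_BOOK = [  # constructed customer records
    {"id": "C001", "jurisdiction": "GB", "entity_type": "individual", "industry": "retail"},
    {"id": "C002", "jurisdiction": "XX", "entity_type": "trust",      "industry": "retail"},
    {"id": "C003", "jurisdiction": "GB", "entity_type": "company",    "industry": "msb"},
    {"id": "C004", "jurisdiction": "XX", "entity_type": "company",    "industry": "crypto"},
    {"id": "C005", "jurisdiction": "GB", "entity_type": "trust",      "industry": "retail"},
]

def rescore(old: Model, new: Model, customers: list) -> dict:
    """Map customer id -> (old_rating, new_rating) for every customer whose rating moved."""
    return {c["id"]: (old.rate(c), new.rate(c)) for c in customers if old.rate(c) != new.rate(c)}

def silently_misclassified(old: Model, new: Model, customers: list) -> list:
    """Customers held below HIGH by the legacy model that the corrected model rates HIGH:
    this is the EDD escalation queue for the back-book remediation."""
    return sorted(c["id"] for c in customers if old.rate(c) != "HIGH" and new.rate(c) == "HIGH")

def high_risk_rate(model: Model, customers: list) -> float:
    """Share of the population rated HIGH; ~0 across a mixed book is the 'never flags' warning sign."""
    return sum(model.rate(c) == "HIGH" for c in customers) / len(customers)

if __name__ == "__main__":
    print("legacy HIGH rate:", high_risk_rate(OLD, BACK_BOOK), "recalibrated:", high_risk_rate(NEW, BACK_BOOK))
    print("rating changes:", rescore(OLD, NEW, BACK_BOOK))
    print("EDD escalation queue:", silently_misclassified(OLD, NEW, BACK_BOOK))
```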
Quantified outcomes
Frequently asked questions
How do we know our risk model is misclassifying customers?
The warning signs are counter-intuitive: very low EDD escalation rates, a SAR volume that seems low for your customer mix, and a model that has not been recalibrated in several years. A silent model is often a broken one — it is not flagging because the logic no longer matches the risk, not because the risk is absent.
What happens to customers who were wrongly rated?
Recalibration is only half the work. We design the reclassification and EDD escalation workflow so affected customers are re-reviewed at the correct frequency, with the analysis and escalation documented — turning a model fix into a defensible remediation of the back book.
Will the Board be able to approve and own the new model?
Yes — that is the point of the documentation. We produce a model rationale covering assumptions, methodology, validation and ongoing review governance, written so the Board can approve it with genuine understanding and a regulator can challenge it without finding gaps.
Related case studies
See it in practice
Silent Misclassification at Scale
Tier 1 Retail & Private Bank
A six-year-old risk model silently scored high-risk customers as standard. Retrospective analysis, reweighting and 340 EDD escalations closed the exposure with zero regulatory findings.
Large-Scale KYC Remediation — A Major Post-Merger Backlog
Tier 1 Retail Bank
A large post-merger backlog of unresolved records, no internal capacity. Programme design in 30 days, risk-tiered delivery, weekly MI — 94% completion in 8 months, 0 enforcement actions.
Related insights
Read the thinking
The Illusion of Low Risk: Why Risk Scores Lie and Regulators Know It
Most institutions run customer risk models built for a population that no longer exists. A model that never flags looks like success — and is often a silent, systemic failure the regulator will find first.
Perpetual KYC Is Not an Automation Problem. It's an Architecture Problem.
Perpetual KYC is sold as an automation upgrade. Automate a broken review model and you get faster noise. The real work is architecture: triggers, data and escalation logic designed before any tool is bought.
Speak to the practice
Before it becomes a regulatory finding, make it a closed action.
A short, confidential advisory call to pressure-test where your KYC, AML, sanctions or risk-classification framework is exposed — and what a defensible fix looks like.