
How does it work?

Learn how to integrate and utilize Ambriel's KYB (Know Your Business) compliance solutions effectively.

KYB Risk Scoring Strategies

Ambriel evaluates company risk by checking various business signals (rules) and calculating a final risk score using a scoring strategy.

Think of it this way: each rule is like a red flag detector. When a flag is raised, the scoring strategy decides how serious it is and how it affects the overall risk picture.

How Rules Work

Each rule evaluates a specific risk factor and has three components:

  • Impact: How severe would this risk be if it materialized? (1 = Minor issue, 5 = Critical threat)
  • Likelihood: How probable is this risk in practice? (1 = Rare, 5 = Very common)
  • Weight: How important is this rule category to your business? (typically 1, but adjustable)

When a rule triggers, its score is calculated as:

Rule Score = Impact × Likelihood × Weight

Risk Matrix Reference

This 5×5 matrix shows how Impact and Likelihood combine into risk classifications:

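| Impact \ Likelihood | Very Low (1) | Low (2) | Medium (3) | High (4) | Very High (5) |
|---|---|---|---|---|---|
| Severe (5) | High | Severe | Severe | Critical | Critical |
| Major (4) | High | High | Severe | Severe | Critical |
| Moderate (3) | Medium | High | High | Severe | Severe |
| Minor (2) | Medium | Medium | High | High | Severe |
| Insignificant (1) | Low | Medium | Medium | High | High |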

Example: A company operating in a high-risk jurisdiction might have Impact=4 (Major) and Likelihood=5 (Very High), resulting in a "Critical" classification.


Three Scoring Strategies

Ambriel offers three proven strategies for calculating final risk scores. Each reflects different compliance philosophies used by banks, fintechs, and regulated institutions worldwide.

Your choice depends on:

  • Your industry's regulatory requirements
  • Your organization's risk tolerance
  • How you want to handle multiple simultaneous risk signals

Strategy 1: Cumulative Risk (Sum of Scores)

How It Works

This strategy adds up all triggered rule scores to create a total risk score.

Philosophy: Multiple smaller risks accumulate into significant exposure. A company with many minor issues may be riskier than one with a single moderate concern.

Formula

Total Score = Σ (Impact × Likelihood × Weight)

Real-World Example

You're onboarding a payment processor. Three rules trigger:

| Rule Triggered | Impact | Likelihood | Weight | Score |
|---|---|---|---|---|
| Company less than 1 year old | 2 | 3 | 1 | 6 |
| Registered in high-risk country | 4 | 4 | 1 | 16 |
| Incomplete documentation | 2 | 2 | 1 | 4 |

Total Score = 6 + 16 + 4 = 26

With thresholds set as:

  • Low: 0–10
  • Medium: 11–25
  • High: 26–40
  • Severe: 41+

Final Risk Level: High

Why this matters: Even though no single rule was catastrophic, the combination of new company + risky jurisdiction + poor documentation creates elevated risk requiring enhanced due diligence.

Configuration Options

  • Risk Level Thresholds
    Define score ranges for Low/Medium/High/Severe classifications.
    Tip: Set based on your approval workflows (e.g., scores under 15 = auto-approve, 15-30 = manual review, 30+ = escalate to compliance).

  • Score Cap
    Set a maximum total score to prevent outliers.
    Use case: Cap at 100 to avoid a company with 20 triggered rules skewing your analytics.

  • Category Weights
    Multiply specific rule categories by custom weights.
    Example: Set "Sanctions & PEP" category weight to 2× if regulatory fines in your jurisdiction are severe.

Best Use Cases

  • General KYB programs: Most versatile approach, suitable for 80% of businesses
  • Proportionate risk assessment: Want risk to scale with number of issues
  • Customer segmentation: Differentiate between "clean," "some concerns," and "high-risk" tiers
  • Regulated industries: Banks, payment processors, crypto exchanges with graduated compliance requirements

Real scenario: A neobank uses this strategy to segment customers into risk tiers. Scores 0-20 get instant approval, 21-40 need document verification, 41+ require senior compliance sign-off.


Strategy 2: Critical Risk (Highest Score Wins)

How It Works

This strategy uses only the single highest rule score as the final result. All other triggered rules are ignored for scoring purposes.

Philosophy: In compliance, one critical red flag (sanctions hit, fraud indicator, PEP exposure) should override everything else. A company can't be "low risk" just because it scored well on other criteria.

Formula

Final Score = MAX(Impact × Likelihood × Weight)

Real-World Example

You're screening a corporate services provider. Three rules trigger:

| Rule Triggered | Impact | Likelihood | Weight | Score |
|---|---|---|---|---|
| Small company (under 10 employees) | 2 | 3 | 1 | 6 |
| Ultimate beneficial owner is a PEP | 5 | 5 | 1 | 25 |
| Missing phone verification | 1 | 2 | 1 | 2 |

Final Score = MAX(6, 25, 2) = 25

With thresholds:

  • Low: 0–5
  • Medium: 6–15
  • High: 16–24
  • Severe: 25+

Final Risk Level: Severe

Why this matters: The PEP connection alone warrants enhanced due diligence, regardless of company size or minor documentation gaps. The compliance team must investigate before onboarding.

Configuration Options

  • Risk Level Thresholds
    Map maximum scores to risk classifications.
    Tip: Set conservative thresholds since you're only looking at the worst signal.

  • Noise Filtering
    Ignore rules below a minimum score threshold.
    Use case: Set minimum to 5 to exclude trivial findings like "missing social media handle" from consideration.

Best Use Cases

  • Sanctions screening programs: Any sanctions match = instant escalation
  • Anti-fraud operations: Single fraud indicator triggers full investigation
  • Conservative compliance cultures: Financial institutions with low risk appetite
  • Regulatory-driven workflows: Where specific flags mandate automatic actions
  • High-stakes partnerships: Strategic vendors, correspondent banking relationships

Real scenario: A cryptocurrency exchange uses this strategy because any single sanctions hit, regardless of a company's otherwise clean profile, requires immediate account freeze per regulatory obligations.

Common pitfall to avoid: Don't use this if you need nuanced risk scoring. A company with 10 moderate risks will score the same as one with 1 moderate risk and nothing else.


Strategy 3: Normalized Scoring (Percentage-Based)

How It Works

This strategy calculates risk as a percentage of the maximum possible score, creating a standardized 0-100% scale.

Philosophy: Fair comparison requires context. A company triggering 3 out of 5 applicable rules (60%) is riskier than one triggering 5 out of 20 rules (25%), even if raw scores are similar.

Formula

Risk Score (%) = (Actual Score ÷ Maximum Possible Score) × 100

Real-World Example

Company A (E-commerce startup):

  • Actual score from triggered rules: 60
  • Maximum possible score (all enabled rules): 300
  • Normalized Score: (60 ÷ 300) × 100 = 20%

Company B (Established manufacturer):

  • Actual score from triggered rules: 60
  • Maximum possible score: 150 (fewer rules apply)
  • Normalized Score: (60 ÷ 150) × 100 = 40%

Same raw score, but Company B shows higher risk density.

With percentage thresholds:

  • Low: 0–20%
  • Medium: 21–40%
  • High: 41–70%
  • Severe: 71%+

→ Company A: Low-Medium Risk | Company B: Medium-High Risk

Configuration Options

1. Maximum Score Calculation Method

Choose what "100%" represents — this is critical:

Option A: All Rules (Including Disabled)

  • Max score stays constant even when you modify rules
  • ✅ Use for: Historical trend analysis, consistent benchmarking
  • ✅ Example: Quarterly board reports comparing Q1 vs Q2 risk levels
  • ⚠️ Limitation: Includes rules you no longer use in calculations

Option B: Enabled Rules Only (Most Common)

  • Max score reflects your current active policy
  • ✅ Use for: Production KYB screening, current risk assessments
  • ✅ Example: You deprecated old jurisdiction rules last month; scores now reflect updated compliance framework
  • 📊 Recommended for: 90% of organizations

Option C: Triggered Rules Only

  • Max score changes per company based on which rules actually fired
  • ⚠️ Use rarely: Only when companies are truly incomparable
  • ❌ Problem: Company triggering 2/2 rules = 100%, company triggering 2/10 rules = 20%, even if same 2 rules
  • 🚫 Avoid for: Portfolio comparison, risk reporting

Option D: Triggered + Enabled Rules

  • Max score = enabled rules that could apply to this company
  • ✅ Use for: Different business types requiring different rule subsets
  • ✅ Example: Fintech startups vs. banks — different rules naturally apply, but still comparable within segments
  • 📊 Good for: Multi-vertical portfolios

Option E: Custom Fixed Value

  • You set max score (e.g., always 100)
  • ✅ Use for: External reporting, third-party integrations
  • ✅ Example: Board dashboards showing "45/100 risk score" or API integrations expecting 0-100 scale
  • 💡 Benefit: Simple, predictable, stakeholder-friendly

2. Percentage Thresholds

Define risk bands as percentages (e.g., 0-25% = Low, 26-50% = Medium).

3. Category Weights

Multiply scores from specific categories before calculating percentage.

Best Use Cases

  • Portfolio risk management: Compare 1,000+ customers fairly
  • Risk-based pricing: Insurance, lending where premiums scale with risk percentage
  • Benchmarking & analytics: "Our average customer scores 28%, industry average is 35%"
  • Dynamic rule environments: Frequently adding/removing rules
  • Cross-segment comparison: Comparing startups vs. enterprises fairly
  • Regulatory reporting: Need consistent metrics over time

Real scenario: A B2B SaaS platform onboards companies from 50+ countries. They use normalized scoring with "Enabled Rules Only" as max because:

  • Different jurisdictions trigger different rule sets
  • They need fair comparison across all customers
  • Monthly risk reports show percentage trends to the board
  • Compliance team adds new rules quarterly without breaking historical analysis
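
The three strategies above, run on this page's two worked examples, as an added Python example (not Ambriel's code or API; every function, parameter and mode name is illustrative). The three untriggered catalogue rules are constructed, and treating a rule set's maximum possible score as the sum of its rules' scores is an assumption; the modes stand for Options A, B, C and E.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    impact: int          # 1 (minor) .. 5 (critical)
    likelihood: int      # 1 (rare) .. 5 (very common)
    weight: float = 1
    enabled: bool = True

    @property
    def score(self):     # Rule Score = Impact x Likelihood x Weight
        return self.impact * self.likelihood * self.weight

def cumulative(triggered, cap=None):
    """Strategy 1: sum of triggered rule scores, optionally capped."""
    total = sum(r.score for r in triggered)
    return total if cap is None else min(total, cap)

def critical(triggered, min_score=0):
    """Strategy 2: highest triggered score; rules below min_score are noise."""
    return max((r.score for r in triggered if r.score >= min_score), default=0)

def percent(actual, max_score):
    """Strategy 3 formula; a zero maximum yields 0 instead of dividing."""
    return 0.0 if max_score <= 0 else min(100.0, 100 * actual / max_score)

def normalized(triggered, catalogue, mode="enabled", fixed_max=100):
    """Assumption: a rule set's maximum is the sum of its rules' scores."""
    pools = {"all": catalogue,                                # Option A
             "enabled": [r for r in catalogue if r.enabled],  # Option B
             "triggered": triggered}                          # Option C
    max_score = fixed_max if mode == "fixed" else sum(r.score for r in pools[mode])
    return percent(cumulative(triggered), max_score)

def classify(score, bands):
    """bands: ascending (lower_bound, label) pairs; highest bound reached wins."""
    return [label for lower, label in bands if score >= lower][-1]

# Worked examples from the page; CATALOGUE's three extra rules are constructed.
PROCESSOR = [Rule("Company less than 1 year old", 2, 3),
             Rule("Registered in high-risk country", 4, 4),
             Rule("Incomplete documentation", 2, 2)]
PROVIDER = [Rule("Small company (under 10 employees)", 2, 3),
            Rule("Ultimate beneficial owner is a PEP", 5, 5),
            Rule("Missing phone verification", 1, 2)]
CATALOGUE = PROCESSOR + [Rule("Sanctions match", 5, 5),
                         Rule("Missing social media handle", 1, 1),
                         Rule("Retired jurisdiction rule", 4, 3, enabled=False)]
SUM_BANDS = [(0, "Low"), (11, "Medium"), (26, "High"), (41, "Severe")]
MAX_BANDS = [(0, "Low"), (6, "Medium"), (16, "High"), (25, "Severe")]

if __name__ == "__main__":
    print({m: normalized(PROCESSOR, CATALOGUE, m) for m in ("all", "enabled", "triggered", "fixed")})
```

The same three triggered rules come out at 40.625%, 50%, 100% and 26% depending only on what "100%" is defined to be, which is why the maximum-score method has to be fixed and documented before percentages are compared.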

Quick Decision Guide

Choose your strategy based on your primary goal:

| If you need... | Choose | Why |
|---|---|---|
| Standard KYB screening for most businesses | Cumulative Risk | Balanced, intuitive, handles multiple signals well |
| Zero-tolerance for sanctions/PEPs/fraud | Critical Risk | Single red flag = immediate action |
| Compare thousands of diverse companies | Normalized Scoring | Fair percentages across different profiles |
| Regulatory reporting with consistent metrics | Normalized Scoring | Stable benchmarks over time |
| Automated approve/reject workflows | Cumulative Risk | Clear score thresholds for automation |
| Manual compliance review process | Critical Risk | Highlights worst-case scenarios for investigators |

Strategy Combinations

Advanced tip: Many organizations use different strategies for different purposes:

  • Onboarding: Cumulative Risk (for tiered approval workflows)
  • Ongoing monitoring: Critical Risk (to catch emerging red flags)
  • Portfolio reporting: Normalized Scoring (for executive dashboards)

Configuration Best Practices

1. Set Realistic Thresholds

Base your Low/Medium/High thresholds on operational capacity:

  • Low: Auto-approve or minimal review
  • Medium: Standard due diligence
  • High: Enhanced due diligence
  • Severe: Senior approval or reject

Example: If your team can handle 20 manual reviews daily, set thresholds so ~80% of companies fall in "Low."

2. Calibrate Using Real Data

Run your strategy on existing customers before going live:

  • What % fall into each risk tier?
  • Do high-risk classifications match your intuition?
  • Are obvious risks being caught?

3. Document Your Choices

Regulators expect you to explain your methodology:

  • Why this strategy?
  • How were thresholds determined?
  • What's your process for high-risk cases?

4. Review Quarterly

Risk landscapes change:

  • Are new fraud patterns emerging?
  • Did regulations update?
  • Is your rule set still relevant?

Important Notes

  • Strategies are flexible: Change anytime to match evolving needs
  • Audit trail preserved: Past assessments keep their original scores and strategy for compliance records
  • Rules run identically: Strategy only affects score calculation, not which rules trigger
  • Full transparency: Every assessment shows exactly which rules fired and their individual scores

Compliance Note: All three strategies are acceptable under current AML/KYC regulations. Your choice should align with your documented risk appetite and be consistently applied. Changes to scoring strategy should be documented with business justification.


Need Help Deciding?

Common starting point: Use Cumulative Risk with moderate thresholds. It's the most versatile and easiest to explain to stakeholders.

Then adjust if:

  • You're seeing too many false positives → Switch to Critical Risk or raise thresholds
  • You need better portfolio analytics → Switch to Normalized Scoring
  • Regulators want consistent metrics → Use Normalized with fixed max value

Your Ambriel support team can analyze your rule set and recommend optimal strategy configuration based on your industry and use case.