A Customer Risk Assessment (CRA) is the documented assessment, required by §6 of the AML/CFT Code, that estimates the money-laundering, terrorist-financing and proliferation-financing risk a particular customer poses to your business. It is not a know-your-customer checklist and it is not optional for older clients: a documented CRA is required for every customer, regardless of when the relationship began, and its reviews must be recorded. The Code is explicit on timing — the CRA must be undertaken before you establish the business relationship or carry out an occasional transaction, with no concession of the kind allowed for identity verification. A defensible CRA does three things: it draws on your Business Risk Assessment (BRA), it weighs the specific risk factors the Code sets out, and it stays alive as customer due diligence (CDD) reveals more. Get those three right and your CRA holds up under supervision. Treat it as a form to file once and it does not.
That last point is the one firms most often get wrong: the regulator is not looking for a tidy form, but for evidence that you understood this customer's risk and acted on it.
What is a Customer Risk Assessment?
Code §6(1) sets the duty in one line: "A relevant person must carry out an assessment that estimates the risk of ML/FT/PF posed by the relevant person's customer." That is the whole purpose of the CRA — to reach a reasoned, evidenced view of how much risk a specific customer brings, so that everything downstream is calibrated to it. The rating you reach (lower, standard or higher) is not an end in itself; it determines the extent of the CDD you apply, whether enhanced or simplified measures are appropriate, and how closely you monitor the relationship from then on.
Two features make the CRA a real obligation rather than a tick-box. First, it must be documented — a risk rating with no recorded reasoning behind it is not a CRA the Authority can rely on, and it is not one you can defend. Second, it applies to every customer, regardless of when the relationship was established. Firms sometimes assume legacy clients onboarded years ago sit outside the requirement; they do not. Where a documented CRA was never produced, or cannot be found, that is a gap to close, and the reviews you carry out on it must themselves be recorded.
This is the same evidence-led discipline that runs through the whole AML/CFT framework: the assessment is only worth as much as the reasoning you can show for it.
When must you do a CRA?
Before you act. Code §6(2)(a) requires the CRA to be undertaken before establishing a business relationship or carrying out an occasional transaction. There is no timing concession here. The Code does, in defined circumstances, allow identity verification to be completed shortly after a relationship begins — but that latitude does not extend to the CRA. You need a view of the customer's risk in place before you commit to the relationship, because that view is what tells you how much due diligence to do in the first place.
The reason is practical, not bureaucratic. If you onboard first and assess later, you have already taken on a risk you had not measured, with no basis for deciding whether standard CDD was enough or whether enhanced measures were needed. Doing the CRA up front is what lets the rest of the onboarding be proportionate to the customer in front of you rather than a generic default.

The risk factors the Code requires you to weigh
Code §6(3) does not leave the assessment to instinct. It requires you to have regard to all relevant factors, and it names them. The first is your own Business Risk Assessment — the CRA must be read against the BRA, and the National Risk Assessment should inform each one, so that the risks your firm has already identified at business level flow down into how you read each customer. The relationship runs both ways: patterns you see across your CRAs should feed back up into the BRA. Next comes the nature, scale, complexity and location of the customer's activities — a simple local sole trader and a multi-jurisdictional structure are not the same risk, and the Code expects you to say why. You must also weigh the manner in which your products and services are provided to that customer, because the delivery channel itself carries risk.
The fourth factor pulls in the higher-risk matters set out in §15(5) and (7), and this is where most of the substantive risk sits. These include customers connected to higher-risk jurisdictions (the List A and List B countries), politically exposed persons, structures involving nominee shareholdings or bearer shares, higher-risk products, high-net-worth individuals, certain legal arrangements, and relationships established without meeting the customer face to face. A short illustration helps: a high-net-worth client, holding through a legal arrangement, with a connection to a List B jurisdiction, onboarded remotely, is carrying several of these factors at once — and the CRA has to register and reason about each, not net them off into a single comfortable rating.
The remaining factors complete the picture. You must consider any third-party involvement or reliance in the relationship, including where you are relying on another party's CDD; any assessment carried out under §9(4); and, finally, whether your firm and the customer have actually met. Most of this belongs in prose, not a spreadsheet — the Code is asking for a reasoned judgement across these factors, and a judgement is something you write down and explain, not something a tick-box captures.
The point of working through them deliberately is that the resulting rating is traceable. Anyone reviewing it — your MLRO, your auditor, a supervisor — can see which factors drove it.
We help Isle of Man firms turn that list of factors into CRAs that actually hold up when someone reads them.
The CRA is a living document
The Code's own framing is that the CRA and CDD sit in a continuous feedback loop. Your initial CDD gives you enough to form an initial CRA; that initial rating then determines how much further CDD you do, whether enhanced or simplified measures apply, and the extent of ongoing monitoring; and what that monitoring then surfaces feeds back into the CRA. The assessment is not a snapshot taken at onboarding and archived. As the Handbook puts it, the CRA must be viewed as a living document.
This is the same thesis that runs through the AML/CFT statistical return and the BRA: a compliance artefact you file and forget is not evidence of anything. A CRA that has not moved in three years, on a customer whose circumstances clearly have, is a finding waiting to happen. The discipline is reconciliation — the BRA informing the CRA, the CRA driving the CDD, the monitoring updating the CRA, and the whole loop being reflected in the firm-level data you report. We have written before about the evidence behind your BRA and how the statistical return demonstrates that your framework is working; the CRA is where that same logic meets the individual customer. If your CRAs do not reconcile to the risk picture in your BRA, one of the two is wrong.

Keeping CRAs and the BRA reconciled is exactly the kind of thing that drifts when nobody owns it.
Higher-risk customers are allowed — undocumented risk is not
A higher-risk rating is not a verdict that a customer is a money launderer, and a lower-risk rating does not mean no risk at all. The Code's logic is about calibration, not exclusion. There is no regulatory bar to taking on a higher-risk customer, provided your procedures demonstrably manage and mitigate that risk and the enhanced customer due diligence (ECDD) requirements are met. A sound approach is to start each assessment from a position of higher risk and let the CRA bring it down only as far as the evidence justifies — the opposite of defaulting everyone to "low" and looking for reasons to stay there.
What is not permitted is undocumented risk. The failure the Authority cares about is not that you onboarded a higher-risk customer; it is that you did so without assessing the risk, without recording why your mitigation was adequate, or without applying the ECDD that the rating demanded. Where a customer is a politically exposed person, for instance, the framework is specific: PEPs are dealt with under Code §14, with the Handbook's treatment at §3.8.8 setting the expectation for source-of-funds and source-of-wealth rigour. Taking on that customer is allowed; doing it without the §14 measures and a documented CRA that explains them is not.
This is the practical heart of an evidence-led approach. The firms that get into difficulty are rarely the ones with higher-risk clients on the book — they are the ones who cannot show their reasoning for accepting them.

Common mistakes we see
The most common is the static CRA: an assessment produced at onboarding and never revisited, even as the customer's activity, ownership or jurisdiction changes. The second is the generic template — a CRA that records a rating but no customer-specific reasoning, so it reads identically for every client and proves nothing about any of them. The third is ignoring the BRA and NRA: a CRA that does not connect to the firm's own business risk assessment is assessing the customer in a vacuum, missing the §6(3)(a) requirement entirely. And the fourth is unrecorded reviews — firms that do, in practice, revisit risk but keep no record of having done so, leaving themselves with no evidence when it is asked for.
Each of these is fixable, and the fix is the same in every case: make the reasoning explicit, keep it current, and tie it back to the firm-level picture. For the wider compliance context these assessments sit within, our overview of the April 2026 AML/CFT Handbook sets out how the BRA, CRA and the rest of the framework fit together.
We review CRAs that have drifted, and rebuild them into something a supervisor will recognise as evidence.
Frequently asked questions
Do older customers need a documented CRA?
Yes. Code §6 requires a documented CRA for every customer regardless of when the relationship was established. Legacy clients onboarded before your current process was in place are not exempt — where a documented assessment was never produced, that is a gap to close, and any reviews you carry out must be recorded.
When must a Customer Risk Assessment be done?
Before you act. Code §6(2)(a) requires the CRA to be undertaken before establishing the business relationship or carrying out an occasional transaction. Unlike identity verification, which can in defined circumstances be completed shortly after onboarding, the CRA carries no timing concession — you need the risk view in place before you commit.
Can we take on a higher-risk customer?
There is no regulatory bar, provided your procedures demonstrably manage and mitigate the risk and the enhanced due diligence (ECDD) requirements are met. A higher-risk rating does not mean the customer is a launderer. What is not permitted is accepting that customer without a documented assessment and the measures the rating demands — for a politically exposed person, for example, the requirements under Code §14.
How is the CRA connected to the BRA?
Code §6(3)(a) requires each CRA to have regard to the Business Risk Assessment, with the National Risk Assessment informing it too. The relationship is a feedback loop: the BRA shapes how you read individual customers, and the patterns across your CRAs should feed back into the BRA. If your CRAs do not reconcile to your firm-level risk picture, one of the two needs revisiting.
