Case snapshot: risk on paper vs. risk in practice
Max, sitting at his desk in first-line compliance, leaned over the latest onboarding file. The automated tool had confidently stamped the customer as "low risk".
The case appeared simple on the surface: a local Portuguese retail business specializing in electronics import and resale, with no red flags regarding sanctions or adverse media. However, something felt amiss. Max reviewed the transactional forecasts, noting high monthly volumes, frequent payments to suppliers in Southeast Asia, and a dependence on cash settlements at delivery.
“If this is low risk, then I’m missing something,” Max muttered, his finger hovering over the "override" button. The system’s green light felt less like a sign of safety and more like a challenge. Every click to a new tab showed a picture that was different from the clean summary screen. He knew the model was designed to weigh geographic exposure heavily. Because the company’s headquarters were in the EU, the score tilted toward “safe”. However, the business model itself revealed a different reality, characterized by its cash-intensive nature, cross-border operations, and heavy reliance on suppliers.
Ella dropped by from the second line.
“You seem like there is something on your mind,” she said, peering over his shoulder. “The geography looks fine, but the inherent risk in the activity screams medium-to-high. Electronics imports are a well-known method for money laundering, representing a classic trade-based technique. This is due to the ease with which invoices can be manipulated, allowing for the movement of significant value without the actual exchange of physical goods.”
“The model says one thing, but the reality says another,” Max remarked as he wrote in the online case comments section.
“That is the value of the first line review. It isn’t about fixing models. It’s about catching what autocheck models miss,” Ella added with a smile.
Max updated the file, pushing for a manual override of the risk rating from low to medium. He could almost hear the system’s quiet protest.
Why it matters: first line is the sense-check
Customer risk ratings often blend automated scoring models with human review. But automation can create false comfort, particularly when:
- Geographic weighting overshadows sectoral and activity risks
- Business models are poorly mapped to risk taxonomies
- “Clean” adverse media checks are misinterpreted as low risk
- Volumes and patterns forecasted at onboarding don’t align with the declared profile
This is where the first line comes in. Max’s role isn’t just to click “approve” but to challenge the rating when the narrative doesn’t match the number.
The regulatory lens
Under the AMLR:
- Article 10 requires obliged entities to carry out a business-wide risk assessment to identify and mitigate money laundering and terrorism financing risks.
- Articles 19 and 25 outline the customer due diligence requirements, obliging institutions to verify customer identity and assess the purpose and nature of the business relationship.
This framework requires that institutions be able to justify their rating decisions to supervisors, demonstrating why a customer is rated low, medium, or high.
Final thought: the model is a tool, not a truth
In modern compliance, especially with the rise of AI and machine learning, it is important to realise that while automated systems can process vast amounts of data and identify patterns with incredible speed, they are not infallible and cannot replace human judgment.
Max's story perfectly illustrates this. The model, with its narrow focus on geographic risk, failed to see the story of a high-risk business model. By overriding the automated score, Max wasn't acting against the system; he was fulfilling his role as the human-in-the-loop, the final line of defense, who can connect the dots that a machine cannot.
As compliance professionals, we must understand our role and responsibilities in the bigger picture.