Back
Cayman compliance

What a Compliant Customer Risk Assessment Looks Like Under CIMA Rules in 2026

If you are an MLRO or compliance officer at a Cayman-regulated entity, the Customer Risk Assessment sits at the centre of every client relationship. This guide explains exactly what it must contain, how to structure your risk scoring methodology, and where most teams are still leaving gaps.

If you are an MLRO or compliance officer at a Cayman-regulated fund manager, fund administrator, or corporate service provider, the Customer Risk Assessment is the document that sits at the centre of every client relationship. Get it right, and you have a defensible, auditable record. Get it wrong — or produce something inconsistent across clients — and you are exposed during a CIMA inspection.

This guide explains exactly what a compliant CRA must contain under CIMA’s AML framework in 2026, how to structure your risk scoring methodology, what source of wealth documentation looks like in practice, and where most compliance teams are still leaving gaps.

Why the CRA Matters Under CIMA’s AML Framework

CIMA’s Anti-Money Laundering Regulations and the accompanying Guidance Notes set out a risk-based approach to client due diligence. The CRA is the practical output of that approach. It is not just a checklist — it is a reasoned, documented conclusion about the level of money laundering and terrorist financing risk a client presents, and a record of the steps taken to reach that conclusion.

CIMA expects regulated entities to apply enhanced due diligence to higher-risk clients and simplified due diligence where the risk is demonstrably low. Neither is defensible without a written CRA that shows your reasoning.

During inspections, CIMA examiners will look at whether your CRAs are consistent in structure, whether the risk scores are supported by evidence, and whether the documentation matches the risk rating assigned. A CRA that says “low risk” for a client with PEP connections and complex offshore structures will attract immediate scrutiny.

The Required Components of a CIMA-Compliant CRA in 2026

A compliant CRA is not a single form. It is a structured document that brings together multiple data points, applies your firm’s risk methodology, and records a final determination. Under CIMA’s current framework, a well-constructed CRA should contain the following components.

1. Client Identification and Verification

The CRA must record the full legal name, date of birth (for individuals) or date of incorporation (for entities), nationality or jurisdiction of incorporation, and registered address. This is the baseline — but it is not sufficient on its own.

For entities, you also need the full beneficial ownership structure, identifying any individual who holds 10% or more of the shares or voting rights, or who otherwise exercises control. Each beneficial owner should be individually identified and verified.

Verification means independent documentary evidence: a certified copy of a passport or national ID for individuals, and constitutional documents, certificates of incorporation, and register of members for entities.

2. Business Relationship and Purpose

CIMA requires that you understand the nature and intended purpose of the business relationship. This means documenting what the client intends to do with your services, the expected volume and nature of transactions or activity, and the source of the funds that will flow through the relationship.

Vague entries like “investment purposes” are not sufficient. A compliant CRA should specify the investment strategy, the fund structure, the expected subscription amounts, and where those funds originate.

3. PEP and Sanctions Screening

Every CRA must record the results of screening against relevant sanctions lists — at minimum OFAC, the EU Consolidated List, and the UN Security Council List — as well as PEP databases. The screening must be documented with the date it was conducted, the databases checked, and the result.

A clean result is not simply “no match found.” It should reference the specific lists checked and confirm that any potential matches were reviewed and determined to be false positives, with the reasoning recorded.

For PEPs, you need to document not just whether the individual is a PEP, but the nature of the political exposure, the jurisdiction, and whether it is a current or former position. Family members and close associates of PEPs must also be considered.

4. Adverse Media Screening

CIMA’s Guidance Notes require that you consider adverse information from publicly available sources. In practice, this means a structured search of adverse media — news sources, regulatory announcements, court records — and a documented record of what was found and how it was assessed.

This is one of the areas where manual processes most often fall short. A Google search is not a defensible adverse media check. You need a systematic, repeatable process that covers a defined set of sources and records the results.

5. Source of Wealth and Source of Funds

Source of wealth (SOW) and source of funds (SOF) are distinct concepts, and your CRA must address both for higher-risk clients.

Source of wealth refers to how the client accumulated their overall net worth — employment history, business ownership, inheritance, investment returns. Source of funds refers specifically to the origin of the money entering this particular relationship.

For standard-risk individual clients, a self-declaration supported by corroborating evidence (employment contract, tax returns, business accounts) is typically sufficient. For higher-risk clients — PEPs, clients from high-risk jurisdictions, clients with complex structures — you need independent verification of the SOW narrative.

For entities, SOW analysis should trace funds back through the corporate structure to the ultimate beneficial owner.

6. Risk Score and Rating

The CRA must produce a documented risk score and an overall risk rating: typically low, medium, or high. The score should be derived from your firm’s risk methodology, applying weighted factors across the relevant risk categories.

Standard risk factors include:

  • Client type — individual, corporate, trust, foundation, PEP, government entity
  • Jurisdiction — country of residence, nationality, jurisdiction of incorporation, and whether any of these appear on FATF grey or black lists
  • Product and service — the nature of the fund or service, whether it involves complex structures or high-risk asset classes
  • Delivery channel — whether the client was introduced by a regulated intermediary, onboarded directly, or referred through an unregulated third party
  • Transaction profile — expected activity, transaction volumes, and whether these are consistent with the client’s stated profile

Each factor should carry a defined weight in your methodology, and the final score should follow logically from the inputs. A CRA where the individual factors suggest elevated risk but the overall rating is “low” will not survive scrutiny.

7. Due Diligence Level Applied

The CRA must state clearly whether standard, simplified, or enhanced due diligence was applied, and why. If simplified CDD was applied, you need to document the basis — for example, that the client is a regulated entity in a FATF-equivalent jurisdiction. If enhanced CDD was applied, you need to document the additional measures taken.

8. Approval and Sign-Off

Every CRA should carry a clear record of who reviewed it, who approved it, and when. For higher-risk clients, CIMA expects senior management sign-off. The approval record should be part of the document itself, not a separate email chain.

9. Periodic Review Date

A CRA is not a one-time exercise. CIMA requires that you review client risk assessments on a periodic basis, and more frequently when there is a trigger event — a change in beneficial ownership, an adverse media alert, or a significant change in the client’s activity profile.

The CRA should record the date of the next scheduled review, and your compliance programme should have a process for flagging when reviews are due.

Where Cayman Compliance Teams Are Still Getting This Wrong

Even well-resourced compliance teams make the same mistakes. The most common gaps in CRAs produced under CIMA’s framework are:

Inconsistency across clients. When KYC is done manually by different team members, the structure and depth of CRAs varies. One client file has a detailed SOW narrative; another has a one-line entry. CIMA inspectors look for consistency, and gaps stand out.

Screening without documentation. Running a sanctions check and not recording the date, the lists checked, and the outcome is as problematic as not running the check at all. The CRA must show the work.

Risk scores that do not match the evidence. Assigning a low-risk rating to a client whose file contains PEP flags, high-risk jurisdiction indicators, and complex ownership structures is a red flag. The score must follow from the documented evidence.

SOW narratives that are not verified. Accepting a client’s self-declaration of source of wealth without corroborating evidence — particularly for high-net-worth individuals or PEPs — is a consistent finding in CIMA inspection reports.

Missing or overdue periodic reviews. Onboarding a client correctly and then never updating the CRA is a compliance failure. CIMA expects your programme to include a systematic review cycle.

How AI-Assisted Tools Are Changing CRA Production

The manual process of assembling a CRA — collecting documents, running checks across multiple platforms, consolidating results into a single document, and writing up the risk narrative — typically takes days. For a compliance team handling 50 to 200 new clients per year, that is a significant portion of available bandwidth.

AI-assisted KYC platforms are now able to run all of the required checks in parallel and return a consolidated, scored CRA in minutes rather than days. Tarth is built specifically for this workflow: it runs sanctions screening across OFAC, EU, and UN lists, PEP checks against World-Check, adverse media searches, and source of wealth analysis simultaneously, then outputs a single annotated CRA with cited sources, an overall risk score, and an approve or reject recommendation.

The output is designed to be filed directly. Each finding is cited, the risk scoring methodology is visible, and the document can be exported as a PDF for your compliance records. For compliance teams operating under CIMA’s framework, this means the CRA is not just faster to produce — it is more consistent and more defensible than one assembled manually across disconnected tools.

Tarth also supports configurable onboarding profiles, so you can build templates that reflect your firm’s specific risk methodology and the requirements of your CIMA licence category, and reuse them across client groups without rebuilding the process each time.

Structuring Your CRA Template for CIMA Compliance

If you are building or updating your CRA template, the structure below reflects what CIMA’s framework requires and what examiners expect to see.

Section 1: Client Identification
Full legal name, date of birth / incorporation, nationality / jurisdiction, registered address, identification documents obtained and verified.

Section 2: Beneficial Ownership
Full ownership structure, names and details of all beneficial owners above the 10% threshold, verification documents obtained.

Section 3: Business Relationship
Nature and purpose of the relationship, expected activity, investment strategy or service type.

Section 4: Screening Results
Sanctions screening — lists checked, date, result. PEP screening — database checked, date, result, nature of any exposure. Adverse media — sources checked, date, result, assessment of any findings.

Section 5: Source of Wealth and Source of Funds
SOW narrative with supporting evidence. SOF documentation. Assessment of consistency between stated profile and expected activity.

Section 6: Risk Assessment
Risk factors assessed, scores applied, overall risk rating, due diligence level applied and basis.

Section 7: Approval
Reviewer name and role, approver name and role (senior management sign-off for high-risk), date of approval.

Section 8: Review Schedule
Date of next periodic review, trigger events that would require earlier review.

Keeping Your CRA Programme Audit-Ready

A compliant CRA programme is not just about the documents themselves. It is about the process that produces them. CIMA examiners will look at your written AML policies and procedures, your staff training records, your risk appetite statement, and whether your CRAs are consistent with all of these.

A few practical steps that strengthen your programme:

  • Document your risk methodology explicitly, including the factors you assess and how you weight them. This should be in your AML policies, not just in the heads of your compliance team.
  • Run a sample review of your existing CRA files before your next inspection. Look for the gaps described above — inconsistency, missing screening records, unsupported risk ratings.
  • Set up a systematic review cycle with calendar reminders or workflow triggers for periodic CRA reviews.
  • Keep your screening current. A CRA produced at onboarding that has never been refreshed is a liability, particularly for clients in higher-risk categories.

A compliant CRA is the foundation of your AML programme. The standard CIMA expects is not just that you have one — it is that every CRA is consistent, evidence-based, and reflects a genuine risk assessment rather than a box-ticking exercise. If your current process makes that difficult to achieve at scale, it is worth looking at how the workflow can be tightened. Learn more at tarth.ai.

Frequently asked questions

What is a Customer Risk Assessment under CIMA rules?

A Customer Risk Assessment is a documented evaluation of the money laundering and terrorist financing risk that a client presents. Under CIMA’s AML Regulations, regulated entities must produce a CRA for each client that records the due diligence conducted, the risk factors assessed, the overall risk rating, and the due diligence level applied. It is the primary record of your firm’s compliance with the risk-based approach.

What must a CIMA-compliant CRA include in 2026?

A compliant CRA must include client identification and verification details, beneficial ownership information, the purpose and nature of the business relationship, results of sanctions and PEP screening, adverse media findings, source of wealth and source of funds documentation, a risk score and overall risk rating, the due diligence level applied, approval sign-off, and a scheduled review date.

How often do CRAs need to be reviewed under CIMA requirements?

CIMA requires periodic review of CRAs, with the frequency determined by the client’s risk rating. Higher-risk clients should be reviewed more frequently — typically annually or when a trigger event occurs. Trigger events include changes in beneficial ownership, adverse media alerts, or material changes in the client’s activity or circumstances.

What is the difference between source of wealth and source of funds in a CRA?

Source of wealth refers to how the client accumulated their overall net worth over time, such as through employment, business ownership, or inheritance. Source of funds refers specifically to the origin of the money entering the current business relationship. Both must be documented in the CRA, and for higher-risk clients, both should be independently verified rather than accepted on the basis of a self-declaration alone.

What happens if a CRA is incomplete or inconsistent during a CIMA inspection?

Incomplete or inconsistent CRAs are a common finding in CIMA inspections and can result in regulatory findings, remediation requirements, or enforcement action depending on the severity and pattern of the gaps. Examiners look specifically for CRAs where the risk score does not match the documented evidence, where screening records are missing, or where the programme lacks consistency across clients.

Can AI tools produce CRAs that meet CIMA’s requirements?

Yes, provided the tool runs the required checks against appropriate data sources, documents the results with cited evidence, applies a transparent risk scoring methodology, and produces output that can be reviewed, approved, and filed by a qualified compliance officer. The compliance officer remains responsible for the final determination — the tool accelerates and standardises the process, it does not replace professional judgement.

How does Tarth support CIMA KYC requirements?

Tarth runs sanctions, PEP, adverse media, and source of wealth checks in parallel and outputs a consolidated CRA with cited sources, a risk score, and an approve or reject recommendation. It supports configurable onboarding profiles aligned to CIMA’s framework and exports a PDF-ready document suitable for filing. It is built for compliance teams at fund managers, fund administrators, and CSPs operating in Cayman and other regulated jurisdictions.

Produce consistent, defensible CRAs at scale

Tarth runs the required checks simultaneously and outputs a single annotated CRA with cited sources, an overall risk score, and an approve or reject recommendation — in minutes rather than days. Tarth is in pre-launch.

Request early access