What a Customer Risk Assessment document must contain
A Customer Risk Assessment (CRA) is the document that records, evidences, and justifies a firm’s decision to establish — or decline — a business relationship with a client. It is not a checklist confirming that steps were performed; it is a reasoned file that a regulator can pick up cold and follow from evidence to conclusion. A complete CRA contains six elements.
Client identity. The verified identity of the natural person, or of each natural person standing behind a legal entity, together with the specific evidence documents relied upon — passport, proof of address, corporate registry extract, ownership chain.
Sanctions, PEP, and adverse media screening results. Each check performed, the lists and sources searched, and the result — clear, hit, or false-positive cleared — with the underlying evidence attached, not just a pass/fail flag.
Source-of-wealth narrative. An account of how the client accumulated the assets being invested or transacted, corroborated by supporting documents such as payslips, business records, or distribution statements. This is the section examiners scrutinise most closely, because a narrative without corroboration is an assertion, not evidence.
Risk rating. An overall client risk classification — low, medium, or high — derived transparently from the individual module scores, not assigned as a standalone judgment call.
Regulatory basis. The specific rule each section is written to satisfy, whether that is FATF Recommendation 10, a local AML regulation, or a jurisdiction-specific rulebook provision.
MLRO sign-off space. A record of the compliance officer’s review, questions raised, and approval decision.
Under FATF Recommendation 10 and most national AML frameworks built on it, this documentation must be assembled before a business relationship is established and retained for a minimum of five years. A CRA that is missing any of the six elements above is incomplete by the standard a regulator will apply on examination.
Why manual CRA assembly is a compliance liability
Most compliance teams still assemble the CRA by hand: an analyst runs each check separately, pastes results into a template, and writes the narrative sections themselves. This produces five recurring problems.
Inconsistency. Different analysts apply different evidence standards to the same risk factors, so two files for comparable clients can look materially different in depth and rigour.
Speed. Assembling a complete CRA manually typically takes 4–8 hours for an individual client and 2–4 days for a corporate client with multiple natural persons to screen.
Gaps. Source-of-wealth corroboration is the section most often under-documented, precisely because it is the most time-consuming to do properly.
Audit risk. If a file cannot be reconstructed from contemporaneous records at the time of the decision, the MLRO has no defence on examination — a reconstructed rationale carries far less weight than one produced at the point of decision.
Scale. As onboarding volume grows, manual assembly becomes the bottleneck that delays revenue, forcing a choice between hiring more analysts or slowing client acquisition.
What automated CRA generation actually does
“Automated CRA” is used loosely across the market, and the label covers three genuinely different categories of tool.
Workflow tools — form portals and checklist platforms — collect documents and track task completion, but leave the actual analysis and write-up to a human. They automate paperwork, not judgment.
Screening platforms — identity verification and watchlist tools — check identity and run sanctions or PEP screens, but do not write the CRA. They produce raw results that still need to be interpreted, narrated, and assembled into a file.
AI reasoning agents, such as Tarth, sit a level above both: they receive the inputs, run all the checks, reason through the evidence, and produce a complete written CRA with citations — ready for MLRO review without manual assembly in between. This is the distinction that matters when evaluating a tool against the word “automatic”: does it remove the analysis step, or only the paperwork around it?
How Tarth generates a Customer Risk Assessment automatically
Tarth’s workflow is built to take a case from intake to MLRO-ready file without manual assembly at any point.
1. The compliance team configures an onboarding profile — the KYC modules required, the jurisdiction, and the risk matrix that applies.
2. The client provides identity documents and source-of-wealth evidence.
3. Tarth runs identity verification (via a selectable third-party provider), sanctions screening, PEP screening, adverse media screening, and source-of-wealth analysis in parallel.
4. For each check, the agent states the result, explains the reasoning behind it, and cites the specific source document or database entry it relied on.
5. Risk scores are calculated per module and aggregated into an overall risk rating.
6. A structured CRA document is output — per natural person, written in narrative form, fully cited, with every module recorded.
7. The MLRO reviews the file, asks any questions the agent’s output surfaces, and approves or escalates.
Total time: under 10 minutes per natural person — against 4–8 hours manually. Tarth has onboarded 900 individuals since August 2025 across ADGM, DIFC, the Cayman Islands, BVI, Singapore, and Mauritius, and is ISO 27001 certified with GDPR and UAE PDPL-aligned data handling.
What to look for in an automated CRA tool
Not every product marketed as CRA automation clears the bar. Five questions separate genuine automation from a screening dashboard with extra branding.
Does it produce a full written CRA, or just a screening result that still needs to be written up?
Are conclusions cited to the specific evidence and the specific rule they satisfy, or presented as an unexplained score?
Does it cover the regulatory requirements of your actual operating jurisdiction, rather than a generic template?
Can the MLRO review, question, and sign off within the platform itself, rather than exporting the file elsewhere?
Is the file audit-ready as produced — can you hand it to a regulator without additional annotation, or does someone still need to fill in the gaps?
A tool that answers yes to all five removes the bottleneck of manual assembly rather than simply rearranging where the manual work happens.
Frequently asked questions
Is an automatically generated CRA legally valid for AML compliance?
An automatically generated CRA is legally valid if it satisfies the substantive requirements of the applicable AML framework — complete evidence, documented methodology, and MLRO sign-off. The obligation under FATF Recommendation 10 and national frameworks is to apply customer due diligence and document it, not to produce the documentation manually. Tarth’s output is designed to satisfy the documentation standard for ADGM, DIFC, Cayman Islands, BVI, Singapore, and Mauritius.
What happens if the automated CRA flags a high-risk client?
When Tarth’s risk assessment produces a high-risk rating, the output file documents the specific factors driving the rating — the PEP connection, the adverse media match, the source-of-wealth gap, or the jurisdictional risk. The MLRO reviews these factors and determines whether enhanced due diligence is required, whether to proceed with additional controls, or whether to decline the relationship. Tarth produces the evidence; the MLRO makes the decision.
How long does Tarth take to generate a CRA?
Tarth produces a citation-backed Customer Risk Assessment for a natural person in under 10 minutes. This compares with a manual process that typically takes 4–8 hours for an individual client and 2–4 days for a corporate client with multiple natural persons to screen.
Does the CRA cover source-of-wealth analysis?
Yes. Source-of-wealth analysis is a core module in Tarth’s CRA output. The agent analyses the corroborating documents provided (employment records, financial statements, distribution records) against the declared wealth narrative, notes any gaps or inconsistencies, and produces a written source-of-wealth section with citations. This is one of the most time-consuming sections to write manually and one of the areas most scrutinised in regulatory examinations.
Which financial services firms need a Customer Risk Assessment?
Any firm operating under an AML/CFT regulatory framework that requires customer due diligence — which includes banks, fund managers, corporate service providers, trust and company service providers, fintechs, family offices, law firms handling client money, and accountancy practices in regulated jurisdictions. In ADGM, DIFC, the Cayman Islands, BVI, Singapore, and Mauritius, a documented CRA is a regulatory requirement for all new client relationships.