Jul 7

Training a KYC Risk Scorer: The Features That Make or Break It

Fraud & Financial Crime

Training a KYC Risk Scorer: The Feature Choices That Determine Whether It Works

Industry of employment, country of residence, ownership structure. How each one gets encoded shapes what the model can and cannot tell apart — long before anyone tunes a single hyperparameter.

Most conversations about KYC risk scoring start with the model. Gradient boosting or logistic regression, how many trees, which threshold. That conversation matters, but it usually isn't where a scorer succeeds or fails. It fails earlier, at the point where a real customer attribute gets turned into a number or a category the model can actually use. Two teams can use an identical algorithm and get very different results, simply because one encoded "country of residence" as a flat risk tier and the other encoded it as a continuous exposure score built from several underlying factors.

This matters because regulators are watching the encoding layer as closely as the model itself. The Financial Action Task Force's risk-based approach — the global standard nearly every AML programme is built on — explicitly names customer, geographic, product, and delivery-channel risk factors as the inputs institutions must weigh. Get the encoding of any one of those wrong, and the "risk-based" part of the approach breaks down, no matter how sophisticated the model layered on top of it is.

Why the Feature Layer Is the Real Bottleneck

A KYC risk scorer only ever knows what its features let it know. If a feature collapses a rich, ongoing status into a single onboarding-time label, the model inherits that blind spot permanently. Three feature choices tend to do the most damage when they're encoded carelessly.

Feature 1

Industry of Employment

Standard industry codes (SIC/NAICS-style classifications) are convenient, but they were built for statistical reporting, not fraud or ML/TF risk differentiation. Encoding a customer purely by industry code — rather than by the cash-intensity, ownership opacity, or transaction pattern that industry typically implies — turns a proxy into the risk driver itself, and bakes in whatever bias existed in the historical labels used to train the model.

Feature 2

Country of Residence

FATF's February 2025 update to Recommendation 1 added a qualifier stating that non-face-to-face relationships should only be treated as potentially higher-risk where appropriate mitigation measures have not been implemented — moving away from treating the channel itself as an automatic risk flag. A model that still encodes geography or onboarding channel as a flat, static tier risks working against that shift rather than with it.

Feature 3

Ownership Structure

FATF Recommendation 10 treats complex or opaque ownership — nominees, bearer shares, layered corporate structures — as a distinct risk factor from country or industry. Encoding "number of beneficial owners" as a simple count misses the actual risk signal, which is structural opacity: how many layers separate the customer from the natural person who ultimately controls it.

75% Of UK financial firms already use AI or ML, per the Bank of England and FCA's third joint survey (published November 2024, still the most recent edition)
Feb 2025 FATF amends Recommendation 1, adding proportionality language and qualifying the non-face-to-face risk assumption
34% Of firms report "complete understanding" of the AI models they use, per the same 2024 survey — the rest have only partial visibility

What Regulators Are Actually Watching

The UK's Financial Conduct Authority has been unusually direct about where model risk actually sits. Its research note on bias in supervised machine learning found that bias can enter a model at any stage — from how the problem is framed, to whether the training data represents the full customer base, to how individual features are encoded. Firms relying on third-party or transfer-learned models face an added challenge here, since the encoding decisions were made outside their own oversight.

The FCA has also linked this directly to its Consumer Duty: a risk scorer that embeds or amplifies bias through poorly chosen features can produce systematically worse outcomes for particular groups of customers, which is a conduct issue as much as a model-performance one. That reframes feature engineering from a technical decision into a governance one — someone needs to be able to explain, in plain terms, why a given feature is encoded the way it is, and what risk it is actually meant to capture.

The practical test

For every feature in a KYC risk scorer, ask: does this encoding capture the underlying risk, or does it capture a proxy that correlates with a protected characteristic or a static assumption regulators have already moved away from? If the answer isn't documented, the model isn't ready for production.

Building Features That Hold Up

None of this argues against using industry, geography, or ownership data — they're genuinely predictive and FATF requires institutions to consider all three. The difference between a scorer that works and one that quietly discriminates is usually in the encoding step: using continuous, evidence-based indicators instead of static tiers, documenting why each feature is included, and revisiting encodings as guidance like FATF's 2025 amendments shift what "proportionate" actually means. A model built on well-reasoned features is also simply easier to defend to a supervisor — which, in a risk-based regime, is most of the point.

Sources referenced:

Financial Action Task Force (FATF), Recommendations 1 and 10, and the February 2025 update to Recommendation 1 on proportionality and financial inclusion, fatf-gafi.org

Financial Conduct Authority (FCA), Research Note on bias in supervised machine learning (2024–2025) and joint Bank of England/FCA survey on AI and machine learning in UK financial services, fca.org.uk

Disclaimer & Copyright

This article is published by AITHEA GmbH for informational and educational purposes only. It is intended to provide general insights into compliance, technology, and related topics, and does not constitute legal, regulatory, or professional advice. Readers should seek appropriate professional guidance before making decisions based on the content provided.

The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official position of AITHEA GmbH, its partners, or affiliated organisations.

Artificial intelligence (AI) tools are actively used in the creation of this content. AI may support the drafting of text and the improvement of structure, clarity, and readability. However, all content is based on human-defined topics, reviewed against relevant sources, and critically validated by the author(s). AI is not used as a source of truth, but as a supporting tool to enhance communication.

All content is the intellectual property of AITHEA GmbH unless otherwise stated. Reproduction, distribution, or translation for non-commercial purposes is permitted, provided that appropriate credit is given and the source is clearly acknowledged. For any commercial use, prior written permission is required. © Aithea, 2026.
Created with