Training a KYC Risk Scorer: The Features That Make or Break It
Training a KYC Risk Scorer: The Feature Choices That Determine Whether It Works
Most conversations about KYC risk scoring start with the model. Gradient boosting or logistic regression, how many trees, which threshold. That conversation matters, but it usually isn't where a scorer succeeds or fails. It fails earlier, at the point where a real customer attribute gets turned into a number or a category the model can actually use. Two teams can use an identical algorithm and get very different results, simply because one encoded "country of residence" as a flat risk tier and the other encoded it as a continuous exposure score built from several underlying factors.
This matters because regulators are watching the encoding layer as closely as the model itself. The Financial Action Task Force's risk-based approach — the global standard nearly every AML programme is built on — explicitly names customer, geographic, product, and delivery-channel risk factors as the inputs institutions must weigh. Get the encoding of any one of those wrong, and the "risk-based" part of the approach breaks down, no matter how sophisticated the model layered on top of it is.
Why the Feature Layer Is the Real Bottleneck
A KYC risk scorer only ever knows what its features let it know. If a feature collapses a rich, ongoing status into a single onboarding-time label, the model inherits that blind spot permanently. Three feature choices tend to do the most damage when they're encoded carelessly.
Industry of Employment
Standard industry codes (SIC/NAICS-style classifications) are convenient, but they were built for statistical reporting, not fraud or ML/TF risk differentiation. Encoding a customer purely by industry code — rather than by the cash-intensity, ownership opacity, or transaction pattern that industry typically implies — turns a proxy into the risk driver itself, and bakes in whatever bias existed in the historical labels used to train the model.
Country of Residence
FATF's February 2025 update to Recommendation 1 added a qualifier stating that non-face-to-face relationships should only be treated as potentially higher-risk where appropriate mitigation measures have not been implemented — moving away from treating the channel itself as an automatic risk flag. A model that still encodes geography or onboarding channel as a flat, static tier risks working against that shift rather than with it.
Ownership Structure
FATF Recommendation 10 treats complex or opaque ownership — nominees, bearer shares, layered corporate structures — as a distinct risk factor from country or industry. Encoding "number of beneficial owners" as a simple count misses the actual risk signal, which is structural opacity: how many layers separate the customer from the natural person who ultimately controls it.
What Regulators Are Actually Watching
The UK's Financial Conduct Authority has been unusually direct about where model risk actually sits. Its research note on bias in supervised machine learning found that bias can enter a model at any stage — from how the problem is framed, to whether the training data represents the full customer base, to how individual features are encoded. Firms relying on third-party or transfer-learned models face an added challenge here, since the encoding decisions were made outside their own oversight.
The FCA has also linked this directly to its Consumer Duty: a risk scorer that embeds or amplifies bias through poorly chosen features can produce systematically worse outcomes for particular groups of customers, which is a conduct issue as much as a model-performance one. That reframes feature engineering from a technical decision into a governance one — someone needs to be able to explain, in plain terms, why a given feature is encoded the way it is, and what risk it is actually meant to capture.
For every feature in a KYC risk scorer, ask: does this encoding capture the underlying risk, or does it capture a proxy that correlates with a protected characteristic or a static assumption regulators have already moved away from? If the answer isn't documented, the model isn't ready for production.
Building Features That Hold Up
None of this argues against using industry, geography, or ownership data — they're genuinely predictive and FATF requires institutions to consider all three. The difference between a scorer that works and one that quietly discriminates is usually in the encoding step: using continuous, evidence-based indicators instead of static tiers, documenting why each feature is included, and revisiting encodings as guidance like FATF's 2025 amendments shift what "proportionate" actually means. A model built on well-reasoned features is also simply easier to defend to a supervisor — which, in a risk-based regime, is most of the point.
Sources referenced:
Financial Action Task Force (FATF), Recommendations 1 and 10, and the February 2025 update to Recommendation 1 on proportionality and financial inclusion, fatf-gafi.org
Financial Conduct Authority (FCA), Research Note on bias in supervised machine learning (2024–2025) and joint Bank of England/FCA survey on AI and machine learning in UK financial services, fca.org.uk
Registered at District Court Munich HRB 302338
VAT ID DE454846466 | nanoacademy@ai-thea.com