Risk-based approach: building a risk matrix


I have been building COREDO since 2016 as a place where entrepreneurs receive not only company registration and licenses but a comprehensive risk management strategy. During this time the COREDO team has implemented projects in the EU, the United Kingdom, the Czech Republic, Slovakia, Cyprus, Estonia, Singapore and Dubai, and has seen a common pattern: sustainable international growth is impossible without a risk-based approach (RBA) embedded in registration, licensing, AML compliance and operational management.

My practical focus is to make the company's risk management understandable to the owner and measurable for the CFO. To do this I rely on a risk matrix, a clearly stated risk appetite, KYC/CDD/EDD procedures and automated transaction monitoring. Our experience at COREDO has shown that a properly configured risk matrix shortens time to market (TTM) when entering a new jurisdiction, lowers the cost of AML controls and increases the trust of regulators and banking partners.

Risks of international company registration


Registering in the EU, Singapore, the United Kingdom or Dubai is a strategic decision, not a formality. I look at a jurisdiction through the lens of business risk assessment: the regulatory regime (AMLD5/AMLD6 in the EU, EBA guidelines, FATF standards and Wolfsberg Group guidance), the transparency of beneficial ownership registers, substance requirements, taxation, currency and cross-border risks, and GDPR whenever client data is processed.
COREDO's practice confirms the value of assessing commercial and regulatory risk before incorporation rather than after. For example, when launching a payments business in the United Kingdom we calculate in advance the impact of FCA requirements for safeguarding, governance and KYC/CDD; for Singapore, the MAS AML/CFT standards and MPI/SPI licensing. For Cyprus (CySEC) the criteria for forex dealers matter; for Estonia, the current requirements for VASPs and substance; for Dubai, VARA's framework for virtual assets.

AML Compliance: from KYC/CDD to onboarding


Strong AML compliance is not a brake on sales but a tool for safe growth. At COREDO we build the KYC and CDD policy around risk-based client segmentation: low-risk and high-risk clients receive different verification scenarios, different transaction monitoring rules and different SLAs. I always include in the scope:
  • client identification and verification (e-KYC, biometrics, document verification and checks against trusted registers);
  • verification of ultimate beneficial owners (UBO), including complex ownership structures and structures designed to obscure ownership (shell companies);
  • PEP screening and screening against sanctions lists (OFAC, EU, UN), with sanctions controls kept current through regular list updates;
  • source of funds and source of wealth, as well as assessment of counterparty and third-party risk (vendor due diligence).

The key to effectiveness is embedding the RBA in the AML processes themselves.

I apply risk scoring at onboarding, define the rules for segmenting clients by risk and determine where Enhanced Due Diligence (EDD) is required. For high-risk clients I strengthen monitoring, activate scenarios for layering, structuring and smurfing, increase the frequency of profile reviews and expand the list of required documents.

Risk-based approach to onboarding

I start with a risk heat map for the product line and geography. Then I form rules:

  1. initial assessment of the client’s profile (inherent risk): country, industry, product, onboarding channel, type of transactions;
  2. assessment of control effectiveness: data quality, verification, sanctions filters, triggers;
  3. calculation of residual risk, determination of the level of checks (CDD or EDD), configuration of limits and thresholds.
The solution developed at COREDO synchronizes risk scoring with front-end onboarding and transaction monitoring, which closes the gap between what sales promises and what AML actually requires.

Risk matrix: building and calibration


The risk matrix is an operational management model, not a "check-the-box" document. I combine qualitative and quantitative methods: interval scales for risk factors (country, product, channel, client), a points-based risk scoring system, weighted ranking of risks and a risk heat map for visualization. I separate inherent risk from residual risk so that the effect of controls is visible and improvements can be prioritized.
When building the matrix I align it with the risk appetite at board level. Then I define segmentation rules, KRIs and threshold values for the automated monitoring rules. The COREDO team sets and tunes thresholds to reduce false positives without creating blind spots, taking into account the cost of each kind of error: a false positive costs analyst time, a false negative costs a missed case and regulatory exposure.

Risk matrix for a legal entity in the EU

I use sources: requirements of AMLD5/AMLD6, EBA guidelines, local FIU rules, Wolfsberg practices. I define the risk taxonomy: customer, product, geographic, distribution channels, operational and regulatory. I assess probabilities and impact using probabilistic models and scenario analysis, and include stress-testing for high-risk segments.

Next comes scaling of each factor. For example: country by the FATF lists and local lists, industry by the historical frequency of incidents, product by its level of anonymity and speed of funds turnover, channel by the presence or absence of controls. The result is a risk heat map, approved thresholds for CDD/EDD and a review frequency for client profiles.

Risk matrix for an international group

In an international group I keep common principles with local adaptation. The group level sets the baseline risk appetite and minimum KYC/CDD/EDD standards. Subsidiaries in Estonia and Cyprus inherit the matrix but receive local weights and data sources. In the UK I add the FCA's emphases, in Singapore those of MAS, in Dubai those of VARA. This model preserves comparability of metrics across entities while covering multi-jurisdictional risk.

Client risk scoring and residual risk

I set the formula:

Risk Score = Σ(weight_i × factor_i)

where factor_i are the factor values for country, product, channel, customer profile, counterparties and transactional patterns, each normalized to the same scale (otherwise a factor with a wider range silently dominates the sum), and weight_i is its approved contribution. For residual risk I apply the model:

Residual Risk = Inherent Risk × (1 − Control Effectiveness)

where Control Effectiveness is a fraction between 0 (the control mitigates nothing) and 1 (the control fully mitigates the risk). It is estimated from backtesting results: precision, recall and the false positive rate (FPR) of the monitoring rules.

I use Explainable AI so that the model's reasoning holds up in an audit: every score must be traceable to the factors that produced it. The COREDO team calibrates the model by comparing ROC/AUC and the alerting economics, and optimizes thresholds taking into account the cost of errors and the available investigation resources.

Thresholds for moving a client into high risk

I rely on the risk appetite and on operational capacity. Above the critical threshold the client moves into the elevated-risk segment and receives EDD: an expanded document package, in-depth analysis of source of wealth, additional sanctions and PEP checks, limits and enhanced monitoring. For low-risk clients the thresholds are softer and the SLAs shorter, but transactional anomalies are still monitored.
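The following Python block is an added illustration of the three-step onboarding procedure (inherent risk, control effectiveness, residual risk and the CDD/EDD decision) and of the two formulas above; it is not COREDO's code. The factor scales, weights, thresholds and backtest counts are constructed assumptions, not values from the article. The `explain` function returns per-factor contributions so that a score can be justified to an auditor, as the Explainable AI paragraph requires.

```python
"""Client risk scoring, residual risk and CDD/EDD segmentation.

Added example for the formulas in this section; not COREDO's code.
All scales, weights, thresholds and backtest numbers are assumptions.
"""
from dataclasses import dataclass

# Each factor is mapped to a value in [0, 1], higher = riskier.
# Assumption: ordinal buckets; country buckets follow the FATF-list
# logic in the text, the numbers themselves are illustrative.
COUNTRY_RISK = {"low": 0.1, "medium": 0.4, "high": 0.8, "fatf_blacklist": 1.0}
PRODUCT_RISK = {"basic_account": 0.2, "card": 0.3, "crypto_exchange": 0.9}
CHANNEL_RISK = {"face_to_face": 0.1, "video_ekyc": 0.3, "non_face_to_face": 0.7}
PROFILE_RISK = {"individual": 0.2, "sme": 0.4, "complex_structure": 0.9}

# Weights are required to sum to 1 so the score stays in [0, 1] (assumption).
WEIGHTS = {"country": 0.30, "product": 0.25, "channel": 0.15, "profile": 0.30}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1"

# Segment boundaries on the residual-risk scale (assumption).
EDD_THRESHOLD = 0.35   # above this the client receives EDD
LOW_THRESHOLD = 0.15   # below this the client is in the low-risk segment


@dataclass(frozen=True)
class Client:
    client_id: str
    country: str
    product: str
    channel: str
    profile: str


def factor_contributions(c: Client) -> dict:
    """weight_i x factor_i for every factor; a KeyError here means an
    unmapped value, which must not silently score as zero."""
    return {
        "country": WEIGHTS["country"] * COUNTRY_RISK[c.country],
        "product": WEIGHTS["product"] * PRODUCT_RISK[c.product],
        "channel": WEIGHTS["channel"] * CHANNEL_RISK[c.channel],
        "profile": WEIGHTS["profile"] * PROFILE_RISK[c.profile],
    }


def inherent_risk(c: Client) -> float:
    """Risk Score = sum(weight_i x factor_i), before any controls."""
    return round(sum(factor_contributions(c).values()), 4)


def explain(c: Client) -> list:
    """Factors ordered by contribution, largest first (audit evidence)."""
    return sorted(factor_contributions(c).items(), key=lambda kv: kv[1], reverse=True)


def control_effectiveness(tp: int, fp: int, fn: int) -> dict:
    """Derive control effectiveness from backtesting counts.
    Assumption: effectiveness := recall, the share of known bad cases the
    controls actually caught. Precision is returned for alert economics."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall, "effectiveness": recall}


def residual_risk(inherent: float, effectiveness: float) -> float:
    """Residual Risk = Inherent Risk x (1 - Control Effectiveness)."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("control effectiveness must be a fraction in [0, 1]")
    return round(inherent * (1.0 - effectiveness), 4)


def segment(residual: float) -> str:
    if residual > EDD_THRESHOLD:
        return "high:EDD"
    if residual < LOW_THRESHOLD:
        return "low:CDD"
    return "standard:CDD"


def assess(c: Client, effectiveness: float) -> dict:
    inh = inherent_risk(c)
    res = residual_risk(inh, effectiveness)
    return {"client_id": c.client_id, "inherent": inh, "residual": res,
            "segment": segment(res), "top_factor": explain(c)[0][0]}


if __name__ == "__main__":
    # Constructed backtest: 40 true hits, 160 false alerts, 40 missed cases.
    ce = control_effectiveness(tp=40, fp=160, fn=40)
    for client in [
        Client("C-001", "low", "basic_account", "face_to_face", "individual"),
        Client("C-002", "high", "crypto_exchange", "non_face_to_face", "complex_structure"),
        Client("C-003", "medium", "card", "video_ekyc", "sme"),
    ]:
        print(assess(client, ce["effectiveness"]))
```

Note that a backtest with more missed cases lowers the measured effectiveness and therefore raises residual risk for every client at once; the thresholds must be set against the residual scale that the calibrated effectiveness actually produces, not against the inherent scale.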

RegTech: data lineage and Explainable AI

Automation delivers the greatest impact when the business owns its data. I implement normalization and consolidation of data from different jurisdictions, ensure data lineage, build unified reference directories and data quality controls. As RegTech layers I use graph analytics and entity resolution to uncover hidden connections and structures, machine learning to detect anomalies, and orchestration of investigations in case management.

Automated transaction monitoring rules derived from the matrix cover key scenarios: structuring, layering, smurfing, evasion schemes and cross-border anomalies. I build human-in-the-loop verification so that analysts augment ML signals with their expertise. Model risk management includes backtesting, calibration of scoring models and regular parameter reviews.

Data sources for the risk matrix

I use a combination: sanctions lists and PEP registers, corporate registries and beneficial owner registers, verified e-KYC providers, transaction logs, internal customer profiles and external negative news. For data quality I apply deduplication, name standardization, geo-normalization and completeness checks. GDPR and local data protection in the EU are mandatory requirements for architecture and processes.

Transaction monitoring and false positives

First I create baseline rules by risk segment and jurisdiction, then tune them iteratively. I measure precision, recall, FPR and AUC, calculate the cost of each kind of error and adjust thresholds with the team's capacity in mind. I reduce false positives by combining contextual attributes and graph features, and I track recall on confirmed cases at every tuning step so that signal quality improves without a loss of sensitivity going unnoticed.
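As an added example for the structuring scenario named in the RegTech section and for the threshold-tuning cycle described here, the Python block below runs a structuring rule over a constructed transaction log and sweeps one of the rule's parameters, the minimum size of a cash deposit that counts as "near the reporting threshold", computing precision, recall, FPR and the expected cost of errors for each setting. It is not COREDO's monitoring logic; the transactions, the labels, the 10,000 reporting threshold, the 7-day window and the error costs are all constructed assumptions.

```python
"""Structuring rule plus threshold sweep on precision / recall / FPR and
cost of errors. Added example; not COREDO's monitoring rules. The log,
labels, reporting threshold, window and costs are constructed."""
from collections import defaultdict
from dataclasses import dataclass

REPORTING_THRESHOLD = 10_000   # assumption: cash reporting limit
WINDOW_DAYS = 7                # assumption: rolling aggregation window


@dataclass(frozen=True)
class Tx:
    client_id: str
    day: int        # day index within the backtest period
    amount: float
    cash: bool


def structuring_alerts(txs, min_amount=0, min_count=2,
                       threshold=REPORTING_THRESHOLD, window=WINDOW_DAYS):
    """Clients with at least `min_count` cash deposits, each at least
    `min_amount` and individually below `threshold`, inside a rolling
    window of `window` days, whose sum meets or exceeds `threshold`."""
    by_client = defaultdict(list)
    for t in txs:
        if t.cash and min_amount <= t.amount < threshold:
            by_client[t.client_id].append(t)
    alerted = set()
    for cid, deposits in by_client.items():
        deposits.sort(key=lambda t: t.day)
        start = 0
        for end in range(len(deposits)):
            # advance the window start until the span fits in `window` days
            while deposits[end].day - deposits[start].day >= window:
                start += 1
            chunk = deposits[start:end + 1]
            if len(chunk) >= min_count and sum(t.amount for t in chunk) >= threshold:
                alerted.add(cid)
                break
    return alerted


def rule_metrics(alerted, labelled_bad, population):
    """Confusion counts and precision / recall / FPR at client level."""
    tp = len(alerted & labelled_bad)
    fp = len(alerted - labelled_bad)
    fn = len(labelled_bad - alerted)
    tn = len(population - alerted - labelled_bad)
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


def tune_min_amount(txs, labelled_bad, candidates, cost_fp, cost_fn):
    """Sweep `min_amount`; pick the setting with the lowest expected
    cost = fp * cost_fp + fn * cost_fn. Returns (best, all_results)."""
    population = {t.client_id for t in txs}
    results = []
    for m in candidates:
        r = rule_metrics(structuring_alerts(txs, min_amount=m), labelled_bad, population)
        r["min_amount"] = m
        r["cost"] = r["fp"] * cost_fp + r["fn"] * cost_fn
        results.append(r)
    return min(results, key=lambda r: r["cost"]), results


# Constructed log. C-A and C-B are the confirmed structuring cases.
SAMPLE_TXS = [
    # C-A: four cash deposits just under the threshold within three days
    Tx("C-A", 1, 9_500, True), Tx("C-A", 1, 9_800, True),
    Tx("C-A", 2, 9_700, True), Tx("C-A", 3, 9_900, True),
    # C-B: three mid-sized cash deposits spread over six days
    Tx("C-B", 2, 4_000, True), Tx("C-B", 5, 3_500, True), Tx("C-B", 7, 3_000, True),
    # C-C: retail shop, small daily cash takings that legitimately add up
    Tx("C-C", 1, 1_500, True), Tx("C-C", 2, 1_600, True), Tx("C-C", 3, 1_400, True),
    Tx("C-C", 4, 1_700, True), Tx("C-C", 5, 1_550, True), Tx("C-C", 6, 1_650, True),
    Tx("C-C", 7, 1_450, True), Tx("C-C", 8, 1_500, True),
    # C-D: one cash deposit above the threshold (reported, not structuring)
    Tx("C-D", 3, 25_000, True),
    # C-E: two one-off cash deposits that together exceed the threshold
    Tx("C-E", 4, 6_000, True), Tx("C-E", 6, 5_000, True),
    # C-F: non-cash transfers only, never in scope for this rule
    Tx("C-F", 1, 9_000, False), Tx("C-F", 2, 9_000, False), Tx("C-F", 3, 9_000, False),
]
LABELLED_BAD = {"C-A", "C-B"}   # constructed backtest labels

if __name__ == "__main__":
    # Assumption: clearing a false alert costs 150, a missed case costs 5,000.
    best, results = tune_min_amount(SAMPLE_TXS, LABELLED_BAD,
                                    [0, 3_000, 5_000, 9_000], cost_fp=150, cost_fn=5_000)
    for r in results:
        print(r)
    print("chosen min_amount:", best["min_amount"])
```

In this log the setting of 3,000 drops the shop (C-C) from the alert queue while still catching both confirmed cases, so precision rises with recall unchanged; tightening further to 5,000 or 9,000 also removes the one-off depositor (C-E) but starts missing C-B, and the cost of that false negative outweighs the saved analyst time. That asymmetry is why the sweep must score both error types, not just count alerts.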

Orchestration of investigations in GRC

I integrate the risk matrix and AML processes into the corporate GRC platform to provide a unified control cycle: planning – monitoring – adjustment. In case management I build workflows with an escalation matrix and SLAs, automate SAR (Suspicious Activity Report) preparation and interaction with the FIU, and add dashboards for KRIs and KPIs of the compliance unit.

How to manage the board of directors’ risks

The strategy begins with risk appetite. The board approves risk limits, target KRIs, and the budget for controlled automation. Then I document roles and responsibilities: risk owners in business lines, compliance as the second line of defense, internal audit as the third. I regularly prepare risk reporting for management and the board of directors with a heatmap, incident trends and control economics.

Structure of the risk-oriented approach

The policy covers: risk taxonomy and risk universe, quantitative and qualitative assessment methods, rules for client segmentation by risk, KYC/CDD/EDD procedures, sanctions screening, transaction monitoring, rules for threshold setting and tuning, third-party control and vendor due diligence, governance models and escalation matrix.

Documentation, control and audit testing

I establish a mandatory audit trail, requirements for documenting risk assessments and evidence of client ranking. Testing the effectiveness of controls (control testing) is carried out according to the plan, with a sample of cases, backtesting, threshold calibration and model adjustments. Regular internal and external audits confirm process maturity and readiness for regulator inspections.

Change management

I maintain regular trainings on AML, scenario analyses and working with systems. Change management includes the approval process for new products (compliance by design), migration to the cloud or on-premise, TCO analysis and scalability for multi-jurisdictional business.

COREDO cases: international launches

One of our recent projects: licensing a crypto service in Estonia. The COREDO team built a risk matrix based on AMLD5/AMLD6, integrated e-KYC and graph analytics for UBO discovery, included PEP and sanctions list screening, and configured EDD for high-risk clients. We demonstrated a mature RBA to the regulator and agreed on an internal control plan with regular testing.

In the UK I supported the team in obtaining a payment institution license. We built a risk heat map by product, agreed on safeguarding and SAR process orchestration, implemented Explainable AI for scoring and carried out backtesting of rules. As a result, the business gained transparent onboarding, performance metrics, and stable interaction with banks.
In Cyprus we launched a forex broker under CySEC. The solution developed at COREDO included counterparty risk assessment, monitoring scenarios for suspicious schemes, threshold tuning taking market volatility into account, and EDD for clients from high-risk jurisdictions. We proved the economics of compliance: reduced FPR while maintaining high recall and controllable investigation times.
In Singapore we helped a fintech with a MAS license. I integrated risk-based processes into the product lifecycle, implemented third-party controls and vendor due diligence, performed data normalization across different geographies, and ensured compliance with GDPR and local data protection requirements. For Dubai we adapted the matrix for VARA, accounted for the specifics of virtual assets and the provider’s risk management requirements.

The economics of compliance: ROI and TCO

I view compliance as an investment in reliability. The ROI of implementing a risk-based approach shows up as a lower share of false positives, less manual workload, faster onboarding and a larger share of customers who pass initial screening. Total cost of ownership changes when moving to the cloud, while on-premise retains an advantage where data control requirements are strict. The COREDO team helps choose an architecture taking into account KPIs, SLAs, budget and regional constraints.
Scaling risk-based processes as the business grows requires centralization of methodology and local teams for execution. I evaluate outsourcing AML services vs an in-house team, and build a hybrid model to support peak loads and standardize quality. This approach speeds up the launch of new jurisdictions and maintains a consistent level of maturity.

Roadmap for implementing RBA in 90 days

First 30 days: diagnostics.
I document the risk appetite, build the initial risk matrix, describe KYC/CDD/EDD, assess data quality and sources, create an automation plan and quick wins. Meanwhile the COREDO team configures basic sanctions and PEP processes and prepares policy templates.

Days 31–60: design and pilot.
I run risk scoring, integrate onboarding and transaction monitoring, enable case management and the escalation matrix, configure KRI dashboards. We carry out backtesting, threshold tuning and train the investigations team.

Days 61–90: production environment.
I expand rule coverage, introduce regular control testing, approve risk reporting to the board of directors, and finalize the audit trail and the SAR/FIU procedure. After that come quarterly calibrations and an annual scenario analysis with stress tests.

Questions from leaders: recommendations

How to align risk appetite and the risk matrix?

I start with the business strategy: geography, products, channels. Then I set acceptable risk levels and translate them into controllable KRIs. The board approves thresholds, and business lines receive clear rules.

How to assess third-party and vendor risks?

I conduct vendor due diligence: corporate registries, UBO, sanctions and PEP screening, data quality controls and SLAs, and scenario analysis of the impact of a vendor incident. Critical vendors receive EDD and regular reviews.

How to adapt the risk matrix to EU and Asian legislation?

I build the core of the matrix, then add local weights and sources, taking into account guidance from FATF, EBA, MAS, VARA and local FIUs. This approach preserves comparability and covers local requirements.

How to manage false positives in transaction monitoring?

I combine rules and ML, use graph features, perform calibration on precision/recall/FPR, calculate the economics of errors and adjust thresholds to the team’s SLA. Human-in-the-loop reduces the risks of incorrect automation.

What resources are needed at the RBA implementation stage?

A methodologist, data lead, transaction analyst, integration engineers, compliance officer and a business representative. The COREDO team covers roles for key modules to speed up deployment and transfer the practice to the internal team.

A reliable partner for complex challenges

I build COREDO as a partner that takes on not only company registration and obtaining licenses, but also real responsibility for risk management. When a company enters a new market in the EU, Singapore, the UK or Dubai, I provide a structured RBA: a risk matrix, effective KYC/CDD/EDD, automated monitoring, GRC integration and measurable reporting. This approach creates resilience to regulatory requirements, increases the trust of banks and investors and accelerates scaling.

If you are planning a launch in a new jurisdiction, preparing a crypto, payments or forex license, building AML compliance or reviewing your current risk matrix, the COREDO team is ready to offer a practical solution. I am responsible for the architecture and strategy, colleagues handle methodology and implementation. As a result you get a transparent process, time savings and confidence in every subsequent step.