How to Use NAICS Codes in KYB and AML Risk Scoring
Key Highlights
- A NAICS Code Is an Input, Not a Verdict: On its own, an industry code tells you what a business claims to do. Its real value in compliance comes from what you do with it — feeding it into a customer risk profile that decides whether onboarding proceeds, escalates, or stops.
- Regulators Require the "What," Not the Code: FinCEN's CDD Rule and the FFIEC BSA/AML Manual require you to understand the "nature and purpose" of every customer relationship and build a risk profile from it. They never mandate NAICS — but industry classification is the practical way most teams encode "type of business" into a score.
- The Score Has to Route the Case: A risk-scoring model only matters if an elevated industry tier actually changes the workflow — pushing a high-risk classification from standard CDD into Enhanced Due Diligence (EDD) before the relationship begins.
- A Code Is a Snapshot; Risk Is a Movie: The FinCEN CDD Rule's ongoing-monitoring requirement means a NAICS code captured at onboarding isn't a one-time stamp. Business activity drifts, ownership changes, and the risk profile has to be updated on a risk basis — the foundation of perpetual KYB.
- Why NAICS Codes Belong in Your Risk Model
- What Regulators Actually Require (and What They Leave to You)
- Step 1: Turn a NAICS Code Into a Risk Tier
- Step 2: Let the Tier Trigger the Right Due Diligence
- Step 3: Score the Mismatch, Not Just the Code
- Step 4: Keep Scoring After Onboarding (Perpetual KYB)
- A Worked Example: Three Businesses, Three Outcomes
- Where Manual Scoring Breaks Down
- Bottom Line
If you have already read our guides on looking up a NAICS code by company name and the high-risk NAICS codes that should pause an onboarding flow, you know two things: how to find a business's code, and which codes carry elevated risk.
This guide is about the step in between — and after. Once you have the code and you know it matters, how do you actually fold it into a customer risk score that drives a compliance decision and keeps driving one for the life of the relationship?
That is the part most published guidance skips. There are plenty of articles listing high-risk industries. There are very few that show a compliance team how to convert "this business is a 522390" into "this case routes to enhanced due diligence, gets a 14-day review cycle, and re-scores automatically if the activity changes."
This is written for the people who own that workflow: risk and compliance teams at banks, fintechs, lenders, and payment processors who need a NAICS-driven scoring model that holds up to an examiner.
Why NAICS Codes Belong in Your Risk Model
A customer risk rating is the engine of a risk-based AML program. It is the number — or tier — that decides how much friction, scrutiny, and ongoing attention a customer relationship gets.
That rating is built from a handful of well-established factors. The standard set, reflected across FinCEN and FFIEC guidance, looks like this:
| Risk Factor | What It Captures | Typical Data Source |
|---|---|---|
| Customer / entity type | Individual vs. legal entity, ownership structure, complexity | Registry data, UBO records |
| Industry / business activity | What the business actually does | NAICS / MCC code |
| Geography | Country and jurisdiction risk, sanctions exposure | Address, registration, FATF lists |
| Products & services | Cash, cross-border, anonymity-enabling rails | Account configuration, expected use |
| Transaction behavior | Volume, pattern, deviation from expected profile | Monitoring data |
Industry is one of five core inputs — and NAICS is how you operationalize it. A six-digit code is the standardized, machine-readable answer to the question every compliance team has to answer about a business: what does it actually do, and is that something we can bank?
The July 2022 interagency Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (issued by the Federal Reserve, FDIC, FinCEN, NCUA, and OCC) puts "the customer's business or occupation" squarely among the factors that determine "the potential risk to a bank." The FFIEC BSA/AML Examination Manual reinforces it: customer risk profiles are institution-specific and must weigh customer type and business activity, not just geography or transaction volume.
The takeaway: industry risk isn't a nice-to-have enrichment field. It is one of the load-bearing inputs regulators expect to see in a defensible risk rating — and NAICS is the cleanest way to feed it.
What Regulators Actually Require (and What They Leave to You)
Here is the nuance that trips up a lot of teams: no US AML regulation requires you to use NAICS codes. The FinCEN CDD Rule doesn't, the FFIEC Manual doesn't, and neither do the FATF Recommendations that US rules are aligned with.
What they do require is the outcome NAICS helps you achieve:
- Understand the nature and purpose of the relationship. FinCEN's 2016 CDD Rule added the beneficial-ownership requirement at 31 CFR 1010.230 and amended the AML program rules (31 CFR 1020.210 for banks, with parallel sections for broker-dealers, mutual funds, and FCMs) to require covered institutions to understand the nature and purpose of customer relationships in order to develop a customer risk profile. Knowing the industry is central to that.
- Build and maintain a customer risk profile. The FFIEC CDD examination procedures direct examiners to check that the bank collects enough information to understand the customer's business and expected activity, and uses it to develop a risk profile.
- Take a risk-based approach. Both FinCEN and FATF expect that higher-risk categories — including certain business types and sectors — receive proportionately more scrutiny.
So the regulatory logic is: you must understand and risk-rate the business's activity; how you encode that is up to you. NAICS (and, on the card side, MCC) is simply the most widely adopted, standardized coding system for doing it consistently across thousands of onboarding decisions.
That gives you freedom and responsibility in equal measure. There is no regulator-issued "high-risk NAICS list" you can copy. You own the mapping — which means it has to be deliberate, documented, and defensible.
Step 1: Turn a NAICS Code Into a Risk Tier
The first job is translating a raw code into a risk tier your model can act on. A practical structure uses three tiers, organized not by industry reputation but by what kind of risk the code signals — because that determines what due diligence it should trigger.
| Tier | Signal | Representative NAICS Codes | What It Should Drive |
|---|---|---|---|
| Tier 1 — Structural / Financial | Entity types built to obscure ownership, or non-bank financial activity | 551112 Offices of Other Holding Companies · 522390 Other Activities Related to Credit Intermediation (where many MSBs land) · 522320 Financial Transactions Processing, Reserve, and Clearinghouse Activities · 523999 Miscellaneous Financial Investment Activities | Mandatory EDD, UBO trace, source-of-funds review |
| Tier 2 — Transaction Opacity | Cash-intensive or hard-to-trace activity | 713210 Casinos (except Casino Hotels) · 721120 Casino Hotels · 713290 Other Gambling Industries · 445320 Beer, Wine, and Liquor Retailers · 722511 Full-Service Restaurants · 722513 Limited-Service Restaurants · 441120 Used Car Dealers | Elevated risk score, cash-activity monitoring, expected-volume validation |
| Tier 3 — Catch-All / Vague | Codes so broad they hide the real activity | 541990 All Other Professional, Scientific, and Technical Services · 459999 All Other Miscellaneous Retailers (453998 under 2017 NAICS) · 561990 All Other Support Services · 999999 Unclassified (a placeholder used by data vendors and statistical agencies, not an official NAICS code) | Manual review of stated activity, request for clarification, mismatch check |
A few notes that matter for accuracy:
- `551112` is the recurring Tier 1 flag. Offices of Other Holding Companies is a legitimate structure for private equity and family offices, and also a common vehicle for layered ownership designed to obscure ultimate control. When it appears, the correct automated response is to pause and initiate a UBO trace, not to wave it through.
- Crypto has no clean code. Virtual asset firms self-classify into `522320`, `523999`, `518210` (Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services under 2022 NAICS; formerly Data Processing, Hosting, and Related Services), or `522390`, depending on whether they present as a financial intermediary or a tech platform. The absence of a precise code, combined with a vague business description, is itself a risk indicator worth scoring.
- 2022 NAICS renumbered alcohol and tobacco retail. Liquor stores moved from `445310` to `445320` (Beer, Wine, and Liquor Retailers), and tobacco stores moved from `453991` to `459991` (Tobacco, Electronic Cigarette, and Other Smoking Supplies Retailers), which now explicitly covers e-cigarette and smoking-supply retail. If your mapping still keys on the legacy codes, refresh it; a lookup that silently returns "no match" for a renumbered code is a gap in your high-risk coverage.
The output of Step 1 is a tier and a numeric contribution to the overall risk score — not a final decision. That comes next.
Step 2: Let the Tier Trigger the Right Due Diligence
A risk tier that doesn't change anything in the workflow is decorative. The point of scoring is routing.
In a well-built model, the industry tier combines with the other risk factors (geography, ownership, products, behavior) to produce a composite score, and that score maps to a due-diligence path:
- Standard CDD for low-and-moderate composite scores: verify the entity, identify beneficial owners, understand expected activity, and proceed.
- Enhanced Due Diligence (EDD) when the composite — or a single mandatory trigger like a Tier 1 code — crosses a threshold: deeper source-of-funds and source-of-wealth review, full UBO mapping, adverse media screening, senior sign-off, and a tighter review cadence.
This mirrors how EDD is described across FinCEN/FATF-aligned guidance: cash-intensive businesses, high-risk industries (gaming, precious metals, real estate, virtual assets), opaque ownership, high-risk geographies, and adverse media are recognized risk-based triggers for escalation. An elevated NAICS tier is one of those triggers — and the cleanest one to automate, because it's a structured field you already capture at onboarding.
The design principle: a Tier 1 code should be able to route a case to EDD on its own, regardless of how clean the rest of the profile looks. Structural risk doesn't average out.
Step 3: Score the Mismatch, Not Just the Code
Here is where a sophisticated model separates itself from a lookup table. The NAICS code a business reports is self-reported — and self-reported data is exactly where risk hides.
A 2022 peer-reviewed study in Statistics and Public Policy, conducted by IRS researchers analyzing tax filings, found that NAICS codes are self-reported with no tax consequence for reporting the wrong code or none at all. The researchers built predictive models precisely because so many filed codes were unusable. The practical consequence for compliance: a meaningful share of the codes you ingest are wrong, stale, or chosen to look benign.
That means the highest-value signal often isn't the code itself — it's the mismatch between the code and the business's real-world footprint:
- A company files `541611` (Management Consulting) but its website processes payments and advertises money transfer. The mismatch is the risk, and a code-only model never sees it.
- An entity registers as `722513` (Limited-Service Restaurant) but its expected transaction volume and cross-border pattern look nothing like a sandwich shop.
A scoring model that holds up adds a mismatch dimension: compare the registered NAICS against signals derived from the entity's actual operations — website content, registry filings, observed activity — and raise the score when they disagree. This is the difference between a model that classifies and one that detects.
Step 4: Keep Scoring After Onboarding (Perpetual KYB)
A NAICS code captured at onboarding is a snapshot of a moving target. Businesses pivot, add lines of activity, restructure ownership, and sometimes deliberately reclassify to shed scrutiny. A risk score frozen at account opening goes stale the moment the business changes.
This isn't just best practice — it's the fourth element of the FinCEN CDD Rule. Alongside customer identification, beneficial ownership, and understanding nature and purpose, the Rule requires ongoing monitoring to identify and report suspicious activity and, on a risk basis, to maintain and update customer information. The FFIEC Manual operationalizes the same expectation: the customer risk profile should be updated as new information emerges.
"Perpetual KYB" is the industry term for implementing that requirement continuously and automatically rather than through periodic manual refreshes. In a NAICS-driven model, that means:
- Re-screening the registered classification against fresh data on a risk-based cadence (more often for higher tiers).
- Re-scoring when the business's observed activity, ownership, or filings change.
- Re-routing a relationship into EDD if a previously Tier 2 business starts showing Tier 1 behavior.
The code is where monitoring starts, not where it ends.
A Worked Example: Three Businesses, Three Outcomes
To make the model concrete, here's how three onboarding cases move through it.
Business A — "Apex Horizon Capital LLC," files `551112`. Tier 1, structural. The score crosses the EDD threshold on the code alone. The case is paused, a UBO trace is initiated, and source-of-funds documentation is requested before any standard onboarding proceeds. Clean financials don't override the structural flag.
Business B — "Riverside Grill," files `722511`. Tier 2, cash-intensive. Standard CDD plus cash-activity monitoring. The model validates expected transaction volume against the profile of a full-service restaurant. Nothing escalates — unless the volume or pattern later contradicts the stated business.
Business C — "Summit Advisory Group," files `541990`. Tier 3, catch-all. The vague code itself doesn't condemn the business, but it can't be scored confidently either. The model routes it to a clarification step: confirm the actual activity, run a mismatch check against website and registry signals, and re-score with a real classification. If the "advisory" firm turns out to be moving money, the mismatch dimension catches what the code hid.
Three businesses, one model, three correctly differentiated outcomes. That is what a NAICS-driven risk score is supposed to produce.
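The routing logic behind those three outcomes, written out as a small Python model. This is an added example, not code from the original article or from Signzy's product: the tier table, point weights, the `EDD_THRESHOLD` of 50, the `FINANCIAL_SIGNALS` phrase list, and the three sample profiles are all illustrative assumptions that a real program must replace with its own documented, defended mapping. It covers all four steps: code to tier, tier to route (with the Tier 1 mandatory trigger that ignores the composite), a mismatch dimension driven by observed footprint and volume, and a `rescore` call that models the perpetual-KYB change event.

```python
"""Added example (not from the original article or Signzy): a minimal
NAICS-driven risk-routing model covering Steps 1-4. Every weight,
threshold, tier assignment and signal phrase is an illustrative
assumption, not a regulator-issued mapping."""
from dataclasses import dataclass, replace
from enum import Enum


class Tier(Enum):
    STRUCTURAL = 1  # Tier 1: ownership opacity / non-bank financial activity
    OPACITY = 2     # Tier 2: cash-intensive, hard-to-trace activity
    VAGUE = 3       # Tier 3: catch-all codes that hide the real activity
    BASELINE = 4    # any code not in the table


# Step 1: code -> tier. Keyed on 2022 NAICS codes; assumed mapping.
TIER_BY_CODE = {
    "551112": Tier.STRUCTURAL, "522390": Tier.STRUCTURAL,
    "522320": Tier.STRUCTURAL, "523999": Tier.STRUCTURAL,
    "713210": Tier.OPACITY, "721120": Tier.OPACITY, "713290": Tier.OPACITY,
    "445320": Tier.OPACITY, "722511": Tier.OPACITY, "722513": Tier.OPACITY,
    "441120": Tier.OPACITY,
    "541990": Tier.VAGUE, "459999": Tier.VAGUE, "561990": Tier.VAGUE,
    "999999": Tier.VAGUE,
}
TIER_POINTS = {Tier.STRUCTURAL: 40, Tier.OPACITY: 20, Tier.VAGUE: 10, Tier.BASELINE: 0}
TIER_ACTIONS = {
    Tier.STRUCTURAL: ["ubo-trace", "source-of-funds-review"],
    Tier.OPACITY: ["cash-activity-monitoring", "expected-volume-validation"],
    Tier.VAGUE: ["request-clarification", "mismatch-check"],
    Tier.BASELINE: [],
}
# Observed-footprint phrases that indicate money-services activity (assumed list).
FINANCIAL_SIGNALS = ("money transfer", "remittance", "payment processing",
                     "crypto", "exchange", "wallet")
EDD_THRESHOLD = 50  # assumed composite threshold


@dataclass(frozen=True)
class Profile:
    name: str
    naics: str
    geography_points: int = 0      # output of a separate jurisdiction model (assumed)
    ownership_points: int = 0      # output of a separate UBO-complexity model (assumed)
    observed_text: str = ""        # website / registry / activity description
    expected_monthly_volume: int = 0
    observed_monthly_volume: int = 0


def tier_of(naics: str) -> Tier:
    return TIER_BY_CODE.get(naics, Tier.BASELINE)


def mismatch_points(p: Profile) -> int:
    """Step 3: score disagreement between the registered code and the observed footprint."""
    pts = 0
    text = p.observed_text.lower()
    if tier_of(p.naics) is not Tier.STRUCTURAL and any(s in text for s in FINANCIAL_SIGNALS):
        pts += 40  # non-financial code, but financial-intermediary behaviour observed
    if p.expected_monthly_volume and p.observed_monthly_volume > 3 * p.expected_monthly_volume:
        pts += 20  # volume the stated business cannot plausibly explain
    return pts


def score(p: Profile) -> dict:
    """Steps 1-3: tier, composite score, and the due-diligence route it drives."""
    t = tier_of(p.naics)
    mm = mismatch_points(p)
    composite = TIER_POINTS[t] + p.geography_points + p.ownership_points + mm
    if t is Tier.STRUCTURAL:
        route, reason = "EDD", "tier-1-mandatory"   # structural risk does not average out
    elif composite >= EDD_THRESHOLD:
        route, reason = "EDD", "composite-threshold"
    elif t is Tier.VAGUE or mm > 0:
        route, reason = "REVIEW", ("vague-code" if t is Tier.VAGUE else "mismatch")
    else:
        route, reason = "CDD", "standard"
    return {"name": p.name, "tier": t, "composite": composite, "mismatch": mm,
            "route": route, "reason": reason,
            "actions": TIER_ACTIONS[t] + (["mismatch-review"] if mm else [])}


def rescore(p: Profile, **changes) -> tuple[dict, dict, bool]:
    """Step 4: re-score on a change event and report whether the route escalated."""
    before, after = score(p), score(replace(p, **changes))
    rank = {"CDD": 0, "REVIEW": 1, "EDD": 2}
    return before, after, rank[after["route"]] > rank[before["route"]]


# Constructed sample cases mirroring the three businesses in the article.
APEX = Profile("Apex Horizon Capital LLC", "551112", ownership_points=5)
RIVERSIDE = Profile("Riverside Grill", "722511",
                    expected_monthly_volume=80_000, observed_monthly_volume=75_000)
SUMMIT = Profile("Summit Advisory Group", "541990", observed_text="strategy and advisory")

if __name__ == "__main__":
    for p in (APEX, RIVERSIDE, SUMMIT):
        r = score(p)
        print(f"{r['name']:<26} {r['tier'].name:<10} score={r['composite']:<3} -> {r['route']} ({r['reason']})")
    # Perpetual KYB: Summit's website later advertises money transfer.
    _, after, escalated = rescore(SUMMIT, observed_text="advisory firm offering money transfer and remittance")
    print(f"Summit after change: score={after['composite']} -> {after['route']} escalated={escalated}")
```

Two design points worth noting. Apex scores 45, below the threshold, yet routes to EDD because the Tier 1 check runs before the composite is consulted; that is the "structural risk doesn't average out" rule made concrete. And the mismatch dimension is what moves Summit: the code alone only earns a clarification step, but once observed footprint disagrees with `541990` the same profile crosses into EDD on re-score, without anyone having changed the registered code.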
Where Manual Scoring Breaks Down
Teams can absolutely build a NAICS risk matrix by hand — a spreadsheet of codes mapped to tiers, applied at onboarding. It works until it has to scale and stay current. Three failure modes show up repeatedly:
- Stale self-reported codes. If you score the code the business hands you, you inherit its errors. Manual processes rarely re-derive the code from real-world data.
- No mismatch detection. A static matrix scores the code in isolation. It has no way to flag the consulting firm that's actually a payment processor.
- No ongoing re-scoring. Manual reviews happen on a calendar, not on a trigger. A business that changes its activity the day after a periodic review goes a full cycle with the wrong score attached.
This is the gap automated KYB is built to close: deriving the classification from live, cross-referenced sources instead of a single self-reported form; scoring the mismatch between registered and observed activity; and re-scoring continuously rather than annually. The risk matrix tells you what each code should trigger. Automated KYB makes sure the code is right, stays right, and keeps driving the workflow after onboarding.
Bottom Line
A NAICS code is not a risk decision — it's the most useful single input into one. The work is in the wiring: mapping codes to tiers that reflect the kind of risk they signal, letting those tiers route cases to the right due diligence, scoring the mismatch between what a business claims and what it does, and keeping that score alive long after onboarding.
Regulators won't hand you the mapping. They require the outcome — an understood, risk-rated, continuously monitored customer profile — and leave the encoding to you. NAICS is how you get there consistently, at scale, in a way that holds up when an examiner asks how the score was built.

Saurin Parikh
Saurin is a Sales & Growth Leader at Signzy with deep expertise in digital onboarding, KYC/KYB, crypto compliance, and RegTech. With over a decade of professional experience across sales, strategy, and operations, he’s known for driving global expansions, building strategic partnerships, and leading cross-functional teams to scale secure, AI-powered fintech infrastructure.