Financial institutions (FIs) face an expanding spectrum of money laundering threats, including emerging typologies such as AI-enabled fraud and crypto-linked laundering, which are set to disrupt the industry. In fact, the total amount lost to cybercrime alone is projected to reach $23 trillion by 2027. To effectively balance compliance with cost-efficiency, firms need to adopt a contextual, risk-based approach (RBA) to anti-money laundering (AML).
An RBA means tailoring AML compliance programs to each customer’s specific risk level, ensuring resources are allocated where they are most needed. In principle, this shifts the focus of AML compliance from retrospective data analysis to proactive judgment.
FIs should continuously assess the money laundering threats they face and deploy robust measures to manage their risk exposure. In practice, this means customers are classified individually by their risk exposure, with higher-risk relationships subject to greater AML scrutiny.
AML regulations and the risk-based approach
Historically, banks and other FIs managed their compliance obligations using a ‘checkbox’ approach – simply fulfilling a standardized list of AML requirements for every customer.
Although that standardized approach prevailed in the 1990s, the UK’s Financial Services Authority (FSA) – the country’s former regulator – first proposed a risk-based approach in its 2000 publication A New Regulator for the New Millennium.
In 2007, the concept was adopted by the Financial Action Task Force (FATF), then codified in its 2012 update to the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation – also known as the ‘40 Recommendations’ – which form the basis of global AML standards today.
The FATF’s endorsement cemented the risk-based approach at the core of modern compliance, and major global regulations now mandate it as the starting point for AML programs, including:
- The UK: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLRs).
- The US: The Bank Secrecy Act (BSA).
- The EU: The EU’s Sixth Anti-Money Laundering Directive (6AMLD).
- Australia: The Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF Act).
- Singapore: The Anti-Money Laundering and Other Matters Act (AMLA) alongside the Monetary Authority of Singapore (MAS) Notice 626.
- The Philippines: The Anti-Money Laundering Act (AMLA) of 2001.
- Malaysia: The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act (AMLA) 2001.
What are the benefits of a risk-based approach to AML?
Why adopt a risk-based approach? The answer is simple: efficiency. Rather than applying uniform compliance checks to every customer, an RBA allows firms to align their resources directly with real risk levels:
- Smarter resource allocation: Firms can direct their time, budget, and personnel toward the areas that pose the greatest threat – avoiding both the cost of over-compliance and the regulatory exposure of under-compliance.
- Faster, frictionless onboarding: Low-risk customers experience streamlined verification and fewer delays, improving the user experience while freeing compliance teams to focus on genuinely higher-risk cases. This makes it easier to onboard new customers quickly without sacrificing security.
- Better financial crime detection: By reducing noise from unnecessary alerts for low-risk clients, compliance teams can focus on genuinely suspicious activity, improving detection rates and the quality of reporting.
- Proactive risk management and scalability: Rather than reacting to problems after they occur, a risk-based approach encourages firms to actively assess emerging risks before they escalate. When reviewed on an ongoing basis, the compliance program scales with the business and adapts as the firm’s risk profile evolves.
- Regulatory alignment and reduced de-risking: Global regulators – including FATF and national authorities like the UK’s FCA – consider the risk-based approach the compliance gold standard and mandate it directly. Accurate risk assessment also prevents the overbroad assumptions that lead firms to withdraw services from entire countries or customer segments unnecessarily.
What are the most common challenges of implementing a risk-based approach?
A risk-based approach is a non-negotiable starting point for modern FIs, but compliance teams should be aware of a few common challenges during implementation:
- Maintaining regulatory compliance: The goal of reducing compliance overspending should never tip into a ‘bare minimum’ approach to AML policy. Otherwise, firms leave themselves open to the severe reputational and financial consequences of regulatory non-compliance. This is particularly true in an AML environment characterized by frequent regulatory changes, both over time and across jurisdictions, which firms must stay informed of.
- Effective data management: The ever-increasing volume of data available is a huge asset to compliance teams, but it also means they need to be sure of the quality of their data and of their ability to collect and analyze it properly. Using a suitable software solution has become a necessary part of a risk-based approach to AML.
- Changing customer profiles: Because customers’ financial behavior and profiles change over time, FIs should regard customer risk levels as dynamic, not static. Firms should ensure they are well-placed to reassign and respond to customer risk profiles when necessary.
How to implement an effective risk-based approach?
1. Identify and assess risks
A comprehensive risk assessment is the baseline of any RBA. FIs should evaluate three core categories of risk:
- Customer risk: Certain clients pose a higher money laundering risk than others due to their status, occupation, or past activity, and may therefore require enhanced due diligence (EDD) at onboarding.
- Geographic risk: Some jurisdictions have weak regulations, are known offshore financial havens, or have high levels of corruption, drug trafficking, and other predicate offenses.
- Product and service risk: Products or services that allow clients to conceal their identity, operate anonymously, act independently of oversight, or transact with third parties should be considered high-risk. This increasingly includes crypto assets and digital payment channels.
When performing a risk assessment, firms should take into account:
- Vulnerability: What financial crime threats – such as fraud, tax evasion, or trafficking – target the business model?
- Infrastructure: Are there system gaps, manual processes, or data silos that criminals could exploit?
- Compliance posture: Does the firm fully understand and meet its global regulatory obligations?
2. Implement policies to mitigate those risks
Because an RBA is tailored, no two compliance programs look identical. However, every effective program should include several critical elements:
- Verification & customer due diligence (CDD): Know your customer (KYC) and CDD measures verify a customer’s identity and the nature of their business to ensure they are who they claim to be. This includes establishing ultimate beneficial ownership (UBO), source of wealth (SOW), and source of funds (SOF).
- Enhanced due diligence (EDD): Applying EDD to customers identified as high-risk, to gather deeper background details and mitigate elevated risk exposure.
- Real-time screening: Screening customers against sanctions lists, politically exposed person (PEP) lists, adverse media, and relevant law enforcement data to instantly flag high-risk or PEP entities before onboarding.
- Dedicated governance: The appointment of a certified AML compliance officer to oversee the organization’s compliance program, with both the authority within the company and the AML expertise to identify and act on risks.
3. Conduct ongoing monitoring
A genuinely effective risk-based approach to AML compliance continues well beyond onboarding. Firms should regard it as an ongoing process, monitoring customers throughout the business relationship to stay alert to any changes in their risk profile.
FIs must be able to react to new levels of risk exposure to ensure emerging money laundering threats are identified as quickly as possible – and to avoid reverting to the ‘checkbox’ approach that the risk-based approach was designed to replace.
Advanced AML solutions for an efficient risk-based approach
Integrating specialist AML software can make it significantly easier for FIs to design and maintain a risk-based compliance approach. Replacing the legacy “one-size-fits-all” model, ComplyAdvantage Mesh is designed with firms’ varying risk appetites in mind, providing compliance teams with greater flexibility, as it can be tuned by client type, transaction profile, and jurisdiction.
For a risk-based approach, Mesh includes:
- A proprietary risk database: This gives true visibility into suspicious activities and AML risks.
- Automated customer risk rating: To help teams focus on the highest-risk customers first, with fully configurable risk models and dynamically updated risk scores responding in near-real time to changes in customer profiles.
- Advanced AI-powered matching algorithms: To screen clients against PEP lists, sanctions lists, watchlists, adverse media, and global enforcement actions.
- Fully configurable customer screening: For compliance officers to meet risk and cost of compliance goals.
- Explainable audits: Easy access to a detailed audit trail showing every event and decision.
Streamline your AML compliance with ComplyAdvantage Mesh
ComplyAdvantage’s Mesh empowers financial institutions to implement an effective risk-based approach to AML compliance, with proprietary data and automated risk scoring across customer profiles.
Originally published 16 August 2019, updated 09 June 2026
