What is a risk-based approach to anti-money laundering?

Financial institutions (FIs) face an expanding spectrum of money laundering threats, with emerging typologies set to cause serious problems for the industry. The total amount lost to cybercrime alone is projected to reach $9.5 trillion in 2024. To effectively balance compliance with cost-efficiency, firms must adopt a contextual, risk-based approach to anti-money laundering (AML). 

A risk-based approach means tailoring AML compliance programs to each customer’s specific risk level, ensuring resources are allocated where they are most needed. In principle, this shifts the focus of AML compliance from retrospective data analysis to proactive judgment. FIs must work continuously to understand the money laundering threats they face and deploy commensurate measures to manage their risk exposure. In practice, this means customers may be classified individually by their risk exposure, and ‘higher risk’ customers fall under greater AML scrutiny. 

AML regulations and the risk-based approach

Before the concept of the risk-based approach was developed, banks and other FIs would manage their compliance obligations using a ‘checkbox’ approach – that is, simply fulfilling a standardized list of AML requirements for every customer. While that standardized approach prevailed in the 1990s, the UK’s Financial Services Authority (FSA) first proposed a risk-based approach in its 2000 publication A New Regulator for the New Millennium. In 2007, the idea was adopted by the Financial Action Task Force (FATF), then further codified in its 2012 update to the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, or the ‘40 Recommendations’, which form the basis of global AML standards today. 

The FATF’s 2012 endorsement of risk-based approaches to AML has ensured its centrality to compliance programs, and many major pieces of legislation specify that a risk-based approach should be a starting point for AML compliance. Examples include: 

• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLRs) in the UK;
• The Bank Secrecy Act (BSA) in the US, and; 
• The EU’s Sixth Anti-Money Laundering Directive (6AMLD).

The benefits of a risk-based approach to AML

The reason for adopting a risk-based approach to AML is simple: efficiency. To break this down, firms see a few clear benefits when they adopt a risk-based approach: 

• Integration of compliance with growth: Implemented effectively, a risk-based approach is the best way of allowing firms to counter financial crime and meet compliance requirements while maintaining strong business growth by onboarding new customers quickly. 
• Money and time saved: Instead of applying a blanket approach to all and any AML risks, no matter how ultimately inconsequential, organizations can allocate resources to where they are most needed, avoiding the financial burden of over-compliance alongside the regulatory risk of under-compliance. 
• Scalability: A risk-based approach means that, when reviewed and audited on an ongoing basis, a firm’s AML compliance program can scale along with them, since it adapts to changes in their business risk profile. 

Speed up your onboarding and boost customer satisfaction

Download our free customer onboarding guide and ensure seamless and compliant onboarding across your organization – packed with expert know-how for effective risk management.

Get ahead of the game

The challenges of implementing a risk-based approach

A risk-based approach is a non-negotiable starting point for modern FIs, but compliance teams should be aware of a few common challenges during implementation:: 

• Maintaining regulatory compliance: The goal of reducing compliance overspending should never tip into a ‘bare minimum’ approach to AML policy, Otherwise, firms leave themselves open to the severe reputational and financial consequences of regulatory non-compliance. This is particularly true in an AML environment characterized by frequent regulatory changes, both over time and across jurisdictions, which firms must stay informed of. 
• Effective data management: The ever-increasing volume of data available is a huge asset to compliance teams, but it also means they need to be sure of the quality of their data and of their ability to collect and analyze it properly. Using a suitable software solution has become a necessary part of a risk-based approach to AML. 
• Changing customer profiles: Due to updates in their financial behavior or profiles, FIs should regard customer risk levels as dynamic, not static. Firms should ensure they are well-placed to reassign and respond to customer risk profiles when necessary. 

3 steps to an effective risk-based approach

1. Identify and assess risks

An accurate and comprehensive risk assessment is a foundational point of a risk-based approach to AML. Three distinct categories of risk inform FIs’ compliance efforts: 

• Client risk: Certain clients present a higher money laundering risk than others due to their status, occupation, or past activity, and therefore may require enhanced due diligence (EDD) at onboarding.
• Geographic risk: Some jurisdictions have weak AML/CFT legislation, are known to be offshore financial havens, or have high levels of corruption, drug trafficking, and other predicate crimes in money laundering.  
• Product and service risk: Products or services that allow clients to conceal their identity or operate anonymously, act independently independently of oversight, or transact with third parties should be considered high-risk.

When performing a risk assessment, firms must take into account:

• Vulnerability: What money laundering and criminal threats – such as drug trafficking or gambling – is the firm exposed to?
• Infrastructure: Does the firm have blind spots or administrative gaps that allow money launderers to thrive?
• Regulations: Does the firm properly understand and satisfy its regulatory obligations?
  

2. Implement policies to mitigate those risks

The nature of a risk-based approach means that no two FIs’ AML policies will look exactly the same. However, all firms should build their compliance program to include several important steps, including:

• Know your customer (KYC) and customer due diligence (CDD) measures to establish and verify a customer’s identity and the nature of their business are who they say they are. This includes establishing ultimate beneficial ownership (UBO), source of wealth (SOW), and source of funds (SOF). 
• EDD for customers identified as high-risk according to the risk factors above.  
• Screening customers against sanctions lists, politically exposed person (PEP) lists, adverse media, and relevant law enforcement data. 
• The appointment of an AML compliance officer to oversee the organization’s compliance program, with both the authority within the company and the AML expertise to identify and act on risks.

3. Conduct ongoing monitoring

A genuinely effective risk-based approach to AML compliance continues beyond onboarding. Instead, firms should regard it as an ongoing process, which means monitoring customers throughout the business relationship to stay alert to any changes in risk profiles, which can change over time. FIs must be able to react to new levels of risk exposure to ensure emerging money laundering threats are identified as quickly as possible, and avoid the ‘checkbox’ approach to AML that the risk-based approach supplanted in the first place. 

Advanced AML solutions for an efficient risk-based approach

Integrating specialist AML software can make it significantly easier for FIs to design a risk-based approach to compliance and see the benefits of that approach going forward. 

ComplyAdvantage’s Mesh platform is built to meet firms’ risk assessment needs, providing teams with access to market-leading data and risk intelligence to ensure highly efficient compliance. For a risk-based approach, Mesh includes features like: 

• A proprietary risk database providing true visibility into suspicious activities and AML risks. 
• Automated customer risk rating to help teams focus on the highest-risk customers first, with fully configurable risk models and dynamically updated risk scores responding in near-real time to changes in customer profiles. 
• Advanced matching algorithms, powered by AI, to screen clients against PEP lists, sanctions lists and watchlists, adverse media, and global enforcement actions. 
• Fully configurable customer screening for compliance officers to meet risk and cost of compliance goals. 
• Easy access to a detailed audit trail showing every event and decision.