What is a risk-based approach to AML?

Embracing a risk-based approach to AML gives you the flexibility to determine what AML and KYC processes are right for your business.

⚡ Key takeaways
  • Anti-money laundering is not a one-size-fits-all process.
  • Embracing a risk-based approach to AML gives businesses the flexibility to determine what AML and KYC processes are right for them.
  • Implementing a risk-based approach requires businesses to understand their own risk profiles, as well as the risk profiles of their customers.

This article was reviewed by Emily Sachs, CAMS

Financial institutions are required by law to implement anti-money laundering (AML) processes to prevent criminals from using their products, services, and platforms to launder money. 

While regulators have provided frameworks and guidance around the different components that an AML process should include — for example, KYC, CDD, and transaction monitoring — they have typically refrained from dictating specific measures that all institutions must follow. This provides financial institutions with a lot of flexibility in determining what AML should look like for their situation. 

It also creates industry-wide variability, which has a knock-on effect of making the financial industry as a whole more resilient to money laundering threats. Because a bad actor can’t predict what AML procedures and systems a financial institution may have in place, someone who successfully launders money through one financial institution won’t necessarily be successful using those same strategies at another.

Instead of implementing a standard checklist of required processes, regulations advise financial institutions to take a risk-based approach to AML. But what exactly is a risk-based approach, and how do financial institutions go about putting one in place?

What is a risk-based approach to AML compliance?

A risk-based approach (RBA) is an AML process that is informed by a thorough and ongoing risk analysis, typically consisting of two prongs: an internal AML risk assessment and a customer risk assessment.

Through an internal AML risk assessment, a financial institution is able to determine the extent to which the business is exposed to various types of money laundering risk. The institution is then able to craft an AML strategy that best aligns with those risks. Businesses typically conduct risk assessments any time their risk profile changes — for example, if they launch a new product or service, merge with another institution, or expand into a new geography.

A customer risk assessment, on the other hand, is designed to evaluate the AML risk posed by each individual customer. The institution can then determine what type of due diligence (standard, simplified, or enhanced) is required to onboard or retain that customer. By taking a risk-based approach, the institution is able to customize the account creation process based on the risk signals they identify during onboarding.

Why is it important to have a risk-based approach to AML?

The bespoke nature of the risk-based approach allows financial institutions to allocate their AML resources in a way that is commensurate with the findings of their risk assessment. 

By embracing a risk-based approach to AML, financial institutions are forced to think critically about the different types and levels of money laundering risk that their business is exposed to vs. what types and levels they are willing to tolerate. This increases the internal awareness of those risks and ultimately allows for the implementation of a more nuanced AML strategy that is tailored to the unique strengths, weaknesses, and business opportunities of each institution.  

Finally, it should be noted that the concept of risk-based AML originated with the Financial Action Task Force (FATF), which in 2012 called it an “essential foundation” of all anti-money laundering frameworks. The FATF also stated that the risk-based approach is a prerequisite to complying with the organization’s 40 Recommendations.

How to implement a risk-based approach to AML

1. Conduct an AML risk assessment

The first step in implementing a risk-based approach is to conduct an internal AML risk assessment. The purpose of this assessment is to identify the types of money laundering risk your business is subject to, as well as the extent of this exposure. Product risk, service risk, customer risk, and geographic risk should all be thoroughly evaluated. 

In conducting your risk assessment, it’s important to consider the money laundering risk posed by a variety of factors, including:

  • Your target customer
  • The services and products you offer
  • The industry you operate within
  • The jurisdictions you operate within
  • The jurisdictions where your customers are located
  • Your average transaction volume
  • Your average transaction size
  • How you acquire customers
  • How you distribute your products and services
  • The number of customers you’ve already identified as high-risk
  • The findings of internal and third-party or regulatory audits

Armed with the insights gleaned from your risk assessment, it is now possible to compile a list of all of the known money laundering risks your organization is currently exposed to — and prioritize these risks based on the severity of your exposure to each.

2. Determine customer risk

In addition to measuring your organization’s institutional money laundering risk, you must also measure the amount of risk posed by each individual customer that attempts to open an account. This can be achieved by crafting KYC, CDD, identity verification, and transaction monitoring processes that are specifically designed to quantify money laundering risk.

Some questions to consider when assessing customer risk include:

  • What is the customer’s stated reason for opening an account?
  • What industry does the customer work in?
  • What is the customer’s nationality?
  • In what jurisdiction is the customer located?
  • Is the customer subject to sanctions?
  • Is the customer a politically exposed person (PEP)?
  • Does the customer have a record of financial crime?
  • What is the customer’s monthly or annual income, and how does this compare to their transaction volume?

3. Determine the best way to control for risk

Just as you wouldn’t try to fight all diseases with a single medication, you shouldn’t try to combat all money laundering risks with the same mitigation strategy. To be effective, risk mitigation must be tailored to the unique types of institutional and customer risk your organization is exposed to.

Therefore, once you have gone through the steps above, the next step is to determine the best means of controlling for each type of risk. Likewise, you must determine where these controls belong — for example, during customer onboarding vs. transaction monitoring vs. record-keeping and reporting, etc. 

What does a risk-based approach look like in action?

Once you have conducted your risk assessments and prioritized each risk your business is subject to, the findings of your assessment should trickle down into all of your AML and anti-fraud measures, including:

Know Your Customer 

What identity verification methods should you implement during customer onboarding so you will be able to accurately quantify and mitigate customer risk? The exact mix will vary from business to business but may include:

Customer due diligence

Not every customer poses the same level of money laundering risk to your organization. So why should they all go through the same due diligence process? Consider the different data and signals that you can collect during customer onboarding to evaluate customer risk and tailor your due diligence to each customer in real time. 

What does standard due diligence look like to your business? What about simplified due diligence and enhanced due diligence? Who qualifies for each of these flows?

AML screening checks

What supplemental reports or checks do you need to run during customer onboarding and in follow-up reviews to get a more comprehensive picture of customer risk and to ensure that you want to retain a customer? These may include:

Transaction monitoring

What solutions do you need to have in place to monitor customer transactions and other activity once they have been onboarded? What record-keeping and reporting policies are required to comply with the laws of the jurisdictions in which you operate and in which payments originate/are transmitted? What is the ideal ratio of automation vs. manual review for your business when suspicious activity is detected?


How Persona can help you embrace the risk-based approach

Here at Persona, we understand that no two businesses — and no two customers — have the same risk profile. With our fully-customizable suite of fintech identity solutions, you can tailor your onboarding flows to the realities of your business in order to follow the true spirit of the risk-based approach.

Implement the verification methods that best counter the specific risks your business is exposed to. Decide whether or not you need supplemental reports to enrich your AML and KYC processes. Leverage progressive risk segmentation to serve different flows to different customers based on how much risk you detect in real time.

Interested in learning more? Start for free or get a demo today.

Frequently asked questions

What is the first step in a risk-based approach to AML compliance?

The first step in implementing a risk-based approach to AML is to conduct an AML risk assessment. This assessment is designed to identify what types of money laundering risk a business is exposed to, as well as the extent of this exposure.

What are the main risk factors considered in an AML risk assessment?

Some of the most important factors considered during an AML risk assessment include the institution’s:

  • Size
  • Complexity
  • Transaction volume
  • Average transaction size
  • Country or region of operation
  • Target markets
  • Distribution channels
  • Internal audit findings

Who is a high-risk customer based on AML?

There is no single definition of what a “high-risk” customer looks like in regard to money laundering. The presence of certain risk signals may indicate that a customer carries greater risk. These include customers matching any one or more of the following:

  • With political exposure
  • Subject to sanctions
  • Based in or connected to high-risk countries
  • Operating in high-risk, cash-intensive industries
  • With a history of financial crimes
  • Whose accounts exhibit suspicious activity
  • With complex ownership or control structures

What are the core requirements of RBA?

In order to implement the risk-based approach, a financial institution must:

  • Conduct an AML risk assessment to determine the types of money laundering risk that the business is exposed to
  • Conduct a customer risk assessment to determine the money laundering risk posed by each customer
  • Implement mitigation measures tailored to the findings of the risk assessments 
  • Monitor customer transactions to identify suspicious activity and continuously reevaluate risk
