Ask what single idea holds modern anti-money laundering together and the answer is the risk-based approach (RBA). Rather than treating every customer and transaction identically, firms must direct their effort where the money-laundering and terrorist-financing risk is greatest — and ease off where it is genuinely low. It sounds simple. Done well it is powerful; done as a tick-box it fails completely.
What the risk-based approach is
The RBA accepts a basic truth: not all customers carry the same risk, and resources are finite. So the rules ask you to understand your risks and target your controls — applying enhanced measures to higher-risk relationships and simplified measures to genuinely lower-risk ones. Per FATF and the MLRs, this is mandatory, not optional.
- Lower risk: Simplified due diligence
- Standard risk: Standard customer due diligence
- Higher risk: Enhanced due diligence
The two levels of risk assessment
| | Business-wide risk assessment | Customer risk assessment |
|---|---|---|
| Question | What ML/TF risks does the firm face overall? | What risk does THIS customer present? |
| Looks at | Products, customers, geographies, channels | This customer's profile and behaviour |
| Required by | MLR reg. 18 | MLR reg. 27-28 (drives CDD level) |
| Output | The firm's risk appetite and control framework | The CDD tier applied to the customer |
The business-wide assessment shapes your policies; the customer assessment decides how much due diligence a given relationship needs.
The risk factors that matter
Risk is judged across recognised categories. No single factor decides it — you weigh them together.
| Category | Higher-risk examples |
|---|---|
| Customer | PEPs, complex ownership, cash-intensive business, reluctance to provide info |
| Product/service | Anonymity, ease of moving value, private banking, correspondent banking |
| Geography | High-risk third countries, weak AML regimes, sanctions exposure |
| Delivery channel | Non-face-to-face onboarding, intermediaries, rapid remote access |
Score the risk
For each customer, make the risk-based call: does this profile point to HIGHER risk (enhanced measures) or LOWER risk?
A politically exposed person from overseas, holding assets through layered offshore companies.
Why tick-box AML fails
- Assess the business: Document the ML/TF risks across your products, customers, geographies and channels.
- Set your framework: Build policies and controls proportionate to those risks.
- Assess each customer: Rate the risk of each relationship using the factor categories.
- Apply proportionate CDD: Simplified, standard or enhanced, matched to the rating.
- Monitor and reassess: Risk changes, so review ratings and controls over time.
- Document everything: Record the reasoning so a supervisor can follow it.
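The factor table, the "Score the risk" prompt and the "assess each customer / apply proportionate CDD" steps above describe one mechanism: weigh the flagged factors across the four categories, map the total to a CDD tier, and keep the reasoning. The following is an added illustration, not Probitas code or any regulator's methodology; the weights, thresholds and factor names are constructed assumptions, and the only input it scores is the page's own overseas-PEP example.

```python
from dataclasses import dataclass

# Constructed weights for illustration only; not taken from the MLRs, FATF guidance
# or any firm's methodology. Categories follow the factor table above.
FACTOR_WEIGHTS = {
    "customer": {"pep": 4, "complex_ownership": 2, "cash_intensive": 2,
                 "reluctant_to_provide_info": 2},
    "product": {"anonymity": 3, "easy_value_transfer": 2, "private_banking": 2,
                "correspondent_banking": 3},
    "geography": {"high_risk_third_country": 3, "weak_aml_regime": 2,
                  "sanctions_exposure": 3},
    "channel": {"non_face_to_face": 1, "intermediary": 1, "rapid_remote_access": 1},
}
# Constructed thresholds: total below `lower` -> simplified, `higher` or above -> enhanced.
THRESHOLDS = (1, 5)


@dataclass
class RiskAssessment:
    tier: str        # "simplified", "standard" or "enhanced" CDD
    score: int
    rationale: list  # one line per weighed factor, so a reviewer can follow the reasoning


def assess_customer(flags, thresholds=THRESHOLDS):
    """Weigh every flagged factor across the four categories and map the total to a CDD tier.

    `flags` maps a category name to the set of factor names present for this customer.
    Unknown categories or factors raise instead of being silently dropped, because a
    factor that never reaches the score is exactly the tick-box failure the text warns about.
    """
    score, rationale = 0, []
    for category, factors in flags.items():
        if category not in FACTOR_WEIGHTS:
            raise ValueError(f"unknown risk category {category!r}")
        for factor in sorted(factors):
            if factor not in FACTOR_WEIGHTS[category]:
                raise ValueError(f"unknown factor {factor!r} in category {category!r}")
            weight = FACTOR_WEIGHTS[category][factor]
            score += weight
            rationale.append(f"{category}: {factor} (+{weight})")
    lower, higher = thresholds
    tier = "enhanced" if score >= higher else "simplified" if score < lower else "standard"
    return RiskAssessment(tier, score, rationale)


# The page's own example: an overseas PEP holding assets through layered offshore companies.
# Geography is left unflagged because the text names no specific jurisdiction.
OVERSEAS_PEP = {"customer": {"pep", "complex_ownership"}, "geography": set()}
```

Calling `assess_customer(OVERSEAS_PEP)` returns the enhanced tier with the two customer factors recorded in `rationale`; a single channel factor on its own lands in the standard tier, which is the "no single factor decides it" point in practice.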
Where Probitas fits
A sound risk assessment needs evidence about the customer. A Probitas check screens individuals and companies against sanctions, PEP and adverse media sources and surfaces ownership and public-record signals — anchored to their source — feeding the customer-risk factors directly. The risk rating and controls remain your judgement.
What is the risk-based approach to AML?
It is the principle that firms should direct their anti-money-laundering effort according to risk — applying more scrutiny to higher-risk customers and transactions and less to genuinely lower-risk ones — rather than treating everyone identically.
Is the risk-based approach mandatory?
Yes. It is required by the Money Laundering Regulations and is the global standard set by FATF. Firms must carry out risk assessments and apply proportionate, risk-sensitive controls.
What are the main AML risk factors?
They cluster into four categories: customer (e.g. PEPs, opaque ownership, cash-intensive business), product or service (e.g. anonymity, ease of moving value), geography (e.g. high-risk jurisdictions), and delivery channel (e.g. non-face-to-face onboarding).
What is the difference between a business-wide and a customer risk assessment?
The business-wide assessment identifies the ML/TF risks the whole firm faces and shapes its policies. The customer risk assessment rates the risk of each individual relationship and determines the level of due diligence applied.
Why is a tick-box approach to AML criticised?
Because the risk-based approach requires genuine, evidenced judgement — assessing real factors and justifying decisions — not mechanically completing forms. A tick-box approach misses real risk and fails regulatory expectations.
Sources
This guide is written from primary sources. Each is linked below; claims in the text link to the specific reference they rely on.