Risk-Based Approach Adoption

Anti-Financial Crime

Introduction

The Risk-Based Approach (RBA) is a foundational principle in modern anti-money laundering (AML) frameworks. It is about understanding the risks of money laundering and terrorist financing (ML/TF) within a business. By identifying and assessing these risks, the RBA supports an allocation of resources to combat ML/TF that is both effective and efficient. This approach ensures that the greatest attention and resources are directed to areas posing the highest risks, fostering a focus on effectiveness and meaningful impact rather than a mere “tick-box” compliance mentality.

At its core, the RBA involves adopting risk management practices tailored to the dynamic and evolving nature of ML/TF risks. On a national level, governments conduct comprehensive risk assessments to identify and prioritize threats, vulnerabilities, and risks at a macro level. At the institutional level, Obliged Entities (OEs) are required to continuously assess their exposure to ML/TF risks by analysing customers, products, distribution channels, and geographic areas of operation. These risks are not static; they evolve over time due to changes in criminal techniques, economic conditions, and regulatory landscapes.

Following a thorough risk assessment, the identified risks should be evaluated to flag high-risk areas that require more intense mitigative measures and a larger portion of available resources. Once this is done, mitigative measures should be implemented to manage the identified risks, prioritizing those with the highest inherent risk. These mitigative measures can generally be classified as either preventive, such as customer due diligence, or detective, such as transaction monitoring and suspicious activity reporting. The intensity of these measures can be defined by the type or frequency of controls. For instance, high-risk customers require enhanced due diligence and more frequent monitoring, while low-risk customers may undergo simplified due diligence and less frequent monitoring.

From an operational perspective, the implications of the RBA can be observed in the following controls and processes within an AML framework:

  • Risk Assessment: Conducting an enterprise-wide risk assessment is a foundational step where obliged entities identify and evaluate ML/TF risks. This assessment informs the prioritization of resources and the design of mitigation strategies.
  • Customer Due Diligence (CDD): Implementing tailored approaches for customer risk rating, which may involve Enhanced Due Diligence (EDD) for higher-risk customers and Simplified Due Diligence (SDD) for lower-risk ones.
  • Transaction Monitoring: Utilizing dynamic systems to detect unusual or suspicious patterns of behaviour. Findings may lead to re-rating customer risk profiles or filing Suspicious Transaction Reports (STRs). High-risk areas often require more frequent and detailed analyses.
  • Governance: Establishing strong oversight mechanisms in high-risk areas, implementing targeted employee training programs, and allocating additional resources to address significant threats.
  • Audit and Controls: Planning audit intervals, scope, and focus based on identified high-risk areas and ensuring, through audit mechanisms, that controls are proportional to the assessed risks.

What are the challenges?

The RBA has been endorsed by the FATF and subsequently encouraged in most AML regulatory frameworks. While some may perceive it as an easier option due to the absence of fixed criteria and its reliance on expert judgment to identify areas of higher risk, it is not as simple as it seems: it introduces numerous challenges, requiring a deep understanding of risks, constant vigilance, and the ability to adapt to evolving threats and circumstances. Assuming it is a simple alternative to distributing efforts equally across all risk areas reflects a misunderstanding of the robust and dynamic nature of this approach.

The RBA leads to diversity in practice, which fosters innovation but also inconsistency in the implementation of regulatory requirements. Each OE might have its own unique interpretation of what higher risk means or how these higher risks are to be effectively mitigated, making them difficult to evaluate in terms of regulatory compliance.

The RBA relies on highly trained employees with a deep understanding of ML/TF risks who can make fair and sound judgments. To succeed, these professionals need timely, accurate data combined with their expertise. Without these elements, the RBA could become a source of risk itself, falling far short of achieving its intended goals.

Where is it not applicable?

Given the complexity of the RBA, it is important to note that certain circumstances do not allow for its application. These include: a) asset freezing, if required by law; b) reporting of suspicious transactions, although identification of suspicious activities relies heavily on the RBA; c) identification and verification of identities; and d) certain forms of monitoring essential for the categorization of customers into low-risk profiles.

RBA in the context of EU AML regulatory framework

In principle, the EU AML regulation has always been in the spirit of the risk-based approach. However, the new AML package places even greater emphasis on its implementation. Under this new framework, AMLA (the EU Anti-Money Laundering Authority) will issue technical standards and guidelines to ensure the effective application of the RBA across EU, national, and institutional levels. This includes oversight mechanisms where local supervisors will use risk profiles to determine the frequency and intensity of inspections for obliged institutions. These measures align closely with FATF recommendations, promoting proportionality in AML efforts and ensuring that resources are directed toward higher-risk areas. Additionally, the package highlights the need for Member States and financial institutions to dynamically assess risks and prioritize mitigating those that pose the greatest threats. At the institutional level, this includes developing systems that focus on high-risk customers and activities, which is critical to the successful implementation of a robust RBA.

Conclusion

The RBA represents a significant evolution in anti-money laundering frameworks, shifting the focus from rigid compliance to dynamic, risk-sensitive practices. By directing attention and resources to areas of higher risk, the RBA enhances the efficiency and effectiveness of AML efforts and avoids overcompliance. However, truly implementing the RBA can be challenging and requires a deep understanding of money-laundering risks, mitigative measures and regulatory frameworks. Obliged entities must not only develop this expertise but also apply it practically to integrate the RBA into their policies and procedures effectively. This integration often requires a maturity cycle and cannot happen overnight. Engaging experienced professionals initially is a strategic step to not only establish a risk-based AML framework but also to ensure that essential knowledge is transferred to employees for long-term success.

At WIACON, we have developed the knowledge and expertise necessary through extensive hands-on experience. Our team is skilled at identifying money laundering threats and presenting effective strategies to mitigate them. We are ready to support obliged entities of all kinds in navigating the complexities of the RBA, helping them leverage its benefits without being overwhelmed by its challenges. 


Sources:

FATF (2007), FATF Guidance on the Risk-Based Approach to Combating Money Laundering and Terrorist Financing, High Level Principles and Procedures

FATF (2014), FATF Guidance for a Risk-Based Approach, The Banking Sector

European Union Anti-Money Laundering and Countering the Financing of Terrorism Legislative Package, 2024

 
