How Does a Risk-Based Approach in AML Compliance Work?
- 01 What is a risk based approach in AML compliance?
- 02 What is the significance of a risk based approach in AML compliance?
- 03 What is the relationship between a risk-based approach, de-risking, and financial inclusion?
- 04 What are the basic elements of a risk-based approach?
- 05 Benefits of a risk-based approach in AML/Identity Verification
- 06 How to Smartly Use Regtech to Implement a Risk-Based Approach?
- 07 How Shufti Helps Businesses Achieve Both Goals of a Risk-Based Approach, Compliance & Efficiency
Selling a luxury car in a town where residents struggle with basic needs wastes everyone's time. The same happens in AML when a firm applies the same level of scrutiny to a low-risk salaried customer and to a high-exposure public official. The low-risk person hits needless friction, while the higher-risk profile can slip through controls that were never designed to catch it. A uniform standard sounds fair, but in risk management, applying equal control to every risk is not an effective strategy.
Controls implemented to comply with KYC/AML regulations must be proportionate to the level of risk exposure. That is the core of the risk-based approach (RBA) to AML.
What is a risk based approach in AML compliance?
A risk-based approach (RBA) means a business identifies where its money-laundering and terrorist-financing (ML/TF) risks are highest and applies proportionate controls: stronger scrutiny where risk is high, lighter scrutiny where risk is low. The idea that now sits at the heart of global AML standards took root in UK regulation under the Financial Services Authority (FSA), the predecessor of today's FCA. In January 2000, its paper A New Regulator for the New Millennium set out a risk-focused model for allocating supervisory effort.
A few years later, the Financial Action Task Force (FATF) formalized the RBA at the global level. FATF issued high-level RBA principles in 2007, followed by sector-specific guidance (casinos in 2008, the banking sector in 2014), and embedded the RBA as a cornerstone of the 2012 FATF Recommendations.
What is the significance of a risk based approach in AML compliance?
Businesses must balance limited resources against rapid regulatory changes and shifting market demands. In this volatile setting, risk is not uniform; it varies by customer, product, and region.
A Risk-Based Approach (RBA) addresses this by directing finite people, technology, and time specifically toward the highest risks. This strategy ensures controls are both effective and efficient, allowing compliance to adapt to new standards without major new costs. This targeted focus is exactly what supervisors look for during risk-focused audits.
The RBA is even more critical for large institutions, such as banks operating across multiple jurisdictions with diverse regulations, which already spend a sizable share of their budgets on compliance.
This matters now because one-size-fits-all controls push institutions toward blanket "de-risking" that shuts out whole categories of customers. That approach is not only ineffective at implementing AML laws; it also pushes de-risked customers outside the monitoring net and toward informal or illegal channels for their financial needs, and it sets back the broader cause of financial inclusion. Recent U.S. Treasury and FinCEN materials stress that AML programs should be risk-based, not categorical, precisely to avoid those harms.
What is the relationship between a risk-based approach, de-risking, and financial inclusion?
Proportionality is the basic principle behind the RBA, and tailored controls are what allow it to support financial inclusion. In practice, however, the RBA has often not been implemented as intended, leading to the denial of financial services to marginalized communities. Non-profit organisations (NPOs) were also affected, hindering the delivery of humanitarian work.

In 2014, the FATF plenary discussed these consequences and clarified that de-risking should never be an excuse for avoiding a risk-based approach. FATF further noted that the RBA does not mean declining services to whole categories of customers because they are considered higher risk; decisions must be made on a case-by-case basis. De-risking is the opposite of what a risk-based approach means.
Higher compliance costs or lower profitability alone do not justify wholesale de-risking. In 2024, FinCEN's proposed rulemaking encouraged firms to use innovative techniques, including artificial intelligence, to reduce compliance costs and improve efficiency, another step toward FinCEN's policy goal of promoting financial inclusion by extending services to the underbanked.
This is also how businesses should operationalize a "no de-risking" strategy: terminate a relationship only when its specific risks cannot be mitigated, assessed case by case.
What are the basic elements of a risk-based approach?
Risk Assessment
The risk assessment process is the bedrock of a risk-based approach. Only when a firm understands where risk concentrates can it apply proportionate controls and monitor their effectiveness.

Some products and services, customers, delivery channels, and geographies present higher ML/TF risks than others. Businesses should identify the inherent risks in each category relevant to their size and complexity, and score each identified risk by likelihood and impact on a scale applied consistently across categories. For example, a bank handling a significant volume of cross-border transfers carries higher inherent risk than a small bank serving only domestic clients with no international transfers.
Firms should also take into account results from national or sectoral risk assessments to inform their business-wide risk assessment process. A firm should update its risk assessment as material changes occur in its products, customers, or jurisdictional reach.
Risk Mitigation
After identifying the AML risks it faces, a business must choose proportionate controls that actually reduce each risk to a level within its risk appetite (the amount of residual risk the firm is willing to accept).
A business that is likely to handle payments to or from sanctioned entities needs real-time sanctions screening of customers, counterparties, and payment corridors. A fintech platform that onboards customers remotely needs controls such as biometric verification, liveness detection, and document validation to mitigate first-party fraud, deepfakes, synthetic identities, impersonation, and presentation attacks. Both are examples of risk mitigation under an RBA.
Firms should track metrics that measure the performance of mitigation controls to know if the AML risk-based approach is really working as intended. Based on their function, controls can be divided into two categories:
- Prevention Controls: These stop a risk from materializing in the first place. Examples are identity verification and KYC/Know Your Business procedures at onboarding; sanctions, PEP, and adverse media screening at onboarding; biometrics and liveness detection for remote onboarding; and risk-based customer due diligence.
- Detection Controls: These identify risks that slipped through preventive controls or arise later in the relationship. Examples are ongoing transaction monitoring, adverse media monitoring, real-time sanctions and PEP screening triggered by list changes, and periodic KYC refreshes.
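The "reaction to list changes" detection control above is usually implemented as delta-screening: when a sanctions list publisher issues a new version, only the entries that were added or changed are screened against the active customer base, and existing hits whose entry was delisted are routed to an analyst rather than silently kept or dropped. The following is an added example, not Shufti's code or any vendor's product logic; the list snapshots, customer records, entry identifiers (SDN-001 etc.) and the token-set matching rule are all constructed for illustration.

```python
"""Delta-screening: re-screen active customers only against what changed in a
sanctions list between two snapshots, and flag existing hits whose list entry
disappeared so an analyst can decide whether to lift the block.

Added example; list snapshots and customers below are constructed, not real data.
"""
import re
import unicodedata
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Fold accents, case and punctuation so 'José Pérez-López' == 'jose perez lopez'."""
    folded = "".join(c for c in unicodedata.normalize("NFKD", name)
                     if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z0-9]+", " ", folded.lower()).split())


@dataclass(frozen=True)
class ListEntry:
    uid: str            # stable identifier assigned by the list publisher
    names: frozenset    # normalized primary name plus aliases


def build_index(snapshot):
    """snapshot: iterable of (uid, [name, alias, ...]) -> {uid: ListEntry}."""
    return {uid: ListEntry(uid, frozenset(normalize(n) for n in names))
            for uid, names in snapshot}


def list_delta(old, new):
    """Split the new snapshot into added, changed (aliases differ) and removed entries."""
    added = [new[u] for u in sorted(new.keys() - old.keys())]
    removed = [old[u] for u in sorted(old.keys() - new.keys())]
    changed = [new[u] for u in sorted(new.keys() & old.keys())
               if new[u].names != old[u].names]
    return added, changed, removed


def matches(customer_name: str, entry: ListEntry) -> bool:
    """Exact normalized match, or identical token set (catches 'Petrov Ivan' vs 'Ivan Petrov')."""
    c = normalize(customer_name)
    tokens = set(c.split())
    return any(c == n or (tokens and tokens == set(n.split())) for n in entry.names)


def delta_screen(customers, old_snapshot, new_snapshot, existing_hits):
    """Screen only active customers, only against added/changed entries.

    customers: list of {"id", "name", "active"}; existing_hits: {customer_id: set(uid)}
    from the last full screening run. Returns counts, new hits and hits needing review.
    """
    old, new = build_index(old_snapshot), build_index(new_snapshot)
    added, changed, removed = list_delta(old, new)
    to_screen = added + changed
    active = [c for c in customers if c["active"]]
    by_id = {c["id"]: c for c in customers}

    new_hits = {}
    for cust in active:
        hits = {e.uid for e in to_screen if matches(cust["name"], e)}
        if hits:
            new_hits[cust["id"]] = hits

    # Existing hits whose entry was delisted, or whose entry changed so the customer
    # no longer matches, go to review: never auto-lift or auto-keep a sanctions block.
    removed_uids = {e.uid for e in removed}
    changed_uids = {e.uid for e in changed}
    review = {}
    for cid, uids in existing_hits.items():
        stale = {u for u in uids
                 if u in removed_uids
                 or (u in changed_uids and not matches(by_id[cid]["name"], new[u]))}
        if stale:
            review[cid] = stale
    return {"screened": len(active), "delta_entries": len(to_screen),
            "new_hits": new_hits, "review_lifts": review}


# Constructed snapshots: SDN-001 gains an alias, SDN-002 is delisted, SDN-004 is new.
OLD_LIST = [("SDN-001", ["Ivan Petrov"]), ("SDN-002", ["Acme Trading LLC"]),
            ("SDN-003", ["Jose Perez Lopez"])]
NEW_LIST = [("SDN-001", ["Ivan Petrov", "Ivan Petroff"]), ("SDN-003", ["Jose Perez Lopez"]),
            ("SDN-004", ["Global Shipping Co"])]
CUSTOMERS = [
    {"id": "C1", "name": "Global Shipping Co.", "active": True},   # hits the new entry
    {"id": "C2", "name": "Ivan Petroff", "active": True},          # hits the new alias only
    {"id": "C3", "name": "Acme Trading LLC", "active": True},      # old hit, entry delisted
    {"id": "C4", "name": "José Pérez-López", "active": False},     # unchanged entry, not rescreened
    {"id": "C5", "name": "Global Shipping Co", "active": False},   # inactive: out of scope
]
EXISTING_HITS = {"C3": {"SDN-002"}}

if __name__ == "__main__":
    print(delta_screen(CUSTOMERS, OLD_LIST, NEW_LIST, EXISTING_HITS))
```

Two design points matter for the coverage metric discussed later on the page: the function screens every active customer against the delta (so "100% delta-screening across active customers" is measurable as `screened` versus the active population), and a changed entry is treated as new for matching purposes, because an added alias can create a hit that the previous full screening could not have produced.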
Businesses should set measurable targets for each control to track how the risk-based approach is performing. For example, where remote onboarding combines a liveness check with a document authenticity check, targets could be:
- 95% of onboarding decisions returned in under 30 seconds
- 100% of remotely onboarded customers subjected to both the liveness and the document authenticity check (a coverage target; the pass rate is a separate metric)
Internal Controls, Governance, and Monitoring
Businesses should maintain documented policies, segregation of duties, QA and validation of models, periodic threshold reviews, and an exception register in which every exception carries an expiry date. RBA performance should be tracked through alert outcomes, suspicious activity reports (SARs), and the SAR-to-alert ratio, together with periodic and event-driven reviews of higher-risk customers.
Benefits of a risk-based approach in AML/Identity Verification
- Better customer experience: Proportionate controls mean low-risk users face fewer steps, so fewer legitimate users are wrongly rejected: a lower false rejection rate (FRR) and, equivalently, a higher true acceptance rate (TAR).
- Sharper risk control: Stricter controls for higher-risk cases lower the false acceptance rate (FAR) without blocking the many legitimate customers.
- Efficient operations: Fewer false positives reduce workload and free compliance resources for the cases that genuinely need escalation, resulting in faster time-to-decision. Faster decisions and fewer false rejections also mean fewer customer drop-offs and improved revenue.
- Regulatory confidence: Risk-based AML compliance is an evidence-first approach that examiners can trace from risk to control to outcome.
How to Smartly Use Regtech to Implement a Risk-Based Approach?
Identity verification is central to any know your customer (KYC) flow. The right KYC tool for a risk-based approach is therefore one that lets you configure the identity verification flow to your own risk exposure and risk appetite. This not only defends against threats such as synthetic identities and impersonation fraud, but also lets more legitimate users onboard smoothly, helping your business contribute to financial inclusion.
When implementing a risk-based approach, institutions should avoid:
- Data gaps: fragmented identity, transaction, and device data reduce the effectiveness of every control that depends on them.
- One-size-fits-all policies: applying a uniform transaction threshold to all customers produces backlogs, poor results, and unnecessary friction.
- De-risking entire customer segments: this conflicts with FATF's RBA intent and leads to financial exclusion.
- Measuring activity instead of outcomes: alert and review counts alone say nothing about SAR conversion, SLA breaches, residual risk, or the recall and precision of screening systems.
Track the following metrics to determine if your risk-based approach is working as intended:
- Screening results: is the system catching true risks without drowning in false positives?
  - Recall (% of true matches identified by the system)
  - Precision (% of alerts flagged by the system that are true matches)
  - Track both separately for each customer segment; a blended figure hides a poorly tuned segment
- Alert quality: do alerts lead to quality cases and timely SARs?
  - Alert-to-SAR conversion and time-to-file
- High-risk reviews: are they thorough and fast?
  - Enhanced due diligence (EDD) cycle time and completion rate
- Coverage and SLA for preventive controls
  - e.g., sanctions list refreshed within 2 hours of publication, and 100% delta-screening (screening only against changes in the lists) across active customers
- Residual risk: are the top risks trending down after control changes?
  - Track the residual risk trend per risk category
- FAR/FRR and TAR, tracked separately for higher- and lower-risk customers
  - Tune controls to the FAR/FRR and TAR appropriate to each customer segment
  - One-size-fits-all controls raise both false acceptance and false rejection rates, costing revenue and increasing fraud exposure
  - Be able to demonstrate that low-risk customers enjoy a high true acceptance rate while high-risk customers face proportionate friction
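The metrics above only become evidence when they are computed per segment and compared against the targets set for that segment. The following is an added example, not Shufti's code or reporting, showing how precision, recall, alert-to-SAR conversion, median time-to-file, and TAR/FRR/FAR are derived from investigation outcomes and onboarding decisions, and how segment-specific targets are checked. The records, the segment names, and the target thresholds are constructed for illustration; the only assumption worth noting is that "true match" and "genuine applicant" are known from investigation or lookback, which is what makes recall measurable at all.

```python
"""Outcome metrics for a risk-based programme, computed per customer segment.

Added example with constructed records; not vendor code and not real figures.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class ScreeningRecord:
    segment: str                 # risk tier the customer was assigned
    alerted: bool                # screening system raised an alert
    true_match: bool             # investigation (or lookback) confirmed a genuine risk
    sar_filed: bool
    hours_to_file: Optional[float] = None   # alert -> SAR filing time, if filed


@dataclass
class OnboardingRecord:
    segment: str
    genuine: bool                # ground truth: legitimate applicant
    accepted: bool               # decision the onboarding controls produced


def safe_rate(num, den):
    """Rounded ratio, or None when there is nothing to measure (never a silent 0%)."""
    return round(num / den, 3) if den else None


def screening_metrics(records):
    out = {}
    for seg in sorted({r.segment for r in records}):
        rs = [r for r in records if r.segment == seg]
        tp = sum(1 for r in rs if r.alerted and r.true_match)
        fp = sum(1 for r in rs if r.alerted and not r.true_match)
        fn = sum(1 for r in rs if not r.alerted and r.true_match)  # misses only known via lookback
        sars = [r for r in rs if r.sar_filed]
        out[seg] = {
            "precision": safe_rate(tp, tp + fp),
            "recall": safe_rate(tp, tp + fn),
            "alert_to_sar": safe_rate(len(sars), tp + fp),
            "median_hours_to_file": median(r.hours_to_file for r in sars) if sars else None,
        }
    return out


def onboarding_metrics(records):
    out = {}
    for seg in sorted({r.segment for r in records}):
        rs = [r for r in records if r.segment == seg]
        genuine = [r for r in rs if r.genuine]
        fraud = [r for r in rs if not r.genuine]
        out[seg] = {
            "TAR": safe_rate(sum(1 for r in genuine if r.accepted), len(genuine)),
            "FRR": safe_rate(sum(1 for r in genuine if not r.accepted), len(genuine)),
            "FAR": safe_rate(sum(1 for r in fraud if r.accepted), len(fraud)),
        }
    return out


def check_targets(metrics, targets):
    """targets: {segment: {metric: ("min"|"max", bound)}} -> list of breaches.

    A metric that could not be computed is reported as a breach: a control you
    cannot measure is a control you cannot evidence to an examiner.
    """
    breaches = []
    for seg, reqs in targets.items():
        for metric, (kind, bound) in reqs.items():
            value = metrics.get(seg, {}).get(metric)
            if value is None or (kind == "min" and value < bound) or (kind == "max" and value > bound):
                breaches.append((seg, metric, value, bound))
    return breaches


# Constructed sample; the "medium" segment has no alerts, so its rates must come out as None.
SCREENING = [
    ScreeningRecord("low", True, False, False), ScreeningRecord("low", True, True, True, 20.0),
    ScreeningRecord("low", False, False, False), ScreeningRecord("low", False, False, False),
    ScreeningRecord("low", True, False, False),
    ScreeningRecord("high", True, True, True, 36.0), ScreeningRecord("high", True, True, True, 60.0),
    ScreeningRecord("high", True, False, False), ScreeningRecord("high", False, True, False),
    ScreeningRecord("medium", False, False, False),
]
ONBOARDING = (
    [OnboardingRecord("low", True, True)] * 19 + [OnboardingRecord("low", True, False)]
    + [OnboardingRecord("low", False, True)] + [OnboardingRecord("low", False, False)] * 3
    + [OnboardingRecord("high", True, True)] * 6 + [OnboardingRecord("high", True, False)] * 2
    + [OnboardingRecord("high", False, False)] * 4
)
# Proportionate targets (constructed): low-risk tuned for acceptance, high-risk for low FAR.
TARGETS = {"low": {"TAR": ("min", 0.95), "FAR": ("max", 0.30)},
           "high": {"TAR": ("min", 0.80), "FAR": ("max", 0.05)}}

if __name__ == "__main__":
    print(screening_metrics(SCREENING))
    print(onboarding_metrics(ONBOARDING))
    print(check_targets(onboarding_metrics(ONBOARDING), TARGETS))
```

Run as-is, the low-risk segment meets its acceptance target while the high-risk segment breaches its TAR floor, which is the kind of finding that should trigger a threshold review rather than a blanket loosening of controls across all segments. Returning None instead of 0 for segments without alerts is deliberate: a segment with no alerts and no known misses has not been shown to be clean, only unmeasured.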
How Shufti Helps Businesses Achieve Both Goals of a Risk-Based Approach, Compliance & Efficiency
Implementing a risk-based approach isn’t just about compliance — it’s about precision. It ensures that genuine customers experience seamless onboarding, while higher-risk activities face proportionate scrutiny.
Shufti empowers financial institutions to achieve this balance through configurable Know Your Customer journeys, jurisdiction-specific identity verification logic, and advanced screening tools. Its no-code design and adaptive verification flow enable compliance teams to match each control precisely to the risk at hand, achieving both compliance and customer satisfaction.
Learn how Shufti helps financial institutions operationalize RBA to achieve measurable compliance and efficiency. Request a demo!
Frequently Asked Questions
What is a risk based approach?
A risk based approach (RBA) is a methodology that allows organizations to allocate resources and implement controls in proportion to the level of risk they face. Instead of applying the same procedures to every customer or transaction, firms assess the potential exposure to financial crime and apply stricter or lighter measures accordingly.
What is a risk based approach to money laundering?
A risk based approach to money laundering means identifying, assessing, and mitigating money laundering and terrorist financing (ML/TF) risks based on their likelihood and impact.
What is a risk based approach in compliance?
In compliance, a risk based approach ensures that an organization’s policies, procedures, and monitoring systems are tailored to its specific risk profile, rather than a one-size-fits-all framework.