Building a Risk-Based AML Programme: Step-by-Step Guide

Quick Answer

A risk-based AML programme is built in eight steps: (1) conduct and document a firm-wide risk assessment, (2) design CDD procedures calibrated to the risk assessment outputs, (3) establish customer risk rating criteria and apply them consistently at onboarding, (4) design and deploy a transaction monitoring programme matched to the firm's risk profile, (5) implement PEP and sanctions screening with ongoing re-screening, (6) establish a SAR process with a competent MLRO, (7) build governance and oversight structures including board reporting and independent audit, and (8) implement a staff training programme tailored to the firm's specific AML risks. Every element must be documented, regularly reviewed, and capable of being demonstrated to a regulator.

The risk-based approach is the conceptual foundation of every modern AML framework — MLR 2017, AMLD 6, and the BSA all require compliance programmes to be proportionate to the actual risks the firm faces. But understanding the principle is easier than implementing it. The risk-based approach requires not just that controls exist, but that they are specifically calibrated to identified risks, that the calibration can be explained and justified, and that it is regularly reviewed as risks evolve.

This guide provides a step-by-step framework for building a risk-based AML programme that meets FCA, FATF, and FinCEN expectations — from the foundational risk assessment through to the governance structures that demonstrate ongoing programme effectiveness.

Step 1: Conduct the Firm-Wide Risk Assessment

The firm-wide risk assessment is not a box-ticking exercise. It is the analytical foundation from which every other element of the programme must flow. A well-constructed risk assessment should examine the firm's exposure to money laundering and terrorist financing risk across five dimensions:

  • Customer risk — who are the firm's customers? What industries, geographies, and legal structures do they represent? What proportion are PEPs, corporates with complex ownership structures, or customers from high-risk jurisdictions?
  • Product and service risk — which of the firm's products and services present the highest inherent money laundering risk? High-value, high-liquidity, or anonymous products carry more risk than simple, transparent services.
  • Delivery channel risk — does the firm operate through intermediaries, digital channels, or non-face-to-face arrangements that reduce the effectiveness of standard identity verification?
  • Geographic risk — does the firm have exposure to customers or counterparties from jurisdictions with weak AML regimes, high levels of corruption, or active FATF monitoring?
  • Transaction risk — what types of transactions does the firm process? High-value cash transactions, cross-border wire transfers, and complex multi-entity transactions carry higher inherent risk than standard domestic payments.

The risk assessment must produce a documented, risk-rated output — identifying which areas of the business carry high, medium, and low inherent risk — and must be signed off by senior management. It must be updated at least annually and whenever material changes occur in the business.

FCA POINT

The FCA's Financial Crime Guide emphasises that the firm-wide risk assessment must genuinely reflect the firm's actual business — not be a generic document that could have been written by any firm in the same sector. Supervisory visits frequently reveal risk assessments that describe the business at inception rather than as it currently operates, or that have not been updated to reflect new products, new customer segments, or geographic expansion. A stale risk assessment is treated as evidence of inadequate compliance governance.

Step 2: Design CDD Procedures Calibrated to the Risk Assessment

Once the risk assessment is complete, the CDD procedures must be designed to deliver proportionate verification for each customer risk tier. This means defining explicitly: what documents and data are required for standard-risk customers, what additional requirements apply to medium-risk customers, and what EDD triggers and requirements apply to high-risk customers.

The customer onboarding process must implement these tiered requirements consistently — applying standard CDD to all customers as a baseline, and automatically escalating to EDD when the customer's risk profile triggers the relevant criteria. The triggers must be objective and documented: PEP status, high-risk jurisdiction of residence, complex corporate structure, transaction volume above defined threshold, or industry sector classification.

Step 3: Establish and Apply a Customer Risk Rating

Every customer must be assigned a risk rating at onboarding — low, medium, or high — based on the risk factors identified in the CDD process. The risk rating determines the monitoring intensity applied to the customer's transactions, the frequency of periodic CDD review, and the threshold for escalating unusual activity to the MLRO.

The risk rating criteria must be documented in the AML policy and applied consistently. A compliance officer who cannot explain why a specific customer was rated at a specific risk level — or why two superficially similar customers received different ratings — cannot demonstrate that the rating process is genuinely risk-based rather than arbitrary.

Risk ratings must be dynamic, not static. The rating assigned at onboarding must be reviewed when the customer's circumstances change, when transaction behaviour deviates significantly from the expected profile, or as part of the scheduled periodic review cycle. A customer who was a standard-risk retail investor at onboarding five years ago may now be the beneficial owner of a complex corporate structure requiring a completely different compliance approach.
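The tiered CDD triggers of Step 2 and the explainable rating of Step 3 can be expressed as one documented criteria table that the onboarding system evaluates for every customer. The block below is an added illustration, not One Constellation's code; the jurisdiction codes, sector labels, volume threshold, point weights and review cycles are constructed placeholders that a firm would replace with the outputs of its own Step 1 risk assessment.

```python
from dataclasses import dataclass

# Constructed placeholders: the firm-wide risk assessment decides the real contents.
HIGH_RISK_JURISDICTIONS = {"ZZ", "QQ"}
HIGH_RISK_SECTORS = {"sector-a", "sector-b"}
VOLUME_THRESHOLD = 250_000          # expected annual volume above which risk is elevated
REVIEW_CYCLE_MONTHS = {"low": 36, "medium": 24, "high": 12}  # periodic CDD review frequency

@dataclass(frozen=True)
class Customer:
    customer_id: str
    is_pep: bool = False
    residence: str = ""               # ISO-style country code, constructed values in tests
    ownership_layers: int = 1         # depth of the ownership chain to the beneficial owner
    expected_annual_volume: int = 0
    sector: str = ""

# Documented criteria: (name as it appears in the AML policy, test, points, forces EDD).
# Keeping the names here is what lets the MLRO explain a rating to a regulator.
CRITERIA = [
    ("PEP status", lambda c: c.is_pep, 4, True),
    ("High-risk jurisdiction of residence", lambda c: c.residence in HIGH_RISK_JURISDICTIONS, 3, True),
    ("Complex corporate structure", lambda c: c.ownership_layers >= 3, 2, False),
    ("Expected volume above threshold", lambda c: c.expected_annual_volume > VOLUME_THRESHOLD, 2, False),
    ("High-risk industry sector", lambda c: c.sector in HIGH_RISK_SECTORS, 2, False),
]

@dataclass
class RiskRating:
    rating: str          # "low", "medium" or "high"
    score: int
    reasons: list        # criteria that fired, in policy wording
    edd_required: bool   # high-risk customers escalate to EDD automatically
    review_months: int

def rate_customer(c: Customer) -> RiskRating:
    """Apply the documented criteria and return the rating with its justification."""
    score, reasons, forced = 0, [], False
    for name, test, points, forces_edd in CRITERIA:
        if test(c):
            score += points
            reasons.append(name)
            forced = forced or forces_edd
    if forced or score >= 4:
        rating = "high"
    elif score >= 2:
        rating = "medium"
    else:
        rating = "low"
    return RiskRating(rating, score, reasons, rating == "high", REVIEW_CYCLE_MONTHS[rating])
```

Re-running `rate_customer` on a refreshed `Customer` record at each periodic review or change event is what keeps the rating dynamic rather than fixed at onboarding.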

Step 4: Design and Deploy Transaction Monitoring Matched to Your Risk Profile

The transaction monitoring programme must be designed around the risk profile identified in Step 1, not around a generic scenario library. The scenarios deployed must reflect the actual money laundering typologies relevant to the firm's customer base and product mix. The thresholds must be calibrated to produce an alert volume that the compliance team can investigate to an adequate standard of quality.

One Constellation's transaction monitoring platform provides a configurable scenario library with built-in calibration tools — allowing compliance teams to tune thresholds against historical transaction data before deployment and to monitor alert quality metrics in production to identify scenarios requiring adjustment.

The monitoring programme must be documented in a Transaction Monitoring Policy that covers: the scenarios deployed and the rationale for their selection, the thresholds applied and the rationale for those thresholds, the process for reviewing and updating scenarios and thresholds, the alert investigation workflow, and the escalation path from alert to MLRO review to SAR filing.
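Two of the calibration activities described above, tuning a threshold against historical data so the alert volume stays within what the team can investigate and flagging scenarios whose production alert quality has dropped, are shown in the added example below. It is illustrative code, not One Constellation's platform; the transaction history, capacity figures, scenario names and the escalation-rate floor are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    month: str      # "YYYY-MM"
    amount: float

@dataclass(frozen=True)
class AlertOutcome:
    scenario: str
    outcome: str    # "closed", "escalated" (to MLRO) or "sar" (filed)

def alerts_per_month(history, threshold):
    """Alert count each month if the high-value scenario fired at `threshold`."""
    return Counter(t.month for t in history if t.amount >= threshold)

def calibrate_threshold(history, max_alerts_per_month, candidates):
    """Lowest documented candidate threshold whose busiest month fits analyst capacity.

    Returns None when no candidate fits: capacity or the scenario itself needs revisiting,
    which should be recorded in the Transaction Monitoring Policy rather than silently raised.
    """
    for threshold in sorted(candidates):
        busiest = max(alerts_per_month(history, threshold).values(), default=0)
        if busiest <= max_alerts_per_month:
            return threshold
    return None

def scenarios_needing_review(outcomes, min_escalation_rate):
    """Scenarios whose share of alerts reaching the MLRO falls below the documented floor."""
    totals = Counter(o.scenario for o in outcomes)
    useful = Counter(o.scenario for o in outcomes if o.outcome in ("escalated", "sar"))
    return sorted(s for s, n in totals.items() if useful[s] / n < min_escalation_rate)

# Constructed sample data: two months of historical amounts and a batch of alert outcomes.
HISTORY = ([Txn("2024-01", a) for a in (500, 2_000, 12_000, 25_000, 60_000)]
           + [Txn("2024-02", a) for a in (800, 9_000, 11_000, 30_000, 45_000, 70_000)])
OUTCOMES = ([AlertOutcome("high_value", o) for o in ("closed", "escalated", "sar")]
            + [AlertOutcome("cross_border", "closed")] * 4
            + [AlertOutcome("cross_border", "escalated")])
```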

Step 5: Implement PEP and Sanctions Screening

PEP and sanctions screening must be applied at onboarding and on an ongoing basis throughout every customer relationship. Ongoing screening is non-negotiable — a customer who was not a PEP at onboarding may become one during the relationship, and sanctions lists are updated continuously with new designations that existing customers may match.

The screening programme must cover: all customers and beneficial owners at onboarding, all customers and beneficial owners on an ongoing re-screening cycle, and transaction counterparties where identifiable. For firms using manual screening, the coverage and consistency required to meet this standard are operationally unsustainable at any significant customer volume — automated screening is the only practical solution.

Step 6: Establish the SAR Process and MLRO Function

The SAR process must provide a clear, documented pathway from initial suspicion to MLRO review to NCA (or FinCEN) filing. This includes: an internal escalation process for staff who identify suspicious activity, a case management environment where the investigation is documented, the MLRO's review and decision process, and the filing mechanism. Every step must be documented and the documentation retained for the minimum required period.

The MLRO must be empowered, resourced, and sufficiently senior to fulfil the role effectively. An MLRO who is overruled by commercial management on AML decisions, who lacks access to the systems and data needed to make informed decisions, or who is so burdened with other responsibilities that SAR cases are not reviewed on a timely basis is a programme failure in its own right.

Step 7: Governance and Independent Testing

The AML programme must be subject to board-level governance and independent testing. Board reporting should cover, at a minimum: the current risk assessment summary, the volumes and outcomes of the CDD and monitoring programme, SAR filing statistics, training completion rates, and the status of any outstanding audit findings. The board must be able to demonstrate that it understands and oversees the firm's AML risk profile.

Independent testing — either internal audit or external — must review the programme at least annually, covering the adequacy of policies, the effectiveness of controls, the quality of monitoring and alert investigation, the accuracy of SAR filings, and the completeness of training. Audit findings must be tracked to remediation.

Step 8: Staff Training Programme

All staff with AML responsibilities must receive training appropriate to their role. This is not a generic online module completed at induction and never repeated. It is role-specific, regularly refreshed training that covers the money laundering typologies relevant to the staff member's specific function, the firm's policies and procedures, the indicators of suspicious activity they are most likely to encounter, and how to escalate appropriately.

Training completion must be documented and tracked. The MLRO must be able to demonstrate to the regulator which staff received training, when, on what content, and with what assessed outcome. Undocumented training is treated by regulators as equivalent to no training.

Build Your Risk-Based AML Programme on the Right Platform

One Constellation provides the compliance technology infrastructure that a risk-based AML programme requires — automated KYC and CDD, customer risk scoring, transaction monitoring, PEP and sanctions screening, and a compliance management portal with full audit trail. Built for FCA, FinCEN, and FATF-aligned compliance programmes.