
The Risk-Based Approach to AML: What Regulators Actually Expect

The risk-based approach (RBA) is the foundational principle of modern AML regulation — but few concepts in compliance are as widely cited and as poorly understood. This guide explains what FATF actually requires, what a documented firm-wide risk assessment looks like, and how regulators test whether a programme is genuinely risk-based or merely claiming to be.

Published: May 2026 | Category: AML & Financial Crime | Read time: ~10 minutes

Quick Answer

The risk-based approach (RBA) is the regulatory principle that AML/CFT controls must be calibrated to the money-laundering and terrorist-financing risks the firm actually faces — not applied as a uniform standard regardless of risk. It is the operating philosophy of FATF Recommendation 1 and the explicit basis of the EU AMLD, the US BSA, the UK MLR 2017, MAS Notice 626, and every other major AML regime. A genuinely risk-based programme has four components: (1) a documented firm-wide risk assessment identifying the customer, geography, product, and channel risks the firm is exposed to; (2) a customer risk rating methodology applied consistently to every customer; (3) controls calibrated to risk — standard CDD for ordinary customers, EDD for higher-risk customers, with monitoring and review cadences scaled accordingly; and (4) governance and oversight ensuring the assessment is refreshed and the controls actually operate as designed.

Regulators have moved decisively away from prescriptive, rules-based AML supervision. The current standard — across FATF members and increasingly beyond — is outcomes-focused supervision of risk-based programmes. The supervisor does not ask "did you check this box?" but "did your programme detect the financial crime it should reasonably have been expected to detect?"

This shift puts substantial pressure on firms. A box-ticking programme that satisfied a 2010-era inspection will fail a 2026-era inspection if the risks the firm is exposed to outpace the controls. Genuine RBA — risk assessment that is current, controls that scale with risk, governance that catches gaps — is now what good looks like.

What FATF Recommendation 1 Actually Requires

FATF Recommendation 1 sits at the head of the FATF Recommendations because every other recommendation rests on it. It requires countries to identify, assess, and understand their money-laundering and terrorist-financing risks, and it requires regulated firms to do the same at firm level. The text is short; the implications are profound.

The Interpretative Note to Recommendation 1 elaborates the firm-level obligations: "Financial institutions and DNFBPs should be required to identify, assess, and take effective action to mitigate their money laundering and terrorist financing risks." Firms must document the assessment, keep it current, share it with the regulator on request, and use it as the basis for their AML/CFT programme.

Critically, the assessment is not a free-text essay — it is a structured analysis whose components are individually testable. National regulators have mostly elaborated the structure: customer risk, geography risk, product/service risk, delivery-channel risk, and (increasingly) emerging-technology risk. Each dimension must be assessed, the assessments must combine into an overall risk profile, and the controls must be designed around that profile.

The Four Risk Dimensions

Every well-structured risk assessment analyses risk along the same four dimensions. The assessment within each dimension is firm-specific; the dimensions themselves are universal.

1. Customer Risk

What kinds of customers does the firm serve? Retail consumers, mass-affluent, high-net-worth, ultra-high-net-worth, corporate, institutional? What proportion are PEPs or PEP-related? What sectors do the corporate customers operate in (cash-intensive sectors, gambling, real estate, defence-related industries carry higher inherent risk)? What proportion of customers are non-resident or onboarded non-face-to-face?

2. Geography Risk

Which jurisdictions does the firm operate in, and which jurisdictions do its customers and counterparties connect to? The FATF black and grey lists, EU high-risk third-country list, FinCEN advisories, and Basel AML Index are the standard reference points. A firm whose customer base concentrates in higher-risk geographies must calibrate controls accordingly.

3. Product and Service Risk

Which products does the firm offer, and what is each product's inherent ML/TF risk profile? Cash-intensive products carry higher risk than electronic-only products. Cross-border payment products carry higher risk than domestic-only products. Anonymous prepaid products carry materially higher risk. Trust and corporate services products carry the highest risk in many regimes.

4. Delivery Channel Risk

How are customers onboarded and how do they interact with the firm? Face-to-face branch onboarding, video KYC, fully digital onboarding, and intermediary-introduced relationships each carry different risk characteristics. A pure-digital firm with no face-to-face channel is not necessarily higher-risk — but it must compensate with stronger digital identity verification, including liveness detection and biometric matching.

From Firm-Wide Assessment to Customer-Level Rating

The firm-wide risk assessment establishes the firm's overall exposure. The customer risk rating applies that framework to each individual customer. The two are connected — the firm-wide assessment determines which customer characteristics carry weight in the rating model — but they operate at different levels of granularity.

A customer risk rating model assigns each new customer to a tier (typically Low, Medium, or High; some firms use four or five tiers) based on a structured combination of factors: customer-type factors, geographic factors, product factors, and behavioural factors observable at onboarding. The rating then drives the level of due diligence applied (standard CDD vs EDD), the sensitivity of transaction monitoring, and the cadence of periodic reviews.

See our deeper guide on customer risk rating for the framework methodology and the documentation regulators expect.

How Regulators Test Whether a Programme Is Genuinely Risk-Based

Supervisors have developed a fairly standard set of tests for whether a firm's claimed RBA is real. These tests rarely surprise an inspector — they are part of every modern AML supervisory toolkit — and a programme that has not been built with these tests in mind is unlikely to pass them.

The five tests inspectors typically apply:

  • Currency of the assessment — when was the firm-wide risk assessment last refreshed? An assessment more than 18 months old is presumptively stale.
  • Connection to actual customer book — does the assessment's description of customer composition, geography, and product mix match the firm's actual book? Inspectors will sample.
  • Translation into controls — for each elevated risk identified in the assessment, what specific control is in place to address it? Risks identified without corresponding controls indicate a paper exercise.
  • Customer rating distribution — what proportion of customers are rated high, medium, low? A distribution where 99% of customers are low-risk is implausible in almost every business model.
  • Outcome consistency — do the firm's SAR-filing rate, EDD-customer count, and transaction-monitoring alert volume look reasonable given the risk profile? Outcome metrics that diverge sharply from peers without explanation are a red flag.

The Common Failure

The most common RBA failure is not absence of a risk assessment — most firms have one — but disconnection between assessment and operations. The risk assessment lists exposures the controls do not actually address, and the controls operate on a uniform basis regardless of customer risk. A regulator reviewing such a programme will conclude that the firm has documented an RBA without operating one, which is in some respects worse than not having one at all.

Building an Operating Model Around RBA

Translating risk-based principles into day-to-day operations requires the same three things every effective compliance operating model needs: clear ownership, structured processes, and supporting technology.

Ownership sits with the MLRO and senior management. The firm-wide risk assessment must be owned by the MLRO, refreshed at least annually, signed off by the board or equivalent, and integrated into the firm's ICAAP/ILAAP/business-as-usual risk reporting.

Process means the customer risk rating runs at onboarding, gates the CDD/EDD path, drives monitoring sensitivity, and is refreshed at scheduled intervals or on material event triggers. The handoffs between systems and teams must be documented and tested.

Technology means the risk model is computable from data the platform holds, the rating updates automatically as facts about the customer change, and the audit trail captures every decision. A unified compliance portal reduces RBA from a documentation burden to a working system. See also our compliance-programme build guide for fintech startups.
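As an added example that is not part of the original article or of any vendor's product, the following Python sketches the rating model described above: four scored dimensions combined into a tier, the tier gating the CDD/EDD path and review cadence, re-rating on a material event, an audit record per decision, and the inspector's rating-distribution check. All weights, factor scores and thresholds are constructed, hypothetical values; a firm would derive its own from its firm-wide risk assessment.

```python
from dataclasses import dataclass

# Constructed, hypothetical weights and 1-5 factor scores; a real firm derives these from its own firm-wide risk assessment.
WEIGHTS = {"customer": 0.35, "geography": 0.30, "product": 0.20, "channel": 0.15}
FACTORS = {
    "customer": {"retail": 1, "mass_affluent": 2, "hnw": 3, "cash_intensive_corporate": 4, "pep": 5},
    "geography": {"domestic": 1, "eu": 2, "fatf_grey_list": 4, "fatf_black_list": 5},
    "product": {"current_account": 1, "domestic_payments": 2, "cross_border": 3, "anonymous_prepaid": 4, "trust_services": 5},
    "channel": {"face_to_face": 1, "video_kyc": 2, "digital_verified": 2, "intermediary": 3},
}
# The tier drives the control: (due-diligence level, periodic-review cadence in months).
CONTROLS = {"Low": ("Standard CDD", 36), "Medium": ("Standard CDD", 24), "High": ("EDD", 12)}
AUDIT_LOG = []  # every rating decision, with the inputs and trigger that produced it

@dataclass
class Customer:
    customer_id: str
    customer_type: str
    geography: str
    products: list
    channel: str

def score(c: Customer) -> dict:
    """Per-dimension scores; the riskiest product held drives the product dimension."""
    return {"customer": FACTORS["customer"][c.customer_type],
            "geography": FACTORS["geography"][c.geography],
            "product": max(FACTORS["product"][p] for p in c.products),
            "channel": FACTORS["channel"][c.channel]}

def tier(scores: dict) -> str:
    """Weighted score mapped to a tier, with an override: any dimension at 5 forces High."""
    weighted = sum(WEIGHTS[d] * s for d, s in scores.items())
    if weighted >= 3.5 or max(scores.values()) == 5:
        return "High"
    return "Medium" if weighted >= 2.0 else "Low"

def rate(c: Customer, trigger: str = "onboarding") -> dict:
    """Rate a customer, gate the CDD/EDD path, and record the decision for the audit trail."""
    s = score(c)
    t = tier(s)
    dd, review_months = CONTROLS[t]
    decision = {"customer_id": c.customer_id, "trigger": trigger, "factors": s,
                "tier": t, "due_diligence": dd, "review_months": review_months}
    AUDIT_LOG.append(decision)
    return decision

def distribution_plausible(decisions: list, max_low_share: float = 0.9) -> bool:
    """Inspector-style check: a book rated almost entirely Low is presumptively implausible."""
    low = sum(1 for d in decisions if d["tier"] == "Low")
    return low / len(decisions) <= max_low_share
```

Calling `rate()` again for the same customer with a different `trigger` (for example a PEP status change) re-rates from current facts and appends a second audit record rather than overwriting the first.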

Risk-Based Compliance That Actually Operates

One Constellation's compliance portal computes customer risk ratings from your model, gates onboarding flows by risk tier, scales monitoring sensitivity automatically, and gives the MLRO the audit trail regulators expect.
