If you live near a river that regularly floods, it makes sense to invest in sandbags. It's money well-spent, since there's a high risk that you're going to end up with half your home underwater if you do nothing. But if you live on the side of a mountain, sandbags are a poor investment‍—‌that money could have been better spent on improvements to counter other risks, more relevant to mountain-side living.

This is the essence of a risk-based approach.

A risk based approach is the process of identifying, assessing and analysing the risks in a situation in order to put in the right controls to mitigate these risks.

A risk-based approach is the recommended method for preventing financial crime‍—‌specifically anti-money laundering or AML - for financial institutions in the UK. It’s part of the guidance issued by the Financial Conduct Authority (FCA) and is supported internationally by the Financial Action Task Force (FAFT).

Financial crime is depressingly common, and regulated financial institutions are required to do everything they can to prevent it. Most small financial institutions are working with limited resources and even large institutions don’t have the resources to match the scale of the problem.  Taking a risk-based approach targets key risks  and prioritises those that cause harm to customers. This means businesses can focus on preventing financial crime at the point of maximum impact to the customer and the market as a whole.

That might sound straightforward enough‍—‌but how do you decide what your key risks are and what controls will be most effective for mitigating them?

Implementing a risk-based approach

The Joint Money Laundering Steering Group (JMLSG) has detailed guidance for implementing a risk-based approach for AML. This can be broken down as follows:

• Identify and assess the risks that criminals will attempt to use your business for money laundering and terrorist financing. This involves considering multiple factors, such as the regions and industries you operate in, the products you offer, how they are distributed, and the type of customers you serve. By analysing these factors and how they interact with each other, you can determine the level and types of risk likely to impact your business‍—‌your key risks. This analysis will help you determine your inherent risk profile, i.e. the level of risk present before you have put any controls in place to mitigate it.
• Understand your customers. Even if you have a broad view of the types of customers you serve and the risks they pose, every individual customer still needs to go through due diligence. To learn more about customer due diligence, check out our blog on what fintechs need to know about CDD.
• Once you have an understanding of your inherent risk profile, you can start putting in systems and controls in place to mitigate the risks. These controls should reflect the nature of your business and your customers.

Assessing customer risk

Taking a risk-based approach means performing an initial assessment on every potential new customer. This assessment allows you to create a risk profile for them. Most companies do this via risk scoring, assigning numerical values to the answers to a series of questions in your risk assessment. Risk scoring is an effective and consistent way to estimate the level of risk the customer poses and make an informed decision whether to onboard them or not.

Customer risk assessment should never be a one-off activity. The JMLSG advises companies to assess customer risks on an ongoing basis. This means changes in the market, your product, your customer’s activities, or environmental factors can all mean changes in your customer’s risk profile. Monitoring your customers’ risk profiles also means you can proactively ensure your policies, controls, and procedures are all aligned with the overall levels of risk posed. Having a robust monitoring system in place is an important control for ensuring that your business is not suddenly exposed.

A risk based approach in AML controls

The goal of a risk-based approach to AML is to help you set up the right controls, i.e. the controls that are going to reduce the likelihood of key risks materialising, and mitigate their impact if they do. Only after you are able to implement and test your control framework will you be able to assess your residual risk profile i.e. the amount of risk you’re exposed to once you’ve done everything you reasonably can to mitigate it. It’s important to note that risk can’t be eliminated completely; a certain amount of it is inherent to any business. The amount of risk your business is willing to accept in pursuit of its goals is your risk appetite, which should be expressed as a qualitative and quantitative risk appetite statement. Keeping the business comfortably within your stated risk appetite should be the goal of your controls.

A control is any action or activity that mitigates risk. The nature of a risk-based approach means that ultimately the nature and stringency of your controls are going to be specific to your business and your customers. But there are broad categories of controls that are almost always relevant for financial institutions. These include:

• Policies and procedures that reflect your stated risk appetite and clearly communicate roles, responsibilities and step-by-step processes for financial crime prevention.
• Regular training for employees on money laundering, fraud and other forms of financial crime.
• A thorough onboarding process that lets you quickly gather and assess all the relevant information about potential new customers, with enhanced levels of due diligence for customers that reflect greater risk.
• Transaction monitoring and screening to identify unusual transactions or patterns of transactions that could indicate money laundering or terrorist financing.
• Counter terrorist financing based on the risks identified in your independent terrorist financing risk assessment.
• Fraud prevention to ensure the protection of customers and prevention of harm.

All these controls (and more!) constitute your risk based control framework. This control framework needs to be reviewed regularly to make sure it’s still relevant and effective; for example, if your risk appetite changes, your controls will have to change too.

Even when your controls are tailored to your business and your risk appetite, the process of implementing them can still be resource-intensive and time consuming. There have been huge advances in the automation of key controls in recent years, and proven technologies are often a faster and more reliable way to implement AML controls. For example, with Verify, you can run KYC/KYB, PEP, Sanctions, fraud and adverse media checks on customers with a simple API integration, reducing your manual review queue and freeing up your compliance team to focus on edge cases.

Further reading:

• Risk based approach‍—‌JMSLG
• Risk based approach for the banking sector report
• Money laundering and terrorist financing‍—‌FCA
• The Wolfsberg FAQs on risk assessments for money Laundering, sanctions and bribery & corruption