The Evolution Of The Risk Based Approach in AML

TL;DR: A risk based approach helps firms apply customer due diligence in proportion to actual exposure, instead of treating every customer the same. As AML frameworks have matured, regulators have pushed businesses to assess customer risk using factors such as geography, product type, transaction behaviour, and ownership complexity. 

Assessing customer risk is key to preventing crime within the finance sector. Many financial services organizations use a risk based approach with Customer Due Diligence (CDD) to mitigate fraud-related risk specifically. A risk based approach is beneficial for most businesses, especially when watchdog organizations, such as the Financial Action Task Force (FATF) and the Financial Conduct Authority (FCA), openly support this approach. 

Financial institutions must consider how to meet regulatory compliance requirements to improve the accuracy and safety of financial transactions. The Know Your Customer (KYC) and Anti Money Laundering (AML) frameworks clearly assign businesses, organizations, and financial service providers the responsibility of verifying the authenticity and accuracy of customer identities.

In doing so, they must also assess each customer’s risk profile and carry out necessary measures. This guide will dive into the history and evolution of the risk based approach within AML processes, as well as how you can safeguard your organisation.

The Evolution of the Risk Based Approach

The earliest AML frameworks were developed in the 1970s. These implemented a “one size fits all” approach. It required organizations to adhere to rules to mitigate money laundering activities. However, creating a single set of compliance requirements to be upheld proved insufficient and ineffective. 

Not all businesses are equally susceptible to money laundering or terrorism financing. Some are more likely to be a risk than others, requiring a higher level of due diligence. Furthermore, not all customers or sectors possess the same risk. Politically Exposed Persons (PEPs), for example, required far more attention and focus than others. Some transactions were also higher risk than others, and pinpointing those was critical.

The UK’s Financial Services Authority (now the FCA) established the proportionality concept, which encouraged institutions to focus their attention (and money) on mitigating the most expensive risks. In 2007, the FATF created a set of standards to follow, including 40 recommendations in its Risk Based Approach (RBA). Specifically, it required financial institutions to adopt specific but more flexible measures, so that they could direct their resources more effectively at the true risks to their operations. Instead of applying blanket rules, organizations could focus on the areas of risk most likely to impact their course of business.

In 2012, the FATF updated this approach again, incorporating it as the foundation of AML compliance mandates. Jurisdictions around the world adopted the risk-based approach, leading to many organizations across financial services integrating this approach into their KYC processes. At this time, the FATF

“The risk-based approach is central to the effective implementation of the FATF Recommendations. A risk-based approach means that countries, competent authorities, and banks identify, assess, and understand the money laundering and terrorist financing risk to which they are exposed, and take the appropriate mitigation measures in accordance with the level of risk,” states FATF.

What Does a Risk Based Approach Look Like?

Customer risk management is complex but essential. A robust and effective KYC approach is essential to reducing costs while meeting regulatory requirements. However, such methods can be time-consuming and can degrade the customer experience.

Risk Profiling

Risk profiling is one form of verification of a customer’s identity. It considers customer risk scoring based on customer behavior. Risk profiling focuses on a full assessment of each customer, transaction, and business relationship based on factors identified as potential risks. It categorizes customers by their assigned level of risk, which is determined from their behavior, the nature of their activity, and other risk profile factors.

Some of the most common components of a risk-based analysis include:

  • Geographical factors: High-risk countries or jurisdictions with well-recognized AML/CFT concerns, such as terrorism-heavy locations.
  • Customer type: PEPs, non-resident customers, complex business structures, or cash-intensive operations can also factor into risk assessment.
  • Transaction patterns: Unusual, complex, or high-frequency transactions could signal risks, such as a sudden shift in account usage.
  • Source of funds: Known high-risk sources or unexplained income streams, often those that are on the perceived watchlist.
  • Industry or occupation: Certain sectors (e.g., cryptocurrency, gaming, or import/export) carry higher risks and must be considered.
  • Lighting and Depth Perception: AI models use light reflection and shadows to detect liveness. Human faces reflect light differently than a flat photo or video.

The Council of Europe’s Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism states that a risk based approach means nations, governments, and the private sector should be well aware of money laundering and terrorist financing threats.

Additionally, the Council states that the FATF Recommendations promote a risk-based approach at three levels:

  1. National Level: Countries should assess and share ML/TF risks with authorities and the private sector.
  2. State Authorities: Supervisors should focus on specific risks and allocate resources efficiently.
  3. Private Sector: Businesses should tailor AML/CFT measures to their own risks and client profiles.

Customer Due Diligence

Customer Due Diligence (CDD) focuses specifically on applying a higher level or enhanced security based on the risk level of the customer, utilizing, for example, the data within their risk profile. There are two types of CDD that could be applicable:

Standard CDD: The most common standard for customer due diligence is basic customer due diligence, which involves limited identification and verification. This standard applies to nearly all accounts and customers within the financial industry and is the baseline measurement. It is applied for low-risk customers.

Enhanced Due Diligence (EDD): Applied for high-risk customers or situations, enhanced due diligence goes further. It involves more in-depth background checks, interviews, or third-party verification to mitigate risks because there is some level of concern present.

CDD can be flexible in terms of application and function. The scope of CDD typically includes the following:

  • Verification of an identity through government-issued ID checks.

  • Understanding the occupation or the business purpose of the relationship being established.

  • Assessing the ownership structures or financial interests of the customer or company.

  • Determining the intended use of services or accounts if approved.

Each of these factors helps build a risk profile and provides more customer risk management strategies. CDD is a common and flexible method for scrutinizing risky customers more thoroughly. Understanding a customer’s risk profile allows a financial institution to better understand their risks to business applications. For more on Customer Due Diligence, read “What is Customer Due Diligence (CDD)?”

Ongoing Monitoring

It is a mistake to believe that risk assessment ends once an account is opened and transactions begin. Continuously monitoring customer activity is essential to identifying what is “normal” for that customer and what is not. This enables improved reaction to suspicious activity or non-compliant transactions. This enhanced due diligence and customer risk assessment protects financial institutions and other businesses in the long term.

Monitoring is a process that requires organizations to adapt to changes in customer behavior. For example, if a customer has numerous large transactions coming in and going out that are new to them, it may be wise to investigate those transactions. A sudden change in the customer’s financial situation can also be notable.

One of the best resources for ongoing monitoring is the inclusion of automated transaction monitoring tools. While many organizations continue to use manual processes, these methods are largely prone to errors. Automated transaction monitoring tools also speed up the process, enabling more real-time responses.

“One area of opportunity that could substantially increase efficiency gains is in the automated trigger-based Ongoing Due Diligence (ODD) of clients. In practice, most FIs are conducting manual client reviews on a periodic basis. These manual reviews are time-consuming, provide (relatively) limited added value to mitigating money laundering risks, and negatively impact client satisfaction and data privacy,” shares Deloitte. Learn more about the benefits of ongoing monitoring in our blog, “What is an Ongoing Monitoring Process?”

Case Study: FinCEN’s 2026 Shift Toward Risk-Based Customer Due Diligence

Before 2026, firms had to re-identify and re-verify beneficial owners each time an existing legal entity customer opened a new account. For many low-risk customers, this created extra work without adding meaningful value. It also weakened the risk based approach by forcing the same level of customer due diligence regardless of actual customer risk.

Shifts Toward Trigger-Based Review

FinCEN allowed firms to stop repeating beneficial ownership checks for every new account. Instead, businesses can rely on existing records unless new risk indicators appear or current data becomes unreliable. This is a more proportionate risk based approach, where customer due diligence responds to real customer risk.

Outcomes
  • Less duplication in customer due diligence for existing lower-risk customers

  • Better alignment between AML controls and actual customer risk

  • Stronger support for a flexible, event-driven risk based approach

The Benefits of a Risk Based Approach

A risk-based approach is sensible and effective for most financial institutions, especially when it relates to AML processes and customer risk. Some of its key benefits include:

  • Improved customer due diligence experience, alleviating frustrating steps from non-risk-based clients.
  • Efficient allocation of resources, allowing financial and human resources to be applied to truly high-risk concerns.
  • Enhanced financial crime detection because there are better resources and more accurate and timely actionable steps taken.
  • Alignment with regulatory requirements, reducing the risk of costly fines.
  • Scalability and flexibility allow institutions to adjust their focus as new risks emerge or circumstances change, enabling them to “stay ahead” of threats.
  • Improved reputation with fewer compliance-related or highly visible fraudulent attempts.

“The Know Your Customer risk-based approach enables a better customer onboarding compliance program by adjusting verification levels based on risk factors. Low-risk customers are accepted more quickly, whereas higher-risk customers may require additional verification procedures,” shares Financial Crime Academy.

Key Takeaways

  • The risk based approach helps apply AML controls in line with actual exposure.

  • Strong customer due diligence starts with accurate assessment of customer risk.

  • Regulators favour proportionate, intelligence-led compliance over repetitive checks.

  • Ongoing monitoring is central to keeping the risk based approach effective.

  • Modern AML programmes use technology to scale customer due diligence.

Implementing ComplyCube’s Solutions

ComplyCube’s platform can power organizations with a strong risk-based AML process. If your organization is not assigning resources based on risk-based strategies, now is the time to learn how to do so efficiently. ComplyCube is ideally positioned to provide companies with the tools to facilitate robust, accurate, time-efficient, and cost-effective risk-based solutions for mitigating customer risk. For more information on ComplyCube’s services, reach out to their expert compliance team.

Frequently Asked Questions

What is a risk based approach in AML?

A risk based approach means applying AML controls in proportion to identified exposure. Firms assess customer risk using factors such as geography, behaviour, and ownership structure, then tailor customer due diligence accordingly. This improves both efficiency and regulatory alignment.

How do firms assess customer risk effectively?

Firms assess customer risk by analysing identity data, transaction patterns, jurisdiction, and business activity. Risk scoring models combine these signals to determine whether standard or enhanced customer due diligence is required, ensuring controls match real exposure.

Why is customer due diligence evolving?

Customer due diligence is evolving to become more dynamic and proportionate. Regulators now expect firms to rely on ongoing monitoring and trigger-based reviews, rather than repetitive checks, to better reflect changes in customer risk over time.

What changed in the risk based approach in 2025–2026?

Recent updates from FATF and FinCEN emphasise proportionality and flexibility. Firms are encouraged to reduce unnecessary checks and focus on real-time indicators of customer risk, strengthening the effectiveness of the risk based approach.

How does ComplyCube support a risk based approach?

ComplyCube enables a risk based approach through configurable workflows, real-time risk scoring, and continuous monitoring. Its unified platform supports adaptive customer due diligence, helping firms respond to evolving customer risk with precision and scale.
