Skip to content
CityLearning
Financial crime

Risk-based approach

The risk-based approach is the principle that AML/CFT resources should be focused in proportion to the money-laundering and terrorist-financing risks a firm faces. In the UK it is mandated by Regulation 18 of the Money Laundering Regulations 2017, which requires every firm to carry out and document a written risk assessment.

The risk-based approach is the foundational principle of UK AML/CFT regulation: a firm should identify and assess the money-laundering and terrorist-financing risks it faces, and then apply controls proportionate to those risks, rather than treating every customer and transaction identically. It is mandated by Regulation 18 of the Money Laundering Regulations 2017, which requires each firm to take appropriate steps to identify and assess its risks and to keep a written record of that assessment.

What the risk assessment must cover

Regulation 18(2) requires the assessment to take account of risk factors relating to the firm’s customers, the countries or geographic areas in which it operates, its products and services, its transactions, and its delivery channels. The firm must also have regard to information published by the FCA and to the National Risk Assessment. Under Regulation 18(4), the assessment must be kept up to date and provided to the FCA on request.

Why the risk-based approach matters

The risk-based approach is what allows enhanced due diligence to be focused where it is needed (on PEPs, high-risk third countries and complex structures) while simplified measures apply to demonstrably low-risk relationships. It also drives the firm’s policies, controls and procedures under Regulation 19, which must be proportionate to the assessed risk. The FCA regularly criticises firms whose customer-level risk ratings are not anchored in a credible firm-wide assessment.

Who it applies to

All firms in the regulated sector under the MLRs 2017. The risk assessment is typically owned by the MLRO and approved at senior-management level, consistent with accountability under SM&CR.

CDD, EDD and MLRO.

Frequently asked questions

What is the risk-based approach to AML?
The risk-based approach means a firm assesses its own money-laundering and terrorist-financing risks and directs its controls and resources where the risk is greatest, rather than applying identical checks to everyone. It is required by Regulation 18 of the Money Laundering Regulations 2017, which obliges firms to prepare a documented, written risk assessment.
What must a firm's AML risk assessment cover?
Under Regulation 18(2) of the Money Laundering Regulations 2017, a firm's risk assessment must take account of risk factors relating to its customers, the countries or geographic areas it operates in, its products and services, transactions, and delivery channels. The assessment must be kept up to date and made available to the FCA on request under Regulation 18(4).

Reviewed by Margaret Hassett

← Back to the compliance glossary

Turn definitions into training

See how CityLearning's UK compliance courses help your team understand terms like this in practice.