What are high-risk delivery channels?

A high-risk delivery channel is one that limits your ability to verify who you’re dealing with, understand the nature of the client relationship or monitor activity effectively. 

You might meet a client in person or onboard them remotely, receive the lead through an intermediary or serve them entirely through a digital platform. Each of these delivery channels gives you a different level of direct access to the client. 

From an AML perspective, the channels that reduce that access are the channels that could present a higher risk. The concern is that the more removed you are from a client, it becomes easier for that relationship to be used to move or conceal criminal funds. 

The UK’s Money Laundering Regulations 2017 (as amended) (MLRs) require regulated firms to assess their exposure to money laundering, terrorist financing and proliferation financing risk at a business level. 

Delivery channel risk is explicitly part of that assessment. Firms that don’t address it may find their risk ratings are incomplete, their controls insufficient and their AML framework harder to defend under supervisory scrutiny.

Where delivery-channel risk fits in the regulatory framework

FATF (the Financial Action Task Force) sets the global standards that UK AML law reflects. Its Recommendation 10 requires countries to ensure that the risk-based approach accounts for factors including how services are delivered. 

FATF’s guidance is explicit that non-face-to-face relationships and intermediary-based delivery methods carry higher inherent risk.

This flows directly into Regulation 18 of the MLRs, which requires regulated firms to identify and assess the risks to which their business is subject, including risks arising from the delivery channels they use. 

Regulation 33 then sets out specific circumstances where enhanced due diligence is mandatory, and non-face-to-face situations are included within that scope.

The UK National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA) also highlights digital and remote service delivery as an area requiring ongoing attention, particularly as the volume and speed of online and automated interactions continues to grow across regulated sectors.

What makes a delivery channel high risk?

A delivery channel becomes high risk when it reduces your ability to verify identity, understand the client relationship or monitor activity effectively. Several patterns tend to create that kind of exposure.

Non-face-to-face onboarding is the most commonly cited example. When a client relationship begins entirely remotely, you’re relying on documents and data rather than direct interaction. 

That creates a greater opportunity for fake identities or impersonation and it limits your ability to pick up on the kinds of behavioural cues that sometimes surface during in-person conversations.

Intermediary-introduced business presents a different set of risks. Where a third party, such as a another regulated professional, handles the initial client contact and passes the relationship to you, your direct knowledge of the client is narrowed. 

You’re dependent on the quality of that initial engagement and you have less opportunity to form your own view of the client before the relationship begins. 

How business reaches you is a factor Regulation 18 expects you to consider in your business-wide risk assessment. Where introduction through a third party is a regular feature of your model, that channel warrants explicit treatment in your policies and controls.

Automated or digital-only service delivery can also increase risk where the controls around identity verification and monitoring are weaker than the channel demands. 

Firms providing services through online portals, apps or automated platforms need to consider whether those channels provide adequate safeguards, particularly where clients are onboarded and managed without meaningful human oversight.

High-risk jurisdictions add another layer of concern when they intersect with delivery channel risk. A non-face-to-face relationship with a client based in or connected to a country with strategic AML deficiencies compounds the risk on both dimensions simultaneously.

How delivery channel risk affects your due diligence obligations

When a delivery channel is identified as high risk, enhanced due diligence (EDD) applies. EDD is a proportionate response, not a fixed checklist. But in the context of delivery channel risk it typically includes some or all of the following:

•       Additional verification steps to confirm identity, such as video identification, certified documents or third-party electronic verification services that meet the standard of being reliable and independent as required under Regulation 28 of the MLRs.

•       Obtaining more information about the client’s source of funds and source of wealth, particularly where the channel limits your direct access to the client.

•       Seeking senior management approval for the relationship before it begins, which Regulation 33 identifies as one of the specific EDD measures available to firms.

•       Applying closer and more frequent ongoing monitoring, with a lower threshold for reviewing transactions that appear unusual or inconsistent with your understanding of the client.

For intermediary-introduced clients, the practical question is whether you have sufficient assurance about the quality of the due diligence carried out by the introducer. If you cannot obtain that assurance, the position is the same as if no due diligence had been done at all.

Delivery channel risk in your business-wide risk assessment

Regulation 18 of the MLRs requires your business-wide risk assessment to consider the delivery channels you use and the risks they introduce. This means being explicit about how your services reach clients and what that means for your firm’s overall risk exposure.

In practice, a business that onboards all clients face-to-face with no intermediary involvement carries a lower inherent delivery channel risk than a firm that takes on remote clients, works with introducers or provides services through automated platforms. Neither model is prohibited. But the controls must reflect the risk.

Where your delivery channels include higher-risk methods, your policies, controls and procedures (PCPs) should set out clearly how those risks are mitigated. Supervisors reviewing your AML framework will expect to see that delivery channel risk has been considered, assessed and documented with proportionate controls attached to it.

The overlap with sanctions and proliferation financing

Delivery channel risk does not sit in isolation. It intersects with other risk factors, and the combination can significantly increase overall exposure. Non-face-to-face onboarding combined with involvement from a high-risk jurisdiction and intermediary-introduced business creates a layered risk picture that warrants particularly close attention.

In the context of sanctions and proliferation financing, the NRA notes that remote and digital channels can be used to obscure the identity of sanctioned individuals or entities, or to move funds in ways that are harder to trace. This makes sanctions screening particularly important where delivery channels limit direct visibility of who you are really dealing with.

For firms with any international dimension to their work, the interaction between delivery channel risk, high-risk jurisdictions and sanctions exposure should be considered explicitly in the risk assessment and reflected in the controls applied.

Documenting your reasoning

One of the more practical consequences of the risk-based approach is the documentation requirement. Supervisors do not just want to see that due diligence was completed. They want to understand how risk was assessed and how your controls responded to it.

For high-risk delivery channels, this means your files should show that the channel was identified as higher risk, that the elevated risk was factored into the client risk assessment and that enhanced measures were applied proportionately. 

A file that shows a remote client was onboarded and screened without any reference to the delivery channel risk will raise questions, even if the outcome of the due diligence was otherwise sound.

The audit trail requirement under the MLRs is not about generating paperwork. It is about being able to demonstrate that decisions were informed, proportionate and consistent with your firm’s documented AML framework.

Final thoughts

Delivery channel risk is one of the building blocks of a sound business-wide risk assessment under the MLRs. The way you reach your clients affects how well you can verify who they are, understand their activity and monitor the relationship over time. Where that visibility is reduced, the controls need to compensate.

Assessed and documented properly, delivery channel risk fits naturally within a proportionate, risk-based AML framework. The key is making the connection explicit, in your risk assessment, in your policies and in the due diligence decisions you make for individual clients.