What is a risk-based approach?

A risk-based approach sits at the centre of modern anti-money laundering (AML), counter-terrorist financing (CTF) and counter-proliferation financing (CPF) frameworks. It’s the idea that firms should focus their time, effort and controls on the areas where the risks are greatest, rather than applying the same checks to every client, transaction or activity.
This approach comes directly from the global standards set by the Financial Action Task Force (FATF). Those standards then flow into UK law and sector guidance for accountants, lawyers, property businesses and other regulated professions.
FATF’s definition of a risk-based approach
FATF is the global standard-setter for AML, CTF and CPF. Its 2012 Recommendations made the risk-based approach a core principle (Recommendation 1, on assessing risks and applying a risk-based approach), and it remains central to the current framework.
FATF’s position is clear. Countries, regulators and regulated firms should:
- identify and assess money laundering, terrorist financing and proliferation financing risks;
- understand how those risks arise in their own context; and
- apply measures that are proportionate to the level of risk identified.
Higher risks require stronger controls. Lower risks can justify simpler measures, provided that decision is reasoned and documented.
This principle recognises a practical reality. Risks are not evenly distributed. Some clients, services, structures and transactions present more opportunity for abuse than others. Treating everything as equally risky diverts attention away from genuine threats.
FATF’s three linked stages of a risk-based approach
FATF describes the risk-based approach as a process rather than a single decision point. It involves three linked stages.
First, risks must be identified and assessed. This means looking at factors such as clients, jurisdictions, delivery channels, products and services, and understanding where exposure exists.
Second, risks must be mitigated. Controls, due diligence and monitoring are designed and applied in line with the assessed level of risk.
Third, decisions must be kept under review. Risks change over time, so assessments and controls need to be refreshed when circumstances shift.
Importantly, FATF stresses that professional judgement is essential. The risk-based approach is not a checklist exercise. It relies on informed assessment, supported by evidence and clear reasoning.
How the risk-based approach appears in UK law
The UK adopts FATF’s standards through domestic legislation and guidance. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (the MLRs), embed the risk-based approach throughout the framework.
Regulation 18 requires every regulated business to carry out a business-wide risk assessment. This assessment must take into account the size and nature of the business and, in particular, its customers, the countries or geographic areas it operates in, its products and services, its transactions and its delivery channels. The steps taken must be recorded in writing and kept up to date, unless the firm’s supervisory authority has notified it that a written record is not required.
That firm-level understanding of risk then feeds into:
- customer due diligence decisions;
- whether enhanced due diligence is required;
- how often clients are reviewed; and
- how ongoing monitoring is carried out in practice.
UK law doesn’t prescribe a single way to do this. Instead, it expects firms to demonstrate that their approach is informed by risk and proportionate to it, reflecting FATF’s principles.
How sector guidance reflects the same principles
Sector guidance issued for accountancy, legal and property businesses consistently mirrors the FATF model. Across guidance from supervisory bodies and affinity groups, the same themes appear:
- risks vary between clients and matters;
- controls should respond to those differences;
- decisions should be evidence-based and recorded; and
- higher-risk situations justify deeper enquiry.
For example, complex layered ownership structures, overseas elements, politically exposed persons (PEPs) or unusual transaction patterns are all treated as indicators that risk may be higher. That doesn’t make them unacceptable. It means the response should be more thorough and better documented.
Lower-risk situations can justify a lighter approach, as long as the reasoning is clear and aligns with the firm’s overall risk assessment.
What a risk-based approach looks like in practice
In day-to-day AML work, a risk-based approach means joining information together rather than treating each check in isolation.
Client due diligence, source of funds, source of wealth, beneficial ownership and control, geography and behaviour all inform the overall picture. No single factor determines the outcome on its own.
It also means avoiding assumptions. A familiar client can still present new risks if their circumstances change. A complex structure can still be legitimate if it makes sense in context and is supported by evidence.
The common thread is explanation. Regulators and supervisors are looking for firms to show that they understand the risks they face and have responded thoughtfully.
Why documentation matters
FATF places strong emphasis on documentation. Decisions made using a risk-based approach should be capable of being explained after the event. In practice, this means recording:
- what risks were identified;
- why a particular risk level was assigned; and
- what measures were applied as a result.
Good records turn judgement into evidence. They show that controls were applied deliberately rather than by default.
Final thoughts
The risk-based approach is not an extra layer of AML compliance. It is the organising principle that holds the framework together. FATF designed it to make AML more effective by directing attention to where it matters most. UK law and sector guidance follow the same logic.
When applied properly, a risk-based approach supports better decisions, clearer records and more meaningful compliance. It allows regulated professionals to focus on understanding risk in context, rather than treating AML as a uniform administrative task.