The risk-based approach is the foundational principle of UK AML/CFT regulation: a firm should identify and assess the money-laundering and terrorist-financing risks it faces, and then apply controls proportionate to those risks, rather than treating every customer and transaction identically. It is mandated by Regulation 18 of the Money Laundering Regulations 2017, which requires each firm to take appropriate steps to identify and assess its risks and to keep a written record of that assessment.
What the risk assessment must cover
Regulation 18(2) requires the assessment to take account of risk factors relating to the firm’s customers, the countries or geographic areas in which it operates, its products and services, its transactions, and its delivery channels. The firm must also have regard to information published by the FCA and to the National Risk Assessment. Under Regulation 18(4), the assessment must be kept up to date and provided to the FCA on request.
Why the risk-based approach matters
The risk-based approach is what allows enhanced due diligence to be focused where it is needed (on PEPs, high-risk third countries and complex structures) while simplified measures apply to demonstrably low-risk relationships. It also drives the firm’s policies, controls and procedures under Regulation 19, which must be proportionate to the assessed risk. The FCA regularly criticises firms whose customer-level risk ratings are not anchored in a credible firm-wide assessment.
Who it applies to
All firms in the regulated sector under the MLRs 2017. The risk assessment is typically owned by the MLRO and approved at senior-management level, consistent with accountability under SM&CR.