The “Risk-Based” Principle of AML Management

The “risk-based” anti-money laundering (AML) principle was first promoted by British regulatory authorities. In January 2000, the Financial Services Authority (FSA) was the first to put forth such a concept in its book titled A New Regulator for the New Millennium. Since then, the principle has been actively promoted by international organizations, such as the Wolfsberg Group, the Financial Action Task Force (FATF), the International Association of Insurance Supervisors and the International Organization of Securities Commissions. In February 2012, FATF published its updated “International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation” (the revised FATF 40 Recommendations), which clearly defines the risk-based AML principle, ultimately ushering in an era of revolutionary change in the international AML arena. Simply put, the “risk-based” principle requires financial institutions to assess the risks associated with illicit activities (such as money laundering and terrorist financing) that they may face in order to reasonably deploy corresponding resources before taking prioritized control measures as a response to these risks.

The Necessity of the "Risk-Based" Principle

Objectively speaking, because different countries/regions have unique economic structures, AML regulatory requirements, AML control awareness and capabilities, and the amount of AML effort often vary. Money launderers are always scrambling to find new “outlets” for black money, and such black money may be transferred from institutions/regions with more stringent management to those with weaker management, or from business areas with sound management to those with immature management (the “buckets effect”). For example, some time ago, after some European countries took the initiative in tightening their audit and management of cash deposit operations, money launderers drove truckloads of money to other countries with relatively lax controls. Furthermore, the booming development of third-party payment expedites capital transfer and remittance, complicating the flow of funds. Banks, for their part, need to pay more attention to the money laundering risks associated with these kinds of transactions, because AML regulatory controls have failed to keep up and customer and transaction information is insufficiently communicated.

It is evident that the “risk-based” AML approach requires banks to proactively identify and seek out various “outlets” and changes of black money in order to find ways to control money laundering, whereas the “regulation-based” approach only requires passive enforcement of regulatory requirements and standards.

The Key to the "Risk-Based" Principle

To implement the “risk-based” principle, the banking industry needs to shift the focus of AML management from post-analysis and judgment to proactive management. With this in mind, banks must organically integrate risk control ideas, mechanisms and requirements with their business development and management. Banks need to build up stringent AML compliance principles and enforce whole-process, unified risk management mechanisms, in order to establish a sound and compliant management culture within the institutions.

Customer Due Diligence Is the Basis of AML Management

Previously, banks—particularly full-service banks—took things lightly when it came to collecting information about their ordinary customers. They tended to collect information about customers of business services (such as credit granting and money management), but these customers only accounted for a small fraction of their clients. So, it is fair to conclude that banks did not know the majority of their customers. Therefore, many banks were penalized by regulators for the violation of AML regulations. In response, they proactively decided to divert their focus from low-value clients and regions with low profitability to high-value clients, after weighing customer due diligence (CDD) costs against operating income. In the meantime, even if banking staff managed to collect information on customers and their transactions, they were still unable to apply it to AML management due to the lack of risk management awareness and expertise. In addition, the lack of supporting system functions further restricted banks’ capability to clearly document, demonstrate and accurately analyze risks associated with customer money laundering.

Accurately judging the risk level of customer money laundering is an important prerequisite for the “risk-based” approach. Banks need to conduct due diligence on business operations, industries, customer characteristics and regions, in order to obtain adequate, complete and truthful customer information as the basis of analyses. In addition to information pertaining to customers themselves, banks also need to obtain more information, such as the scope of business operations, their major counterparties, transaction areas, transaction currencies, transaction scale, actual beneficiaries and negative news. These efforts should be embedded into the procedure for the establishment and maintenance of customer relationships, thus becoming part of daily business operation management routines. When trying to build up sweeping risk management awareness, business operation units are advised against separating the investigation of customers and transactions required by AML from the CDD performed during routine business operations (such as credit granting and trade financing). Instead, they should consider the risk of money laundering as one of the angles for examining customers and business operations, while driving the gradual integration of various business operation management measures such as credit risks, market risks and operational risks. With these efforts in place, backline risk managers can utilize professional tools to assess the risks of money laundering and formulate specific control measures based on this information.

Monitoring Real-Time Transactions is a Key Method

A customer money laundering risk rating should be properly applied. One of its applications is the monitoring or restriction of real-time transactions. For specific types of customers or high-risk customers, banks should draw on their risk characterization to increase monitoring or restriction measures in their business operation systems. Examples include adding a prompt for enhanced due diligence on customers with frequent cash deposits; putting a limit on incoming and outgoing remittances for customers who, according to analyses, have had unusual cross-border transactions; and restricting the use of self-help channels such as electronic and third-party payment by customers suspected of internet fraud. AML is no longer just about reporting suspicious transactions after they occur; it requires banks to proactively manage risks and control the occurrence of potential risks.

Money Laundering Risk Assessment on Products is a Necessary Approach

Banks must assess the money laundering risks for various products, ensuring that the control measures for different products are appropriate and that existing risks are brought under control. Therefore, banks need to incorporate a money laundering risk assessment into their product management systems, build product risk heat maps, regularly reexamine them in conjunction with business conditions and adjust assessment conclusions as needed. When competitors or other banks identify that a particular product is prone to be exploited for money laundering, or when control measures have failed to live up to expectations, banks should initiate a triggering assessment to adjust product risk levels, optimize control measures and decide whether or not to suspend a product. At present, the major problems encountered by banks in realizing product risk assessment and management are the following:

  1. How can banks accurately calculate product risks? Some of banks’ existing methods for product categorization and financial accounting are partly unsuitable for AML assessment. For example, many figures such as product effectiveness and customer bases cannot be directly accessed and analyzed.
  2. When and based on what criteria should banks decide to initiate the triggering assessment?

These problems involve the adjustment and optimization of banks’ management mechanisms.

Advanced Information Technology is a Must

As we strengthen “risk-based” AML management, the AML system’s functions must be robust, which involves not only the consideration of labor cost investment, but also an improvement in the accuracy of analysis and control. This is especially important for banks with large customer bases and large volumes of daily transactions. Whether the goal is increasing the accuracy of suspicious transaction reports, reducing the rate of missed hits in sanctions list screening, or making CDD and transaction restrictions part of business procedures, people armed with only experience and memory can no longer get the job done. In order to increase risk control capabilities, system support is more and more indispensable. Even the screening for a “black list” has expanded from a sanctions list and political dignitaries to big data information processing of various negative news, ships, boats and harbors, as well as military and civilian material checklists. As the application of big data has continued to expand in recent years, various information service providers and internet platforms have emerged, making it possible to process big data and capture valuable information. Information technology is an indispensable tool for banks to truly build and enforce a “risk-based” compliant management mechanism.

In the new era of frequent international economic exchanges and instantaneous global capital interflow, new money laundering models continue to mushroom. It has become a consensus among regulators and banks to enhance AML management. If a bank wishes to enhance its AML control, it needs to solidly embed the “risk-based” principle into its operations and management, while ingraining it into the awareness of its employees.

Zhang Fan, CAMS, vice chairman, Macau Anti-Money Laundering Specialists Association, Bank of China, Macau
