AML Compliance: Understanding The Differences Between Risk-Based And Rule-Based Approaches

Risk-based vs rule-based compliance

There is no doubt that managing AML compliance can be a complicated process at times, but taking a risk-based approach rather than a rule-based one will go a long way towards protecting your business.

While it might be tempting to adopt a rule-based approach to AML because it appears to be the more efficient, less costly option, this brings its own problems: not least unnecessary risk to your business, and the likelihood that it will not fully meet regulator expectations.

Some risks cannot be eliminated, but they can be mitigated. Focus your compliance programme on developing effective risk mitigation strategies rather than treating compliance as a tick-box exercise, and you will benefit in the long term.

What is risk-based vs rule-based AML?

A rule-based approach to AML means carrying out your AML obligations with the same level of investigation for every client, regardless of the underlying risk a particular client may pose.

A risk-based approach provides a more holistic view: you measure and monitor the risk of criminal activity and take action based on your assessment.

Some companies, by the very nature of their business and the products and services they offer, carry more risk than others. However, even if you consider the risk specific to your business to be relatively low, you should always evaluate risk when onboarding new clients.

What are the key elements of a risk-based programme?

A risk-based programme will allow you to make proactive assessments based on the level of risk you believe a client may pose. Core to supporting this activity is a robust compliance programme which should include:

Risk assessment

The foundation of a risk-based AML/CFT approach is understanding the potential money laundering and terrorism financing risks in your business. The risk assessment guidelines explain how to document, consider and rate your specific risks, and set out the steps required to meet the requirements of the AML/CFT Act.

Customer due diligence (CDD)

Carrying out CDD checks helps you know your client. Taking a risk-based approach to CDD is more than carrying out identity checks, verifying details and ensuring your client is who they say they are: it requires you to understand the nature and purpose of the customer relationship so that you can monitor for irregularities. Assessing this risk against your business-wide risk assessment lets you make risk-based decisions on whether enhanced due diligence or other action is required.

PEP and sanctions

The Russia Sanctions Act was a timely reminder of how important it is to ‘know your customer’ and understand their source of wealth and funds. Keeping sanctions and politically exposed person (PEP) checks current, using up-to-date data, makes your due diligence more robust and helps you identify risk more accurately. Remember that carrying out enhanced due diligence on PEPs is a legal requirement, not something to overlook.

Transaction monitoring

Understanding the risk your client poses, and which risk factors to look out for when monitoring transactions, is essential to a risk-based approach. Monitoring should be an ongoing process, and you should have processes in place to deal with unexpected transactions or activity.

What might make a client high risk?

Your risk assessment of clients should cover some key areas to establish their level of risk:

  • The products or services you are providing to individual clients
    Consider whether the services you provide to your client could allow for anonymity.
  • Transactions
    Monitor transactions – high-volume, high-value and high-velocity transactions, and those between higher-risk jurisdictions, could be considered higher risk.
  • Where your client is based
    Consider how dealing with clients based in countries with less stringent AML regulations may affect risk levels. Could your client be exposed to money laundering or terrorism financing threats?
  • The nature of your business
    If your business is large and/or has complex structures, consider how the nature of your business might provide the potential to hide or mask suspicious activity.
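
The transaction factors above (volume, value, velocity and higher-risk jurisdictions), and the contrast with a flat rule-based check, can be made concrete with a small monitor. The following is an added example written for this page; it is not code from the original article or from any regulator. The jurisdiction codes, thresholds and tier weights are illustrative assumptions, and the sample clients and transactions are constructed. The same six payments produce no alerts under fixed thresholds but four under thresholds scaled to the client's risk tier.

```python
"""Illustrative risk-based vs rule-based transaction monitor (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example only: hypothetical jurisdiction codes and thresholds.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}

BASE_VALUE_THRESHOLD = 10_000.0   # single transaction value
BASE_VELOCITY_COUNT = 10          # transactions inside VELOCITY_WINDOW
VELOCITY_WINDOW = timedelta(hours=24)
BASE_VOLUME_THRESHOLD = 50_000.0  # total value inside VOLUME_WINDOW
VOLUME_WINDOW = timedelta(days=30)

# How much each risk tier tightens the base thresholds (1.0 = unchanged).
TIER_FACTOR = {"low": 1.0, "medium": 0.5, "high": 0.25}


@dataclass
class Client:
    client_id: str
    country: str
    product_allows_anonymity: bool
    pep: bool = False


@dataclass
class Transaction:
    amount: float
    when: datetime
    counterparty_country: str


def client_risk_score(c: Client) -> int:
    """Score the client on the page's factors: product anonymity, jurisdiction, PEP status."""
    score = 0
    if c.product_allows_anonymity:
        score += 2
    if c.country in HIGH_RISK_JURISDICTIONS:
        score += 2
    if c.pep:
        score += 3  # PEPs need enhanced due diligence regardless of the rest of the score
    return score


def risk_tier(c: Client) -> str:
    score = client_risk_score(c)
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def velocity_exceeded(txns: list[Transaction], limit: int) -> bool:
    """Sliding window: True if any VELOCITY_WINDOW span holds at least `limit` transactions."""
    times = sorted(t.when for t in txns)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > VELOCITY_WINDOW:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False


def volume_exceeded(txns: list[Transaction], limit: float) -> bool:
    """Sliding window: True if transactions inside any VOLUME_WINDOW span sum to at least `limit`."""
    ordered = sorted(txns, key=lambda t: t.when)
    start, total = 0, 0.0
    for end, t in enumerate(ordered):
        total += t.amount
        while ordered[end].when - ordered[start].when > VOLUME_WINDOW:
            total -= ordered[start].amount
            start += 1
        if total >= limit:
            return True
    return False


def alerts(client: Client, txns: list[Transaction], approach: str = "risk") -> list[str]:
    """Return sorted alert names.

    approach="rule": one fixed set of thresholds for every client; client risk is ignored.
    approach="risk": thresholds tightened by the client's tier, plus a jurisdiction check.
    """
    tier = None if approach == "rule" else risk_tier(client)
    factor = 1.0 if tier is None else TIER_FACTOR[tier]
    value_limit = BASE_VALUE_THRESHOLD * factor
    velocity_limit = max(1, round(BASE_VELOCITY_COUNT * factor))
    volume_limit = BASE_VOLUME_THRESHOLD * factor

    found = set()
    if any(t.amount >= value_limit for t in txns):
        found.add("HIGH_VALUE")
    if velocity_exceeded(txns, velocity_limit):
        found.add("HIGH_VELOCITY")
    if volume_exceeded(txns, volume_limit):
        found.add("HIGH_VOLUME")
    # Only the risk-based run considers where the money is going.
    if tier in ("medium", "high") and any(
        t.counterparty_country in HIGH_RISK_JURISDICTIONS for t in txns
    ):
        found.add("HIGH_RISK_COUNTERPARTY")
    return sorted(found)


T0 = datetime(2024, 1, 15, 9, 0)

# Constructed sample: a client on an anonymity-friendly product in a higher-risk jurisdiction
# makes six 3,000 payments within a few hours to a counterparty in another higher-risk
# jurisdiction. Every individual amount sits below the flat 10,000 threshold.
STRUCTURED_CLIENT = Client("C-001", "XX", product_allows_anonymity=True)
STRUCTURED_TXNS = [Transaction(3_000.0, T0 + timedelta(hours=i), "YY") for i in range(6)]

# Constructed sample: a domestic retail client with a single ordinary payment.
ORDINARY_CLIENT = Client("C-002", "NZ", product_allows_anonymity=False)
ORDINARY_TXNS = [Transaction(4_000.0, T0, "NZ")]

if __name__ == "__main__":
    for c, txns in ((STRUCTURED_CLIENT, STRUCTURED_TXNS), (ORDINARY_CLIENT, ORDINARY_TXNS)):
        print(c.client_id, risk_tier(c), "rule:", alerts(c, txns, "rule"), "risk:", alerts(c, txns, "risk"))
```

Run as a script, the structured client produces no alerts under the rule-based thresholds and HIGH_RISK_COUNTERPARTY, HIGH_VALUE, HIGH_VELOCITY and HIGH_VOLUME under the risk-based ones, while the ordinary client is clean under both. The point is not the specific numbers, which are invented, but that the same monitoring logic only catches structuring when its thresholds are informed by the client risk assessment.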


While there are many elements to a risk-based approach, at the heart of it is being proactive and understanding the different risks posed by different clients and different transactions.

A risk-based approach recognises these differences; a rule-based approach does not.

Following a rule-based programme prevents you from completing robust AML checks, opens the door to criminal activity, and will not properly meet your obligations under the AML/CFT Act.

If you need some help to review your AML/CFT Risk Assessment or Compliance Programme to ensure you are adopting a risk-based approach, give us a call on +64 9 369 6867 or email
