Can the risk-based approach work in AML?

 

I often hear, sometimes quietly and sometimes quite loudly, that “the risk-based approach doesn’t really work in AML.”

The frustration echoes the themes of many of my blogs to date: Many firms have invested years refining their Business-Wide Risk Assessments. They have heat maps, scoring matrices, detailed rationales and comprehensive board packs. Yet practitioners frequently admit that the outputs do not meaningfully shape strategic or operational decisions. The exercise can feel focused more on evidencing compliance than informing action.

And yet those same institutions apply a risk-based approach every day in credit risk, market risk and operational risk without questioning its viability. In those disciplines, the debate centres on calibration and refinement, not on whether the framework can work at all.

So is the risk-based approach fundamentally unsuited to financial crime, or have we struggled with how to apply it?

The honest answer is probably both.

Where the comparison holds

There are clear structural parallels between financial crime risk and other risk disciplines.

In credit risk, the core event is counterparty default. In market risk, it is adverse price movement. In operational risk, it is process failure. Each begins with a clearly defined harm event. Exposure is assessed relative to that event. Mitigation is considered separately. Outputs inform real decisions, such as pricing, limits or capital allocation.

That sequencing matters. Define what could go wrong. Assess exposure. Then evaluate mitigation.

Rather than starting with aggregated characteristics, such as customer types, geographies or products, and inferring “risk” from them, a more coherent starting point is clearly defined financial crime risk events. Once those events are articulated, the key question becomes how exposed the business model is to them.

The importance of articulating exposure

Structural exposure is not statistical likelihood, nor is it a proxy for control strength. It reflects the inherent features of the business, its customer base, product architecture, transaction flows and operating footprint, that create pathways through which financial crime harms could arise. These features do not constitute risk events in themselves, but they shape vulnerability to them.

Separating exposure from mitigation brings clarity. It makes the logic of the model transparent: this is the harm, this is how our business model creates exposure to it, and this is how we mitigate it. That clarity improves defensibility and usefulness.

This is not about importing the mathematics of credit risk into AML. It is about recognising that the sequencing of harm, exposure and mitigation is transferable.

However, structural coherence does not mean the modelling conditions are the same.

Why the analogy has limits

Credit risk models rely on observable outcomes. Defaults occur, losses are measured and large datasets allow probabilities to be estimated. There is an empirical anchor.

In financial crime, the central event, successful laundering or facilitation of illicit activity, is largely hidden. Detection does not equal occurrence. Suspicious activity reports offer signals, but not completeness. Enforcement outcomes are limited and often delayed. Some of the most significant events remain unknown.

These are not just data quality issues. There are structural limits to what can be observed. As a result, probability-based modelling cannot operate with the same confidence. We can impose structure, but we cannot replicate the empirical foundations of credit or market risk.

A dynamic and non-economic risk

Financial crime risk is also adversarial. Criminal actors adapt to detection thresholds, migrate between channels and exploit weaknesses. Controls can displace or reshape risk rather than simply reduce it. Static modelling is therefore fragile.

At the same time, financial crime is not a risk-return trade-off. Institutions do not seek exposure to money laundering in pursuit of yield, nor is there an “optimal” level of illicit activity. AML risk is a governance responsibility attached to commercial activity, where tolerance is framed in legal and reputational terms.

The objective is not optimisation, but proportionate prevention.

Regulation, uncertainty and realistic expectations

AML risk assessment is shaped by regulatory architecture. Mandatory risk factor categories, such as customer, geography and product, are embedded in law and guidance to support supervisory consistency. Firms must exercise judgement within that structure.

Some of the features often criticised in BWRAs reflect those deliberate regulatory objectives. The difficulty arises when prescribed categories crowd out clear articulation of harm events and exposure.

There is no credible alternative to the risk-based approach. A purely rules-based model would be less adaptable, and abandoning structure would weaken transparency. The risk-based approach remains necessary, but it operates under greater uncertainty than other risk domains.

Recent developments at a European level illustrate the complexity of this balance. AMLA has rightly reinforced the importance of the risk-based approach, yet the volume and specificity of data points within its supervisory methodology risk encouraging a more checklist-oriented implementation. The intention is consistency; the operational outcome, if not carefully managed, may be renewed focus on coverage rather than coherence.

When practitioners say it “doesn’t work,” they often mean that outputs feel abstract or disconnected from decisions. The solution is not to discard structure but to recalibrate expectations.

AML risk modelling will never match credit risk modelling in statistical sophistication. What we can expect is clarity about harm, disciplined separation of exposure and mitigation, transparency about judgement and outputs that inform prioritisation.

This matters because poorly structured assessments misdirect attention and control investment. If exposure is unclear, firms may spend heavily in visible areas rather than where vulnerability is greatest. Clarity does not remove uncertainty, but it improves prioritisation.

The discipline that matters

The risk-based approach in AML is neither broken nor directly comparable to other risk disciplines. It operates in an environment of hidden activity, adaptive adversaries, regulatory prescription and limited tolerance for failure.

The objective is not precision for its own sake, but disciplined clarity. The challenge is not to replicate credit risk models, but to apply structure without claiming certainty that does not exist.

For boards and senior management, this is not theoretical. A risk assessment that lacks clarity can distort governance discussions and create false confidence. One that clearly articulates harm, exposure and mitigation supports better oversight, more credible regulatory engagement and more proportionate allocation of resources.

The task is not to defend or discard the risk-based approach, but to ensure it genuinely supports informed judgement at the highest levels of the organisation.

