4 steps of a risk-based approach in banking

In this post, we will explain the four core components of a risk-based approach based on FATF's recommendations.

Gabriela Taranu, Content Manager

Published 2025-02-12

Criminals constantly implement new methods and tools, making it more difficult for banks to identify financial crime. This means that banks must understand their specific risks and develop strategies to mitigate them. A risk-based approach (RBA) is key to managing such challenges effectively. 

In this blog post, we will explain the four steps of a risk-based approach based on the Financial Action Task Force's (FATF) recommendations. 

What is a risk-based approach?

A risk-based approach is a strategy banks use to manage and mitigate the risks associated with money laundering and terrorist financing. Banks must identify and assess how criminals can use their services to conduct financial crimes. Then, they need to implement effective strategies to mitigate and report such risks.  

The four steps of a risk-based approach are:  

  1. risk identification;
  2. risk assessment;
  3. risk mitigation;
  4. internal controls, governance, and monitoring. 

1. Risk identification 

Risk identification involves recognising risks associated with money laundering and terrorist financing and how the bank can be used for such financial crimes.  

Some of the factors banks need to take into consideration when identifying and assessing money laundering/terrorist financing risks include: 

  • The business' nature, scale, and complexity.
  • The volume and size of transactions.
  • The target customers and markets.
  • The number of customers already identified as high-risk.
  • The jurisdictions the bank is exposed to.
  • The distribution channels, including how the bank interacts with customers, the extent to which it relies on third parties for customer due diligence (CDD), and the use of technology.
  • Internal audits and regulatory findings. 

2. Risk assessment 

Risk assessment refers to evaluating the likelihood and potential impact of the identified risks. This helps banks prioritise their resources and efforts on the most significant risks. 

To conduct a thorough risk assessment, banks must consider several elements: 

  • Likelihood of occurrence: Banks must estimate the probability of a particular risk based on historical data, industry trends, and other relevant factors.
  • Impact analysis: Banks must assess the potential consequences of each risk, including financial losses, reputational damage, and regulatory penalties.
  • Risk rating: Banks should assign a risk rating to the identified risks based on their likelihood and impact. This helps them prioritise their risk mitigation efforts.
  • Documentation and communication: Banks must document the risk assessment process and share the findings with the organisation's relevant stakeholders. 

3. Risk mitigation 

Risk mitigation involves developing and applying controls to reduce the likelihood and impact of identified risks. It can be split into three steps: customer due diligence, ongoing monitoring, and reporting.  

3.1 Customer due diligence 

Banks must perform thorough due diligence on customers to understand the nature of the business and the relationship. The initial CDD steps that every bank must carry out include the following: 

  • Identifying the customer and, if needed, the customer's beneficial owner.
  • Verifying the customer's identity based on reliable information.
  • Understanding the purpose and intended nature of the business relationship and obtaining further information in higher-risk situations. 

3.2 Ongoing monitoring or transaction monitoring 

Ongoing monitoring refers to evaluating transactions to ensure they align with the bank's understanding of the customer, the product's purpose, and the business relationship. 

A transaction monitoring system is essential for detecting unusual or suspicious activities, especially when large volumes of transactions occur regularly. The system should analyse vast amounts of data in real time and flag any transactions that deviate from established patterns. 

Some examples of monitoring practices include daily transaction monitoring and review, analysis of information, assessing the destination of funds, and establishing red flags. 
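As an added illustration (not code from the original post or from FATF), the following Python pass shows the monitoring idea above in working form: it keeps a per-customer baseline of past amounts, flags an amount that deviates from the established pattern with a tolerance tuned to the customer's risk rating from the assessment step, and flags funds sent to a higher-risk jurisdiction. The risk ratings, the jurisdiction list (a placeholder code) and the transaction histories are constructed sample inputs.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed inputs for the example (not real data): customer risk ratings
# from the risk assessment step, a placeholder list of higher-risk
# jurisdictions, and each customer's prior transaction amounts as a baseline.
HIGH_RISK_JURISDICTIONS = {"XX"}            # placeholder code, not a real country
CUSTOMER_RISK = {"C1": "low", "C2": "high", "C3": "low"}
HISTORY = {"C1": [120, 95, 140, 110, 130, 105],
           "C2": [2000, 2500, 1800, 2200],
           "C3": [50]}                      # new customer, too little history

@dataclass
class Txn:
    txn_id: str
    customer: str
    amount: float
    dest_country: str

def deviation_limit(rating: str) -> float:
    # Risk-based tuning: a higher-risk customer gets a tighter tolerance
    # before an amount counts as deviating from the established pattern.
    return 2.0 if rating == "high" else 3.0

def red_flags(txn: Txn, past: list, rating: str) -> list:
    flags = []
    if len(past) >= 3:                      # need a baseline to compare against
        mu, sigma = mean(past), pstdev(past)
        # A flat history (sigma == 0) makes any different amount a deviation.
        z = abs(txn.amount - mu) / sigma if sigma else (0.0 if txn.amount == mu else float("inf"))
        if z > deviation_limit(rating):
            flags.append("amount_deviates_from_pattern")
    if txn.dest_country in HIGH_RISK_JURISDICTIONS:   # destination of funds
        flags.append("high_risk_destination")
    return flags

def monitor(txns: list, history: dict, risk: dict) -> dict:
    """Score transactions in arrival order; return {txn_id: flags} for review."""
    hist = {k: list(v) for k, v in history.items()}   # do not mutate the input
    alerts = {}
    for txn in txns:
        flags = red_flags(txn, hist.get(txn.customer, []), risk.get(txn.customer, "high"))
        if flags:
            alerts[txn.txn_id] = flags
        hist.setdefault(txn.customer, []).append(txn.amount)  # baseline evolves
    return alerts

SAMPLE_TXNS = [Txn("T1", "C1", 125, "DE"), Txn("T2", "C1", 5000, "DE"),
               Txn("T3", "C2", 2800, "XX"), Txn("T4", "C3", 60, "DE")]
```

Calling `monitor(SAMPLE_TXNS, HISTORY, CUSTOMER_RISK)` returns alerts for T2 (amount far outside C1's pattern) and T3 (moderate deviation that trips only the tighter high-risk tolerance, plus a high-risk destination), while T1 and the new customer's T4 pass without flags.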

3.3 Reporting 

The third step in mitigating risks is to report any identified suspicious activities. If a bank suspects that transactions or funds come from criminal activities or are connected to terrorist financing, it must report these suspicions to the appropriate Financial Intelligence Unit (FIU). 

4. Internal controls, governance, and monitoring 

This last step is essential for banks to ensure that risk mitigation measures are effectively implemented and maintained. The following elements provide a framework for managing risks and ensuring compliance with regulatory requirements: 

  • Policies and procedures: Banks must have clear policies and procedures for AML/CFT compliance. These should be regularly reviewed and updated to reflect changes in the regulatory environment and emerging risks.
  • Training and awareness: Banks must regularly train employees on AML/CFT policies and procedures. The training should be specific to the roles and responsibilities of the employees.
  • Independent audit: Banks must conduct regular independent audits of the AML/CFT programme to identify weaknesses and areas for improvement.
  • Board and senior management oversight: The board of directors and senior management must actively oversee the AML/CFT programme by receiving regular reports and being involved in decision-making.
  • Continuous improvement: Banks must continuously monitor and improve their AML/CFT measures and stay informed about new risks, regulatory changes, and best practices in the industry.