The US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has proposed rules to modernise AML compliance and, crucially, to allow financial institutions to adopt something like a risk-based approach.
For years, the risk-based approach has been the organising principle of AML compliance. The FATF has long treated it as foundational, while the EU embedded it in the Fourth AML Directive and subsequent guidance. In the UK, it has been a core feature of the regime since the 2007 Money Laundering Regulations and was further developed under the 2017 framework.
Now, proposals from FinCEN signal a move away from judging compliance by the volume of policies, procedures or alerts, and toward a more outcome-driven model. The focus is increasingly on whether a firm’s AML/CFT programme is effective in identifying and mitigating illicit finance risk, and whether it produces intelligence of genuine value. This potential move to a risk-based approach could reshape AML compliance in the US, and re-align it towards a more Europe-centred approach.
What is the risk-based approach in AML?
At its core, the risk-based approach means identifying, assessing, understanding, monitoring and mitigating money laundering and terrorist financing risk, then applying controls in proportion to that risk. Higher-risk customers, products, delivery channels, geographies and transactions should attract stronger controls and more scrutiny. Lower-risk scenarios may justify simplified measures, provided there is no suspicion of money laundering or terrorist financing. FATF has framed this as the central organising principle of modern AML/CFT for years.
AML compliance is not supposed to be a uniform exercise. A firm with complex cross-border structures, high-risk jurisdictions, opaque ownership chains and non-face-to-face onboarding should not be supervised or expected to behave like a small domestic business with simple products and a transparent customer base. The risk-based approach is meant to prevent both under-control and over-control. It should concentrate resources where exposure is real, while avoiding indiscriminate de-risking or burden for its own sake.
How has the EU used the risk-based approach?
In Europe, the risk-based model has been embedded in AML law since the third AML regime, and then more explicitly and systematically under the Fourth AML Directive. The UK’s 2007 Money Laundering Regulations required customer due diligence and policies to be applied on a risk-sensitive basis, meaning that firms had to apply risk-based customer due diligence measures.
The Fourth AML Directive, adopted in 2015, moved the EU further toward an expressly evidence-based model. The Commission described the Directive as involving evidence-based decision-making to target the money laundering and terrorist financing risks facing firms. The guidelines explain that firms and supervisors should identify, assess and understand AML risk, then allocate controls and supervisory resources accordingly.
How has the UK used the risk-based approach?
The UK retained and developed this model through the Money Laundering Regulations 2017. Those regulations replaced the 2007 regime and require both firms and supervisors to act on a risk-based basis. Guidance from across the regulated sector encourages firms to develop a thorough understanding of AML risks as the foundation for proportionate and effective systems and controls. Firms should identify and assess risks arising from their products and services, jurisdictions, customer types, transaction complexity and distribution channels, then target resources to the areas of greatest risk.
Many regulators have criticised firms whose business-wide risk assessments were generic, poorly documented, weak on methodology, or disconnected from operational decision-making. The SRA and the FCA, among others, have taken action against firms that did not appropriately undertake a risk-based approach.
What does the risk-based approach mean in practice?
For firms, the risk-based approach usually starts with a business-wide risk assessment. That is the enterprise-level view of exposure: what risks arise from the business model, products, services, customer base, ownership structures, delivery channels, jurisdictions, transaction patterns and use of intermediaries or third parties. That assessment should be comprehensive, draw on a wide range of information, and be proportionate to the firm’s size and complexity. It should then feed into individual customer risk assessments and the level of due diligence applied to each relationship.
That means a proper AML framework is layered. The business-wide risk assessment informs customer risk scoring. Customer risk scoring then informs onboarding, verification, source-of-funds and source-of-wealth checks, approval thresholds, transaction monitoring scenarios, escalation triggers and review frequency. Guidance from regulators requires that customer and business-wide assessments should be reviewed regularly and should not be treated as one-off documents.
A mature implementation usually distinguishes between inherent risk and residual risk. Inherent risk is the exposure before controls. Residual risk is what remains after controls are applied. Firms can use tools such as qualitative and quantitative scoring, assessing the strength of controls, comparing outcomes to risk appetite, and mapping typologies and red flags into the business-wide assessment. That is a more sophisticated expression of the risk-based approach than simply assigning customers red, amber or green ratings.
How to implement a risk-based approach
As FinCEN considers adopting a risk-based approach, it is important to understand how to do this properly.
First, methodology must be explicit. Firms should be able to explain how they score risk, what variables they use, how weightings work, what overrides are allowed, and who approves exceptions. Regulator criticism has often focused on weak methodology and poor documentation rather than on the existence of a risk matrix as such.
Second, the assessment has to be tailored to the actual business. Regulators repeatedly object to generic risk assessments that could belong to any firm. A law firm, payments firm, broker, trust company and crypto business should not be using interchangeable narratives or control sets. The assessment needs to reflect the firm’s real customer journeys, real products, real geographies and real typologies.
Third, the risk assessment is what drives controls. A risk-based approach fails if the assessment sits in a folder and does not change behaviour. High-risk relationships should trigger more intrusive checks, tighter approval, closer monitoring and more frequent review. Lower-risk relationships can justify simpler treatment, though not where suspicion exists. There must be a process to escalate where there is suspicion.
Fourth, the model should be dynamic. Risk assessments must be reviewed when products change, when the firm enters new markets, when typologies evolve, when FATF or national authorities publish new findings, or when internal incidents expose a weakness. Regulators expressly say firms should regularly review both business-wide and individual risk assessments so they remain current.
Fifth, governance and challenge matter. A good risk-based approach is more than an operational tool. It needs oversight, independent challenge and clear accountability, including for overrides and risk acceptance. Weak senior management understanding of the firm’s own risk profile is a recurring problem.
Sixth, firms should avoid mistaking de-risking for risk management. Refusing whole categories of clients or jurisdictions without rationale can itself signal a weak framework.
What would the current US proposals do?
The US proposal would essentially move the US framework closer to the logic long familiar in FATF, EU and UK practice, while still retaining distinctive US features. FinCEN’s April 2026 proposed rule would amend AML programme rules under the Bank Secrecy Act for a wide set of financial institutions. FinCEN says the aim is to implement the AML Act of 2020 by requiring effective, risk-based AML/CFT programmes designed to achieve the purposes of the BSA, especially identifying, preventing and reporting financial crime.
The proposal also tries to sharpen the distinction between programme design and programme implementation. Agencies say they want to distinguish failures to establish a compliance programme from failures to implement a properly established programme, and to focus enforcement and significant supervisory action on significant or systemic failures. That is a notable change in tone. It suggests an attempt to move away from a culture in which any technical weakness might be treated as an equal supervisory event. In essence, the risk-based approach is smarter and better focused on actual risks.
Another important element is supervisory coordination. Some proposed rules would require federal banking regulators to consult FinCEN before taking certain AML/CFT enforcement or significant supervisory actions, with written notice at least 30 days in advance. That would strengthen FinCEN’s role as the central administrator of the BSA and may produce more consistent outcomes across agencies.
What happens next with the proposed risk-based approach?
The proposals are currently in the consultation phase. Once they are published in the Federal Register, a formal public comment period opens, typically around 60 days. During this window, industry participants, trade bodies and other stakeholders can submit detailed feedback on the scope, definitions and practical implications of the rules.
After this period, regulators will review submissions and may revise the proposals before issuing a final rule. That process can take several months, particularly where there are complex supervisory or operational implications. For a rule of this significance, a final version would realistically be expected later in 2026 or potentially into early 2027.
Implementation is unlikely to be immediate. US regulators typically provide a transition period to allow firms to adjust policies, systems and controls. Depending on the final form of the rule, this could range from six months to over a year. Firms should expect a phased adjustment rather than a single compliance deadline, especially where changes affect programme design, risk assessment frameworks and supervisory expectations.
