- Sep 25, 2025
Policy Meets Practice: Why Risk-Based AML Works—When It’s Done Right
In this article, Louie Vargas, Founder of the Network for Financial Crime Prevention, speaks about risk-based AML and its benefits.

The phrase “risk-based approach” (RBA) is repeated so often in today’s AML compliance landscape that it can start to feel like a buzzword. With regulators around the world highlighting the importance of an RBA in the fight against money launderers and fraudsters, financial institutions are under pressure to show that they’re doing more than just ticking boxes.
So, what does a true RBA look like in practice? And why is it so important for regulatory compliance?
To unpack these questions, we spoke with Louie Vargas, Lead Sanctions Compliance Officer at Nordea and Sumsub Academy speaker, about why risk-based AML matters and how organizations can get it right.
Why does true risk-based AML work?
Vargas makes it clear that there’s a difference between a box-ticking approach to AML and a genuine RBA, which ensures activities are tailored to risk tolerance.
“Ticking the box is only surface level and will lead to potential gaps in data, understanding your customer, and fully understanding your compliance program, technology, and controls,” he says. “An RBA attempts to ensure tailored activities that are proportionate based on the risk tolerance and calculation. This limits gaps, customer friction, and losing control of your compliance program.”
In other words, an RBA adjusts scrutiny depending on the risks actually posed by the customer.
“Regulators want to ensure you understand your customers and the potential risks they present,” Vargas explains. “If you have a cookie-cutter approach, this will usually raise a red flag for them, which may lead to additional questions or deep dives.”
Getting risk-based AML right in practice
There is a real danger in dismissing risk-based AML as regulatory jargon, and Vargas is eager to stress its practical significance. Institutions that fail to implement RBAs open themselves up to major risks.
Vargas lists the harms of failing to adopt an RBA plainly: “Poor customer experience, lack of appropriate information for screening and oversight, the institution can be exposed to nefarious activities, the list goes on.”
Overly rigid AML programs can simultaneously burden low-risk customers with unnecessary friction, while failing to detect high-risk customers who slip through box-ticking checks. The result is an approach that is unsuitable for both customer expectations and the fast-changing nature of financial crime, made all the more complex by technological breakthroughs like AI.
So, where do firms go wrong in adopting an RBA? Vargas indicates there are too many mistakes to list them all, with the most common being: “Not truly understanding their customers or products, a lack of clear documentation defining the framework, and a lack of relevant data to score customers’ level of risk appropriately.”
In practice, this means institutions make policies that look risk-based on paper but collapse under any real-world scrutiny. Without accurate data, clear documentation, and customer or product understanding, an RBA just becomes another form of box-ticking.
Leveraging technology responsibly
A pressing question for compliance professionals is how much technology can actually help them move closer to true risk-based AML without creating new blind spots.
Vargas is cautiously optimistic, explaining one way technology can help financial institutions: “Technology helps by consolidating and summarizing the customer in a holistic way, making it easier to see potential issues with a specific client across their life cycle, customer segment, and product.”
Automation tools are especially useful for low-risk, repetitive tasks, and Vargas mentions decision reapplication as a prime example. However, higher-risk situations always need human input.
“Automation for low-risk, repeatable tasks, and human intervention where more risk is present, and making judgment calls,” he advises.
This helps build a culture of organizational efficiency while keeping institutions from relying blindly on algorithms, at a time when regulators are wary of AI use in compliance.
Balancing innovation and regulatory pressure
One challenge compliance teams face is that regulators tend to want stricter, more prescriptive controls. This raises a key question: How can firms balance this with the need to stay innovative?
For Vargas, the answer lies in transparency and partnership: “Documentation, transparency, and taking the regulator on the journey with you to obtain feedback and provide comfort and foster a partnership with the regulator.”
Proactive engagement can help firms not only stay compliant but also drive innovation without fear of regulatory pushback.
That said, the regulatory environment itself is under strain. As technology advances and risks like AI-driven fraud become even more pressing, there is a danger of regulators not being fast enough to evolve with the reality of the financial landscape.
“Slowly but surely,” Vargas says when asked if regulations are evolving fast enough. “Regulators are short-staffed as well, but appear to be making a concerted effort.”
The future of risk-based AML
Vargas makes the point that the future of risk-based AML is next to impossible to predict. “My crystal ball is in the shop, I’ll need to get back to you,” he jokes, before turning serious.
“The truth is, the future of risk-based AML is a good question but difficult to answer, as regulation, crime typologies, geopolitics, evasion techniques, and technology are so dynamic and rapidly evolving, there is no way to know even where we’ll be at the end of 2025, let alone 2030.”
Bridging policy and practice
Turning back to the present, Vargas offers a final piece of advice to compliance teams trying to bridge the gap between policy and the daily reality of compliance work.
“As our world and crime continue to change, we also have to be dynamic and consider new approaches,” he says. “We have to start thinking outside of the box to become more effective. The old silos, approaches, and so on were not built for this current world. We need to be brave and begin to think of these changes now, including technology adoption, before we’re even further behind.”
It’s advice that highlights both the urgency and the opportunity of risk-based AML, and adopting the right technologies is key to getting it right.