Not All Customers Are Equally Dangerous

The naive approach to compliance is treating everyone the same. The smart approach is figuring out who actually needs a closer look, and spending your attention there.

The Problem With Treating Everyone the Same

There is a tempting simplicity to applying the same level of scrutiny to every customer. It feels fair. It feels thorough. It is also a terrible idea.

If you apply maximum due diligence to everyone, you will spend so much time investigating low-risk customers that you will not have the resources left to properly investigate the high-risk ones. This is not just a theoretical concern. It is why the Financial Action Task Force (FATF) and virtually every major regulator in the world explicitly require a risk-based approach. You are supposed to spend your attention where the risk actually is.

What Makes a Customer Risky

The first step is figuring out what "risky" means for your specific business. The risk factors vary, but regulators point to several big categories.

Where They Are

Geography is one of the strongest risk signals. A customer in a country that FATF has flagged for weak anti-money laundering controls is inherently riskier than one in a well-regulated jurisdiction. The same goes for countries under comprehensive sanctions, or countries known for corruption or drug trafficking.

But it is not just about where the customer lives. You also need to think about where their money comes from and where it goes. A customer in London whose funds originate in a high-risk jurisdiction still carries geographic risk.

Who They Are

Some types of customers carry more inherent risk than others. Politically exposed persons are riskier because of their potential for corruption. Cash-intensive businesses are riskier because cash is hard to trace. Companies with opaque ownership structures are riskier because you cannot see who is really in control.

What They Buy

Some products are easier to abuse than others. Anonymous instruments, cross-border transfers, correspondent banking, and private banking all make it easier to move or hide illicit funds. The question to ask is: how easily could someone use this product to launder money?

How They Behave

Transaction patterns tell you a lot. Frequent round-number transfers, rapid movement of funds through an account, transactions that do not match the stated business purpose, or sudden changes in activity levels are all signals. Behavior is often more revealing than any form you ask a customer to fill out.

A risk-based approach is not about doing less compliance work. It is about doing the right compliance work. The institutions that get this right catch more suspicious activity while operating more efficiently.

The Light Touch for Low-Risk Customers

For customers who look genuinely low-risk, you can use simplified due diligence. This does not mean skipping verification. It means using lighter methods:

  • Identity verification through database checks rather than requiring document uploads
  • Reviews less often, maybe every couple of years instead of annually
  • Monitoring with higher thresholds before an alert fires
  • Simpler documentation requirements

The catch is that you need a defensible reason for believing the customer is low-risk. And you need a mechanism to escalate them if something changes. Regulators will not accept "we just assumed they were fine."

The Deep Dive for High-Risk Customers

High-risk customers get enhanced due diligence. This means more verification, deeper investigation, closer monitoring, and management sign-off. It is expensive and time-consuming, which is exactly why you only want to apply it where it is actually needed.

  1. Gather additional identity documents from independent sources
  2. Verify where their wealth and funds actually come from, with documentary evidence
  3. Search adverse media across multiple languages and sources
  4. Get senior management to approve the relationship before it starts, and again at each review
  5. Set lower monitoring thresholds so you catch smaller anomalies
  6. Document why you are comfortable maintaining the relationship despite the elevated risk

Turning Risk Into Numbers

Risk scoring models take all these qualitative factors and turn them into a number. You assign weights to each factor based on how important it is, calculate a total score for each customer, and use the score to decide whether they get simplified, standard, or enhanced due diligence.

Building a good scoring model is harder than it sounds. Here is what matters:

  • It has to be explainable. If a regulator asks why Customer X got a high-risk score, you need to be able to point to specific factors and weights. Black boxes are not acceptable.
  • It has to differentiate. If 90% of your customers end up in the same risk bucket, your model is not doing its job.
  • It has to update. Risk scores should change when new information arrives: a change in behavior, a new sanctions designation, a negative news story.
  • It has to be tested. Independent validation ensures the model is actually working and not producing biased or inaccurate results.
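To make the four requirements concrete, here is a small weighted scoring model written for this article (it is an added example, not KYCEER's product code). The factor weights, tier cut-offs and the three-customer portfolio are constructed illustrative values, not a regulatory standard; each function maps to one requirement above: a per-factor breakdown for explainability, a tier-distribution check for differentiation, and an event-driven reassessment for updates.

```python
from collections import Counter

# Factor weights and tier cut-offs are assumed illustrative values, not a
# regulatory standard; each factor is rated 0 (no concern) to 5 (severe).
WEIGHTS = {"geography": 3, "customer_type": 2, "product": 2, "behaviour": 3}
SIMPLIFIED_MAX = 10   # total at or below this -> simplified due diligence
ENHANCED_MIN = 25     # total at or above this -> enhanced due diligence

def score(factors):
    """Return (total, per-factor contributions) so every point is traceable."""
    parts = {f: WEIGHTS[f] * factors.get(f, 0) for f in WEIGHTS}
    return sum(parts.values()), parts

def tier(total):
    if total <= SIMPLIFIED_MAX:
        return "simplified"
    return "enhanced" if total >= ENHANCED_MIN else "standard"

def explain(name, factors):
    """Regulator-readable breakdown: which factors drove the score and by how much."""
    total, parts = score(factors)
    lines = [f"{name}: total {total} -> {tier(total)} due diligence"]
    for f, c in sorted(parts.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {f}: rating {factors.get(f, 0)} x weight {WEIGHTS[f]} = {c}")
    return "\n".join(lines)

def reassess(factors, factor, new_rating):
    """Event-driven update (e.g. a new sanctions hit); returns (old_tier, new_tier)."""
    old = tier(score(factors)[0])
    factors[factor] = new_rating
    return old, tier(score(factors)[0])

def largest_bucket_share(portfolio):
    """Differentiation check: fraction of customers in the most populated tier."""
    counts = Counter(tier(score(f)[0]) for f in portfolio.values())
    return max(counts.values()) / len(portfolio)

# Constructed sample portfolio (not real customers).
PORTFOLIO = {
    "alice": {"geography": 0, "customer_type": 1, "product": 1, "behaviour": 0},
    "bob":   {"geography": 2, "customer_type": 1, "product": 2, "behaviour": 2},
    "carol": {"geography": 4, "customer_type": 5, "product": 3, "behaviour": 2},
}

if __name__ == "__main__":
    for name, factors in PORTFOLIO.items():
        print(explain(name, factors))
    print("largest tier share:", largest_bucket_share(PORTFOLIO))
    print("bob after a sanctions hit:", reassess(PORTFOLIO["bob"], "customer_type", 5))
```

Raising bob's customer_type rating to 5 (a sanctions designation in his ownership chain) moves him from standard to enhanced, which is the kind of score movement a reviewer should be able to trace back to a single dated event.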

Risk Is Not Static

A customer who is low-risk today might not be low-risk next year. Their business might change. They might start transacting in new jurisdictions. A new sanctions designation might hit someone in their ownership chain. Your due diligence program needs to keep up with all of this through ongoing monitoring, periodic reviews, and event-driven reassessments.

What Regulators Actually Want to See

Regulators are not naive. They know that some institutions use "risk-based approach" as code for "we do less work." They will push back on that. What they want to see is that you have documented risk assessments at both the institutional and customer level, that your policies clearly define how you identify and score risk, that you consistently apply enhanced due diligence to high-risk customers, and that you test your methodology regularly.

Getting this right takes real investment upfront in methodology, scoring models, and process design. But the payoff is large. You catch more actual suspicious activity. You use your compliance team more efficiently. Onboarding is smoother for the majority of customers who are not high-risk. And you are in a much stronger position when the regulators come knocking.

See KYCEER in Action

Discover how KYCEER helps compliance teams detect and prevent financial crime with AI-powered automation.