“Risk-based approach” is a phrase used in many domains, from pharmaceutical manufacturing practices to auditing, to testing internal controls, to combating money laundering and terrorist financing. The AML regulations are consistent in saying a risk-based approach should be deployed; our best practices that follow explain how some financial institutions get this done.
BSA (Bank Secrecy Act): In a report regarding BSA, Gibson Dunn states, “Under the BSA and its implementing regulations, and, with respect to banks, parallel requirements of the Federal bank regulators, banks, securities broker-dealers, and certain other "financial institutions" are required to implement risk-based anti-money laundering ("AML") programs to prevent and detect money laundering and terrorist financing and to comply with a labyrinth of BSA/AML laws, regulations, and regulatory guidance.”
FCPA (Foreign Corrupt Practices Act): “We recommend companies follow a risk-based approach: focus on the nature of relationships with their distributors. Determine which distributors are the most likely to qualify as agents, for whose acts the company can be held responsible. Once a company segregates the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from mere resellers that pose little FCPA risk, FCPA compliance procedures can be tailored appropriately. Distributors that qualify as ‘agents’ and also pose FCPA risk, full FCPA due diligence, certifications, training, and contract language are imperative,” according to the FCPA Professor.
FSA (Financial Services Authority, UK): The FSA states, “Firms must put in place adequate and risk-sensitive AML policies and procedures. This means that firms have to identify and assess their money laundering risk and put in place systems and controls adequately to manage and mitigate this risk. Firms who apply a risk-based approach to AML will focus AML resources where they will have the biggest impact. The risk-based approach means a focus on outputs. Firms must have in place policies and procedures in relation to customer due diligence and monitoring, among others, but neither the law nor our rules prescribe in detail how firms have to do this. Firms’ practices will vary depending on the nature of the money-laundering risks they face and the type of products they sell.”