The challenges with taking a risk-based approach to AML

Compliance teams find taking a risk-based approach to Anti-Money Laundering (AML) compliance using traditional tools slow and laborious. The global landscape is growing even more complex with geopolitical conflicts, increasing sanctions, and ESG considerations. At the same time, the volume of data about individuals and entities grows at an unprecedented rate. Current AML tools can’t keep up. Teams often rely on limited datasets and keyword searches that fall short of capturing a client’s full risk profile. Missing even one critical piece of information can drastically alter a client’s risk assessment. Without a well-rounded profile, firms can’t take appropriate risk-based measures. This leads to inadequate AML due diligence and increased exposure to regulatory and reputational risks.

Database screening doesn’t shape a risk profile

The Financial Action Task Force (FATF) clearly states that due diligence must be done in proportion to risk. However, most compliance teams start with initial AML screening as their primary tool to build this profile. While critical, AML screening alone provides only a narrow snapshot—primarily identifying whether a client is sanctioned, a Politically Exposed Person (PEP), or on a watchlist. This data, though important, has limitations. It misses broader risks, such as involvement in illicit activities not captured by standard datasets or emerging risks linked to evolving business environments.

This incomplete view leads to risk assessments that fail to capture the client’s nuances. As a result, firms often struggle to perform due diligence in proportion to the actual risk the client poses, leading to either over-scrutiny (wasting resources) or under-scrutiny (creating regulatory exposure). To adopt a truly risk-based approach to AML, firms need access to broader, more nuanced data and sophisticated tools that provide deep, actionable insights into a client’s overall risk.

AML databases don’t capture every risk

AML databases contain only a fraction of the world’s population—just a few million entries—leaving billions of individuals unaccounted for. Simply because a client doesn’t appear in these databases, compliance teams cannot assume they aren’t risky. To strengthen risk assessments, compliance teams must move beyond basic identity verification or AML screening, which often provides limited yes/no answers without deeper insights.

Compliance teams should incorporate publicly available, open-source information to compensate for these limitations. They can use sources such as news articles, press releases, interviews, and social media activity. These resources reveal crucial details about a client’s business dealings, political associations, or potential red flags. For instance, an article describes a client as a “close associate” of a sanctioned individual significantly alters the client’s risk profile.

Adopting this multifaceted approach better equips compliance teams to assess a client’s risk early on. This enables them to make more informed AML decisions in line with the risk-based approach.

Conducting open-source research is challenging 

Open-source research is critical in building a complete and accurate risk profile, offering insights that structured databases alone can’t provide. However, the manual methods that analysts often use to conduct this research are highly inefficient and prone to error.

The process usually begins with screening clients against structured databases, helping to identify immediate risks such as political exposure or sanctions. Then, analysts turn to open-source research, typically using Google or a similar search engine. Although this step may seem straightforward, it quickly becomes complex due to the overwhelming volume of search results—many of which are irrelevant, outdated, or incomplete.

To narrow down the results and surface relevant information, analysts use specific search strings, combining the subject’s name with terms like “fraud,” “money laundering,” or “embezzlement.” While this can help, it’s an inherently limited process. Analysts can only search for risks they’re aware of, leaving potential blind spots where risks go undetected. What about risks you didn’t think to search for?

To make the process manageable, organisations often instruct analysts to limit searches to the first 10 or 15 pages of search results. This constraint, however, can lead to missing significant risk indicators—such as connections to fraudulent activities, negative media coverage, or legal disputes—which may appear later in the search results or under unexpected terms.

Even within these limits, manual research doesn’t scale well. As organisations grow and take on more clients, analysts spend increasingly large amounts of time cross-checking database results with online information, summarising findings, and preparing reports. In doing so, they sacrifice the time needed to properly assess higher-risk clients. With all clients receiving the same level of scrutiny, the risk-based approach to AML breaks down, leaving compliance teams vulnerable to overlooking key risks.

Firms lack a risk-based approach process

Only with a complete view of a client from the outset can compliance teams effectively apply risk-based measures. This has created an Initial Due Diligence (IDD) workflow, which bridges the gap between early screening and deep due diligence. With a clearer understanding of risk early on, compliance can effectively triage clients and focus resources where needed. Initial Due Diligence streamlines the risk analysis process for low-risk clients, allowing compliance teams to move them through onboarding quickly. This means partners can open client matters sooner to start fee-earning work. At the same time, high-risk clients are flagged for a more in-depth review to protect the firm and its individuals.