Why databases aren’t sufficient for AML risk assessments

An effective AML risk assessment is holistic and contextualised, providing fee-earners with a clear understanding of their client. This prevents the firm from risking involvement in a money laundering offence during a matter. Strong regulatory requirements underpin this to ensure AML risk assessments are comprehensive and consider all potential client and matter risks. However, many firms fall short in this area. The Solicitors Regulation Authority (SRA) has issued warnings about poor practices in client and matter risk assessments. These include failing to identify the correct level of risk, missing specific AML risks, and taking a superficial tick-box approach. The latter is particularly common.

Databases are binary, but risks are nuanced

While screening is a necessary first step in assessing client risk, it provides only a partial view. These static lists determine whether a client is sanctioned, a PEP, or appears on a watchlist. Screening systems rely heavily on structured databases, which tick a “yes” or “no” box. However, they fail to offer a wider perspective on the client’s overall risk profile. 

For example, these databases may flag a client as politically exposed, but their criteria for political exposure can vary. One database might classify a former minister, retired for 20 years, as politically exposed, while another might not. This inconsistency creates gaps in an AML risk assessment.

Moreover, databases are one-dimensional, offering static, point-in-time solutions that don’t account for evolving risks. Just because an individual or entity doesn’t appear on a watchlist today doesn’t mean they’re not risky. An individual may not be sanctioned, but they could have close relationships with sanctioned individuals or are reported in the media to be involved in fraudulent activities.

High-risk individuals are removed every month

Another major issue with screening databases is the right to removal. This allows individuals or entities to request their removal if they believe the information is outdated, inaccurate, or unfairly damaging. While these databases contain millions of records, they remove tens of thousands each month. Many of these removed entries may still represent Politically Exposed Persons (PEPs) or high-risk individuals.

This loophole presents a serious AML risk. By requesting removal, criminals or high-risk individuals can appear as low-risk or no-risk, effectively “hiding” in plain sight. This exposes a key flaw in these databases—they cannot be fully trusted to assess risk accurately. Relying on databases alone can lead to significant oversights, as their incomplete nature may provide a false sense of security. This, in turn, can result in misinformed AML risk assessments, enabling high-risk individuals to evade Enhanced Due Diligence (EDD).

Adverse media databases are curated by nature

Adverse media databases are collections of articles, reports, and public information selected for their relevance to AML risk. While they provide a useful starting point, they have clear limitations. These databases may miss critical information due to selection biases or limited sources. They often exclude smaller regional publications, niche industry blogs, or emerging news platforms that could offer valuable insights. Moreover, curated databases usually focus on specific risks, such as financial crimes or sanctions. But they may overlook broader reputational or Environmental, Social, and Governance (ESG) risks.

These databases update periodically, not in real time. As a result, recent developments, such as breaking news or investigative stories, may go unnoticed until the database refreshes. For example, a real-time Google search could immediately flag a client’s public connection to a criminal gang leader, while a curated database might capture the information later. Emerging risks, such as involvement in newly exposed scandals or criminal networks, often remain undetected until they gain significant media or regulatory attention.

Traditional adverse media databases present information in isolation and don’t map relationships between individuals, businesses, and networks. Analysts must manually connect the dots when reviewing hundreds of news items, increasing the risk of missing red flags. For instance, a seemingly harmless business partner may have hidden links to organised crime, which may only surface after extensive research. Like a manual Google search, understanding a client’s network requires significant effort to uncover the full context.

Qualitative risk assessments need qualitative due diligence 

The information that compliance teams need to create contextualised risk assessments isn’t confined to structured databases. It exists in open sources like news reports, press releases, blogs, and high-profile documents such as the Panama Papers. These sources can offer critical insights into a client’s reputation, behaviour, and associations. 

The challenge is that most firms lack the technology to access this unstructured data and turn it into a meaningful assessment. Traditional due diligence processes often rely solely on AML screening and procured negative news and web searches. This simply generates more manual and time-intensive work for in-house compliance teams who are already stretched thin.

This is where advances in artificial intelligence (AI) technology come into play. AI enhances the accuracy of risk assessments and dramatically reduces the cost and time associated with due diligence processes. Automating screening reports and qualitative due diligence enables compliance teams to scale their onboarding operations. 

By processing vast amounts of unstructured data, AI can quickly identify patterns, associations, and risk factors that might otherwise remain hidden. This enables the creation of holistic and contextualised risk assessments within minutes, rather than days or weeks. Most importantly, compliance teams can focus their resources on higher-risk clients and matters, adhering to the risk-based approach, which is fundamental to every AML compliance programme.