The Wolfsberg Group has released a timely statement reaffirming the critical role of the Risk-Based Approach (RBA) in financial crime risk management. For seasoned professionals, this is not a new concept. The RBA has been part of international AML/CTF frameworks for nearly two decades, championed by the FATF, the FCA, and regulatory bodies globally. Yet, despite its longstanding presence, the approach is still widely misunderstood, misapplied, or implemented superficially. Wolfsberg’s intervention, therefore, is a welcome one. It offers a sharper lens on what the RBA truly entails, and why its proper execution is essential for protecting the financial system.
At its core, a Risk-Based Approach requires financial institutions (FIs) to move away from rigid, rules-based frameworks that treat all risks equally. Instead, it urges institutions to identify, assess, and understand their specific exposure to financial crime, and then to apply controls and resources in a way that corresponds to the level and nature of that risk. The FATF’s Recommendation 1 defines this as taking “proportionate action that appropriately corresponds to the level of identified risk and effectively mitigates the risks.” This definition is mirrored by the UK Financial Conduct Authority, which expects firms to apply risk-based assessments not only at the customer level, but across governance, product design, transaction monitoring, and internal audit.
Wolfsberg breaks the RBA down into three interrelated pillars: proportionality, prioritisation, and effectiveness. Proportionality demands that a financial institution’s financial crime risk management (FCRM) framework is tailored to its business model, size, geography, customer base, delivery channels, and overall risk appetite. This isn’t a philosophical principle; it is a direct response to how FIs must allocate resources. For example, a small e-money issuer dealing with low-value domestic payments will not (and should not) apply the same control framework as a multinational bank servicing high-net-worth clients across high-risk jurisdictions. The controls must be proportionate in depth and scope to the real risk profile.
Prioritisation follows from proportionality and refers to the allocation of resources and attention to higher-risk customers, products, channels, or regions. This means firms should not simply “layer on” new controls over time but should instead be willing to reduce or eliminate measures that are no longer adding value. Wolfsberg explicitly calls out the need to stop redundant or duplicative processes. This is particularly relevant in the UK, where firms are under pressure from both the FCA’s AML guidance and the Consumer Duty regime to avoid regulatory inertia, where compliance burdens increase over time without a measurable improvement in outcomes.
The third and perhaps most misunderstood pillar is effectiveness. An effective financial crime framework is not one with the longest policy document or the strictest onboarding criteria. It is one that can demonstrate that it prevents, detects, and reports financial crime with measurable success. Wolfsberg’s prior statement on “Demonstrating Effectiveness” forms the backdrop here: effectiveness is about achieving good outcomes, not simply adhering to rules. An effective institution understands its risk exposure, adapts to changes in the threat landscape, and uses data, intelligence, and cross-functional collaboration to continuously improve.
From a technical perspective, the implementation of an RBA should be supported by a documented and dynamic enterprise-wide risk assessment (EWRA), detailed product and customer risk models, and control mapping that demonstrates how each risk is mitigated. EWRAs should be updated at least annually, or more frequently if material changes occur in the business, and should feed directly into the firm’s policies, training plans, system calibration, and governance forums. Control effectiveness must be tested through a combination of first-line assurance, second-line compliance reviews, and independent internal audit testing. The FCA is increasingly looking at how firms operationalise their risk appetite statements, i.e., whether stated tolerances actually influence decision-making at the product, onboarding, and monitoring stages.
Importantly, Wolfsberg highlights that effective RBAs are not created in isolation. Collaboration, both internal and external, is key. Compliance cannot design an effective control framework without input from operations, technology, sales, and finance. Nor can an FI operate in a silo without engaging with its regulators, law enforcement partners, and industry peers. This aligns with FCA expectations under the Senior Managers and Certification Regime (SM&CR), which holds senior managers directly accountable for ensuring that their area of responsibility includes proper oversight of the firm’s financial crime controls, and that the RBA is not only in place but functioning as intended.
When a Risk-Based Approach is applied properly, it allows institutions to be agile, data-driven, and customer-centric. It enables smarter allocation of limited resources, faster decisions, and more relevant outcomes for both the firm and the regulator. However, when misapplied, the consequences can be severe. We’ve seen firms face enforcement action not just for failing to detect crime, but for deploying a one-size-fits-all model that fails to distinguish between risk categories, resulting in both over- and under-regulation of clients. This is not only inefficient, but dangerous. It can lead to the alienation of low-risk customers and the unintentional onboarding of high-risk ones with inadequate oversight.
With increasing emphasis on outcomes rather than procedures, a properly executed Risk-Based Approach is not a “nice to have”; it is essential. The Wolfsberg Group’s renewed focus on the topic is a reminder to all of us that an RBA is a living, breathing strategy, not a compliance checkbox. As Wolfsberg aptly states, “a supervisory regime that supports FIs in the application of an RBA is a key enabler to its success.” Financial institutions should embrace the challenge, not avoid it.
In the end, the RBA is not just a regulatory expectation. It is a strategic advantage, one that, when done well, protects customers, reduces financial crime, and strengthens the credibility of the financial sector as a whole.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.