Is AI Making the Traditional Risk-Based Approach to Financial Crime Obsolete?
- Elizabeth Travis
- 2 days ago

For decades, banks have relied on the risk-based approach (RBA) to combat financial crime, as mandated by global regulators like the Financial Action Task Force (FATF), the Financial Conduct Authority (FCA), and the Office of Financial Sanctions Implementation (OFSI). The core principle has been straightforward: allocate compliance resources proportionately based on the level of financial crime risk posed by customers, transactions, and jurisdictions.
But with the rise of artificial intelligence (AI) and machine learning, the effectiveness of this traditional model is being questioned. Can static risk models keep pace with evolving criminal tactics, dynamic transaction patterns, and the sheer scale of modern financial networks? Or is the RBA becoming obsolete in the AI-driven world?
The Traditional Risk-Based Approach to Financial Crime Risk Management in Banks
The RBA has been the cornerstone of financial crime risk management in banks for decades. At its core, the RBA involves three key steps: risk assessment, risk categorisation, and proportionate response.
Risk Assessment: Banks conduct periodic risk assessments to identify money laundering (ML), terrorist financing (TF), and sanctions risks across customer types, business lines, and geographic exposures. These assessments take into account factors such as politically exposed persons (PEPs), high-risk industries (e.g., gambling, crypto, shell companies), and countries with weak AML controls.
Risk Categorisation: Based on assessment findings, customers, transactions, and counterparties are categorised into low, medium, or high risk. A low-risk retail customer may only require standard due diligence, while a high-risk corporate entity in a sanctioned jurisdiction would trigger enhanced scrutiny.
Proportionate Response: The intensity of compliance controls is determined by the assigned risk level. High-risk customers undergo enhanced due diligence (EDD), including source of funds verification, deeper transaction monitoring, and regular KYC updates. Low-risk customers may only require periodic checks with minimal intervention.
This tiered approach helps banks balance compliance costs while meeting regulatory expectations. Rather than applying blanket monitoring, institutions can focus on high-risk areas where illicit finance is more likely to occur.
Banks implement the risk-based approach through a mix of manual processes and rule-based systems:
Know Your Customer (KYC) & Customer Due Diligence (CDD): Banks collect and verify customer information at onboarding and throughout the relationship, updating risk profiles periodically.
Transaction Monitoring Systems: Rule-based alerts flag potentially suspicious transactions based on pre-defined scenarios, such as large cash deposits, rapid fund movements, or payments to high-risk jurisdictions.
Sanctions & PEP Screening: Customers and transactions are screened against government watchlists, including OFAC, UN, EU, and UK sanctions lists.
Suspicious Activity Reporting (SARs): Transactions deemed high-risk are reviewed by compliance analysts, and if warranted, reported to regulators such as the National Crime Agency (NCA) in the UK or FinCEN in the US.
While effective to an extent, this framework has growing limitations in today’s AI-driven financial crime landscape.
Why the Risk-Based Approach is No Longer Enough
Despite its long-standing role, the risk-based approach has major shortcomings:
High False Positives: Rule-based transaction monitoring generates excessive alerts, many of which turn out to be false positives, leading to inefficiency and alert fatigue for compliance teams.
Static Risk Scoring: Customers are categorised into risk tiers at onboarding, but their behaviour may change over time, making static assessments less effective.
Evolving Criminal Tactics: Money launderers constantly adapt to bypass risk rules, often structuring transactions to remain below detection thresholds.
Manual Investigations: Analysts must review flagged alerts manually, slowing response times and increasing compliance costs.
These challenges have pushed banks to explore AI-powered compliance solutions that move beyond rigid risk tiers and static thresholds.
How AI is Challenging the Risk-Based Approach
AI-driven financial crime detection marks a paradigm shift from traditional risk scoring to dynamic, real-time risk analysis. A core limitation of the risk-based approach is its reliance on predefined rules, static risk scores, and historical typologies to categorise threats. In contrast, AI-powered AML systems analyse real-time behavioural patterns, detect anomalies dynamically, and adapt to emerging risks far more effectively than static models.
Traditional risk scoring assigns broad risk categories based on factors such as customer type, transaction history, and jurisdiction. However, criminal methodologies evolve rapidly, often bypassing rule-based risk models. AI, with its ability to analyse massive datasets and detect hidden correlations, does not require pre-defined risk thresholds—instead, it continuously learns from new data and adjusts risk assessments dynamically.
For example, in sanctions screening, a risk-based approach typically prioritises high-risk jurisdictions or PEPs, but AI can identify hidden networks of illicit finance beyond traditional risk parameters. This has been seen in AI-powered trade finance monitoring, where machine learning detects complex money laundering schemes that traditional rules-based systems often miss.
Additionally, the high false positive rates in traditional AML systems are a major pain point. AI-driven models significantly reduce false positives by analysing contextual data and refining alert thresholds based on real transaction behaviour rather than rigid pre-set rules. Some UK banks, including HSBC, Barclays, and Revolut, have already reported up to 60% reductions in false positives using AI-driven transaction monitoring.
The Case for Retaining the Risk-Based Approach
Despite AI’s advantages, the risk-based approach remains embedded in global regulatory frameworks. Regulators such as the FCA, FATF, and the US Treasury still mandate that financial institutions assess and categorise risk rather than relying solely on AI as a 'black box'.
One reason is explainability and accountability. AI models often operate as black boxes, making it difficult for banks to justify automated risk decisions to regulators. The risk-based approach provides a clear, rule-based framework that is easier to audit. The FCA and the Bank of England’s AI Discussion Paper have repeatedly stressed the importance of AI explainability in financial crime prevention, warning that uninterpretable AI models could pose regulatory and ethical risks.
Another issue is bias and data quality. AI models are only as good as the data they are trained on. If a bank’s AI system is trained on historical transaction data that contains inherent biases, it could unfairly target certain customer groups, violating FCA consumer protection regulations. In contrast, the risk-based approach provides human oversight, ensuring that compliance decisions are not purely algorithmic but also consider context, proportionality, and regulatory expectations.
AI also struggles with new and emerging financial crime threats that do not yet have sufficient training data. Criminals often adapt their methods to evade machine learning models, and without human-led risk assessments, AI-driven systems could fail to detect novel typologies.
The Future: AI-Enhanced Risk-Based Compliance
Rather than replacing the RBA entirely, the future of financial crime risk management lies in a hybrid model where AI augments rather than replaces traditional risk-based frameworks. Regulators and banks are increasingly focusing on explainable AI (XAI), which integrates AI-driven insights into a human-led, risk-based framework.
For example, NatWest’s AI-driven financial crime unit still follows a risk-based model but incorporates AI insights to refine risk scoring and transaction monitoring thresholds. Similarly, Standard Chartered applies AI to enhance rather than replace its sanctions screening processes, ensuring AI-driven decisions remain traceable and auditable.
Final Thoughts
The risk-based approach is not yet obsolete, but it must evolve. While AI vastly improves efficiency, accuracy, and real-time risk detection, regulatory, ethical, and explainability challenges mean that financial institutions cannot abandon traditional risk frameworks.
Instead, the best path forward lies in a hybrid model, where AI augments traditional risk-based strategies, improving accuracy, reducing false positives, and allowing banks to proactively detect emerging threats.
The future of financial crime risk management is hybrid. Are you ready?