
Misjudging Risk: How the Risk-Based Approach Can Undermine Financial Crime Controls

  • Writer: Elizabeth Travis
  • Sep 26
  • 4 min read

The Risk-Based Approach (RBA) has become the cornerstone of financial crime compliance within banks globally. Praised for its flexibility and practicality, RBA empowers institutions to allocate resources more effectively by focusing on higher-risk areas, theoretically improving overall compliance efficacy. However, this approach is increasingly criticised as potentially susceptible to misuse or abuse, raising critical questions: Does the Risk-Based Approach inadvertently allow financial institutions to circumvent rigorous compliance, and is it being misinterpreted as a 'get out of jail free' card?


Risk Appetite versus Risk Acceptance


Central to the controversy is the balance between risk appetite and risk acceptance. Risk appetite, set by senior management, defines how much risk the institution is willing to take to achieve strategic objectives. Conversely, risk acceptance involves consciously deciding to tolerate a specific risk within established limits. While this balance should theoretically safeguard against systemic financial crime risk exposure, the practical application can sometimes blur ethical boundaries, potentially leading to risk acceptance that is inadequately scrutinised.


The Dangers of Superficial Implementation


A fundamental flaw in RBA emerges when institutions deploy it superficially, adopting a checkbox mentality rather than genuinely engaging with the underlying risk dynamics. When compliance teams lack resources, senior management oversight, or robust governance structures, decisions to accept certain levels of risk may be insufficiently documented or rationalised. Such scenarios expose banks not only to financial crime risks but also to regulatory scrutiny, enforcement actions, and reputational damage.


Regulatory Sanctions as Case Studies


Recent enforcement actions underscore these vulnerabilities. For example, the UK Financial Conduct Authority (FCA) fined Santander UK £107.7 million in December 2022 for significant failures in its anti-money laundering (AML) systems, specifically highlighting the bank's poor oversight and management of AML controls. Although primarily related to control failures, the Santander case illustrates the broader risks associated with inadequate application of RBA principles. In this instance, Santander failed to effectively apply its risk assessments to prioritise and manage high-risk accounts, indicating a fundamental disconnect between risk identification, risk appetite, and the practical implementation of control measures. Consequently, ineffective AML processes and structures left the bank significantly exposed to financial crime.


Similarly, in 2019, the FCA fined Standard Chartered Bank £102.2 million for serious and sustained AML control failings in higher-risk areas, specifically its UK Wholesale Bank Correspondent Banking business and its UAE branches. Standard Chartered’s failures included inadequate customer due diligence and ineffective ongoing monitoring of higher-risk accounts. This case exemplifies another scenario where improper implementation of risk-sensitive policies—core components of RBA—led directly to substantial exposure to financial crime risks, including potential breaches of international sanctions.


Another pertinent example is the case of National Westminster Bank Plc (NatWest), fined £264.8 million in 2021 after being criminally convicted for serious failures in monitoring suspicious transactions. NatWest failed to adequately manage risks associated with its commercial customer Fowler Oldfield, despite clear indicators of suspicious activity such as significant cash deposits carrying evident "red flags". This case highlights stark deficiencies in the bank's application of RBA, where inadequate monitoring, misclassification of risk types, and insufficient response mechanisms directly facilitated money laundering activities. The severity of NatWest's case further underscores the critical need for diligent and thorough application of RBA principles.


RBA is Not a Free Pass


Institutions often confuse flexibility with leniency. Flexibility under RBA does not translate into diminished accountability. It demands thorough due diligence, ongoing monitoring, and rigorous documentation justifying each decision to accept a risk. Without rigorous application and oversight, the RBA may inadvertently lend a veneer of legitimacy to suboptimal compliance practices.


Regulators have repeatedly emphasised that RBA is not synonymous with reducing compliance obligations. According to FATF guidance, RBA should enhance rather than reduce regulatory effectiveness, urging financial institutions to demonstrate that their compliance programmes are genuinely aligned with the nature and scale of risks they face.


Ensuring Disciplined Implementation


To address the potential misuse of RBA, banks must establish clear governance around risk acceptance processes, including robust oversight by senior management and compliance functions. Transparent documentation and accountability mechanisms should underpin each risk-based decision. Additionally, periodic independent audits can validate that risk assessments and accepted risks align with the institution’s stated risk appetite and regulatory expectations.


Ultimately, while RBA remains an essential tool for effective financial crime compliance, its practical effectiveness depends heavily on disciplined implementation. Institutions that misconstrue RBA as a shield against thorough regulatory compliance risk severe consequences. Effective RBA deployment is not a mere strategic option but a regulatory imperative, demanding accountability, transparency, and consistent regulatory alignment.


Conclusion: Reclaiming the Promise of RBA


The Risk-Based Approach, when properly implemented, offers a powerful framework for targeted and efficient financial crime compliance. However, its effectiveness hinges on integrity, expertise, and robust governance. The examples of Santander, Standard Chartered, and NatWest illustrate that when risk-based decision-making becomes a veneer for complacency or cost-cutting, the results can be catastrophic. Regulators are clear: RBA is not a licence to accept unmanaged risk or to forgo core AML obligations. Financial institutions must ensure their risk frameworks are dynamic, reflective of real-world threats, and fully embedded into operational controls. Only then can the promise of the RBA be realised as a driver of compliance excellence, rather than a fig leaf for failure.


Is Your Risk-Based Approach Really Working For You - or Just Working Around the Problem?


At OpusDatum, we help financial institutions reclaim the value of the Risk-Based Approach by designing robust governance structures, enhancing decision-making accountability, and embedding intelligence-led risk frameworks.


If your organisation needs support navigating complex risk appetite challenges, aligning AML controls with regulatory expectations, or strengthening oversight of risk acceptance, get in touch.
