What a Risk-Based Approach to AML Really Means, and What it Doesn’t

Updated: Jun 9


Forget the Checkbox — This is About Common Sense

There’s a lot of talk about applying a “risk-based approach” to anti-money laundering (AML) compliance — but what does that actually mean for a law firm?


Let’s be clear: it doesn’t mean doing the bare minimum. It means focusing your time, attention, and due diligence on the clients and matters that pose the most risk — and scaling back where the risk is low.


Done right, it’s the difference between wasting hours on admin and actually protecting your firm from financial crime.


So, What is a Risk-Based Approach?

A risk-based approach is about tailoring your AML controls to:


  • The types of work your firm does

  • The clients you act for

  • The jurisdictions you operate in

  • The delivery channels you use (e.g. face-to-face vs remote)


Instead of applying the same level of scrutiny to every file, you assess the risk — and then respond accordingly.


Low risk = simplified or standard checks. High risk = enhanced checks.

It’s not about shortcuts. It’s about strategic resource allocation — and it’s what regulators expect.


What it is Not

Let’s bust a few myths:


  • It’s not an excuse to skip due diligence

  • It’s not something you decide once and forget

  • It’s not a policy hidden in a drawer

  • It’s not the same as “gut instinct”


Risk-based compliance is structured, documented, and evidence-led. And yes, it involves judgement — but informed judgement, based on clear criteria and training.


Why This Matters More Than Ever

Australia’s AML/CTF framework increasingly relies on a risk-based approach — and so do international standards like the FATF recommendations.

This means:


  • You must be able to justify your decisions

  • You need records to show how risk was assessed

  • Your processes must flex depending on the situation


Regulators won’t expect perfection. But they will expect to see that you’ve tried — and that your decisions were proportionate and documented.


Where Law Firms Go Wrong

Common pitfalls include:


  • Applying the same ID and verification process to every matter, regardless of risk

  • Ignoring or skipping the client matter risk assessment altogether

  • Failing to reassess risk when circumstances change (e.g. new parties, new jurisdictions)

  • Assuming that long-term clients are automatically low risk


The risk-based approach isn’t something you set and forget. It’s dynamic — and should evolve as your clients and matters do.


Final Thoughts

A risk-based approach is not about doing less — it’s about doing what’s right, based on the risks your firm actually faces.


Done well, it improves efficiency, enhances compliance, and protects your team from being caught off guard. And if the regulator calls? You’ll be ready.


Need help putting a real-world risk-based approach in place?

AML Sorted helps law firms map risks, set up practical controls, and evidence their decision-making. Let’s talk.

