AML Compliance · Session Six of Nine
The Risk-Based Approach and Record Keeping
This guide is for educational purposes only. It is not legal advice and is not a substitute for jurisdiction-specific professional counsel: legislation, regulation and regulatory guidance change. Always verify current requirements with a qualified adviser in your jurisdiction before relying on this material for compliance decisions.
Reviewed May 2026. This session is primarily UK-focused, with comparisons to New Zealand and Australia.
The risk-based approach sits at the centre of modern AML compliance. It was designed to make compliance more rational, not more complicated. The alternative is a blanket approach that applies the same level of scrutiny to every customer and every transaction, regardless of risk. That wastes resources on low-risk activity, leaves high-risk activity under-examined, and produces poor outcomes across the board.
This session explains what the risk-based approach actually requires, how to build and document a firm-wide risk assessment, how customer risk ratings work in practice, and where firms most often fall short. It also covers the record-keeping obligations that support the framework, as well as the equivalent position in New Zealand and Australia.
What the risk-based approach means in practice
The risk-based approach is a requirement, not an option. Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires every relevant person to carry out a firm-wide risk assessment. Regulation 19 requires policies, controls and procedures that are informed by and proportionate to that assessment. The risk-based approach is the conceptual thread connecting those two obligations.
In practice, it means three things. Resources and scrutiny should be directed where the risk is highest. Low-risk activity should not be overburdened with controls designed for high-risk situations. And the assessment of what counts as high or low risk should be based on real analysis, not assumption.
It is worth being direct about what this means for firms that have adopted a compliance programme built primarily around a uniform process. If every customer goes through the same checks regardless of their risk profile, the firm is not applying the risk-based approach. It may meet some of the letter of the regulations, but it does not meet the spirit, and a supervisor reviewing the firm's controls will notice.
FATF's June 2025 guidance on financial inclusion made explicit what had previously been implicit. AML controls should be proportionate and risk-based. Blanket measures that exclude low-risk customers from the formal financial system are not good compliance practice. They can undermine the purpose of AML controls by pushing legitimate activity into informal or unregulated channels where transparency is weaker.
Proportionality is part of the framework, not a courtesy. Applying enhanced due diligence where the risk does not justify it is not careful compliance. It is a poor application of the risk-based approach.
Building the firm-wide risk assessment
The firm-wide risk assessment is the foundation of an AML compliance programme. Everything else (the policies, the CDD levels, the monitoring, the training) should flow from it. A firm that has produced a risk assessment as a document exercise and then built its compliance programme independently has got the relationship backwards.
What the assessment must cover
Regulation 18 sets out the minimum content. The assessment must take account of the risks arising from the firm's customers, countries or geographic areas, products and services, transactions and delivery channels. Those five categories are a floor, not a ceiling. A risk assessment that mechanically addresses each category without genuine analysis of what the risks actually are in that firm, in that sector, with those customers, will not satisfy a supervisory review.
| Risk category | Question it answers | What to consider |
| --- | --- | --- |
| Customers | Who you deal with | The types of customers the firm takes on and retains. Consider the mix of individuals and entities, high-net-worth clients, corporate structures, PEPs, customers from higher-risk jurisdictions, and customers in cash-intensive businesses. |
| Geographies | Where business is done | The countries and territories where the firm operates, where customers are based, and where funds originate or are sent. High-risk third countries under regulation 33 now track the FATF lists directly, so firms need to monitor the current FATF and HM Treasury notices rather than rely on a static domestic list. |
| Products and services | What you offer | The nature of the products and services the firm provides. Some products carry inherently higher risk: anonymous transactions, products that allow rapid movement of large sums, or services that create layers of complexity between the beneficial owner and the asset. |
| Transactions | How money moves | The volume, value and pattern of transactions the firm processes. Unusual transaction patterns, high-value cash transactions, and transactions involving high-risk jurisdictions are all relevant. |
| Delivery channels | How business is conducted | Whether the firm deals face-to-face or at a distance, through intermediaries or directly, through online platforms or traditional processes. Non-face-to-face business carries a higher inherent risk in most sectors. |
What good looks like
A good firm-wide risk assessment is specific to the firm. It describes the actual risks the firm faces, not a generic description of the sector. It draws on internal data, including customer base composition, transaction patterns, SAR history, and findings from previous supervisory reviews or audits. It also draws on external sources: the National Risk Assessment, FATF typologies, sector-specific guidance, and supervisor publications.
The assessment should conclude. It should identify which areas of the business carry the highest inherent risk, which controls are in place to mitigate those risks, and the residual risk position after those controls are applied. That conclusion should then drive the design of the compliance programme.
The assessment must be documented and kept up to date. Documentation does not mean length. A well-reasoned ten-page assessment that genuinely reflects the firm's risk position is far more useful than a fifty-page document that restates regulatory guidance without applying it. Supervisors are looking for evidence of genuine engagement, not volume.
Most AML enforcement actions involving inadequate risk assessments share a common thread. The firm produced a risk assessment, but the compliance programme it ran bore little relationship to what the assessment concluded. Controls were not designed to address the identified risks. Enhanced due diligence was not consistently applied where the assessment said it was required. The assessment was reviewed annually as a process, not updated when the business changed.
A risk assessment that does not drive decisions is not serving its purpose. The question a supervisor will ask is not whether the document exists. It is whether the programme reflects what the document says.
When to update the risk assessment
Regulation 18(6) requires the risk assessment to be kept up to date. That is not an instruction to review it annually and change the date. The assessment should be updated when something changes that affects the firm's risk profile:
- A material change in the firm's customer base, for example, the addition of a new customer segment or significant growth in a particular sector.
- A new product or service is introduced, particularly where it carries different risk characteristics from existing offerings.
- The firm begins operating in or dealing with a new jurisdiction, especially a higher-risk one.
- A significant change in delivery channels, for example, a shift to predominantly online onboarding.
- Changes to the external threat environment, including new FATF typologies, updates to the National Risk Assessment, changes to the FATF high-risk and increased-monitoring lists reflected in HM Treasury advisory notices, or major sanctions developments.
- Findings from a supervisory review, internal audit or compliance monitoring exercise that reveal gaps in the risk assessment.
- A suspicious activity report or pattern of SARs that suggests a risk not previously identified.
Customer risk ratings
The firm-wide risk assessment tells you where the risks lie across the business as a whole. Customer risk ratings translate that into a judgment about individual customers. The rating determines the level of CDD applied, the frequency with which the relationship is reviewed, and the intensity of ongoing monitoring.
Setting the customer risk rating
Customer risk ratings should flow from the firm's risk assessment methodology. They should not be produced by a generic scoring model that is disconnected from what the firm actually knows about its risks. The factors used to generate a customer risk rating should reflect the risk categories identified in the firm-wide assessment.
Common factors in a customer risk rating include the customer type, their jurisdiction of incorporation or residence, the nature of the products or services they use, the source of their funds, the complexity of their ownership structure, whether they are a PEP or connected to a PEP, and whether they have any adverse media coverage or sanctions exposure.
No single factor should be determinative. A customer from a high-risk jurisdiction who is a long-standing client with straightforward transactions and a well-documented source of wealth presents a different risk profile from a new customer with the same jurisdictional exposure but an opaque ownership structure and an unexplained source of funds. The rating should reflect the overall picture.
Risk ratings are not permanent
A customer risk rating assigned at onboarding is a starting point. It should be reviewed when circumstances change, as discussed in Session Four, and it should be subject to periodic review regardless of whether anything has obviously changed. Most firms apply a review cycle tied to the risk rating: high-risk customers are reviewed annually or more frequently, medium-risk customers every two or three years, and low-risk customers on a longer cycle.
The risk rating should also be reviewed as a result of transaction monitoring. If a customer rated as low risk begins transacting in ways inconsistent with their profile, the monitoring system should flag it, prompting a review of the rating. A monitoring system that generates alerts and then closes them without reference to the customer's risk rating is not performing its function.
Risk ratings fail for a consistent set of reasons. The scoring model is applied mechanically without human judgment. The model is not reviewed to determine whether it continues to capture the right risks as the threat environment changes. Ratings assigned at onboarding are not updated when the customer's circumstances change. And the link between the risk rating and the level of scrutiny applied is broken, either because staff do not understand the connection or because workflow systems do not enforce it.
If a compliance review of a sample of customer files reveals that the level of CDD applied does not match the customer's risk rating, that is a fundamental problem. It means the risk-based approach is not operating as intended.
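The following is an added worked example, not a scoring model from this session or from any regulator, showing how the points above fit together in code: several weighted factors combine so that no single one is determinative, the resulting band drives the CDD level and the review cycle, and a monitoring alert feeds back into the rating rather than being closed in isolation. The factor names follow the categories discussed above; the weights, thresholds and review cycles are assumptions, and the two customers are constructed sample data mirroring the comparison in the paragraph on overall picture.

```python
"""Illustrative customer risk rating model. This is an added example, not the
session's own method or any regulator's scoring model: the factor names follow
the categories discussed above, but the weights, thresholds and review cycles
are assumptions chosen to show how the pieces fit together."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Risk-increasing factors (assumed weights on a 0-100 scale).
FACTOR_WEIGHTS = {
    "high_risk_jurisdiction": 30,
    "opaque_ownership_structure": 25,
    "unexplained_source_of_funds": 25,
    "pep_or_pep_connected": 30,
    "adverse_media_or_sanctions_exposure": 30,
    "high_risk_product": 15,
    "non_face_to_face": 10,
    "cash_intensive_business": 15,
    "transactions_inconsistent_with_profile": 25,  # set by monitoring, see rerate_on_alert
}
# Mitigants reflect what the firm actually knows about the relationship.
MITIGANT_WEIGHTS = {
    "documented_source_of_wealth": -15,
    "long_standing_straightforward_relationship": -10,
}
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 50, 25
# Review cycle tied to the rating (assumed: high yearly, medium 3 years, low 5 years).
REVIEW_CYCLE_DAYS = {"high": 365, "medium": 3 * 365, "low": 5 * 365}
# Some triggers require EDD whatever the score; a PEP relationship is one under regulation 35.
MANDATORY_EDD_FACTORS = {"pep_or_pep_connected"}


@dataclass
class Customer:
    customer_id: str
    factors: set
    mitigants: set = field(default_factory=set)


def risk_score(c: Customer) -> int:
    """Sum the weighted factors and mitigants, clamped to 0-100."""
    unknown = (c.factors | c.mitigants) - set(FACTOR_WEIGHTS) - set(MITIGANT_WEIGHTS)
    if unknown:
        raise ValueError(f"unrecognised factor(s): {sorted(unknown)}")
    raw = sum(FACTOR_WEIGHTS[f] for f in c.factors) + sum(MITIGANT_WEIGHTS[m] for m in c.mitigants)
    return max(0, min(100, raw))


def risk_band(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def rate(c: Customer, as_of: date) -> dict:
    """Produce the rating and the controls it drives: CDD level and next review date."""
    score = risk_score(c)
    band = risk_band(score)
    return {
        "customer_id": c.customer_id,
        "score": score,
        "band": band,
        "edd_required": band == "high" or bool(c.factors & MANDATORY_EDD_FACTORS),
        "next_review": as_of + timedelta(days=REVIEW_CYCLE_DAYS[band]),
    }


def rerate_on_alert(c: Customer, alert_factor: str, as_of: date) -> dict:
    """A monitoring alert feeds back into the rating instead of being closed in isolation."""
    c.factors.add(alert_factor)
    return rate(c, as_of)


def no_single_factor_is_determinative() -> bool:
    """Model check: no factor on its own can put a customer in the high band."""
    return all(w < HIGH_THRESHOLD for w in FACTOR_WEIGHTS.values())


def worked_example(as_of: date = date(2026, 5, 1)) -> dict:
    """Two constructed customers with the same jurisdictional exposure but different
    overall pictures, then a monitoring alert on the first."""
    established = Customer("C-001", {"high_risk_jurisdiction"},
                           {"documented_source_of_wealth", "long_standing_straightforward_relationship"})
    opaque = Customer("C-002", {"high_risk_jurisdiction", "opaque_ownership_structure",
                                "unexplained_source_of_funds"})
    results = {"established": rate(established, as_of), "opaque": rate(opaque, as_of)}
    results["established_after_alert"] = rerate_on_alert(
        established, "transactions_inconsistent_with_profile", as_of)
    return results


if __name__ == "__main__":
    for label, r in worked_example().items():
        print(f"{label}: score={r['score']} band={r['band']} "
              f"edd={r['edd_required']} review={r['next_review']}")
```

The `no_single_factor_is_determinative` check is the kind of test a firm can run against its own model whenever the weights are changed; the `rerate_on_alert` path is what the guide means by monitoring alerts being closed with reference to the customer's risk rating rather than in isolation.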
Where the risk-based approach falls short
The risk-based approach fails for a consistent set of reasons. None of them is difficult to understand. Most are difficult to fix without deliberate organisational commitment.
The assessment is treated as a document, not a tool. Many organisations produce a firm-wide risk assessment to satisfy a regulatory requirement and then update it annually as a compliance exercise. It does not drive how controls are designed or how resources are allocated. A genuine risk assessment is dynamic. It reflects changes in the business and the external threat environment, and it is used to make real decisions.
Risk ratings become formulaic. When customer risk ratings are produced by automated systems that apply a fixed set of criteria, the process can run on autopilot. Nobody asks whether the model is still capturing the right risks, or whether the output reflects the reality of the customer relationship. Financial crime is adaptive. The risk indicators that mattered three years ago may no longer be the most important.
Compliance and the business operate in separate lanes. A risk-based approach requires compliance to understand the business well enough to identify where financial crime risk actually arises in practice. That requires genuine collaboration between compliance teams and the business units they oversee. Where those relationships are distant, the risk assessment reflects what compliance thinks the risks are, rather than what is actually happening at the customer interface.
The approach becomes a tick-box exercise. The risk-based approach is not a process to be completed. It is a way of thinking about controls. A firm that applies it only because it is required, rather than because it is the most rational way to manage risk, will produce a programme that appears compliant but is not effective.
Record keeping
Record keeping sits alongside the risk-based approach as one of the foundations of any AML compliance programme. The obligation to keep records is not just administrative. Records are the evidence that the firm has met its obligations. Without them, there is no way to demonstrate compliance, no way to support a SAR or an investigation, and no way to defend the firm in a supervisory review or enforcement action.
What the MLR 2017 require
Regulation 40 sets out the record-keeping obligations. There are two categories of record.
The first is CDD records. A relevant person must keep a copy of, or a reference to, the evidence obtained during CDD for the duration of the business relationship and for five years after it ends. Where the relationship involves an occasional transaction rather than an ongoing business relationship, the five-year period runs from the transaction date.
The second is transaction records. A relevant person must keep supporting evidence and records of any transaction carried out in the course of a business relationship or in connection with an occasional transaction for five years from the date the transaction was completed.
Records must be kept in a form that allows them to be made available promptly to the firm's supervisor or to law enforcement if requested. That last point matters more than firms sometimes appreciate. A record that cannot be retrieved within a reasonable time is not much better than no record at all. In practice, the records a firm needs to be able to produce include:
- Customer identification documents or references to where they are held.
- The results of any screening against sanctions lists, PEP databases or adverse media sources.
- Risk assessments at the customer level, including the basis for any simplified due diligence determination.
- Correspondence and notes relevant to the business relationship, including the basis for any enhanced due diligence decisions.
- Records of suspicious activity reports made internally, and external SARs filed with the NCA.
- Records of DAML requests and the responses received.
- Transaction records for the duration specified by regulation 40.
- Training records for all relevant staff.
- The firm-wide risk assessment and records of reviews and updates.
- Policies, controls and procedures, including previous versions and the dates they were in force.
The five-year rule in practice
The five-year retention period is the UK baseline under regulation 40. Some firms may also be subject to longer or separate retention requirements under other rules, statutes, litigation holds or local law. Where that happens, the retention policy needs to reflect the obligation that actually applies, rather than assuming one rule answers every case.
One practical complication arises when a SAR has been filed, a defence request has been made, or the firm becomes aware of an investigation or preservation requirement. In those circumstances, records should be preserved in line with the legal and regulatory obligations that apply to the case. Routine destruction schedules should not be followed blindly where they would cut across those obligations.
Data protection obligations sit alongside the record-keeping requirements and can create tension. The UK GDPR requires personal data to be kept no longer than necessary for the purpose for which it was collected. The MLR 2017 provide a specific legal basis for retaining AML records for the required period, but firms should not retain records beyond that period without a clear justification. Most firms resolve this by including a defined retention schedule in their AML policies that aligns both sets of obligations.
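As an added illustration of the retention rules in this section (example code, not a procedure from the session or from any regulator), the schedule below applies the regulation 40 baseline to a set of constructed records: CDD records run five years from the end of the relationship, CDD for an occasional transaction and transaction records run five years from the transaction date, a legal hold overrides routine destruction, and a record whose period has expired with no hold is flagged for review rather than silently kept. The record kinds, status codes and hold flag are assumptions.

```python
"""Record retention schedule built on the regulation 40 baseline. This is an
added example, not the session's own procedure: the record kinds, status codes
and the legal-hold override are assumptions layered on the five-year rule."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 5  # regulation 40 baseline; longer periods may apply under other rules


@dataclass
class Record:
    record_id: str
    kind: str  # "cdd" or "transaction"
    # CDD record in an ongoing relationship: date the relationship ended, None while live.
    # CDD record for an occasional transaction, or a transaction record: the transaction date.
    trigger_date: Optional[date]
    occasional: bool = False
    legal_hold: bool = False  # SAR filed, DAML outstanding, investigation or preservation notice


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_basis(r: Record) -> str:
    if r.kind == "cdd" and not r.occasional:
        return "five years after the business relationship ends"
    return "five years from the transaction date"


def retain_until(r: Record) -> Optional[date]:
    """First date on which routine destruction can be considered; None while the clock has not started."""
    if r.kind not in ("cdd", "transaction"):
        raise ValueError(f"unknown record kind: {r.kind}")
    if r.trigger_date is None:
        return None
    return add_years(r.trigger_date, RETENTION_YEARS)


def disposition(r: Record, today: date) -> tuple:
    """Return (status, retain_until). A legal hold always wins over the routine schedule."""
    until = retain_until(r)
    if r.legal_hold:
        return ("preserve_legal_hold", until)
    if until is None:
        return ("retain_relationship_ongoing", None)
    if today < until:
        return ("retain_within_period", until)
    # Period expired and no hold: keeping the record further needs a documented
    # justification, because the UK GDPR storage-limitation principle applies.
    return ("review_for_deletion", until)


def worked_example(today: date = date(2026, 5, 1)) -> dict:
    """Constructed sample records covering each branch of the schedule."""
    records = [
        Record("R1", "cdd", date(2020, 3, 15)),                          # relationship ended 2020
        Record("R2", "cdd", None),                                       # relationship still live
        Record("R3", "transaction", date(2023, 2, 28)),                  # recent transaction
        Record("R4", "transaction", date(2019, 6, 1), legal_hold=True),  # expired but on hold
        Record("R5", "cdd", date(2021, 11, 30), occasional=True),        # occasional-transaction CDD
        Record("R6", "cdd", date(2024, 2, 29), occasional=True),         # leap-day trigger date
    ]
    out = {}
    for r in records:
        status, until = disposition(r, today)
        out[r.record_id] = (status, until.isoformat() if until else None, retention_basis(r))
    return out


if __name__ == "__main__":
    for rid, (status, until, basis) in worked_example().items():
        print(f"{rid}: {status:<28} until={until}  basis={basis}")
```

The point of the `review_for_deletion` status rather than an automatic delete is the tension described above: once the statutory period has passed, continued retention needs its own justification, but destruction must never run ahead of a hold.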
Keeping records that can actually be used
The most common record-keeping failure is not the absence of records but their inaccessibility. Records held across multiple systems, in paper files that have not been indexed, or in formats that require specialist software to open, are records in name only. If they cannot be retrieved promptly and provided in a usable form, they do not serve their purpose.
Building record keeping into the CDD process from the outset is far more effective than trying to reconstruct records retrospectively. That means knowing at the point of onboarding where the CDD documentation will be stored, in what format, and for how long. It means ensuring that transaction records are captured automatically where possible rather than manually. And it means testing the retrieval process periodically rather than assuming it works.
Record keeping in New Zealand and Australia
New Zealand
The record-keeping obligations for New Zealand reporting entities are set out in the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 and the associated regulations. The general requirement is to keep records of CDD information and transaction records for a minimum of five years, broadly equivalent to the UK position.
The Act also requires records to be kept in a form that is readily accessible. The New Zealand supervisors, particularly the Department of Internal Affairs, have emphasised in their guidance that records must be retrievable and provided promptly upon request. The standard is the same as in the UK: a record that cannot be produced when needed is not compliant.
Australia
In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 remains the core legislation, now read alongside the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 and the transitional rules issued for the 2026 reforms. The 2024 amending Act has already changed part of the framework, with further reforms taking effect from 1 July 2026 for newly regulated entities and with some transitional relief running beyond that date. Firms operating there need to work from the current Act, the current Rules and the current AUSTRAC guidance, not from reform summaries or future-law compilations alone.
AUSTRAC has consistently treated poor record keeping as a serious compliance failure. The point is practical. If a firm cannot produce customer identification records, monitoring records, or the basis for its risk decisions, it cannot show that its controls are working. Records are the evidence.
Key takeaways from Session Six
- The risk-based approach is a regulatory requirement, not an option. Resources and scrutiny must be directed where the risk is highest, and compliance controls must be proportionate to the risk assessed, not applied uniformly regardless of risk.
- The firm-wide risk assessment must be specific to the firm. It should draw on internal data and external sources, conclude the firm's risk position, and drive the design of the compliance programme. A document that does not connect to the programme it is meant to support is not meeting its purpose.
- The risk assessment must be kept up to date. That means updating it when the business changes, when the external threat environment changes, or when monitoring or supervisory findings reveal gaps. Annual review is a minimum, not a target.
- Customer risk ratings should flow from the firm-wide risk assessment methodology. They should reflect the overall picture of the customer relationship and be updated when circumstances change. A rating assigned at onboarding is a starting point, not a permanent label.
- Record keeping is not just administrative. Records are the evidence that the firm has met its obligations. They must be kept for the required period, in a form that can be retrieved promptly, and must cover CDD, transactions, SARs, training, risk assessments and policies.
- In the UK, the minimum retention period for both CDD and transaction records is five years. In New Zealand, the general position is also five years. In Australia, firms should check the current Act, the AML/CTF Rules 2025, the 2026 transitional rules and current AUSTRAC guidance, because the reform programme is being brought into force in stages.
- The most common record-keeping failure is inaccessibility, not absence. Records that cannot be retrieved promptly and produced in a usable form do not meet the regulatory standard.
Coming up in Session Seven
Session Seven covers suspicious activity reporting. It is one of the most important duties a regulated firm faces, yet one of the most misunderstood. The session explains what triggers a reporting obligation, what a SAR must contain, how the DAML process works, and how to manage the tipping-off risk that arises once a report has been made.
Further reading and resources
The following primary sources are worth reading alongside this session. All are publicly available.
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, regulations 18 to 21 and regulation 40. These are the core obligations regarding risk assessment and record keeping. Use the consolidated version on legislation.gov.uk.
HM Treasury: National Risk Assessment of Money Laundering and Terrorist Financing 2025. Published 17 July 2025. A key external input to any UK firm-wide risk assessment. Available at gov.uk.
FCA Financial Crime Guide, especially FCG 2 and FCG 3. The FCA finalised important updates in November 2024, including changes relevant to sanctions, proliferation financing and transaction monitoring. Use the current handbook version rather than an older PDF. Available through the FCA Handbook.
JMLSG Guidance, Part I, Chapter 4 (Risk-based approach). Still one of the most practical UK guides to applying the risk-based approach in financial services. Check the current JMLSG guidance page for the latest approved text and any pending revisions.
FATF guidance on financial inclusion and anti-money laundering and terrorist financing measures (June 2025). Useful on proportionality, simplified measures and the limits of blanket de-risking. Available at fatf-gafi.org.
AML/CFT Act 2009 and supervisor guidance (New Zealand). The Department of Internal Affairs, the Financial Markets Authority and the Reserve Bank of New Zealand publish current guidance on risk assessment, AML/CFT programmes and record keeping. Use legislation.govt.nz and each supervisor's website.
Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the AML/CTF Rules 2025, the 2026 transitional rules, and AUSTRAC guidance (Australia). Use the current legislation and AUSTRAC implementation materials carefully. Some reforms are already in force, others take effect later, and AUSTRAC's future-law compilations are only planning aids, not the law itself.