22 June 2026
The Wolfsberg Group ¦ Guidance on the Risk-Based Approach
Risk-based approach in financial crime compliance: Why proportionality, prioritisation and effectiveness matter
The Wolfsberg Group’s latest guidance on the risk-based approach (RBA) sets out a simple but important message: financial institutions should design financial crime risk management programmes around the risks they actually face, not around a generic template. A one-size-fits-all model is not risk-based, and it can leave institutions spending time and money on controls that add little value while under-investing in the areas that matter most.
At its core, the guidance treats the risk-based approach as essential to effective financial crime risk management. That means identifying financial crime risks, understanding them, assessing them properly and then taking action that is proportionate to the level of risk identified. The objective is not to do everything. It is to do the right things, in the right places, with enough flexibility to respond to a changing threat environment.
Why the risk-based approach matters now
The Wolfsberg Group argues that the need for a risk-based approach has never been greater. Financial crime threats are evolving quickly, technology is changing how institutions operate, and criminal methods are becoming more adaptive. In that environment, financial institutions need programmes that can respond in a targeted way rather than relying on rigid, static controls.
The guidance also stresses the importance of leadership. Senior management and public sector leaders should reinforce a strong tone from the top that supports genuine risk-based decision-making. Without that commitment, institutions may drift back toward box-ticking, which can create the appearance of control without delivering real protection.
Proportionality as the foundation
The first key principle is proportionality. Financial crime controls should be proportionate to an institution’s business model, customer base, footprint, size, scale and risk appetite. That means a bank, fintech or other financial institution should not simply copy another firm’s controls and assume they will fit.
The guidance points out that each institution is different. A company’s business strategy, operating model and customer mix all shape the level and type of risk it faces. A proportionate programme will reflect those realities rather than applying the same procedures everywhere.
National risk assessments (NRAs) can help inform this design. Where available, they provide useful insight into a country’s financial crime threats, vulnerabilities and public sector priorities. Financial institutions can use that information, together with direct dialogue with authorities and law enforcement, to better align their own controls with the risks they face.
Risk appetite and strategic boundaries
The guidance also highlights the role of financial crime risk appetite. Set by senior management, risk appetite defines the level of risk an institution is willing to accept and the risks it will not tolerate. It should reflect the institution’s values, regulatory obligations, business objectives and risk management framework.
This matters because risk appetite gives structure to decision-making. It helps institutions decide where they are willing to simplify, where they need stronger controls and where they should avoid exposure altogether. The guidance also notes that financial inclusion expectations should be considered, but not at the expense of robust financial crime risk management.
Using assessments to drive action
Business-wide risk assessments remain central to a credible risk-based approach. These assessments should use data across categories such as customers, transactions, geographies, products and delivery channels. They should assess risk both quantitatively and qualitatively, giving the institution a full view of its exposure.
Targeted assessments can then be used to segment risk more precisely. Customer, country, industry and product assessments can help institutions assign low, medium or high risk ratings and determine the right level of due diligence, approval requirements, review frequency, escalation and ongoing monitoring.
The guidance is clear that risk assessment should not be treated as a one-off exercise. It should be part of day-to-day risk management, supported by regular oversight, management information (MI) and control effectiveness reporting. That way, the risk-based approach stays current and relevant instead of becoming a static annual review.
Prioritisation means focusing where risk is highest
The second key principle is prioritisation. In practice, this means directing attention and resources to higher-risk customers and activities, while reducing effort where risk is lower. The guidance puts it plainly: focusing on everything is the same as focusing on nothing.
Prioritisation depends on understanding who the customer is and what the customer does. On the customer side, higher risk may be linked to non-resident customers, companies with nominee shareholders, or structures that use bearer shares. Certain industries, such as cash-intensive retail businesses, money service businesses and third-party payment processors, may also carry greater inherent risk.
Legal structure matters as well. Simple ownership structures are easier to understand and monitor, while complex structures need closer scrutiny to determine whether the complexity is commercially justified or may be designed to obscure illicit activity. Newly formed entities may also carry more risk than long-established ones.
Publicly owned or traded companies often present lower risk because they are subject to greater disclosure obligations. That may allow financial institutions to reduce the intensity or frequency of some controls, provided the overall risk picture supports that decision.
Understanding what the customer does
Behaviour matters just as much as customer type. The guidance emphasises that institutions should look closely at how customers use products and services, move value and interact over time.
Unusual transactional behaviour can be a strong indicator of risk, especially where it does not match the customer’s stated purpose, expected turnover, wealth, transaction volume or business model. Activity involving higher-risk jurisdictions or corridors that do not fit the known customer profile should also draw attention.
Product usage can be another warning sign. If a customer uses products in unusual ways, especially to increase anonymity, add complexity or reduce traceability, that may indicate elevated risk. Screening, transaction monitoring and other control tools should feed into customer risk insights that help institutions focus on the areas most likely to matter.
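The two sides of prioritisation described above, who the customer is and what the customer does, can be illustrated with a small scoring model that assigns a low, medium or high rating from profile attributes, maps the rating to a control intensity, and then compares observed activity with the customer's expected turnover and declared corridors. The code below is an added example, not taken from the Wolfsberg guidance or from any institution's system; the point weights, rating bands, review frequencies, higher-risk country codes and sample customers are all constructed for illustration, and a real programme would calibrate each of them from its own business-wide and targeted risk assessments.

```python
"""Illustrative customer risk segmentation and behavioural deviation check.

Added example: weights, thresholds, country codes and sample data below are
constructed placeholders, not values from the Wolfsberg guidance.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed (hypothetical) higher-risk jurisdictions. A real programme would
# derive this list from its own country risk assessment and the relevant NRA.
HIGHER_RISK_COUNTRIES: Set[str] = {"XX", "YY"}

# Constructed inherent-risk points for industries the guidance names as higher risk.
INDUSTRY_POINTS: Dict[str, int] = {
    "cash_intensive_retail": 2,
    "money_service_business": 3,
    "third_party_payment_processor": 3,
}


@dataclass
class CustomerProfile:
    customer_id: str
    resident: bool
    industry: str
    nominee_shareholders: bool = False
    bearer_shares: bool = False
    ownership_layers: int = 1            # layers between customer and beneficial owners
    months_since_incorporation: int = 120
    publicly_traded: bool = False
    expected_monthly_turnover: float = 0.0
    declared_corridors: Set[str] = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    counterparty_country: str


def score_customer(p: CustomerProfile) -> int:
    """Sum constructed risk points over the 'who is the customer' factors."""
    points = 0
    if not p.resident:
        points += 2
    if p.nominee_shareholders:
        points += 3
    if p.bearer_shares:
        points += 4
    if p.ownership_layers > 2:           # complex structure needs closer scrutiny
        points += 2
    if p.months_since_incorporation < 12:  # newly formed entity
        points += 1
    points += INDUSTRY_POINTS.get(p.industry, 0)
    if p.publicly_traded:                # greater disclosure obligations
        points -= 2
    return max(points, 0)


def rate_customer(p: CustomerProfile) -> str:
    """Map the score onto constructed low/medium/high bands."""
    score = score_customer(p)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed mapping from rating to the control intensity the guidance mentions
# (level of due diligence, review frequency, approval requirement).
CONTROLS: Dict[str, Dict] = {
    "low": {"due_diligence": "simplified", "review_months": 36, "senior_approval": False},
    "medium": {"due_diligence": "standard", "review_months": 12, "senior_approval": False},
    "high": {"due_diligence": "enhanced", "review_months": 6, "senior_approval": True},
}


def controls_for(p: CustomerProfile) -> Dict:
    return dict(CONTROLS[rate_customer(p)])


def unusual_activity(p: CustomerProfile, txns: List[Transaction], tolerance: float = 1.5) -> List[str]:
    """Compare one month of activity with the expected profile; return reasons to review."""
    reasons = []
    total = sum(t.amount for t in txns)
    if p.expected_monthly_turnover and total > tolerance * p.expected_monthly_turnover:
        reasons.append(f"volume {total:.0f} exceeds {tolerance}x expected turnover "
                       f"{p.expected_monthly_turnover:.0f}")
    seen: Set[str] = set()
    for t in txns:
        c = t.counterparty_country
        if c in HIGHER_RISK_COUNTRIES and c not in p.declared_corridors and c not in seen:
            seen.add(c)
            reasons.append(f"higher-risk corridor {c} outside declared profile")
    return reasons


# Constructed sample customers and one month of constructed transactions.
LISTED_MANUFACTURER = CustomerProfile("C-1", resident=True, industry="manufacturing", publicly_traded=True)
NEW_RETAILER = CustomerProfile("C-2", resident=True, industry="cash_intensive_retail", months_since_incorporation=6)
NONRESIDENT_MSB = CustomerProfile("C-3", resident=False, industry="money_service_business",
                                  nominee_shareholders=True, expected_monthly_turnover=100_000.0,
                                  declared_corridors={"AA"})
SAMPLE_TXNS = [Transaction(80_000.0, "AA"), Transaction(90_000.0, "XX")]

if __name__ == "__main__":
    for cust in (LISTED_MANUFACTURER, NEW_RETAILER, NONRESIDENT_MSB):
        print(cust.customer_id, rate_customer(cust), controls_for(cust))
    print(unusual_activity(NONRESIDENT_MSB, SAMPLE_TXNS))
```

The rating and the behavioural check are deliberately separate functions: the first sets the baseline control intensity at onboarding and periodic review, while the second feeds ongoing monitoring outputs back into the customer risk picture, which is the loop the guidance describes when it says screening and transaction monitoring should inform customer risk insights.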
Effectiveness is the real test
The third key principle is effectiveness. A risk-based programme should not be judged by the volume of controls in place, but by the quality of the outcomes it produces. That includes compliance with applicable laws and regulations, reasonable controls that mitigate abuse, and the ability to provide highly useful information to relevant authorities.
This is an important shift. It moves the discussion away from rigid process compliance and toward practical results. An institution can have extensive policies and still be ineffective if the controls do not meaningfully reduce risk or support law enforcement and supervisory goals.
The guidance also points to the need for traceable governance. Institutions should be able to explain how decisions are made, how controls work and why certain choices were taken. At the same time, governance should not become so complex that it slows decision-making or consumes resources that should be focused on actual risk management.
Supervisors and auditors have a role to play
A risk-based approach can only work if supervision and audit frameworks support it. The guidance warns against tick-box supervision, unrealistic expectations and zero-failure compliance mindsets. These approaches can increase cost, create customer friction and divert attention away from real risk.
Supervisors and auditors should assess outcomes and the practical contribution an institution makes in combating financial crime. Testing should be tailored to the institution’s business model and risk profile rather than built on a standard template. Public-private collaboration and regular dialogue are also essential if the risk-based approach is to be accepted and applied consistently.
People, training and culture
The guidance closes with an important reminder: systems and controls do not work on their own. People are critical. Training should be risk-based too, with role-specific content for higher-risk functions and learning that keeps pace with new technology and changing threats.
Just as importantly, training should strengthen critical thinking, curiosity and confidence to escalate concerns. A healthy risk-based culture depends on staff who can spot unusual activity, apply judgment and speak up when something does not look right. Leadership has a key role here as well, by setting the tone and making clear that financial crime risk management is a priority.
A practical path forward
The Wolfsberg Group’s message is that a genuine risk-based approach is not about doing less. It is about doing what matters most, in a way that fits the institution’s actual risks and business model. Proportionality ensures controls are right-sized. Prioritisation ensures resources go to the highest-risk areas. Effectiveness ensures the programme produces real outcomes.
For financial institutions, the challenge is to turn those principles into daily practice. For supervisors, the challenge is to support firms that are trying to do exactly that. When both sides get it right, the result is a stronger financial crime risk management framework and better protection for the financial system overall.
Dive deeper
- The Wolfsberg Group ¦ Guidance on the Risk-Based Approach ¦ Link