The RBA was introduced to subject persons through the 4th Money laundering directive, replacing the previously used ‘tick box’ approach to customer due diligence.

Article 7(6) of the Prevention of money laundering and funding of terrorism regulation (PMLFTR) requires a subject person’s customer due diligence procedures to be implemented on a risk-sensitive basis. This obligation is reinforced in chapter 3 of the implementing procedures part 1.

When utilising a RBA to customer due diligence, subject persons must ensure to understand the inherent risk of business relationships and/or occasional transactions, prior to onboarding and on an ongoing basis. This effectively means that subject persons must understand the particular risks they are being exposed to by onboarding and servicing each of their clients.

Upon understanding their risk exposure, a subject person is then expected to effectively mitigate the risk through the implementation of mitigating measures, which address the unique risks identified through the Customer Risk Assessment process. A subject person therefore cannot solely implement standard mitigating measures across the board, as each client, whether establishing a business relationship or requesting an occasional transaction, will expose the subject person to a unique set of risks.

Should a subject person determine however, that they are not able, or are not sufficiently equipped, to mitigate the risks identified, then the subject person should refrain from onboarding or servicing the client.

Can the RBD affect your business adversely? 

If the RBA is not implemented and utilised as intended, yes, it could hinder business, become time consuming, costly and may cause issues with authorities, due to actual risk exposure not being identified and/or addressed.

The scope of adopting a risk-based approach is to allocate resources where they are most needed and to address specific risks. It is however very common for subject persons to default to obtaining more, or more extensively verified documentation when clients are assessed as being higher risk, most of the time completely overlooking the actual risk being faced.

Although in certain instances further documentation and authentication would be the correct mitigating measure, exposure to certain other risks may not necessarily require further KYC documentation to be collected. Alternatively, a higher level of ongoing monitoring or a different method of ongoing monitoring may need to be implemented and further information may be required (not necessarily from the client).

Obtaining meaningful information, both initially and on an ongoing basis, will help subject persons understand their client, establish what ‘normal’ looks like for that particular client and as a result Identify any unusual behaviour/activity.


It is therefore imperative, for the protection & survival of the subject person, that AML/CFT measures are targeted to address the actual risks being faced, rather than collecting a significant amount of documentation to tick the proverbial box and attempting to present a compliant front to the regulator.

Subject persons need to work smarter by understanding and addressing real risk, making AML/CFT measures meaningful and efficient in their implementation. Although this approach is not infallible, it will ensure that the subject person is addressing risk meaningfully, taking the appropriate action where necessary.