Risk-Based in Name, Rule-Based in Practice
India’s anti-money laundering framework has undergone a visible transformation over the past decade. Regulatory expectations have expanded, reporting obligations have intensified, and financial institutions today operate within a significantly more mature AML/CFT environment than they did even a few years ago.
This evolution was reflected in India’s recent Mutual Evaluation under the FATF framework, where the country achieved strong technical compliance ratings across a majority of FATF Recommendations. Yet, the evaluation also carried a more important message beneath the headline scores: technical compliance and effective implementation are not the same thing. That distinction matters.
For many reporting entities in India, AML compliance today remains heavily documentation-driven and operationally rule-based, even while regulatory frameworks increasingly prescribe a genuine risk-based approach (RBA). Institutions may have risk categorisation frameworks, customer risk buckets, and monitoring rules in place, yet still struggle to demonstrate that their controls are genuinely calibrated to the specific money laundering and terrorist financing risks they face.
This gap between prescribed RBA and practised RBA is now becoming increasingly difficult for institutions and regulators to ignore.
What the Risk-Based Approach Actually Means
The risk-based approach is not a new regulatory concept. FATF Recommendation 1, which forms the foundation of the global AML/CFT framework, requires countries and reporting entities to identify, assess, understand, and mitigate money laundering and terrorist financing risks proportionate to their nature and level.
At its core, the RBA is built on a simple principle: Not all customers, products, channels, or transactions carry the same level of risk, and therefore they should not be treated identically.
However, in practice, many institutions continue to operationalise AML controls in largely uniform ways. Customer onboarding procedures, transaction monitoring thresholds, review frequencies, and escalation processes often remain standardized across broad customer populations irrespective of differing risk exposure.
This is precisely what the RBA was intended to avoid.
A genuine risk-based approach is not merely a compliance methodology or documentation requirement. It is a philosophy of resource allocation and control calibration. Higher-risk relationships require deeper scrutiny, enhanced monitoring, and stronger controls. Lower-risk relationships require proportionate treatment, not over-application of controls that creates unnecessary operational friction.
Indian regulatory frameworks already reflect this expectation. RBI Master Directions on KYC, SEBI’s AML guidelines for intermediaries, IRDAI’s AML/CFT framework, and IFSCA obligations all mandate varying forms of risk-based compliance. The regulatory prescription is clear.
The challenge lies in operationalisation.
Risk-Labelling vs. Risk-Based Thinking
One of the most common misconceptions across reporting entities is the tendency to equate risk classification with risk assessment. In many institutions, customers are categorised into “low”, “medium”, or “high” risk buckets during onboarding, after which the classification remains largely static until the next mandated periodic review cycle. Once assigned, the label itself often becomes the conclusion of the exercise rather than the beginning of an ongoing risk understanding process.
This is risk-labelling, not risk-based thinking. A genuine RBA requires institutions to continuously evaluate how risk evolves across multiple dimensions:
- customer profile,
- product usage,
- geographic exposure,
- transaction behaviour,
- and delivery channels.
A customer initially classified as low-risk may later begin demonstrating materially different transactional behaviour. Similarly, the risk profile of a product or delivery channel may change due to evolving typologies, regulatory developments, or emerging abuse patterns. Where institutions fail is not necessarily in creating risk categories but in failing to dynamically connect those categories to actual monitoring intensity, due diligence depth, escalation frameworks, and control allocation.
This becomes especially visible in transaction monitoring environments where identical rule thresholds are frequently applied across customers with fundamentally different risk profiles. In such cases, institutions may technically operate monitoring systems while still failing to demonstrate proportionate risk management.
The distinction is subtle but critical: assigning a risk label is an administrative process; understanding risk is an analytical process.
What Genuine RBA Looks Like Across Financial Sectors
The application of a risk-based approach differs significantly across sectors because the underlying vulnerabilities themselves differ.
➔ Banks and NBFCs
For banks and NBFCs, a genuine RBA requires institution-specific assessment of customer segments, products, geographies, and delivery channels. FATF guidance has consistently emphasised that institutions should avoid relying on generic industry templates and instead develop controls tailored to their own risk exposure.
This becomes especially important in areas such as:
- correspondent banking,
- trade finance,
- cash-intensive businesses,
- remittance corridors,
- and digital onboarding ecosystems.
A common industry challenge is the tendency toward “de-risking” – blanket exclusion of customer categories perceived as higher-risk. However, FATF guidance increasingly stresses that indiscriminate exclusion is not an effective risk-based approach. Controls must be proportionate, not avoidance-driven.
➔ Securities and Capital Market Intermediaries
The securities ecosystem presents a different set of vulnerabilities:
- high transaction velocity,
- layered ownership structures,
- rapid movement of funds,
- and potential misuse through off-market transfers or circular trading patterns.
In such environments, uniform customer due diligence frameworks are often insufficient. Product-specific and behaviour-specific monitoring becomes critical. A retail trading account and a high-frequency institutional participant cannot realistically be supervised using identical behavioural assumptions.
➔ Insurance Sector
In insurance, AML vulnerabilities often emerge through:
- single-premium products,
- early policy surrenders,
- third-party premium payments,
- and refund structures.
This means that onboarding alone cannot form the basis of effective AML supervision. Institutions must understand risk across the entire policy lifecycle rather than limiting controls to customer acquisition stages.
➔ Fintechs and New-Age Reporting Entities
For fintechs, payment intermediaries, and digitally native financial entities, the challenge is even more pronounced.
Fast onboarding, thin customer interaction layers, and extremely high transaction velocity create environments where static due diligence frameworks quickly become ineffective. Institutions operating at scale must therefore increasingly rely on dynamic monitoring, behavioural analytics, and technology-enabled risk assessment models.
In many ways, technology capability is now becoming directly linked to AML effectiveness.
Where Reporting Entities Continue to Fall Short
India’s regulatory ecosystem has become significantly more sophisticated, but implementation maturity still varies widely across sectors and institutions.
Larger banks and technology-driven institutions generally demonstrate stronger monitoring systems, better calibrated controls, and more mature risk assessment practices. Smaller entities and institutions with fragmented compliance infrastructure often continue to struggle with practical implementation.
Some of the most common gaps visible across institutions include:
- Static Risk Ratings: Customer risk categorisation often remains unchanged between review cycles even when material risk indicators evolve.
- Generic Product Risk Assessment: Many institutions maintain broad product risk statements without meaningful calibration to actual transaction patterns or misuse typologies.
- Weak Integration Between Risk Assessment and Monitoring: Business-wide risk assessments frequently operate as standalone documentation exercises rather than directly influencing transaction monitoring rules, escalation thresholds, or due diligence intensity.
- Limited Channel Risk Differentiation: Digital onboarding channels, branch onboarding, and intermediary-driven onboarding often continue to receive similar treatment despite materially different inherent risks.
- Inadequate Feedback Loops: Findings from STRs, investigations, regulatory observations, and internal alerts are not always fed back into institutional risk assessment frameworks.
These weaknesses matter because regulators are increasingly evaluating whether AML programmes are operationally effective — not merely procedurally complete.
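As an added illustration (not code from the original article) of the risk-labelling problem described earlier and of the “static risk ratings” and “weak integration” gaps listed above, the same month of transactions is run through a single uniform threshold and through tier-calibrated rules that include a re-rating feedback loop. All tiers, thresholds, customers and transaction amounts are constructed values, not any regulator's prescribed figures.

```python
from dataclasses import dataclass, field

# Constructed monitoring parameters: each risk tier gets its own intensity. Higher tiers
# have lower single-transaction limits and less tolerance for volume above the declared baseline.
TIER_RULES = {
    "low":    {"single_txn_limit": 500_000, "velocity_multiple": 5.0},
    "medium": {"single_txn_limit": 200_000, "velocity_multiple": 3.0},
    "high":   {"single_txn_limit": 50_000,  "velocity_multiple": 2.0},
}
ESCALATE = {"low": "medium", "medium": "high", "high": "high"}
UNIFORM_MONTHLY_LIMIT = 1_000_000   # the "one threshold for everyone" rule being contrasted

@dataclass
class Customer:
    cid: str
    tier: str                 # risk label assigned at onboarding
    baseline_monthly: float   # expected monthly volume from the declared profile
    rating_log: list = field(default_factory=list)

def uniform_monitor(cust, monthly_txns):
    """Rule-based practice: the same volume threshold regardless of the risk label."""
    volume = sum(monthly_txns)
    return [f"{cust.cid}: volume {volume} over uniform limit"] if volume > UNIFORM_MONTHLY_LIMIT else []

def risk_based_monitor(cust, monthly_txns):
    """Tier-calibrated rules plus a feedback loop: a material departure from the declared
    profile re-rates the customer now, instead of waiting for the periodic review cycle."""
    rules = TIER_RULES[cust.tier]
    alerts = []
    for amt in monthly_txns:
        if amt > rules["single_txn_limit"]:
            alerts.append(f"{cust.cid}: txn {amt} exceeds {cust.tier}-tier limit {rules['single_txn_limit']}")
    volume = sum(monthly_txns)
    if volume > rules["velocity_multiple"] * cust.baseline_monthly:
        alerts.append(f"{cust.cid}: volume {volume} is {volume / cust.baseline_monthly:.1f}x declared baseline")
        old, cust.tier = cust.tier, ESCALATE[cust.tier]   # the label follows the behaviour
        cust.rating_log.append((old, cust.tier))
    return alerts

def demo():
    """Constructed sample: a salaried low-risk customer and a medium-risk trading firm."""
    salaried = Customer("C1", "low", 100_000)
    firm = Customer("C2", "medium", 300_000)
    month = {"C1": [40_000, 35_000, 30_000], "C2": [250_000, 100_000, 600_000]}
    uniform = {c.cid: uniform_monitor(c, month[c.cid]) for c in (salaried, firm)}
    tiered = {c.cid: risk_based_monitor(c, month[c.cid]) for c in (salaried, firm)}
    return uniform, tiered, firm
```

Under the uniform rule neither customer is flagged; under the tiered rules the salaried customer stays quiet while the firm raises three alerts and is re-rated to high, so its next month is supervised at the tighter limit.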
RBI’s Evolving Direction on Internal ML/TF Risk Assessments
Recent regulatory developments indicate that Indian supervisors are now placing far greater emphasis on institution-specific risk understanding.
RBI’s guidance on internal ML/TF risk assessments reinforces the expectation that reporting entities must move beyond generic frameworks and conduct detailed internal assessments covering:
- customer base,
- products and services,
- geographies,
- delivery channels,
- and transaction characteristics.
This reflects an important shift.
Historically, many institutions approached risk assessments as template-driven exercises aligned broadly with sector expectations. Regulators are now clearly expecting institutions to demonstrate why their controls are appropriate for their own business model and risk environment specifically.
A defensible internal ML/TF risk assessment today must therefore:
- be analytical rather than descriptive,
- demonstrate rationale for risk ratings,
- connect directly to CDD and monitoring controls,
- and evolve as institutional risks evolve.
In effect, regulators are increasingly asking institutions a far more difficult question: “How does your AML framework reflect the actual risks created by your own business?”
Financial Inclusion and the Misapplication of RBA
An often-overlooked consequence of poor RBA implementation is financial exclusion.
Where institutions apply uniformly stringent due diligence requirements across all customer categories, genuinely low-risk individuals and small businesses may face unnecessary onboarding barriers, repeated documentation demands, or delayed access to financial services.
This is particularly relevant in India’s context, where:
- digital financial inclusion,
- Jan Dhan penetration,
- small business digitisation,
- and UPI-led financial participation
have expanded rapidly.
An effective risk-based approach does not mean weakening AML controls. It means applying controls proportionately. Over-applying enhanced due diligence to low-risk customers is not prudence; it is a failure to apply the RBA correctly.
This principle is increasingly reflected in global regulatory thinking as well, where financial inclusion and effective AML/CFT supervision are now viewed as mutually reinforcing rather than contradictory objectives.
Conclusion: The Question Institutions Must Now Answer
The gap between prescribed and practised RBA is ultimately a gap between policy and understanding.
Policies can be drafted centrally, templates can be circulated, and risk buckets can be assigned mechanically. But a genuine risk-based approach requires institutions to continuously ask:
- what risks exist,
- why they exist,
- how they evolve,
- and whether controls remain proportionate to those risks.
This is where AML compliance is increasingly headed globally, and India is no exception.
For regulators, the question is no longer whether institutions have AML frameworks in place. The question is whether those frameworks genuinely reflect the institution’s actual risk exposure.
And increasingly, “we follow the Master Directions” may no longer be considered a sufficient answer.