Risk-Based Controls
Key Takeaways
- The risk-based approach applies simplified due diligence (SDD) to low risk, standard CDD to normal risk, and enhanced due diligence (EDD) to high risk.
- EDD triggers include PEPs, correspondent banking, high-risk jurisdictions, and unusual or complex transactions.
- Controls must be commensurate with risk — neither under-controlling high risk nor wasting effort on low risk.
- Ongoing monitoring and periodic CDD refresh keep risk ratings current as customer behavior changes.
The risk-based approach (RBA) is the organizing principle of modern AFC, endorsed by FATF and embedded in the US CDD Rule and the EU AML directives. It requires institutions to apply more scrutiny where financial-crime risk is high and less where it is low, rather than treating every customer identically. CAMS tests whether you can match the right intensity of control to a given risk rating.
The due-diligence ladder
Due diligence scales across three tiers. Misapplying a tier — for example, granting simplified diligence to a politically exposed person — is one of the most common scenario errors.
| Tier | When applied | What it requires |
|---|---|---|
| Simplified due diligence (SDD) | Demonstrably low-risk customers (e.g., regulated domestic entities, certain government bodies) | Reduced verification; never no diligence |
| Standard CDD | Normal-risk customers | Identify and verify the customer, understand purpose, identify beneficial owners, ongoing monitoring |
| Enhanced due diligence (EDD) | High-risk customers and relationships | Senior-management approval, source-of-funds/wealth checks, deeper monitoring, more frequent review |
A key nuance: SDD is reduced, never zero. An option saying a low-risk customer needs "no due diligence" is wrong.
EDD triggers
Memorize the relationships that mandate EDD:
- Politically Exposed Persons (PEPs) — and often their family members and close associates; foreign PEPs are almost always treated as high risk.
- Correspondent banking, especially cross-border and with respondents in weak-AML jurisdictions; shell banks are prohibited, not merely high risk.
- High-risk geographies — FATF-listed and sanctioned jurisdictions.
- Unusual, complex, or unusually large transactions with no clear economic or lawful purpose.
- Private banking and high-net-worth relationships, where source of wealth is central.
For a PEP, the program typically needs senior-management sign-off to open or continue the relationship, plus a documented source-of-wealth rationale. A scenario where a junior officer approves a foreign PEP alone is testing this control gap.
Ongoing monitoring and refresh
A risk rating set at onboarding is not permanent. Ongoing monitoring watches transactions against the expected profile, and periodic CDD refresh re-verifies information on a schedule keyed to risk — high-risk customers reviewed most frequently. A sudden change (a retail customer suddenly receiving large foreign wires) should re-trigger diligence and possibly reclassify the customer.
Scenario workflow
For a controls scenario, ask:
- What is the customer's risk rating, and does the proposed control match it?
- Does any EDD trigger apply (PEP, correspondent, high-risk geography, unusual activity)?
- Was senior-management approval obtained where required?
- Has monitoring detected a change that should re-rate the relationship?
The best answer is proportional: it neither under-controls a high-risk PEP nor buries a low-risk domestic account in unnecessary checks. Beware the distractor that applies the same control to every customer regardless of risk — that defeats the entire risk-based approach.
Worked example
A retail customer opened a personal account two years ago with a stable salary profile. Monitoring now flags three incoming international wires of $9,500 each within a week from unrelated senders, just under the $10,000 currency-transaction-report threshold. This pattern suggests structuring and is inconsistent with the customer's profile. The risk-based response: the relationship manager (first line) reports the anomaly, the AFC analyst re-rates the customer upward and applies EDD-style scrutiny (source-of-funds inquiry, enhanced monitoring), and the MLRO evaluates a SAR.
The customer's original low rating does not freeze in place — a behavior change re-triggers diligence.
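As an added illustration, not part of the original study page, here is the monitoring logic behind this scenario in Python, which also shows the kind of automated rule referred to under transaction monitoring later on: a rolling-window rule for sub-threshold incoming wires from distinct senders, a profile-deviation check, and the upward re-rate with the EDD-style steps it mandates. The threshold band, window, profile and wire records are constructed assumptions for the example, not regulatory parameters.

```python
from datetime import date

CTR_THRESHOLD = 10_000   # the reporting threshold the pattern is skirting
NEAR_BAND = 0.85         # wires at >= 85% of threshold count as "just under" (assumption)
WINDOW_DAYS = 7          # rolling window for clustering (assumption)
MIN_HITS = 3             # distinct sub-threshold wires needed to alert (assumption)

# Constructed sample wires for one retail customer: (date, amount, sender, country)
WIRES = [
    (date(2024, 3, 1), 2_100.00, "ACME Payroll", "US"),
    (date(2024, 3, 4), 9_500.00, "R. Okafor", "NG"),
    (date(2024, 3, 6), 9_500.00, "L. Mendes", "BR"),
    (date(2024, 3, 9), 9_500.00, "K. Petrov", "CY"),
]
# Constructed expected-activity profile captured at onboarding
PROFILE = {"expected_monthly_credits": 2_500.00, "expects_foreign_wires": False}

def structuring_alerts(wires, threshold=CTR_THRESHOLD, band=NEAR_BAND,
                       window=WINDOW_DAYS, min_hits=MIN_HITS):
    """Flag a run of sub-threshold wires from distinct senders inside a rolling window."""
    near = sorted(w for w in wires if band * threshold <= w[1] < threshold)
    alerts = []
    for i, first in enumerate(near):
        run = [w for w in near[i:] if (w[0] - first[0]).days < window]
        senders = {w[2] for w in run}
        if len(run) >= min_hits and len(senders) >= min_hits:
            alerts.append({"start": first[0], "count": len(run),
                           "total": sum(w[1] for w in run), "senders": sorted(senders)})
            break  # one alert per cluster is enough for the analyst to work
    return alerts

def profile_deviation(wires, profile):
    """Compare observed activity with the expected profile set at onboarding."""
    reasons = []
    if any(w[3] != "US" for w in wires) and not profile["expects_foreign_wires"]:
        reasons.append("foreign wires on a domestic-only profile")
    if sum(w[1] for w in wires) > 3 * profile["expected_monthly_credits"]:
        reasons.append("credits exceed 3x expected monthly volume")
    return reasons

def rerate(current_rating, alerts, reasons):
    """Risk-based response: a fired trigger re-rates upward and mandates EDD-style steps."""
    if not alerts and not reasons:
        return current_rating, []   # rating stays where it is; monitoring continues
    return "high", ["source-of-funds inquiry", "enhanced monitoring",
                    "escalate to MLRO for SAR evaluation"]

if __name__ == "__main__":
    a, r = structuring_alerts(WIRES), profile_deviation(WIRES, PROFILE)
    print(a, r, rerate("low", a, r))
```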
Calibrating control intensity
The practical question on the exam is always "how much is enough?" The answer is: enough to match the residual risk, with the heaviest controls reserved for the relationships that warrant them.
| Risk level | Verification depth | Approval | Review frequency |
|---|---|---|---|
| Low (SDD) | Reduced, but identity still confirmed | Standard | Less frequent |
| Normal (CDD) | Full identity, purpose, beneficial owners | Standard | Periodic |
| High (EDD) | Source of funds and wealth, adverse-media checks | Senior management | Most frequent |
Two durable rules: SDD is reduced, never absent, and EDD for foreign PEPs requires senior-management approval plus a documented source-of-wealth basis. Controls also include negative-news / adverse-media screening and sanctions screening that run continuously, not only at onboarding. A relationship that was low risk can become high risk overnight if the customer is sanctioned or named in adverse media.
The exam rewards candidates who keep ratings dynamic, escalate when triggers fire, and resist both the under-control trap (treating a PEP like a retail account) and the over-control trap (drowning a low-risk account in EDD it does not need).
Specific control types and their thresholds
Risk-based controls are not abstract — they map to concrete mechanisms with testable parameters:
- Customer Identification Program (CIP) — verify identity at onboarding; for legal entities, collect beneficial owners at the 25% ownership threshold plus one control person.
- Sanctions/watchlist screening — run against OFAC and other lists at onboarding and continuously thereafter; a true match generally requires blocking or rejecting, not just review.
- Transaction monitoring — automated rules detect structuring, rapid movement, and profile deviations; alerts must be worked within policy timelines.
- Adverse-media (negative-news) screening — periodic for high-risk customers, recalibrating ratings on derogatory findings.
A correspondent-banking relationship layers several of these and adds a prohibition: no shell banks, and reasonable steps to ensure the respondent does not let shell banks use the account either. The exam often hides the trap inside a control choice — for example, an option that says low-risk customers need no ongoing monitoring (wrong; monitoring continues for all), or that a single sanctions hit can be cleared by the relationship manager (wrong; hits route to compliance).
Keep the through-line: match control intensity to residual risk, never drop below the floor of standard CDD, escalate triggers, and let monitoring re-rate customers as their behavior changes.
A new customer is identified as a foreign Politically Exposed Person (PEP). Which control approach is appropriate?
What is the defining feature of a risk-based approach to AFC controls?