Risk-Based Regulatory Expectations

Key Takeaways

  • The risk-based approach (RBA) is FATF Recommendation 1 - allocate resources to where money laundering and terrorist financing risk is highest, not uniformly.
  • An enterprise-wide risk assessment (EWRA) rates inherent risk across customers, products, geographies and channels, then applies controls to reach residual risk.
  • Senior management and the board own AML risk appetite; the AML Compliance Officer must have authority, independence and adequate resources.
  • The three lines of defense assign ownership: business (1st), compliance/risk (2nd) and internal audit (3rd).
Last updated: June 2026

The Risk-Based Approach Is the Spine of CAMS

The risk-based approach (RBA) is FATF Recommendation 1 and the single most tested governance concept on the CAMS exam. It requires institutions to identify, assess, and understand their money laundering and terrorist financing (ML/TF) risks, then allocate controls and resources proportionately. A rule-based, one-size-fits-all program is wrong on the exam; so is treating every customer as equally risky. CAMS scenarios reward the answer that escalates effort where risk is highest and reduces friction where it is demonstrably low.

The enterprise-wide risk assessment (EWRA) is the document that operationalizes the RBA. It scores inherent risk (risk before controls) across four standard categories, applies the strength of mitigating controls, and produces residual risk (what remains). Memorize the four categories: customers, products and services, geographies, and delivery channels.

| Risk category    | Higher-risk examples                                                  | Lower-risk examples                                       |
|------------------|-----------------------------------------------------------------------|-----------------------------------------------------------|
| Customer         | PEPs, cash-intensive businesses, MSBs, shell companies                | Salaried domestic individuals, regulated public companies |
| Product/service  | Private banking, correspondent banking, wire transfers, trade finance | Passbook savings, secured consumer loans                  |
| Geography        | FATF-listed/high-risk jurisdictions, sanctioned countries             | Strong-AML domestic markets                               |
| Delivery channel | Non-face-to-face onboarding, agents, intermediaries                   | In-branch, identity-verified onboarding                   |

Residual risk drives customer due diligence (CDD) intensity: standard CDD for normal risk, enhanced due diligence (EDD) for high risk (e.g., PEPs), and simplified due diligence (SDD) only where lower risk is justified and permitted by law.
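As an added illustration (not part of the original page), a small Python scorer that applies the inherent-to-residual logic above across the four categories and maps the result to a CDD tier, while refusing undocumented changes to a rating. The 1 to 5 scale, the control-strength range, the EDD/SDD thresholds and the "worst category wins" aggregation are assumptions chosen for the example.

```python
# Added example, not from the page: toy EWRA scorer. Scales, thresholds and
# the max-across-categories aggregation are assumptions for illustration.
from dataclasses import dataclass, field

CATEGORIES = ("customers", "products_services", "geographies", "delivery_channels")
EDD_THRESHOLD = 3.5   # assumed: residual at or above this forces EDD
SDD_THRESHOLD = 1.5   # assumed: residual below this may qualify for SDD


@dataclass
class Ewra:
    inherent: dict            # category -> 1 (low) .. 5 (high), risk before controls
    control_strength: dict    # category -> 0.0 (none) .. 0.8 (strong), share of risk mitigated
    sdd_permitted_by_law: bool = False
    change_log: list = field(default_factory=list)   # evidence trail for rating changes


def residual(ewra):
    """Residual risk per category: what remains after mitigating controls."""
    out = {}
    for cat in CATEGORIES:
        strength = ewra.control_strength.get(cat, 0.0)
        if not 0.0 <= strength <= 0.8:
            raise ValueError(f"control strength out of range for {cat}")
        out[cat] = round(ewra.inherent[cat] * (1 - strength), 2)
    return out


def cdd_tier(ewra, is_pep=False):
    """Map overall residual risk to CDD intensity; PEPs always receive EDD."""
    worst = max(residual(ewra).values())   # assumed: aggregate conservatively
    if is_pep or worst >= EDD_THRESHOLD:
        return "EDD"
    if worst < SDD_THRESHOLD and ewra.sdd_permitted_by_law:
        return "SDD"
    return "standard CDD"


def revise_inherent(ewra, cat, new_score, rationale, approver):
    """Re-rate a category only with a written rationale and a named approver.
    An undocumented change is rejected: if it is not written down, it did not happen."""
    if not rationale.strip() or not approver.strip():
        raise ValueError("rating change must be evidenced and approved")
    ewra.change_log.append((cat, ewra.inherent[cat], new_score, rationale, approver))
    ewra.inherent[cat] = new_score
    return ewra.inherent[cat]
```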

Governance: Who Owns the Program

A CAMS-ready answer always names an owner. The board of directors sets risk appetite and provides oversight; senior management approves the AML program and ensures it is resourced. The designated AML Compliance Officer (in the US, the BSA Officer required under 31 CFR 1020.210) must have day-to-day responsibility, sufficient authority, independence, and resources, and a reporting line to the board. A common exam trap: a compliance officer who lacks authority or reports only to the business line - that is a governance deficiency, not an acceptable structure.

The three lines of defense model is the framework examiners expect:

  • First line - the business: front-office staff who own and manage risk daily (onboarding, transaction execution, escalation of unusual activity).
  • Second line - compliance and risk: sets policy, monitors, advises, and independently challenges the first line; the AML function lives here.
  • Third line - internal audit: independent assurance that lines one and two work; tests the program and reports to the board/audit committee.

A frequently missed distinction: internal audit must be independent of the AML function it tests, so the AML officer cannot also run the AML audit. The four pillars of a US program - internal controls, a designated officer, training, and independent testing - map onto this structure, with a fifth pillar (risk-based CDD) added by the 2018 FinCEN CDD rule.

Worked scenario: A bank's EWRA rates trade finance as high inherent risk but applies only standard CDD because "it always has." The CAMS-correct response is that controls must match assessed risk - the bank should apply EDD and document the rationale - not lower the risk rating to fit existing controls. Tailoring controls to risk, with documented justification and board-approved appetite, is the governance behavior the exam rewards.

Exam logistics anchor: CAMS is 120 multiple-choice and multiple-select questions in 3.5 hours, scored on a scale where 75 is passing; there is no penalty for guessing, so answer every item.

Risk Appetite, Documentation, and Common Traps

A mature program converts the board's risk appetite into concrete limits: which countries are out of bounds, which products require senior sign-off, and what residual-risk score forces EDD or exit. The exam expects you to see governance as a chain - appetite set at the top, policies that implement it, procedures that operationalize the policies, and monitoring that proves they work. A break anywhere in that chain (a policy that contradicts the appetite, a procedure no one follows) is a finding.

Documentation is itself a control. Regulators apply the principle that if a decision is not written down, it did not happen. Every high-risk acceptance, every EDD waiver, every SDD justification must be evidenced and approved at the right level. CAMS scenarios that hinge on "the bank did the analysis but kept no record" point to a control failure, because the institution cannot demonstrate its reasoning to an examiner.

Watch for these recurring traps the exam plants in governance items:

  • The figurehead officer: a named AML officer with a title but no authority, budget, or board access - a structural deficiency, not compliance.
  • Static risk assessment: an EWRA done once and never refreshed when products, geographies, or typologies change. FATF expects periodic and event-driven updates.
  • Audit conflict: the AML function auditing itself, destroying third-line independence.
  • Resource starvation: monitoring alerts piling up unreviewed because the team is understaffed - a resourcing failure that senior management owns.

Worked scenario: A bank launches a new crypto-asset product but does not update its EWRA or train front-line staff before go-live. The CAMS-correct critique names two failures: the risk assessment was not refreshed for a material new product, and training (a pillar) lagged the launch. The proportionate fix is to pause or constrain the product, reassess inherent risk, build controls to reach acceptable residual risk, and train staff - then document board approval before scaling. Governance is judged on this disciplined, evidenced sequence, not on good intentions.

Test Your Knowledge

An institution's risk assessment rates a product line as high inherent risk, but management lowers the rating so existing standard controls appear adequate. What is the CAMS-correct critique?

Test Your Knowledge

Under the three lines of defense, which function provides independent assurance that the AML program operates effectively?
