Imagine you own a little café downtown. Every morning, your regulars show up—Sarah grabs her latte, Tom insists on his black coffee, and the couple from across the street always shares a croissant. You know their names, their habits, even their favourite seats.
But one day, a man you’ve never seen before walks in. He doesn’t order anything small—he slaps down a big stack of cash and says, “I’d like to prepay for a whole year of coffee.”
Weird, right?
Your gut tells you: this guy isn’t like Sarah or Tom. Something feels off.
That gut feeling? That’s the heart of a Risk-Based Approach (RBA).
It’s simply a way of saying: not every customer or transaction carries the same risk—so don’t treat them all the same.
Step 1: Customer Risk – Who’s in Front of You?
Some customers are open books. Others are mysteries.
- Low risk: The regulars—ordinary people with simple, everyday needs.
- Medium risk: The small business owner wiring money abroad.
- High risk: People with political ties (PEPs), or companies where no one really knows who’s behind them.
Just like in your café, you don’t worry about Sarah buying her usual latte—but the stranger with the cash stack? You’d definitely keep an eye on him.
Step 2: Product & Service Risk – What Are They Buying?
Not all “menu items” are equal.
- Low risk: Paying utility bills, opening a savings account.
- Medium risk: Domestic wire transfers.
- High risk: Crypto, anonymous prepaid cards, or complex international banking.
Some services are like plain coffee: straightforward. Others are like mysterious cocktails—you’re not always sure what’s inside.
Step 3: Geographic Risk – Where in the World Are They From?
Let’s say two customers show up. One from Canada, where rules are strict. Another from a country with weak regulations and high corruption.
Which one do you think you’d look at more closely?
Geography matters. Some regions are safe zones. Others… not so much.
Step 4: Channel & Transaction Risk – How Are They Ordering?
The way someone interacts with you says a lot.
- Low risk: Face-to-face—you can check their ID yourself.
- Medium risk: Online sign-ups—you rely on digital documents.
- High risk: Agents or middlemen—you don’t know who’s really behind it.
And don’t forget behaviour. If Sarah, who normally spends $5, suddenly sends $5,000 to three countries in a week? Red flag.
The RBA Matrix – Your “Menu of Risks”
Here’s how businesses often map it out:
| Risk Level | Customer | Product/Service | Geography | Channel/Transactions |
| --- | --- | --- | --- | --- |
| Low | Local individuals | Bill payments, savings | Canada, UK (strong AML laws) | Face-to-face onboarding |
| Medium | Small businesses | Domestic wire transfers | Countries under FATF monitoring | Online sign-ups |
| High | PEPs, shell companies | Crypto, prepaid cards | Sanctioned/corrupt countries | Agents, non-face-to-face deals |
Think of it like a spice scale—the further down you go, the hotter (riskier) it gets.
Step 5: Ongoing Monitoring – People Change
Even regulars can surprise you. What if Sarah suddenly buys 100 lattes a day “for friends”? That’s unusual.
That’s why RBA isn’t one-and-done. You keep an eye out, because behaviour can change overnight.
Step 6: Controls & Oversight – Your Safety Net
An RBA isn’t just about spotting risk—it’s about knowing what to do with it.
- Have a system for scoring customer risk.
- Train your team to notice red flags.
- Decide when to step up checks (Enhanced Due Diligence).
- Assign someone to take responsibility (often the Compliance Officer).
It’s like locking up your café at night. You don’t just say you care about safety—you actually take action.
Wrapping It Up
The Risk-Based Approach isn’t about making your business complicated. It’s about being smart.
Spend your time where the risk is highest.
Keep it simple where the risk is low.
Show regulators you get it.
Just like in your café:
- You don’t interrogate Sarah every morning about her latte.
- But when a stranger shows up with a suitcase of cash, you know it’s time to ask some questions.
That’s the RBA in plain English.





