
Putting Risk First in Risk-Based AML


Ask any financial institution whether their Anti-Money Laundering (AML) program is risk‑based and the answer is almost always yes. But if you look at how most programs are actually built, a different picture emerges. 

The problem with how risk-based AML is usually implemented

Controls, technology, and workflows are established first, and then, somewhere toward the end of the process, risk gets layered in to justify the decisions that were already made. 

When a company treats AML as a risk-rationalized exercise rather than a truly risk-based one, the result is a program that generates a massive volume of work without necessarily catching what matters.

Recent analysis from Retail Banker International found that up to 95% of AML alerts are false positives—meaning teams are spending the bulk of their time chasing red flags that don’t lead anywhere. And according to the 2026 AML False Positive Report, compliance teams spend up to 90% of their time investigating alerts that ultimately require no action. 

When the vast majority of effort goes toward clearing noise, very little is left for genuine risk.




What it means to put risk-based AML first

There’s a meaningful difference between a program that accounts for risk and one that’s built around it. 

In most institutions, risk assessment is something that happens around an existing structure. Risk isn’t taken into consideration until controls are in place and tools are already selected. 

Putting risk‑based AML first flips that. Risk becomes the thing that determines what controls are needed, where friction belongs, how resources are allocated, and which signals deserve attention. It’s treated as the foundation, rather than a finishing layer.

This matters because financial crime is too large and fast-moving for evenly distributed effort. Nasdaq’s 2024 Global Financial Crime Report estimates more than $3.1 trillion in illicit funds moved through the global financial system in 2023. And research from Moody’s puts the annual cost of financial crime at up to $2 trillion globally. 

At that scale, treating every customer, transaction, and alert the same way can become a liability. 

Why sequencing matters more than sophistication 

Here’s what makes this conversation tricky: two institutions can use the same vendors, follow the same regulations, and still end up with wildly different outcomes. The difference usually comes down to when risk is taken into consideration. 

When risk comes first, low-risk scenarios are addressed quickly and efficiently, and high-risk signals are pushed to the top of the list of priorities. When risk comes last—or only during periodic reviews—programs tend to grow heavier over time without getting smarter. 

In fact, the LexisNexis Risk Solutions True Cost of Compliance Study found that financial crime compliance now costs $61 billion annually across the U.S. and Canada. And 83% of mid‑ and large‑sized institutions report increasing alert volumes year over year. 

More spend and more alerts don’t necessarily equate to more protection. Instead, we’ve seen the most successful organizations prioritize being precise over casting a wide net. 

From compliance function to competitive advantage 

When risk truly leads an AML program, the benefits extend well beyond compliance. Onboarding gets faster for low‑risk customers because friction is applied selectively, instead of uniformly. Investigations become more focused because teams aren’t buried in noise. New products and markets become easier to enter because risk logic is portable and scalable. 

And regulator conversations change, too. Instead of defending volume and coverage, institutions can explain why their program is designed the way it is, because every decision traces back to risk. 

We’ve also noticed that the industry as a whole is already moving in this direction. The Gartner Emerging Tech Impact Radar: 2025 highlights growing adoption of real‑time detection and adaptive risk scoring, both aimed at reducing false positives and improving decision speed. This reflects a broader change in how institutions are thinking about AML and its purpose.

The institutions pulling ahead are using compliance investment more effectively, with risk guiding where resources go.




Where most risk-based AML programs break down

If the framework is already widely adopted, why do programs still fail? 

Usually, it comes down to a gap between what the program says and what it does. Risk assessments exist, but they don’t influence how alerts are prioritized. Risk ratings are assigned, but they’re static—unchanged even as customer behavior or market conditions shift. AML teams operate downstream of product and growth, reacting to decisions they had no hand in shaping. 

The consequences are real. Global enforcement data shows $4.6 billion in AML‑related penalties were issued in 2024, with failures consistently tied to ineffective monitoring and fragmented risk management. Banks alone accounted for more than $3.2 billion of that total, often because known risks weren’t acted on in time. 

In these institutions, risk-based frameworks existed, yet risk remained confined to documentation rather than shaping day-to-day operations. 

What to consider when putting risk-based AML first

Moving toward a risk-first posture requires honest questions about how risk is handled across your organization today. 

  • How current is your view of risk? Is it based on continuous signals, or updated on a cycle that may not reflect what’s happening now? 
  • Where does risk influence decisions? Only at onboarding—or throughout the customer lifecycle? 
  • What actions does risk actually trigger? Does a higher score change workflows and resource allocation, or just a label in a system? 
  • How connected are detection and response? Are signals, investigations, and model tuning part of one loop—or separate functions that rarely talk to each other? 
  • Who owns risk across the organization? Is it isolated within compliance, or shared across product, operations, and technology? 
  • How explainable are your decisions? If a regulator asked why a specific alert was deprioritized, could you walk them through the logic? 

Research cited in Gartner’s 2025 AML Market Guide shows financial crime is becoming more scalable and more sophisticated, which means static controls and periodic reviews are increasingly mismatched to the threat environment. What once seemed like an aspiration has now become a practical operating requirement.

Making Risk the Starting Point in AML 

The financial services industry agreed on risk‑based AML a long time ago. It’s embedded in regulation, referenced in every program design, and present in nearly every institution’s compliance documentation. 

But agreement and execution aren’t the same thing. And the pressure to close that gap is growing. The LexisNexis Risk Solutions 2024 Study found that 99% of financial institutions report rising compliance costs—a signal that current approaches are straining under their own weight. 

Most teams already have an AML strategy—the bigger challenge is building it around risk from the start. At Insight Global, we provide both tech and talent solutions to help you create the best strategies for your business. Reach out to our experts today to start a conversation.