Risk-Based Approach: Why It's Mandatory for MSBs in Canada
Canadian MSBs—whether focused on crypto, remittance, or digital payments—must operate within strict Anti-Money Laundering (AML) frameworks. A cornerstone of this framework is the Risk-Based Approach (RBA), a legal requirement under Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). But for many MSB founders and compliance teams, it remains unclear what this means in practice.

What Is a Risk-Based Approach?
At its core, the Risk-Based Approach is about tailoring your AML controls based on the specific risks in your business. That includes the types of clients you serve, the services you offer, how you onboard users, and where your money is moving.
It’s a living system that needs to evolve as your business grows and as risks shift.
Example: A long-time customer sending $200 monthly to family overseas is low-risk. A brand-new corporate client pushing $500,000 in stablecoins through a token bridge is not. Your controls should reflect that difference.
What the Law Requires
Section 9.6 of the PCMLTFA requires all reporting entities, including MSBs, to identify, assess, and manage the risk of money laundering and terrorist financing. That’s the legal trigger.
More importantly, FINTRAC expects you to actually implement it. This includes:
- Risk scoring your customers, services, geographies, and channels
- Mapping that risk to appropriate controls
- Keeping those risk assessments up to date
- Demonstrating that your team understands and follows the framework
If your risk assessment hasn’t been touched in two years, or if it doesn’t mention crypto even though you process tokens, you’ve already failed the first test.
What FINTRAC Looks for
During a compliance exam or audit, FINTRAC will check for:
- A written, up-to-date risk assessment
- Clear linkage between risk and controls
- Ongoing review of the risk model
- Risk scores that evolve based on behavior
- Proof that your controls are applied in practice
You should also be able to explain your rationale. Why was this client marked as high-risk? Why was a source-of-funds check triggered? If you can’t answer those questions with evidence, it’s a problem.
The Four Core Risk Areas
FINTRAC divides risk into four categories. Your RBA should address all of them.
1. Client Risk
Key risk indicators include:
- Jurisdiction of residence or incorporation
- Politically Exposed Person (PEP) status
- Nature of the business
- Source of funds
- History of suspicious transactions
Don’t just score clients once at onboarding. Re-score them if new risk factors emerge.
2. Product and Service Risk
Ask yourself: how easy is it to misuse this product for money laundering?
Examples of high-risk services:
- Anonymous prepaid instruments
- Crypto-to-fiat swaps
- International remittance corridors with limited oversight
- On-chain staking or bridging tools
New services should go through a formal risk assessment before launch.
3. Geographic Risk
This applies to both clients and destinations. Consider:
- Countries on FATF grey or black lists
- Jurisdictions under OFAC, UN, or Canadian sanctions
- High-volume cash corridors or tax havens
Make sure you’re not just flagging geographies. You need a plan for what to do when they show up.
4. Delivery Channel Risk
How do clients access your services? Risk goes up when you can’t see or verify the person.
Examples of elevated risk:
- Fully remote onboarding without video verification
- Use of intermediaries or resellers
- High-value transactions triggered by bots or APIs
You may need different controls for in-person onboarding versus wallet-to-wallet crypto transfers.
Mapping Controls to Risk
Here’s where many MSBs fail. You can’t just identify risk—you need to do something about it.
Low-risk clients may go through basic ID verification. Medium-risk clients might need manual review and periodic EDD. High-risk clients may require documented source-of-funds checks, approval from your CAMLO, or even rejection.
Every control should match the level of risk and be applied consistently.
Examples of controls:
- Transaction thresholds and typology triggers
- Real-time monitoring with escalation protocols
- CAMLO signoff for large or unusual behavior
- Use of sanctions screening tools across multiple lists
- Source-of-wealth documentation for high-risk flows
Keep It Fresh: Updates and Reviews
Your risk model should be reviewed:
- At least once a year
- When launching new products or corridors
- After receiving regulator feedback
- Following any major internal incidents or red flags
If your business has been operating for more than two years, you should consider commissioning an Effectiveness Review to verify that your risk-based controls are doing what they’re supposed to.
What About Crypto?
If you operate a crypto MSB, you’ll need to go further. This includes:
- Wallet and token due diligence
- Blockchain monitoring policies
- Risk rating of wallet activity and protocol usage
- Controls for NFTs, smart contracts, and cross-chain swaps
Even if you don’t name the tool, regulators want to see that you’re actively screening on-chain flows and understanding the risk that lives inside the blockchain.
RPAA Requirements for PSPs
If you’re a Payment Service Provider (PSP), you may also need to register with the Bank of Canada under the Retail Payment Activities Act. The RPAA requires its own risk management framework, including ongoing monitoring of operational and financial risks—not just AML.
Common Pitfalls to Avoid
- Copy-paste risk assessments with no business-specific content
- Blanket controls that don’t vary based on risk
- Lack of documentation on who performed a review and why
- Failure to re-score clients as new data becomes available
- Ignoring sanctions or third-party vendor risks
These issues aren’t just technical gaps. They’re red flags that could lead to fines or registration loss.
Final Thoughts
The Risk-Based Approach is not just a FINTRAC requirement—it’s a smart way to protect your business and reputation. Done right, it helps you:
- Focus resources on high-risk areas
- Document your rationale to auditors and banks
- Avoid surprise enforcement actions
- Build trust with partners and counterparties
AML Incubator supports Canadian MSBs in designing, implementing, and auditing their Risk-Based Approach as part of a full suite of services, including: