The obligation on firms to adopt a risk-based approach to their AML/CTF procedures is not a new concept. It was initially introduced in the Money Laundering Regulations 2007 (MLR 2007), however, given that the word 'risk' appears 136 times in the new Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as opposed to 13 times in MLR 2007, it is clear that the European Commission wish to place a far stronger emphasis on a risk-based approach than ever before.

The Fourth Money Laundering Directive (MLD4) has been enshrined into UK law through MLR 2017. These regulations, in conjunction with MLD4, implement a multi-tiered system of risk assessment. This allows the risk-based approach to be as watertight as possible. For example, the UK Government must ensure that a national risk assessment is undertaken (16(1)). Obliged entities must similarly implement policies, controls and procedures to sufficiently mitigate risks of money laundering and terrorist financing (18(1)). These measures should be adhered to in consideration of a higher-level risk report undertaken by the European Commission, which is to be updated every two years (MLD4 6(1)). The obligations of Member States are more stringent than the previous approach of allowing them the flexibility to decide whether the relevant rules could be simplified in accordance with the perceived risk.

A key factor of MLR 2017's risk based approach is to permit obliged entities to carry out Simplified Due Diligence (SDD) where they have identified lower risk. Enhanced Due Diligence (EDD) should only be applied to higher risk circumstances.  This process can still be outsourced but responsibility ultimately remains with the obliged entity. EDD must now be applied automatically to business or transactions with parties in 'high-risk third countries'(33(b)). Such countries are to be identified by the European Commission.

MLR 2017 thus assigns a pragmatic degree of autonomy to obliged entities. They now have the discretion to apply the proportionate level of due diligence in the appropriate context, affording them added flexibility. However the Regulations in fact take a more restrictive approach to SDD than their 2007 predecessors. By removing the blanket exemptions previously available under MLD 3/MLR 2007, SDD can no longer be applied automatically. Should they employ SDD, obliged entities must now provide a detailed justification of their rationale. The pragmatism and cost-effectiveness of this approach is commendable, as businesses can conserve their resources for mitigating higher risk matters. But the new rules will undoubtedly result in larger numbers of customers requiring EDD.

A high-risk situation would be where a firm's client is a Politically Exposed Person (PEP). MLR 2017 now removes the distinction between domestic and foreign PEPs for the purposes of EDD application – it must now automatically be applied to both. This risk assessment should establish the source of wealth/funds of the PEP. The ongoing business relationship with the person is also now subject to senior management approval.

In conclusion, it is evident that the European Commission feels that the key battle in the war against AML/CTF is identifying and properly evaluating risk. Technology is playing an increasing role in facilitating money transfers and cyber terrorism is an increasing threat. Therefore it has never been more crucial for Member States, institutions and companies to all play their part in improving their internal procedures and conducting their due diligence.