FINANCE AND BANKING / by Miguel Gallardo Guerra
The risk-based approach (RBA) is one of the fundamental pillars of the anti-money laundering and counter-terrorist financing system. As a result, it is also a core element of the AML/CFT audit and of the content of the Audit Report.
The Guidelines provide that the auditor must support their assessment through a risk analysis, taking a comprehensive view of the Obligated Entity’s profile, its operations, and its business model. The absence of this approach is one of the most relevant weaknesses identified in audits and supervisory processes.
Risk analysis as the starting point
An AML/CFT audit based on a risk-based approach does not begin by reviewing manuals; it begins by understanding the entity’s inherent and residual risk. To do so, the auditor should consider, among other factors:
- The type of customers or users served.
- The products and services offered.
- The distribution channels used.
- The geographic areas in which the entity operates.
- The internal structure and the degree of process automation.
This analysis allows the auditor to prioritize critical areas and define the depth of testing to be performed.
Consistency between the RBA and actual operations
One of the most relevant focus areas of the audit is verifying consistency between the documented Internal Risk Assessment and the entity’s effective operations.
In particular, the auditor assesses whether:
- The risk methodology is properly designed, approved, and implemented.
- Customer risk classification is consistent with transactional behavior.
- Mitigation controls correspond to the risk level identified.
- The monitoring and alert-generation system is aligned with the entity’s risk profile.
When there is a disconnect between risk analysis and operational practice, the RBA loses effectiveness and becomes a merely formal element.
Impact of the risk-based approach on the Audit Report
The risk-based approach must be reflected transversally throughout the Audit Report. This implies that:
- The work program is designed based on relevant risks.
- Testing focuses on the processes, products, or customers with the highest exposure.
- Findings and recommendations are directly linked to identified risks, rather than isolated or low-impact non-compliance issues.
A report that does not evidence this logic is often perceived as generic and lacking sufficient technical support.
Relationship with supervision
The National Banking and Securities Commission has emphasized—both in the Guidelines and in supervisory practice—that the RBA is a key criterion to assess the real effectiveness of the AML/CFT system.
An audit that does not properly incorporate this approach increases the likelihood of observations, additional information requests, or a higher level of supervisory scrutiny.
Conclusion
The risk-based approach is not an accessory element of the AML/CFT audit, but rather its conceptual and methodological core. Properly integrating it ensures the audit is proportional, relevant, and aligned with regulatory expectations. An AML/CFT audit supported by a solid risk analysis helps identify real weaknesses, strengthen controls, and reduce regulatory risk effectively.
