2025-12-08

This feature appears in the 2025 Basel AML Index Public Edition report. Download the full report and related resources.

Key takeaways 

• A risk-based approach has long been at the core of efforts to mitigate risks of financial crimes like money laundering and terrorist financing. But application of the approach has been uneven, often focusing too heavily on high-risk areas while paying too little attention to where risks are lower. 
• Global AML/CFT standards now place stronger emphasis on applying the risk-based approach proportionately, encouraging the use of simplified measures in lower-risk situations. 
• Many financial institutions and authorities find it difficult to assess or provide guidance on what constitutes lower risks in specific contexts. This limits the use of simplified measures and adds to compliance burdens. 
• The Basel AML Index’s updated risk classification offers a more nuanced, data-driven way to identify lower-risk jurisdictions and to support the application of a proportionate risk-based approach. 

Proportionality: why clarity on lower-risk jurisdictions matters

The risk-based approach has become the backbone of efforts to prevent money laundering, terrorist financing and related financial crimes. Its logic is straightforward: understand the different levels of risk, then apply stronger or lighter controls as appropriate.

Yet in many jurisdictions as well as in the private sector, the risk-based approach is not used as effectively as intended. Most attention is placed on identifying high-risk clients, products or jurisdictions – for example, through the FATF’s black and grey lists, international sanctions regimes or high-risk lists. By contrast, there has been much less discussion about what should count as lower risk.

This gap matters because lower-risk situations are where simplified measures should be used by financial institutions. If they are not, resources are not used efficiently and people or organisations can be unjustifiably excluded from accessing financial services. Yet financial institutions often hesitate to use simplified measures out of fear that they may not be accepted by supervisors, which may not have clearly articulated their own risk tolerance.

The FATF, which sets global AML/CFT standards, has recognised this imbalance and the unintended consequences. Updates to its Recommendations this year encourage jurisdictions not only to consider allowing simplified measures for lower-risk situations but to actually allow and encourage them.

The FATF has also shifted to using the word proportionate instead of commensurate to describe how controls should be applied. While this may sound like semantics, it does signal a stronger expectation that AML/CFT measures should not be uniform or mechanistic, but carefully calibrated in a way that ensures effectiveness and reduces compliance burdens.

The missing piece: what exactly is “lower risk”?

Even with this shift, many authorities and financial institutions find it difficult to decide what genuinely counts as lower risk. According to our review of several recent national risk assessments from different regions, and from discussions with public and private-sector experts, several factors contribute to this uncertainty:

• Lack of clear definitions. The FATF distinguishes between low risk or (where isolated exemptions from AML/CFT measures may be possible) and lower risk (where simplified measures may be appropriate). Most national risk assessments do not draw this distinction.
• Different approaches. Some jurisdictions use structured risk scales in their national risk assessments. Malaysia’s national risk assessment, for example, uses a four-band model: high, medium-high, medium and low. Others, such as that of the U.S., describe risks in narrative form without assigning categories. 
• Unhelpful shortcuts. Jurisdiction risk models sometimes rely mainly on sanctions lists or lists of offshore centres, which offer a limited picture of financial crime risk.

Why clearer lower-risk categories support better outcomes

When lower-risk jurisdictions and other situations are clearly identified, the benefits are significant:

• Better resource allocation and reduced compliance burdens. Staff and systems can be better directed towards higher-risk areas instead of being spread thinly.
• Improved quality of suspicious activity reports. Financial intelligence units often complain of defensive reporting, i.e. reporting entities submitting large numbers of suspicious activity reports mainly to protect themselves from possible criticism, rather than because the activity is genuinely suspicious. Specifically allowing simplified measures in lower-risk situations would help to reduce this.
• Less de-risking. When risk is assessed more accurately, financial institutions are less likely to withdraw services from whole countries or sectors based on broad assumptions.
• Public authorities can also distinguish between jurisdictions or regions requiring intense scrutiny in terms of cross-border financial crime risks and those where less close attention is justified.

To achieve these outcomes, financial institutions need a clear internal framework and risk assessment methodologies, as well as reliable data sources, on which to base their decisions.

How the Basel AML Index’s updated classification helps

The Expert Edition of the Basel AML Index has long provided an independent, data-driven assessment of money laundering and related financial crime risks across jurisdictions.

Previously it used three fixed risk bands: low, medium and high. This straightforward approach offers stability and simplicity, but may no longer capture the granularity needed by financial institutions and policymakers, especially where the rating drives due diligence or monitoring processes.

Following our annual expert review meeting (see page 12), the Expert Edition will now use Jenks natural breaks, a statistical method that groups jurisdictions according to natural patterns in the data rather than fixed cut-off points. This results in the following categories:

• Lower risk: < 4.70
• Medium risk: 4.70–6.08
• Higher risk: > 6.08

The categories have also been renamed “lower”, “medium” and “higher” to emphasise that risk is relative. This new approach produces a clearer spread across categories and helps users see which jurisdictions fall meaningfully below the global risk pattern.

The purpose is not to label any jurisdiction as “safe” or “unsafe” but to offer a practical tool that supports geographic risk assessments and the application of proportionate measures. The Index’s underlying data remain available to subscribers. Users can then consider specific indicators relevant to their company’s risk appetite.