Risk-Based Compliance: Balancing Speed and Safety in Onboarding Workflows

Risk-based compliance is the framework that EU regulators have designed to resolve the tension between onboarding speed and safety. It does not mean applying minimal scrutiny to everyone in the name of speed. It means applying the right level of scrutiny to each customer based on a genuine assessment of the risk they present. Done well, risk-based compliance actually enables faster onboarding for the majority of your customer base, because you are not applying enhanced scrutiny to relationships where it is not warranted. Done poorly, it becomes a shorthand for inconsistency, and that is precisely what auditors identify when they review onboarding files.

This article is written for compliance teams, MLROs, and operations professionals at regulated financial services businesses in the EU. We will walk through what the risk-based approach to onboarding actually requires under current and forthcoming EU law, how to structure a workflow that genuinely balances speed and safety, and where the most common calibration failures occur.


What the Risk-Based Approach Actually Means in Law

The Foundational Obligation Under the AMLR

The risk-based approach is not a design philosophy that regulated businesses can choose to adopt or decline. It is a legal requirement. Under Regulation (EU) 2024/1624, the Anti-Money Laundering Regulation that will apply directly and uniformly across all 27 EU Member States from 10 July 2027, obliged entities must at all times be able to demonstrate to their supervisors that the measures taken are appropriate in view of the risks of money laundering and terrorist financing that have been identified.

That phrase, appropriate in view of the risks, is the legal expression of the risk-based approach. It means your onboarding controls are not just documented. They are calibrated to each customer's actual risk profile, applied consistently, and evidenced in a way that a regulator can examine and assess.

The AMLR sets out a three-tier framework for how due diligence is applied during onboarding: standard customer due diligence, simplified due diligence for lower-risk relationships, and enhanced due diligence for higher-risk relationships. Understanding how to operationalise those three tiers correctly is the core practical challenge of building an onboarding workflow that balances speed and safety.


AMLA's Role in Defining the Detail

The substantive detail of what each tier of due diligence requires is being developed by the Anti-Money Laundering Authority (AMLA), which became operational on 1 July 2025. AMLA's consultation on draft Regulatory Technical Standards under Article 28(1) of the AMLR, published in February 2026, is developing the specific requirements and information to be collected for standard, simplified, and enhanced due diligence purposes, as well as the risk factors that supervisors must consider when assessing CDD adequacy.

Separately, AMLA is consulting on draft guidelines under Article 10(4) of the AMLR on business-wide risk assessment, with a public hearing held on 28 May 2026. As AMLA has confirmed on its consultation page, final guidelines are expected in Q4 2026. These guidelines will provide the specific list of additional sources of information to be taken into account when building the business-wide risk assessment that underpins every onboarding risk decision.

Also, under Article 19 of the AMLR, AMLA is required to issue guidelines on risk variables and risk factors to be taken into account by obliged entities when entering into business relationships or carrying out occasional transactions by 10 July 2026. These guidelines will shape how onboarding risk scoring frameworks should be structured across the EU, replacing the existing patchwork of national approaches with a harmonised standard.

For businesses building or reviewing their onboarding workflows right now, the practical message is this: the detail is being written. The high-level framework, however, is already legally established, and waiting for every technical standard before beginning to align your workflows is not a viable compliance strategy.


The Three-Tier CDD Framework: How It Works in an Onboarding Context

Standard Due Diligence: The Baseline for Every Relationship

Standard customer due diligence applies to all business relationships that do not present either a clearly lower or a clearly higher risk. It is the baseline, and it covers the core verification obligations: confirming the legal identity of the customer, understanding the nature and purpose of the business relationship, and, where the customer is a legal entity, identifying and verifying beneficial owners.

For individual customers, standard CDD requires verifying identity through reliable and independent sources. For corporate customers, it additionally requires understanding the ownership and control structure, identifying any individual who holds 25% or more of shares or voting rights or who otherwise exercises control, and verifying those individuals' identities. As the EUR-Lex summary of the AMLR notes, obliged entities must also apply more stringent controls in higher-risk cases involving complex or unusually large transactions or those without apparent economic purpose.

In an onboarding workflow, standard CDD should be the process that the majority of your customers pass through. It should be efficient, consistently documented, and completed before the business relationship commences.


Simplified Due Diligence: Speed With Evidence, Not Speed Without Thought

Simplified due diligence allows obliged entities to apply a reduced set of measures when a business relationship or transaction presents a genuinely low degree of risk. Under Regulation (EU) 2024/1624, the determination that SDD is appropriate must be based on an individual analysis of the risks of money laundering and terrorist financing, having regard to the specific characteristics of the client and the business relationship, and taking into account the business-wide risk assessment and the risk factors set out in Annexes II and III of the Regulation.

This is an important clarification that is frequently misapplied in practice. Simplified due diligence is not an automatic exemption from scrutiny based on customer type. It is a calibrated reduction in the depth of information collected, supported by a documented risk assessment that justifies why the lower-risk classification applies to this specific customer. An onboarding workflow that applies SDD to an entire customer segment without individual-level justification is not a risk-based approach. It is a blanket assumption, and it is a finding that regulators consistently identify.

The risk factors in Annex II of the AMLR that point toward lower risk include customer factors such as public companies listed on regulated exchanges, financial institutions supervised for AML/CFT compliance, and public authorities. Product and service factors include products with low transaction limits, no cash element, and strong traceability features. Geographic factors include customers established in EU Member States and jurisdictions with strong AML/CFT frameworks. Where several of these lower-risk factors are present for a specific customer relationship, a documented SDD determination is appropriate. Where they are absent or ambiguous, default to standard CDD.


Enhanced Due Diligence: Depth Proportionate to Risk

Enhanced due diligence applies where a business relationship presents a genuinely higher risk of money laundering or terrorist financing. Regulation (EU) 2024/1624 requires that where obliged entities identify an increased risk of money laundering or terrorist financing, they shall apply enhanced due diligence measures. The AMLR also specifies that EDD must apply in a number of specific circumstances, including business relationships with customers from high-risk third countries identified by the European Commission, relationships involving Politically Exposed Persons, and relationships involving complex, opaque, or multi-jurisdictional ownership structures.

AMLA's draft RTS under Article 28(1) specifies that under EDD, obliged entities must collect deeper information on source of wealth, transactional purpose, and the reputational and business background of customers and beneficial owners. EDD also requires ongoing sanctions screening integrated into the CDD lifecycle.

In an onboarding workflow, EDD customers require a separately designed process that is more intensive, involves senior management sign-off where appropriate, and produces a more detailed documented file. The key operational challenge with EDD is ensuring it does not become a bottleneck that slows onboarding for every customer above a certain risk threshold, regardless of what specifically makes them higher risk. The depth of EDD should itself be proportionate to the specific risk factors identified, not a fixed procedural ceiling applied uniformly to all EDD cases.


Designing an Onboarding Workflow That Balances Speed and Safety

Start With the Risk Assessment, Not the Process

The most common mistake in onboarding workflow design is to start with the process steps and then try to fit risk assessment into them. The risk-based approach requires the opposite: you start with a risk assessment of the customer and then the process adapts to match.

Your business-wide risk assessment, which under Regulation (EU) 2024/1624 must be drawn up by the compliance officer and approved by the management body, is the foundation. It identifies the risk profile of your customer base in aggregate: which customer types, product types, geographies, and delivery channels present higher, standard, or lower risk. That business-wide assessment then informs the individual customer risk scoring that occurs at onboarding. AMLA is currently consulting on draft guidelines on business-wide risk assessment that will provide more specific guidance on how the assessment should be structured and what sources of information must be taken into account.

The onboarding workflow is the mechanism by which the individual risk assessment gets translated into the right level of CDD for each customer. A customer whose individual risk profile indicates clearly lower risk, consistent with your business-wide assessment of that customer type, follows the SDD pathway. A customer whose profile triggers standard risk factors follows the standard CDD pathway. A customer whose profile triggers higher-risk indicators is routed to EDD.


Building a Dynamic Risk Scoring System

Risk scoring at onboarding should not be a static questionnaire completed once and never reviewed. Regulation (EU) 2024/1624 requires that relevant documents, data, and information about the customer are kept up to date throughout the business relationship, with the frequency of updates dependent on the risk level. This means your risk scoring logic needs to be designed from the outset to support ongoing recalibration, not just a point-in-time determination at onboarding.

A dynamic risk scoring system will incorporate information from multiple sources: the customer's self-reported data, primary-source registry verification for corporate customers, PEP and sanctions screening results, adverse media checks, and the geographic and sector risk factors relevant to the customer's profile. The score produced by combining those inputs should flow directly into the CDD tier decision, with clear logic that a compliance officer can explain and a regulator can examine.

Where new information emerges during the onboarding process that changes the risk picture, such as a beneficial owner who appears on an adverse media check, or a corporate structure that turns out to be more complex than initially indicated, the scoring system needs to be able to escalate that customer to a higher CDD tier automatically rather than requiring a manual override. The audit trail for that escalation decision is as important as the decision itself.


Designing Parallel Workflows for Different Risk Tiers

One of the most effective ways to balance speed and safety in onboarding is to design separate, parallel workflows for each CDD tier rather than running every customer through the same sequential process. If every customer passes through the same steps, the process defaults to the level required for the highest-risk customers, which means lower-risk customers experience unnecessary friction and delay.

For SDD customers, the workflow should be designed around minimal friction consistent with the documented risk justification: digital identity verification where eIDAS-compliant electronic identification methods are available, automated registry checks for corporate customers, and a streamlined documentation set. AMLA's draft RTS and the EU Digital Identity Framework including eIDAS 2.0 are progressively enabling fully digital onboarding for lower-risk customers without physical documents or video verification, which represents a genuine efficiency opportunity for businesses serving lower-risk customer segments at scale.

For standard CDD customers, the workflow should cover the full baseline verification set with a clear process for the most common variations, such as multi-layer ownership structures or customers with connections to multiple jurisdictions.

For EDD customers, the workflow should be designed around depth rather than speed. There should be a defined set of additional information requirements, a senior management review stage where appropriate, and a process for documenting why each EDD measure applied was proportionate to the specific risk identified. EDD onboarding will always take longer. The goal is not to make it fast. It is to make it thorough, documented, and consistent.


Using Primary-Source Data to Accelerate Without Compromising Quality

One of the biggest opportunities to simultaneously improve speed and safety in onboarding workflows is to connect to primary-source registry data rather than relying on documents provided by the customer or aggregated from secondary sources. This matters for two reasons.

First, primary-source verification is faster for the customer because it reduces the documentation burden. If your system can verify a company's legal existence, registered address, directors, and ownership directly from the official corporate registry, the customer does not need to provide certified copies of documents that your system then needs to manually review and reconcile. For lower-risk corporate customers, this can reduce onboarding time from days to hours.

Second, primary-source verification is more defensible under regulatory scrutiny. When a regulator asks how you verified a corporate customer's beneficial ownership, the answer that you retrieved the information directly from the official registry of their jurisdiction of incorporation is significantly stronger than the answer that you accepted the information the customer provided about themselves. Under Directive (EU) 2024/1640, obliged entities must have timely access to the information held in the interconnected central beneficial ownership registers when conducting customer due diligence. Using systems that connect directly to those registers supports both the legal obligation and the audit trail.


Getting the Escalation Logic Right

A risk-based onboarding workflow that works well operationally has clear, documented escalation logic that defines exactly what triggers a change in CDD tier during the onboarding process. Without that, individual compliance officers make ad hoc decisions that produce inconsistent outcomes, which is one of the most common findings in regulatory reviews of onboarding files.

The escalation triggers should include both automatic system-generated escalations and manual escalation pathways. Automatic escalations should fire when a customer or beneficial owner appears on a PEP or sanctions list, when the jurisdiction of incorporation or operation appears on the European Commission's list of high-risk third countries, when the corporate ownership structure contains more layers than a defined threshold, or when the customer's stated business purpose is inconsistent with the product or service being requested.

Manual escalation pathways should be available to any compliance team member who identifies a risk factor not captured by the automated logic. The key requirement is that the escalation decision is documented, including what factor triggered it, who made the decision, and what additional steps were taken as a result. The AMLR's requirement that obliged entities demonstrate at all times that measures taken are appropriate in view of identified risks applies to escalation decisions as much as it applies to the initial risk scoring.
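The scoring-to-tier logic, the automatic escalation triggers and the contemporaneous decision record described in the two sections above, as one added example. This is illustrative code written for this article, not SpeedyDD's platform code: the factor names, the ownership-layer threshold, the "several lower-risk factors" rule, the country codes and the product/purpose table are all constructed assumptions standing in for the values a business would take from its own business-wide risk assessment and the AMLA guidelines.

```python
"""Risk-tier routing with automatic escalation and a contemporaneous audit trail.
Added illustration for this article, not SpeedyDD's code: factor names, thresholds,
country codes and sample profiles are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Tier(IntEnum):  # ordered so that a higher CDD tier compares as greater
    SDD = 1
    STANDARD = 2
    EDD = 3


# Automatic escalation triggers named in the article; any one of them routes to EDD.
ESCALATION_TRIGGERS = {
    "pep_match": "customer or beneficial owner on a PEP list",
    "sanctions_match": "customer or beneficial owner on a sanctions list",
    "high_risk_third_country": "jurisdiction on the Commission's high-risk third-country list",
    "ownership_layers_exceeded": "ownership chain deeper than the defined threshold",
    "purpose_inconsistent": "stated business purpose inconsistent with requested product",
    "adverse_media": "adverse media hit on customer or beneficial owner",
}
# Annex II-style lower-risk factors; "several" of them, with no trigger, support SDD.
LOWER_RISK_FACTORS = {
    "listed_on_regulated_exchange": "public company listed on a regulated exchange",
    "supervised_financial_institution": "financial institution supervised for AML/CFT",
    "public_authority": "public authority",
    "low_limit_no_cash": "product with low limits, no cash element, strong traceability",
    "eu_member_state": "established only in EU Member States",
}
# Flags read straight from the screening/self-reported profile; the rest are derived below.
DIRECT_FLAGS = ("pep_match", "sanctions_match", "adverse_media", "listed_on_regulated_exchange",
                "supervised_financial_institution", "public_authority", "low_limit_no_cash")
OWNERSHIP_LAYER_LIMIT = 3                    # constructed threshold
MIN_LOWER_RISK_FACTORS = 2                   # constructed reading of "several"
HIGH_RISK_THIRD_COUNTRIES = {"ZZ"}           # placeholder code, not the Commission's list
EU_MEMBER_STATES = {"DE", "FR", "IE", "NL"}  # constructed subset for the example
PRODUCT_PURPOSES = {"business_payment_account": {"operating_payments", "payroll"}}  # constructed


def derive_factors(profile: dict) -> list[str]:
    """Map raw onboarding facts to named factors; each name is cited in the file."""
    factors = [f for f in DIRECT_FLAGS if profile.get(f)]
    juris = set(profile.get("jurisdictions", []))
    if juris & HIGH_RISK_THIRD_COUNTRIES:
        factors.append("high_risk_third_country")
    if juris and juris <= EU_MEMBER_STATES:
        factors.append("eu_member_state")
    if profile.get("ownership_layers", 1) > OWNERSHIP_LAYER_LIMIT:
        factors.append("ownership_layers_exceeded")
    product, purpose = profile.get("product"), profile.get("stated_purpose")
    if product and purpose and purpose not in PRODUCT_PURPOSES.get(product, set()):
        factors.append("purpose_inconsistent")
    return factors


def classify(factors: list[str]) -> tuple[Tier, str]:
    """Decide the CDD tier and return the rationale a compliance officer can explain."""
    triggers = [f for f in factors if f in ESCALATION_TRIGGERS]
    if triggers:
        return Tier.EDD, "escalation trigger(s): " + "; ".join(ESCALATION_TRIGGERS[t] for t in triggers)
    lower = [f for f in factors if f in LOWER_RISK_FACTORS]
    if len(lower) >= MIN_LOWER_RISK_FACTORS:
        return Tier.SDD, "individual analysis, lower-risk factors: " + "; ".join(LOWER_RISK_FACTORS[f] for f in lower)
    return Tier.STANDARD, "no escalation trigger and too few lower-risk factors for SDD"


@dataclass
class Case:
    profile: dict
    tier: Tier
    factors: list[str]
    audit: list[dict] = field(default_factory=list)

    def record(self, actor: str, event: str, rationale: str) -> None:
        """Write the decision record at the moment the decision is made, not afterwards."""
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
                           "event": event, "tier": self.tier.name,
                           "factors": list(self.factors), "rationale": rationale})


def onboard(profile: dict, actor: str) -> Case:
    """Initial classification: the file records what was reviewed, why, and by whom."""
    factors = derive_factors(profile)
    tier, why = classify(factors)
    case = Case(dict(profile), tier, factors)
    case.record(actor, "initial_classification", why)
    return case


def reassess(case: Case, new_facts: dict, actor: str) -> Case:
    """Re-score on new information; moving up a tier is automatic, not a manual override."""
    case.profile.update(new_facts)
    case.factors = derive_factors(case.profile)
    new_tier, why = classify(case.factors)
    if new_tier > case.tier:
        case.tier = new_tier
        case.record(actor, "automatic_escalation", why)
    elif new_tier == case.tier:
        case.record(actor, "reassessed_no_change", why)
    else:  # constructed design choice: automated logic never lowers a tier on its own
        case.record(actor, "reassessed_lower_tier_not_applied", why)
    return case
```

Each audit entry carries the factor list and rationale as they stood when the decision was taken, so the file shows the decision and not just the outcome; `reassess` only ever moves a case upward automatically, so a later adverse media hit or a deeper ownership chain escalates without anyone having to notice and override.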


Process Controls: Ensuring Consistency Across Every Onboarding Case

Why Consistency Is a Regulatory Expectation, Not Just a Quality Goal

Process control in onboarding is not primarily a quality management concept. It is a regulatory requirement. The risk-based approach only functions as a compliance framework if it is applied consistently. If the same type of customer receives standard CDD on Monday and SDD on Friday because a different team member processed the file, that inconsistency is not risk-based compliance. It is arbitrary compliance, and it is a finding that regulators identify when they review a sample of customer files.

Regulation (EU) 2024/1624 requires that obliged entities have internal policies, procedures, and controls that are approved at senior management level and consistently applied. The compliance officer is responsible for their day-to-day operation. Process controls are the operational mechanism by which that consistency is achieved: defined steps, documented decisions, clear accountability at each stage, and an audit trail that shows the process was followed as designed.


Checklist-Based Controls Versus Dynamic Process Controls

There is an important distinction between checklist-based process controls and dynamic process controls, and it matters for both compliance quality and operational efficiency.

Checklist-based controls require the compliance officer to work through a fixed set of steps regardless of the customer's risk profile. They are easy to implement and easy to audit because every file looks the same. But they do not operationalise the risk-based approach effectively, because they do not adapt to the risk profile of each customer. They also tend to become outdated quickly as customer types or regulatory requirements change.

Dynamic process controls are designed around risk-tier logic: the steps required for any given customer are determined by their risk profile, and the system guides the compliance officer through the steps appropriate for that risk tier. They are more complex to design and maintain but are much better aligned with the risk-based approach. They also enable faster onboarding for lower-risk customers because those customers are not required to go through steps that only apply to higher-risk relationships.

The EBA noted in its response to the Commission's Call for Advice on AMLA mandates that requirements which impose a fixed data collection set without regard to actual risks impose significant operational and cost burdens with limited corresponding risk-mitigating effect, and can lead to disproportionate compliance costs, unnecessary customer outreach, and delays in onboarding. The direction of EU regulatory thinking is explicitly toward proportionate, risk-calibrated requirements rather than uniform checklists.


Documenting the Decision, Not Just the Outcome

One of the most important aspects of process control in onboarding is the quality of decision documentation. It is not sufficient to record that a customer was classified as standard risk. The record needs to show what information was reviewed, what risk factors were considered, why the classification reached was appropriate given those factors, and who made the decision.

This documentation requirement applies at every stage of the onboarding process where a judgement is exercised: the initial risk classification, any escalation decisions, the determination of whether SDD or EDD applies, and any decisions to proceed with a business relationship despite incomplete information or the identification of risk factors. Under the AMLR, the obligation to demonstrate at all times that measures taken are appropriate means that the documentation needs to be contemporaneous. A file note written after the fact to explain a decision made at onboarding is a weaker evidential basis than a record created as the decision was made.


Where Risk-Based Onboarding Workflows Most Commonly Fail

Across EU-regulated sectors, the same calibration failures appear consistently in regulatory review findings on onboarding workflows.

  1. Risk classifications are applied at the segment level without individual-level justification. A business may have decided that all customers in a particular sector are standard risk, but if individual customers within that sector have specific higher-risk characteristics that were not assessed, the segment-level classification does not satisfy the risk-based approach.

  2. SDD is applied without documenting the risk analysis that supports it. Regulators regularly find customer files where SDD measures were applied but the file contains no evidence of the risk analysis that justified that determination. This turns a legitimate compliance decision into an unexplained gap.

  3. EDD is triggered for the right reasons but the additional steps taken are not proportionate to the specific risk identified. EDD is not a single fixed process. The measures applied should match the nature of the elevated risk: a customer from a high-risk third country requires different additional steps than a PEP relationship, and the documentation should reflect that.

  4. Onboarding decisions are not reviewed or escalated when new information emerges during the process. If a beneficial ownership check reveals a complex multi-jurisdictional structure that was not apparent from the customer's initial profile, the risk classification needs to be updated and the CDD tier reassessed. Files where this update did not happen are a consistent audit finding.

  5. The audit trail is incomplete, inconsistent, or not produced in a format that is retrievable on short notice. No amount of good onboarding process design substitutes for an audit trail that cannot be produced efficiently when a regulator asks for it.


About SpeedyDD

SpeedyDD is built around the conviction that a risk-based onboarding workflow is only as good as the data that determines the risk decisions within it. Our platform connects with over 3000 corporate registry data sources across more than 200 countries and territories, giving compliance teams access to primary-source KYB verification data that is authoritative, current, and retrievable as audit evidence.

Our mission is to help complex, regulated businesses maintain continuous audit-readiness. That means supporting onboarding workflows that move at the right speed for each customer's risk profile, with the documentation quality that regulators now expect.


Frequently Asked Questions

What is risk-based compliance in the context of customer onboarding?

Risk-based compliance in onboarding means applying customer due diligence measures that are proportionate to the actual risk each customer presents, rather than applying the same fixed set of checks to every customer regardless of their risk profile. Under Regulation (EU) 2024/1624, obliged entities must at all times be able to demonstrate to their supervisors that the measures taken are appropriate in view of the risks identified. In practice, this means your onboarding workflow should route customers to one of three levels of due diligence (standard, simplified, or enhanced) based on a documented individual risk assessment conducted at the start of the onboarding process.

What is the difference between simplified due diligence and enhanced due diligence, and how does each affect onboarding speed?

Simplified due diligence applies where a business relationship presents a genuinely low degree of risk, based on the risk factors set out in Annexes II and III of Regulation (EU) 2024/1624. It allows obliged entities to collect less information and to apply less intensive verification measures, which directly reduces the time and friction involved in onboarding lower-risk customers. Enhanced due diligence applies where the relationship presents an increased risk of money laundering or terrorist financing, and requires additional information collection including source of wealth, transactional purpose, and deeper beneficial ownership verification. EDD onboarding takes longer by design, and that is appropriate because the risk level warrants deeper scrutiny. The efficiency gain from a well-calibrated risk-based approach comes from not applying EDD-level scrutiny to customers who genuinely present lower risk.

How does AMLA's draft RTS on customer due diligence affect onboarding workflows?

AMLA's consultation on draft Regulatory Technical Standards under Article 28(1) of the AMLR, published in February 2026, is developing the specific information requirements and risk factors that will apply under standard, simplified, and enhanced due diligence. Once finalised and adopted, these RTS will define with much greater precision what a complete onboarding file must contain for each CDD tier. This means businesses that build their onboarding workflows now need to be tracking the development of these standards and building in flexibility to adapt their documentation requirements as the final RTS content is confirmed. The core architecture of the three-tier framework is already established in the AMLR itself, so building to that architecture is the right approach even before the RTS are finalised.

What process controls does a regulated business need to maintain consistent risk-based onboarding?

Consistent risk-based onboarding requires documented risk scoring logic that determines which CDD tier applies to each customer, clear escalation triggers that route customers to a higher tier when specific risk factors are identified, a complete contemporaneous audit trail of every verification step and decision, senior management approval for EDD relationships where required, and a process for updating risk classifications when new information emerges during or after onboarding. The audit trail is particularly important because Regulation (EU) 2024/1624 requires that obliged entities be able to demonstrate at all times that their measures were appropriate, which requires evidence that can be produced and reviewed on short notice.

Can onboarding be fully digital for EU-regulated businesses under the new AML framework?

Yes, for lower-risk customers, the new EU framework is explicitly designed to support fully digital onboarding. The eIDAS 2.0 Regulation establishes the European Digital Identity Framework, including the European Digital Identity Wallet, and AMLA's draft RTS on customer due diligence confirms that obliged entities must accept eIDAS-compliant electronic identification methods when customers choose to present them. For lower-risk individual customers, this means no physical documents and no video verification are required. For corporate customers, digital access to primary-source registry data provides the foundation for verification without requiring customers to produce certified paper documents. The practical constraint is that these digital pathways need to be built into your onboarding system and validated against the applicable eIDAS standards, which requires investment in your technology infrastructure.

What are the most common regulatory findings in onboarding workflow reviews?

The most frequently identified weaknesses in onboarding workflow reviews by EU regulators are: SDD applied without documented individual risk justification; risk classifications applied at segment level without individual customer assessment; EDD triggered but the additional measures not proportionate to the specific risk identified; escalation decisions made during onboarding not documented with the rationale for escalation; and audit trails that are incomplete, inconsistent, or not retrievable within a reasonable timeframe. Each of these weaknesses reflects the same underlying failure: the risk-based approach was applied at the level of policy design but not operationalised consistently at the level of individual customer files.

How should a business handle a situation where onboarding cannot be completed due to insufficient information?

Under Regulation (EU) 2024/1624, where an obliged entity is unable to comply with the requirement to apply customer due diligence measures, it shall refrain from carrying out a transaction or establishing a business relationship, and shall consider whether a suspicious activity report should be made to the Financial Intelligence Unit. This is a clear rule that admits no commercial override: if you cannot verify the customer to the standard required for the applicable CDD tier, you cannot onboard them. Your onboarding workflow should have a defined exit pathway for these situations, with a documented record of what information was missing, what steps were taken to obtain it, when the decision was made to decline the relationship, and whether a SAR was considered and, if so, what conclusion was reached.

How does beneficial ownership verification fit into a risk-based onboarding workflow for corporate customers?

Beneficial ownership verification is a required element of standard CDD for corporate customers under Regulation (EU) 2024/1624, and the depth of that verification increases under EDD. At standard CDD level, you must identify and verify the identity of any individual holding 25% or more of shares or voting rights, or otherwise exercising control. At EDD level, you must go deeper into the ownership chain, document source of wealth, and provide evidence that the ultimate beneficial owners are who they say they are. Under Directive (EU) 2024/1640, you must also check the information obtained against the central beneficial ownership register and report any discrepancy you find. Using primary-source registry data for this step rather than relying on customer-provided documentation both strengthens the defensibility of your verification decision and reduces the time spent chasing documents from the customer.



SpeedyDD Trading Limited a company registered in Cyprus under Registration Number: HE457236 and with Registered Address at Griva Digeni 81, Marinos Court, 3rd Floor, Flat/Office 301, 6043 Larnaca, Cyprus

© 2026 SpeedyDD. All rights reserved.