Assessment of ML/TF risks
One of the key elements of the FATF Standards is to take into consideration the ML/TF risks facing the jurisdiction and individual sectors, so that AML/CFT measures can be applied on a risk-sensitive basis. This enables the state authorities, as well as the private sector, to allocate resources more appropriately and focus on areas with higher vulnerabilities and threats.
Risks are defined by the FATF as a combination of the following factors:
- Threats: a person, object or activity with the potential to cause harm to, for example, the state, society, economy, etc.;
- Vulnerabilities: things that can be exploited by the threat or that may support or facilitate its activities;
- Consequence: impact or harm that may be caused to, amongst others, financial systems and institutions, as well as the economy or society more generally.
The 2003 FATF Recommendations already referred to the assessment of risk in several areas. Firstly, the risk-based approach was to be applied by the private sector when implementing preventive measures. Supervisory authorities were also required to adopt a risk-based approach to monitoring compliance with AML/CFT requirements. With regard to state authorities, an understanding of risks was required for the purposes of designation of national priorities, when formulating national strategic documents, as well as with regard to the NPO sector in order to be able to target measures to mitigate the risks.
The 2012 FATF Recommendations significantly increased the focus on understanding ML/TF risks. Recommendation 1 and Immediate Outcome 1 formulate concrete requirements for countries to identify, assess and understand the ML/TF risks the jurisdiction faces and to establish mechanisms for undertaking this risk assessment. This national risk assessment undertaken by the authorities serves as a basis and guidance for the application of the risk-based approach by the private sector. It shall be reviewed and updated regularly in order to reflect current developments in the jurisdiction. For further information on national risk assessments, see the relevant section.
The obligations of the private sector to evaluate and understand the risks inherent to their business and customers, as well as the requirements to put in place measures to mitigate such risks, are further strengthened in the FATF 2012 Recommendations (as amended up to June 2025). Corresponding responsibilities exist for the supervisory authorities.
Reference documents
- FATF Guidance (updated August 2025) – National Money Laundering and Terrorist Financing Risk Assessment
- FATF Guidance (2021) – Risk-Based Supervision
- FATF Guidance (2021) – Risk-Based Approach to Virtual Assets and VASPs
- FATF Guidance (2021) – Proliferation Financing Risk Assessment and Mitigation
- Basel Committee on Banking Supervision Guidance (2017) – Sound Management of Risks related to Money Laundering and Financing of Terrorism
- FATF Report (2010) – Global Money Laundering and Terrorist Financing Threat Assessment
