Risk Profiling in Practice: How do you prevent discrimination and other unintended effects in the implementation of Anti-money laundering and Sanctions legislation?
- Miranda Haak
- 1 day ago

How do you ensure that combating money laundering and sanctions violations does not lead to unintended consequences for customers?
Over the past few years, the fight against money laundering, terrorist financing and sanctions violations has intensified significantly. Organisations that implement obligations under anti-money laundering and sanctions legislation increasingly rely on risk profiling to identify risks, set priorities and carry out targeted controls.
This is understandable. It is simply not feasible to continuously investigate every customer, transaction or situation.
At the same time, another question is becoming increasingly important: how do you ensure that risk profiling does not lead to discrimination and other unintended consequences for customers?
Why is this topic receiving increasing attention?
Over the past few years, numerous studies, publications and guidance documents have been issued on the use of risk profiling. In parallel, attention to discrimination has increased considerably.
What started as practical concerns has evolved into a broader societal and legal issue. Supervisory authorities, industry associations, the Netherlands Institute for Human Rights and organisations themselves are increasingly examining how risk profiling is designed and applied.
As a result, the discussion is shifting from whether risks are sufficiently identified to how this is done in a careful and responsible manner.
This topic will remain high on the agenda in the coming years. As of 10 July 2027, key parts of the new European anti-money laundering package will become applicable, including the AML Regulation and the Sixth Anti-Money Laundering Directive (AMLD6). Supervision of compliance will therefore partly shift to a new European supervisory authority: AMLA.
Where do things go wrong?
Risk profiling is used to perform more targeted controls and investigations. It relies on risk criteria that are expected to correlate with the violation of a legal obligation or norm.
This approach is logical. Not every customer, transaction or situation can be investigated continuously. Organisations therefore have to make choices. This is precisely where an important challenge arises. The criteria that are selected determine who will be subject to more frequent, more intensive or fewer controls. The focus therefore shifts to the question of how risks are identified and which criteria are used in that process.
Practice shows that, however necessary risk profiling may be, it can unintentionally affect customers who have done nothing wrong.
Risk profiling is applied in various processes, including:
- customer due diligence (CDD/KYC);
- transaction monitoring;
- sanctions screening;
- fraud detection; and
- additional investigations in higher-risk situations.
An important principle is that organisations focus on behaviour, transactions and factual circumstances rather than personal characteristics.
Why is this difficult in practice?
Various parties are involved in implementing anti-money laundering and sanctions obligations, each holding only part of the information and responsibilities. Examples include organisations generating signals and submitting reports, the Financial Intelligence Unit (FIU), law enforcement agencies, supervisors and government authorities.
In practice, feedback on the usefulness and effectiveness of signals and reports is often limited. As a result, organisations do not always have sufficient insight into which criteria genuinely contribute to the intended objective and which criteria may need to be adjusted.
In addition, tensions arise between complying with legal obligations and preventing discrimination as much as possible.
This can be seen, for example, in discussions surrounding data such as nationality and place of birth. Registering data is not the same as using data for risk profiling purposes.
The discrimination assessment
To determine whether risk profiling results in discrimination, two questions are asked:
- Is there a distinction being made?
- If so, is that distinction objectively justified?
The second question forms the basis for further assessments regarding legitimacy, subsidiarity and proportionality.
Does a risk profile create distinctions?
In practice, yes.
Risk profiling inherently creates distinctions because not everyone is subject to the same level of scrutiny. This immediately raises the question of which criteria are being used to identify risks. A distinction is made between direct and indirect discrimination.
With direct discrimination, explicit characteristics are used.
- Race: never permitted as a profiling factor.
- Nationality: only permitted when there is a legal basis and when citizenship is substantively relevant to the specific control being performed.
Indirect discrimination can also occur. This happens when a seemingly neutral criterion disproportionately affects certain groups in practice.
Take cash payments as an example. In itself, this is a neutral criterion. However, if certain groups use cash more frequently, this may result in those groups being subject to additional controls more often.
The criterion itself is therefore not necessarily incorrect, but it does require careful consideration and proper substantiation.
These indirect effects are precisely what make risk profiling complex. It is therefore important not only to consider which criteria are used, but also what their practical effects are.
When is differentiation justified?
The fact that a risk profile distinguishes between people does not automatically mean that its use is inappropriate. Organisations have a legal duty to combat money laundering, terrorist financing and sanctions violations. However, organisations must be able to explain why specific criteria are being used.
Three considerations are particularly important:
- Legitimate objective: Does the criterion demonstrably contribute to the purpose for which it is being used?
- Subsidiarity: Can the same objective be achieved through a less intrusive alternative?
- Proportionality: Do the benefits of using the criterion outweigh any potential adverse consequences for those affected?
Ultimately, the key question is:
Why are we using this criterion, and can we explain why it works?
Who is responsible?
An important principle is that responsibility ultimately remains with the user of the risk profile.
Organisations cannot shift responsibility to legislation, supervisors, software providers, data sources or algorithms.
The questions organisations need to ask themselves are gradually changing.
| Yesterday's question | Today's question |
| --- | --- |
| Are we compliant with anti-money laundering requirements? | Can we demonstrate that our risk criteria are effective? |
| Are we generating enough reports? | Are our reports actually useful? |
| Do we have a model in place? | Are we unintentionally disadvantaging certain groups? |
| Is the technology implemented? | Is the governance surrounding the technology properly organised? |
Building blocks for preventing discrimination
Preventing discrimination cannot be confined to a single department or process. A broad, integrated approach is required.
This includes areas such as organisational responsibilities, risk analysis, communication, complaints handling, training and periodic evaluations.
Communication also plays an important role. Letters, requests for additional information and customer interactions may unintentionally contribute to feelings of exclusion or unequal treatment.
Complaints can provide valuable insights. They are not only signals that something may have gone wrong, but can also help identify patterns and improve processes.
Risk analyses, policies and procedures have little value if employees are not adequately supported in applying them in their day-to-day work.
This topic therefore requires a different approach to learning. Generic training programmes and standard e-learning modules alone are often insufficient. The real challenge lies in discussing practical dilemmas and real-life examples so that awareness is translated into everyday decision-making.
What does this mean for organisations?
This issue affects far more than anti-money laundering or sanctions functions alone. It impacts the design and operation of processes throughout the entire organisation. Preventing discrimination is increasingly being seen as an integral part of the design, execution and evaluation of risk profiling.
This raises several practical questions for organisations:
- Which risk criteria are we actually using?
- Can we explain why these criteria are effective?
- Do we understand the impact these criteria have on different customer groups?
- Is it clear who is responsible for periodically reviewing these criteria?
- Are employees sufficiently supported in applying these considerations in their daily work?
- Are we using complaints and practical experiences to improve our processes?
The challenge for organisations in the coming years lies not only in keeping up with new legislation, but also in continuously translating existing and new legal obligations into workable processes, clear responsibilities and careful day-to-day implementation.
It is precisely this translation – from legislation to implementation – that lies at the heart of DUFINCO's approach.
Would you like to know what these developments mean for your organisation? Please contact us at info@dufinco.nl or call +31 (0)6 512 47 217.



