Risk-Based AML Regulation: Human Rights Challenges in Delegated Law Enforcement
3/15/2026 · 8 min read
Financial institutions now investigate customers, assess their risk, report suspicious activity to law enforcement, and exclude individuals from the financial system based on risk profiles rather than evidence of wrongdoing. This is the risk-based approach (RBA) to anti-money laundering regulation, adopted across more than 200 jurisdictions. It is widely treated as progress.
The problem is structural. The RBA delegates law enforcement functions to private actors without the legal constraints that bind the state. When the state investigates someone, it must establish grounds, obtain authorization, and expose its actions to challenge. When a bank does the same work under the banner of compliance, those requirements do not apply. The state gets the intelligence benefit without bearing legal responsibility for how it was gathered. This piece examines that accountability gap and what it means for three fundamental rights: the presumption of innocence, legal certainty, and privacy.
Where Risk-Based Regulation Came From
Risk-based regulation emerged in environmental law and prudential banking supervision during the 1970s as a response to the limitations of prescriptive rule-making. Under the older approach, regulators would specify detailed requirements: which pollutants could be released in what quantities, or what capital ratios banks must maintain. The regulated entity had little discretion; compliance meant meeting the specified standard. As industries became more complex and diverse, however, prescriptive rules became rigid and reactive. A rule written for one type of polluter or one type of financial institution was often poorly suited to another. Regulators could not foresee every scenario or update rules quickly enough to address emerging hazards. The legislative shift was toward a new social contract: the regulator would set a general objective and a framework for assessment, but the regulated entity, having superior knowledge of its own operations, would determine how best to identify and manage risks within that framework. The firm became responsible for the analytical work; the regulator became responsible for ensuring the framework was sound. This arrangement promised greater flexibility, better responsiveness, and more efficient allocation of regulatory resources.
The migration into AML happened with the 2012 FATF revision. The original 1990 Recommendations were rule-based: specific offenses triggered specific obligations, and reporting arose from reasonable grounds to suspect criminal conduct. After 2012, financial institutions were required to conduct enterprise-wide risk assessments, classify customers by risk level, and apply continuous, anticipatory controls. The institution was no longer a reporter of suspicious activity but a risk manager expected to forestall financial crime before it occurred. What that shift failed to reckon with is that financial crime occupies different normative territory than environmental or capital risk. It involves culpability, state coercion, and the rights of individuals to be free from unjustified interference. The legal doctrines governing those domains do not transfer cleanly, and the RBA has never adequately accounted for the difference.
What the RBA Actually Requires
Under the current framework, a financial institution must classify each customer by risk level and calibrate due diligence accordingly. High-risk customers attract enhanced due diligence: intrusive identity verification, source-of-wealth inquiries, ongoing transaction monitoring, and senior management approval. The institution must also maintain a transaction monitoring system capable of detecting suspicious patterns and file a suspicious activity report (SAR) with the relevant financial intelligence unit when a relationship gives rise to suspicion.
None of these obligations depend on identifying actual criminal conduct. Enhanced due diligence applies to customers deemed risky, not customers suspected of anything. The consequences of a high-risk classification, which may include intrusive inquiries, restricted services, or outright refusal of the relationship, are imposed on the basis of a profile rather than an allegation. What follows examines how that design fares against the legal doctrines that govern these same powers when the state exercises them directly.
Challenge One: The Presumption of Innocence Reversed
The presumption of innocence, guaranteed by Article 6(2) ECHR and Article 14(2) ICCPR, embodies a principle that extends beyond the courtroom: the state, and those acting at its direction, may not treat individuals as wrongdoers absent specific and articulable grounds for doing so. When the state delegates law enforcement functions to private actors, however, it also diffuses accountability for how those functions are exercised. Financial institutions are governed by commercial incentives and regulatory risk management, not by obligations to vindicate individual rights. The state retains the intelligence benefit without bearing legal responsibility for how it was gathered. Neither the institution nor the regulator is fully accountable for practices that would be constitutionally constrained if performed by the state directly. The RBA exploits that gap systematically.
A customer is classified as high-risk not because the institution has found specific grounds to suspect them, but because they belong to a category, such as politically exposed persons, customers from certain jurisdictions, or operators in cash-intensive businesses, that correlates statistically with elevated risk. The individual may have done nothing wrong and never faced criminal scrutiny. Yet the classification treats them as a threat, triggering intrusive due diligence, restricted services, or outright exclusion.
The case of Somali remittance services illustrates this plainly. After AML enforcement actions in the early 2010s, major financial institutions in the United States, the United Kingdom, and Australia closed the accounts of money service businesses serving the Somali diaspora, not because those businesses were accused of money laundering, but because the remittance corridor to Somalia was deemed high-risk. Hundreds of thousands of individuals lost access to formal remittance channels. Had the state directly blocked those transfers without evidence of criminal conduct, the measure would have faced immediate constitutional challenge. Because the exclusion came from financial institutions exercising "risk-based judgment" under a state-designed framework, there was no judicial authorization to challenge, no regulator was accountable, and no legal remedy was available. The state achieved an outcome it could not have achieved directly. That is precisely where the presumption of innocence disappears.
Challenge Two: FATF Grey and Black Lists
The RBA anchors country-level risk assessments to a prior determination made by FATF: the classification of jurisdictions as high-risk through its blacklist and greylist. Once listed, domestic law in most jurisdictions mandates enhanced due diligence for all customers and transactions connected to that country. That mandate functions as a legal instruction to treat everyone from a listed country as presumptively risky, regardless of individual conduct. The proportionality of those measures depends entirely on whether the underlying listing is accurate, objective, and fairly derived. On each count, the evidence is troubling.
The methodological foundation of FATF's mutual evaluation process is weaker than its institutional authority suggests. FATF's 2025 methodology revision lowered its evidentiary standard by shifting from "proven" to "assessed" low risk. Evaluations increasingly rely on national risk assessments submitted by the countries being reviewed, without independent verification, clear quantitative thresholds, or transparent sector weightings. Where the evidentiary basis for a listing rests on unverified self-reporting and assessor discretion without transparent scoring, the resulting risk determination falls short of the objective, independently verifiable standard that proportionality demands.
The distribution of listing outcomes raises documented consistency concerns. The Tax Justice Network's Financial Secrecy Index, which assesses financial opacity independently of FATF, has persistently ranked several major FATF member states, including the United States, Switzerland, and the United Kingdom, among the world's most secretive financial jurisdictions. The United States lacked a comprehensive beneficial ownership registry until the Corporate Transparency Act took effect in 2024, a gap that FinCEN's own Geographic Targeting Orders acknowledged created material money laundering exposure in its real estate sector. No FATF grey list designation followed. Academic research on the political economy of FATF, including work by Sharman and Nance, has observed that political proximity to core FATF member states correlates with listing outcomes in ways that technical compliance scores alone do not fully explain. The recent greylisting of European jurisdictions such as Bulgaria and Croatia suggests the process has become less systematically skewed over time. The structural concern remains: where the same category of deficiency produces different listing outcomes depending on the institutional weight of the jurisdiction involved, the country-level risk determination cannot be described as purely objective.
The effectiveness of the listing system is also contested. Greylist status does not reliably indicate greater actual financial crime risk than unlisted jurisdictions. Research estimates capital inflow reductions of around 7.6% of GDP following greylisting, yet those costs fall on entire economies rather than on the actors responsible for the deficiencies. Repeated greylisting of countries such as Pakistan and Panama reveals a deeper problem: the process incentivizes technical and documentary compliance without generating sustained reform. Effectiveness ratings in mutual evaluation reports consistently lag behind technical compliance scores. The framework measures activity, not outcome. The legal consequence is that millions of individuals and businesses face financial exclusion on the basis of a country-level classification that is methodologically contested, politically influenced, and not reliably predictive of actual risk, with no legal forum in which to challenge it. This represents collective treatment on the basis of national status, implemented through mandatory compliance requirements that individuals cannot contest.
Challenge Three: Privacy
The right to privacy, protected by Article 8 ECHR and Article 17 ICCPR, covers financial information. The European Court confirmed in M.N. and Others v San Marino (2015) that collecting and using personal financial data interferes with Article 8 rights and must be justified under the proportionality test. When the state conducts financial surveillance directly, it must obtain judicial authorization, demonstrate reasonable suspicion, and limit the intrusion to what the investigation requires. The RBA requires the same surveillance but removes every one of those safeguards. No judicial authorization. No requirement of reasonable suspicion. No limit on scope. Monitoring covers all customers, all transactions, continuously. This is mass financial surveillance, conducted by private institutions at state direction.
When a SAR is filed, the customer's financial data is transmitted to a government intelligence agency without their knowledge, without judicial oversight, and without any right to challenge the report. In most jurisdictions, the customer cannot even be informed. Disclosure is itself a criminal offense. The United Kingdom's financial intelligence unit received over 900,000 SARs in 2023-24; the United States receives over 4 million annually. Beyond disclosure, continuous monitoring shapes behavior. When people know that lawful but unusual financial activity may generate a report, they adjust what they do. Transfers to relatives in high-risk jurisdictions, donations to politically sensitive causes, and payments to organizations in conflict-affected regions all become sources of anxiety. The effect falls hardest on diaspora communities, faith-based organizations, and activists whose legitimate activities do not fit standard risk profiles. This narrowing of normal financial life never appears in any compliance report.
If the state ran this surveillance program itself, monitoring millions of citizens without judicial authorization or individualized suspicion, it would face immediate challenge under Article 8. In Szabó and Vissy v Hungary (2016), the European Court held that even national security surveillance must be subject to effective judicial oversight and limited to what is strictly necessary. The RBA operates at comparable scale and intrusiveness but avoids judicial oversight by routing the surveillance through private institutions. From the perspective of the individual being monitored, the effect is identical: their financial life is subject to continuous scrutiny without judicial authorization or individualized suspicion. The proportionality test does not exempt interference with Article 8 rights simply because the conducting entity is private rather than state. What matters is whether the surveillance meets the standard of being subject to effective judicial oversight and limited to what is strictly necessary. The RBA satisfies neither requirement.
Conclusion
The RBA has achieved regulatory coverage at remarkable speed, but the cost is becoming difficult to justify. Global money laundering volumes remain virtually unchanged since the framework's adoption, while financial institutions spend over $300 billion annually on compliance and file millions of SARs that rarely translate into prosecutions or asset recovery. That gap between activity and outcome reflects a system built around procedural compliance rather than substantive results, and around private actors who bear little accountability for the rights consequences of the surveillance they conduct.
The framework treats individuals as suspects on the basis of category rather than conduct, classifies entire populations as high-risk through a listing process that is methodologically flawed, politically influenced, and immune from legal challenge, and enables mass financial surveillance with no judicial oversight and no meaningful limit on scope. The framework delegates law enforcement functions to private actors without the legal constraints that bind the state, and this structural problem cannot be fixed through compliance improvements. The three doctrinal failures identified above—erosion of the presumption of innocence, loss of legal certainty, and mass surveillance outside judicial oversight—require structural reform: individual-level risk assessment rather than categorical classification; independent and transparent review of country-level determinations; and judicial oversight of transaction monitoring. Whether the RBA can evolve to incorporate these constraints while preserving its adaptability will determine whether it remains compatible with human rights law.
© 2023 Terix Institute