Risk based approach RBA risk matrix for audit

Since 2016 I have been leading COREDO as a company that turns the complexity of international regulation into a clear system of manageable solutions. During this time we have registered dozens of legal entities in the EU, the Czech Republic, Slovakia, Cyprus and Estonia, supported licensing in the United Kingdom, Singapore and Dubai, and built compliance for clients at the level regulators and banks expect. I am convinced: the foundation of sustainable international growth is a risk-oriented approach (RBA, risk-based approach), embedded in registration, licensing and day-to-day operational processes.

In this article I have collected our practical experience of implementing RBA in financial organisations, fintechs, crypto companies and international holdings. My focus: to show how to turn AML/CFT requirements, AML compliance checks and corporate RBA compliance into a source of managerial advantage, TCO reduction and faster time-to-market, rather than into a “cost of compliance” with no return. The text is aimed at entrepreneurs and directors who need to make decisions quickly, systematically and transparently.

Risk-based approach — a pillar

RBA is not a “tick-the-box” exercise; it is about a reasoned choice. When we prepare a client to obtain a license for payment services in the EU, to register a crypto service in Estonia, or to gain approval from a regulator in Singapore, I start by defining the risk appetite at the board level. This anchors managerial responsibility, sets the framework for the risk matrix, and determines the depth of KYC/KYB, CDD and EDD.
Comparing RBA with a checklist approach always favors the former. A checklist creates blind spots and disproportionate effort, whereas the RBA methodology allocates resources where the inherent risk is highest and where it needs to be reduced to an acceptable residual risk. In COREDO’s practice this reduced delays in product launches, lowered the level of false positives in monitoring, and improved TAT and closure rate metrics for investigations.

Regulatory expectations for RBA in the EU, the AMLD5 and AMLD6 requirements, and FATF recommendations explicitly state: you are obliged to know the risk profile of clients, products, channels and geographies. In response we design the company’s risk management based on ISO 31000 and the COSO internal control framework, combining governance, risk and compliance (GRC) with a clear decision-making matrix and an escalation model. This makes dialogue with auditors and banks predictable and substantive.

RBA Framework: from strategy to processes

When I say “framework”, I mean a bundle of strategic documents, processes and measurable metrics. At COREDO we start with RBA documentation and a compliance policy, then record the risk register, the process map and the control points, and only after that do we move to automation.

This order is important, because automating the risk matrix without clear criteria for classifying customers by risk leads to an avalanche of exceptions and manual work. The correct sequence is design first, then control assessment and design testing, and only then launching into production with compliance KPIs and key risk indicators (KRI). The COREDO team implemented such a scheme in projects from the Czech Republic to Dubai, and as a result the risk analysis for audit became transparent, and the review and updating of the risk matrix regular and meaningful.

RBA methodology and the risk matrix

The RBA methodology starts with a taxonomy of risks: customers, products/services, distribution channels, geographies, transactions and counterparties. For each category we assess probability and impact scales (likelihood & impact), assign score weights and obtain a heatmap (risk map), where the high-risk area is immediately visible to the board. This is how we develop a risk matrix for audit that is understandable to the business, internal audit, and the external inspector.

The assessment of inherent risk and residual risk is carried out in two stages. First we calculate the risk without controls, then we add the control environment and assess control effectiveness and compliance KPIs to see the reduction to the residual level. This assessment includes sanctions screening and filtering against EU and OFAC lists, PEP risk, UBO identification and reputational indicators, as well as customer risk scoring models that take into account behavioral and transactional indicators.
To show the “transparent mechanics”, I often give the example of a risk matrix for AML audit. Take customer risk: base scoring by country of registration, industry, UBO status, PEP status and product type; then modifiers: onboarding channel, remote KYC/KYB, presence of complex corporate structures. The heatmap immediately highlights where an Enhanced Due Diligence (EDD) procedure is needed, and where standard CDD (customer due diligence) is sufficient. This is not theory: COREDO’s practice confirms that such decomposition simplifies RBA when conducting internal audits and speeds up coordination with the compliance officer.
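The base-plus-modifier customer scoring and the two-stage inherent/residual assessment described above, as an added Python example (this is not COREDO’s scoring model; every lookup table, weight, threshold and customer record is a constructed assumption):

```python
"""Customer risk scoring: base factors, modifiers, inherent vs residual risk.
Added example, not COREDO's model; all tables, weights, thresholds and customers are constructed.
"""
from dataclasses import dataclass
# Likelihood (1..5) that a customer with this attribute is misused for ML/TF (constructed).
LIKELIHOOD = {
    "country":  {"low": 1, "medium": 3, "high": 5},
    "industry": {"low": 1, "medium": 3, "high": 5},
    "ubo":      {"verified": 1, "partial": 3, "unverified": 5},
    "pep":      {"none": 1, "domestic": 4, "foreign": 5},
    "product":  {"low": 1, "medium": 3, "high": 5},
}
# Impact (1..5) on the firm if that factor materialises (fines, reputation, losses).
IMPACT = {"country": 4, "industry": 3, "ubo": 5, "pep": 5, "product": 3}
# Relative weight of each base factor; the weights sum to 1.0.
WEIGHT = {"country": 0.25, "industry": 0.20, "ubo": 0.20, "pep": 0.20, "product": 0.15}
# Additive modifiers applied after base scoring; the scale is 1..25 (likelihood x impact).
MODIFIERS = {"remote_onboarding": 2.0, "complex_structure": 3.0}
MAX_SCORE = 25.0

@dataclass
class Customer:
    name: str
    factors: dict           # base factor -> value, e.g. {"country": "high", ...}
    modifiers: tuple = ()   # names taken from MODIFIERS

def inherent_score(c: Customer) -> float:
    """Stage 1: weighted likelihood x impact over base factors plus modifiers, no controls."""
    score = sum(WEIGHT[f] * LIKELIHOOD[f][c.factors[f]] * IMPACT[f] for f in WEIGHT)
    score += sum(MODIFIERS[m] for m in c.modifiers)
    return round(min(score, MAX_SCORE), 2)

def residual_score(inherent: float, control_effectiveness: float) -> float:
    """Stage 2: apply the tested control environment (0 = no effect, 1 = fully mitigated)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be in [0, 1]")
    return round(inherent * (1.0 - control_effectiveness), 2)

def tier(score: float) -> str:
    """Heatmap band on the 1..25 scale (constructed thresholds)."""
    return "high" if score >= 15.0 else "medium" if score >= 8.0 else "low"

def assess(c: Customer, control_effectiveness: float, risk_appetite: float) -> dict:
    """EDD is decided on inherent risk; residual risk is then checked against the appetite."""
    inherent = inherent_score(c)
    residual = residual_score(inherent, control_effectiveness)
    return {
        "inherent": inherent,
        "tier": tier(inherent),
        "due_diligence": "EDD" if tier(inherent) == "high" else "CDD",
        "residual": residual,
        "within_appetite": residual <= risk_appetite,  # False -> escalate to the risk committee
    }

if __name__ == "__main__":
    # Constructed customer: high-risk country, remote onboarding, complex group structure.
    c = Customer("A", {"country": "high", "industry": "medium", "ubo": "verified",
                       "pep": "none", "product": "high"}, ("remote_onboarding", "complex_structure"))
    print(assess(c, control_effectiveness=0.6, risk_appetite=8.0))
```

A customer whose residual score still exceeds the appetite after controls is the case the escalation model is for; the modifiers are what push an otherwise medium profile into the EDD band.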

Integration of RBA with KYC/CDD and sanctions

The RBA methodology is meaningless without being embedded into operational processes. We design the integration of RBA with KYC and CDD processes so that a customer’s risk assessment is updated on every material event: change of UBO, expansion of geography, anomalous transactions. For high-risk segments, EDD procedures are triggered automatically, additional documents are collected, sanctions screening against extended lists is activated, and suspicious activity reporting (SAR) is conducted.

Transaction risk assessment and monitoring are built on rule engines and machine learning for anomaly detection. In crypto companies we integrate blockchain analytics and crypto screening tools; in payment organizations: transaction monitoring in real time, configuration of thresholds and trigger rules, as well as management of false positives. Here data quality management and lineage are critical: without reliable sources and auditing (audit trail), the evidential base for the regulator collapses.

Finally, data privacy and GDPR compliance are part of the architecture, not an afterthought. In the retention policy we define archiving of evidence and data storage requirements, set retention periods for cases and structure the case lifecycle (case management). This reduces the burden on the first line and increases readiness for inspections and independent review.

Choosing a Jurisdiction for RBA

The solution developed at COREDO always begins with mapping regulatory expectations and relevant licenses to the client’s business model. In the EU, the requirements of AMLD5/AMLD6; in the United Kingdom, FCA rules; in Estonia, VASP specifics; in Cyprus, the regime for payment and investment firms; in Singapore, MAS; and in Dubai, DFSA/DIFC or VARA for the crypto segment. By aligning them with the client’s risk appetite, we help choose the jurisdiction, the degree of centralization and payment routes.

RBA for international companies in Europe and Asia ensures a “soft landing” when opening accounts and establishing correspondent relationships. Banks expect to see corporate RBA compliance, a process map, KRI metrics and the presence of a risk mitigation plan for key scenarios. At the start of company registration we already form the basis for AML compliance checks so there is no need to go back to “restructuring” at the end of licensing.
The impact of RBA on business processes appears immediately after launch. Standardized KYC/KYB, unified checklists for legal entities, decision matrices and an escalation model increase onboarding speed, while transaction risk assessment reduces operational incidents. As a result, you do not “adapt to the regulator”, but build an efficient and economical process that meets inspection expectations.

Implementing RBA in a Financial Organization

My basic roadmap for clients looks like this:

  • Strategy: we determine the risk appetite, establish a risk management committee and record the responsibilities of the board and the compliance director under RBA.
  • Processes: we conduct process modelling, define control points, align the roles of the lines of defence and prepare a risk register.
  • Design of controls: we describe client risk classification criteria, CDD/EDD procedures, sanctions screening and transaction monitoring, and configure the risk matrix and heatmap.
  • Technologies: we select the AML/CFT platform architecture, assess the scalability of technical solutions, integration with ERP/CRM and banking systems, and configure thresholds and rules.
  • Measurement: we define key risk indicators (KRI), the ROI of RBA implementation, investigation effectiveness metrics, and the total cost of ownership (TCO) of RBA.
  • Verification: we plan internal audit and independent review procedures, sampling methodologies for audit (statistical sampling), and scenario analysis and stress testing of risks.
  • Training: we initiate change management and staff training, including for the first line and investigative analysts.
At each step I ask the team to check the cohesion of components: whether there is a gap between policies and case management, how complete logging and audit trails are, and whether decision matrices are correctly defined. The outcome is not a document for the sake of a document, but a living system.

Scaling RBA in a holding company

In transnational structures, the choice between a centralized and decentralized compliance model is not only a question of organizational structure, but also of the capital efficiency of risk-mitigation measures. In one project the COREDO team built a central core of rules and scoring models for several licensable entities in Europe and Asia, preserving local modifiers for local regulatory requirements. This simplified reporting, ensured comparability of KRIs and allowed centralized sanctions screening and third-party and vendor management.
When scaling, risk visualization and BI tools are important so that the board can see a heatmap for each country and product. Case lifecycle, case management and evidence archiving are unified, and the process map and escalation matrix are standardized. Such a setup facilitates interaction with external regulators and inspections and reduces audit costs by reusing the evidentiary base.

COREDO Case Studies: crypto licenses and institutions

One notable example: launching a VASP in Estonia. The client came with an ambitious roadmap for token issuance and a wallet service; our experience at COREDO showed the need for enhanced sanctions control and the implementation of blockchain analytics tools. We developed client risk scoring models and transaction risk assessments, configured trigger rules for high-risk flows, and reduced the false-positive rate by 38% in the first three months without losing sensitivity to suspicious operations.
Another project: licensing of a payment institution in Cyprus with SEPA connectivity and card issuance. The solution developed at COREDO included building a risk matrix, configuring a rule engine, integration with core banking and ERP, as well as CDD/EDD chains for corporate clients with multi-layered UBO structures. As part of the analysis of the impact on EBITDA and operational risk, we forecasted cost reductions through automation and optimization of the investigation process, and then confirmed the savings in real KPIs.
In Singapore we supported a client in obtaining Major Payment Institution status for an international payment gateway. RBA and sanctions control were combined with anti-fraud mechanisms and integration of AML monitoring with card fraud detection systems. The COREDO team carried out scenario analysis and stress testing of risks by geography, correctly set the risk appetite taking into account aggressive growth, and also worked out interactions with correspondent banks for cross-border payments.
Finally, a holding structure in the Czech Republic and Slovakia required scaling RBA across several operating subsidiaries with different risk profiles. We implemented a centralized heatmap, standardized client classification, configured the RBA procedure for internal audits, and prepared a risk register for the external auditor. As a result of the inspection, the client had no significant findings, and the board noted increased transparency of decisions and faster escalation of complex cases.

What is needed for RBA to work daily?

The architecture of AML/CFT platforms should be modular. I look at how easy it is to connect sanctions lists, how the rule logic is organized, whether model training and their validation are available, and how the issue of data quality management and lineage is addressed. I separately check how logging and audit trails are implemented, because legal requirements for reporting and the evidential basis are becoming more stringent.

Integration with ERP/CRM and banking systems is a critically important element. Without complete data, scoring models “go blind”, and case management loses context. We often implement a centralized hub for event enrichment, configuring thresholds and triggering rules in one place, and broadcasting configuration to subsidiary entities to maintain metric comparability and manage changes.

We pay special attention to privacy and GDPR requirements, including restrictions on data transfers between jurisdictions. Having a clear scheme for archiving evidence and storing data with understandable SLAs for data extraction reduces risks in regulator requests and facilitates independent review. When this “hygiene” is in place, inspections run smoother and faster.

Launch RBA: a guide for the director

First step: establish the board’s accountability and appoint a compliance director with veto power over risky launches. The risk management committee should approve the risk appetite, align the KRI and KPI metrics, and define a process map with control points. This turns RBA from an “important topic” into a management routine.

Second step: develop a risk matrix, build a heatmap, and describe the criteria for classifying clients by risk.

At the same time a risk mitigation action plan is prepared, including sanctions screening, EDD for PEPs and complex structures, as well as assessment of residual risk and its monitoring. At this stage it is important to define ROI metrics for RBA implementation and target indicators for reducing TCO.

Third step: choose a technological solution and assess its scalability, integration with current systems and configuration of rules and thresholds, and ensure change management and staff training.

Finish by launching internal audit procedures, planning and validating test samples, and regular review and updating of the risk matrix every 6–12 months.

COREDO: from diagnostics to operations

My collaboration model is transparent: we start with a diagnostic session where we align the business model, regulatory objectives and risk appetite. Then the COREDO team conducts a gap assessment against the requirements of the chosen jurisdiction and FATF/AMLD standards, creates a process map and a risk register, and after approval designs the target control design and solution architecture.
Next we build AML compliance checks, set up scoring models, sanctions screening, transaction monitoring and case management, and also document policies and procedures. COREDO’s practice confirms that the combination “processes + technology + metrics” delivers a sustainable result, not just passing an audit. In the final stage we prepare the client’s team for independent operation and provide support for interaction with external regulators and inspections.

In projects for company registration and licensing in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai we take into account local specifics and supervisory expectations. This saves time on approvals, speeds up account openings and reduces the cost of compliance ownership thanks to the right initial architecture.

Frequently Asked Questions from Directors

How to measure the return on RBA? I use two groups of metrics: financial (ROI assessment and impact on EBITDA through reduced fines and optimization of operating costs) and operational (false-positive rate, TAT per case, investigation closure rate, KRIs by client segments). Additionally, we calculate the total cost of ownership (TCO) of RBA and the capital efficiency of risk-reduction measures.
How to differentiate inherent and residual risk in everyday practice? We assess the risk profile separately without considering controls, and then after their application, and use alert statistics and the results of control design and effectiveness tests for calibration. Internal audit verifies the correctness of the methodology by applying sampling methodologies for the audit and independent validation.
How to align AML and anti-fraud? These domains overlap at the level of transaction scenarios and data sources, but the tasks differ. At COREDO we synchronize rules, separate escalation, and build a shared process map and audit trail so investigations don’t compete for resources and don’t lose context. This approach reduces analysts’ workload and improves reporting quality.
What is important in sanctions screening? In addition to updating EU and OFAC lists, it is worth setting clear fuzzy-matching policies, escalation thresholds and alert-review procedures. Consider correspondent relationships and the risk of cross-border payments, as well as company structuring and analysis of the counterparty chain and ultimate beneficial owners to reduce the risk of circumvention schemes.

Conclusions

RBA is not just a buzzword from regulatory requirements, but a management tool that speeds up registration and licensing, reduces operational risks and opens a dialogue with banks and regulatory inspections in the language of facts. I see this every time the COREDO team implements the RBA methodology, builds a risk matrix, integrates KYC/KYB, CDD/EDD, sanctions and transaction monitoring and brings the client to a new level of compliance maturity.
If you are planning to register a legal entity in the EU, the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore or Dubai, aiming to obtain financial licenses, or want to strengthen AML and corporate compliance: start with a clear definition of risk appetite and a risk map. Then come process discipline, the right architecture and measurable metrics that prove the value of each step.
COREDO was created exactly for this kind of systematic work: without loud promises, with thorough attention to detail and responsibility at every stage. I am ready to discuss your case and show how the risk-oriented approach will turn compliance from a cost center into a pillar of international business growth.