AML Compliance

6 Steps for Completing an AML Risk Assessment

Anti-money laundering risk assessments are crucial for preventing financial crimes and remaining compliant with regulations. This comprehensive guide will review the basics of an AML risk assessment by answering the following questions: What is an AML risk assessment? Why should you complete one? What steps are involved?

Thorsten J Gorny
March 14, 2022

What is an AML Risk Assessment?

Money laundering occurs when criminals try to make illicit funds appear to come from a legitimate source. Technology has made it easier for perpetrators to engage in money laundering, so it is more important now than ever that businesses implement a system to detect and prevent it.

That’s where the anti-money laundering risk assessment comes in. This analytical process allows organizations to determine the likelihood that a customer is involved with money laundering or terrorist financing. By gauging the risk level of each client, they can perform the appropriate due diligence and minimize involvement in a money-laundering scheme.

Once you complete the AML risk assessment, you can rate your clients as low, medium, or high risk. This information will determine the best way to monitor transactions, validate identities, and file suspicious activity reports.

Key Risk Indicators

To determine which clients are most likely to be involved with money laundering or other illicit activities, the assessment model looks at key risk indicators – or KRIs. KRIs refer to known vulnerabilities or aspects of a business that might attract criminals and money launderers.

There are five primary KRIs that all businesses should consider as part of their AML process:

  1. Types of Customers
  2. Nature, Complexity, and Size of the Business
  3. Products and Services Offered
  4. Geographical Risks
  5. Process for Onboarding Clients and Engaging with Existing Customers

Each of these KRIs includes several risk drivers that influence how relevant they are to your organization. If the drivers increase the risk, then the rating will be higher – and vice versa. As such, the AML assessment will need to include a risk range so that you can take appropriate action.

Why Complete an AML Risk Assessment?

No law specifically states you must conduct an AML risk evaluation, but other applicable regulations make it the only way to comply. For instance, the Bank Secrecy Act (BSA) requires that companies take steps to mitigate the risk of money laundering at the individual level.

OFAC, the Office of Foreign Assets Control, requires businesses to implement a risk management program. This program must include sanctions screenings and PEP screenings, along with other analyses, to identify and mitigate risks associated with money laundering and terrorist financing. (Also see FinCEN, the Financial Crimes Enforcement Network, and the other regulatory bodies relevant to your industry and market.)

Likewise, a regulator such as the Solicitors Regulation Authority (SRA) might want to review your risk assessment process to determine whether your organization is putting in the appropriate effort to catch and prevent money laundering.

Simply put, an AML risk assessment is the first step to follow regulatory mandates and prevent financial crimes so that you can avoid hefty fines and penalties – and reputational damage – associated with non-compliance.

Aside from compliance, there are other compelling reasons to perform AML risk assessments. Understanding the risk level associated with each client and transaction allows you to build appropriate processes and procedures to protect your business and its reputation. It also empowers your staff to act when they see something that is suspicious and gives them a roadmap of what steps they should take to address it.

In other words, you need to complete AML risk assessments to comply with the regulations and to protect your organization and staff from the threat of money laundering and other financial crimes.

The 6 Steps of an AML Risk Assessment

1.  Document the Risk Assessment Process

The first step for conducting an anti-money laundering risk assessment is to create documentation about the key risk indicators and how they relate to your business. This documentation is the foundation of the risk-based approach, as it sets out the basis for the risk analysis you are going to perform.

At a minimum your documentation should address the following KRIs:

  • Geography
  • Types of Customers (Customer Due Diligence)
  • Transactions
  • Products and Services

As you analyze each of these key risk indicators, take note of areas that might be extra susceptible to money laundering. Identifying these high-risk areas – and documenting them – is the first step to conducting a successful AML risk assessment.

2.  Ensure Adequate Staff is Dedicated to AML

After you have documented the key risk indicators and gained an understanding of the areas you should focus on, you must address the issue of staffing.

Having adequate compliance staff is essential to the success of any AML program. Ensure that you have the appropriate number of staff available and that they have adequate training. The chief compliance officer will manage the training program and determine the qualifications the staff should have.

3.  Identify Risks

Step three builds on the initial documentation that you prepared, as it involves identifying the inherent and residual AML and CFT risks your organization is exposed to (the AML customer risk assessment methodology).

Inherent risk refers to those factors that affect your organization when you have not taken any steps to mitigate them. Think about it this way – the inherent risks are present just because your organization exists and conducts a certain type of business.

These factors should be evaluated before you implement any internal controls or mitigation so that you can gauge the effectiveness of your efforts later.

Residual risks, on the other hand, are what is left after you have taken steps to mitigate the inherent risks. Another way to view residual risks is as the gaps in your controls where there is still a chance that money laundering or other financial crimes could occur.

A bank, for example, has inherent risks associated with international transactions. However, they may use automated software to analyze these activities, check for OFAC Sanctions violations, and validate the legitimacy of the transaction. While the inherent risk is not eliminated, those efforts reduce it significantly – and what is left over is the residual risk.

When you review residual risks, you must decide whether the remaining threat level is acceptable or if you need to implement additional controls to reduce them further. We can break this analysis down into three categories:

  • Weak Mitigating Controls: Weak controls are not very effective or only minimally reduce the risk. It is likely that the control involves a manual process and is not sufficient to address the concern.
  • Adequate Mitigating Controls: Adequate mitigating controls do just enough to address the risk. They may be missing some components and still allow for some gaps, but they may be sufficient for certain KRIs.
  • Strong Mitigating Controls: A strong control covers the entire risk associated with a transaction or activity. There are no gaps or additional measures needed to eliminate the threat.

4.  Classify the Risks You Identified

The next step is to classify the risk level for each of the KRIs you identified.

Most organizations will use a sliding scale of 1 to 3, with 1 representing a low inherent risk and 3 indicating a high inherent risk. The goal is to implement controls that can lower the risk scores down from 3 to 1.

Using the example from above, international wire transfers would be considered high inherent risk, or a 3. However, the automated system used to monitor and validate those transactions is classified as a strong mitigating control, which would lower it to a 1.

If the control were weak, it would not adjust the risk score. When there is an adequate control in place, it might reduce the score from a 3 to a 2. Your AML process should evaluate these factors over time to see if the risks are increasing, decreasing, or stable.
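To make the scoring in steps 3 and 4 concrete, here is an added worked example (not code from the original article or from any vendor) that scores a set of KRIs on the 1-to-3 scale, applies weak, adequate, or strong mitigating controls, flags the KRIs whose residual risk is still above an acceptable level, and compares two assessment rounds to show whether each risk is increasing, decreasing, or stable. The control adjustments (strong lowers a 3 to a 1, adequate to a 2, weak leaves it unchanged), the "medium is acceptable" threshold, and the sample KRIs are assumptions drawn from the text's own examples, not a published methodology.

```python
"""Residual-risk scoring for AML key risk indicators (KRIs).

Added illustration of the 1-to-3 scoring in steps 3 and 4. The control-strength
adjustments, the acceptable-risk threshold and the sample KRIs are assumptions
drawn from the examples in the text, not a published methodology.
"""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3
LABELS = {LOW: "low", MEDIUM: "medium", HIGH: "high"}

# Assumed mapping from control strength to score reduction, following the text:
# a strong control takes a 3 down to a 1, an adequate one to a 2, and a weak
# one leaves the inherent score unchanged.
CONTROL_ADJUSTMENT = {"weak": 0, "adequate": 1, "strong": 2}


@dataclass(frozen=True)
class KriAssessment:
    name: str
    inherent: int   # 1 (low) .. 3 (high), before any mitigation
    control: str    # "weak", "adequate" or "strong"


def residual_score(inherent: int, control: str) -> int:
    """Residual score after applying the control; never drops below LOW."""
    if inherent not in LABELS:
        raise ValueError(f"inherent risk must be 1..3, got {inherent!r}")
    if control not in CONTROL_ADJUSTMENT:
        raise ValueError(f"unknown control strength: {control!r}")
    return max(LOW, inherent - CONTROL_ADJUSTMENT[control])


def assess(assessments, acceptable: int = MEDIUM):
    """Score every KRI and flag those whose residual risk is above the
    acceptable level (assumed here to be 'medium')."""
    results = []
    for a in assessments:
        res = residual_score(a.inherent, a.control)
        results.append({
            "kri": a.name,
            "inherent": a.inherent,
            "control": a.control,
            "residual": res,
            "needs_more_controls": res > acceptable,
        })
    return results


def overall_rating(results) -> str:
    """Conservative roll-up: the organization's rating is its worst residual KRI."""
    return LABELS[max(r["residual"] for r in results)]


def trend(previous, current) -> dict:
    """Compare two assessment rounds KRI by KRI (step 4 asks whether each risk
    is increasing, decreasing or stable)."""
    prev = {r["kri"]: r["residual"] for r in previous}
    out = {}
    for r in current:
        before = prev.get(r["kri"])
        if before is None:
            out[r["kri"]] = "new"
        elif r["residual"] > before:
            out[r["kri"]] = "increasing"
        elif r["residual"] < before:
            out[r["kri"]] = "decreasing"
        else:
            out[r["kri"]] = "stable"
    return out


# Constructed sample data; the KRI names mirror the article's examples.
LAST_YEAR = [
    KriAssessment("International wire transfers", HIGH, "adequate"),
    KriAssessment("Cash-intensive customers", HIGH, "adequate"),
    KriAssessment("Foreign correspondent accounts", HIGH, "weak"),
]
THIS_YEAR = [
    KriAssessment("International wire transfers", HIGH, "strong"),  # automated monitoring added
    KriAssessment("Cash-intensive customers", HIGH, "adequate"),
    KriAssessment("Foreign correspondent accounts", HIGH, "weak"),
    KriAssessment("Domestic loan portfolio", MEDIUM, "weak"),
]


if __name__ == "__main__":
    current = assess(THIS_YEAR)
    for r in current:
        flag = "  <-- additional controls needed" if r["needs_more_controls"] else ""
        print(f"{r['kri']:<32} inherent={LABELS[r['inherent']]:<6} "
              f"control={r['control']:<8} residual={LABELS[r['residual']]}{flag}")
    print("overall residual rating:", overall_rating(current))
    print("trend vs. last year:", trend(assess(LAST_YEAR), current))
```

Running the module prints one line per KRI; in the sample data only the foreign correspondent accounts stay at high residual risk under a weak control, so they are the item that step 3 says needs additional controls, while the wire-transfer line shows a decreasing trend once the strong automated control is in place.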

5.  Review Each of the Risk Factors

Now that you have identified the KRIs and classified them as low, medium, or high, you must review each of them in greater detail. Consider the following questions as you conduct your analysis of the risk factors:

Geography

Analyzing your geographical risk involves looking at the footprint of your organization. Consider the areas where you conduct business, the size of those populations, and the people that live there.

Do you operate in areas where there are high rates of financial crime or drug trafficking? Are you constantly submitting suspicious activity reports in one region? Do you have a presence on a border that poses a higher risk than others?

Answering these questions can help you focus on areas that need more attention. Activities in higher-risk geographies will require you to increase your controls and due diligence measures. On the other hand, regions that do not pose as large of a threat may not need as strict monitoring measures.

Customer Base

There are many factors to consider regarding your customer base and the types of individuals and entities you interact with. Some individuals and entities will have a higher inherent risk, such as the following:

  • Politically Exposed Persons (PEPs)
  • Non-Resident Aliens
  • Professional Service Providers
  • Cash-Intensive Businesses
  • Businesses Involved with Virtual Currencies

Assessing the risk level of each client is an essential part of the onboarding and know-your-customer (KYC) process. At this stage, you should complete a sanctions screening to confirm that the individual is not on the OFAC list or any other sanctions list.

Likewise, you must conduct a PEP screening to determine whether the client is a government official or a similar person who carries a higher risk of corruption and illegal activity. If you identify clients that fall into this category, you will need to apply enhanced due diligence measures.

Products and Services

The products and services you offer will also contain inherent and residual risks. The better you understand and analyze these risks, the more successful your AML assessment will be. Here are some examples of high-risk offerings:

  • ATM and Cash Services
  • Loan Portfolios
  • Online Account Opening and Access
  • Remote Deposits
  • Foreign Correspondent Accounts

Not only should you review the risk associated with these types of products and services, but you should also review how many clients use them. Determining whether the volume is increasing or decreasing can help you implement appropriate controls.

Transaction Review

An AML risk assessment also involves a review of the volume, frequency, and types of transactions that your business engages in. Consider some of the following:

  • How many currency transaction reports and SARs are filed each year?
  • What is the volume of loan transactions and private ATM customers?
  • How does the number of international wires compare to domestic ones?

Certain transactions must be verified for OFAC compliance, like ACH and wire transfers. Ensure that you have clear policies and procedures for addressing them.

6.  Conduct Regular Audits

The AML risk assessment process does not stop after the steps we just described – it is a continuous process. As such, the last step is to conduct regular audits and reviews to ensure the program remains healthy and effective.

Update your policies and procedures as needed and ensure that the appointed compliance officer reviews them to keep them aligned with regulatory changes. This, along with a strong culture of compliance, can minimize the risk that your organization will be involved with money laundering.

Thorsten J Gorny
Thorsten is Co-founder & CEO of He has worked for more than 15 years in the tech industry with focus on bringing ideas to life, and building great teams and products. At he is mainly responsible for Business Development, Growth and Strategy.