

AML risk assessments: What are they and how do they work?

AML risk assessments are an essential part of implementing a risk-based strategy as required by law. Learn more.

⚡ Key takeaways
  • In order to design and implement an effective AML strategy, a company must first understand its unique risk profile.
  • An AML risk assessment is the process a company goes through to understand its exposure to money laundering risk.
  • AML risk assessments are an essential part of implementing a risk-based strategy as required by law.

Anti-money laundering (AML) laws and regulations around the world require financial institutions and other businesses subject to those regulations to take a “risk-based approach” to their AML practices. 

To do so, those businesses must first assess their own risk profile. This can be accomplished through an AML risk assessment, which then informs the business’s AML, know your customer (KYC), and customer due diligence (CDD) measures. 

Below, we take a look at what an AML risk assessment is, how it differs from a customer risk assessment, and how you can create and implement one that works for your business. 

What is an AML risk assessment?

An AML risk assessment is the process of understanding the likelihood of a bad actor successfully leveraging your products, services, or platform in order to engage in money laundering, tax evasion, terrorist financing, and other financial crimes.

The goal of an AML risk assessment is to:

  • Identify the types of money laundering risk you’re subject to
  • Determine the degree of this exposure
  • Identify measures that can be taken to mitigate these risks
  • Evaluate their effectiveness to inform implementation 

Risks identified during this assessment will typically fall into broader risk categories, which can be helpful for understanding how different types of risk relate to one another. The Federal Financial Institutions Examination Council (FFIEC) specifically calls out the following categories for AML risk assessments in the financial industry: product risk, service risk, customer risk, and geographic risk. However, the council also notes that these categories should be unique to the institution based on size and structure. 

What does an AML risk assessment inform?

The findings of an AML risk assessment should be used to inform AML processes and practices. (The assessment should be informed by current processes as well.) This includes, but isn’t limited to:

AML risk assessment vs. customer risk assessment 

Your business is the subject of an AML risk assessment. In contrast, your customers are the subject of customer risk assessments with the intention of measuring an individual’s risk of money laundering. 

Customer risk assessment typically occurs during onboarding and throughout the customer lifecycle as necessary. KYC, CDD, and transaction monitoring are all parts of customer risk assessment.

With this in mind, your customer risk assessment process can be thought of as a product of your AML risk assessment, which informs how you assess customer risk.

Why are AML risk assessments required?

Banks and other financial institutions are required by law to have adequate controls in place to mitigate the likelihood that bad actors will be able to launder money through their products, platforms, and services, and to implement a risk-based approach to anti-money laundering. Most countries have implemented laws and regulations, which we’ve covered in this guide to global AML, to combat money laundering and terrorist financing. 

In order to implement a risk-based approach, you must first understand your money laundering risk profile. You can develop and complete your profile through an AML risk assessment and then implement processes to address the risks. 


Money laundering risk factors to consider

Not every business is exposed to the same type or scale of money laundering risk. To assess your risk profile, the Financial Action Task Force (FATF) recommends taking the following factors into account:

The nature, scale, diversity, and complexity of the business

Your money laundering risk can vary significantly depending on size. Your number of employees, customers, and jurisdictions you operate in all contribute to your risk profile. Organizational complexity and diverse product offerings also present more opportunity for bad actors to infiltrate your business and conceal money laundering activity.

Target markets

Your risk profile can also vary significantly depending on the types of customers you target — for example, if you target a certain industry, or if you primarily work with B2B or B2C customers.

The number of customers already identified as high risk

The number of existing customers, clients, or users that you’ve flagged as being a high risk for money laundering should be considered as you evaluate your overall risk profile. 

The jurisdictions you are exposed to (through your activities or your customers’)

Certain jurisdictions are considered to pose a higher risk for money laundering, terrorist financing, and other financial crimes. This includes countries and regions experiencing high levels of corruption and organized crime, as well as countries without sufficient anti-money laundering controls. 

An up-to-date database of high-risk countries identified by the FATF can be found here

Distribution channels

How you acquire your customers and distribute your products and services, and whether you handle CDD and KYC processes internally or through the use of third parties can all impact your risk profile.

Internal audit and regulatory findings

If you’ve recently conducted an internal audit, the results of this audit should inform your risk assessment, as should any regulatory actions taken against your business. 

The volume and size of transactions

A higher volume of transactions generally increases your risk, as does the presence of larger transactions potentially designed to skirt reporting and recordkeeping requirements. 

Putting your AML risk assessment into practice

Once you’ve conducted your risk assessment and documented your findings, your task becomes implementing AML processes, tools, and strategies wherever known risk exists in your business. 

At Persona, we understand just how critical having a clear, complete picture of your customers’ identities is to mitigating your business’s AML risk. That’s why we’ve built a comprehensive, configurable suite of fintech identity tools you can leverage to suit your risk profile and requirements.

Leverage our Verifications solution during customer onboarding and identity verification (IDV), as well as for periodic reverification to mitigate the threat of account takeover fraud. Supplement your IDV processes with Reports for a richer understanding of your customer risk. Deploy Graph, our link analysis tool, to root out bad actors who may have already opened an account with your business. Design a custom manual review process with Cases, our all-in-one investigation dashboard.

And because Persona automatically tracks customer history and internal decision-making, you can rest easy knowing that you’ll have a full record of exportable data to share with regulators and auditors if it ever becomes necessary.

Interested in learning more? Start for free or get a custom demo today.

Frequently asked questions

What are the common categories of AML risk assessment?

According to the FATF, businesses subject to AML regulations should consider the following risk factors in evaluating money laundering risk:

  • The nature, scale, diversity, and complexity of its business
  • Target markets
  • The number of customers already identified as high risk
  • The jurisdictions it is exposed to (through its own activities or those of its customers)
  • Distribution channels
  • Internal audit and regulatory findings
  • The volume and size of transactions

What triggers an AML investigation?

Most AML investigations are triggered when an account engages in suspicious or unusual activity, which is detected via transaction monitoring. Examples include:

  • Large transactions
  • An unusually high number of transactions for a given account
  • International wire transfers, especially to high-risk countries 
  • Transactions that appear structured to avoid detection

Virtually any activity that seems unusual can be enough to trigger an AML investigation.

How often should businesses conduct AML risk assessments?

According to the FFIEC, a business should update its risk assessment whenever it experiences an event that could change its AML risk. 

Expansion into a new geography, launching a new product or service, or undergoing a merger or acquisition are good moments for reassessment. 
