Anti-money laundering (AML) laws and regulations around the world require financial institutions and other businesses subject to those regulations to take a “risk-based approach” to their AML practices.
To do so, those businesses must first assess their own risk profile. This can be accomplished through an AML risk assessment, which then informs the business’s AML, know your customer (KYC), and customer due diligence (CDD) measures.
Below, we take a look at what an AML risk assessment is, how it differs from a customer risk assessment, and how you can create and implement one that works for your business.
What is an AML risk assessment?
An AML risk assessment is the process of understanding the likelihood of a bad actor successfully leveraging your products, services, or platform in order to engage in money laundering, tax evasion, terrorist financing, and other financial crimes.
The goal of an AML risk assessment is to:
- Identify the types of money laundering risk you’re subject to
- Determine the degree of this exposure
- Identify measures that can be taken to mitigate these risks
- Evaluate their effectiveness to inform implementation
Risks identified during this assessment will typically fall into broader risk categories, which can be helpful for understanding how different types of risk relate to one another. The Federal Financial Institutions Examination Council (FFIEC) specifically calls out the following categories for AML risk assessments in the financial industry: product risk, service risk, customer risk, and geographic risk. However, the council also notes that these categories should be unique to the institution based on size and structure.
What does an AML risk assessment inform?
The findings of an AML risk assessment should be used to inform AML processes and practices. (The assessment should be informed by current processes as well.) This includes, but isn’t limited to:
- Identity verification: Including your customer identification program (CIP) and general KYC processes
- Customer due diligence (CDD): Including procedures for both simplified due diligence (SDD) and enhanced due diligence (EDD)
- AML screening: Including screening for individuals on sanctions lists, on watchlists, and in politically exposed persons (PEP) databases
- Transaction monitoring: Including record keeping and reporting (suspicious activity reports, unusual activity reports, etc.)
- Internal policies: Including management accountability and employee training
- Oversight: Including independent testing and auditing
AML risk assessment vs. customer risk assessment
Your business is the subject of an AML risk assessment. In contrast, your customers are the subject of customer risk assessments, which are intended to measure an individual's risk of money laundering.
Customer risk assessment typically occurs during onboarding and throughout the customer lifecycle as necessary. KYC, CDD, and transaction monitoring are all parts of customer risk assessment.
With this in mind, customer risk assessment can be thought of as a product of your AML risk assessment, which informs how you assess customer risk.
Why are AML risk assessments required?
Banks and other financial institutions are required by law to have adequate controls in place to mitigate the likelihood that bad actors will be able to launder money through their products, platforms, and services, and to implement a risk-based approach to anti-money laundering. Most countries have implemented laws and regulations, which we’ve covered in this guide to global AML, to combat money laundering and terrorist financing.
In order to implement a risk-based approach, you must first understand your money laundering risk profile. You can develop and complete your profile through an AML risk assessment and then implement processes to address the risks.
Money laundering risk factors to consider
Not every business is exposed to the same type or scale of money laundering risk. To assess your risk profile, the Financial Action Task Force (FATF) recommends taking the following factors into account:
The nature, scale, diversity, and complexity of the business
Your money laundering risk can vary significantly depending on size. The number of employees, customers, and jurisdictions you operate in all contribute to your risk profile. Organizational complexity and diverse product offerings also present more opportunities for bad actors to infiltrate and conceal money laundering activities.
Target markets
Your risk profile can also vary significantly depending on the types of customers you target — for example, if you target a certain industry, or if you primarily work with B2B or B2C customers.
The number of customers already identified as high risk
The number of existing customers, clients, or users that you’ve flagged as being a high risk for money laundering should be considered as you evaluate your overall risk profile.
The jurisdictions you are exposed to (through your activities or your customers’)
Certain jurisdictions are considered to pose a higher risk for money laundering, terrorist financing, and other financial crimes. This includes countries and regions experiencing high levels of corruption and organized crime, as well as countries without sufficient anti-money laundering controls.
An up-to-date database of high-risk countries identified by the FATF can be found here.
Distribution channels
How you acquire your customers and distribute your products and services, and whether you handle CDD and KYC processes internally or through third parties, can all impact your risk profile.
Internal audit and regulatory findings
If you’ve recently conducted an internal audit, the results of this audit should inform your risk assessment, as should any regulatory actions taken against your business.
The volume and size of transactions
A higher volume of transactions generally increases your risk, as does the presence of larger transactions potentially designed to skirt reporting and recordkeeping requirements.
Putting your AML risk assessment into practice
Once you’ve conducted your risk assessment and documented your findings, your task becomes implementing AML processes, tools, and strategies wherever known risk exists in your business.
At Persona, we understand just how critical having a clear, complete picture of your customers’ identities is to mitigating your business’s AML risk. That’s why we’ve built a comprehensive, configurable suite of fintech identity tools you can leverage to suit your risk profile and requirements.
Leverage our Verifications solution during customer onboarding and identity verification (IDV), as well as for periodic reverification to mitigate the threat of account takeover fraud. Supplement your IDV processes with Reports for a richer understanding of your customer risk. Deploy Graph, our link analysis tool, to root out bad actors who may have already opened an account with your business. Design a custom manual review process with Cases, our all-in-one investigation dashboard.
And because Persona automatically tracks customer history and internal decision-making, you can rest easy knowing that you’ll have a full record of exportable data to share with regulators and auditors if it ever becomes necessary.