AML/CTF Risk Assessment: Step 2 In Building An Effective AML/CTF Compliance Program

AML/CTF Risk Assessment

The second step in building an effective AML/CTF compliance program is to conduct a money laundering risk assessment. 

This matters because it gives the organization an overview of the specific AML risks it may be exposed to and makes it aware of potential deficiencies.  But let’s be more precise.

Step 2: AML/CTF Risk Assessment

The AML risk assessment serves three objectives:

Objective 1: The first objective is very obvious; it identifies the general and specific money laundering risks an organization faces.

Objective 2: The second objective is determining how these risks are mitigated by the organization’s AML/CTF compliance program controls.  Having said this, this requires that some sort of AML controls already be in place.  If your organization does not have any controls in place yet, the degree of AML risk mitigation is zero and it is about time to get cracking.

Objective 3: The third objective is establishing the residual risk that remains for the organization.  Now, what’s the residual risk? You have the AML risk; you have certain measures that mitigate that risk to some degree. What remains after applying the measures is the residual risk.


3 Steps to perform an AML Risk Assessment

So how do you perform an AML risk assessment?  There are numerous ways of how to do this, which differ across organizations and industries.  However, there is a conventional logic behind them. We will look at a general approach that can be used to conduct a money laundering risk assessment. 

As a general rule, the money laundering risk assessment should cover the entirety of the organization’s business. Still, it may be conducted in parts or as part of a rolling cycle with a particular focus.  

Now the AML risk assessment is performed in 3 phases.  Phase 1 is to determine the inherent risk. Phase 2 assesses the internal measures, and phase 3 is to derive the residual risk.

Step 1: Identifying The Inherent Risk

Let’s explore determining the inherent risk.  

The inherent risk represents the exposure to money laundering risk in the absence of any control environment being applied.

To identify the inherent risk, assessments across numerous risk categories are commonly undertaken, depending on the organization.  Common categories include clients, products and services offered, distribution channels, the geographies in which business is done, and what is usually called other qualitative risk factors.

Let’s spend a word or two on these example risk factors that might be assessed.

Clients
Let’s start with clients: To assess the inherent money laundering risk of a business division, unit, or business line, the client base and business relationships should be assessed.  The number of client types, industries, activities, professions, and businesses, alongside other factors, can increase or decrease money laundering risks.  The following categories can be used to stratify the client base and identify client risk factors: client type, ownership, industry, activity, profession, and business.

Products and Services

Next up are products and services: The volume of product types offered by the business and the associated KPIs should be determined or estimated.  Each product type should then be assigned a risk category, for example low, moderate, or high money laundering risk.  This data can then be used to determine what percentage of product types falls into each risk classification.  You might, for example, see that 25% of your products have a moderate money laundering risk.

Delivery Channels

Then we have channels: Some delivery channels can increase money laundering risk because they increase the risk that the identity and activities of the clients can be disguised.  Consequently, it should be assessed whether, and to what extent, the method of account origination or account servicing could increase the inherent money laundering risk.

Geographies
Next up are geographies: Identifying geographic locations that may pose a higher risk is a core component of any inherent risk assessment.  Doing business in certain geographic locations can be associated with a higher risk of money laundering.  For the geographic risk evaluation, you can use lists from the FATF or other organizations.

Additional Risk Factors

Finally, additional risk factors can impact operational risks and contribute to an increasing or decreasing likelihood of breakdowns in key AML controls.  Qualitative risk factors directly or indirectly affect the inherent risk factors.  For example, strategic and operational changes, or opening a new location, may affect the inherent risk.


Step 2: Evaluating The Internal Measures

Let’s move on to phase 2 of the money laundering risk assessment.  Once the inherent risks have been identified and assessed, internal controls must be evaluated to determine how effectively they offset the overall risks.  Controls are programs, policies, or activities put in place by the organization to protect against the materialization of a money laundering risk.  These controls are also used to maintain compliance with applicable AML regulations.  AML controls are usually assessed across different control categories.  Typical categories include corporate governance, policies, procedures, monitoring and control, employee training, and detection and SAR filing.  Each of these areas is assessed for overall design and operating effectiveness.

There may be both positive and negative indicators of control execution.  These should be documented to assess the operating effectiveness of each control.

Let us take an example: For training, certain elements are required to be present within an effective training framework.  As such, the control assessment will focus on each of these elements, such as whether staff training needs have been assessed, whether specialist training is provided for key roles, or whether training is being completed on time.  The organization must assess whether each element operates satisfactorily, needs improvement, or is deficient.

The results for each control category are associated with a score reflecting the relative strength of that control.  Each category can then be assigned a weighting based on the importance that the institution places on that control.  The resulting overall control score is used in Phase 3.

Step 3: Determining The Residual Risk

Okay, so once both the inherent risk and the effectiveness of the internal control environment have been considered, the residual risk can be determined.  Residual risk is the risk that remains after controls are applied to the inherent risk.  It is determined by balancing the level of inherent risk with the overall strength of the risk management controls.  The residual risk rating indicates whether the money laundering risks within the organization are adequately managed.

It is general practice to apply a 3-tier rating scale to evaluate the residual risk as High, Moderate, or Low.  Any other rating scale could also be used, for example a 5-point scale of Low, Low to Moderate, Moderate, Moderate to High, and High.  But a 3-tier rating scale is the most common.
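One way to put the three phases above (inherent risk by category, weighted control scores, residual risk on the 3-tier scale) into a scoring model, as an added example that is not part of the original article: the numeric scales, weights, cut-offs, the residual-risk matrix and the sample ratings are all assumptions chosen for illustration, not a regulatory standard.

```python
# Added example, not from the original article. All scales, weights, cut-offs,
# the residual-risk matrix and the sample ratings below are assumptions.

INHERENT_SCORE = {"low": 1, "moderate": 2, "high": 3}  # assumed 3-tier inherent scale
CONTROL_SCORE = {"deficient": 0.0, "needs improvement": 0.5, "satisfactory": 1.0}

# Assumed residual-risk matrix: (inherent tier, control strength) -> residual tier.
RESIDUAL_MATRIX = {
    ("High", "strong"): "Moderate", ("High", "adequate"): "High", ("High", "weak"): "High",
    ("Moderate", "strong"): "Low", ("Moderate", "adequate"): "Moderate", ("Moderate", "weak"): "High",
    ("Low", "strong"): "Low", ("Low", "adequate"): "Low", ("Low", "weak"): "Moderate",
}


def inherent_tier(category_ratings):
    """Phase 1: average the per-category ratings (clients, products, channels, ...)."""
    avg = sum(INHERENT_SCORE[r.lower()] for r in category_ratings.values()) / len(category_ratings)
    return "Low" if avg < 1.67 else "Moderate" if avg < 2.34 else "High"


def control_strength(control_ratings):
    """Phase 2: weighted control effectiveness; each value is (rating, weight)."""
    total_weight = sum(w for _, w in control_ratings.values())
    score = sum(CONTROL_SCORE[r.lower()] * w for r, w in control_ratings.values()) / total_weight
    return "strong" if score >= 0.75 else "adequate" if score >= 0.5 else "weak"


def residual_tier(category_ratings, control_ratings):
    """Phase 3: balance inherent risk against control strength via the matrix."""
    return RESIDUAL_MATRIX[(inherent_tier(category_ratings), control_strength(control_ratings))]


def control_gaps(control_ratings):
    """Controls rated below 'satisfactory', i.e. the remediation list the results feed."""
    return [name for name, (rating, _) in control_ratings.items() if CONTROL_SCORE[rating.lower()] < 1.0]


# Constructed sample ratings for a hypothetical business line.
SAMPLE_INHERENT = {"clients": "high", "products": "moderate", "channels": "high",
                   "geographies": "moderate", "qualitative": "low"}
SAMPLE_CONTROLS = {"governance": ("satisfactory", 2), "policies": ("satisfactory", 1),
                   "procedures": ("needs improvement", 1), "monitoring": ("needs improvement", 2),
                   "training": ("deficient", 1), "detection and SAR filing": ("satisfactory", 2)}

if __name__ == "__main__":
    print(inherent_tier(SAMPLE_INHERENT), control_strength(SAMPLE_CONTROLS),
          residual_tier(SAMPLE_INHERENT, SAMPLE_CONTROLS), control_gaps(SAMPLE_CONTROLS))
```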

Using the AML Risk Assessment Results

Now that you have performed an AML risk assessment and have the results, what do you do with them? They can be used in an organization in many different ways.  Here are the top 5:

  1. First of all, they can be used to identify gaps or opportunities for improvement in AML policies, procedures, and processes.
  2. Second, they can be used to develop risk mitigation strategies, including appropriate internal controls, and to lower residual risk exposure.
  3. Third, they can support informed decisions about risk appetite and the implementation of control efforts, resource allocation, and technology spending.
  4. Next, they can be used to ensure senior management is aware of the key risks, control gaps, and remediation efforts.
  5. And last, they can be used to ensure regulators are made aware of the key risks, control gaps, and remediation efforts across the organization.

Final Thoughts

An AML/CTF risk assessment is the process of identifying risk and developing policies and procedures to reduce and manage that risk, as well as assessing the likelihood and severity of facilitating ML/TF through your service. Part A of your AML/CTF program necessitates the creation of a framework for identifying, prioritizing, treating, controlling, and monitoring risk exposures. When assessing the risks, it is critical to consider the likelihood and severity of facilitating ML/TF through your service.