Building Blocks for an Effective AML Enterprisewide Risk Assessment



The risks of money laundering for a financial services company are indisputable. The types of customers served, the products and services provided and how these are delivered, as well as the geographic footprint of the company and location of its customers, all pose risks. For decades, the Financial Action Task Force (FATF), governments and regulators, and industry bodies such as The Wolfsberg Group have emphasised that anti-money laundering (AML) risk assessments are foundational underpinnings of a sound AML compliance programme.

As with other risk assessments performed by financial institutions (FIs), an enterprisewide AML risk assessment (EWRA) should evaluate an institution’s inherent risk and control environment to determine its residual risk to money laundering.

The outputs from the risk assessment help FIs prioritise resources to specific control functions and activities toward mitigating exposure to money laundering and terrorist financing risks (collectively referred to herein as ML risks). Armed with this information, FIs can take other necessary actions, including modifying their risk profiles if needed. For example, in certain cases, the outputs may result in an FI exiting a business it determines cannot be appropriately managed.

To be effective, risk assessments should be dynamic. They should be updated on a periodic basis to reflect variations in a risk profile that can occur due to changes in the business model (e.g., expansion into or withdrawal from a jurisdiction, launch of new products, acceptance of new customer types), regulatory requirements (e.g., expectations set forth in the European Union’s 5th Money Laundering Directive or in FinCEN’s Customer Due Diligence rule), or other emerging risks such as those posed by technological advancements.

The financial services industry has expended considerable effort and expense performing AML EWRAs. However, despite the consensus view that risk assessments are important, the timing and level of detail of regulator guidance and expectations for AML risk assessments have varied across the globe, adding to the industry’s challenge of getting the risk assessment process right, especially for those institutions that operate across borders.

For example, in the United States, the prudential bank regulators first issued substantive guidance in the inaugural version of the Federal Financial Examination Council’s (FFIEC) BSA/AML Examination Manual (2005). Since then, the expectations of both regulators and the industry have continued to evolve.

“A reasonably designed risk-based approach will provide a framework for identifying the degree of potential money laundering risks associated with customers and transactions and allow for an institution to focus on those customers and transactions that potentially pose the greatest risk of money laundering.”

— The Wolfsberg Group, Guidance on a Risk-Based Approach for Managing Money Laundering Risks, 2006

In the United Kingdom, the Financial Conduct Authority (FCA) continues to provide guidance on AML EWRA and, more broadly, financial crimes EWRA, offering examples of good practices to encourage FIs to complete EWRAs on an ongoing basis.

In Japan, the Financial Services Agency (FSA) first mandated AML risk assessments in February 2018. Many other countries have issued risk assessment guidance and expectations at various times.

Notwithstanding the differences in, and evolving nature of, published regulatory guidance, the financial services industry, with the support of bodies such as The Wolfsberg Group, has continued to build on its risk management capabilities. More advanced institutions are moving from historically qualitative (some might say subjective) approaches to AML EWRAs toward methodologies that blend qualitative and quantitative information to provide a much more holistic and supportable view of risk.

“Financial institutions in Japan are still in the early stages of developing their AML risk assessment methodologies and we expect their approaches will be iterative, as they address many of the same issues and challenges that U.S. and European financial institutions faced before them.”

— Masanobu Ishikawa, Managing Director, Protiviti Japan


The evolution in the AML EWRA process has not been easy and still presents significant challenges to many FIs.

Key among these challenges are:

This paper discusses each of the challenges along with possible solutions. While the paper is focused on AML EWRA, the principles behind the approaches listed can also be applied when performing similar assessments for sanctions and other financial crime-related risks.