The AML Risk Assessment

The AML Risk Assessment


The economic downturn has taken a toll on financial institution balance sheets and income statements, and the attention of risk managers and regulators has been focused – rightfully – on safety and soundness issues. This focus, however, does not mean that anti-money laundering (AML) and related issues have decreased in importance. Indeed, many of the enforcement actions currently being issued by the banking regulators contain provisions requiring improvements to risk management programs for AML and Office of Foreign Assets Control (OFAC) compliance. The starting point for a strong risk management program is an accurate and thorough AML/OFAC risk assessment.

Challenges and Opportunities

AML and OFAC present a variety of risks from multiple perspectives (e.g., reputational, operations) and from multiple sources (e.g., products, customers, geography) that must be identified proactively, evaluated and managed as required by the applicable regulations and as a matter of safe and sound operation. The starting point of any risk management program is the identification and assessment of the risks to be managed. The FFIEC’s BSA/AML Examination Manual and FinCEN’s BSA/AML Examination Manual for Money Services Businesses provide extensive guidance on conducting a risk assessment, but there are additional considerations that help institutions “get it right.”

Effectively and efficiently assessing AML and OFAC risks in the best of times requires planning, resources and coordination, and in this environment it is even more challenging with resource pressures combined with ongoing regulatory scrutiny. At the same time, many institutions are expanding the AML/OFAC risk assessment to include additional risks related to fraud, payment identification and other issues.

Our Point of View

Financial institutions can more accurately and efficiently assess their AML/OFAC risks and productively support their risk management programs by keeping the following principles and guidelines in mind:

  • Develop and use a standard methodology and format to promote consistency across the organization and also year over year.
  • Take an enterprisewide view of AML/OFAC risks, covering all business lines and functional units, and incorporate this view into the overall risk assessment of the institution.
  • Ensure that the institution’s risk philosophy is articulated clearly and understood by everyone working on the risk assessment.
  • Rely on the guidance in the regulatory authorities’ examination manuals and augment this guidance by asking other institutions for ideas – AML officers usually are open to sharing ideas with other institutions because of the shared goal of compliance.
  • Assess the inherent quantity of risk for various categories, such as customers, products and geographies, then adjust this inherent risk by the quality of risk management for that category to arrive at a residual risk rating that is a more accurate representation of the organization’s exposure.
  • Assign a direction of risk rating to rated areas to incorporate a forward-looking element to the risk assessment.
  • Support and substantiate the risk assessment as much as possible with hard data, facts and references.
  • Establish a regular schedule for updating the risk assessment, and amend it immediately upon certain triggering events, such as acquisitions, mergers, new product introductions and automated support system changes.
  • Keep it simple but appropriate to the institution’s needs – an overly complex approach detracts from the utility of the risk assessment.
  • Document the methodology and results so that others, e.g., regulators and auditors, can understand how conclusions were reached.

How We Help Companies Suceed

​Our Regulatory Risk Consulting practice can help financial institutions strengthen their AML/OFAC risk assessments by:

  • Bringing our knowledge of leading industry practices to our engagements
  • Applying our experience with regulatory reviews of risk assessments
  • Developing a comprehensive methodology for risk assessments
  • Identifying sources of risk and assessing risk mitigating controls
  • Locating data, reference material and quantitative information to support the risk assessment
  • Identifying emerging issues that may influence the risk assessment

Our Regulatory Risk Consulting practice professionals are former regulators and industry executives who have the necessary experience, expertise and insight to assist financial institutions in building and refining risk assessments that effectively drive successful AML/OFAC compliance programs.


Reviewing a bank’s AML/OFAC risk assessment during an annual audit, we noted that the assessment did not adequately assess, describe or evaluate the quality of risk controls in place. As a result, the determination of residual risk was neither substantiated nor accurate. We provided guidance to the bank on ways to address the needed improvements to its risk assessment. As a result, risks were evaluated more accurately and the institution’s AML program focused more appropriately on areas of higher risk.


Carol Beaumier
John Atkinson
Shaun Creegan
​ +1.212.708.6362

Ready to work with us?