What are the elements of an AML risk assessment program and how should they fit together to help banks identify and mitigate AML risks?

As we discussed in the first blog of this series, banks should have (or should develop) AML risk assessment programs that identify: a) the bank’s inherent risks across a range of categories; b) the level of risk that is acceptable in line with the bank’s risk appetite; c) gaps that exist between these levels; and d) the steps and controls needed to mitigate identified risk.

This can be seen as a three-phase process:


  • Phase I – The bank defines and identifies its risk appetite and agrees upon the risk factors to be assessed. It notes the specific products, services, customers, entities and geographic locations unique to the bank and determines their weighting in relation to the bank’s business model.
  • Phase II – The bank determines inherent risk to the firm through a detailed analysis of the data obtained on the specific risk factors. It then augments these findings with the output from internal audits and regulatory examinations. The aggregated data is assessed to determine whether existing controls are strong enough to address the firm’s inherent risk and remain aligned with its risk appetite.
  • Phase III – The bank takes steps to mitigate risks, beginning by communicating and reporting its findings on identified issues. It develops action plans to resolve these issues, with a focus on implementing controls needed to avoid, mitigate or reduce the inherent risks of the firm.

Regulations require banks to periodically assess the AML risks of their individual business units, and require banks with a consolidated AML compliance program to conduct an enterprise-wide assessment. In my next blog I will look at how such programs can be structured for greater efficiency and effectiveness.

