What are the elements of an AML risk assessment program and how should they fit together to help banks identify and mitigate AML risks?

As we discussed in the first blog of this series, banks should have (or should develop) AML risk assessment programs that identify: a) the bank’s inherent risks across a range of categories; b) the level of risk that is acceptable in line with the bank’s risk appetite; c) gaps that exist between these levels; and d) the steps and controls needed to mitigate identified risk.

This can be seen as a three-phase process:


  • Phase I – The bank defines and identifies its risk appetite and agrees upon the risk factors to be assessed. It notes the specific products, services, customers, entities and geographic locations unique to the bank and determines their weighting in relation to the bank’s business model.
  • Phase II – The bank determines inherent risk to the firm through a detailed analysis of the data obtained on the specific risk factors. It then augments these findings with the output from internal audits and regulatory examinations. The aggregated data is assessed to determine whether existing controls are strong enough to address the firm’s inherent risk and remain aligned with its risk appetite.
  • Phase III – The bank takes steps to mitigate risks, beginning by communicating and reporting its findings on identified issues. It develops action plans to resolve these issues, with a focus on implementing the controls needed to avoid, mitigate or reduce the inherent risks of the firm.

Regulations require banks to periodically assess the AML risks of their individual business units (and, for banks with a consolidated AML compliance program, to conduct an enterprise-wide assessment). In my next blog I will look at how such programs can be structured for greater efficiency and effectiveness.

For more information, view our presentation on how financial services firms can set up an effective AML risk assessment program.

AML Risk Assessment Process

4 responses:

  1. Learning a lot from AML Risk Assessment series, thank you Garikai!

    Could you please share your opinion on the big decisions some banks make in order to mitigate risk? For example, to exit certain high-risk business offerings (cash deposits, certain money market instruments, etc.). If we look at the other factors listed in phase I, this approach may continue further and end up in closing certain locations, saying no to high-risk customers, and the list can go on. This does not seem very sustainable to me. I would love to hear your thoughts on this.

    1. Zhana, thank you for your question. If I may re-phrase your question slightly, you are asking what sustainable processes banks have in order to mitigate risk.

      Firstly, most banks utilize “client committees” to review and approve new clients and the extension of business with existing clients. These committees act as tollgates to prevent potentially risky clients from being on-boarded at banks. Similarly, most banks leverage a “new products committee” to assess the profitability and risk of new products before they go to market.

      For existing clients, products, services, and transactions, the bank’s business strategy and risk appetite statement outline its accepted operating parameters. Where there are deviations from the risk appetite, i.e. residual risk is identified, enhancements to the control environment are required.

      However, if there are deviations from the strategy, then the bank should explore wholesale changes, for example exiting lines of business and/or withdrawing products, services, and transaction types either globally or within high-risk jurisdictions.

      With respect to exiting clients, this is usually due to the unacceptable reputational risk posed by the client to the institution. However, recently the cost to serve a client has become an operational driver in deciding whether to continue a relationship, especially when the client is unprofitable.

        1. Zhana, in addition to my prior response, to understand whether “de-risking” or the exit of high-risk customers will significantly reduce an institution’s residual risk in the risk assessment, it is important to consider the size and weighting of that specific product or service consumed by the customer, as well as the customer. For example, correspondent banking is a high-risk service offered by most financial institutions. If an institution were to exit a significant number of relationships that use this service, correspondent banking would still be a high-risk service offered; however, the weighting the service carries in the overall calculation of the residual risk of the firm would have changed. In this example you see that exiting customers from a product or service does not make the service lower risk. It would take a combination of product and service withdrawal and customer exit to move the enterprise residual risk, which would constitute a fundamental change in the bank’s strategy.
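A toy weighted model of the residual-risk argument made in the comment above, added here as an illustration; it is not the author's or any bank's methodology. The 1–5 rating scale, the constructed portfolio figures, the multiplicative control formula and the appetite threshold are all assumptions.

```python
"""Illustrative enterprise residual-risk model (added example, assumptions throughout).
Shows that exiting customers from a service changes that service's weighting in the
enterprise figure while the service itself keeps its high inherent rating."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskFactor:
    name: str
    inherent: float          # assumed inherent risk rating, 1 (low) .. 5 (high)
    exposure: float          # constructed volume figure; drives the weighting
    control_strength: float  # 0..1, share of inherent risk the controls mitigate


def weighting(factors):
    """Weight of each factor = its share of total exposure (Phase I weighting)."""
    total = sum(f.exposure for f in factors)
    return {f.name: f.exposure / total for f in factors}


def residual(f):
    """Residual risk of one factor after controls (assumed multiplicative model)."""
    return f.inherent * (1.0 - f.control_strength)


def enterprise_residual(factors):
    """Exposure-weighted residual risk across the portfolio (Phase II aggregate)."""
    w = weighting(factors)
    return sum(w[f.name] * residual(f) for f in factors)


def gap_to_appetite(factors, appetite):
    """Phase II gap: how far the aggregate sits above the stated risk appetite."""
    return max(0.0, enterprise_residual(factors) - appetite)


def exit_customers(factors, service, fraction):
    """Model customer exits: exposure to `service` shrinks; its rating does not."""
    return [replace(f, exposure=f.exposure * (1.0 - fraction)) if f.name == service else f
            for f in factors]


def withdraw_service(factors, service):
    """Model product withdrawal: the service leaves the portfolio entirely."""
    return [f for f in factors if f.name != service]


# Constructed portfolio: correspondent banking is the high-risk service of the example.
PORTFOLIO = [
    RiskFactor("correspondent banking", inherent=5.0, exposure=400.0, control_strength=0.5),
    RiskFactor("retail deposits", inherent=2.0, exposure=500.0, control_strength=0.6),
    RiskFactor("domestic wires", inherent=3.0, exposure=100.0, control_strength=0.7),
]
```

Exiting half the correspondent-banking relationships lowers the enterprise figure only through the weighting (0.40 to 0.25 of exposure); the service's own residual stays at 2.5, and only withdrawing the service removes it from the aggregate.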
