
How to conduct an exam-proof BSA/AML risk assessment

Kevin Gulledge, CAMS
Terri Luttrell, CAMS-Audit, CFCS
March 29, 2023

Best practices for your BSA/AML risk assessment

Learn top tips for creating a risk assessment to capture your institution's risk. 

You might also like this resource: "BSA/AML risk assessment checklist."


Has your financial institution started your annual process for updating your anti-money laundering/countering the financing of terrorism (AML/CFT) risk assessment?

Determining where to start can be difficult if you are a new BSA Officer creating a risk assessment from scratch. Although there is no written regulatory requirement for a financial institution to conduct a risk assessment, the expectations of having one are clear. An institution must understand its risk profile to create a risk-based AML/CFT program. The evaluation process can be daunting, but it doesn't have to be with guidance from the Federal Financial Institutions Examination Council (FFIEC). The following steps for creating or updating your AML/CFT risk assessment should ensure you understand your institution's risk.

Step one

Document the BSA/AML risk assessment

Documentation is one of the most critical aspects of performing a risk assessment: the analysis of the institution's risk can only be adequately supported with supporting documents. Documenting the assessment process may be as simple as creating a Microsoft Word or Excel file, or an institution can use more sophisticated software to automate the risk assessment detail. All working papers should be attached to the file, regardless of how critical that analysis was to the process.

According to the FFIEC, there are no required risk categories, and the number and detail of these categories vary based on the bank or credit union's size or complexity. At a minimum, the AML/CFT risk assessment should provide an analysis of the following risk factors for the financial institution:

  • Products and services
  • Geography
  • Customer or member base
  • Transactions
  • FinCEN Priorities
  • Staffing
  • Regulatory audits and exams

In addition, an Office of Foreign Assets Control (OFAC) risk assessment may be completed within this process but is sometimes completed separately from the AML/CFT risk assessment. Either way is acceptable if the board of directors thoroughly evaluates and approves OFAC and AML/CFT risk assessments.

Step two

Identify inherent risk vs. residual risk

Inherent risk is the risk that an activity or factor poses to the financial institution before any management or risk mitigation tools are applied. Each of the above categories should be evaluated before mitigating factors are considered. After adjusting the inherent risk for the institution's risk management controls, residual risk represents the bank or credit union's current risk. Residual risk is where any gaps in controls will be identified and where you will determine whether there are further mitigation steps to take or whether the institution is willing to accept the risk.

Determining the strength of the financial institution's mitigating controls can be accomplished by rating on a tiered basis. This will help decide whether to accept the residual risk as the risk assessment supports. Controls can be graded on a scale with the following descriptors:

  • Strong mitigating controls: covers all bases for the risk of this service or activity; leaves no gaps in monitoring
  • Adequate mitigating controls: does just enough to mitigate risk; may or may not be missing some items
  • Weak mitigating controls: does nothing or has a very weak, perhaps manual process in place

For example, a financial institution that processes outgoing international wires for customers carries inherent risk from that activity. However, the institution has automated software that monitors this activity, scans the wires for OFAC violations at the time of the transaction, validates wire transactions in its AML software daily, and provides a quarterly process to review all international wires. This example is a situation with a "high" inherent risk and "strong" mitigating controls.

Step three

Classify the risks

A service or product with an inherent risk can be scored on a 1 to 3 or 1 to 5 sliding scale. A "high" inherent risk would be scored 3. Meanwhile, the mitigating controls should help reduce the score. In the example above, processing outgoing international wires is a "high" inherent risk, scoring 3 points, using a 1–3-point scale. The financial institution has "strong" mitigating controls, which lowers the product or service's inherent risk score from 3 points to 1 point. If the financial institution had weak mitigating controls, the 3 points would stay 3. If mitigating controls were "adequate," the score would lower from 3 to 2.

Determining whether the risk is increasing, decreasing, or stable is crucial to understanding the actual risk for the FI. What are some factors to help determine if the risk is stable, increasing, or decreasing? Using the international wire example, questions to consider could include the following:

  • Have the volumes increased year-over-year, diminished, or stayed the same?
  • Have your mitigating controls become more sophisticated?
  • Is the financial institution growing in asset size and customer or member base year-over-year, or are they similar?
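A worked version of the scoring in step three, written for this page as an added example (it is not code from the article or from Abrigo). It applies the article's 1-to-3 rule for a "high" inherent risk: strong controls lower the score from 3 to 1, adequate controls lower it to 2, weak controls leave it at 3. Two things are assumptions of this example rather than the article's: the same reductions are extended to medium (2) and low (1) inherent risk with a floor of 1, and the increasing/decreasing/stable trend is derived from a year-over-year volume change outside a plus or minus 10% band. Each output row also records the working paper that supports the rating, since the article stresses that every rating must be documented.

```python
"""Residual-risk scoring for an AML/CFT risk assessment (added example).

Not the article's or Abrigo's code. Applies the article's 1-to-3 scale:
"high" inherent risk scores 3; "strong" controls lower it to 1, "adequate"
to 2, "weak" leave it at 3. Extending the same reductions to medium and low
inherent risk (floored at 1) and the +/-10% trend band are assumptions here.
"""
from dataclasses import dataclass

INHERENT_SCORE = {"low": 1, "medium": 2, "high": 3}
CONTROL_REDUCTION = {"strong": 2, "adequate": 1, "weak": 0}
SCORE_LABEL = {1: "low", 2: "medium", 3: "high"}


@dataclass
class RiskFactor:
    name: str             # product, service, geography, customer type, ...
    inherent: str         # "low" | "medium" | "high"
    controls: str         # "strong" | "adequate" | "weak"
    volume_prior: float   # prior-year volume, for the trend question
    volume_current: float
    evidence: str         # working paper that supports the ratings


def residual_score(inherent: str, controls: str) -> int:
    """Inherent score minus the control reduction, never below 1."""
    return max(1, INHERENT_SCORE[inherent] - CONTROL_REDUCTION[controls])


def trend(prior: float, current: float, band: float = 0.10) -> str:
    """Increasing / decreasing / stable from year-over-year volume change."""
    if prior == 0:
        return "increasing" if current > 0 else "stable"
    change = (current - prior) / prior
    if change > band:
        return "increasing"
    if change < -band:
        return "decreasing"
    return "stable"


def assess(factors: list[RiskFactor]) -> list[dict]:
    """One documented row per factor: inherent, controls, residual, trend."""
    rows = []
    for f in factors:
        score = residual_score(f.inherent, f.controls)
        rows.append({
            "factor": f.name,
            "inherent": f.inherent,
            "controls": f.controls,
            "residual": SCORE_LABEL[score],
            "residual_score": score,
            "trend": trend(f.volume_prior, f.volume_current),
            "evidence": f.evidence,
        })
    return rows


def control_gaps(rows: list[dict]) -> list[str]:
    """Factors whose residual risk stays high: candidates for further
    mitigation or for an explicit, board-approved decision to accept."""
    return [r["factor"] for r in rows if r["residual_score"] == 3]


# Constructed sample input for illustration; not real institution data.
SAMPLE_FACTORS = [
    RiskFactor("Outgoing international wires", "high", "strong", 1200, 1350,
               "wire-monitoring report; quarterly review memo"),
    RiskFactor("Monetary instruments sold to non-accountholders", "high", "weak",
               80, 140, "teller log export"),
    RiskFactor("Domestic ACH", "medium", "adequate", 50000, 51000,
               "ACH volume report"),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_FACTORS)
    for row in rows:
        print(f'{row["factor"]:<48} inherent={row["inherent"]:<6} '
              f'controls={row["controls"]:<8} residual={row["residual"]:<6} '
              f'trend={row["trend"]}')
    print("control gaps:", control_gaps(rows))
```

Running the module prints one row per factor; in the constructed sample, the wires line scores "low" residual risk with an increasing trend, while monetary instrument sales to non-accountholders remain "high" and are listed as a control gap.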

Analyzing risk factors

Risk factor review

The following sections provide additional detail and potential questions to aid in analyzing each risk factor as part of the AML/CFT risk assessment.

Products and services

Understanding the financial institution's products and services involves knowing how many customers or members use these services and the risks involved in those products or services. For example, the following questions may be asked:

  • Does the FI offer the sale of monetary instruments?
  • Are monetary instruments allowed to be sold to non-accountholders?
  • Do you allow customers or members to send outgoing international wires?
  • If so, how is this monitored?
  • How many accounts and to which countries are they sent?
  • Do you offer services to those without a Tax ID Number (TIN)?
  • If so, how many customers or members?

Although not all-inclusive, other products and services that you may want to include in your review are:

  • Foreign correspondent accounts
  • Special use accounts
  • Trade finance
  • Bulk cash
  • Consumer or business loan portfolios
  • Online account access/opening
  • ATM services
  • Remote deposit capture

Remember, it’s essential to understand whether these volumes are increasing or decreasing and what controls are in place to mitigate the inherent risk. Once again, all supporting documentation of your analysis must be retained.

Geography

To analyze geography, understanding the branch footprint of the financial institution is critical. Specific questions to ask include:

  • What are the area's populations of cities and towns?
  • Are the branches located within High-Intensity Financial Crime Areas or High-Intensity Drug Trafficking Areas?
  • Does the financial institution have a presence on the U.S.-Mexico border?
  • Does the institution file many suspicious activity reports (SARs) annually compared to the other institutions in the same geographical area? If not, what might be the reason?

Determine whether these volumes are increasing or decreasing and what controls the bank or credit union has for each.

Customer or member base

The customer or member base should be evaluated on several factors, such as the number of high-risk customers or members of the financial institution. Consider the following types of customers in your account base:

  • Non-Resident Aliens (NRAs)
  • Politically exposed persons (PEPs)
  • Cash-intensive businesses (including marijuana-related businesses)
  • Money Services Businesses (MSBs)
  • Virtual currency exchanges
  • Non-bank financial institutions (NBFIs)
  • Professional service providers

In addition, the risk assessment will want to include assessing how well the financial institution collects beneficial ownership information and whether the customer due diligence (CDD) and enhanced due diligence (EDD) processes are sufficient. Again, determine if these volumes are increasing or decreasing and what controls are in place. These questions must be answered to understand the customer or member risk fully.

Transactions

Transactions will require a review of both volumes and frequencies. Analyze processes such as:

  • Number of currency transaction reports (CTRs) filed annually
  • Number of SARs filed annually
  • Volumes and frequencies of international wires compared to domestic
  • Number of international ACH transactions compared to domestic transactions
  • The volume of Private ATM customers, if any
  • The volume of loan transactions

FinCEN Priorities

FinCEN issued eight National AML/CFT priorities in June 2021. Each of the following priorities should have a section within the risk assessment addressing the institution’s risk and any mitigating factors available for each risk:

  • Corruption
  • Cybercrime and related cybersecurity, including virtual currency considerations
  • Foreign and domestic terrorist financing
  • Fraud
  • Transnational criminal organizations (TCO) activity
  • Drug trafficking organizations (DTO) activity
  • Human trafficking and human smuggling
  • Proliferation financing (weapons and materials of mass destruction)

Staffing

Adequate compliance staffing is critical to any AML program. When analyzing human resources for your risk assessment, consider the following:

  • Number of full-time and part-time employees in AML function
  • How these numbers compare to the previous year
  • Qualifications and experience level of the AML staff
  • What training is provided for the team (and the financial institution staff more broadly)
  • Whether background checks are conducted when hiring

Regulatory audit and exams

Regulatory audit and exam results give a picture of your AML program's health and any gaps that may be present in the program. If the institution has a history of violations, particularly repeat findings, the risk of the financial institution should be increased in the risk assessment. If the board of directors has been adequately apprised of the audit or exam outcomes and repeat violations still occur, this could indicate a need for a stronger culture of compliance, which will ultimately lead to further increased risk. An audit or exam should also address the following items:

  • Policies and procedures should be checked and updated when necessary.
  • A designated officer should be appointed and approved by the board of directors as responsible for AML/CFT and OFAC compliance.
  • SARs and CTRs should be filed regularly and promptly, following FinCEN guidelines.

OFAC

Adequate OFAC compliance is essential for mitigating a financial institution's risk. A robust OFAC risk assessment supporting the program is critical to avoid costly monetary penalties or regulatory consent orders. Certain transactions, such as wire transfers and ACH, must be checked for OFAC matches before being sent. A financial institution should have a clear set of policies and procedures for OFAC compliance and provide training to all stakeholders. If the institution has a history of OFAC violations, the OFAC risk should be classified as elevated and the mitigating controls tightened accordingly.

Get ready for upcoming exams with this webinar, "AML/CFT hot topics for 2023: Are you prepared?"



Cover all the bases with risk assessment support

The above considerations only cover some aspects of evaluating and documenting a financial institution’s risk. However, they should provide a solid roadmap to completing a thorough risk assessment so that management understands the actual risk profile of the institution. Some financial institutions need assistance creating or updating a risk assessment due to a lack of time, staffing, or expertise. Expert advisory consultants can partner with the financial institution to provide a risk assessment that evaluates and documents your aggregate risk profile and solidifies confidence in your AML/CFT program.

You might also like this resource, "BSA examination prep checklist."

About the Authors

Kevin Gulledge, CAMS

Senior Risk Management Consultant
Kevin Gulledge has over sixteen years’ experience in the retail banking sector, having worked with mid-sized and large international institutions in a variety of roles, including retail, operations, compliance, and BSA/AML. Since 2014, Kevin has served Abrigo customers as a Senior Risk Management Consultant, working with domestic and international institutions


Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.


About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.
