
How to Conduct an Exam-Proof BSA/AML Risk Assessment

Kevin Gulledge, CAMS
December 7, 2021

Best practices for your BSA/AML risk assessment

Learn top tips for creating a risk assessment to capture your institution's risk. 


Has your financial institution started your annual process for updating your Bank Secrecy Act/anti-money laundering (BSA/AML) risk assessment?

If you are a new BSA Officer creating a risk assessment from scratch, determining where to start can be difficult. Although there is no written regulatory requirement for a financial institution to conduct a risk assessment, the expectation that you have one is clear. To build a risk-based AML program, an institution must understand its own risk profile. The evaluation process can be daunting, but it doesn't have to be with guidance from the Federal Financial Institutions Examination Council (FFIEC). The following steps for creating or updating your BSA/AML risk assessment should ensure you understand your institution's risk.

Step One
Document the BSA/AML risk assessment

Documentation is one of the more critical aspects of performing a risk assessment. Without supporting documents, the analysis of the institution's risk cannot be adequately supported. Documenting the assessment process may be as simple as creating a Microsoft Word or Excel file, or an institution can use more sophisticated software that automates creating the risk assessment detail. All working papers should be attached to the file, regardless of how critical that analysis was to the process.

According to the FFIEC, there are no required risk categories, and the number and detail of these categories vary based on the bank or credit union's size or complexity. At a minimum, the BSA/AML risk assessment should provide an analysis of the following risk factors for the financial institution:

  • Products and services
  • Geography
  • Customer or member base
  • Transactions
  • Staffing
  • Regulatory audits and exams

In addition, an Office of Foreign Assets Control (OFAC) risk assessment may be completed within this process but is sometimes completed separately from the BSA/AML risk assessment. Either way is acceptable if both OFAC and BSA/AML are thoroughly evaluated and approved by the board of directors.

Step Two
Identify inherent risk vs. residual risk

Inherent risk is the risk an activity or factor poses to the financial institution before any management or risk mitigation controls are applied. Each of the above categories should be evaluated before mitigating factors are considered. After adjusting the inherent risk for the institution’s risk management controls, residual risk represents the bank or credit union’s current risk. Residual risk is where any gaps in controls will be identified and where you will determine whether there are further mitigation steps to take or whether the institution is willing to accept the risk.

Determining the strength of the financial institution's mitigating controls can be accomplished by rating on a tiered basis, which will help decide whether to accept the residual risk as supported by the risk assessment. Controls can be graded on a scale with the following descriptors:

  • Strong mitigating controls: covers all bases for the risk of this service or activity; leaves no gaps in monitoring
  • Adequate mitigating controls: does just enough to mitigate risk; may or may not be missing some items
  • Weak mitigating controls: does nothing or has a very weak, perhaps manual process in place

For example, a financial institution that processes outgoing international wires for customers carries an inherent risk from that activity. However, suppose the institution has automated software that monitors this activity, scans the wires for OFAC matches at the time of the transaction, validates wire transactions in its AML software daily, and provides for a quarterly review of all international wires. This is a situation with a "high" inherent risk, along with "strong" mitigating controls.

Step Three
Classify the risks

A service or product with an inherent risk can be scored on a 1 to 3 or 1 to 5 sliding scale. A "high" inherent risk would be scored 3. Meanwhile, the mitigating controls should help reduce the score. In the example above, processing outgoing international wires is a "high" inherent risk, scoring 3 points, using a 1–3-point scale. The financial institution has "strong" mitigating controls, so this lowers the inherent risk score of the product or service down from 3 points to 1 point. If the financial institution had weak mitigating controls, the 3 points would stay 3 points. If mitigating controls were "adequate," the score would lower from 3 to 2.
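The scoring described above, as an added example that is not part of the original article: residual scores on the 1–3 scale for several risk factors, with review flags for the cases the article says to watch (residual risk that stays high, volumes that are increasing, and ratings with no working papers attached). The article only states the reductions for a "high" inherent risk; applying the same reductions to lower inherent scores, floored at 1, is an assumption made here, and the sample factors are constructed.

```python
# Added example (not from the article): residual-risk scoring on the
# article's 1-3 scale. Control strength reduces the inherent score as the
# article describes for a "high" (3) inherent risk: strong -> 1,
# adequate -> 2, weak -> 3. Applying the same reductions to lower inherent
# scores, floored at 1, is an assumption made here.
from dataclasses import dataclass

INHERENT = {"low": 1, "moderate": 2, "high": 3}
REDUCTION = {"strong": 2, "adequate": 1, "weak": 0}


@dataclass
class RiskFactor:
    name: str
    inherent: str             # "low" | "moderate" | "high"
    controls: str             # "strong" | "adequate" | "weak"
    trend: str = "stable"     # "increasing" | "decreasing" | "stable"
    evidence: tuple = ()      # working papers that support the rating


def residual_score(inherent: str, controls: str) -> int:
    """Inherent score minus the reduction earned by the control rating, never below 1."""
    return max(INHERENT[inherent] - REDUCTION[controls], 1)


def assess(factors):
    """Return the inherent and residual score for each factor plus review flags."""
    results = []
    for f in factors:
        residual = residual_score(f.inherent, f.controls)
        flags = []
        if residual == INHERENT["high"]:
            flags.append("residual risk remains high: accept it or add controls")
        if f.trend == "increasing" and f.controls != "strong":
            flags.append("rising volume without strong controls: re-evaluate")
        if not f.evidence:
            flags.append("no supporting documentation attached")
        results.append({"name": f.name, "inherent": INHERENT[f.inherent],
                        "residual": residual, "flags": flags})
    return results


# Constructed sample: the article's wire example plus two made-up factors.
SAMPLE = [
    RiskFactor("Outgoing international wires", "high", "strong", "increasing",
               ("OFAC screening log", "quarterly wire review")),
    RiskFactor("Monetary instrument sales to non-accountholders", "high", "weak", "stable"),
    RiskFactor("Remote deposit capture", "moderate", "adequate", "increasing",
               ("RDC limits report",)),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f"{r['name']}: inherent {r['inherent']}, residual {r['residual']}")
        for flag in r["flags"]:
            print("  -", flag)
```

Running the sample scores the wire activity 3 → 1 with no flags, leaves the unmitigated monetary-instrument sales at 3 with two flags, and drops remote deposit capture from 2 to 1 while still flagging its rising volume for re-evaluation.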

Determining whether the risk is increasing, decreasing, or stable is crucial to understanding the actual risk for the FI. What are some factors to help determine if the risk is stable, increasing, or decreasing? Using the international wire example, questions to consider could include:

  • Have the volumes increased year-over-year, diminished, or stayed the same?
  • Have your mitigating controls become more sophisticated?
  • Is the financial institution growing year-over-year in asset size and customer or member base, or are they similar?

Analyzing risk factors
Risk factor review

The following sections provide additional detail and potential questions to aid in conducting an analysis of each risk factor as part of the BSA/AML risk assessment.

Products and services

Understanding the financial institution's products and services involves knowing how many customers or members use these services, as well as the risks involved in those products or services. For example, the following questions may be asked:

  • Does the FI offer the sale of monetary instruments?
  • Are monetary instruments allowed to be sold to non-accountholders?
  • Do you allow customers or members to send outgoing international wires?
  • If so, how is this monitored?
  • How many accounts and to which countries are they sent?
  • Do you offer services to those without a Tax ID Number (TIN)?
  • If so, how many customers or members?

Although not all-inclusive, other products and services that you may want to include in your review are:

  • Foreign correspondent accounts
  • Special use accounts
  • Trade finance
  • Bulk cash
  • Consumer or business loan portfolios
  • Online account access/opening
  • ATM services
  • Remote deposit capture

Remember, for each of these, it’s important to understand whether these volumes are increasing or decreasing and what controls are in place to mitigate the inherent risk. Once again, all supporting documentation of your analysis must be retained.

Geography

To analyze geography, understanding the branch footprint of the financial institution is critical. Specific questions to ask include:

  • What are the area's populations of cities and towns?
  • Are the branches located within High-Intensity Financial Crime Areas or High-Intensity Drug Trafficking Areas?
  • Does the financial institution have a presence on the U.S.-Mexico border?
  • Does the institution file many suspicious activity reports (SARs) annually compared to the other institutions in the same geographical area? If not, what might be the reason?

Determine whether these volumes are increasing or decreasing and what controls the bank or credit union has in place for each.

Customer or Member Base

The customer or member base should be evaluated on several factors, such as how many high-risk customers or members the financial institution has. Consider the following types of customers in your account base:

  • Non-Resident Aliens (NRAs)
  • Politically exposed persons (PEPs)
  • Cash-intensive businesses (including marijuana-related businesses)
  • Money Services Businesses (MSBs)
  • Virtual currency exchanges
  • Non-bank financial institutions (NBFIs)
  • Professional service providers

In addition, the risk assessment should include an evaluation of how well the financial institution collects beneficial ownership information and whether the customer due diligence (CDD) and enhanced due diligence (EDD) processes are sufficient. Again, determine if these volumes are increasing or decreasing and what controls are in place. These questions will need to be answered to understand the customer or member risk fully.

Transactions

Transactions will require a review of both volumes and frequencies. Analyze processes such as:

  • Number of currency transaction reports (CTRs) filed annually
  • Number of SARs filed annually
  • Volumes and frequencies of international wires compared to domestic
  • Number of international ACH transactions compared to domestic transactions
  • The volume of Private ATM customers, if any
  • The volume of loan transactions

Staffing

Adequate compliance staffing is critical to any AML program. When analyzing human resources for your risk assessment, consider the following:

  • Number of full-time and part-time employees in AML function
  • How these numbers compare to the previous year
  • Qualifications and experience level of the AML staff
  • What training is provided for the team (and the financial institution staff more broadly)
  • Whether background checks are conducted when hiring

Regulatory Audit and Exams

Regulatory audit and exam results provide a picture of your AML program's health and any gaps that may be present in the program. If the institution has a history of violations, particularly repeat findings, the risk of the financial institution should be increased in the risk assessment. If the board of directors has been adequately apprised of the audit or exam outcomes and repeat violations still occur, this could indicate a lack of a strong culture of compliance, which will ultimately lead to further increased risk. The following other items should also be addressed within an audit or exam:

  • Policies and procedures should be checked and updated when necessary.
  • A designated officer should be appointed and approved by the board of directors as responsible for BSA/AML and OFAC compliance.
  • SARs and CTRs should be filed regularly and in a timely manner, following FinCEN guidelines.

OFAC

Adequate OFAC compliance is essential for mitigating a financial institution's risk, and a robust OFAC risk assessment supporting the program is critical to avoiding costly monetary penalties or regulatory consent orders. Certain transactions, such as wire transfers and ACH, must be checked for OFAC matches before being sent. A financial institution should have a clear set of policies and procedures for OFAC compliance and provide training to all stakeholders. If the institution has a history of OFAC violations, the OFAC risk should be classified as elevated and the mitigating controls tightened.

The above considerations do not cover every aspect of evaluating and documenting the risk of a financial institution. However, they should provide a solid roadmap to completing a thorough risk assessment so that management understands the actual risk profile of the institution. Some financial institutions find they need assistance creating or updating a risk assessment, whether due to a lack of time, staffing, or expertise. Expert advisory consultants can partner with the financial institution to provide a risk assessment that evaluates and documents your aggregate risk profile and solidifies confidence in your BSA/AML program.

About the Author

Kevin Gulledge, CAMS

Senior Risk Management Consultant
Kevin Gulledge brings over a decade of retail banking experience to Abrigo, having worked with mid-sized and large international institutions in a variety of roles, including retail, operations, compliance, and BSA/AML. Since 2014, Kevin has served Abrigo customers as a Senior Risk Management Consultant, working with domestic and international institutions

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.
