Skip to main content

Rethinking the AML/CFT risk assessment

Terri Luttrell, CAMS-Audit, CFCS
July 16, 2026
0 min read

What is an AML/CFT risk assessment?  

An AML/CFT risk assessment is the foundation of a financial institution's anti-money laundering and countering the financing of terrorism compliance program. It is the process of identifying, evaluating, and understanding the money laundering, terrorist financing, fraud, sanctions, and other illicit financial activity risks associated with an institution's customers, products, services, delivery channels, and geographic footprint. More importantly, the risk assessment provides the framework for designing controls, allocating compliance resources, and ensuring the institution's AML/CFT program remains aligned with its unique risk profile. 

Rethinking the AML/CFT Risk Assessment 

For many financial institutions, the AML/CFT risk assessment has traditionally been viewed as an annual milestone. Data is gathered, risk ratings are updated, a report is presented to senior management and the board, and then the document sits largely untouched until the next review cycle. 

That approach no longer reflects today’s financial crime landscape. Criminals continuously adapt their methods. New payment channels are emerging, digital banking is expanding customer access, and artificial intelligence (AI) is changing both how financial institutions detect suspicious activity and how criminals carry out fraud schemes. At the same time, regulatory expectations continue to evolve, emphasizing that institutions should understand how their unique risk profile changes over time rather than relying on a static assessment. 

The AML/CFT risk assessment has become the foundation of an effective financial crime program. Institutions that treat it as a living process rather than an annual exercise are better positioned to identify emerging risks, allocate resources strategically, and strengthen the overall effectiveness of their compliance programs. 

Staying on top of fraud is a full-time job. Let our Advisory Services team help when you need it.

Connect with an expert

How are regulatory expectations for risk assessments changing? 

This shift also aligns with regulatory expectations. The FFIEC BSA/AML Examination Manual emphasizes that an institution's risk assessment should identify and evaluate the specific risks it faces from money laundering, terrorist financing, and other illicit financial activities and serve as the foundation for a risk-focused compliance program.  

Every financial institution has a unique risk profile shaped by its customers, products, services, delivery channels, and geographic footprint. In the past, many of those risk factors evolved gradually. Today, meaningful changes can occur almost overnight. 

A community bank may introduce digital account opening. A credit union may expand its faster payment capabilities. Even relatively small business decisions can significantly change an institution’s exposure to money laundering, terrorist financing, fraud, and sanctions risks. 

External events reshape risk just as quickly. Criminal organizations rapidly adopt new technologies. AI is being used to create increasingly convincing phishing campaigns, synthetic identities, and social engineering attacks. Geopolitical conflicts create new sanctions requirements. Human trafficking networks adjust their methods, and fraud schemes that were uncommon just a year ago quickly become widespread. Financial institutions cannot afford to wait until the next annual review to evaluate these changes. 

If an institution’s understanding of risk remains unchanged while financial crime continues to evolve, gaps inevitably develop between actual exposure and the controls designed to manage that risk. 

Connected financial crime 

Another important shift is the growing recognition that fraud and AML/CFT risks are closely connected. Identity theft, account takeover, business email compromise, elder financial exploitation, and authorized fraud often represent the beginning of a much larger financial crime event. Once criminals obtain funds through fraud, they must move, conceal, or integrate those proceeds into the financial system.  

When fraud and AML/CFT teams operate independently, institutions often see only part of the story. Information uncovered during a fraud investigation may significantly influence customer risk ratings, transaction monitoring, or investigations into suspicious activity. Likewise, AML/CFT investigations frequently identify behavioral patterns that strengthen fraud detection efforts. 

Institutions should evaluate not only individual risks but also how those risks intersect across the organization. A more connected view of financial crime supports stronger investigations, better resource allocation, and a more complete understanding of emerging threats. 

 

How do risk assessments affect business decisions at an FI? 

The purpose of a risk assessment extends far beyond assigning risk ratings. An effective AML/CFT risk assessment provides the context for many of the most important decisions a financial institution makes. It influences staffing priorities, customer due diligencetransaction monitoring strategies, independent testing, employee training, and technology investments. More importantly, it helps leadership determine whether the institution’s current risk exposure remains consistent with its established risk appetite. 

As an institution’s risk profile changes, leadership should regularly evaluate whether existing controls remain appropriate for the level of risk the organization has chosen to accept. If new risks exceed that tolerance, leadership can strengthen controls, dedicate additional resources, or reconsider strategic initiatives before vulnerabilities become larger problems. 

When risk assessments actively support business planning, compliance becomes an enabler of responsible growth rather than simply a regulatory obligation. A risk assessment that actively shapes decision-making is not only more valuable to the institution but also more consistent with the direction regulators continue to encourage. 

What are the regulatory expectations for risk assessments? 

While regulations do not prescribe how often an AML/CFT risk assessment must be updated, institutions are expected to reassess risk whenever meaningful changes occur. The FFIEC examination procedures make clear that risk assessments should reflect the institution's current products, services, customers, geographic footprint, and delivery channels. As those elements change, institutions should evaluate whether their assessments and corresponding controls continue to reflect their risk profiles accurately. 

Regulators continue to emphasize effectiveness over documentation alone. Institutions are increasingly expected to demonstrate that their risk assessment informs the design of their controls, resource allocation, and monitoring activities rather than existing as a standalone compliance document. 

Examiners also expect compliance teams to have a seat at the table before strategic decisions are finalized. Bringing compliance into discussions early allows institutions to identify potential risks before they become operational challenges. It also helps ensure that new initiatives are designed with appropriate controls from the outset rather than requiring costly adjustments later. 

This collaborative approach positions compliance as a strategic business partner while demonstrating that risk management is fully integrated into organizational decision-making. 

 

How have technology and AI affected risk assessments? 

Maintaining a current understanding of institutional risk would be difficult using manual processes alone. Modern AML/CFT platforms enable continuous analysis of customer onboarding, transaction monitoring, fraud detection, sanctions screening, cybersecurity, and case management. However, technology is only as effective as the quality of the data supporting it. Institutions should regularly evaluate whether the information used throughout the risk assessment process is complete, accurate, and relevant. Collecting more data does not automatically produce better insights. The objective is to identify the information that truly reflects changing risk and to use it consistently to support sound decision-making. 

AI is also becoming an increasingly valuable component of risk assessment. As institutions adopt AI-driven tools, they should also ensure those models are appropriately governed, validated, and monitored over time. Effective governance builds confidence that AI produces reliable, explainable results while meeting regulatory expectations. 

Rather than relying exclusively on predefined rules, AI can identify subtle behavioral changes, emerging transaction patterns, and complex relationships that may otherwise go unnoticed. These capabilities help compliance teams recognize meaningful shifts in risk earlier and respond more effectively. 

Automation further strengthens the process by reducing the manual effort traditionally associated with risk assessments. Instead of spending valuable time gathering information from multiple systems, compliance professionals can focus on evaluating emerging risks, validating findings, and recommending actions that strengthen the institution’s overall control environment. 

The goal is not simply to process more information. It is to transform information into timely intelligence that supports better decisions. 

 

A Stronger AML/CFT Program 

The strongest AML/CFT programs are no longer centered on an annual risk assessment. They are built on continuous risk awareness. When institutions use the assessment to shape strategy, strengthen controls, and guide resource allocation, they can respond more effectively to emerging threats while supporting safe, sustainable growth. 

In an increasingly complex financial crime environment, a dynamic risk assessment is more than a regulatory expectation; it is a competitive advantage. Institutions that adopt this mindset are better positioned to protect customers, demonstrate a truly risk-focused compliance program, and adapt confidently to future challenges. 

Find out how to automate sanctions screening to reduce false positives.

Abrigo Intelligent Scan

FAQs

What does an AML/CFT risk assessment evaluate?

An AML/CFT risk assessment evaluates a financial institution’s exposure to money laundering, terrorist financing, fraud, sanctions, and other illicit financial activity. It considers customers, products, services, delivery channels, and geographic markets so the institution can design proportionate controls, allocate compliance resources, and keep its financial crime program aligned with its actual risk profile.

Why should an AML/CFT risk assessment be treated as a living process?

An AML/CFT risk assessment should be treated as a living process because customer behavior, payment channels, criminal methods, sanctions exposure, and digital threats can change faster than an annual review cycle. Ongoing risk awareness helps institutions identify gaps between current exposure and existing controls early enough to adjust monitoring, staffing, training, or strategy.

What events should trigger an AML/CFT risk assessment update?

Meaningful changes to an institution’s risk profile should trigger a full or partial AML/CFT risk assessment update. Common triggers include launching new products, entering new markets, adding customer types, expanding digital account opening or faster payments, completing a merger, or encountering significant changes in criminal activity, technology, or sanctions requirements.

Why should fraud and AML/CFT teams share risk information?

Fraud and AML/CFT teams should share information because fraud proceeds often must be moved, concealed, or integrated through the financial system. Connecting insights from identity theft, account takeover, business email compromise, elder exploitation, and similar investigations can improve customer risk ratings, transaction monitoring, suspicious activity investigations, and the identification of broader financial crime patterns.

How can AML/CFT risk assessments support strategic business decisions?

AML/CFT risk assessments support strategic decisions by informing staffing, customer due diligence, transaction monitoring, independent testing, training, technology investments, and control design. They also help leadership compare current exposure with the institution’s risk appetite and determine whether to strengthen controls, allocate additional resources, or reconsider an initiative before risk exceeds acceptable levels.

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Abrigo
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.