AML Risk Assessment Template
- Jan Westphal
- Feb 22
- 4 min read
Updated: Apr 14
In this article you will learn, step by step, how an institution obliged under anti-money laundering (AML) and countering the financing of terrorism (CFT) rules should conduct its self-risk assessment in accordance with the EU 4th AML Directive (Chapter 1, Section 2, Article 8), the EU AML Regulation (Chapter 2, Section 1, Article 10), FATF Recommendation 12, or the relevant national legislation.
You will also see how the Risk Assessment Assistant, a professional tool for conducting a self-risk assessment, can help you with this.

Remember! The Self-Risk Assessment must be in the form of a formal document (paper or electronic). You cannot create it ad hoc during an inspection.
What is the self-risk assessment of an obliged institution?
AML/CFT obliged institutions, in addition to assigning a risk category to each client, must also assess themselves, typically at least every two years and whenever a key change occurs (e.g., the introduction of a new product or product delivery channel). The risk assessment of an obliged institution therefore indicates whether the way the institution operates increases the likelihood of money laundering or terrorist financing.
For example, casino customers, for obvious reasons, may find it easier to launder money through a casino's services. Therefore, an obliged institution such as a casino, operating in an industry with a high risk of money laundering, must take this clear argument into account in its final risk assessment. However, the industry is not the only criterion considered in the final evaluation; a broad range of factors is the foundation of any risk assessment. Small accounting offices are generally not classified as high-risk businesses, but this does not necessarily mean that their final assessment will not come out at a high level.
How to conduct an AML/CFT self-risk assessment?

Step one – list the necessary risk assessment factors
A properly conducted risk assessment must at least consider the following risk factors related to:
Clients
Products and services
Countries or geographical areas
Transactions or product delivery channels
Failure to include all required factors constitutes non-compliance with legal obligations!
Factors related to clients:
What is the percentage of clients assigned a high-risk category? How many clients classified as Politically Exposed Persons (PEPs) does the institution have? Answers to these types of questions must be included in the client-related section.
Factors related to products and services:
Does the institution have products that allow cash transactions? Does the institution have products that enable payments to/from third parties who are not clients of the institution?
Factors related to countries or geographical areas:
How many clients are associated with high-risk countries? Does the institution have branches located outside the country of the institution?
Factors related to transactions or product delivery channels:
What is the estimated scale of cash transactions? Does the institution allow client acquisition through intermediaries?
Protip: the more factors, the better.

Step two – assign a risk rating to each factor.
A four-level scale is most commonly used: low, medium, high, and unacceptable risk. The suggested questions listed above are meant to help you assign a rating to each factor. I believe that at least five questions should be considered in each section.
The selected rating for each factor is the so-called inherent risk level, meaning the risk level without implementing any mitigating measures.
Step three – list higher-risk areas requiring mitigating measures.
These areas will relate to the factors from the previous steps. For example, if the section on factors related to transactions or delivery channels produces a high risk rating, and the institution intends to reduce the risk to a target level, a mitigating measure should be introduced (e.g., additional employee training or enhanced transaction monitoring).
Step four – determine the final risk assessment level and write a summary.
The final risk assessment level is the so-called residual risk, which is the risk remaining after implementing the previously mentioned mitigating measures. An unacceptable risk rating indicates a level of risk that exceeds the risk appetite of the obliged institution. The summary should primarily include the justification for the final assessment, as well as planned actions (for example, to reduce its level).
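The four steps above describe a small scoring model: factors grouped into the four required categories, a four-level inherent rating per category, mitigating measures, and a residual level compared against the institution's risk appetite. The following Python script is an added illustration of that procedure; it is not code from the article or from the Risk Assessment Assistant. The aggregation rules it uses are assumptions, not rules stated in the article: a category's inherent level is the worst rating among its factors, each mitigating measure lowers its category by one step (never below low), the overall level is the worst category level, and the risk appetite is the highest residual level the institution accepts. The sample factors and mitigations are constructed.

```python
"""Worked AML/CFT self-risk assessment scoring model (added illustration).

Aggregation rules below are assumptions for this example, not rules from the
article: worst-rating-per-category, one step of reduction per mitigating
measure, worst-category overall, appetite = highest acceptable residual level.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List

# Step one: the four factor groups that must all be present (article, "Failure
# to include all required factors constitutes non-compliance").
REQUIRED_CATEGORIES = (
    "clients",
    "products and services",
    "countries or geographical areas",
    "transactions or delivery channels",
)


class Risk(IntEnum):
    """Step two: the four-level scale from the article."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    UNACCEPTABLE = 4


@dataclass(frozen=True)
class Factor:
    category: str
    question: str
    rating: Risk  # inherent rating, i.e. before any mitigating measure


@dataclass(frozen=True)
class Mitigation:
    category: str
    measure: str
    steps: int = 1  # assumption: each measure lowers its category by one level


def missing_categories(factors: Iterable[Factor]) -> List[str]:
    """Return required categories that have no factor at all."""
    present = {f.category for f in factors}
    return [c for c in REQUIRED_CATEGORIES if c not in present]


def inherent_risk(factors: Iterable[Factor]) -> Dict[str, Risk]:
    """Step two: per-category inherent level = worst factor rating (assumption)."""
    levels: Dict[str, Risk] = {}
    for f in factors:
        levels[f.category] = max(levels.get(f.category, Risk.LOW), f.rating)
    return levels


def residual_risk(inherent: Dict[str, Risk],
                  mitigations: Iterable[Mitigation]) -> Dict[str, Risk]:
    """Step four: apply mitigating measures; a level never drops below LOW."""
    residual = dict(inherent)
    for m in mitigations:
        if m.category not in residual:
            raise ValueError(f"mitigation targets unknown category: {m.category!r}")
        residual[m.category] = Risk(max(Risk.LOW, residual[m.category] - m.steps))
    return residual


def assess(factors: List[Factor], mitigations: List[Mitigation],
           appetite: Risk = Risk.HIGH) -> dict:
    """Run all four steps and return the material for the written summary."""
    missing = missing_categories(factors)
    if missing:  # step one: an incomplete assessment is non-compliant
        raise ValueError(f"required factor categories missing: {missing}")
    inherent = inherent_risk(factors)
    residual = residual_risk(inherent, mitigations)
    final = max(residual.values())
    return {
        "inherent": inherent,
        # step three: areas whose inherent level calls for mitigating measures
        "areas_needing_mitigation": [c for c, lvl in inherent.items() if lvl >= Risk.HIGH],
        "residual": residual,
        "final": final,
        "within_appetite": final <= appetite,
    }


# Constructed sample input (not real institution data).
SAMPLE_FACTORS = [
    Factor("clients", "Share of clients rated high-risk above 10%?", Risk.HIGH),
    Factor("clients", "Any PEP clients?", Risk.MEDIUM),
    Factor("products and services", "Products allowing cash transactions?", Risk.HIGH),
    Factor("products and services", "Payments to/from non-client third parties?", Risk.MEDIUM),
    Factor("countries or geographical areas", "Clients linked to high-risk countries?", Risk.LOW),
    Factor("countries or geographical areas", "Branches abroad?", Risk.LOW),
    Factor("transactions or delivery channels", "Estimated scale of cash transactions?", Risk.UNACCEPTABLE),
    Factor("transactions or delivery channels", "Client acquisition via intermediaries?", Risk.MEDIUM),
]
SAMPLE_MITIGATIONS = [
    Mitigation("transactions or delivery channels", "enhanced transaction monitoring"),
    Mitigation("transactions or delivery channels", "additional employee training"),
    Mitigation("products and services", "cash threshold with mandatory escalation"),
]

if __name__ == "__main__":
    result = assess(SAMPLE_FACTORS, SAMPLE_MITIGATIONS)
    for cat in REQUIRED_CATEGORIES:
        print(f"{cat:36s} inherent={result['inherent'][cat].name:12s} residual={result['residual'][cat].name}")
    print("final residual level:", result["final"].name, "| within appetite:", result["within_appetite"])
```

With the constructed sample, the transactions category starts at unacceptable and two measures bring it to medium, products drops from high to medium, clients stays high because nothing mitigates it, so the final residual level is high and the justification in the summary would name the client factors as the reason. Dropping the mitigations leaves the final level at unacceptable, i.e. above the appetite, which is exactly the situation the article says the summary must address with planned actions.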
Can a pre-made AML risk assessment template be used?

I discourage using pre-made and highly generic templates available for free on the Internet (often from unreliable sources). The AML risk assessment must be unique and tailored to the specific nature of the obliged institution. Using a simple template significantly increases the risk of receiving a financial penalty.
Proposed Solution
If you have a moment, I recommend checking out the Risk Assessment Assistant. It allows you to quickly create a complete risk assessment, regardless of your knowledge of AML regulations. This is not a generic template but a professional tool featuring, among other things, 40 automated fields and extensive explanations of all factors determining the final risk level.
You can download a demo version here completely free of charge.
You will pay less for the full version of the product than for a meal at a restaurant.
AML self-risk assessment is a complex topic, so I hope this article has been helpful. Remember, by preparing a thorough and well-crafted risk assessment, we demonstrate a strong understanding of AML regulations and significantly reduce the risk of receiving a financial penalty. It’s worth considering professional assistance, especially when it is available at an affordable price.