Field Guide

BSA/AML Risk Assessment: A Practitioner's Guide

The short version

A BSA/AML risk assessment is the documented analysis that shows where an institution is exposed to money-laundering and terrorist-financing risk, and how well its controls manage that exposure. The method has three moves: rate the inherent risk across your products, customers, geographies, and channels; evaluate the controls; and document the residual risk that remains. No single line of the BSA commands a standalone risk assessment, but the FFIEC manual treats it as the foundation of the program and an examiner reads it first.

Every other part of a BSA/AML program borrows its logic from the risk assessment. Customer due diligence rates customers against it. Transaction monitoring sets thresholds around it. Training, staffing, and independent testing are all supposed to be scaled to it. When the risk assessment is thin or generic, everything built on top inherits the same weakness, and an examiner can usually tell within the first hour.

This guide covers what a risk assessment is, what the law actually requires, the categories of risk you inventory, the method for getting from inherent risk to residual risk, how to score it, and the mistakes that turn a risk assessment into an exam finding.

What a BSA/AML risk assessment is

A risk assessment is a structured judgment about exposure. It identifies the specific ways your institution could be used to move illicit funds, rates how serious each exposure is on its own, weighs the controls you have against it, and arrives at a residual risk that the program then has to manage. The output is a written analysis with a methodology, ratings, and the reasoning behind them, not a score in isolation.

The point of the exercise is allocation. A program has finite attention, and the risk assessment is how an institution decides where to spend it. It tells you which customer types need enhanced due diligence, which products need tighter monitoring, and where the next dollar of compliance budget should go. Done well, it is the document that lets a BSA officer explain, to a sponsor bank or an examiner, why the program looks the way it does.

Is a risk assessment required? The honest answer

No provision of the Bank Secrecy Act says, in those words, that an institution must conduct a risk assessment. What the law requires is a program that is reasonably designed to guard against money laundering, and the implementing rules for banks and other institutions require written, risk-based programs. The risk assessment is how you demonstrate the program is risk-based at all.

Three sources turn that into a practical expectation:

So the careful statement is this: a standalone risk assessment is not named in the statute, but a program without a defensible one fails the standard it is held to. Treat it as required in practice. For how the assessment fits the wider program, see the guide to the BSA/AML program pillars.

The risk categories you inventory

The FFIEC manual frames inherent risk around products and services, customers and entities, and geographic locations. In practice most programs add delivery channels as a fourth, because how a customer is onboarded and how they move money changes the exposure. Within each category you list the drivers that actually apply to your institution and rate them. The categories are the same everywhere; the drivers are specific to you.

Products & services
  What you are rating: What the institution offers and how easily it can move value.
  Higher-risk drivers: Cash-intensive activity, international wires, prepaid access, virtual currency, trade finance, private banking.

Customers & entities
  What you are rating: Who the customers are and the laundering risk they carry.
  Higher-risk drivers: Money services businesses, cash-intensive businesses, non-resident or foreign customers, politically exposed persons, complex ownership structures.

Geographies
  What you are rating: Where customers, counterparties, and activity are located.
  Higher-risk drivers: Jurisdictions under sanctions, high-risk or non-cooperative jurisdictions, and domestic high-intensity financial-crime or drug-trafficking areas.

Channels
  What you are rating: How customers are onboarded and how they transact.
  Higher-risk drivers: Non-face-to-face onboarding, third-party or agent intermediaries, and embedded or platform relationships where the customer never touches the bank directly.

A common failure is to inventory the categories generically, listing risks that apply to every bank rather than the ones that apply to yours. A risk assessment that would read identically for a different institution is not assessing anything.

The method: from inherent risk to residual risk

The analytical core of a risk assessment is moving from inherent risk to residual risk. The steps below are the practitioner method, and they map to the categories above.

Step 1: Rate inherent risk

For each driver you inventoried, rate the risk it carries before any controls are considered. This is inherent risk: the raw exposure of the activity itself. Rate it on a consistent scale, usually low, moderate, and high, and write down why. Volume and dollar value matter here, not just the presence of a risk. Ten foreign wires a year is a different exposure than ten thousand.

Step 2: Assess the control environment

For each area of inherent risk, identify the controls that manage it and judge how well they are designed and whether they operate as intended. Customer due diligence, transaction monitoring, sanctions screening, enhanced due diligence for higher-risk customers, training, and independent testing are the usual controls. A control only counts if it exists and works. A monitoring rule that nobody tunes, or an EDD process that collects documents but never reaches a conclusion, does not reduce risk.

Step 3: Determine residual risk

Combine the inherent rating with control strength to reach residual risk, the exposure that remains after controls. Residual risk is the number that matters, because it describes what the institution actually carries. A high-inherent-risk product with strong, tested controls can land at moderate or low residual risk. A moderate product with weak controls can land at high. Make the logic explicit, because an examiner will test whether your controls genuinely justify the residual rating you assigned.

Step 4: Aggregate to an enterprise-wide rating

Roll the individual ratings up into an enterprise-wide risk profile. This is the view a board, a sponsor bank, and an examiner want: where the institution's residual exposure concentrates, and why. The aggregate is a reasoned conclusion, not an average. One high-residual-risk line can define the program's posture even when most of the book is low risk.

Step 5: Document and refresh

Write down the methodology, the ratings, the supporting data, and the rationale, so a reader who was not in the room can follow how you reached each conclusion. Then keep it current. Refresh the full assessment periodically, and update it whenever a material change occurs.

Scoring it: the risk matrix

Most institutions express the assessment as a matrix: risk drivers down one axis, and inherent risk, control strength, and residual risk across the columns, each rated on a low-to-high scale. Some programs attach numeric weights so the aggregation is repeatable; others stay qualitative with written justification. Either approach is defensible. What an examiner looks for is consistency: the same logic applied across every line, and a residual rating that the documented controls actually support.

The scale is less important than the discipline. A three-point scale that is applied consistently and backed by reasoning beats a ten-point scale that is assigned by feel. Whatever scale you choose, define what each level means before you rate anything against it.

The enterprise-wide assessment and refresh cadence

The enterprise-wide risk assessment is the consolidated view of the whole institution, and it is the version examiners and sponsor banks ask for by name. There is no fixed statutory interval for refreshing it. Common practice is a full refresh at least every twelve to eighteen months, plus an update on any material change: a new product or service, a new market, a new customer segment, a merger, a new bank or fintech partner, or a significant shift in volume. A risk assessment that no longer matches the business is treated as stale, and a stale assessment undercuts every control that was supposed to be scaled to it.

Where risk assessments fail an exam

The recurring failures are not subtle, and they show up across public enforcement. Watch for these:

An AML gap analysis is often where these surface, and the exam-preparation guide covers what examiners request and how the review unfolds.

Risk assessment for fintechs and sponsor-bank programs

In a banking-as-a-service relationship the responsibility does not move. The sponsor bank holds the non-delegable regulatory obligation for BSA/AML, including the risk assessment, even when a fintech performs the work. A fintech operating under a sponsor bank still needs its own risk assessment, sized to its products and customers, and that assessment rolls up into the bank's enterprise view.

Two things change in this model. First, the channel category carries more weight, because embedded and platform relationships put distance between the bank and the end customer. Second, the bank's own enterprise risk assessment has to account for the risk each fintech partner introduces, which means the bank needs visibility into the partner's risk assessment, not just its own. A money transmitter operating across states faces a parallel version of this; the money transmitter compliance guide covers the licensing layer that sits on top.

A risk assessment takes work to do well, but the standard is plain. Keep it specific to your institution, keep the method explicit, keep residual risk honest about what the controls really do, and keep it current. Then it functions as the foundation the rest of the program is supposed to stand on, and an exam becomes a review of reasoning you already did.

Primary sources

Common questions

Is a BSA/AML risk assessment legally required?
No single line of the BSA names a standalone risk assessment as a requirement. But the FFIEC BSA/AML Examination Manual treats a well-developed risk assessment as the foundation of the program, examiners expect one, and the risk-based obligations of the customer due diligence rule make it effectively unavoidable. FinCEN's proposed AML/CFT Program Rule would make a documented risk assessment process an explicit program component. In practice, a program without a defensible risk assessment is a finding.

What are the risk categories in a BSA/AML risk assessment?
The FFIEC manual frames inherent risk around products and services, customers and entities, and geographic locations. Most practitioners add delivery channels as a fourth category, because how a customer is onboarded and transacts changes the risk. Within each category you identify the specific risk drivers that apply to your institution and rate them.

What is the difference between inherent risk and residual risk?
Inherent risk is the money-laundering risk of an activity before any controls are applied. Residual risk is what remains after the controls that manage it are accounted for. A high-inherent-risk product with strong controls can carry low residual risk, and a moderate product with weak controls can carry high residual risk. Examiners read the residual rating, and they read whether your controls actually justify it.

How often should a BSA/AML risk assessment be updated?
There is no fixed statutory interval. Common practice is a full refresh at least every twelve to eighteen months, plus an update whenever a material change occurs: a new product or service, a new market or geography, a new customer segment, a merger or a new bank or fintech partner, or a significant change in transaction volume. A risk assessment that no longer matches the business is treated as stale.

Who owns the risk assessment in a fintech and sponsor-bank relationship?
The sponsor bank holds the non-delegable regulatory responsibility for BSA/AML, including risk assessment, even when a fintech performs the work. A fintech operating under a sponsor bank still needs its own risk assessment sized to its products and customers, and that assessment rolls up into the bank's enterprise view. The bank's own risk assessment has to account for the risk its fintech partners introduce.

From the team behind this guide

A risk assessment, scored and kept current

Compliance Command Center builds and scores your BSA/AML risk assessment against enforcement-calibrated benchmarks, separates inherent from residual risk with the reasoning written down, and prices the gaps in dollars. Practitioners build it (JD, CAMS), with a human reviewing every deliverable, so the residual ratings hold up when a sponsor bank or an examiner tests them.
