A BSA/AML risk assessment is the documented analysis that shows where an institution is exposed to money-laundering and terrorist-financing risk, and how well its controls manage that exposure. The method has three moves: rate the inherent risk across your products, customers, geographies, and channels; evaluate the controls; and document the residual risk that remains. No single line of the BSA commands a standalone risk assessment, but the FFIEC manual treats it as the foundation of the program and an examiner reads it first.
Every other part of a BSA/AML program borrows its logic from the risk assessment. Customer due diligence rates customers against it. Transaction monitoring sets thresholds around it. Training, staffing, and independent testing are all supposed to be scaled to it. When the risk assessment is thin or generic, everything built on top inherits the same weakness, and an examiner can usually tell within the first hour.
This guide covers what a risk assessment is, what the law actually requires, the categories of risk you inventory, the method for getting from inherent risk to residual risk, how to score it, and the mistakes that turn a risk assessment into an exam finding.
What a BSA/AML risk assessment is
A risk assessment is a structured judgment about exposure. It identifies the specific ways your institution could be used to move illicit funds, rates how serious each exposure is on its own, weighs the controls you have against it, and arrives at a residual risk that the program then has to manage. The output is a written analysis with a methodology, ratings, and the reasoning behind them, not a score in isolation.
The point of the exercise is allocation. A program has finite attention, and the risk assessment is how an institution decides where to spend it. It tells you which customer types need enhanced due diligence, which products need tighter monitoring, and where the next dollar of compliance budget should go. Done well, it is the document that lets a BSA officer explain, to a sponsor bank or an examiner, why the program looks the way it does.
Is a risk assessment required? The honest answer
No provision of the Bank Secrecy Act says, in those words, that an institution must conduct a risk assessment. What the law requires is a program that is reasonably designed to guard against money laundering, and the implementing rules for banks and other institutions require written, risk-based programs. The risk assessment is how you demonstrate the program is risk-based at all.
Three sources turn that into a practical expectation:
- The FFIEC BSA/AML Examination Manual describes a well-developed risk assessment as the basis of a sound program and instructs examiners to evaluate it. For a supervised institution, the manual is the standard you are measured against.
- The Customer Due Diligence rule (31 CFR 1010.230, effective in 2018) requires risk-based procedures for customer due diligence and beneficial-ownership identification. You cannot run risk-based CDD without a risk assessment underneath it.
- FinCEN's proposed AML/CFT Program Rule (RIN 1506-AB72) would make a documented risk assessment process an explicit, named program component, tied to the national AML/CFT priorities. It is a proposal, not yet final law, but it points where supervision is heading.
So the careful statement is this: a standalone risk assessment is not named in the statute, but a program without a defensible one fails the standard it is held to. Treat it as required in practice. For how the assessment fits the wider program, see the guide to the BSA/AML program pillars.
The risk categories you inventory
The FFIEC manual frames inherent risk around products and services, customers and entities, and geographic locations. In practice most programs add delivery channels as a fourth, because how a customer is onboarded and how they move money changes the exposure. Within each category you list the drivers that actually apply to your institution and rate them. The categories are the same everywhere; the drivers are specific to you.
| Category | What you are rating | Higher-risk drivers |
|---|---|---|
| Products & services | What the institution offers and how easily it can move value | Cash-intensive activity, international wires, prepaid access, virtual currency, trade finance, private banking. |
| Customers & entities | Who the customers are and the laundering risk they carry | Money services businesses, cash-intensive businesses, non-resident or foreign customers, politically exposed persons, complex ownership structures. |
| Geographies | Where customers, counterparties, and activity are located | Jurisdictions under sanctions, high-risk or non-cooperative jurisdictions, and domestic high-intensity financial-crime or drug-trafficking areas. |
| Channels | How customers are onboarded and how they transact | Non-face-to-face onboarding, third-party or agent intermediaries, and embedded or platform relationships where the customer never touches the bank directly. |
A common failure is to inventory the categories generically, listing risks that apply to every bank rather than the ones that apply to yours. A risk assessment that would read identically for a different institution is not assessing anything.
The method: from inherent risk to residual risk
The analytical core of a risk assessment is moving from inherent risk to residual risk. The steps below are the practitioner method, and they map to the categories above.
Step 1: Rate inherent risk
For each driver you inventoried, rate the risk it carries before any controls are considered. This is inherent risk: the raw exposure of the activity itself. Rate it on a consistent scale, usually low, moderate, and high, and write down why. Volume and dollar value matter here, not just the presence of a risk. Ten foreign wires a year is a different exposure than ten thousand.
Step 2: Assess the control environment
For each area of inherent risk, identify the controls that manage it and judge how well they are designed and whether they operate as intended. Customer due diligence, transaction monitoring, sanctions screening, enhanced due diligence for higher-risk customers, training, and independent testing are the usual controls. A control only counts if it exists and works. A monitoring rule that nobody tunes, or an EDD process that collects documents but never reaches a conclusion, does not reduce risk.
Step 3: Determine residual risk
Combine the inherent rating with control strength to reach residual risk, the exposure that remains after controls. Residual risk is the number that matters, because it describes what the institution actually carries. A high-inherent-risk product with strong, tested controls can land at moderate or low residual risk. A moderate product with weak controls can land at high. Make the logic explicit, because an examiner will test whether your controls genuinely justify the residual rating you assigned.
Step 4: Aggregate to an enterprise-wide rating
Roll the individual ratings up into an enterprise-wide risk profile. This is the view a board, a sponsor bank, and an examiner want: where the institution's residual exposure concentrates, and why. The aggregate is a reasoned conclusion, not an average. One high-residual-risk line can define the program's posture even when most of the book is low risk.
Step 5: Document and refresh
Write down the methodology, the ratings, the supporting data, and the rationale, so a reader who was not in the room can follow how you reached each conclusion. Then keep it current. Refresh the full assessment periodically, and update it whenever a material change occurs.
Scoring it: the risk matrix
Most institutions express the assessment as a matrix: risk drivers down one axis, and inherent risk, control strength, and residual risk across the columns, each rated on a low-to-high scale. Some programs attach numeric weights so the aggregation is repeatable; others stay qualitative with written justification. Either approach is defensible. What an examiner looks for is consistency: the same logic applied across every line, and a residual rating that the documented controls actually support.
The scale is less important than the discipline. A three-point scale that is applied consistently and backed by reasoning beats a ten-point scale that is assigned by feel. Whatever scale you choose, define what each level means before you rate anything against it.
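The five steps above and the matrix just described, carried through end to end as an added worked example. This is not code from the FFIEC manual, any regulator, or the original guide: the three-point scales, the cell values of the residual matrix, the rule that control strength is counted from controls that are both designed and operating, the "highest line sets the enterprise rating" aggregation, and the three sample drivers are all assumptions that a real program would replace with its own documented methodology and inventory.

```python
"""Worked residual-risk scoring for a BSA/AML risk assessment matrix.

Added illustration, not the FFIEC manual's or any regulator's method.
The scales, the residual matrix, the control-strength rule and the
aggregation rule are assumptions a program would define for itself.
"""
from dataclasses import dataclass, field

LOW, MODERATE, HIGH = "low", "moderate", "high"
WEAK, ADEQUATE, STRONG = "weak", "adequate", "strong"
RISK_SCALE = (LOW, MODERATE, HIGH)          # ordered, lowest first

# Assumed residual matrix: (inherent, control strength) -> residual.
# Defined before anything is rated, so the same logic applies to every line.
RESIDUAL_MATRIX = {
    (HIGH, WEAK): HIGH,     (HIGH, ADEQUATE): HIGH,         (HIGH, STRONG): MODERATE,
    (MODERATE, WEAK): HIGH, (MODERATE, ADEQUATE): MODERATE, (MODERATE, STRONG): LOW,
    (LOW, WEAK): MODERATE,  (LOW, ADEQUATE): LOW,           (LOW, STRONG): LOW,
}


@dataclass
class Control:
    name: str
    designed: bool   # exists on paper
    operating: bool  # evidenced as working: tuned, tested, reaching conclusions


@dataclass
class Driver:
    category: str
    name: str
    inherent: str                # Step 1 rating, before controls
    rationale: str               # why, including volume and dollar value
    controls: list = field(default_factory=list)


def control_strength(controls):
    """Step 2: rate the control environment for one driver.

    Assumed rule: a control counts only if it is designed AND operating.
    Two or more effective controls rate strong, one rates adequate, none
    rates weak. A designed-but-untuned rule therefore reduces nothing.
    """
    effective = [c for c in controls if c.designed and c.operating]
    if len(effective) >= 2:
        return STRONG
    if len(effective) == 1:
        return ADEQUATE
    return WEAK


def methodology_problems(driver):
    """Return the documentation defects that would make a rating untestable."""
    problems = []
    if driver.inherent not in RISK_SCALE:
        problems.append(f"{driver.name}: inherent rating not on the defined scale")
    if not driver.rationale.strip():
        problems.append(f"{driver.name}: rating has no documented rationale")
    return problems


def residual_risk(driver):
    """Step 3: combine the inherent rating and control strength via the matrix."""
    problems = methodology_problems(driver)
    if problems:
        raise ValueError("; ".join(problems))
    return RESIDUAL_MATRIX[(driver.inherent, control_strength(driver.controls))]


def assess(drivers):
    """Steps 3 and 4: score every line, then roll up to an enterprise rating.

    The enterprise rating is the highest residual rating on the book, not an
    average, and the result names the drivers that set it.
    """
    rows = []
    for d in drivers:
        rows.append({
            "category": d.category, "driver": d.name, "inherent": d.inherent,
            "controls": control_strength(d.controls), "residual": residual_risk(d),
            "rationale": d.rationale,
        })
    worst = max(rows, key=lambda r: RISK_SCALE.index(r["residual"]))["residual"]
    set_by = [r["driver"] for r in rows if r["residual"] == worst]
    return {"enterprise_residual": worst, "set_by": set_by, "lines": rows}


# Constructed sample inventory for a hypothetical institution (illustrative values).
SAMPLE_DRIVERS = [
    Driver("Products & services", "International wires", HIGH,
           "approx. 12,000 outbound wires/yr to 40 countries, $1.8B annual value",
           [Control("Sanctions screening", True, True),
            Control("Wire monitoring rules", True, True)]),
    Driver("Customers & entities", "MSB customers", HIGH,
           "35 MSB accounts; cash-intensive, agent networks",
           [Control("EDD for MSBs", True, False)]),   # collects documents, never concludes
    Driver("Products & services", "Consumer savings", LOW,
           "low velocity, domestic, branch deposits only",
           [Control("CDD at onboarding", True, True)]),
]

if __name__ == "__main__":
    result = assess(SAMPLE_DRIVERS)
    for r in result["lines"]:
        print(f'{r["driver"]:<20} inherent={r["inherent"]:<9} '
              f'controls={r["controls"]:<9} residual={r["residual"]}')
    print("enterprise residual:", result["enterprise_residual"], "set by", result["set_by"])
```

Running it shows the two points the text makes: the high-inherent wire product lands at moderate residual because both of its controls are evidenced as operating, while the MSB line stays high because its only control is designed but not operating, and that single line sets the enterprise rating. The `methodology_problems` check is the defence against the "no documented methodology" finding: a rating without a rationale cannot be scored at all.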
The enterprise-wide assessment and refresh cadence
The enterprise-wide risk assessment is the consolidated view of the whole institution, and it is the version examiners and sponsor banks ask for by name. There is no fixed statutory interval for refreshing it. Common practice is a full refresh at least every twelve to eighteen months, plus an update on any material change: a new product or service, a new market, a new customer segment, a merger, a new bank or fintech partner, or a significant shift in volume. A risk assessment that no longer matches the business is treated as stale, and a stale assessment undercuts every control that was supposed to be scaled to it.
Where risk assessments fail an exam
The recurring failures are not subtle, and they show up repeatedly in public enforcement actions. Watch for these:
- Template-driven content. A risk assessment that lists generic industry risks rather than the institution's actual drivers. It reads as if it could belong to anyone.
- No documented methodology. Ratings appear with no explanation of how they were reached, so the conclusions cannot be tested or reproduced.
- Inherent and residual risk conflated. The assessment never separates raw exposure from the controls that manage it, so there is no way to see what the program is actually carrying.
- Controls asserted, not evidenced. Residual ratings rely on controls that are weak, untuned, or not operating, so the residual number is not earned.
- Stale. The business changed and the assessment did not, so it describes an institution that no longer exists.
- Disconnected from the program. The risk assessment sits in a binder while CDD, monitoring, and staffing are scaled to something else entirely.
An AML gap analysis is often where these surface, and the exam-preparation guide covers what examiners request and how the review unfolds.
Risk assessment for fintechs and sponsor-bank programs
In a banking-as-a-service relationship the responsibility does not move. The sponsor bank holds the non-delegable regulatory obligation for BSA/AML, including the risk assessment, even when a fintech performs the work. A fintech operating under a sponsor bank still needs its own risk assessment, sized to its products and customers, and that assessment rolls up into the bank's enterprise view.
Two things change in this model. First, the channel category carries more weight, because embedded and platform relationships put distance between the bank and the end customer. Second, the bank's own enterprise risk assessment has to account for the risk each fintech partner introduces, which means the bank needs visibility into the partner's risk assessment, not just its own. A money transmitter operating across states faces a parallel version of this; the money transmitter compliance guide covers the licensing layer that sits on top.
A risk assessment takes work to do well, but the standard is plain. Keep it specific to your institution, keep the method explicit, keep residual risk honest about what the controls really do, and keep it current. Then it functions as the foundation the rest of the program is supposed to stand on, and an exam becomes a review of reasoning you already did.
Primary sources
- FFIEC BSA/AML Examination Manual: The interagency supervisory standard; see the BSA/AML Risk Assessment section for the risk categories and the foundational role of the assessment.
- 31 CFR 1010.230: Beneficial ownership requirements for legal entity customers (the CDD rule, effective 2018).
- 31 CFR 1020.210: Anti-money laundering program requirements for banks, which must be risk-based.
- 31 U.S.C. 5318(h): The statutory anti-money laundering program requirement.
- FinCEN, proposed AML/CFT Program Rule (RIN 1506-AB72): Would make a documented risk assessment process an explicit program component. A proposal, not final law.