A money transmitter is a money services business, so its anti-money laundering program must be reasonably designed and commensurate with the risks it faces, under 31 CFR 1022.210. The risk assessment is how the transmitter establishes those risks. It rates inherent money-laundering and terrorism-financing risk across products and services, customers, geographies, and delivery channels, including the agent network, scores the controls against that risk, and derives a residual rating that drives the rest of the program. Both FinCEN and the state regulators that issue the license review it.
A money transmitter inherits the full BSA/AML obligation set the moment it is licensed, and the risk assessment sits underneath all of it. The program rule does not prescribe a separate risk-assessment document by name, but it requires a program that is commensurate with the risks the business carries, and the FFIEC manual treats the risk assessment as the basis for that risk-based program. You cannot show a program is sized to the risk without first establishing what that risk is. This guide covers what the assessment must cover for a money transmitter, the categories that matter most for this model, how to build it, and where these assessments fail an exam.
Why a money transmitter needs one
Money services businesses, including money transmitters, are required to develop, implement, and maintain an effective anti-money laundering program under 31 CFR 1022.210. The rule's standard is that the program be reasonably designed to prevent the business from being used to facilitate money laundering and terrorism financing, and that it be commensurate with the risks posed by the location, size, nature, and volume of the services provided. The phrase commensurate with the risks is the hook: it presumes the business has assessed its risks. The risk assessment is that work, and it is the document a federal or state examiner reads to test whether the rest of the program is built to the right size.
The risk categories that matter
A money transmitter's risk assessment uses the same four categories every BSA/AML assessment uses, but each one carries weight specific to the money-transmission model.
| Category | What drives risk for a money transmitter |
|---|---|
| Products and services | Cross-border remittance, cash-to-cash transfer, prepaid access, and convertible virtual currency carry higher inherent risk than closed-loop or low-value domestic transfer. |
| Customers | The customer base and any higher-risk segments, including cash-intensive senders and customers in higher-risk corridors. |
| Geographies | The jurisdictions and corridors served, weighting higher-risk countries and the states in which the business operates. |
| Delivery channels | The agent or authorized-delegate network, online and app-based onboarding, and any non-face-to-face channel that distances the transmitter from the customer. |
The agent network is the category that most distinguishes a money transmitter from a bank. Risk is introduced by parties the transmitter does not directly employ, so the assessment has to reach agent oversight: how agents are vetted, monitored, and trained, and how the transmitter sees the activity flowing through them.
The two layers of review
A money transmitter answers to two readers. FinCEN sets the federal program requirement, and the state regulators that grant the license supervise the business under state money-transmission law, increasingly harmonized through the CSBS Money Transmission Modernization Act. The BSA/AML risk assessment is a federal obligation rooted in 31 CFR 1022.210, but a state examiner reviews it too, because the BSA/AML program is a condition of holding the license. One assessment serves both readers; it does not need to be written twice.
How to build it
Step 1: Inventory products, customers, geographies, and channels
Catalog the services offered, the customer segments served, the corridors and states covered, and the channels and agents through which transfers move.
Step 2: Rate inherent risk in each category
Assign an inherent-risk rating to each category before considering controls, weighted toward the higher-risk products, corridors, and channels.
Step 3: Score the controls
Evaluate the controls that mitigate each inherent risk, including agent oversight, transaction monitoring, sanctions screening, and customer due diligence, and rate their strength.
Step 4: Derive residual risk
Combine inherent risk and control strength into a residual rating for each category, then aggregate to an enterprise rating.
Step 5: Document, then refresh on a cycle and on change
Record the methodology and the ratings, review the assessment on a periodic cycle, and refresh it whenever the business enters a new state or corridor, adds a product, or changes its agent model.
Where it goes wrong
- The agent network is missing. The assessment rates the transmitter's own activity but never reaches the risk introduced by agents or authorized delegates.
- Not sized to the program. The risk assessment rates the business high but the program's controls do not match, which is the gap an examiner is looking for.
- Stale after expansion. The business added states, corridors, or a virtual-currency product, and the assessment was not refreshed to match.
The risk assessment is the foundation the rest of a money transmitter's program is built on, and the first thing two sets of examiners read. Keep it current, reach the agent network, and make the program genuinely match it. For the wider obligation, see the money transmitter compliance guide and the money transmitter glossary; for the underlying method, see the BSA/AML risk assessment guide.
Primary sources
- 31 CFR 1022.210: The anti-money laundering program requirement for money services businesses; the program must be reasonably designed and commensurate with the risks, which is what a risk assessment establishes.
- 31 U.S.C. 5318(h): The statutory anti-money laundering program requirement.
- FFIEC BSA/AML Examination Manual: The interagency supervisory standard; see the BSA/AML Risk Assessment and Independent Testing sections, including the risk-based approach to scope and frequency.
- CSBS Money Transmission Modernization Act (Model Law): The multistate model law standardizing money transmitter licensing and supervision; state examiners review the BSA/AML program, including its risk assessment.