An AML risk assessment is the foundation of every BSA compliance program. Here is a step-by-step guide to conducting one that satisfies FinCEN, your sponsor bank, and stands up in examination.
How to Conduct an AML Risk Assessment for Your Fintech
Before you write a single AML policy, before you configure transaction monitoring rules, before you onboard your first customer — you need an AML risk assessment.
It is not optional. FinCEN requires that your BSA/AML program be reasonably designed for your specific business — and the only way to design a program that fits your risk profile is to first understand what that risk profile actually is.
This guide walks through what an AML risk assessment is, what it needs to cover, how to conduct one step by step, and what the finished product should look like.
What Is an AML Risk Assessment?
An AML risk assessment is a structured, documented analysis of the money laundering and financial crime risks your business faces based on its specific products, customers, geographies, and delivery channels.
It answers one core question: where is your business most likely to be exposed to or exploited for financial crime — and how significant is that risk?
The output directly shapes the calibration of every control in your AML program. A business with high-risk customers and products needs stronger monitoring, more rigorous due diligence, and more frequent reviews than one with a low-risk profile. Your risk assessment is what justifies every design decision in your program — and what FinCEN examiners use to evaluate whether your controls are appropriate.
Why the Risk Assessment Must Come First
FinCEN examiners evaluate your AML program against your risk assessment. If your assessment identifies high-risk customers but your monitoring controls are calibrated for low-risk activity, that misalignment is a gap — the kind of gap that results in examination findings and potential civil money penalties.
Conversely, if your risk assessment is thorough, documented, and your controls clearly map to the risks you have identified, you are in a strong defensive position even if not every aspect of your program is perfect.
Sponsor banks review your risk assessment when evaluating your compliance program. A well-executed, detailed risk assessment signals that you understand your business, understand your risks, and have built controls deliberately rather than by guessing.
The Four Risk Categories You Must Assess
- Customer Risk
Who are your customers, and how much money laundering and financial crime risk do they represent?
Factors that increase customer risk:
— Politically Exposed Persons (PEPs) — government officials, immediate family members, and close associates
— Non-resident customers and customers with foreign addresses
— Customers in high-risk industries — cannabis, gambling, adult entertainment, arms dealing, money services
— Customers with no clear or verifiable source of funds or wealth
— Legal entities with complex, layered, or opaque ownership structures
— Cash-intensive businesses — restaurants, car washes, convenience stores, nail salons
— Customers who are reluctant to provide identification or explain transaction purpose
— Customers flagged by third-party databases for adverse media or prior financial crime
Your risk assessment should categorize your current or anticipated customer base into low, medium, and high risk tiers with clear definitions of what places a customer in each tier.
- Product and Services Risk
What products and services does your business offer, and how easily could they be exploited for money laundering?
Higher-risk product characteristics:
— Anonymous or near-anonymous transactions — prepaid cards, peer-to-peer transfers, certain crypto products
— High transaction velocity or volume enabling rapid layering of funds
— Cross-border transactions — particularly to or from high-risk or sanctioned jurisdictions
— Cash-equivalent instruments that are easily converted and transferred
— Products that allow rapid fund movement with limited friction or delay
— Digital wallets that can hold and transfer value without strong identity verification
Map each product or service to a risk level and document the rationale clearly. If you are pre-launch, assess your planned product set as designed.
- Geographic Risk
Where do your customers operate, and where do transactions flow to and from?
Key risk factors:
— FATF grey list countries — jurisdictions identified by the Financial Action Task Force as having strategic AML/CFT deficiencies
— FATF black list countries — high-risk jurisdictions subject to a call for action, including Iran and North Korea
— OFAC-sanctioned jurisdictions — countries or regions subject to U.S. comprehensive or targeted sanctions programs
— Countries with high corruption indices or known high levels of organized financial crime
— Domestic high-risk geographies — certain regions or industries with elevated financial crime patterns
Document which geographies your business serves, which it explicitly excludes, the screening controls applied to each, and the risk rationale behind each decision.
- Delivery Channel Risk
How do customers access your product and how do transactions flow through your platform?
Higher-risk delivery characteristics:
— Fully digital, remote onboarding with no face-to-face customer interaction or verification
— Third-party intermediaries or agents involved in the onboarding or transaction process
— API-based access enabling high-volume, automated transactions with minimal human review
— Mobile-only platforms with streamlined but potentially lower-friction identity verification
— Non-face-to-face account relationships where the institution has no physical contact with the customer
Most fintechs operate primarily through digital channels, which generally elevates delivery channel risk relative to traditional in-person banking. This is expected and manageable — it just needs to be acknowledged and controlled for.
How to Structure the Risk Assessment Document
A complete, examination-ready AML risk assessment document should include these sections:
Executive Summary — Your business model overview, scope of the assessment, the date conducted, and the overall risk conclusion.
Business Overview — Detailed description of products, services, customer types served, geographies of operation, and delivery channels.
Inherent Risk Analysis — Rated assessment of risk levels across all four categories — customer, product, geography, delivery channel — before any controls are applied. This is your raw risk.
Control Environment — Description of the specific AML controls in place and how each addresses the inherent risks identified. Controls include KYC procedures, transaction monitoring rules, sanctions screening, SAR filing process, training, and independent testing.
Residual Risk Conclusion — Your overall risk rating after controls are applied. Most fintech businesses will land at medium to medium-high residual risk — this is normal and manageable.
Risk Rating Definitions — Clear written definitions of what constitutes low, medium, and high risk in your specific context, applied consistently throughout the assessment.
Date and Approval — The date the assessment was completed and the name of the senior manager who approved it.
How Frequently Should You Update It?
Your AML risk assessment is a living document. Review and update it:
— At minimum annually — as a regulatory baseline requirement
— When you launch new products or services
— When you enter new geographic markets
— When your customer base changes significantly in type, volume, or risk profile
— After a significant compliance event — such as a pattern of SAR filings, an examination finding, or a regulatory change
— When a material change in the regulatory environment affects your risk calculus
Document the date of every update and retain all prior versions. Examiners want to see clear evidence that your risk assessment evolves with your business rather than being a static document.
Common Mistakes That Create Examination Risk
Using a generic template without customization. A risk assessment that does not reflect your actual products, customers, and geographies is not compliant and is immediately identifiable to experienced examiners. Every section must be specific to your business.
Assessing risk without mapping to controls. The document must show both your inherent risk and how your specific controls reduce it. A list of risks without corresponding mitigations is an incomplete assessment.
Never updating it. A pre-launch risk assessment sitting unchanged two years into operations signals a compliance program that is not keeping pace with the business.
Treating it as a one-time compliance checkbox. The risk assessment is the foundation every other element of your AML program is built on. It must remain current and accurate to be useful.
Senior management not owning it. Your risk assessment must be approved by senior management, not produced by a junior compliance analyst and filed away. Examiners look for evidence of genuine leadership engagement.
Frequently Asked Questions
What is the difference between inherent risk and residual risk in an AML risk assessment?
Inherent risk is the level of money laundering risk your business faces before any controls are applied — based purely on your products, customers, geography, and delivery channels. Residual risk is the risk that remains after your AML controls are applied. Most fintech businesses have moderate-to-high inherent risk and aim to bring residual risk to a manageable level through strong controls.
How detailed does an AML risk assessment need to be?
The level of detail should be proportionate to the complexity and risk level of your business. A simple, single-product fintech with a narrow customer base may produce a 10-15 page assessment. A multi-product platform serving diverse customer types and geographies may need a much more comprehensive document. FinCEN's standard is that the assessment must be sufficient to justify your program's design.
Can a fintech use a template for their AML risk assessment?
Templates can be useful as a structural starting point, but the content must be entirely specific to your business. A template filled with generic language that does not describe your actual products, customers, and controls will not satisfy FinCEN requirements and will be flagged immediately in examination.
Who should conduct the AML risk assessment?
The risk assessment can be conducted internally by your BSA Officer or compliance team, or with the assistance of an external compliance consultant. For early-stage fintechs, external support is often valuable to ensure the assessment meets examination standards. The assessment must be approved by senior management regardless of who prepares it.
How ComplyOne Helps
ComplyOne works with fintechs to conduct structured, examination-ready AML risk assessments that satisfy FinCEN requirements and sponsor bank expectations — through advisory services, compliance technology, or both. We help you understand your risk profile, document it with the specificity examiners expect, and make sure your controls are calibrated to match.
Talk to the ComplyOne team to get started.
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Compliance requirements vary based on your business model, jurisdiction, and regulatory relationships. Consult a qualified compliance professional for guidance specific to your situation.