Annual updates are required, but seven specific events require immediate updates regardless of cycle timing

The BSA requires that your AML risk assessment be current and accurate. "Current" means updated to reflect your actual business - not the business you had when you last wrote the assessment. Most businesses understand that annual updates are required, but fewer understand that certain events require immediate updates regardless of where you are in your annual cycle. Waiting for the annual review when a material change has occurred is a compliance failure.

New products, new customer segments, and geographic expansion each require immediate risk assessment updates

Trigger #1: New products or services. Every new product or service your business offers creates new money laundering risk that must be assessed before the product launches. A mortgage lender that adds a new loan product, an MSB that begins offering a new payment service, or a fintech that launches a new feature - each of these requires a risk assessment update that addresses the specific risks of the new offering.

Regulatory changes must be reflected in the risk assessment promptly after publication

Trigger #2: New customer segments. If your business begins serving a new category of customers - foreign nationals, cash-intensive businesses, politically exposed persons, or customers in high-risk industries - your risk assessment must be updated to reflect the risk profile of the new segment. Customer base changes are among the most significant risk drivers in AML, and they must be assessed promptly.

Examination findings and internal compliance failures are evidence of assessment gaps that must be addressed

Trigger #3: Geographic expansion. Opening a new location, beginning to serve customers in a new state or country, or expanding into a new market all create geographic risk that must be assessed. Geographic risk is one of the three primary dimensions of AML risk assessment, and changes to your geographic footprint require immediate assessment.

Significant staff changes require risk assessment review to ensure compliance continuity

Trigger #4: Regulatory changes. When FinCEN issues new guidance, proposes new rules, or publishes new typologies relevant to your industry, your risk assessment must be reviewed to determine whether updates are required. Regulatory changes that affect your industry's risk profile - new GTO requirements, new CDD guidance, new SAR filing expectations - must be reflected in your assessment.

Trigger #5: Examination findings. If a regulatory examination identifies deficiencies in your AML program, your risk assessment must be updated to address the identified gaps. An examination finding that reveals a risk your assessment didn't address is evidence that the assessment was incomplete - and the response must include updating the assessment, not just fixing the specific finding.

Trigger #6: Internal compliance failures. When your own monitoring or testing identifies a compliance failure - a missed SAR filing, a CDD gap, a training lapse - the risk assessment must be reviewed to determine whether the failure reflects a risk that wasn't adequately assessed. Internal failures are often symptoms of assessment gaps.

Trigger #7: Significant staff changes. When your BSA officer, senior management, or key compliance staff change, the risk assessment should be reviewed to ensure that the new personnel understand the risk framework and that the assessment reflects current institutional knowledge. Staff changes are a common source of compliance continuity failures.