When to Update Your AML Risk Assessment: 7 Triggers You Can't Ignore

The BSA requires that your AML risk assessment be current and accurate. "Current" means updated to reflect your actual business - not the business you had when you last wrote the assessment. Most businesses understand that annual updates are required, but fewer understand that certain events require immediate updates regardless of where you are in your annual cycle. Waiting for the annual review when a material change has occurred is a compliance failure.

Trigger #1: New products or services. Every new product or service your business offers creates new money laundering risk that must be assessed before the product launches. A mortgage lender that adds a new loan product, an MSB that begins offering a new payment service, or a fintech that launches a new feature - each of these requires a risk assessment update that addresses the specific risks of the new offering.

Trigger #2: New customer segments. If your business begins serving a new category of customers - foreign nationals, cash-intensive businesses, politically exposed persons, or customers in high-risk industries - your risk assessment must be updated to reflect the risk profile of the new segment. Customer base changes are among the most significant risk drivers in AML, and they must be assessed promptly.

Trigger #3: Geographic expansion. Opening a new location, beginning to serve customers in a new state or country, or expanding into a new market all create geographic risk that must be assessed. Geographic risk is one of the three primary dimensions of AML risk assessment, and changes to your geographic footprint require immediate assessment.

Trigger #4: Regulatory changes. When FinCEN issues new guidance, proposes new rules, or publishes new typologies relevant to your industry, your risk assessment must be reviewed to determine whether updates are required. Regulatory changes that affect your industry's risk profile - new GTO requirements, new CDD guidance, new SAR filing expectations - must be reflected in your assessment.

Trigger #5: Examination findings. If a regulatory examination identifies deficiencies in your AML program, your risk assessment must be updated to address the identified gaps. An examination finding that reveals a risk your assessment didn't address is evidence that the assessment was incomplete - and the response must include updating the assessment, not just fixing the specific finding.

Trigger #6: Internal compliance failures. When your own monitoring or testing identifies a compliance failure - a missed SAR filing, a CDD gap, a training lapse - the risk assessment must be reviewed to determine whether the failure reflects a risk that wasn't adequately assessed. Internal failures are often symptoms of assessment gaps.

Trigger #7: Significant staff changes. When your BSA officer, senior management, or key compliance staff change, the risk assessment should be reviewed to ensure that the new personnel understand the risk framework and that the assessment reflects current institutional knowledge. Staff changes are a common source of compliance continuity failures.