The AML risk assessment is the single most important document in your compliance program — and it's the first thing a competent examiner evaluates. If it doesn't accurately reflect your actual business, every policy and procedure built on top of it is suspect. Here's how to build one that holds up under scrutiny.
Start with your products and services. List every activity your business engages in that involves the movement, exchange, or storage of value. For each item, ask honestly: how could this be exploited by someone trying to launder money? What characteristics of this transaction type make it attractive to bad actors? What controls exist today to detect or prevent misuse? Most businesses discover during this exercise that they have risks they've never formally acknowledged.
Next, assess your customer base with the same rigor. Who are your customers? Where do they come from geographically? What are their typical transaction patterns, and how much do those patterns vary? Are there customer segments that present elevated risk — foreign nationals, politically exposed persons, cash-heavy businesses, or customers with complex ownership structures? Your risk assessment needs to describe your actual customer population, including the uncomfortable segments.
Geographic risk is the third dimension. If your business operates in South Florida, your geographic risk is elevated whether or not you acknowledge it. FinCEN has explicitly targeted Miami-Dade for geographic targeting orders, identified it as a high-risk real estate market, and deployed examination resources here disproportionately relative to business volume. A risk assessment that doesn't acknowledge your geographic environment is not a credible document.
The output of a sound risk assessment is a risk-rating matrix: each product, service, customer segment, and geography rated for inherent risk, then matched to specific mitigating controls, producing a residual risk rating. This matrix is the backbone of your program — it justifies your monitoring thresholds, informs your training content, and explains to examiners why your program looks the way it does.
Critically, a risk assessment is not a one-time exercise. Update it annually — and immediately following any material change to your business, your customer mix, your products, or the regulatory environment. An assessment from 2022 that has never been touched is not a compliant program in 2026. Examiners check dates, and a stale risk assessment signals a program that isn't actually being managed.
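A worked illustration of the risk-rating matrix and the staleness rule described above, added here as example code (not from the article or Soflo Consulting). The three-level scale, the "strongest control reduces inherent risk by its strength minus one level" rule, the 365-day threshold and all sample entries are assumptions, chosen only to show the mechanics:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed three-level scale for inherent risk and for control strength; the
# article describes the matrix but does not prescribe a scoring scheme.
LEVEL = {"low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}

@dataclass
class Entry:
    dimension: str   # "product", "customer", or "geography"
    item: str
    inherent: str    # inherent risk: low / medium / high
    controls: dict = field(default_factory=dict)  # control name -> strength

def residual_risk(entry: Entry) -> str:
    """Assumed rule: the strongest control reduces inherent risk by
    (strength - 1) levels, so a weak control mitigates nothing; floor is low."""
    best = max((LEVEL[s] for s in entry.controls.values()), default=0)
    reduction = max(0, best - 1)
    return NAME[max(1, LEVEL[entry.inherent] - reduction)]

def build_matrix(entries):
    """One row per entry: dimension, item, inherent, controls, residual."""
    return [(e.dimension, e.item, e.inherent, sorted(e.controls), residual_risk(e))
            for e in entries]

def is_stale(assessed_on: date, today: date, last_material_change=None) -> bool:
    """Stale if older than a year or if a material change postdates it."""
    if today - assessed_on > timedelta(days=365):
        return True
    return last_material_change is not None and last_material_change > assessed_on

# Constructed sample entries and dates (not real client data).
SAMPLE = [
    Entry("product", "wire transfers", "high",
          {"transaction monitoring": "medium", "dual approval": "medium"}),
    Entry("customer", "cash-intensive businesses", "high",
          {"enhanced due diligence": "medium"}),
    Entry("geography", "Miami-Dade", "high"),
    Entry("product", "savings accounts", "low", {"CIP verification": "medium"}),
]
OLD_ASSESSMENT, RECENT_ASSESSMENT = date(2022, 3, 1), date(2025, 6, 1)
MATERIAL_CHANGE, TODAY = date(2025, 9, 1), date(2026, 1, 15)

if __name__ == "__main__":
    for row in build_matrix(SAMPLE):
        print(row)
```

The geography row stays high because no mitigating control is listed for it, which is exactly the gap an examiner would expect the matrix to make visible.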
Elena Vargas
BSA/AML Principal Consultant Soflo Consulting
Specializes in BSA/AML program development and compliance training for regulated businesses nationwide, from community banks and fintech startups to real estate professionals and money services businesses.
Key Takeaways
1. Products, customers, and geography must each be assessed independently with honest analysis
2. South Florida's regulatory environment demands explicit acknowledgment in geographic risk analysis
3. The output must be a risk-rating matrix that matches inherent risks to specific mitigating controls
4. Risk assessments must be updated annually and after any material business change
5. Examiners check assessment dates — a stale document signals an unmanaged program