The AML risk assessment is the single most important document in your compliance program - and it's the first thing a competent examiner evaluates. If it doesn't accurately reflect your actual business, every policy and procedure built on top of it is suspect. Here's how to build one that holds up under scrutiny.
Start with your products and services. List every activity your business engages in that involves the movement, exchange, or storage of value. For each item, ask honestly: how could this be exploited by someone trying to launder money? What characteristics of this transaction type make it attractive to bad actors? What controls exist today to detect or prevent misuse? Most businesses discover during this exercise that they have risks they've never formally acknowledged.
Next, assess your customer base with the same rigor. Who are your customers? Where do they come from geographically? What are their typical transaction patterns, and how much do those patterns vary? Are there customer segments that present elevated risk - foreign nationals, politically exposed persons, cash-heavy businesses, or customers with complex ownership structures? Your risk assessment needs to describe your actual customer population, including the uncomfortable segments.
Geographic risk is the third dimension. If your business operates in South Florida, your geographic risk is elevated whether or not you acknowledge it. FinCEN has explicitly targeted Miami-Dade for geographic targeting orders, identified it as a high-risk real estate market, and deployed examination resources here disproportionately relative to business volume. A risk assessment that doesn't acknowledge your geographic environment is not a credible document.
The output of a sound risk assessment is a risk-rating matrix: each product, service, customer segment, and geography rated for inherent risk, then matched to specific mitigating controls, producing a residual risk rating. This matrix is the backbone of your program - it justifies your monitoring thresholds, informs your training content, and explains to examiners why your program looks the way it does.
Critically, a risk assessment is not a one-time exercise. Update it annually - and immediately following any material change to your business, your customer mix, your products, or the regulatory environment. An assessment from 2022 that has never been touched is not a compliant program in 2026. Examiners check dates, and a stale risk assessment signals a program that isn't actually being managed.
BSA/AML Principal Consultant · Soflo Consulting
Elena Vargas is a BSA/AML Principal Consultant at Soflo Consulting with over a decade of experience building and auditing compliance programs for regulated businesses across the United States. She specializes in enforcement action remediation, risk assessment development, and examination preparation for money services businesses, mortgage lenders, and fintech companies.
Key Takeaways
1. Products, customers, and geography must each be assessed independently with honest analysis
2. South Florida's regulatory environment demands explicit acknowledgment in geographic risk analysis
3. The output must be a risk-rating matrix that matches inherent risks to specific mitigating controls
4. Risk assessments must be updated annually and after any material business change
5. Examiners check assessment dates - a stale document signals an unmanaged program
