AML Risk Assessment Template: A Practitioner's Methodology for Banks and Fintechs

May 4, 2026 Rebecca Leung
TL;DR

  • Your BSA/AML risk assessment is the map examiners use to scope their entire exam — if it doesn’t reflect your actual risk profile, you’re walking in with a broken compass.
  • The FFIEC framework requires scoring across four categories: customers/entities, products/services, geographies, and delivery channels — each evaluated for inherent risk, then adjusted for controls to produce residual risk.
  • FinCEN’s April 2026 NPRM would require institutions to explicitly incorporate FinCEN’s published AML/CFT Priorities into the risk assessment; comment period closes June 9, 2026.
  • The most common exam finding isn’t a bad score — it’s a stale assessment that no longer reflects what the institution actually does.

Your BSA/AML risk assessment isn’t a filing cabinet document. It’s the playbook examiners pull out before they set foot in your building. If your risk assessment says wire transfers to high-risk jurisdictions represent “low” risk — and your SAR filings show a different pattern — that inconsistency becomes the first line of inquiry on day one of the exam, not a footnote.

In 2025, prudential regulators, state officials, and DOJ concluded an estimated 35 AML enforcement actions. FinCEN concluded just two. The enforcement pressure is diffuse — it runs through BSA exam findings, MRAs, and consent orders rather than FinCEN headlines. A weak risk assessment doesn’t typically produce a fine directly. It produces a deficiency that produces MRAs that produce consent orders. The path from “stale risk assessment” to “operating under formal regulatory oversight” is shorter than most compliance teams realize.

What a BSA/AML Risk Assessment Actually Is

The FFIEC BSA/AML Examination Manual defines the risk assessment as a process that identifies and evaluates the money laundering, terrorist financing, and other illicit financial crime risks inherent in the institution’s products, services, customers, and geographic locations — and then evaluates the controls in place to mitigate those risks.

Two outputs matter:

  1. Inherent risk — the raw risk profile before controls
  2. Residual risk — what remains after controls are applied

Both need to be documented. An examiner seeing only one will ask where the other is.

There’s no mandated format. The FFIEC manual is explicit that “there are many effective methods and formats.” What’s not flexible is the substance: you have to cover all four risk categories, document your methodology, and link the output to your program controls.

The Four Risk Categories (and How to Score Them)

1. Customers and Entities

This is usually where the highest inherent risk lives. High-risk customer types under FFIEC guidance include:

  • Cash-intensive businesses (restaurants, car washes, convenience stores, parking garages)
  • Money services businesses (MSBs), particularly unlicensed ones
  • Foreign financial institutions
  • Politically exposed persons (PEPs) and their immediate family and close associates
  • Non-resident aliens and foreign nationals conducting significant domestic transactions
  • High-net-worth private banking clients
  • Charities and non-profit organizations
  • Cannabis-related businesses (where legally permitted)

For each customer segment, you’re scoring the population: what share of your customer base fits high-risk profiles, what volume of transactions they generate, and whether your CDD procedures are calibrated to that risk. A community bank with 2% of accounts classified as high-risk businesses has different inherent risk than an MSB aggregator where that’s 40% of the portfolio.

If you wrote a Customer Identification Program (CIP) template recently, your CIP customer profiles should map directly to your risk assessment’s customer categories. CIP is the entry point; the risk assessment is the ongoing framework.

2. Products and Services

Score each product line for inherent ML/TF risk. The FFIEC has flagged specific products as higher risk:

Product/Service              | Key Risk Factors
-----------------------------|----------------------------------------------------------
International wire transfers | Cross-border movement, speed, limited recourse
Correspondent banking        | Nested accounts, limited transparency into end customers
Private banking              | Large balances, PEP exposure, complex ownership structures
Trade finance                | Over/under-invoicing, dual-use goods, sanctions exposure
Virtual currency / crypto    | Pseudonymity, mixer exposure, wallet clustering
Prepaid access/cards         | Reload risk, cross-border usage, limited monitoring
Remote deposit capture       | Identity verification gap, fraud exposure
ACH origination              | Debit origination fraud, third-party sender risk

For a fintech offering ACH transfers, debit card issuance, and lending — the wire transfer risk is lower, but ACH volume risk and potential for synthetic identity fraud in lending need to be assessed at the product level. Don’t let the absence of high-inherent-risk products like correspondent banking make you underweight the risks that are present.

3. Geographies

Two dimensions: where your customers are located, and where their transactions flow.

Customer geography: The FFIEC manual references FinCEN advisories, OFAC sanctions lists, and FATF’s lists of high-risk jurisdictions as inputs. FATF maintains a list of jurisdictions under increased monitoring (the “grey list”) and a list of high-risk jurisdictions subject to a call for action (the “black list”). Transactions involving countries on either list require elevated scrutiny and documentation.

Transaction geography: Where are your wires going? Which correspondent relationships involve high-risk jurisdictions? A U.S.-based fintech whose customers regularly send remittances to FATF grey-list countries has geography risk even if the customers themselves are domestic residents.

Domestic high-risk areas also factor in: FinCEN geographic targeting orders (GTOs), high-intensity drug trafficking areas (HIDTAs), and high-intensity financial crime areas (HIFCAs) are all relevant inputs to the geographic risk component.

4. Delivery Channels

How products are accessed affects the ML/TF risk profile. Non-face-to-face account opening creates higher identity verification risk. Fully digital onboarding with limited human review compounds it. Mobile deposit, remote onboarding, and API-driven BaaS relationships each introduce monitoring gaps that brick-and-mortar delivery doesn’t create.

If your onboarding is entirely digital and you’ve delegated identity verification to a third-party KYC vendor, your risk assessment needs to address that channel risk explicitly — and document that the delegation arrangement meets the reliance requirements under 31 CFR 1020.220(a)(6).

Inherent Risk Scoring: Making the Matrix Defensible

The most common format uses a 1–5 scale (some institutions use 1–3), applied to each risk factor within each category. Here’s a simplified framework for the customer category:

Score | Description   | Example Profile
------|---------------|--------------------------------------------------------------------------------
1     | Low           | Primarily salaried consumer accounts, local geography, minimal cash activity
2     | Low-Moderate  | Mix of consumer and small business, limited high-risk segments
3     | Moderate      | Some MSBs, high-cash businesses, or PEP exposure
4     | Moderate-High | Significant MSB or cash-intensive commercial portfolio, international customer base
5     | High          | MSB aggregator, unlicensed MSBs, high PEP concentration, correspondent banking

Scores are weighted by volume — number of accounts, dollar value of transactions — to produce a composite category inherent risk rating.

The FFIEC Appendix J Quantity of Risk Matrix provides the framework examiners use in their own scoping. Your methodology doesn’t need to mirror it exactly, but your scoring rationale should hold up when compared against it. If your scoring yields a “low” composite where Appendix J would yield “moderate,” be ready to explain the discrepancy.

Controls Assessment: The Step Most Institutions Underweight

Inherent risk gets the attention. Controls get the boilerplate. That gap is where most risk assessments fall apart.

Your controls assessment needs to evaluate, for each risk category:

  • CIP/CDD completeness: Is customer risk rating applied consistently at onboarding? Is enhanced due diligence triggered for high-risk customers?
  • Transaction monitoring: Are rules calibrated to your risk profile? Are alert thresholds defensible? What’s your false positive rate — and does it reflect over-alerting or under-alerting?
  • SAR filing: Are you filing on time? Are narratives sufficient? Are there patterns of suspicious activity that aren’t being connected across accounts?
  • Independent testing: When was your last AML program audit? Were findings remediated?
  • Training: Are employees trained on the specific typologies relevant to your actual customer base?

Controls are typically rated across three levels:

  • Strong: Procedures are documented, tested, and operating effectively
  • Adequate: Procedures exist with minor gaps that don’t materially impair effectiveness
  • Weak: Material gaps, outdated procedures, or controls not operating as intended

Residual risk equals inherent risk adjusted downward for strong controls, unchanged or adjusted upward for weak controls. A high inherent risk rating with strong controls can produce a moderate residual risk. A moderate inherent risk rating with weak controls can produce a high residual risk — and that’s what triggers the examiner’s deep dive.
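The scoring matrix, the volume weighting, and the controls adjustment described in the two sections above can be carried through end to end. The following is an added worked example, not code from the original article or from RiskTemplates. It assumes a specific methodology that the article leaves open: the composite is the more conservative of an account-weighted and a dollar-weighted average; strong, adequate and weak controls move the band down one, zero or up one step; and any segment scored 4 or 5 that carries at least 10% of dollar volume while the composite lands in a low band is flagged as something to explain (the threshold and the sample figures are constructed).

```python
import math
from dataclasses import dataclass

# Band labels from the 1-5 customer matrix above.
BAND_LABELS = {1: "Low", 2: "Low-Moderate", 3: "Moderate", 4: "Moderate-High", 5: "High"}

# Assumed adjustment per controls rating: strong moves residual down one band,
# adequate leaves it unchanged, weak moves it up one band.
CONTROL_ADJUSTMENT = {"strong": -1, "adequate": 0, "weak": 1}


@dataclass(frozen=True)
class Segment:
    """One customer segment: its matrix score plus the volume figures used to weight it."""
    name: str
    inherent_score: int      # 1-5 from the scoring matrix
    accounts: int            # number of accounts in the segment
    dollar_volume: float     # annual transaction volume, in millions (constructed figures)


def weighted_score(segments, weight_attr):
    """Volume-weighted average of segment scores, weighting by the named attribute."""
    total = sum(getattr(s, weight_attr) for s in segments)
    if total <= 0:
        raise ValueError(f"no volume to weight by in {weight_attr}")
    return sum(s.inherent_score * getattr(s, weight_attr) for s in segments) / total


def composite_inherent(segments):
    """Assumption: take the more conservative of the account-weighted and
    dollar-weighted averages, so a few high-risk accounts moving large volumes
    are not averaged away by a large retail book."""
    return max(weighted_score(segments, "accounts"),
               weighted_score(segments, "dollar_volume"))


def to_band(score):
    """Round a composite score to a 1-5 band (half rounds up, then clamp)."""
    return max(1, min(5, math.floor(score + 0.5)))


def residual_band(inherent_band, controls_rating):
    """Residual risk band: inherent band adjusted for the controls rating, clamped to 1-5."""
    return max(1, min(5, inherent_band + CONTROL_ADJUSTMENT[controls_rating]))


def material_high_risk_segments(segments, composite_band, share_threshold=0.10):
    """Flag segments scored 4 or 5 that carry a material share of dollar volume
    while the composite lands in a low band. Assumed threshold: 10% of volume.
    These are the cases an examiner comparing against Appendix J will ask about."""
    total_dollars = sum(s.dollar_volume for s in segments)
    flagged = []
    for s in segments:
        share = s.dollar_volume / total_dollars
        if s.inherent_score >= 4 and share >= share_threshold and composite_band <= 2:
            flagged.append((s.name, round(share, 3)))
    return flagged


# Constructed sample: a community bank with a small but active MSB portfolio.
SAMPLE_SEGMENTS = [
    Segment("Salaried consumer accounts", 1, 18000, 400.0),
    Segment("Small business", 2, 1500, 250.0),
    Segment("Cash-intensive businesses", 3, 300, 90.0),
    Segment("Money services businesses", 5, 40, 160.0),
]


def assess(segments, controls_rating):
    """Produce the numbers a risk assessment section should document."""
    composite = composite_inherent(segments)
    inherent = to_band(composite)
    residual = residual_band(inherent, controls_rating)
    return {
        "composite_score": round(composite, 2),
        "inherent_band": inherent,
        "inherent_label": BAND_LABELS[inherent],
        "residual_band": residual,
        "residual_label": BAND_LABELS[residual],
        "explain": material_high_risk_segments(segments, inherent),
    }


if __name__ == "__main__":
    for rating in ("strong", "adequate", "weak"):
        print(rating, assess(SAMPLE_SEGMENTS, rating))
```

On the sample book the account-weighted average is about 1.1 while the dollar-weighted average is about 2.2, so the composite lands at Low-Moderate; with weak controls the residual moves to Moderate. The MSB segment is 0.2% of accounts but nearly 18% of dollar volume, which is exactly the kind of discrepancy the "explain" list surfaces: the documented rationale should say why a 40-account segment scored 5 does not move the composite band, or the weighting should change.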

What FinCEN’s April 2026 NPRM Changes

On April 7, 2026, FinCEN issued a notice of proposed rulemaking that would fundamentally restructure AML/CFT program requirements under the Bank Secrecy Act. The comment period closes June 9, 2026, with a proposed 12-month implementation timeline after the final rule.

Three specific risk assessment changes to track:

1. Mandatory FinCEN Priorities integration. Institutions would be required to review and incorporate FinCEN’s published AML/CFT National Priorities — corruption, cybercrime, terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing — into the risk assessment process. This isn’t just acknowledging the priorities exist; the assessment must analyze how each priority applies to the institution’s actual risk profile.

2. Effectiveness-based evaluation. The proposed rule signals a shift away from checking technical compliance boxes toward evaluating whether the AML program actually identifies and reports suspicious activity. A thorough risk assessment paired with a weak detection program would fare worse under this framework than under the current technical compliance model.

3. Enforcement threshold. FinCEN indicates it would generally not take enforcement action against an institution with a program established under the new rule unless there is a “significant or systemic failure.” That’s meaningful protection for institutions with good-faith programs — but it requires the risk assessment to be genuinely comprehensive, not superficial.

For more on the proposed rule’s broader implications, see our analysis of FinCEN’s AML/CFT proposed rule and BSA program reform.

Common Exam Findings (and How to Pre-Empt Them)

Based on BSA examination trends and FFIEC guidance, the most common risk assessment deficiencies are:

1. Stale assessment. The most cited finding. A risk assessment updated annually but not triggered by material events — new product launch, acquisition, significant change in customer mix, new geography, new fintech partnership. Put a trigger list in your BSA policy with named events that require an immediate update.

2. Risk scores that don’t match activity. Wire transfer volume or SAR filing patterns suggest higher risk than the assessment reflects. Examiners cross-reference your risk assessment scores against your actual transaction data. Inconsistencies are flags.

3. No link to program controls. The assessment scores risk but doesn’t explain how program elements address the identified risks. FFIEC Appendix I is explicit: the risk assessment should inform your monitoring rules, CDD thresholds, staffing levels, and board reporting.

4. Failure to incorporate FinCEN Priorities. This was voluntary before the NPRM. Under the proposed rule, it’s required. Start incorporating it now so it’s embedded before the final rule takes effect.

5. Narrative-only assessment without supporting data. A narrative that says “customer risk is moderate” without underlying data — number of accounts by risk tier, transaction volume by product — isn’t defensible when an examiner asks how you got there.

Template: What Your Risk Assessment Document Should Contain

A defensible BSA/AML risk assessment document should include these sections:

Section                     | What It Documents
----------------------------|---------------------------------------------------------------------------------
Executive Summary           | Overall inherent risk, control assessment rating, residual risk by category
Methodology                 | Scoring approach, weighting, data sources used
Customer/Entity Risk        | Population breakdown by risk tier, volume weighting, CDD adequacy assessment
Product/Service Risk        | Score by product, transaction volume, key risk factors
Geographic Risk             | Domestic and international risk mapping, FinCEN advisories applied
Delivery Channel Risk       | Channel-specific risk factors and associated controls
Controls Assessment         | Rating for each program element, gap identification
Residual Risk Summary       | Category-level residual risk with supporting rationale
FinCEN Priorities Crosswalk | How your institution’s profile relates to each of the 8 national priorities
Action Items                | Gaps identified, remediation timeline, named ownership
Board Summary               | One-page executive summary for board reporting

The action items section is what separates a risk assessment that satisfies regulators from one that creates risk. If you identify control gaps and don’t document a remediation plan with dates and ownership, the gap becomes a finding.

Your compliance monitoring and testing program is the operational validation of what your risk assessment documents — the testing schedule, sampling methodology, and exception reporting that demonstrates your controls are actually working.

So What?

A BSA/AML risk assessment written for the file drawer and one written for the examiner look different. The file drawer version scores everything at “moderate,” vaguely references controls, and gets dusted off for an annual refresh. The examiner version reflects what your institution actually does — and when transaction monitoring testing or SAR filing reviews surface gaps, your risk assessment is the document they hold up to show you either knew and didn’t act, or didn’t know and should have.

FinCEN’s April 2026 NPRM is moving toward effectiveness-based compliance. The institutions that will fare best are the ones who can demonstrate their risk assessment is connected to real program decisions — calibration of monitoring rules, CDD thresholds, staffing levels, and board reporting — not just a compliance artifact filed once a year.

Write it like the examiner is reading it on day one of the exam. Because they are.

Frequently Asked Questions

What are the four risk categories in a BSA/AML risk assessment?

The FFIEC BSA/AML Examination Manual identifies four primary risk categories: customers and entities, products and services, geographies (including high-risk countries and domestic high-risk areas), and delivery channels. Each category is evaluated for inherent risk before controls are applied to produce residual risk.

How often must a BSA/AML risk assessment be updated?

At minimum annually, and whenever material changes occur — new products, new customer segments, acquisitions, significant changes in transaction volume or geography, or regulatory actions. FinCEN's April 2026 NPRM would also require institutions to incorporate FinCEN's published AML/CFT Priorities into the risk assessment, with updates when those priorities change.

What's the difference between inherent risk and residual risk in an AML assessment?

Inherent risk is the raw risk before controls — driven by your customers, products, geographies, and channels. Residual risk is what remains after applying controls: transaction monitoring, CIP/CDD procedures, SAR filing, and independent testing. High inherent risk with strong controls can produce lower residual risk than moderate inherent risk with weak controls.

What did FinCEN's April 2026 NPRM change about AML risk assessments?

FinCEN's April 7, 2026 proposed rule would require institutions to explicitly incorporate FinCEN's published AML/CFT Priorities into their risk assessment process, document comprehensive ML/TF risk evaluation, and update the assessment to reflect material changes. It also signals a shift to effectiveness-based evaluation — examiners would focus on whether the program actually identifies suspicious activity rather than checking technical compliance boxes.

What are the most common AML risk assessment deficiencies examiners cite?

Stale assessments not updated when business activities change (most common), failure to incorporate FinCEN Priorities, risk scores that don't match actual activity patterns (e.g., wire transfer risk rated 'low' while SAR filing patterns tell a different story), inadequate geographic risk analysis, and failure to link risk assessment findings to specific program controls.

Do fintechs need their own AML risk assessment?

If operating under a sponsor bank's BSA program, the bank's risk assessment must document the fintech partnership as a risk factor — including products offered, customer base, and monitoring delegation. If you're an independent money services business, broker-dealer, or RIA with your own AML program obligations, you need a standalone risk assessment.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.