◆ Quick answer
A New Product Risk Assessment template should include trigger questions that determine full vs. light review, a risk identification questionnaire spanning 12 categories (Compliance, Regulatory, Operational, Technology, Fraud, Third-Party, Credit, Liquidity, Data/Privacy, Reputational, Strategic, Model Risk), a 4x4 impact-by-likelihood scoring method, a risk register with inherent and residual ratings, a pre-launch checklist with Required and Recommended items tracked by owner and evidence, and sign-off rows for first line, second line, and Risk Committee approval.
Guide vs. template
This guide explains what belongs in the template. The paid template gives you the editable working files so you're not rebuilding from a blank page.
Paid template includes
- ◆ New Product Risk Assessment questionnaire (12 risk categories: Compliance, Regulatory, Operational, Technology, Fraud, Third-Party, Credit, Liquidity, Data/Privacy, Reputational, Strategic, Model Risk)
- ◆ Risk scoring matrix with inherent and residual ratings
- ◆ Money/data flow mapping tab for operational dependency tracing
- ◆ Pre-Launch Checklist — 58 items across 9 categories (Regulatory & Licensing, BSA/AML & Fraud, Consumer Protection & Compliance, Technology & Security, Data Privacy, Third-Party / Vendor Management, Operational Readiness, Financial & Risk Management, Governance & Documentation)
What is this template for?
A New Product Risk Assessment (NPRA) is the structured review a product goes through before launch: a questionnaire that surfaces risks across 12 categories, a scoring step that rates each identified risk on impact and likelihood, a pre-launch checklist that gates go-live on required items, and a sign-off flow through first line, second line, and the risk committee. The useful version starts with trigger questions — new credit exposure, new regulatory obligations, new third-party dependencies, new customer segments, or significant technology change — so a pricing tweak gets a light review while a stablecoin launch gets the full treatment. If your fintech operates on a bank partner model, the bank will want to see this assessment before approving the launch, and several checklist items exist specifically to prove you asked them first.
◆ Audience
Who needs this.
- ◆ Your bank partner is asking for a formal risk assessment before approving a new product launch.
- ◆ You're launching BNPL, embedded finance, instant payments, or stablecoins and need a worked example to start from instead of a blank page.
- ◆ Your new product review committee needs a standard submission template that makes reviews consistent and defensible.
- ◆ You're a product team that needs to move fast without skipping the risk review process.
- ◆ You want a pre-launch checklist that covers regulatory, BSA/AML, consumer protection, and operational readiness in one place.
◆ Required fields
What every row needs.
The fields that make this template defensible to an auditor, bank partner, or examiner — and what goes in each.
| Field | Why it matters | Example |
|---|---|---|
| Risk questionnaire spanning 12 categories | Broad identification comes first — every Yes answer becomes a risk to evaluate and score. | Compliance: "Does this product trigger new consumer protection requirements (e.g., Reg E, Reg Z, TILA, EFTA)?"; Regulatory: "Does this fall under the OCC's new activities supervisory expectations?"; Operational: "Does this product introduce new failure modes not covered by existing incident response?" |
| Yes / No / N/A answers with a notes column | The notes are the context the committee and the bank partner read — a bare Yes is not defensible. | Yes — money transmitter licensing analysis in progress for 12 states; notes capture scope, counsel engaged, and expected completion |
| Impact rating on a 1-4 scale across four dimensions | Forces consistent severity judgments across financial, customer, regulatory, and reputational harm. | Moderate (2): $100K–$1M loss, 1K–10K customers affected, regulatory observation or informal supervisory feedback, 90-day remediation; Severe (4): >$5M loss, >100K customers, consent order or enforcement action, 30-day remediation |
| Likelihood rating on a 1-4 scale with frequency indicators | Anchors likelihood to control maturity and observed frequency instead of gut feel. | Likely (3): will probably occur, controls exist but have known gaps, occurred 1–2 times in past 12 months; Unlikely (1): controls robust and well-tested, has not occurred |
| Risk register with inherent and residual scores | Aggregates questionnaire findings into the view the committee actually votes on. | Each identified risk scored inherent (before controls) and residual (after planned controls), mapped to the 4x4 heat map |
| Pre-launch checklist items with priority, status, owner, and evidence | Turns "we're ready" into a verifiable list — Required items are launch gates, not suggestions. | BSA/AML: "Transaction monitoring rules configured, tested, and validated" — Required; "Sanctions screening (OFAC) confirmed operational for new transaction types" — Required; Consumer Protection: "UDAAP/UDAP review completed on all marketing materials and product design" — Required |
| Rollback / shutdown plan | The launch review has to answer what happens if the launch goes badly — before it does. | Operational Risk question 16: "Is there a documented rollback or product shutdown plan if the launch encounters critical issues?" |
| Sign-off rows for 1st line, 2nd line, and Risk Committee | Approval without documented sign-off is the gap examiners and bank partners find first. | Risk Register includes sign-off rows for first-line owner, second-line risk review, and Risk Committee approval before go-live |
◆ Worked example
Example questionnaire, rating, and checklist rows
| Questionnaire question | Regulatory Risk: "Does your bank partner require advance notification or approval for this type of activity?" Answered Yes / No / N/A with notes for context. |
|---|---|
| Impact rating | Significant (score 3) — $1M–$5M loss or revenue impact; 10K–100K customers affected; Matter Requiring Attention (MRA/MRIA) or formal regulatory finding; 60-day remediation timeline. |
| Pre-launch gate | "Bank partner written approval obtained (if applicable)" — Required priority. Do not launch with any Required item incomplete. |
◆ Implementation roadmap
How to roll this out.
Run the trigger questions to size the review
Owner · Product lead with risk or compliance
Output · Decision — full New Product Risk Assessment vs. lighter review — based on new credit exposure, new regulatory obligations, new third-party dependencies, new customer segments, or significant technology change
Complete the risk identification questionnaire across all 12 categories
Owner · Product owner with input from compliance, engineering, and operations
Output · Yes / No / N/A answers with notes; every Yes carried forward as a risk to score
Score identified risks with the 4x4 impact-by-likelihood method
Owner · Risk or compliance reviewer with the product owner
Output · Inherent and residual ratings per risk using the documented impact scale (financial, customer, regulatory, reputational) and likelihood scale (frequency and control maturity)
Work the pre-launch checklist to completion
Owner · Named owner per item across 9 categories
Output · 58 items tracked with priority, status, owner, and notes/evidence — no launch with any Required item open, including bank partner written approval where applicable
Submit to the risk committee with sign-offs
Owner · Product owner; Risk Committee approves
Output · Product overview, risk register with inherent/residual scores, and completed checklist — with documented first-line, second-line, and committee sign-off rows
◆ Ready to use it?
Download the New Product Risk Assessment.
Use the guide to understand the structure, or buy the editable template to move faster.
◆ FAQ
Frequently asked questions.
What should a new product risk assessment template include? ⌄
Trigger questions that decide full vs. light review, a risk identification questionnaire across 12 categories, a 4x4 impact-by-likelihood scoring method with documented scales, a risk register aggregating findings into inherent and residual ratings, a pre-launch checklist with Required and Recommended items tracked by owner and evidence, and sign-off rows for first line, second line, and Risk Committee approval.
When is a full new product risk assessment required versus a lighter review? ⌄
Generally when the launch creates new credit exposure, new regulatory obligations, new third-party dependencies, targets new customer segments, or involves significant technology change. A feature tweak inside an existing product usually gets a lighter review; a new product type, new money movement, or new partner-dependent activity gets the full assessment.
What risk categories does the questionnaire cover? ⌄
Twelve: Compliance, Regulatory, Operational, Technology, Fraud, Third-Party, Credit, Liquidity, Data/Privacy, Reputational, Strategic, and Model Risk. Each category has specific questions — for example, whether the product requires new licenses or registrations, whether marketing needs UDAAP/UDAP review, whether the bank partner requires advance notification, and whether the product introduces failure modes existing incident response doesn't cover.
How is risk scored in a new product assessment? ⌄
On a 4x4 impact-by-likelihood matrix. Impact runs Minor (1) to Severe (4) across financial, customer, regulatory, and reputational dimensions — Severe means >$5M loss, >100K customers affected, or consent order/enforcement exposure with a 30-day remediation expectation. Likelihood runs Unlikely (1) to Almost Certain (4), anchored to control maturity and how often the event has actually occurred in the past 12 months to 3 years.
Does my bank partner need to approve the product before launch? ⌄
If you operate on a sponsor bank model, usually yes — and in writing. The questionnaire asks directly whether your bank partner requires advance notification or approval for the activity, and the pre-launch checklist carries "bank partner written approval obtained" as a Required item. Launching a new activity without documented bank approval is a finding waiting to happen for both you and the bank.
Can the assessment be used for partnerships, not just internal product launches? ⌄
Yes. Embedded finance and partnership-driven products go through the same framework, with specific questions about partner obligations, liability allocation, regulatory responsibility, and how the partnership changes your own risk profile. A distribution agreement that puts your product in front of new customers through someone else's channel is a new-product event even if the product itself hasn't changed.