AML Risk Assessment Template: Building a Defensible 2026 Document
Your AML risk assessment is the document every examiner reads first. Here is the 2026 template that consistently passes scrutiny.
The AML risk assessment is the foundation document of your compliance program. It justifies your controls, drives your monitoring rules, scopes your audits and answers the first question any examiner asks: 'how did you decide what risk to manage and how?'
This guide walks through the methodology, structure and content of a 2026-ready AML risk assessment, plus the common pitfalls that turn a strong program into an exam finding.
Methodology First
Open with the methodology: what you are assessing, on what scoring scale (typically 1–5), how you weight inherent risk and controls, how you compute residual risk and how often you refresh. A documented, repeatable methodology beats a glossy spreadsheet every time.
Risk Dimensions to Cover
Four dimensions are non-negotiable: customers, products and services, geographies and delivery channels. Score each dimension's inherent risk on its own merits before considering mitigants.
Customer Risk
Score by customer type — retail, SMB, corporate, PEP, MSB, crypto, charity — using the FATF and FFIEC categorizations as starting points.
Geography Risk
Use FATF grey and blacklists, OFAC sanctions, Basel AML Index and the institution's own exposure data.
Controls Inventory
List every control that mitigates each inherent risk — onboarding KYC, sanctions screening, transaction monitoring rules, EDD, training, audit. Rate control effectiveness 1–5 with evidence (test results, audit findings, KPIs).
Residual Risk Computation
Combine each inherent risk score with its control effectiveness rating, using the rule stated in your methodology section, to produce a residual risk score. Anything above your stated tolerance becomes a remediation action with a named owner and a due date.
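Making the scoring repeatable is the point of the methodology section, so here is an added example (not from the article or any vendor tool) that scores a small constructed register on the 1–5 scale, applies an assumed combination rule for residual risk, rejects out-of-scale scores, and turns every residual above tolerance into a remediation action. The combination rule, the dimension names and the sample entries are assumptions for illustration.

```python
from dataclasses import dataclass

DIMENSIONS = ("customers", "products", "geographies", "channels")
SCALE = range(1, 6)  # the 1-5 scale the template recommends


@dataclass(frozen=True)
class RiskEntry:
    dimension: str     # one of DIMENSIONS
    item: str          # e.g. a customer type or a country bucket
    inherent: int      # inherent risk, scored before mitigants
    control_eff: int   # evidence-backed control effectiveness


def validate(entry: RiskEntry) -> None:
    """Reject entries that would silently skew the heat map."""
    if entry.dimension not in DIMENSIONS:
        raise ValueError(f"unknown dimension: {entry.dimension}")
    for name in ("inherent", "control_eff"):
        if getattr(entry, name) not in SCALE:
            raise ValueError(f"{entry.item}: {name} must be 1-5")


def residual_score(inherent: int, control_eff: int) -> float:
    # Assumed combination rule (hypothetical, not from the article): each point of
    # control effectiveness retires one fifth of the inherent risk, so a fully
    # effective control (5) leaves one fifth and an ineffective one (1) leaves it all.
    return round(inherent * (6 - control_eff) / 5, 1)


def assess(entries, tolerance: float) -> dict:
    """Score every entry and turn anything above tolerance into a remediation action."""
    scored, actions = [], []
    for e in entries:
        validate(e)
        r = residual_score(e.inherent, e.control_eff)
        scored.append((e.dimension, e.item, r))
        if r > tolerance:
            # owner and due date are placeholders the program must fill in
            actions.append({"item": e.item, "residual": r, "owner": "TBD", "due": "TBD"})
    return {"scored": scored, "remediation": actions}


# Constructed sample register (illustrative values only)
SAMPLE = [
    RiskEntry("customers", "PEP", 5, 4),
    RiskEntry("geographies", "FATF grey-list exposure", 4, 2),
    RiskEntry("channels", "non-face-to-face onboarding", 3, 3),
]

if __name__ == "__main__":
    print(assess(SAMPLE, tolerance=3.0))
```

Swap in your own combination rule and tolerance; the value of the script is that the same register always yields the same heat map and the same action list.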
Board Reporting
The risk assessment is a board-level document. Summarize the heat map, the residual risks above tolerance and the remediation plan on a single page. Attach the detail as appendices.
Refresh Cadence and Triggers
Refresh annually at minimum, and after any material change in products, geographies, customer base, leadership or regulation. Document the trigger that prompted each off-cycle refresh.
Key Takeaways
- Methodology first — repeatability beats polish.
- Score four dimensions: customers, products, geographies, channels.
- Residual risk above tolerance must drive action, not just discussion.
- Refresh annually and on material change.
Frequently Asked Questions
What scoring scale should we use?
A 1–5 scale is standard. Avoid overly granular scales — they create false precision and disagreement.
How long should an AML risk assessment be?
30–80 pages for a mid-sized institution including appendices. Shorter is fine if defensible.
Who approves the risk assessment?
The BSA Officer drafts; senior management reviews; the board or designated committee formally approves.
Is a template enough?
A template is a starting point. The content must reflect your actual products, customers and geographies.
What is the most common gap?
No documented methodology. Examiners reverse-engineer your reasoning from your scoring — make the reasoning explicit.
Need a defensible AML risk assessment?
We deliver examiner-ready AML risk assessments — methodology, scoring, controls inventory and board pack — in 30 days.