The Plain English Version

Before a firm can design effective AML controls, it needs to understand what risks it faces. The Business-Wide Risk Assessment (BWRA) answers that question systematically. It documents who the customers are, what products and services are offered, which geographies are involved, how customers are onboarded, and what transaction patterns look like. From that picture, the firm derives its inherent risk level and designs controls proportionate to it.

A BWRA done in a Word document and filed once a year is a regulatory liability. Regulators expect it to be a live document, refreshed when the business changes, and used to drive control decisions on an ongoing basis.

The Five Risk Dimensions

  • Customer risk - Politically Exposed Persons, high-net-worth individuals, non-resident customers, legal entities with complex ownership, customers subject to sanctions.
  • Product and service risk - Correspondent banking, private wealth management, cash-intensive products, trade finance, crypto assets, anonymous payment instruments.
  • Geographic risk - FATF black-list and grey-list jurisdictions, countries subject to comprehensive sanctions, high corruption index scores, conflict zones, tax havens.
  • Channel risk - Non-face-to-face onboarding, agent network reliance, mobile and online channels, API and open banking, cross-border wire transfers.
  • Typology risk - High-value transactions, structuring and smurfing patterns, rapid in-and-out movement of funds, counterparty concentration.

Risk-Based Approach

The FATF 40 Recommendations require a risk-based approach to AML. This means the intensity of controls applied to a customer or transaction should be proportionate to the risk it presents. The BWRA is the evidence base for that proportionality. Without a credible BWRA, the firm cannot demonstrate that its controls are calibrated to its actual risks.

What Regulators Expect

  • BWRA reviewed and approved by the Board at least annually
  • Refreshed when material changes occur (new products, new geographies, acquisitions)
  • Covers all five risk dimensions with specific evidence for each
  • Links directly to the firm's risk appetite statements
  • Drives the design of CDD, EDD, and transaction monitoring controls
  • Maintained by the MLRO (Money Laundering Reporting Officer) with Board-level sign-off

Want to Know More?

RateYourCyber's Financial Crime Compliance (FCC) module replaces the annual Word document with a structured 58-question BWRA across 10 sections, scored against a defined methodology, with authored recommendations and automatic risk register population on completion.

Read: Financial Crime Compliance Is Now Live on RateYourCyber