How to conduct a Business and Customer Risk Assessment

Updated: Sep 20

Business Risk Assessment


A business risk assessment provides visibility of the levels of AML risks within your firm to demonstrate the application of a risk-based approach.


The outcome of the BRA is an AML risk rating for you and the organisational chart of business units is differentiated into high, medium or low risk. The BRA evaluates the AML risks faced by the business and demonstrates that it allocates resources according to the risk-based approach.


Remember, under the 2007 AML Regulations, JMLSG Guidance and FSA SYSC Chapters 3 and 6, firms are required to identify their money laundering risk.


Other elements of the BRA include:

  • Allowing you to assess whether resources are being allocated appropriately and effectively



Steps you can take


Risk assess each distinct business unit within the organisation according to information that is as objective and quantitative as possible, preferably customer data on:

  • Country location

  • Entity type

  • Industry sector/trading activities

  • Products & services

  • Distribution channel


Information on particular risks should be sought from each business unit to identify the concentration of specific risks, e.g:

  • High volumes of SARs

  • High volumes of legal orders/frozen accounts

  • High proportion of high risk customers according to the CRA

  • High proportion of PEPs in total customer population


  1. The methodology should be applied as consistently as possible across you in order to ensure the outcomes are accurate and representative of the risk levels

  2. The methodology should rely on quantitative data. Where this is unavailable, qualitative information that is reasonably reliable can be employed

  3. Areas of unknown risks, such as data gaps, should be treated as high risk

  4. The methodology should be aligned with other existing operational and conduct risk methodologies used by you, e.g. thresholds for determining what is high, medium or low risk, controls evaluation criteria, determination of residual risk, etc



Good Risk Assessment Tips

  • There is evidence that your risk assessment informs the design of anti-money laundering controls

  • You have identified good sources of information on money-laundering risks

  • The risk assessment is a continuous process based on information from internal and external sources


Client Risk Assessment

Establishing a client risk assessment ensures you have a thorough understanding of the financial crime risks prevalent to a client. It is important to help your team understand the minimum requirements for calculating financial crime risk rating for customers. The risk rating is determined by evaluating certain customer attributes aligned to the key risk drivers.


The determination of Low, Medium or High is a representation of an institution’s risk appetite towards each customer. The Customer Risk Rating should inform:

  • Decisions to initiate, maintain, limit or discontinue particular relationships

  • Frequency and level of CDD

  • Application of different levels of on-going monitoring

  • Triggering of approval

Customer type risk

Certain types of customers have been associated with an increased risk of money laundering:

  • Cash Intensive Businesses

  • Money Service Businesses

  • Casinos and Gambling

  • Unregulated Charities

Customer product risk

Certain products and services have been associated with an increased risk of money laundering or terrorist financing because they allow a customer to conduct unusually large or rapid transactions or they allow transactions to occur with relative anonymity:

  • Products that allow customers to convert cash to other monetary instruments (such as traveller’s checks, money orders, cashiers checks and bank drafts)

  • Products or service that allow customers to readily move value from one jurisdiction to another

  • Private banking services

Customer Geography Risk

Certain geographic locations have been associated with an increased risk of money laundering or terrorist financing. The fact that a customer is domiciled in such a location or a transaction is originating or concluding in such a location, may not, in and of itself, signify an increased risk. However, geographic risk, in conjunction with other risk factors, may provide useful information as to the potential money laundering or terrorist financing risks:

  • Countries subject to sanctions, embargoes or similar measures issued by governmental bodies and international organisations, such as OFAC, HM Treasury or the United Nations

  • Countries identified by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) as of primary money laundering concern or the subject of FinCEN Advisories

  • Countries identified by the Financial Action Task Force (FATF) with strategic AML/CFT deficiencies in the fight against money laundering or the subject of a FATF statement