Why an AML Policy Has to Be Driven by a Risk Assessment

Argenis Galez

Founder, Soflo Consulting

May 8, 2026·10 min read
Risk Assessment, AML Policy, FinCEN, FFIEC

A policy without a risk assessment is just a template. FinCEN and the FFIEC both treat the risk assessment as the foundation of every AML program. Here is why most businesses get this backward, and what it looks like when it is done right.

The Backward Way Most Businesses Build Their AML Policy

Here is what happens at most small and mid-size regulated businesses: someone downloads an AML policy template from the internet, fills in the company name, dates it, and files it in a compliance binder. Six months later, an examiner asks for the risk assessment that informed the policy. The business owner looks confused.

That confusion is expensive. FinCEN and the FFIEC both explicitly require that an AML program be risk-based. A risk-based program means the policy is built around the specific risks the business actually faces, not around a generic template that covers everything and addresses nothing.

The common mistake is treating the risk assessment as a formality that happens after the policy is written. That gets it exactly backward. The policy is supposed to be the written expression of the risk assessment, not the other way around.

What the Regulators Actually Require

FinCEN's core expectation is straightforward: every AML program must be "commensurate with the risks presented." The FFIEC BSA/AML Examination Manual states that the risk assessment is the foundation of the AML program and should drive the scope of the written policies, procedures, and internal controls.

The risk assessment must consider the specific products and services offered, the customers and entities served, the geographic locations of operations, and the volume and nature of transactions. A casino in Miami faces different risks than a mortgage broker in Phoenix. Their policies should reflect that.

Examiners are trained to look for this alignment. If a business's policy covers wire transfer monitoring but the business does not offer wire transfers, that is a clear sign the policy was copied from a template without risk assessment input.

What a Real Risk Assessment Looks Like

A proper risk assessment is not a paragraph in a policy document. It is a standalone, dated, reviewed document that identifies the specific risks the business faces and assigns a risk level to each one.

For an MSB in a high-traffic border city, the risk assessment might flag cash-intensive transactions, cross-border remittances, and structuring patterns as high-risk. The policy would then dedicate specific controls to those risks: enhanced customer due diligence for large cash transactions, real-time structuring alerts, and documented escalation procedures for cross-border wires.

For a mortgage company with limited products and low cash volume, the same controls would be overkill. The risk assessment would instead focus on third-party payment red flags, beneficial ownership gaps in all-cash purchases, and Geographic Targeting Order (GTO) compliance. The policy would be shorter, more targeted, and more useful.

When the Policy and the Risk Assessment Do Not Match

The most common examination finding for small businesses is not the absence of a policy; it is the absence of a connection between the policy and the actual business. Examiners see policies that mention products the company no longer offers, controls for risks that do not exist, and training requirements that do not match the staff's actual roles.

This disconnect signals one thing to an examiner: the policy was not built from a risk assessment. It was built from a template, and the business is treating compliance as a paperwork exercise rather than a risk management function.

That is the difference between a passing examination and a consent order. The businesses that get cited are rarely the ones with no policy. They are the ones with a policy that clearly does not match their business.

The Right Sequence: Risk First, Policy Second

The correct order is simple but rarely followed. Step one: identify and document the specific risks your business faces based on its products, customers, geography, and transaction patterns. Step two: write policies that directly address those risks with proportionate controls. Step three: train staff on the risks specific to their roles. Step four: test whether the controls actually work.

Training is where this sequence breaks down most often. A generic AML training program covers everything (CTRs, SARs, CDD, EDD, beneficial ownership, PEPs, sanctions) whether the employee's role touches any of it or not. The result is disengaged staff who retain nothing and an examiner who sees training documentation that proves attendance, not competence.

Role-appropriate training, based on the risk assessment, is the fix. Customer-facing staff need different depth than back-office analysts. High-risk product teams need different training than low-risk service teams. And every completion needs to be documented in a way that an examiner can verify, which is exactly what NAMLC certification provides.

How to Fix It If You Are Already Backward

If your policy was written before your risk assessment, the fix is not to throw it away and start over. It is to reverse-engineer the connection. Pull your existing policy apart into individual controls and ask: what risk is this control addressing? If you cannot answer, the control is probably unnecessary. If there is a risk you face that the policy does not address, you have a gap.

Then document the risk assessment as a standalone document with a date, a review schedule, and a clear path from each identified risk to the corresponding control in the policy. When the examiner asks how you decided which controls to implement, you have an answer that makes sense.

If you need help conducting a proper risk assessment or aligning your AML policy with it, contact Soflo Consulting through sofloconsulting.com.

Argenis Galez is the founder of Soflo Consulting and the National AML Learning Center (NAMLC), an independent AML/BSA certificate verification platform. He works with MSBs, fintechs, mortgage companies, and other regulated businesses on AML program development, training, and independent review.
