Optimizing Financial Crime Programs through Actionable Risk Assessments

Introduction
In an increasingly interconnected global financial system marked by geopolitical tensions, a top priority for regulators and financial institutions involves combating money laundering and terrorist financing, as well as sanctions evasion. Budget constraints demand smarter, more strategic deployment of compliance resources. To maximize the impact of financial crime resources, institutions should implement a well-designed and actionable financial crime risk assessment, as well as leverage emerging technologies such as generative artificial intelligence (GenAI). Used appropriately, a well-formulated financial crime risk assessment enhances both efficiency and effectiveness, making financial crime programs more targeted, data-driven, and resilient.
The Risk Assessment Equation
At the heart of an effective financial crime risk assessment is the framework:
Inherent Risk – Controls = Residual Risk
Though straightforward in form, this equation represents a nuanced and dynamic process that the institution must carefully customize to reflect its risk profile and operations, as well as the evolving threat landscape. Understanding and operationalizing each component is key to both the design and performance of financial crime programs.
Inherent Risk: Tailor the Basics
Inherent risk represents the level of exposure before mitigating controls are applied. A July 2024 Financial Crimes Enforcement Network (FinCEN) Notice of Proposed Rulemaking (NPRM)[1] highlights the following core categories:[2]
- Customers
- Geographic Locations
- Distribution Channels
- Products and Services
- Intermediaries
Risk assessments should go beyond superficial ratings and apply meaningful quantitative and qualitative methods to each risk category. Institutions should integrate industry- and business model–specific nuances, as risk drivers can vary significantly depending on the nature of the financial institution’s operations. For instance, a virtual asset service provider (VASP), such as a crypto exchange or stablecoin issuer, may face on-chain exposure to sanctioned jurisdictions and other high-risk attribution categories, while a broker-dealer may face risks related to direct market access or omnibus account structures.
Sources such as FinCEN’s NPRM, JMLSG’s Sectoral Guidance,[3] and The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption[4] can help inform the risk identification process.
Controls: Measure Effectiveness and Gain Efficiency
Controls are the systems and processes implemented to mitigate financial crime risk. While some are regulatory mandates (e.g., Customer Identification Program (CIP)), many are based on the financial institution’s risk appetite (e.g., transaction monitoring thresholds).
- Design and operational effectiveness: Controls must be both well designed and well executed. Using existing audits, compliance reviews, and testing results, rather than duplicating testing efforts, is an effective way to assess whether controls are operating as intended.
- Efficiency review: Identify outdated or overlapping controls, particularly those built on legacy systems. Rationalizing duplicative controls not only improves resource efficiency but also enhances program responsiveness.
Organizing controls by program element (e.g., know your customer (KYC), transaction monitoring) can streamline both assessment and remediation efforts. If a control does not serve a purpose (i.e., mitigate risk), then stakeholders should challenge themselves to understand why it exists. As part of evaluating control effectiveness, financial institutions should evaluate how to safely apply emerging technologies, such as GenAI, to automate manual controls, enrich transaction monitoring scenarios, and enhance name screening precision. Institutions should consider specific use cases for these technologies during control evaluations—for example, GenAI-powered alert and case analysis or advanced data reconciliation in onboarding.
Residual Risk: Understand What’s Left
Residual risk is the exposure that remains after all controls have been applied. It is a crucial component of any financial crime risk assessment and directly informs whether the institution is operating within its established risk appetite.
Enterprise-level residual risk assessments are useful for senior management and board reporting, but they often lack the granularity to drive meaningful action. In addition to composite ratings at the enterprise level, institutions should aim to assess residual risk at the business line, customer segment, or product level. Assessing residual risk should answer:
- Are critical risks sufficiently mitigated?
- Where are remaining vulnerabilities?
- Should additional controls be implemented or existing ones enhanced?
Residual risk ratings should be not just an end result, but a continuous feedback loop used to inform program improvements, policy revisions, and investment decisions. Institutions that can clearly articulate how residual risk is identified, monitored, and acted upon will be better positioned for risk management, long-term resilience, and regulatory exams.
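The worksheet below is an added example, not BRG's methodology or any regulator's formula. It applies the Inherent Risk – Controls = Residual Risk framework across the five FinCEN categories for one business line, scores each control by design and operating effectiveness, and shows why an enterprise composite can sit within risk appetite while a single category does not. The 1–5 scale, the multiplicative control model and the sample scores are all assumptions of this example.

```python
from dataclasses import dataclass

# The five core inherent-risk categories from the FinCEN NPRM
CATEGORIES = ("customers", "geographies", "channels", "products", "intermediaries")


@dataclass
class Control:
    name: str
    design: float     # 0.0-1.0, taken from audit / compliance review findings
    operating: float  # 0.0-1.0, taken from control testing results

    def effectiveness(self) -> float:
        # A well-designed control that is poorly executed still mitigates little
        return self.design * self.operating


@dataclass
class BusinessLine:
    name: str
    inherent: dict   # category -> inherent score on a 1-5 scale (assumed scale)
    controls: dict   # category -> list[Control] mapped to that category

    def residual(self) -> dict:
        """Residual score per category; never below 1 since controls cannot remove all risk."""
        out = {}
        for cat in CATEGORIES:
            remaining = 1.0
            for c in self.controls.get(cat, []):
                remaining *= 1.0 - c.effectiveness()   # each control mitigates independently
            out[cat] = round(max(1.0, self.inherent[cat] * remaining), 2)
        return out


def gaps(line: BusinessLine, appetite: float) -> list:
    """Categories whose residual risk exceeds appetite: 'where are remaining vulnerabilities?'."""
    return [cat for cat, score in line.residual().items() if score > appetite]


def composite(line: BusinessLine) -> float:
    """Enterprise-style average rating, which can hide a category-level breach."""
    return round(sum(line.residual().values()) / len(CATEGORIES), 2)


# Constructed sample for a digital asset exchange business line (not real institution data)
VASP = BusinessLine(
    "digital asset exchange",
    inherent={"customers": 4, "geographies": 5, "channels": 4, "products": 3, "intermediaries": 2},
    controls={
        "customers": [Control("KYC/CIP", 1.0, 0.9), Control("enhanced due diligence", 0.8, 0.5)],
        "geographies": [Control("on-chain sanctions screening", 0.9, 0.8)],
        "channels": [Control("device and IP geolocation check", 0.5, 0.5)],
        "products": [Control("transaction monitoring", 0.7, 1.0)],
    },
)
```

With a risk appetite of 2.5 the composite for this sample is 1.68, yet `gaps(VASP, 2.5)` flags the channels category at 3.0, which is exactly the granularity the enterprise-level rating would miss.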
US Regulatory Considerations
Under FinCEN’s proposed rulemaking, BSA-covered institutions will be required to formally implement risk assessments that:
- address the five core risk categories
- incorporate AML/countering the financing of terrorism (CFT) priorities (e.g., cybercrime, fraud, proliferation financing)
- consider data from suspicious activity reports and other regulatory filings
Institutions should proactively align their processes with the NPRM to ensure future compliance.
Take Action: Embedding the Risk Assessment into Strategy
Financial crime risk assessments are a regulatory expectation to demonstrate a risk-based program and soon may be a federal regulatory requirement. However, regulatory oversight should not be the motivating factor. Financial crime risk assessments are strategic tools that help financial institutions:
- optimize financial crime resources, including both human and technology
- improve the efficiency and efficacy of detection systems
- support enterprise-wide risk management
- assess operations against risk appetite
- communicate to senior management and the board of directors, allowing them to discharge their obligation to manage risk within the financial institution
Financial crime risk assessments must become living tools—updated regularly, informed by data, and embedded into decision-making processes across the enterprise. When financial crime risk assessments are actionable, dynamic, and aligned to business strategy, they can elevate a compliance program from defensive to strategic.
How BRG Can Help
Every financial institution is different. BRG’s team of experts has designed and executed risk assessments for various financial institutions. We have decades of experience managing financial crime risk and understand how to design a risk assessment that allows the financial institution to focus on its true financial crime risk without being overly complex and difficult to explain to senior management or a regulator.
[1] Financial Crimes Enforcement Network, “Anti-Money Laundering and Countering the Financing of Terrorism Programs,” Federal Register 89, no. 128 (July 3, 2024): 55428. https://www.govinfo.gov/content/pkg/FR-2024-07-03/pdf/2024-14414.pdf
[2] In the NPRM, FinCEN indicates distribution channels and intermediaries may be new terms for certain financial institutions and helps to clarify their meaning, including how they may be applicable in the context of a risk assessment.
[3] Joint Money Laundering Steering Group (JMLSG), Prevention of money laundering/combating terrorist financing, 2023 Revised Version, Part II: Sectoral Guidance (revised September 2023). https://www.jmlsg.org.uk/guidance/current-guidance/
[4] The Wolfsberg Group, The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption (2015). https://db.wolfsberg-group.org/assets/3deb66d7-6aca-490c-bcd9-c1a3d34a807b/17.%20Wolfsberg-Risk-Assessment-FAQs-2015.pdf