Anti-Money-Laundering (AML) Risk Approach Explained


Anti-money-laundering (AML) risk assessments keep your company from inadvertently participating in criminal activities. Implement them properly, and you'll help ensure that criminals can't use your bank or financial institution to make unethical transactions seem legitimate.

While estimates vary, experts believe criminals launder about $2 trillion every year. If you're not watching your customers and acting proactively, you're unwittingly part of this crime.

What are AML risk assessments?

Most AML risk assessments involve organising your customers into groups based on how likely they are to launder money.

To make this work, you need to know quite a lot about your customers, including their:

  • Location. Where do they live? Where do they do business?
  • Industry. How do they make money? Who pays them?
  • Quantity. How much money do they take in?
  • Transactions. Do they pull in dozens of small payments, or do they pull in a few big amounts?

Once you understand your customers, you stratify based on risk. And then, you react to limit the risks they pose to your industry. You document each step, so you can prove to government officials that you take money laundering very seriously.

What are AML risk factors?

Any client poses a risk. And sometimes, seemingly innocent people can do terrible things you never thought possible. Spotting every risk is impossible. But most AML risk assessments focus on items that are closely related to crime.

Five recognised primary divisions of risk are:

  • Structure. The nature, size, and complexity of an organisation can raise risks.
  • Customers. The size of an organisation's client base could raise or lower risks.
  • Products. The types of services offered to clients could raise or lower risk.
  • Acquisition. The methods banks use to gain and train new clients could contribute to risk.
  • Location. Some countries are closely tied to money laundering, and criminals tend to keep their finances close to home.

You must ask your clients a lot of questions about their finances, both when they set up accounts and as they work with you each month. Think about:

  • Structure. Does the client have a leaky organisational chart that could allow criminal activity to slide in unnoticed?
  • Regulations. Does your client pay attention to state and federal laws? Can they prove compliance?
  • Fraud. Can you verify everything the client tells you?

You may choose to avoid working with some clients altogether, as they pose too many risks. These are known key risk drivers:

  • Offshore businesses
  • Trusts
  • Business-to-business relationships
  • Commissions
  • Cash exposure

Once you've vetted your clients, AML risk assessments help you monitor ongoing transactions. If you see sudden spikes in transactions or another form of suspicious activity, it's time to act.

How to conduct an AML risk assessment

Effective programs don't just label past worrisome activity. They predict trouble ahead, and they keep banks from repeating their mistakes.

Most companies use an app or computer program to conduct AML risk assessments. These systems deploy machine learning. The system learns to recognise when transactions are benign, and it flags problems for humans to analyse. A system like this can do much more than a human can do.

No matter how you conduct your AML risk assessments, you must prove compliance. You must demonstrate:

  • Approval. Your senior manager must provide a statement that proves your organisation uses a specific program.
  • Efficacy. Your program must be designed properly to detect suspicious activity and report it. That program must also show you the true identity of your clients. You must test it regularly.
  • Use. Anyone working with the program has been trained to use it. Your employees repeat training often.

To ensure that you're truly compliant, follow a few best-practice steps:

  • Update client data. Your customers can change with time. If you don't ask for new information, you could miss emerging risks.
  • Mind your data. Your system relies on good inputs. Ensure that you're loading up the program with the best information possible.
  • Learn and grow. Set your limits too tight, and you could flag perfectly reasonable transactions. Conversely, set things too loose, and you could miss critical problems.

At Okta, we've developed a Risk Ecosystem API that helps you to share signals from your security stack and reduce the hazards you face. This stronger security does not interfere with great customer experiences.

