Why a Formal Risk Assessment Is Non-Negotiable

Every major AML framework — FATF, the EU's AMLD, the UK's MLRs, the US BSA — requires VASPs to conduct a formal, documented assessment of the money laundering and terrorist financing risks they face. This isn't a bureaucratic box-tick. A well-constructed risk assessment tells you where to focus your compliance resources and serves as the primary evidence that your programme is proportionate and effective.

Regulators will ask to see your risk assessment during supervision visits, authorisation applications, and enforcement investigations. If you can't produce one — or if it's generic and undated — that itself becomes evidence of inadequate governance.

The Four Dimensions of VASP Risk

VASP risk assessments should evaluate risk across four key dimensions:

1. Customer Risk

Who are your customers, and what risk do they represent?

  • Retail vs. institutional customers
  • Geographic origin of customers (high-risk jurisdictions per FATF, EU, OFAC)
  • Proportion of PEPs and their associates
  • Anonymous or pseudonymous account structures
  • Business customers with complex ownership chains

2. Product and Service Risk

Not all crypto products carry the same risk profile:

  • Privacy coins (Monero, Zcash) — higher anonymity, higher risk
  • DeFi integrations — reduced KYC capability for counterparties
  • Custodial vs. non-custodial services
  • Peer-to-peer trading platforms
  • High-frequency trading or arbitrage products that generate large volumes

3. Geographic Risk

Where do you operate, and where do your customers and transactions originate?

  • Countries on FATF grey or black lists
  • Jurisdictions with weak AML supervision or high corruption indices
  • Countries subject to international sanctions
  • Markets with high crypto adoption but low regulatory oversight

4. Delivery Channel Risk

  • Online-only onboarding (higher risk than face-to-face verification)
  • Use of intermediaries or introducers
  • API integrations with third-party wallets or DeFi protocols
  • P2P or OTC desk operations

Step-by-Step Risk Assessment Process

  1. Scope the assessment: Define which entities, products, geographies, and customer segments are in scope
  2. Identify risk factors: Use the four dimensions above as a structured framework
  3. Rate inherent risk: Score each risk factor (e.g., Low/Medium/High or 1–5) before controls are applied
  4. Evaluate existing controls: For each risk, assess the quality and effectiveness of current mitigating controls
  5. Calculate residual risk: After applying controls, what risk remains?
  6. Determine risk appetite: Define what level of residual risk is acceptable for your business
  7. Action plan: Where residual risk exceeds appetite, document remediation steps with owners and deadlines
  8. Sign off and review: Senior management or board should approve the assessment; review at least annually or following material changes

Risk Scoring: A Simple Matrix

  Inherent Risk    Control Effectiveness    Residual Risk
  High             Strong                   Medium
  High             Weak                     High
  Medium           Strong                   Low
  Medium           Weak                     Medium
  Low              Any                      Low
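Steps 3 to 7 of the process above, together with the residual-risk matrix, can be encoded so that every rated factor is carried through the same rules and exceedances of the stated appetite are listed as action items. This is an added illustration, not code from the article or any regulator; the factor register, the dimension names used as labels, and the Low/Medium/High ordering are assumptions chosen to match the text.

```python
from dataclasses import dataclass

# Residual-risk matrix from the article's table; Low inherent risk stays Low
# whatever the control rating, so it is handled separately in residual_risk().
RESIDUAL_MATRIX = {
    ("High", "Strong"): "Medium",
    ("High", "Weak"): "High",
    ("Medium", "Strong"): "Low",
    ("Medium", "Weak"): "Medium",
}
RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class RiskFactor:
    dimension: str  # Customer / Product / Geographic / Delivery channel
    name: str
    inherent: str   # step 3: Low / Medium / High, rated before controls
    control: str    # step 4: Strong / Weak

def residual_risk(inherent: str, control: str) -> str:
    """Step 5: apply the matrix to one factor; reject unrated inputs."""
    if inherent not in RANK or control not in ("Strong", "Weak"):
        raise ValueError(f"unrated factor: {inherent!r}/{control!r}")
    if inherent == "Low":
        return "Low"
    return RESIDUAL_MATRIX[(inherent, control)]

def assess(factors, appetite: str):
    """Steps 5-7: residual per factor, the worst residual in each dimension,
    and the action list of factors whose residual exceeds the appetite."""
    per_dimension, actions = {}, []
    for f in factors:
        r = residual_risk(f.inherent, f.control)
        worst = per_dimension.get(f.dimension, "Low")
        per_dimension[f.dimension] = r if RANK[r] > RANK[worst] else worst
        if RANK[r] > RANK[appetite]:
            actions.append((f.dimension, f.name, r))
    return per_dimension, actions

# Constructed sample register; the ratings are illustrative, not guidance.
SAMPLE = [
    RiskFactor("Customer", "PEP proportion", "High", "Strong"),
    RiskFactor("Product", "Privacy coin listings", "High", "Weak"),
    RiskFactor("Geographic", "FATF grey-list customers", "Medium", "Strong"),
    RiskFactor("Delivery channel", "Online-only onboarding", "Medium", "Weak"),
    RiskFactor("Delivery channel", "Introducer referrals", "Low", "Weak"),
]

if __name__ == "__main__":
    for dimension, name, r in assess(SAMPLE, appetite="Medium")[1]:
        print(f"ACTION: {dimension} / {name}: residual {r} exceeds appetite")
```

With a Medium appetite only the privacy-coin factor is listed for remediation; lowering the appetite to Low surfaces the PEP and online-onboarding factors as well.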

Common Mistakes to Avoid

  • Copying a generic template: Regulators can tell. Your risk assessment must reflect your specific business model and customer base.
  • Failing to update it: A risk assessment from two years ago that hasn't been revised is almost worthless if you've launched new products or entered new markets.
  • Treating it as a one-person job: Risk assessment should involve input from compliance, operations, product, and senior management.
  • Ignoring emerging risks: New threat typologies (e.g., crypto-enabled sanctions evasion) should be incorporated as they are identified by regulators and FIUs.

Integrating Your Risk Assessment Into Daily Operations

A risk assessment only adds value if it informs your actual controls. Connect it directly to your:

  • Customer risk-rating model
  • Transaction monitoring rules and thresholds
  • EDD trigger criteria
  • Staff training curriculum
  • Internal audit plan