Introduction
This guide will assist in-house counsel and private practice lawyers in assessing an organization’s risk for non-compliance with laws regarding money laundering (ML) and terrorist financing (TF). It sets out key issues to address, and points to consider when reviewing risk, in order to develop and implement an effective compliance program.
The guide covers the following sections:
- Overview of money laundering
- Conducting a money laundering and terrorist financing risk assessment
- Application of risk-based controls
This guide may be read in conjunction with the following How-to guides: How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern, How to monitor Bank Secrecy Act (BSA) compliance, How to appoint a Bank Secrecy Act (BSA) compliance officer, How to ensure sanctions screening and sanctions due diligence is effective, How to identify relevant sanctions regimes and deal with conflicting obligations and Checklists: Screening employees for roles in AML compliance and Staff awareness and training to prevent money laundering and terrorist financing.
Section 1 – Overview of money laundering
Money laundering is the commonly used term for the technique of making the proceeds from illegal activities (sometimes known as 'dirty money') appear to have been derived from legal sources (ie, clean). ML typically involves three processes: placement, layering, and integration. Placement is when illegal monies are smuggled into the legitimate financial system. Layering occurs when the money is shifted around to create confusion as to its source, often by wiring or moving funds between multiple accounts and financial institutions. Integration is the use of further transactions to move funds into the licit financial system, making the dirty money appear clean.
1.1 Evolving legislation
Financial institutions, including bank holding companies and their subsidiaries, are required to comply with numerous federal laws and regulations to combat ML and TF risks. The Currency and Foreign Transactions Reporting Act of 1970 (commonly referred to as the Bank Secrecy Act (BSA)) was established in 1970 as the foundational law to fight ML. Since then, many additional anti-money laundering (AML) laws have been enacted. Most recently, in January 2021, Congress enacted the Anti-Money Laundering Act of 2020 (AMLA), which focuses on countering the financing of terrorism (CFT) through ML.
In May 2024, an additional piece of rulemaking was proposed by the Securities and Exchange Commission (SEC) and the Financial Crimes Enforcement Network (FinCEN) that would require SEC-registered investment advisers and exempt reporting advisers to establish customer identification programs. These programs would be delegable to third parties as permissible by existing rules. The proposed rule has not yet been enacted.
The Corporate Transparency Act (CTA), enacted in 2021, aims to combat illicit activities such as tax fraud, money laundering, and terrorism financing by collecting more ownership information from certain US businesses. The CTA requires eligible businesses to submit a Beneficial Ownership Information (BOI) report to FinCEN. The BOI report identifies individuals associated with the business. The CTA is intended to prevent individuals with criminal intent from concealing or exploiting ownership of US entities to facilitate their illegal activities, a tactic identified by Congress as a threat to national security and the economic integrity of the US.
On December 26, 2024, a US appeals court paused the enforcement of the AML law mandating corporate entities to disclose their true beneficial owners to the US Treasury Department. This decision came just before the deadline for most companies to comply. The 5th US Circuit Court of Appeals in New Orleans reinstated a nationwide injunction, originally issued by a federal judge in Texas, who ruled that the CTA was unconstitutional. The case has been appealed to the Supreme Court.
On March 21, 2025, FinCEN issued an interim final rule relieving all US companies and persons from the BOI reporting requirements. Foreign companies are, however, still required to report.
A traditional ML investigation focuses on linking funds to a previous criminal act. However, a TF investigation focuses on preventing organizations with terrorist ties from procuring legitimate funds or gaining access to otherwise legitimate business dealings that could be used to fund future criminal activity. The AMLA mandates that equal attention be given to ML and TF. This dual focus should be reflected in the development of compliance processes and the assessment of risks. It is also reflected in the choices made when establishing other regulatory requirements.
Section 2 – Conducting a money laundering and terrorist financing risk assessment
The AMLA requires financial institutions to implement compliance programs that include a stringent ML and TF risk assessment program. These risk-based programs are customized programs that are tailored to fit an organization’s particular risks and needs. They are designed to ensure that a financial institution is able to direct more attention and resources toward its own higher-risk customers and activities.
In a proposed rule issued July 3, 2024, but not yet finalized, FinCEN stresses 'Effective, Risk-Based, and Reasonably Designed' AML/CFT Program requirements. In addition, in June 2025, FinCEN issued a press release titled 'Financial Action Task Force Identifies Jurisdictions with Anti-Money Laundering, Countering the Financing of Terrorism, and Counter-Proliferation Finance Deficiencies.' The Release alerts US financial institutions to the increased risk associated with dealings with Foreign Financial Institutions that may be associated with any of the jurisdictions identified in the Release.
2.1 Prosecutorial viewpoint
When analyzing and assessing an AML and CFT system, it is often helpful to consider the prosecutorial perspective of an ML and TF criminal investigation. If, at the time of the offense or charging decision, there is an effective and well-designed compliance program, then this may help a financial institution to avoid or mitigate liability. It may also affect the monetary penalty or the institution’s future compliance obligations. While there is no rigid formula to assess the effectiveness of any given compliance program, the US Department of Justice (DOJ) has set three ‘fundamental questions’ it considers when evaluating corporate compliance programs.
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
2.2 Factors to evaluate a compliance program
When evaluating the design, application, and functioning of a compliance program from a prosecutorial viewpoint, financial institutions should examine the following factors and weigh each factor depending on the size, structure, and risk profile of the institution.
- The structure of the compliance program;
- The seniority and stature of compliance program personnel;
- The experience and qualifications of compliance program personnel;
- The funding and resources available for the compliance program;
- The data resources and access granted to compliance program personnel;
- The autonomy of the compliance program and its personnel; and
- The decisions made regarding the outsourcing of compliance functions.
Each of these factors is described more fully in the following sections.
2.2.1 Structure of the program
Structure looks at the place of the program within the organization. Is the AML and CFT compliance function housed within an in-house legal department, under a business function, or as an independent function reporting to senior management?
Structure also considers who leads the oversight of the program, and to whom those implementing the program must report, such as a designated chief compliance officer or another executive within the institution. Compliance personnel may be dedicated solely to compliance responsibilities, or, in some smaller organizations, they may have other, non-compliance-related responsibilities. Consider the reasons for the choice of compliance structure.
2.2.2 Seniority and stature
Do not treat compliance functions as an afterthought; instead, compare them with other strategic functions in the institution on measures such as stature, compensation levels, rank, title, reporting line, resources, and access to key decision-makers.
Institutions must assess whether those responsible for compliance have sufficient seniority within the institution. A high turnover rate for compliance and relevant control-function personnel is indicative of a poorly run, ineffective program. See compliance as playing an important role in the organization’s strategic and operational decisions. Regulators and prosecutors will also consider how the institution has responded to specific historical instances where compliance personnel have raised concerns.
2.2.3 Experience and qualifications
Compliance and control personnel should have the appropriate experience and qualifications to fulfill their roles and responsibilities. The evolving compliance needs of the organization often mean that the level of experience and qualifications in these roles will change over time. Be prepared to invest in further training and development of the compliance and other control personnel as the requirements change. Undertake frequent performance reviews of the compliance function.
For more information regarding the experience and qualifications of compliance personnel, see How-to-guide: How to appoint a BSA (Bank Secrecy Act) compliance officer and Checklist: Screening employees for roles in AML compliance.
2.2.4 Funding and resources
Institutions must examine whether sufficient resources, including personnel, are allocated to AML and CFT compliance functions. Provide compliance personnel with sufficient staff to effectively audit, document, analyze, and act on the results of the AML and CFT compliance efforts. Ensure you allocate sufficient funds for these functions.
It is important for institutions to consider whether compliance personnel have made previous requests for resources that were denied and, if so, why those requests were denied. This consideration can provide valuable insight for the institution’s senior leaders when deciding whether their compliance program is adequately equipped, whether to allocate additional resources to the compliance program, and what specific resources are needed.
2.2.5 Data resources and access
Compliance and control personnel must be allowed to have sufficient access to relevant sources of data to allow the timely and effective monitoring or testing of policies, controls, and transactions. Address and remove any impediments that limit access to relevant sources of data, if possible.
2.2.6 Autonomy
Institutions must analyze whether, and to what degree, those responsible for compliance have autonomy from management. Ensure that personnel engaged in compliance and the relevant control functions have direct reporting lines to the board of directors and the audit committee. It should be clear, however, that neither the board nor the audit committee may control or influence the compliance function.
2.2.7 Outsourced compliance functions
Many institutions outsource all or parts of their compliance functions to an external firm or consultant. Consider why the outsourcing decision was made. Clearly designate the person within the organization who is responsible for overseeing and liaising with the external provider. That person will be responsible for supervising the level of access the external firm or consultant has to institutional information, and for implementing the criteria for assessing the effectiveness of the outsourced process.
2.3 Types of risks to consider
‘Inherent risk’ is the degree of ML and TF risk present before systems and controls are implemented to decrease that risk. Similarly, ‘residual risk’ is the degree of ML and TF risk that remains after systems and controls have been implemented. Identify inherent risks by developing an acceptable risk assessment technique or model, including a mechanism for measuring the likelihood and effect of ML and TF hazards.
Once inherent risks have been identified, implement systems and controls to limit or mitigate them. Then calculate the residual risk, and once the residual risk is calculated, put in place systems, procedures, and controls to manage it.
2.4 Documenting the risk assessment, systems, and controls
The starting point for conducting a risk assessment is to consider the institution’s business from a commercial standpoint. Institutions must understand how their own organization identifies, evaluates, and defines its risk profile, and must recognize the extent to which their organization scrutinizes risks and provides resources to address those risks. To conduct an adequate risk assessment, analyze and address the various risks present, based on the following factors:
- the institution’s locations;
- the institution’s industry;
- market conditions;
- the institution’s current and potential customers, clients, and partners;
- the regulatory landscape;
- the institution’s transactions or potential transactions with foreign governments;
- payments to foreign officials;
- political and charitable donations; and
- the institution’s utilization of third parties.
This is not an exhaustive list of factors for consideration, and institutions may need to assess additional factors based on their particular size, customer base, and business operations.
You must document the risk assessment. It is not feasible to build adequate risk-based procedures and controls in an AML and CFT program if the organization has not correctly documented its risk assessment. Appropriate documentation must include the items listed below.
- The methods used to conduct risk assessments.
- An evaluation of the likelihood of inherent ML and TF risk, and of the impact of that risk.
- A scale for assessing the relative importance of ML and TF risk, such as low, medium and high.
- A record of whether the organization has considered the following risk factors, as specified by AML and CFT rules:
  - the risks associated with customer types, including politically exposed persons;
  - the products and services the business offers and the channels used to distribute them; and
  - the risks associated with any foreign jurisdictions where the business operates.
- A record of how the organization considered the nature, size, and complexity of its business, and any additional risks posed by the specific business sector.
Suitable risk-based systems and controls must change over time, and they must be assessed, adapted, and updated on a regular basis. This adaptation and updating requires a constant understanding of emergent, evolving, and changing threats and risks.
A thorough risk assessment should be based on all available information. To perform a complete evaluation of the risks, the institution needs to examine data on product or channel usage patterns, transaction tracking, suspicious-matter reporting, internal financial crime reporting, and information from government agencies and law enforcement.
Section 3 – Application of risk-based controls
Appropriate risk-based systems and controls must be proportional to the amount of risk presented and take into account the type of ML and TF risk uncovered after screening and due diligence have been performed. To be certain that a system or control is applied consistently, it must be appropriately documented.
3.1 Understanding the types of risk-based controls
The types of risk-based controls that should be deployed by institutions fall into two control categories: preventative and detective.
Preventative controls limit the ability of a product or channel to be used in a way that increases ML and TF risks. Examples include setting transaction limits; requiring management approval for high-risk customers, products, or regions; using separate identification techniques for clients with whom the institution does not interact in person; or declining customers perceived as presenting too much risk.
Detective controls seek only to monitor activity. Examples of detective controls are gathering information on how your products or channels are used, as well as information from internal records, such as transaction monitoring and suspicious-matter reporting.
Relying solely on detective controls will likely leave the controls misaligned with the institution’s ML and TF risks, and may not decrease the institution’s inherent risks. Both preventative and detective controls should be employed.
3.2 Strength of the systems and controls
Systems and controls should be robust. When determining the strength of a system or control, an institution should consider, at a minimum, the following factors:
- the scope of coverage of the relevant system or control in the business;
- how frequently the system or control is applied;
- the resources and the expertise necessary to carry out or manage the system or control; and
- the level of internal reporting and oversight by senior staff for ensuring the effectiveness of the system or control.
In considering these factors, ensure that systems and controls are applied consistently. Also, maintain a clear understanding of which personnel must participate in managing and executing control functions and make significant investments into the continuous development of risk assessment systems and controls.
3.3 Continuous ML and TF risk assessment
One of the defining features of an effective compliance program is a capacity to improve and to evolve.
Examine the risks of ML and TF before your institution launches new products, puts in place new or emergent technology to deliver services, or makes changes to business activities (eg, by introducing a new line of business, or a merger). Examine the systems and controls in place to mitigate and manage risks on a regular basis to verify that they are still aligned with current risks, and that they are functioning properly. Compliance teams should record not just their periodic assessments and modifications, but also how those changes reflect the outcomes of their reviews. The institution’s compliance teams should have continuous access to operational data and information across the functions of the organization. It is especially important that compliance teams keep up to date on issues affecting businesses in their sector or area, and that they can explain how any lessons learned from those issues have been applied to the design of the program.
Record any system or control that is found to have decreased a risk. The record should include the approach and the reasoning behind why that risk has been lowered. It is critical that the institution understands how the systems and controls it has implemented may influence the organization’s overall AML and CFT program.
3.4 Third-party management
Third-party management refers to managing the risks posed by a third-party partnership. In addition to due diligence during the onboarding process, monitor and manage risks throughout the duration of the relationship.
When assessing third-party partnerships, there are four essential considerations:
- risk-based and integrated processes;
- appropriate controls;
- management of relationships; and
- real actions and consequences.
3.4.1 Risk-based and integrated processes
Institutions must ensure that their third-party management process corresponds to the nature and level of the enterprise risk identified by the organization. In doing so, consider whether your third-party management process has been integrated into the relevant procurement and vendor management processes. Integration of third-party management processes provides validity to the business rationale for using third parties and helps ensure there is proper oversight of third-party relationships by relevant departments within the institution.
3.4.2 Appropriate controls
Once an institution establishes the appropriate business rationale for the use of third parties, design contract terms to specifically describe the services to be performed and appropriate payment terms. Consider the compensation structures for third parties and analyze them against compliance risks to see if they are commensurate with the services rendered. The business rationale for using the third party must be particularly strong if a third party has any history of having been involved in misconduct with any other client. Further, if the third party was involved in misconduct, the institution should use carefully crafted preventative contract terms concerning liability and indemnity of the institution or seek the services of another third party that has the necessary qualifications.
3.4.3 Management of relationships
There must be an effective way to monitor the activities of third parties, including, if possible, the right to audit and analyze the third party’s books and accounts. Third-party relationship managers should receive ongoing training about compliance risks and how to manage them.
3.4.4 Real actions and consequences
Track and address any red flags identified from due diligence on third parties. Keep a record of third parties that do not pass the organization’s due diligence or that are terminated. Unless the red flags identified can be remediated, take steps to prevent those third parties from being hired or re-hired at some later date. If the red flags have been identified and remediated, keep detailed records regarding how those red flags were resolved.
3.5 Due diligence in the merger and acquisition (M&A) process
A well-designed compliance program should include the processes necessary for comprehensive pre-acquisition and post-acquisition due diligence, and for the orderly and timely integration of the acquired entity into existing compliance and control structures, all of which should be based on best practices. It is essential to conduct AML and CFT risk assessments during these acquisitions.
During the M&A process, it is important for the institution to scrutinize whether its AML and CFT compliance program is, as implemented, able to effectively enforce its internal controls and to remediate misconduct at all levels within the institution. This is important since the level of scrutiny applied to potential M&A targets indicates whether the compliance program is truly effective at enforcing the institution’s internal controls.
3.5.1 Due diligence process
Understand the normal operation of the M&A due diligence process. Ask whether the institution is able to complete pre-acquisition due diligence. If not, why not? Can you identify misconduct or the risk of misconduct during due diligence? Who conducts the risk review for the acquired and merged entities and how is that review done?
3.5.2 Integration in the M&A process
Incorporate the AML and CFT compliance function into the merger, acquisition, and integration process. This means that, during the due diligence phase, institutions should obtain and assess information regarding the adequacy of the target’s controls, map any gaps or changes to controls that are needed before or after closing on the target, and put a plan in place to integrate these two functions. Effective integration is critical, as incomplete pre- or post-due diligence and integration may enable the target company to continue any misconduct, which will likely result in harm to the acquiring institution.
3.5.3 Connecting due diligence to implementation
Once misconduct or the risks of misconduct have been identified for an M&A target, the acquiring institution should implement a process for tracking and remediating the misconduct or the identified risks of misconduct. There should be a clear process for implementing compliance policies and procedures at newly acquired entities. Additionally, institutions should conduct post-acquisition audits to ensure that targets adhere to any due diligence-related requirements placed upon them, both before and after the acquisition.
3.6 Warning signs that trigger review of risk assessment and controls
No risk assessment or control system should function statically. With a continuously running program, an institution will be on alert for any situations, or triggers, that warrant a review of its risk assessment and controls, and of how they affect the overall AML and CFT program.
Trigger examples might include the following:
- an unusually large change in customer adoption or use of a product or channel;
- a significant change in the volume or value of relevant transactions;
- the institution making a modification to a product or channel, such as expanding the channel or adding more flexible features to a product;
- transaction monitoring identifying unusual patterns of activity;
- unusual patterns of activity identified through ongoing customer due diligence;
- the financial crime compliance program identifying threats or emerging trends of criminal exploitation of a particular product or channel;
- a significant change in the external environment (eg, a change in the market, or a legal or regulatory change) that leads to a change in the institution’s exposure to risk; and
- communication from government agencies or law enforcement about the ML and TF risks of a product or channel.
3.7 Accessibility to senior management
Ensuring that compliance policies and procedures have been well communicated to all personnel throughout the institution is a critical duty of compliance teams. Thus, a robust and effective program needs senior management to clearly articulate the institution’s ethical standards, and to convey and disseminate those standards in unambiguous terms. Convey standards both in written policies and through the creation of a culture which emphasizes ethics and legal compliance at every level of the institution.
Likewise, keeping senior management in the chain of communication and ensuring senior management demonstrates rigorous adherence by example is vital to the program’s success. Processes must be in place within an institution to identify and escalate triggers to senior management.
At a minimum, processes should be in place to perform the following:
- ensure risk updates are built into the business strategy reviews of products or channels;
- identify and escalate trends from transaction monitoring;
- review, escalate, and refer trends from suspicious-matter reports, international fund transfer instructions and trends of large or unusual cash activity, including from threshold transaction reports;
- escalate and refer significant issues or trends identified by the institution’s financial crime compliance function relating to criminal activity;
- ensure that teams dealing with warrants or notices from law enforcement escalate significant issues or trends of unusual or criminal activity;
- escalate changes in the organization’s external environment that have been identified and analyzed, such as changes to legislation or the economic environment; and
- otherwise carry out periodic reviews at appropriate intervals, taking into account the ML and TF risks.
3.8 Training
The institution must ensure that it has an effective training program. As part of the evaluation of that program, the institution should evaluate the effect of the training program on employee behavior and operations. Consider developing certain metrics or conducting meaningful qualitative analysis of the program. One way of gathering that information is to conduct surveys to see if the program is having an impact.
For more information on training relevant personnel, see Checklists: Staff awareness and training to prevent money laundering and terrorist financing and Screening employees for roles in AML compliance.
3.8.1 Risk-based training
Provide tailored training to all high-risk and compliance personnel. Institutions should develop and utilize general training, both upon initial hire of compliance personnel and on a continual basis thereafter. Provide additional training if misconduct occurs. This training should address risks in the area where the misconduct occurred. Supervisory employees should receive different or supplementary training, to reflect their additional compliance responsibilities.
3.8.2 Form and content of training
Offer training in the form and language appropriate for the audience. There is no one format for training that is ‘best.’ In some instances, and for some levels of employees, online or remote training is adequate. For staff members with greater compliance responsibilities, in-person rather than remote-based training might be necessary.
3.8.3 Communication about misconduct
Senior management must make efforts to notify employees about the organization’s position concerning misconduct by employees. Institutions may provide such notice in numerous ways, including through written policies, through senior management’s demonstration by example, through the use of incentives for compliance and disincentives for non-compliance, or through a combination of these. Similarly, employees should also understand that no retaliatory action will be taken against them for reporting misconduct.
3.8.4 Availability of guidance
Make resources available to employees to provide guidance relating to compliance policies. Resources may include a qualified compliance officer and management team, written policies that are easily located, and ready access to sources of data that assist with timely and effective monitoring of transactions and controls. Advise employees about where they should go, or the person to ask, if they have questions regarding compliance.
3.9 Provide management access to ML and TF risk information
The institution must have systems in place to guarantee that personnel with risk management responsibilities have access to complete and timely information about risks. Conduct regular internal audits and thoroughly document the results of those audits, as this process is essential for risks to be properly assessed, updated, mitigated, and managed. The completeness and quality of information presented to top management, committees, and boards is critical to effective governance and oversight.
Have appropriate and qualified compliance personnel, or the institution’s compliance officer, brief senior management on all updated risk assessments.
Additional resources
Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020)
31 USC sections 5311-5330
31 CFR Chapter X
AML Update: SEC and FinCEN Proposed Rule
Related Lexology Pro content
How-to guides:
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective
Checklists:
Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing