BSA/AML and OFAC risk assessment: Best practices for financial organizations

ARTICLE | May 06, 2022

Authored by RSM US LLP

Several questions can keep risk leaders at financial institutions up at night. Do we know where our organization may be at risk? Do we have controls in place to mitigate those risks? Is our risk assessment up to date? Developing an effective strategy for risk assessments under regulations such as the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements and the Office of Foreign Assets Control (OFAC) sanctions program can help address these common concerns.

Although having a risk assessment is not a legal requirement, regulators expect financial organizations to have one documented. The Federal Financial Institutions Examination Council (FFIEC) manual provides general guidance on developing and updating a BSA/AML and OFAC risk assessment for financial organizations. Appendix J of the FFIEC online manual includes a Quantity of Risk Matrix and Appendix M includes a Quantity of Risk Matrix—OFAC Procedures. Both appendices provide a baseline for assessing BSA/AML and OFAC risks.

By performing a risk assessment, your financial services organization gains a holistic view of where its risks lie across customers, products, services and geographical presence. It also lets you identify control gaps that could expose the institution to regulatory findings and monetary fines.

Since risk assessments are specific to each organization, no two will be exactly alike; the approach to conducting them, however, should be similar. Below are some best practices to keep in mind when developing or enhancing a risk assessment:

  • Complete a thorough review to confirm that all customer types, products, services and geographical locations are included in the risk assessment. If specific risk areas are not applicable, institutions should still include them as a line item in the risk assessment and state why they are not applicable.
  • Provide a distinction between inherent risks and residual risks. Each risk area in the risk assessment should have an inherent risk rating and residual risk rating. Standard inherent and residual risk ratings are low, moderate or high, and the definitions for each risk level are to be determined by your organization.
    • Inherent risks—the level of risk present without consideration of the effectiveness of existing controls. Qualitative and quantitative data are used to determine the level of risk.
    • Residual risks—the level of risk remaining after considering the effectiveness of existing controls.
  • A majority of risk assessments do a good job of including mitigating controls; however, the part that is frequently left out is determining the effectiveness of the mitigating controls that are in place. Determining the effectiveness of the mitigating controls is critical in understanding the residual risk for each risk area. Standard ratings are strong, adequate or inadequate. Again, the definitions for each rating are to be determined by your organization.
  • Once the inherent risk rating and the control effectiveness rating are determined, the residual risk can be calculated for each risk area. The residual risk rating should not be determined by the individual(s) completing the risk assessment, and a methodology should be in place to limit the subjectivity of the process. Below is a residual risk rating matrix, commonly used for calculating the residual risk rating. As you can see, the inherent risk and effectiveness of the mitigating controls drive the residual risk rating.


Residual risk rating matrix (rows: control effectiveness rating; columns: inherent risk rating; the cell ratings are not reproduced in the source):

                                | Inherent Risk - Low | Inherent Risk - Moderate | Inherent Risk - High
    Control Rating - Strong     |                     |                          |
    Control Rating - Adequate   |                     |                          |
    Control Rating - Inadequate |                     |                          |

  • A methodology should be in place to determine the overall risk of the organization. Common overall risk ratings are low, moderate or high, and the threshold bands (e.g., low risk is 0-2.5, moderate risk is 2.6-5, etc.) are determined by your organization.
  • When completing the risk assessment, keep the BSA/AML and OFAC risks separate. It is best to have two separate risk assessments, each tailored to its specific risks and controls. It is not uncommon for your overall BSA/AML and OFAC risk ratings to differ; again, this depends on the customer base, products/services and geographical presence.
  • The FFIEC online manual states that the risk assessment should be updated when there is a change in customers, products, services or geographic locations. Beyond that, the manual does not give specific timelines for when organizations should update their risk assessments. It is nevertheless a best practice to update your risk assessment every 12-18 months. When updates are made, the compliance team should inform the board of directors so they know where current BSA/AML and OFAC risks exist.
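The residual-risk matrix, control-effectiveness rating and overall threshold bands described in the bullets above, worked through as an added example that is not part of the article. The matrix cell values (strong controls lower the inherent level one step, inadequate controls raise it one step), the numeric score per residual level, and the "high" band above 5.0 are assumptions, since the article leaves these definitions to each organization; the risk areas are constructed sample data.

```python
# Added example, not from the article. Matrix, per-level scores and the
# "high" band above 5.0 are ASSUMPTIONS; each organization defines its own.
LEVELS = ["low", "moderate", "high"]
CONTROL_SHIFT = {"strong": -1, "adequate": 0, "inadequate": +1}  # assumed matrix rule
SCORE = {"low": 1.0, "moderate": 4.0, "high": 7.0}               # assumed numeric scale
# Threshold bands from the article (low 0-2.5, moderate 2.6-5); high assumed above 5.0
BANDS = [(2.5, "low"), (5.0, "moderate")]

def residual_rating(inherent, control):
    """Assumed residual-risk matrix: strong controls lower the inherent level by
    one step, adequate leave it unchanged, inadequate raise it by one step."""
    idx = LEVELS.index(inherent) + CONTROL_SHIFT[control]
    return LEVELS[max(0, min(len(LEVELS) - 1, idx))]

def overall_rating(score):
    """Map a one-decimal overall score to a rating using the threshold bands."""
    for upper, rating in BANDS:
        if score <= upper:
            return rating
    return "high"

def assess(areas):
    """Return per-area residual ratings, the overall score and the overall rating.
    Non-applicable areas stay as line items but must carry a justification."""
    per_area, scores = {}, []
    for area in areas:
        if not area.get("applicable", True):
            if not area.get("justification"):
                raise ValueError(f"{area['name']}: N/A areas must state why")
            per_area[area["name"]] = "n/a"
            continue
        rating = residual_rating(area["inherent"], area["control"])
        per_area[area["name"]] = rating
        scores.append(SCORE[rating])
    overall = round(sum(scores) / len(scores), 1) if scores else 0.0
    return per_area, overall, overall_rating(overall)

# Constructed sample risk areas for a BSA/AML assessment (not real data)
SAMPLE_AREAS = [
    {"name": "Customers: cash-intensive businesses", "inherent": "high", "control": "adequate"},
    {"name": "Products: international wires", "inherent": "high", "control": "strong"},
    {"name": "Services: ACH origination", "inherent": "moderate", "control": "adequate"},
    {"name": "Geography: domestic branches only", "inherent": "low", "control": "adequate"},
    {"name": "Customers: money services businesses", "inherent": "moderate", "control": "strong"},
    {"name": "Products: trade finance", "applicable": False, "justification": "not offered"},
]

if __name__ == "__main__":
    print(assess(SAMPLE_AREAS))  # overall score 3.4 -> moderate
```

Because the residual rating and the overall band are computed from the recorded inherent and control ratings, two assessors given the same inputs reach the same result, which is the subjectivity limit the article asks for.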

A common misconception is that risk assessments apply only to traditional banking entities. In reality, they also apply to non-traditional financial institutions such as, but not limited to, broker-dealers, auto lenders and fintech companies. As technology continues to develop, the risk profile of these organizations is constantly changing. Understanding the risk profile of a non-traditional financial institution is even more important because of the unique customers, products, services and geographical presence it may have. The risk assessment is the critical point for understanding the risks and the controls in place, and it helps drive the next steps toward the organization's future state.


This article was written by Matthew Meyering and originally appeared on May 06, 2022.
2022 RSM US LLP. All rights reserved.
