Assessing money laundering and terrorism financing risk is a key obligation for every obliged institution – from accounting firms to insurers and banks. This requirement will become even more important in 2025 due to growing expectations from regulators and updated EU and national guidelines. This guide explains how to properly develop an AML risk assessment, which factors should be considered, and how to avoid common mistakes.

What is an AML risk assessment?

An AML risk assessment is a document describing the likelihood that money laundering or terrorist financing may occur at a given institution. Under the AML Act, an institution must identify threats, assign them a priority, determine the risk level, and implement appropriate security measures.

Which institutions must prepare it?

The obligation applies to every entity listed in the AML Act, including:

  • banks, credit unions, insurers,
  • accounting offices, tax advisors,
  • notaries, attorneys, legal advisors (to a certain extent),
  • real estate agents,
  • investment funds and payment institutions.

Each institution must tailor its assessment to the scale, profile and type of activity.

What are the legal bases?

An AML risk assessment should include:

  • national risk assessment (last published by the Ministry of Finance),
  • findings from the European Commission reports on Directive 2015/849,
  • current recommendations and announcements from supervisors, including the Polish Financial Supervision Authority.

The institution should update the assessment at least every 2 years or more frequently if risk factors change.

What risk factors should be analyzed?

The AML Act identifies four main areas that must be assessed:

1. Customer Risk

  • legal status,
  • business profile,
  • source of financing,
  • the nature of the business relationship (occasional or long-term).

2. Geographical risk

The following should be analyzed, among others:

  • country of the customer's headquarters,
  • country of origin of the transaction,
  • ties with high-risk countries (as listed by the FATF and the EU).

Transactions from high-risk countries are a warning signal.

3. Product and service risk

The risk is higher if:

  • anonymous transactions are possible,
  • the product enables quick transfer of funds,
  • the design of the service makes it difficult to identify the beneficial owner.

The KNF (Polish Financial Supervision Authority) recommendations indicate that each product must be assessed before it is placed on the market.

4. Delivery channel risk

The following should be taken into account:

  • remote (non-face-to-face) relationships,
  • automated processes,
  • use of agents or intermediaries.

How to assess customer risk?

The institution should:

  1. Determine who the customer is – in accordance with the statutory definition.
  2. Examine its profile, scale of operations and source of funds.
  3. Check the expected regularity and purpose of the business relationship.
  4. Identify unusual behaviors, e.g.:
    • amounts inconsistent with the customer's profile,
    • lack of economic logic,
    • sudden changes in trading patterns.

How to analyze products, services and transactions?

Key questions:

  • Does the product enable fast transfers?
  • Is it susceptible to third-party use?
  • Does it allow the source of funds to be concealed?
  • Does the institution have the technical resources to handle it safely?

Products and transactions should also be assessed for:

  • the typical value of the assets involved,
  • transaction volume,
  • deviations from the norm.

What are risk matrices?

Risk matrices are point systems that allow you to assign:

  • the customer,
  • the transaction,
  • the product

to one of the categories: low / medium / high risk.

IMPORTANT: An AML risk assessment is not a business risk assessment – these are two separate processes.
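The following is an added illustration of such a point-based risk matrix; it is not code from this article or from any regulator. It scores yes/no flags drawn from the four risk areas described above and maps the total to low / medium / high, with ties to a high-risk country treated as a warning signal that forces "high". All weights, thresholds and the escalation of measures are assumptions chosen for illustration only.

```python
from dataclasses import dataclass, fields

@dataclass
class RiskFactors:
    """One yes/no flag per factor from the four risk areas (constructed set)."""
    # 1. Customer risk
    complex_legal_status: bool = False      # e.g. multi-layered ownership structure
    unclear_source_of_funds: bool = False
    occasional_relationship: bool = False   # occasional rather than long-term
    # 2. Geographical risk
    high_risk_country: bool = False         # ties with a country on the FATF or EU lists
    # 3. Product and service risk
    anonymous_transactions: bool = False
    fast_transfer: bool = False
    beneficial_owner_obscured: bool = False
    # 4. Delivery channel risk
    remote_relationship: bool = False
    automated_process: bool = False
    uses_intermediary: bool = False

# Assumed point weights (illustrative, not taken from any regulation)
WEIGHTS = {
    "complex_legal_status": 2, "unclear_source_of_funds": 3, "occasional_relationship": 1,
    "high_risk_country": 4,
    "anonymous_transactions": 4, "fast_transfer": 2, "beneficial_owner_obscured": 3,
    "remote_relationship": 1, "automated_process": 1, "uses_intermediary": 2,
}

def score(f: RiskFactors) -> int:
    """Sum the weights of every factor that applies."""
    return sum(WEIGHTS[fld.name] for fld in fields(f) if getattr(f, fld.name))

def categorize(f: RiskFactors) -> str:
    """Map a factor set to low / medium / high. A high-risk country overrides the
    point total (assumed rule); thresholds 3 and 7 are also assumptions."""
    if f.high_risk_country:
        return "high"
    s = score(f)
    return "high" if s >= 7 else "medium" if s >= 3 else "low"

def required_measures(category: str) -> list[str]:
    """Financial security measures per category: the standard set always applies,
    source-of-funds examination is added only for 'high' (assumed escalation)."""
    measures = ["KYC identification and verification", "determine beneficial owner",
                "analyse purpose and nature of the relationship",
                "ongoing transaction monitoring", "document each stage"]
    if category == "high":
        measures.append("examine source of funds")
    return measures
```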

What financial security measures need to be taken?

The risk assessment results determine which financial security measures the institution must implement. These include:

  ✔ customer identification and verification (KYC)
  ✔ determining the beneficial owner
  ✔ analysis of the purpose and nature of the relationship
  ✔ ongoing transaction monitoring
  ✔ examination of the source of funds (if necessary)
  ✔ documenting each stage

FAQ

How often should the AML risk assessment be updated?

At least once every 2 years, but more frequently if legal circumstances, customer profile or products change.

Does a small accounting firm need to have the same risk assessment as a bank?

No. The document must be appropriate to the scale of the business – the scope of the analysis may be smaller, but the obligations are the same.

Does a risk assessment have to be in writing?

Yes – the legislator requires written or electronic form.

Does the risk assessment cover individual occasional transactions?

Yes – every transaction must be analyzed in terms of threats.

Is a risk matrix mandatory?

No, but it is recommended – it organizes the process and supports the audit.

Summary

An AML risk assessment is the foundation of an effective anti-money laundering system. It requires a systematic approach, regular updates, and consideration of customer, geographic, product, and transaction-specific factors. A well-developed risk assessment facilitates the implementation of appropriate security measures and minimizes the risk of sanctions.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of November 26, 2025
