AML risk assessment

The institution-wide risk assessment is the foundation the entire AML framework stands on, and the first thing an SRO auditor reads. It analyses where money-laundering risk concentrates across your clients, products, channels and geographies, and everything downstream (onboarding due diligence, risk classification, monitoring rules, policies) should derive from it. We build it specific to your firm, not from a template, so the framework above it is coherent.

At a glance

The foundation everything else is calibrated to.

Specific to your firm: the first document the auditor reads.

Scope: Institution-wide, firm-level
Covers: Clients, products, channels, geographies
Drives: Onboarding, monitoring, policies
Owned by: The governing body
Updated: Periodically & on change
The essentials

What the risk assessment is

The AML risk assessment is the firm-level analysis of money-laundering and terrorist-financing risk a financial intermediary faces, required under the framework around the Anti-Money Laundering Act. It examines the client base, products, channels and geographies, and concludes where the firm’s risk concentrates. It is the foundation everything else is calibrated to (onboarding, classification, monitoring, policies) and the document an auditor reads first to judge whether the framework is built on understanding or on a template.

Who this is for

  • financial intermediaries building or rebuilding their framework;
  • firms whose risk assessment is generic or out of date;
  • new intermediaries establishing the foundation correctly;
  • firms that have had findings rooted in a weak assessment.

Where it fits

The assessment drives the onboarding classification and the monitoring rules, and is the basis of the policy framework.

The dimensions

What the assessment analyses

The risk assessment looks across the firm and concludes where the exposure sits. Each dimension drives a part of the framework that should respond to it.

AML risk dimensions and what they drive (Switzerland, as of June 2026).

  Dimension             Drives
  Client base           Onboarding risk classification
  Products & services   Where enhanced due diligence applies
  Channels              Remote vs face-to-face onboarding rules
  Geographies           Country-risk weighting in monitoring

A firm-specific assessment produces firm-specific controls; a generic one produces a framework that fits no one. The point is to analyse the firm’s real exposure, not to assert a conclusion, because the auditor (and the quality of every control downstream) depends on this being genuine. We do the analysis, not the assertion.

The grading

How risk ratings are set

Each relationship is scored across the same dimensions, and the highest factor usually pulls the rating up. What separates a standard client from one needing enhanced due diligence is concrete: here is the pattern most Swiss frameworks apply.

Indicative AML risk grading by factor (Switzerland, as of June 2026). Indicative only; each firm calibrates to its own assessment.

  Factor      Lower risk                              Higher risk → EDD
  Client      Swiss-resident, transparent ownership   PEP, complex or opaque ownership
  Geography   Switzerland, FATF-aligned states        High-risk or sanctioned jurisdictions
  Product     Plain, traceable services               Cash-like, cross-border, crypto exposure
  Channel     Face-to-face onboarding                 Remote, introduced or chained relationships

One high-risk factor (a PEP, a high-risk jurisdiction) is usually enough to trigger enhanced due diligence on its own, regardless of how clean the other factors are. The grading is not an average; it is a floor set by the worst factor. We build the rating logic into the assessment so the onboarding classification follows it automatically rather than by hand.
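The floor logic described above, as an added example that is not part of the original page or of the firm's own tooling: each dimension is graded from the table, the overall rating is the worst single factor, and an averaging model is included only to show how it would mask a PEP behind three clean factors. The attribute tags and the two sample relationships are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    LOWER = 1
    HIGHER = 2  # the "Higher risk -> EDD" column of the grading table


# Tags per dimension that fall in the higher-risk column. Constructed names;
# a real firm's assessment defines its own taxonomy.
HIGHER_RISK_TAGS = {
    "client": {"pep", "complex_ownership", "opaque_ownership"},
    "geography": {"high_risk_jurisdiction", "sanctioned_jurisdiction"},
    "product": {"cash_like", "cross_border", "crypto_exposure"},
    "channel": {"remote", "introduced", "chained"},
}


@dataclass
class Relationship:
    """Attribute tags observed for one client relationship, per dimension."""
    client: set = field(default_factory=set)
    geography: set = field(default_factory=set)
    product: set = field(default_factory=set)
    channel: set = field(default_factory=set)


def grade_factor(dimension: str, tags: set) -> Risk:
    # A dimension is higher risk as soon as any tag sits in the higher-risk column.
    return Risk.HIGHER if tags & HIGHER_RISK_TAGS[dimension] else Risk.LOWER


def grade_relationship(rel: Relationship) -> dict:
    # Floor logic: the rating is the worst factor; one higher-risk factor triggers EDD.
    factors = {dim: grade_factor(dim, getattr(rel, dim)) for dim in HIGHER_RISK_TAGS}
    rating = max(factors.values())
    triggers = sorted(dim for dim, r in factors.items() if r == Risk.HIGHER)
    return {"factors": factors, "rating": rating,
            "edd_required": rating == Risk.HIGHER, "triggers": triggers}


def averaged_rating(rel: Relationship) -> Risk:
    # The model the text rejects: averaging lets clean factors dilute one bad one.
    levels = [grade_factor(dim, getattr(rel, dim)) for dim in HIGHER_RISK_TAGS]
    return Risk(round(sum(levels) / len(levels)))


# Constructed samples: a Swiss-resident PEP onboarded face-to-face for a plain service,
# and the same profile without the PEP flag.
PEP_CLIENT = Relationship(client={"swiss_resident", "pep"}, geography={"switzerland"},
                          product={"plain_traceable"}, channel={"face_to_face"})
STANDARD_CLIENT = Relationship(client={"swiss_resident"}, geography={"switzerland"},
                               product={"plain_traceable"}, channel={"face_to_face"})
```

Run against the samples, the PEP relationship lands in EDD on the client factor alone, while the averaged model would grade it as lower risk.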

Where risk assessments fall down

The findings that recur at audit are rarely about the template. They are about the assessment not matching the business:

  • a generic document that could belong to any intermediary, with no firm-specific conclusion;
  • a rating logic on paper that the onboarding and monitoring do not actually follow;
  • an assessment never refreshed after a new product, market or client segment was added;
  • no evidence the governing body engaged with it, rather than signing it off unread.

Each is cheap to fix at the assessment stage and expensive to explain once an auditor has written it up. We build the assessment so these gaps do not open in the first place.

How it runs

How it is built

The assessment is built from the firm’s real activity, owned at board level, and connected to the controls it drives.

  1. Map the business: gathering the firm’s real client base, products, channels and geographies as the raw material of the assessment.
  2. Analyse the risk: assessing each dimension for money-laundering risk and concluding where the firm’s exposure concentrates.
  3. Board ownership: preparing the assessment to a standard the governing body can genuinely own and approve.
  4. Drive the controls: connecting the assessment to the onboarding classification, monitoring rules and policy framework.
  5. Periodic review & update: refreshing the assessment as the business changes or new products and markets are added.

Budget

What it costs

The assessment is scoped to the firm’s size and complexity: a small, low-risk intermediary’s assessment is proportionately lighter than a large, multi-product one, though both must do real analysis. It is usually built once and maintained, rather than re-created each year.

We scope and quote against the firm’s profile. Pricing is on request.

What you need

What the assessment requires

A risk assessment that actually founds the framework rests on:

  • real analysis of the firm’s clients, products, channels and geographies;
  • conclusions specific to the firm, not a template;
  • genuine ownership and approval by the governing body;
  • a direct connection to the controls it drives;
  • periodic review as the business evolves.

A risk assessment that fits any firm fits none

The clearest sign of a weak framework is a risk assessment so generic it could belong to any intermediary in the sector: the same risks, the same conclusions, no trace of the firm’s actual clients or products. An auditor reads it first to test this, and a template assessment undermines confidence in everything built on it. The value is in the specific analysis: this firm’s clients, these products, those geographies, and where the risk really sits. We do that work, because a foundation that fits any firm supports none.

Why Goldblum

The assessment, in practice

The risk assessment is where a sound AML framework begins. Building one specific to the firm, owned at board level and connected to the controls is the foundation work this firm does.

Specific

Your firm, not a template

An assessment built from the firm’s real clients, products, channels and geographies: the genuine analysis an auditor reads first and finds sound.

Connected

Drives the whole framework

The assessment linked to the onboarding classification, monitoring rules and policies, so they derive from it rather than sit apart.

Owned

Board-level, and current

Prepared to a standard the governing body can genuinely own, and reviewed as the business changes, so it never goes stale.

Related

What the assessment drives

Foundations

AML policy framework

The policies and procedures that are the operational response to the risk the assessment identifies.

Front door

KYC & onboarding

The onboarding risk classification built directly on the assessment’s conclusions.

Run it for me

External AML officer

The officer who maintains the assessment and the framework it founds — under one mandate.

FAQ

AML risk assessment: FAQ

1. What is an AML risk assessment?

An AML risk assessment is the institution-wide analysis of the money-laundering and terrorist-financing risk a financial intermediary faces, across its clients, products, services, distribution channels and geographies. It is not a per-client check but a firm-level picture of where the risk concentrates. It is the foundation of the whole AML framework: the onboarding due diligence, the risk classification, the monitoring rules and the policies all flow from it. Build it well and the rest of the framework is coherent; build it poorly and everything downstream is mis-calibrated.

2. Why is the risk assessment the foundation of the framework?

Because every other control should be calibrated to it. The depth of due diligence at onboarding, how clients are risk-classified, how tightly transactions are monitored, what the policies emphasise: all of it should reflect where the firm's actual risk lies, as identified in the assessment. Without a real risk assessment, the controls are generic guesses rather than a proportionate response to the firm's exposure. This is why an auditor reads the risk assessment first: it tells them whether the framework is built on an understanding of the firm's risk or on a template.

3. What does the risk assessment cover?

The risk dimensions the firm actually faces: the client base (types, jurisdictions, PEPs, complexity of structures), the products and services offered, the distribution and onboarding channels (face-to-face, remote, intermediated), and the geographies involved. Each is assessed for the money-laundering risk it carries, and the assessment concludes where the firm's risk concentrates and how the controls should respond. It is specific to the firm. Two intermediaries in the same sector can have very different risk profiles depending on whom and how they serve.

4. How often must the risk assessment be updated?

Periodically, and whenever something material changes: a new product, a new client segment, entry into a new market, or a shift in the regulatory or threat environment. A risk assessment written once and never revisited becomes stale and disconnected from the business, which an auditor will notice. It is a living document that should track the firm as it evolves. We build it to be maintained, and review it when the business changes, so it stays an accurate picture rather than a historical one.

5. What happens if the risk assessment is weak or generic?

Everything built on it is mis-calibrated, and the auditor sees it immediately. A generic risk assessment (one that could belong to any firm) signals that the framework is a template rather than a response to the firm's actual exposure, and it undermines confidence in the onboarding, monitoring and policies that should flow from it. Weak risk assessments are a common root cause of broader audit findings. Getting the foundation right is what makes the rest of the framework defensible, which is why it is worth doing properly.

6. Who should own the risk assessment?

The firm's governing body owns it (the risk assessment is a management responsibility, not a back-office formality), though it is typically prepared by the AML officer or an external specialist and approved at board level. That ownership matters because the risk assessment shapes the firm's whole approach to financial crime, and the governing body is accountable for AML compliance. We prepare the assessment to a standard the governing body can genuinely own and approve, rather than a document it signs without engaging.

7. How does the risk assessment drive the rest of the framework?

Directly and concretely. The risk categories it identifies become the onboarding risk-classification model; the high-risk areas it flags set where enhanced due diligence applies; the transaction patterns it analyses shape the monitoring rules; and the priorities it surfaces direct the policies and the training. A well-built risk assessment makes the rest of the framework fall out logically. We build it so it is genuinely the source the onboarding, monitoring and policies derive from, not a document that sits apart from the controls it should drive.

8. Does a small firm still need a full risk assessment?

Yes, every financial intermediary needs an institution-wide risk assessment, though its depth scales with the firm's size and complexity. A small, low-risk firm's assessment is proportionately shorter than a large, complex one, but it must still genuinely analyse the firm's clients, products, channels and geographies rather than assert a conclusion. The obligation is universal; the proportionality is in the depth. We build an assessment sized to the firm that still does the real analytical work an auditor expects.

9. How does it relate to the policy framework?

The risk assessment is the analysis; the policy framework is the response. The assessment identifies where the risk is, and the policies, directives and procedures set out how the firm controls it. Policies written without a risk assessment beneath them are generic and disconnected; policies built on a real assessment are targeted and coherent. The two are designed together, with the assessment first. We build the risk assessment as the foundation and the policy framework as its operational expression, so they are consistent by construction.

10. What does Goldblum do on the risk assessment?

We build the institution-wide AML risk assessment around the firm's real client base, products, channels and geographies, identifying where the money-laundering risk concentrates and how the controls should respond. We make it specific rather than generic, prepare it to a standard the governing body can own, and connect it to the onboarding, monitoring and policy framework so they derive from it. We keep it current as the business changes. The aim is the genuine foundation an auditor reads first and finds sound.

Is your risk assessment real or generic?

Tell us your clients, products and markets. A partner builds an institution-wide risk assessment specific to your firm: the foundation the rest of the framework derives from.