On 10 October 2024, TD Bank agreed to pay approximately $3.09 billion in combined penalties to the US Department of Justice, FinCEN, and the Office of the Comptroller of the Currency.
Investigators concluded TD had failed to detect and report over $670 million in suspicious transactions tied to narcotics trafficking and other criminal networks.
Buried in the settlement documents was a detail every US compliance officer noticed: TD’s enterprise-wide AML risk assessment had not been refreshed to reflect emerging typologies, and when the methodology was updated, overrides were not documented and the output never reached the right committees.
The penalty was not just about missed SARs. It was about a risk assessment that had stopped telling the truth.
| Key Takeaways — AML Risk Assessment Questionnaire |
| --- |
| An AML risk assessment questionnaire is the structured instrument a financial institution uses to capture inherent money-laundering risk across customer, product, geographic, channel, and transaction factors. It converts risk judgment into auditable scores that drive customer due diligence, transaction monitoring thresholds, and enhanced due diligence decisions. |
| In the US, the BSA/AML risk assessment has been an expected regulatory output for decades under the FFIEC BSA/AML Examination Manual. In April 2026, FinCEN issued a Notice of Proposed Rulemaking that would, for the first time, codify risk-assessment procedures as an express statutory requirement for AML/CFT programs — turning what was implicit expectation into explicit rule. |
| The Wolfsberg Correspondent Banking Due Diligence Questionnaire (CBDDQ) is the de facto global template for the correspondent-banking segment. Its 100-plus questions span governance, KYC, sanctions, transaction monitoring, training, and risk assessment. Version 1.4 (2022) and its accompanying FAQ remain the current reference as of 2026. |
| TD Bank’s October 2024 penalty of approximately $3.09 billion — DOJ $1.8B, FinCEN $1.3B, OCC $450M — sits at the top of the 2024 league table and underlines the cost of a flawed AML risk assessment. Regulators specifically cited failures to update the risk assessment as transaction volumes and typologies shifted. |
| Global AML fines rose 417% in H1 2025 versus H1 2024 to roughly $1.23 billion (Nasdaq Verafin data). The 2026 enforcement posture emphasizes “material” and “systemic” failures over isolated errors, but material failures almost always trace back to a stale or incomplete AML risk assessment questionnaire. |
| The five risk-factor framework — customer, product/service, geography, delivery channel, transaction — is the most widely accepted AML risk assessment questionnaire architecture. Score each factor inherent and residual; total the matrix; document overrides; refresh at least every 18 months or whenever a material change occurs. |
| US institutions rolling out an AML risk assessment questionnaire in 2026 should map it to four anchors: the FFIEC Manual, the FinCEN AML/CFT Priorities (eight priorities published June 2021), the 2026 FinCEN NPRM requirements, and the Wolfsberg CBDDQ for correspondent relationships. One questionnaire, four audiences. |
The AML risk assessment questionnaire is the instrument that tries to prevent that outcome. It is the structured set of prompts a bank, a credit union, a broker-dealer, a money-services business, or a fintech uses to surface the inherent money-laundering and terrorist-financing risks in its customer base, products, geographic footprint, and transaction flows.
The output feeds everything downstream: customer due diligence levels, enhanced due diligence triggers, transaction monitoring rules, SAR-filing prioritization, training focus, and board-level reporting.
A weak AML risk assessment questionnaire does not just fail audits — it mis-prices the work every other control does.
This guide rebuilds the AML risk assessment questionnaire for 2026. It covers the FFIEC expectations, the five risk-factor architecture, the Wolfsberg CBDDQ for correspondent banking, the April 2026 FinCEN NPRM that reshapes program rules, and practical pitfalls regulators now flag on examination.
It is written for the US BSA Officer, head of financial crime, or fintech compliance lead who owns the questionnaire and the remediation plan that follows.
Pair it with riskpublishing’s broader compliance risk analysis and enterprise risk management framework references.
What the AML Risk Assessment Questionnaire Actually Is
An AML risk assessment questionnaire is a structured instrument a financial institution uses to capture inherent money-laundering risk across five dimensions — customer, product/service, geography, delivery channel, and transaction — and to assess the controls mitigating each.
The output is a residual-risk score that drives due diligence tiers, monitoring rules, and enforcement priorities. It is the single most examined AML document in an OCC, FDIC, or FinCEN review.
AML Risk Assessment Questionnaire: Purpose and Regulatory Anchor
The purpose is straightforward: quantify exposure before allocating resources. Under the FFIEC BSA/AML Examination Manual, a US financial institution must identify, assess, and understand its money-laundering and terrorist-financing risks as the foundation of its BSA compliance program.
The AML risk assessment questionnaire is the practical mechanism that produces that understanding. When the 2026 FinCEN AML/CFT Program NPRM takes effect, the risk assessment obligation becomes explicit in rule, not merely in examination practice.
AML Risk Assessment Questionnaire: Where It Sits in the Program
The questionnaire is the upstream input to every downstream BSA/AML control: customer onboarding segmentation, EDD triggers, transaction-monitoring rule calibration, OFAC sanctions screening tuning, independent testing scope, and board reporting content.
A well-built AML risk assessment questionnaire produces residual-risk scores that map to specific control actions. A weak one produces a colorful heatmap nobody uses.
The test of quality is whether a newly hired BSA analyst can read the questionnaire output and know what action to take on a flagged account.
The Five Risk Factors Any AML Risk Assessment Questionnaire Must Cover
Every credible AML risk assessment questionnaire covers five risk-factor categories: customer (who the client is), product/service (what you sell), geography (where activity occurs), delivery channel (how the relationship opens), and transaction (what flows through the account).
Each factor is scored inherent (pre-control) and residual (post-control). This architecture is consistent with the FFIEC Manual, FATF recommendations, and Wolfsberg guidance.
AML Risk Assessment Questionnaire: Customer Risk
Customer risk captures who the client is and how that identity shapes money-laundering exposure. Key prompts: Is the customer a Politically Exposed Person (PEP) or close associate? A cash-intensive business?
A money-services business? A shell or holding company with opaque beneficial ownership? A non-profit operating in high-risk jurisdictions?
After FinCEN’s February 2026 exceptive relief order on beneficial ownership collection, the questionnaire should document how the institution still satisfies FATF Recommendation 10 on customer due diligence even where the historical CDD Rule no longer applies. See how to manage third party risk for adjacent supplier-side controls.
AML Risk Assessment Questionnaire: Product and Service Risk
Product risk asks which of your offerings most attract illicit flows. Correspondent banking, international wire transfers, private wealth management, trade finance, prepaid cards, cryptocurrency custody, remote deposit capture, and shell-company onboarding all score high. Retail checking for W-2 employees scores low.
A 2026 AML risk assessment questionnaire should also tag each product to the FinCEN AML/CFT National Priorities — corruption, cybercrime (including ransomware), terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing.
AML Risk Assessment Questionnaire: Geography Risk
Geography captures jurisdictional exposure through three lenses: where the customer is located, where beneficiaries and counterparties sit, and where transactions originate or settle.
Anchor the scoring to authoritative lists: FATF high-risk and grey-list jurisdictions, OFAC comprehensive sanctions programs (Cuba, Iran, North Korea, Syria, Crimea, the so-called DNR/LNR regions of Ukraine),
Basel AML Index scores, Transparency International Corruption Perceptions Index, and the US State Department’s International Narcotics Control Strategy Report. A geographic score of 5 is reserved for comprehensive sanctions or FATF grey-list exposure.
AML Risk Assessment Questionnaire: Delivery Channel Risk
Delivery channel risk examines the mechanism by which the customer relationship is opened and maintained.
Non-face-to-face onboarding via mobile apps, relationships opened through third-party introducers, agents or brokers of record, outsourced CIP providers, and white-label fintech partnerships all elevate risk.
For fintechs and neobanks, the delivery-channel score is often the single largest contributor to a high inherent-risk rating — this is where the OCC and state departments of financial services focus attention in the 2026 enforcement cycle.
AML Risk Assessment Questionnaire: Transaction Risk
Transaction risk is the factor regulators test hardest on examination. It captures what actually flows through the account once the relationship is open.
Prompts include: large-value round-dollar transactions, structuring indicators, rapid movement through the account (pass-through), wire transfers to high-risk jurisdictions, dormant-then-active patterns, and transactions inconsistent with the stated purpose of the account.
Transaction-risk scoring should tie directly to the transaction monitoring system’s rule library, closing the loop between assessment and detection. Pair with approaches and tools for risk identification.
| Risk Factor | Low (1-2) | High (4-5) |
| --- | --- | --- |
| Customer | Local retail, W-2 employees, long-tenured | Foreign PEPs, shell companies, NGOs in high-risk jurisdictions |
| Product / service | Savings, CDs, domestic retail loans | Correspondent banking, private wealth, crypto custody, trade finance |
| Geography | US domestic, FATF low-risk members | FATF grey-list, OFAC comprehensive sanctions exposure |
| Delivery channel | In-branch with document verification | Non-face-to-face via third-party introducer or agent |
| Transaction | Predictable retail volumes | Structuring, round-dollar, high-velocity cross-border |
AML Risk Assessment Questionnaire Process: 7 Steps

Figure 2. AML risk assessment questionnaire process — seven repeatable steps from scoping through refresh.
A defensible AML risk assessment questionnaire runs through seven steps: define scope and governance, identify inherent risks across the five factors, score inherent risk on a likelihood-impact matrix, assess the control environment, calculate residual risk, document and secure board or BSA Committee approval, and refresh at least every 18 months or when material change occurs.
Skip a step and the questionnaire loses evidentiary weight in an examination.
AML Risk Assessment Questionnaire: Step-by-Step
Step 1 — Scope and governance. Define the legal entity, lines of business, products, channels, and subsidiaries in scope. Name the BSA Officer as accountable owner and the BSA Committee as approval body. Document the methodology version and effective date.
Step 2 — Identify inherent risks. Use the five-factor framework to surface risk in every product line and geography. Pull data from core banking, transaction monitoring, SAR history, Wolfsberg responses, and third-party feeds. A common failure mode: using last year’s risks as this year’s, without rerunning the data.
Step 3 — Score inherent risk. Apply a 1-5 likelihood-impact matrix to each inherent risk. Keep scoring criteria transparent — examiners ask why a score is a 3 and not a 4, and the questionnaire must answer in writing.
Step 4 — Assess the control environment. For each inherent risk, list the preventive and detective controls (KYC, screening, monitoring, training, independent testing) and rate their effectiveness. Rate honestly. Inflated control ratings produce deflated residual risk and blown-up examination findings.
Step 5 — Calculate residual risk. Combine inherent risk with control effectiveness. A common formula: Residual = Inherent × (6 − Control Effectiveness)/5, capped at the inherent value. The exact algebra matters less than the defensibility of the logic. Use a qualitative and quantitative risk assessment approach.
Step 6 — Document and approve. Write the narrative, quantify the findings, circulate a draft to business-line owners, record their feedback, and secure BSA Committee and board approval. The approval record is the single most important artifact an examiner asks for.
Step 7 — Monitor and refresh. Set quarterly KRIs, trigger an interim update for any material change (acquisition, new product, new geography, major enforcement action in sector), and conduct a full refresh at least every 18 months. The Wolfsberg CBDDQ mandates the same 18-month cadence.
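Steps 3 through 7 as a small scoring and self-check routine (an added example, not code from the original article or from any vendor tool). The field names, the per-factor mean used for aggregation, the sample risk lines, the rule id and the dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FACTORS = {"customer", "product_service", "geography", "delivery_channel", "transaction"}
PRIORITIES = {"corruption", "cybercrime", "terrorist_financing", "fraud",
              "transnational_criminal_organizations", "drug_trafficking",
              "human_trafficking", "proliferation_financing"}
REFRESH_MONTHS = 18  # full-refresh interval from Step 7

@dataclass
class RiskLine:                      # field names are assumptions for this example
    factor: str
    name: str
    inherent: int                    # 1-5, Step 3
    control_effectiveness: int       # 1-5 (5 = strongest), Step 4
    rationale: str                   # written reason for the score
    priorities: tuple = ()           # FinCEN Priorities the risk implicates
    tm_rule: str = ""                # monitoring rule behind a transaction line
    override: Optional[float] = None
    override_reason: str = ""

def residual(line):
    """Step 5: Inherent x (6 - Control Effectiveness) / 5, capped at inherent."""
    for score in (line.inherent, line.control_effectiveness):
        if not 1 <= score <= 5:
            raise ValueError(f"{line.name}: scores must be 1-5")
    calc = min(line.inherent * (6 - line.control_effectiveness) / 5, line.inherent)
    return line.override if line.override is not None else round(calc, 2)

def refresh_due(approved, months=REFRESH_MONTHS):
    """Date the next full refresh falls due (day clamped to 28 for short months)."""
    years, month0 = divmod(approved.month - 1 + months, 12)
    return date(approved.year + years, month0 + 1, min(approved.day, 28))

def findings(lines, approved, today):
    """Gaps an examiner would raise: Steps 3, 6, 7 and the pitfalls table."""
    out = []
    if approved is None:
        out.append("assessment: no dated approval on record")
    elif today > refresh_due(approved):
        out.append(f"assessment: full refresh overdue since {refresh_due(approved)}")
    for factor in sorted(FACTORS - {l.factor for l in lines}):
        out.append(f"{factor}: factor has no risk lines")
    for l in lines:
        if not l.rationale.strip():
            out.append(f"{l.name}: no written scoring rationale")
        if not set(l.priorities) & PRIORITIES:
            out.append(f"{l.name}: no FinCEN Priority mapped")
        if l.factor == "transaction" and not l.tm_rule:
            out.append(f"{l.name}: no transaction-monitoring rule named")
        if l.override is not None and not l.override_reason.strip():
            out.append(f"{l.name}: override without documented reason")
    return out

def by_factor(lines):
    """Mean residual per factor; the aggregation rule is an assumption."""
    scores = {}
    for l in lines:
        scores.setdefault(l.factor, []).append(residual(l))
    return {f: round(sum(v) / len(v), 2) for f, v in scores.items()}

# Constructed sample lines; names, scores and the rule id are illustrative only.
SAMPLE = [
    RiskLine("customer", "Foreign PEP accounts", 5, 4, "EDD file review", ("corruption",)),
    RiskLine("product_service", "Correspondent banking", 5, 3, "Nested-account exposure",
             ("transnational_criminal_organizations",)),
    RiskLine("geography", "Wires to grey-list jurisdictions", 4, 2, "", ("drug_trafficking",)),
    RiskLine("delivery_channel", "Mobile onboarding via introducer", 4, 3, "No in-person ID"),
    RiskLine("transaction", "Structured cash deposits", 5, 2, "Cash volume trend",
             ("drug_trafficking",)),
    RiskLine("transaction", "Pass-through wires", 4, 4, "Velocity review", ("fraud",),
             tm_rule="TM-017", override=1.0),
]

if __name__ == "__main__":
    print(by_factor(SAMPLE))
    print("\n".join(findings(SAMPLE, date(2024, 10, 10), date(2026, 6, 1))))
```

The five findings on the sample data each correspond to a row in the pitfalls table or a step above: a missed refresh, a missing rationale, an unmapped Priority, a transaction score with no monitoring rule, and an undocumented override.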
The Wolfsberg CBDDQ: The AML Risk Assessment Questionnaire for Correspondent Banking
The Wolfsberg Correspondent Banking Due Diligence Questionnaire (CBDDQ) is the industry-standard AML risk assessment questionnaire for cross-border correspondent banking.
Current version 1.4 (2022) contains more than 100 questions spanning AML/CFT program governance, KYC/CDD/EDD, sanctions, transaction monitoring, training, quality assurance, and risk assessment itself.
Refresh cadence: at least every 18 months. It is maintained by the Wolfsberg Group of 13 global banks.
AML Risk Assessment Questionnaire: What the CBDDQ Covers
The CBDDQ is organized into sections covering the respondent bank’s entity details and ownership, AML/CFT and sanctions program, KYC/CDD and EDD, PEPs, sanctions-control model, transaction monitoring, training and education, quality assurance and audit, and board and senior management reporting.
Many of these sections require attachments — the AML policy, sanctions policy, board minutes approving the program, risk-assessment methodology summary. Treat the CBDDQ as the public front-end of your internal AML risk assessment questionnaire.
AML Risk Assessment Questionnaire: Who Uses the CBDDQ
Any bank maintaining correspondent relationships — US money-center banks, regional banks with FX and trade finance, and US subsidiaries of foreign banks — answers the CBDDQ for each relationship and receives CBDDQs from respondents.
Payment-service providers with high-volume cross-border flows are increasingly pulled into the CBDDQ framework by correspondent counterparties.
Publishing a completed Wolfsberg CBDDQ on an institutional investor-relations page has become standard practice for global banks through 2026.
The 2026 FinCEN NPRM and What It Means for Your AML Risk Assessment Questionnaire
On 7 April 2026, FinCEN issued a Notice of Proposed Rulemaking to reform AML/CFT program rules under the Bank Secrecy Act.
The rule would codify an explicit risk-assessment obligation — comprehensive evaluation of AML risks, incorporation of FinCEN’s AML/CFT Priorities, and refresh on material change. Comments close 9 June 2026.
Every US AML risk assessment questionnaire should be mapped to the NPRM’s expectations now, not after finalization.

Figure 3. The cost of a stale or incomplete AML risk assessment questionnaire — 2024’s top penalties.
AML Risk Assessment Questionnaire: Three NPRM Requirements
The proposal would require every covered financial institution’s AML/CFT program to include a risk assessment process that (1) comprehensively evaluates AML risks across the five-factor framework,
(2) reviews and as appropriate incorporates the FinCEN AML/CFT Priorities, and (3) is refreshed when material change occurs.
Unlike FinCEN’s 2024 draft, the 2026 NPRM leaves design, frequency, and scope to the institution — rewarding tailored programs and penalizing check-the-box templates. See PwC analysis of the April 2026 NPRM.
AML Risk Assessment Questionnaire: FinCEN AML/CFT Priorities Mapping
The eight FinCEN Priorities — corruption, cybercrime (including relevant cybersecurity and virtual-currency risks), terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing — must be incorporated as appropriate.
Map each of your five-factor scores to the Priority or Priorities it implicates. A product offering that primarily exposes the institution to fraud risk should score differently in the questionnaire than a product exposing it to proliferation financing. The mapping is what makes the questionnaire defensible.
AML Risk Assessment Questionnaire: Frequently Asked Questions
What is the purpose of an AML risk assessment questionnaire?
An AML risk assessment questionnaire identifies and quantifies inherent money-laundering and terrorist-financing risk across customer, product, geography, channel, and transaction factors, then tests the controls mitigating each.
The output drives due diligence levels, transaction monitoring rules, staffing, and board reporting. Regulators view the AML risk assessment questionnaire as the foundation of a BSA/AML compliance program.
Who must complete an AML risk assessment questionnaire in the US?
Every BSA-covered financial institution — banks, credit unions, money-services businesses, broker-dealers, investment advisers (FinCEN has extended the AML program rule to investment advisers), casinos, and certain fintechs operating as bank partners — must produce and maintain an AML risk assessment.
The FinCEN April 2026 NPRM would make this an express statutory requirement for all covered institutions.
How often should an AML risk assessment questionnaire be updated?
Industry practice sets the refresh cycle at a minimum of once every 12-18 months, with interim updates triggered by material change — a new product, a new geographic market, an acquisition, or a shift in threat environment.
The Wolfsberg CBDDQ mandates a refresh at intervals of no more than 18 months. Examiners will ask for the refresh log, so document every update event.
What is the Wolfsberg CBDDQ and how does it relate to an AML risk assessment questionnaire?
The Wolfsberg CBDDQ is a standardized AML risk assessment questionnaire for correspondent banking relationships, containing over 100 questions covering governance, KYC/CDD, sanctions, transaction monitoring, training, and risk assessment.
It is used when a respondent bank asks a correspondent for due diligence information. Most global banks now treat Wolfsberg completion as a required onboarding artifact for every correspondent relationship.
How do I score an AML risk assessment questionnaire?
Apply a 1-5 likelihood-impact matrix to each inherent risk identified under the five-factor framework, rate control effectiveness separately on a 1-5 scale, then calculate residual risk.
A common formula: Residual = Inherent × (6 − Control Effectiveness)/5. Aggregate across risks to produce department, legal-entity, and enterprise scores. Document the scoring rationale in writing for each line item.
What are the FinCEN AML/CFT Priorities and how do they fit the AML risk assessment questionnaire?
FinCEN issued eight national AML/CFT Priorities in June 2021: corruption, cybercrime, terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing.
The April 2026 NPRM would require AML programs to incorporate these Priorities as appropriate. Map each inherent risk in your AML risk assessment questionnaire to the Priority or Priorities it implicates.
Can an AML risk assessment questionnaire be done in Excel?
Yes, but only for smaller institutions. Excel-based AML risk assessment questionnaires run into version-control, audit-trail, and refresh-discipline problems above roughly $5 billion in assets or 30,000 customers.
Mid-size and large institutions move to dedicated GRC platforms — Wolters Kluwer OneSumX, LogicGate, ServiceNow GRC, Archer, MetricStream — for the workflow, evidence, and board-reporting capabilities regulators now expect.
AML Risk Assessment Questionnaire: Common Pitfalls
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Questionnaire not refreshed after new product launch | No trigger protocol | Write an MRA protocol listing every material change type that triggers an interim update |
| Inflated control-effectiveness ratings | Self-rating by the first line | Require independent validation by compliance or internal audit before sign-off |
| FinCEN Priorities not mapped | Questionnaire predates June 2021 Priorities | Add a Priority column; map every inherent risk to at least one of the eight |
| CDD gaps after beneficial ownership relief | Assumed FinCEN order removed the need to identify owners | Document the CDD methodology that now replaces the old CDD Rule; maintain FATF R.10 alignment |
| Transaction monitoring rules disconnected | AML RA and TM systems owned by different teams | Require every transaction-risk score in the questionnaire to name the corresponding TM rule and threshold |
| Board approval missing or undated | Committee never formally approved | Obtain a signed BSA Committee and full-board attestation; store in governance log |
| Wolfsberg CBDDQ out of sync | Answered once at onboarding, never refreshed | Set an 18-month refresh calendar with an owner; tie to internal AML RA refresh |
AML Risk Assessment Questionnaire: Looking Ahead to 2026 and 2027
Three things will reshape the AML risk assessment questionnaire through 2026 and 2027. First, FinCEN rule finalization.
After the June 2026 comment period closes, the final AML/CFT Program rule will codify the risk-assessment obligation for the first time. Programs that pre-build to the NPRM’s structure will not have to redesign in 2027 when the rule takes effect.
Second, technology upgrades. Behavioral analytics, graph-based counterparty analysis, and generative-AI tooling for narrative summarization are being integrated into GRC platforms through 2026.
Expect regulators to start asking whether the AML risk assessment questionnaire actually consumed these data sources, or still relied on spreadsheet lookups. Watch Financial Action Task Force guidance on AI and AML through the cycle.
Third, enforcement concentration. TD Bank’s $3.09 billion 2024 penalty, plus double-digit 2025 actions against European challenger banks, signal that regulators are focused on institutions whose risk assessment failed to keep pace with growth.
H1 2025 global AML fines ran 417% above H1 2024 per industry trackers. Post-NPRM enforcement will concentrate on “material” and “systemic” failures — almost always traceable to a stale or incomplete questionnaire. Keep the instrument current, and the rest of the program works.
Finally, convergence with wider financial-crime risk. Sanctions, fraud, and cyber-enabled financial crime now live in the same risk assessment as traditional money laundering. A 2026 AML risk assessment questionnaire worth the name captures all four.
Institutions that run separate sanctions, fraud, and cyber risk assessments should plan a converged architecture by FY 2027, with unified scoring, unified governance, and a single refresh cadence. The cost of running four programs with four questionnaires is no longer justifiable.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.