How to Document an AML Risk Assessment Report

Published on: 14-10-2025

Introduction

An Anti-Money Laundering (AML) Risk Assessment Report is a cornerstone document that demonstrates a business’s understanding of its exposure to money laundering (ML) and terrorist financing (TF) risks.

In the UAE, Federal Decree-Law No. (20) of 2018, Cabinet Decision No. (10) of 2019, and Cabinet Decision No. (109) of 2023 require all Designated Non-Financial Businesses and Professions (DNFBPs)—including gold and jewellery traders, real estate brokers, auditors, accountants, and lawyers—to conduct and document a risk assessment as part of their AML compliance framework.

This article outlines how to properly document an AML Risk Assessment Report, ensuring alignment with both UAE regulations and FATF international standards.

________________________________________

1. Purpose of the AML Risk Assessment Report

The AML Risk Assessment Report serves multiple purposes:

• Demonstrates the entity’s understanding of its ML/TF risks.

• Forms the foundation for a Risk-Based Approach (RBA) to compliance.

• Helps prioritize high-risk areas requiring Enhanced Due Diligence (EDD).

• Provides a reference document for regulatory inspections by the Ministry of Economy (MOE) or free zone authorities.

• Supports ongoing monitoring and internal audits.

Without proper documentation, even the best internal controls may fail to satisfy regulators.

________________________________________

2. Key Components of an AML Risk Assessment Report

A comprehensive AML Risk Assessment Report should include the following sections:

A. Executive Summary

Provide a clear overview of the report, including:

• Objective of the risk assessment.

• Summary of key findings.

• Overall risk rating (Low, Medium, or High).

• Summary of mitigation measures implemented.

The executive summary helps management and regulators quickly grasp your compliance posture.

________________________________________

B. Regulatory Framework

List the laws, decisions, and guidelines followed during the assessment:

• Federal Decree-Law No. 20 of 2018 on AML/CFT.

• Cabinet Decision No. 10 of 2019 – Implementing Regulations.

• Cabinet Decision No. 109 of 2023 – Updates for DNFBPs.

• Ministry of Economy AML Guidelines for DNFBPs.

• FATF Recommendations and Guidance Papers.

Documenting the legal foundation ensures your risk assessment is compliant and up-to-date.

________________________________________

C. Methodology and Approach

Describe the step-by-step approach adopted to conduct the assessment:

1. Data Collection – Information gathered from client profiles, transactions, systems, and staff.

2. Risk Identification – Recognition of threats and vulnerabilities.

3. Risk Evaluation – Likelihood and impact analysis.

4. Control Assessment – Evaluation of internal AML controls.

5. Residual Risk Rating – Determining remaining exposure after controls.

Use clear and measurable parameters for consistency and transparency.

________________________________________

D. Risk Categories

The report must cover all core risk areas identified by UAE and FATF standards:

| Risk Category | Description |
|---|---|
| Customer Risk | Type of clients (individuals, corporates, PEPs, non-residents) |
| Product/Service Risk | Nature of offerings (gold, real estate, corporate structuring, auditing) |
| Geographic Risk | Jurisdictions involved and exposure to high-risk countries |
| Delivery Channel Risk | Mode of interaction (face-to-face, agents, online) |
| Transaction Risk | Type, volume, and frequency of transactions |

Each category must be supported with examples, risk indicators, and justifications for assigned ratings.

________________________________________

E. Risk Scoring and Rating

Present a structured risk scoring model, typically using:

• Likelihood Scale: Low (1), Medium (2), High (3).

• Impact Scale: Low (1), Medium (2), High (3).

Then calculate Inherent Risk = Likelihood × Impact.

For example:

| Risk Factor | Likelihood | Impact | Inherent Risk Level |
|---|---|---|---|
| Cash transactions over AED 55,000 | High | High | High |
| Domestic clients with verified IDs | Low | Low | Low |

This scoring system makes the assessment measurable and repeatable.

________________________________________

F. Evaluation of Existing Controls

Document your internal AML controls that mitigate identified risks:

• Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD) procedures.

• Sanctions and PEP Screening.

• Transaction Monitoring Systems.

• Record Keeping Policies.

• Reporting Procedures (STR, SAR).

• Staff AML Training Programs.

Evaluate control effectiveness using criteria such as “Effective,” “Partially Effective,” or “Ineffective.”

________________________________________

G. Residual Risk Assessment

After applying mitigation controls, determine the residual risk remaining in each category.

For example:

High inherent risk from foreign clients may reduce to Medium if strong EDD and transaction monitoring controls are applied.

Summarize residual risks in a matrix and assign an overall entity-level risk rating (Low, Medium, or High).

________________________________________

H. Mitigation Plan

List the recommended actions to further minimize risks:

• Implement new AML software tools.

• Conduct quarterly compliance reviews.

• Strengthen internal training and onboarding checks.

• Update the AML policy to address identified gaps.

Each action should include responsible personnel and implementation timelines.

________________________________________

I. Documentation and Record Keeping

Clearly mention how the report and related data are maintained:

• Store all assessments securely for at least five years.

• Maintain version control for each update.

• Ensure access is restricted to authorized personnel.

• Keep both digital and hard copies for inspection readiness.

Proper documentation is critical for passing MOE compliance inspections.

________________________________________

J. Approval and Review

The final report must be:

• Approved by Senior Management or the MLRO (Money Laundering Reporting Officer).

• Reviewed annually or whenever significant business or regulatory changes occur.

• Dated and signed to confirm its authenticity and accountability.

________________________________________

3. Common Mistakes to Avoid

• Copying templates without tailoring to your business activities.

• Failing to quantify risks (only qualitative remarks).

• Ignoring residual risks after mitigation.

• Not linking AML risk assessment with your Customer Due Diligence (CDD) process.

• Not reviewing the report annually.

A weakly documented report can lead to compliance failures and penalties.

________________________________________

4. Technology’s Role in Documentation

Modern AML platforms like MyAML.io and Finabooks.com make risk documentation more efficient by:

• Automating customer risk scoring and country risk analysis.

• Generating ready-to-inspect AML Risk Assessment reports.

• Maintaining version-controlled digital audit trails.

• Integrating CDD, STR, and transaction monitoring in one dashboard.

Automation reduces human error and ensures regulatory alignment with UAE MOE expectations.

________________________________________

5. Final Checklist for AML Risk Assessment Report

Before submission or inspection, ensure your report:

✅ Covers all five risk categories.

✅ Includes both inherent and residual risk scoring.

✅ Details the methodology and data sources.

✅ Lists controls and mitigation measures.

✅ Has management approval and version control.

✅ Is reviewed annually.

________________________________________

Conclusion

Documenting an AML Risk Assessment Report is not just a regulatory formality—it is a reflection of your organization’s understanding, control, and commitment to fighting financial crime.

A properly structured and well-documented report helps you:

• Strengthen your AML framework,

• Demonstrate compliance to regulators, and

• Build credibility with stakeholders and financial institutions.

By adopting a risk-based approach, supported by technology and continuous improvement, DNFBPs can ensure full compliance and safeguard their reputation in the UAE’s robust regulatory environment.

________________________________________

Sheikh Anwar Accounting & Auditing LLC

Licensed Auditor – Ministry of Economy (Entry No. 5817)

📍 Dubai Creek Tower, Office M35, Dubai, UAE

🌐 www.sa-auditors.com

✉️ info@sa-auditors.com

