Product Risk Assessment for AML Compliance
Introduction
In today’s regulated business environment, Anti-Money Laundering (AML) compliance is not just about identifying suspicious customers—it’s equally about understanding the inherent risks associated with your products and services.
Every product a business offers can be exploited by criminals to launder money or finance terrorism. Therefore, the Product Risk Assessment (PRA) is an essential component of an entity’s overall AML Risk-Based Approach (RBA).
In the UAE, under Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and Cabinet Decision No. 109 of 2023, DNFBPs (Designated Non-Financial Businesses and Professions) such as gold and precious metals traders, auditors, real estate brokers, and lawyers must evaluate the ML/TF risks of the products and services they offer as part of their Entity-Wide Risk Assessment.
________________________________________
1. What Is a Product Risk Assessment (PRA)?
A Product Risk Assessment evaluates how vulnerable each product or service is to money laundering or terrorist financing misuse.
It answers questions such as:
• Can this product be used to move or hide illicit funds?
• Does it allow large or anonymous transactions?
• Does it involve complex ownership or cross-border elements?
• Can it facilitate quick value transfer with minimal traceability?
Through PRA, businesses can prioritize higher-risk products for stronger controls and monitoring while applying simplified due diligence for low-risk offerings.
________________________________________
2. Why Is Product Risk Assessment Important?
The Product Risk Assessment is vital for several reasons:
• Regulatory Compliance: Required by UAE AML laws and FATF standards.
• Operational Efficiency: Ensures AML resources are allocated proportionately to risk.
• Fraud Prevention: Detects products that may attract suspicious or high-risk customers.
• Inspection Readiness: Demonstrates a structured and documented risk-based approach during MOE inspections.
• Reputation Protection: Prevents misuse of your products for illicit purposes.
________________________________________
3. Legal and Regulatory Foundation
The Product Risk Assessment is embedded in the UAE’s AML framework:
• Article 6 – Federal Decree-Law No. 20 of 2018: Requires entities to identify and evaluate ML/TF risks.
• Articles 7–9 – Cabinet Decision No. 10 of 2019: Mandates DNFBPs to assess product and service risks as part of overall risk assessments.
• FATF Recommendation 1: Requires countries and entities to adopt a risk-based approach, including product-level risk evaluations.
________________________________________
4. Key Steps in Conducting a Product Risk Assessment
Step 1 – Identify All Products and Services
List every product or service your business offers.
For example:
• Gold bullion trading
• Jewelry resale or exchange
• Real estate brokerage services
• Company formation or trust services
• Consultancy, audit, or accounting services
• Virtual asset or prepaid card offerings
Each product should be analyzed separately.
________________________________________
Step 2 – Determine Inherent Risk Factors
Evaluate how each product can be misused for ML/TF. Common inherent risk factors include:
Risk Factor Examples
Transaction Size High-value goods or large cash deals
Anonymity Products that allow non-face-to-face transactions
Complexity Services involving multiple intermediaries or cross-border transfers
Liquidity Easily convertible assets like gold or diamonds
Payment Method Cash, third-party, or virtual currency payments
Customer Type Non-residents, offshore entities, or PEPs
________________________________________
Step 3 – Assess Likelihood and Impact
Use a risk matrix to rate the likelihood and potential impact of ML/TF risk for each product:
Product Likelihood Impact Inherent Risk
Gold Bullion Trading High High High
Real Estate Brokerage Medium High High
Audit and Assurance Services Low Low Low
This scoring provides a clear overview of which products require enhanced controls.
________________________________________
Step 4 – Evaluate Existing Controls
Review how effectively your current controls mitigate product risks, such as:
• KYC and Enhanced Due Diligence (EDD) processes
• Transaction monitoring systems
• Customer risk profiling
• Sanctions and PEP screening
• Record-keeping and reporting systems
Document whether controls are strong, moderate, or weak for each product.
________________________________________
Step 5 – Determine Residual Risk
Residual risk = Inherent risk – Effectiveness of controls
If controls are robust, the residual risk may be downgraded. If not, it remains high and requires enhanced monitoring.
Example:
If gold trading has strong KYC and automated transaction alerts, its residual risk might reduce from High to Medium.
________________________________________
Step 6 – Implement Risk Mitigation Measures
Depending on the product’s risk level, apply appropriate measures:
• Require EDD for high-risk products
• Limit cash transactions or impose payment thresholds
• Obtain source of funds/source of wealth documentation
• Increase frequency of monitoring and audits
• Restrict certain customer types for high-risk offerings
________________________________________
Step 7 – Document and Review
Maintain a Product Risk Assessment Report detailing:
• Product list and classification
• Risk factors and ratings
• Control measures and residual risk
• Review date and responsible person
The report must be reviewed annually or whenever new products/services are launched.
________________________________________
5. Example: Product Risk Assessment for a Gold Trader
Product/Service Risk Level Reason Control Measures
Sale of gold bars High High-value, easily transportable, and liquid EDD, cash limits, source of funds verification
Jewelry resale Medium Lower value but possible anonymity CDD, screening, record retention
Scrap gold purchase High Risk of mixing legal and illicit goods Supplier KYC, invoice matching
Corporate bulk trade High Potential for layering EDD, transaction monitoring
Retail sale Low Small-scale, in-person Simplified due diligence
________________________________________
6. Technology’s Role in Product Risk Assessment
Modern AML systems like MyAML.io and Finabooks.com simplify product risk assessment through:
• Automated product risk scoring
• Real-time transaction pattern analysis
• Integration with KYC and screening databases
• Customizable dashboards for ongoing monitoring
Technology ensures consistency, accuracy, and audit readiness.
________________________________________
7. Common Mistakes DNFBPs Make
• Using a one-size-fits-all approach for all products
• Failing to update product risk when launching new services
• Ignoring the link between product and customer risk
• Not documenting assessment methodology
• Inadequate periodic review
Regulators expect a methodical and documented approach, not assumptions.
________________________________________
8. Continuous Review and Improvement
Product risks evolve with market trends, new regulations, and emerging typologies (e.g., virtual assets).
Therefore, DNFBPs must:
• Reassess product risks annually
• Monitor FATF and UAE FIU advisories
• Conduct internal AML audits
• Train staff to recognize new product-related risks
________________________________________
Conclusion
A well-executed Product Risk Assessment is essential to protecting your business from financial crime and ensuring full compliance with UAE AML law.
By systematically identifying, assessing, and mitigating risks associated with your products and services, DNFBPs not only meet regulatory obligations but also build stronger, more transparent operations.
Implementing automated tools, maintaining documentation, and adopting a risk-based approach ensures that your organization remains compliant, efficient, and inspection-ready at all times.
________________________________________
Sheikh Anwar Accounting & Auditing LLC
Licensed Auditor – Ministry of Economy (Entry No. 5817)
📍 Dubai Creek Tower, Office M35, Dubai, UAE
🌐 www.sa-auditors.com
✉️ info@sa-auditors.com
