Emerging money laundering risks outside the risk assessment framework

Mar 4 / Leonard Nwogu-Ikojo
Not every risk arrives with a label. In this compliance fiction story, Max encounters a transaction pattern that isn't fraudulent, isn't sanctioned, and fits none of the pre-determined categories in the framework. Under the AMLR, that gap is not a minor oversight — a static risk model that lags behind operational reality will inevitably become obsolete.

This article is intended for educational and informational purposes only and does not constitute legal, regulatory, or professional compliance advice. The scenario and recommendations provided are illustrative and may not capture all applicable requirements or risks in specific cases. Readers should follow their organization’s internal policies, data protection requirements, and seek professional advice tailored to their circumstances.

A new year. Some old tasks and some new tasks. The risk taxonomy and risk board included established risks related to money laundering, terrorist financing, and targeted financial sanctions, as well as new and emerging risks. It all sounded familiar. The annual risk assessment for 2026 had been approved well in advance. Everything was as it should be.

During a transaction review escalation, Max realized that the activity didn’t fit any pre-determined category. The activity wasn’t clearly fraudulent, wasn’t sanctioned, and wasn’t even unusual by last year’s definitions. It simply didn’t belong anywhere in the framework.

“That’s not a listed risk,” the analyst said. “So there’s no guidance.”

Ella scanned the file. Funds entered through a regulated fintech partner, were split across multiple wallets, recombined, then exited as fiat through a payment institution in another Member State. No single step breached a rule. Together, they formed a pattern that the risk assessment had never contemplated.

“Interesting catch,” Luc said. “It is a good thing the Compliance Head insisted on dynamic risk models. When the model shifts, we react and map the risk.”

“You are right,” Ella concurred. “Business dynamics are constantly evolving. New fintech collaborations, in particular, introduce indirect risks. Payment chains are becoming more extended, often with unclear ownership. Crypto-to-fiat conversion pathways are now integral to standard client interactions, and remittance corridors linked to migration are expanding rapidly, outpacing regulatory oversight.”

AMLR requirements: why money laundering risk assessment must be continuous

The AMLR does not recognize static risk models. Obliged entities must identify, assess, and mitigate money laundering risks relevant to their business model. Risk assessments are expected to be documented, kept up to date, and regularly reviewed. This obligation is ongoing. A risk assessment that lags behind operational reality is, by definition, ineffective.

During internal reviews, firms should increasingly test whether they have mechanisms to capture emerging risk signals between formal assessments. The absence of such mechanisms could be an indication of a structural weakness.

Observed risks without language to describe them are new typologies. They might not appear on the risk taxonomy. When a risk cannot be named, it should be escalated so that it does not disappear into “normal processing.”

Final thoughts: preventing obsolete AML risk frameworks

While annual risk assessments provide a necessary structure, they are not enough. Without continuous challenge, they fail to keep pace with an evolving threat landscape. Employees should be encouraged to seek clarification on observed risk patterns, which may or may not have been documented.

Money laundering is constantly changing. Anti-money laundering (AML) frameworks that lack this real-time adaptability will inevitably become obsolete documents, reviewed only after a breach has occurred.