FATF standards require financial institutions to adopt a risk-based approach (RBA) that is informed by national risk assessments (NRAs) and sectoral risk assessments. These assessments identify key threats, vulnerabilities, and typologies within a jurisdiction or industry and provide essential context for institutional risk management.
Financial institutions must reference and align their internal AML/CFT risk assessments with the findings of NRAs and sectoral assessments. This means demonstrating awareness of identified risks and showing how these risks are mitigated through policies, controls, and procedures.
However, institutions are not required to copy or mechanically apply the exact methodologies, weightings, or conclusions of these assessments. Each institution must tailor its risk assessment to its own business model, customer base, products, services, and geographic exposure.
Board oversight is required, but NRAs do not dictate how internal assessments must be written or approved. The key regulatory expectation is alignment, awareness, and effective risk management—not rigid adoption.