Skip to content
RiskTemplates · The Daily Brief Friday, July 10, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22
Template Updated July 2026

AML/BSA Risk Assessment Template (Fintech Edition)

32 pre-populated fintech risk factors in the FFIEC exam manual structure, with customer risk rating methodology, five-pillar control inventory, and board dashboard.

Price

$79

One-time. No subscription. Use forever.

Buy now →
Secure checkout Emailed access Fully editable 30-day money-back

Delivered immediately after checkout — your template and guide links are emailed to you with your receipt.

Used by compliance teams at banks, fintechs, and asset managers

◆ Quick buying summary

What you get and when you can use it

Good fit if
Your sponsor bank asked for your BSA/AML risk assessment and you don't have one
Format
Editable workbook plus PDF/supporting guide materials where included. Instant download after checkout.
Time to value
Start reviewing, editing, and assigning owners the same day; customize to your organization before sharing outputs externally.
After purchase
After checkout, your templates and guides are available immediately and the download link is sent to your email with your Stripe receipt. No account required.

◆ What's included

  • 32 pre-populated fintech risk factors across the four FFIEC risk categories
  • Inherent → control strength → residual scoring with auto-calculated ratings
  • Customer risk rating methodology with scoring bands, override flags, and 10 worked archetypes
  • Product risk register covering 13 fintech products and services
  • 30-control inventory mapped to the five BSA pillars with evidence and testing status
  • Formula-driven Board Summary Dashboard with pillar coverage and top residual risks

Use rights: customize for internal business use and use outputs with your auditors, customers, bank partners, and regulators. Do not resell or redistribute the template files.

◆ Preview

See what the template covers.

Institutional BSA/AML risk assessment — 32 fintech risk factors across the four FFIEC categories with inherent, control strength, and residual ratings

Institutional BSA/AML risk assessment — 32 fintech risk factors across the four FFIEC categories with inherent, control strength, and residual ratings

Customer risk rating methodology — weighted five-factor scoring with bands, override flags, and worked archetypes

Customer risk rating methodology — weighted five-factor scoring with bands, override flags, and worked archetypes

Board Summary Dashboard — FFIEC category summary, five-pillar control coverage, and top residual risks

Board Summary Dashboard — FFIEC category summary, five-pillar control coverage, and top residual risks

◆ Good fit if any of these sound familiar

When teams reach for this template.

Your sponsor bank's annual review is coming and the request list includes "current BSA/AML risk assessment" — and what you have is two years old and doesn't mention half your products.

Bank partners compare your assessment against your live product set. This template's Product Risk Register covers 13 fintech products so the comparison is boring, and the guide's refresh chapter shows how to handle products launched since the last version.

You're a compliance team of one and "build the BSA risk assessment" is on your list next to forty other things.

The workbook ships pre-populated: 32 risk factors, 30 controls, 10 customer archetypes. Your job becomes deleting what you don't do and editing what you do differently — the guide's worked example shows the full four-pass process for a P2P + prepaid fintech.

The examiner asked how you risk-rate customers and the honest answer is "the onboarding vendor gives us a score."

The FinCEN CDD Rule expects a documented customer risk profile driving ongoing monitoring. The Customer Risk Rating tab gives you a weighted five-factor methodology with scoring bands, override flags, and worked examples — a method you own and can defend, whatever vendor sits underneath it.

◆ Why now

The document examiners and sponsor banks ask for first

The FFIEC BSA/AML Examination Manual directs examiners to evaluate whether your risk assessment adequately identifies your risk — and to build their own view of your risk profile if you don't have one. The FinCEN CDD Rule makes a documented customer risk profile the basis for ongoing monitoring, and the Anti-Money Laundering Act of 2020 pushed supervisory focus from "do you have a program on paper" to "is it effective against your actual risk." Meanwhile, sponsor banks have made a current BSA/AML risk assessment standard due diligence for fintech program onboarding and annual reviews. If your assessment is missing, stale, or generic, every one of those audiences notices — and each of them reads it as a signal about the entire program.

◆ Where this fits

Where this fits in your risk program

  • If you have no BSA/AML risk assessment — start here. The FFIEC four-category structure with 32 pre-populated fintech risk factors gives you a credible draft to edit instead of a blank page.
  • If you have the KRI Library — the BSA/AML KRIs in it are the monitoring layer; this assessment is the document that justifies which KRIs you track and where thresholds sit. Examiners trace from one to the other.
  • If you run an RCSA — the RCSA covers your whole control environment; this is the BSA/AML-specific deep dive with the customer risk rating and five-pillar mapping that AML exams require. The inherent/control/residual logic will feel familiar.
  • If you're preparing for a partner bank review — bring the Institutional Risk Assessment, the Board Summary Dashboard, and the board minutes approving them. That's the package their compliance team needs to check the oversight box.

◆ What this isn't

Setting expectations.

  • × Not a transaction monitoring system or screening tool — this is the risk assessment that tells you what your monitoring should cover, not the software that does the monitoring.
  • × Not a full BSA/AML policy or program document — the assessment is the foundation your program documents build on; it doesn't replace your procedures.
  • × Not a generic bank template with "fintech" in the title — every pre-populated row is a fintech risk factor: reload networks, crypto ramps, BaaS partner onboarding, remittance corridors, referral fraud channels.
  • × Not legal advice — it implements the FFIEC exam manual structure and FinCEN CDD Rule framing, but your BSA officer and counsel own the final judgments.

◆ Regulatory alignment

Built on the frameworks examiners test against

The structure and methodology map directly to the sources examiners and sponsor banks reference:

  • FFIEC BSA/AML Examination Manual (four-category institutional risk structure)
  • Bank Secrecy Act — 31 U.S.C. § 5318(h) (AML program pillars)
  • FinCEN Customer Due Diligence Rule — 31 CFR 1010.230 (beneficial ownership; CDD as fifth pillar)
  • Anti-Money Laundering Act of 2020 (effectiveness expectations)

Every tab names its framework source so you can answer "where did this requirement come from?" without leaving the workbook.

Last updated: July 9, 2026

◆ FAQ

Frequently asked questions.

Is this built for fintechs or banks?

This is the Fintech Edition — the pre-populated risk factors cover P2P transfers, prepaid card reload networks, ACH origination, crypto on/off-ramps, cross-border remittance, instant payments, marketplace/FBO flows, and BaaS partner programs. The methodology itself (the FFIEC four-category structure and five-pillar control mapping) is the same one banks use, so bank and credit union teams can use it too — you'll just replace more of the sample rows.

How does the residual risk scoring work?

You rate inherent risk (Low/Moderate/High) for each factor and assess the strength of the controls mitigating it (Strong/Adequate/Weak). Residual risk calculates automatically: Strong controls lower the rating one notch, Adequate holds it level, Weak raises it one notch. The matrix deliberately never takes a High inherent risk to Low — which matches how examiners think about products like cross-border remittance.

Does it follow the FFIEC exam manual structure?

Yes — the Institutional Risk Assessment is organized on the FFIEC BSA/AML Examination Manual's risk categories: products & services, customer types, geographies, and delivery channels. That's the format examiners and sponsor bank compliance teams expect, so they can navigate your assessment without translation.

What's in the customer risk rating methodology?

A weighted five-factor model (customer type, geography, products used, expected activity, channel), each scored 1-5 with editable weights, scoring bands that map to Low/Medium/High with CDD refresh cycles, and override flags that force High for PEP and MSB status regardless of the weighted score. It comes with 10 worked customer archetypes — from a domestic salaried consumer to a non-resident remitter — so you can calibrate against your real customer base.

How are the five BSA pillars covered?

The Control Inventory maps all 30 pre-populated controls to the five pillars: internal controls, BSA officer designation, training, independent testing, and customer due diligence (the fifth pillar per the FinCEN CDD Rule). Each control has an owner, the evidence that proves it operates, a frequency, and a testing status — and the Board Summary Dashboard shows coverage and testing gaps by pillar automatically.

My sponsor bank asked for our BSA/AML risk assessment. Will this satisfy them?

This is exactly the document that request refers to. Sponsor banks want to see the FFIEC-structured institutional assessment, a documented customer risk rating methodology, and evidence that controls map to the five pillars — all of which this template produces. You still need to replace the sample data with your actual products, customers, and controls; the guide's worked example walks through doing that for a P2P + prepaid fintech in four passes.

Can I share completed outputs externally?

Yes. You can use completed outputs with auditors, customers, bank partners, regulators, and internal stakeholders. Customize the template for internal business use — just don't resell or redistribute the source template files.

How do I receive the files?

Checkout is handled through Stripe. After purchase, you receive the template and guide download link immediately on the confirmation page and by email, along with your Stripe receipt. No account is required.

What if it's not a fit?

Email within 30 days for a full refund, no questions asked. The guarantee is meant to remove purchase risk while you evaluate whether the template fits your use case.

● First-time buyer offer

Get 20% off your first template.

Drop your email and we'll send the code.

◆ Not ready to buy?

Start with the free Risk Register.

141 pre-populated fintech risks across 21 categories. ISO 31000 structure.

Download free Risk Register →

◆ Related templates

Pairs well with.

Template
$49

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

Template
$69

RCSA (Risk & Control Self-Assessment)

141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.

★ Free
Free

Risk Register — Fintech Edition (Free)

141 pre-populated fintech risks across 21 categories. ISO 31000 structure. Ready to use in a week.

◆ Ready when you are

Get the AML/BSA Risk Assessment Template (Fintech Edition).

Start building a defensible risk program today.

Buy — $79 →
Secure checkout Emailed access Fully editable 30-day money-back

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.