Methodologies

Financial Crime Risk Assessment Methodology

Version 1.3 - March 2025

Introduction

Financial crime risk assessments are essential to assess a firm’s risk of financial crime exposure and to meet regulatory requirements for an effective, risk-based compliance program.

Cable’s Risk Assessment is based on regulatory guidance, industry experience, and user feedback. It is designed to be responsive to information provided by users about their firm’s exposure to risks, and it automatically calculates suggested inherent and residual risk ratings (based on a firm’s controls) on a Risk, Risk Area, and business-wide level.

Cable’s Risk Assessment can be completely configured to a firm’s understanding of their own risk exposure and to incorporate their risk appetite. All automatically suggested Risks or risk ratings can be edited, with rationale and notes documented within the risk assessment, to ensure that a firm can communicate their assessment of risk to all relevant stakeholders.

Questionnaire

Cable’s Risk Assessment guides firms through a series of questions designed to identify applicable Risks and their inherent risk levels. Cable’s questionnaire ensures all areas flagged by regulatory guidance are considered and allows a firm to prioritize its time considering the nuanced risks posed by their business.

Risks

Cable’s Risk Assessment is organised into 10 high-level Risk Areas that firms should consider according to regulatory guidance or expectations from the Wolfsberg Group, FATF, FFIEC, JMLSG Guidance, and national risk assessments, as well as from industry best practice.

  • Regulatory Risk
  • Operational Risk
  • Geographic Risk
  • Size and Nature of Business Risk
  • Processes and Systems Risk
  • Product/Services Risk
  • Delivery Channel Risk
  • Customer Risk
  • Transaction Risk
  • Typology Risk

Each high-level Risk Area is then divided into individual Risks, which are identified based on the answers to the questionnaire. The answers to the questionnaire enable Cable to suggest an inherent risk score between 1 and 5.

Users are able to add their own individual Risks and disable any Risks Cable has identified, as well as manually adjust any automatically calculated risk ratings as needed to reflect their own assessment of risk.

As a result, the Risks and risk ratings generated by answering the Cable questionnaire are only the starting place for a firm’s risk assessment. Ultimately Cable’s Risk Assessment is a tool but does not replace the firm’s requirement to fully assess and understand their own risks.

Controls

Against each Risk, firms can assign controls that they have in place to mitigate the particular Risk. Once a control is mapped to a Risk, users provide their own assessment of control adequacy and effectiveness on a scale of 0-100%. Users can either input an exact percentage or select a more qualitative rating as explained below.

Based on the control adequacy and effectiveness, an overall control efficacy score for each Risk is calculated. A residual risk rating is also calculated. These scores can be manually adjusted at any time and users have the ability to leave detailed notes against each Risk.

Approvals

Cable’s Risk Assessment has an approval flow with audit tracking of who was involved in completing the Risk Assessment, and who approved it. Once approved, the Risk Assessment is locked and cannot be changed, although it can be viewed and downloaded.

Automatically Updating Risk Assessments

When a risk assessment is approved, a new copy of the approved risk assessment is created, which is labelled as a “live” assessment. This live assessment can be updated on an ongoing basis, either manually by firms, or automatically, if the firm is also using Cable’s Automated Testing product. An overview of Automated Testing can be found here.

If the firm is using Cable’s Risk Assessment for managing the risks of third parties, then the third party risk assessments can also be automatically included in the firm’s own risk assessment. The methodology for how third party risk assessments are incorporated into a firm’s risk assessment is here.

Methodology

Questionnaire

Cable’s Risk Assessment guides firms through a series of questions designed to identify applicable risks and their inherent risk levels. The questionnaire is dynamic, so the questions shown to firms may vary based on their answers. The full list of questions is included in the Appendix.

Most questions are multiple choice, although a few require the firm to enter a specific number. Many questions include “unknown” as a potential answer, which is always treated as the highest risk (5), since there is no information to determine that the risk could be lower.

Risks

After completing the questionnaire, individual Risks are enabled for the firm, and these Risks are grouped into 10 high-level Risk Areas according to regulatory guidance and expectations from the Wolfsberg Group, FATF, FFIEC, JMLSG Guidance, and national risk assessments. Users have full flexibility to add custom Risks to any Risk Area or to disable suggested Risks.

Initial inherent risk ratings are automatically calculated for any Risks that are automatically enabled through the questionnaire process. The inherent risk rating for any custom Risks that a firm adds must be added manually.

After a firm reviews the inherent risk, adds the relevant controls, control adequacy and effectiveness scores, Cable’s Risk Assessment calculates the recommended residual risk.

  • Inherent risk is a measure of a firm’s exposure to a risk without any controls mitigating the risk.
  • Residual risk is a measure of the risk remaining after mitigating controls are applied to the inherent risk, and is dependent on inherent risk and the overall efficacy of controls.

Risk Rating Key

Both inherent and residual risks are rated on a scale of 1 to 5.

  • 1 - Lowest risk
  • 2 - Low risk
  • 3 - Medium risk
  • 4 - High risk
  • 5 - Highest risk

Inherent risk calculation

Firms should review the recommended Risks and inherent risk ratings before proceeding. Users have the full flexibility to change both the Risks and the inherent risk ratings.

The following methods are used to calculate the inherent risk ratings for Risks that are automatically enabled through the questionnaire process. Below you can see which calculation method is used for each specific Risk.

  • Binary: Any exposure to the Risk means the firm faces the full risk level associated with the Risk. Therefore, if the firm has any exposure to the Risk, the firm’s inherent risk rating is equal to the initial risk score of the Risk. In certain cases, Cable automatically deems firms to have exposure to a Risk based on regulatory guidance as to the prevalence of the risk, and the Risk is displayed by default, e.g. the Risk “Inadequate policies, procedures, and controls”.

  • Quantitative exposure: The firm’s inherent risk depends on its amount of exposure to the Risk, which can be assessed through quantitative metrics (e.g., % of customers or transactions). Based on the firm’s responses about its percent exposure amount to the Risk, an inherent risk rating is assigned as follows, with the maximum value capped at the initial risk score of the Risk:

    • 1 - None

    • 2 - <1%

    • 3 - 1-5%

    • 4 - 6-10%

    • 5 - >10%

  • Qualitative exposure: The firm’s inherent risk depends on its exposure to certain risk factors associated with a Risk, which can be assessed through qualitative characteristics or thresholds. Based on the firm’s responses about its exposure to relevant risk factors, an inherent risk rating is assigned based on the presence or absence of these risk factors.

  • Manual input: The firm is always able to input their own inherent risk ratings, based on their internal methodology.

Residual risk calculation

Residual risk ratings for each Risk are a function of the inherent risk rating and overall control efficacy (the methodology for which is described below).

  • Standard residual risk rating calculation methodology:
    • The residual risk rating is capped at the inherent risk rating, i.e. the residual risk cannot be higher than the inherent risk.
    • Beneath the cap of the inherent risk rating, the residual risk rating will be:
      • 1, if the overall control efficacy is 95-100%
      • 2, if the overall control efficacy is 90-94 %
      • 3, if the overall control efficacy is 85-89%
      • 4, if the overall control efficacy is 80-84%
      • 5, if the overall control efficacy is <80%

Controls

Cable’s Risk Assessment suggests potential common controls for each Risk (listed out in the Appendix). However, users also have full flexibility to add custom controls to any Risk.

To calculate residual risk, a firm’s controls need to be assessed for both control adequacy and effectiveness.

  • Control adequacy is a measure of whether controls are properly designed to fully mitigate the risk.
  • Control effectiveness is a measure of whether controls, however designed, are operating effectively and as expected.

Users provide their own assessments of control adequacy and effectiveness for each Risk, on a scale of 0-100%. Users can either input an exact percentage or select a more qualitative rating (very weak to very strong).

Adequacy and Effectiveness Key

  • Very strong - 95-100%
  • Strong - 90-94%
  • Moderate - 85-89%
  • Weak - 80-84%
  • Very weak - <80%

Overall Control Efficacy

Overall control efficacy for each Risk is the product of control adequacy and control effectiveness, expressed as a percentage.

  • Overall control efficacy = Overall control adequacy * Overall control effectiveness
    • Overall control adequacy = simple average of the control adequacy for all active controls for the Risk
    • Overall control effectiveness = simple average of the control effectiveness for all active controls for the Risk

Aggregate Risk Ratings

Once the inherent risk rating, overall control efficacy, and residual risk ratings for each Risk have been determined, Cable’s Risk Assessment automatically aggregates these risk ratings into an overall risk score for each high-level Risk Area. Subsequently, a business-wide risk score is determined based on the risk scores for the Risk Areas.

Below are the calculation methods for both the Risk Area and business-wide risk ratings. Further down in the methodology we list out which calculation methods are used for each Risk Area.

Risk Area Risk Rating Calculation Methods

  • Maximum risk rating: Inherent and residual risk ratings equal the highest risk ratings for any Risk in the Risk Area.
  • Evenly weighted: Inherent and residual risk ratings are simple averages of the risk ratings for each Risk in the Risk Area.
  • Weighted by exposure: Inherent and residual risk ratings are weighted averages of the risk ratings for each Risk in the Risk Area, with weighting corresponding to the firm’s exposure to each Risk.
  • Manually weighted: Inherent and residual risk ratings are weighted averages of the risk ratings for each Risk in the Risk Area, with weighting manually assigned by Cable for each Risk.

Business-wide Risk Rating Calculation

  • Manually weighted: Inherent and residual risk ratings are weighted averages of the risk ratings for each Risk Area, with weighting manually assigned by Cable for each Risk Area as follows, based on regulatory guidance and industry best practices:

    • 15% - key Risk Areas to account for in risk assessments, as commonly identified in regulatory guidance (Geographic Risk, Product/Services Risk, Customer Risk, Transaction Risk)
    • 10% - other significant Risk Areas identified in regulatory guidance or industry best practice (Delivery Channel Risk, Regulatory Risk)
    • 5% - additional Risk Areas, based on regulatory guidance or industry best practice (Operational Risk, Size and Nature of Business Risk, Processes and Systems Risks, Typology Risk)

Other Calculation Methodologies

All mathematical calculations in the Financial Crime Risk Assessment are rounded and stored at 6 decimal points of precision (e.g., 0.123456). For ease of use, the Risk Assessment user interface only displays rounded integers.

Methodologies Used by Risk Area

Regulatory Risk

Risks with Initial Risk Score

  • Regulated activity - 5, binary exposure
  • Registration/Licence Requirement - 5, binary exposure

Inherent Risk Rating Calculation Methodology

  • Binary

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Maximum risk rating

Default Risk Area Weighting for Business-Wide Risk Rating

  • 10%, other significant Risk Area identified in regulatory guidance or industry practice

Operational Risk

Risks with Initial Risk Score

  • No designated AML compliance officer with sufficient expertise/experience - 5, binary exposure
  • No Board-level compliance committee - 5, binary exposure
  • Inadequate governance and management oversight - 5, binary exposure
  • Inadequate policies, procedures, and controls - 5, risk displayed by default
  • Inadequate company-wide training - 5, binary exposure
  • Inadequate independent testing and oversight - 5, binary exposure
  • Inadequate compliance staffing and resources - 5, binary exposure
  • Reliance on third party firm for CDD measures - 5, binary exposure
  • Recent enforcement actions or supervisory matters - 5, binary exposure
  • Remediation projects or initiatives related to AML compliance matters - 5, binary exposure
  • Recent AML compliance employee turnover - 1-5, depending on qualitative exposure
    • Factors: AML compliance employee turnover rate; Key personnel turnover
  • Recent/planned acquisitions - 1-5, depending on qualitative exposure
    • Factors: Target is regulated financial institution; Target maintains AML compliance program; Weaknesses or deficiencies in target AML compliance program; Target financial crime risk assessment
  • Recent internal audit or other material findings - 1-5, depending on qualitative exposure
    • Factors: Regulatory breaches; Control failures; High risk findings

Inherent Risk Rating Calculation Methodology

  • Binary
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional Risk Areas to account for in risk-based approach based on regulatory guidance or industry practice

Geographic Risk

Risks with Initial Risk Score

  • Own Bank/FI Geographic Risk - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings
  • Customer Geographic Risk - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings
  • Transactions Geographic Risk - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings

Inherent Risk Rating Calculation Methodology

  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Maximum risk rating

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key Risk Area to account for in risk assessment as commonly identified in regulatory guidance

Size and Nature of Business Risk

Risks with Initial Risk Score

  • Multiple geographies - 1-5, depending on qualitative exposure
    • Factors: Number of geographies
  • Expected geographic expansion - 1-5, depending on qualitative exposure
    • Factors: Number of geographies; Country risk ratings
  • Multiple subsidiaries, branches or agent networks - 1-5, depending on qualitative exposure
    • Factors: Number of subsidiaries, branches or agent networks
  • Client base stability - 1-5, depending on qualitative exposure
    • Factors: Annual change in customer base
  • Number of customers - 1-5, depending on qualitative exposure
    • Factors: Total number of customers
  • Expected customer growth - 1-5, depending on qualitative exposure
    • Factors: Expected customer growth per month
  • High estimated annual revenue - 1-5, depending on qualitative exposure
    • Factors: Estimated annual revenue
  • High expected annual revenue growth - 1-5, depending on qualitative exposure
    • Factors: Estimated annual revenue growth
  • Nature of business risk, binary exposure
    • Asset Management - 3
    • Brokerage - 4
    • Wholesale/Commercial Banking - 4
    • International Correspondent Banking - 5
    • Credit & Other Card Banking - 3
    • Investment Banking - 3
    • Retail banking - 4
    • Private Banking/Wealth Management - 5
    • Money service business - 4
    • Payment services/e-money services - 3
    • Capital markets/wholesale markets - 4
    • Trade finance - 4
    • Investment firms/managers - 3
    • Investment funds - 3
    • Crowdfunding platform - 3
    • Currency exchange services - 4
    • Corporate finance - 3
    • BaaS Platform/Provider - 4
    • Virtual asset service provider - 4

Inherent Risk Rating Calculation Methodology

  • Binary
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional Risk Area to account for in risk-based approach based on regulatory guidance or industry practice

Processes and Systems Risk

Risks with Initial Risk Score

  • Limitations, issues, or gaps involving complex technologies (e.g. AI/ML) - 1-5, depending on qualitative exposure
    • Factors: AI/ML experts explaining or maintaining tools; Duration of use; AI/ML models designed or validated using real customer data
  • Limitations, issues, or gaps due to recent/planned introduction of new technologies - 1-5, depending on qualitative exposure
    • Factors: Integration with legacy systems; Technical experts explaining new technology; Technical experts maintaining new technology
  • Limitations, issues or gaps in integration of IT systems - 1-5, depending on qualitative exposure
    • Factors: Identified data integrity gaps in AML/sanctions compliance systems; Experts overseeing data management between IT and AML/sanctions compliance systems; End-to-end data mapping for AML/sanctions compliance program
  • Reliance on third party service providers - 1-5, depending on qualitative exposure
    • Factors: Third party service providers used for AML/sanctions compliance measures

Inherent Risk Rating Calculation Methodology

  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional Risk Areas to account for in risk-based approach based on regulatory guidance or industry practice

Product/Services Risk

Risks with Initial Risk Score

  • Private Banking/Wealth Management - 1-5, depending on quantitative exposure
  • International Correspondent Banking, binary exposure
    • International Wire Transfers - 5
    • Pouch Services - 5
    • Banknotes - 5
    • Pass-through/Payable-through accounts - 5
    • Nested or downstream correspondent clearing - 5
    • Bank draft services - 5
    • Other correspondent banking - 5
  • Special Use/Concentration/Omnibus Accounts - 1-5, depending on quantitative exposure
  • Brokered Deposits - 1-5, depending on quantitative exposure
  • Safe Deposit Services - 1-5, depending on quantitative exposure
  • Precious Metals (Delivery) Services - 1-5, depending on quantitative exposure
  • Unlimited Cards - 1-5, depending on quantitative exposure
  • Alternative Investment/Structured Products - 1-4, depending on quantitative exposure
  • Trade/Export Finance - 1-4, depending on quantitative exposure
  • Pooled client accounts - 1-4, depending on quantitative exposure
  • Bearer shares - 1-4, depending on quantitative exposure
  • Fiduciary deposits - 1-4, depending on quantitative exposure
  • Prepaid access/stored value cards - 1-4, depending on quantitative exposure
  • Remote Deposit Capture - 1-4, depending on quantitative exposure
  • Cash letter - 1-4, depending on quantitative exposure
  • Monetary instruments - 1-4, depending on quantitative exposure
  • Mobile phone payments - 1-4, depending on quantitative exposure
  • Internet-based payments - 1-4, depending on quantitative exposure
  • Bulk cash delivery - 1-4, depending on quantitative exposure
  • Foreign exchange - 1-4, depending on quantitative exposure
  • Commercial letters of credit or bills for collection - 1-4, depending on quantitative exposure
  • Virtual assets (e.g., cryptocurrencies) - 1-3, depending on quantitative exposure
  • Insurance - 1-3, depending on quantitative exposure
  • Investment account - 1-3, depending on quantitative exposure
  • Credit cards - 1-3, depending on quantitative exposure
  • Expense management - 1-3, depending on quantitative exposure
  • Lending - 1-3, depending on quantitative exposure
  • Savings accounts - 1-3, depending on quantitative exposure
  • Current accounts - 1-3, depending on quantitative exposure
  • May be used by or on behalf of unknown or unidentified third parties - 5, risk displayed by default
  • Recent/planned introduction of new products or services - 5, binary exposure
  • Cash-intensive - 4, binary exposure
  • High or unlimited thresholds for transaction value, transaction frequency or account balance - 4, binary exposure

Inherent Risk Rating Calculation Methodology

  • Binary
  • Quantitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Weighted by exposure

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key Risk Area to account for in risk assessment as commonly identified in regulatory guidance

Delivery Channel Risk

Risks with Initial Risk Score

  • Face-to-face account origination - 1, binary exposure
  • Mix of face-to-face and non-face-to-face account origination - 3, binary exposure
  • Non-face to face account origination - 5, binary exposure
  • Unsolicited account origination (including walk-ins) - 4, binary exposure
  • Customer introduced from third parties or other parts of the same financial group, but firm cannot be satisfied it knows its customer and the level of risk of the business relationship - 5, binary exposure
  • Face-to-face account servicing - 1, binary exposure
  • Mix of face-to-face and non-face-to-face account servicing - 3, binary exposure
  • Only non-face-to-face account servicing, and customer is known through reliable form of non-face-to-face CDD - 3, binary exposure
  • Only non-face-to-face account servicing via intermediary/agent - 3, binary exposure
  • Only non-face-to-face account servicing, and customer is not known - 5, binary exposure

Inherent Risk Rating Calculation Methodology

  • Binary

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Maximum risk rating

Default Risk Area Weighting for Business-Wide Risk Rating

  • 10%, other significant Risk Area identified in regulatory guidance or industry practice

Customer Risk

Risks with Initial Risk Score

  • Subject to or target of government sanctions or other economic restrictive measures - 5, binary exposure
  • High Net Worth Individuals - 1-5, depending on quantitative exposure
  • Politically Exposed Persons (PEPs) - 1-5, depending on quantitative exposure
  • Nonresidents/foreign individuals - 1-3, depending on quantitative exposure
  • Retail - 1, binary exposure
  • Registered companies and partnerships - 1-4, depending on quantitative exposure
  • Shell companies - 1-4, depending on quantitative exposure
  • Complex ownership and control structures (e.g., offshore trusts, private investment companies or offshore vehicles) - 1-4, depending on quantitative exposure
  • Publicly held companies on recognised stock exchange with adequate ownership transparency information requirements - 1, binary exposure
  • Publicly held companies not listed on recognised stock exchange - 1-3, depending on quantitative exposure
  • Privately held operating companies - 1, binary exposure
  • Privately held non-operating companies - 1-3, depending on quantitative exposure
  • Privately held companies with bearer shares or nominee shareholders - 1-5, depending on quantitative exposure
  • Government entities - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings
  • Banks, non-bank financial institutions or regulated firms listed on recognised stock exchange and located in jurisdiction with effective AML/CTF regime and supervised for compliance with local AML/CTF obligations - 1-2, depending on quantitative exposure
  • Banks, non-bank financial institutions or regulated firms not listed on recognised stock exchange but located in jurisdiction with effective AML/CTF regime and supervised for compliance with local AML/CTF obligations - 1-3, depending on quantitative exposure
  • Banks, non-bank financial institutions or regulated firms not listed on recognised stock exchange and not located in jurisdiction with effective AML/CTF regime - 1-5, depending on quantitative exposure
  • Banks, non-bank financial institutions or regulated firms subject to supervisory action for failure to comply with AML/CTF obligations or wider conduct requirements in past 5 years - 1-5, depending on quantitative exposure
  • Money services businesses - 1-4, depending on quantitative exposure
  • Intermediaries/commission agents - 1-4, depending on quantitative exposure
  • Real estate/letting agents - 1-4, depending on quantitative exposure
  • High value goods dealers - 1-4, depending on quantitative exposure
  • Art market participants - 1-4, depending on quantitative exposure
  • Precious metals & stones dealers - 1-4, depending on quantitative exposure
  • Gatekeepers/professional service providers (e.g., accountants, lawyers, trust and company service providers) - 1-4, depending on quantitative exposure
  • Arms dealers - 1-4, depending on quantitative exposure
  • Private military firms - 1-4, depending on quantitative exposure
  • Virtual asset service providers - 1-4, depending on quantitative exposure
  • Construction industry - 1-4, depending on quantitative exposure
  • Pharmaceuticals and healthcare industry - 1-4, depending on quantitative exposure
  • Defence industry - 1-4, depending on quantitative exposure
  • Extractive industries - 1-4, depending on quantitative exposure
  • Public procurement - 1-4, depending on quantitative exposure
  • Cash-intensive businesses - 1-4, depending on quantitative exposure
  • Independent ATM owners/operators - 1-4, depending on quantitative exposure
  • Investment advisers not subject to effective AML/CTF compliance regime or supervised for AML/CTF compliance - 1-4, depending on quantitative exposure
  • Casinos (including Internet gambling) - 1-3, depending on quantitative exposure3
  • Charities and non-profit organisations - 1-3, depending on quantitative exposure
  • Payment services/e-money services/third party payment processors - 1-3, depending on quantitative exposure
  • Crowdfunding platforms - 1-3, depending on quantitative exposure
  • Customer has provided false or stolen identification documentation or information - 5, risk displayed by default
  • Customer or beneficial owner has been previously subject of a SAR - 1-4, depending on quantitative exposure
  • Customer or beneficial owner has adverse media reports or other relevant information sources - 1-4, depending on quantitative exposure
  • Customer or beneficial owner has been subject to administrative or criminal proceedings or law enforcement sanctions in relation to proceeds-generating crimes, or allegations of terrorism or terrorist financing - 4, risk displayed by default
  • Customer cannot reasonably be expected to produce detailed evidence of identity and may be financially excluded - 1-4, depending on quantitative exposure

Inherent Risk Rating Calculation Methodology

  • Binary
  • Quantitative exposure
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Weighted by exposure

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key Risk Area to account for in risk assessment as commonly identified in regulatory guidance

Transaction Risk

Risks with Initial Risk Score

  • Significant or unusual cash/cash-like - 1-5, depending on quantitative exposure
  • Pass-through/payable-through transactions - 1-5, depending on quantitative exposure
  • Nested or downstream accounts - 1-5, depending on quantitative exposure
  • Rapid in/out (high velocity turnover) - 5, risk displayed by default
  • Smurfing - 5, risk displayed by default
  • Structured transactions - 5, risk displayed by default
  • Suddenly active - 5, risk displayed by default
  • International funds transfers - 1-4, depending on qualitative exposure
  • Related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory and other items related to protected species, and other items of archaeological, historical, cultural and religious significance, or of rare scientific value - 1-4, depending on quantitative exposure
  • Transactions initiated by noncustomers - 1-5, depending on quantitative exposure
  • Transactions to noncustomer beneficiaries with no specific account to deposit funds into (i.e., payable upon proper identification transactions) - 1-5, depending on quantitative exposure
  • Bank transfers - 1-3, depending on quantitative exposure
  • Third-party payments - 1-3, depending on quantitative exposure
  • High-value real estate transactions - 1-4, depending on quantitative exposure
  • Mirror trades - 1-4, depending on quantitative exposure
  • Low-priced securities transactions - 1-4, depending on quantitative exposure
  • Securities transaction cleared/settled through an unregulated entity - 1-4, depending on quantitative exposure
  • Transactions to or from illegal/high-risk sources - 1-5, depending on quantitative exposure
  • Transactions missing originator or beneficiary, customer or transactional information - 4, risk displayed by default
  • Overpayments where not normally foreseen - 1-4, depending on quantitative exposure
  • High value transactions - 4, risk displayed by default
  • High aggregate volume or frequency of transactions - 1-5, depending on quantitative exposure
  • Transactions that are complex or unusually large, part of an unusual or unexpected pattern, or having no apparent economic or legal purpose - 4, risk displayed by default
  • Increasing number of SARs - 1-5, depending on qualitative exposure
    • Factors: Estimated annual percentage increase in SAR filings
  • Increasing number of TM alerts - 1-5, depending on qualitative exposure
    • Factors: Estimated annual percentage increase in transaction monitoring alerts
  • Increasing number of CTRs - 1-5, depending on qualitative exposure
    • Factors: Factors: Estimated annual percentage increase in CTR filings
  • Transactions involving high-risk virtual assets - 1-4, depending on quantitative exposure
  • Virtual asset and fiat currency exchange - 1-4, depending on quantitative exposure
  • Transfer of virtual assets between virtual asset exchanges- 1-4, depending on quantitative exposure
  • Peer-to-peer virtual asset transfers - 1-4, depending on quantitative exposure

Inherent Risk Rating Calculation Methodology

  • Binary
  • Quantitative exposure
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Weighted by exposure

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key Risk Area to account for in risk assessment as commonly identified in regulatory guidance

Typology Risk

Risks with Initial Risk Score

  • Money Laundering - 1-5, depending on qualitative exposure
    • Factors: Nature of business risk
  • Terrorist Financing - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Charities and non-profit organisation customers; Retail banking; Money services business
  • Bribery/Corruption - 1-5, depending on qualitative exposure
    • Factors: PEPs; Country risk ratings; Government entity customers
  • Sanctions - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings
  • Cybercrime - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Virtual asset products; Internet-based payments
  • Account Takeover Fraud - 1-5, depending on qualitative exposure
    • Factors: Non-face to face account servicing; accounts that can hold balance
  • Authorised Push Payment Fraud - 1-5, depending on qualitative exposure
    • Factors: Bank transfers
  • Unauthorised Card Fraud - 1-5, depending on qualitative exposure
    • Factors: Card products
  • First-party Fraud - 5, risk displayed by default
  • Second-party Fraud - 5, risk displayed by default
  • Third-party Fraud - 1-5, depending on qualitative exposure
    • Factors: Non-face to face account servicing
  • Transnational Criminal Organisation Activity - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Cash-intensive products; Virtual asset products; Money services business
  • Drug Trafficking Organisation Activity - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Cash-intensive products; Virtual asset products; Money services business
  • Human Trafficking and Human Smuggling - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings; Cash-intensive products
  • Proliferation Financing - 1-5, depending on qualitative exposure
    • Factors: Factors: Sanctioned customers; Country risk ratings; Virtual asset products; Money services business

Inherent Risk Rating Calculation Methodology

  • Binary
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional Risk Area to account for in risk-based approach based on regulatory guidance or industry practice

Appendix 1 - Country Risk Ratings

Cable’s Country Risk Assessment details the underlying ratings used for all geographic risk ratings. Countries are identified when firms select them as answers in the questionnaire (for example, listing the countries in which they have operations).

While this underlying methodology cannot be edited, firms always have the ability to substitute their own country risk assessment and simply override the Cable-populated ratings for geographic risk.

Risk Rating Key:

  • 5 - highest risk: activity potentially restricted
  • 4 - high risk: listed jurisdiction for AML deficiencies; subject to multiple sanctions programs; regulatory guidance identifying heightened concerns
  • 3 - medium risk: some higher AML/sanctions/corruption concerns
  • 2 - low risk: some moderate corruption concerns
  • 1 - lowest risk: no significant concerns identified
CountryRisk Rating
Cuba5
Democratic People’s Republic of Korea (North Korea)5
Iran5
Russia5
Syria5
Ukraine Sanctioned Regions (Luhansk, Donetsk, Crimea)5
Afghanistan4
Albania4
Barbados4
Belarus4
Bosnia and Herzegovina4
Burkina Faso4
Cambodia4
Cayman Islands4
Central African Republic4
Democratic Republic of the Congo4
Gibraltar4
Haiti4
Hong Kong SAR, China4
Iraq4
Jamaica4
Jordan4
Lebanon4
Libya4
Mali4
Morocco4
Myanmar (Burma)4
Nicaragua4
Pakistan4
Panama4
Philippines4
Senegal4
Somalia4
South Sudan4
Sudan4
Trinidad and Tobago4
Turkey (Türkiye)4
Uganda4
Ukraine4
United Arab Emirates4
Vanuatu4
Venezuela4
Yemen4
Croatia4
Mozambique4
Nigeria4
Tanzania4
Algeria4
Angola4
Bulgaria4
Cameroon4
Cote d’Ivoire4
Kenya4
Namibia4
South Africa4
Vietnam4
Monaco4
China4
Zimbabwe3
Armenia3
Azerbaijan3
Bahamas3
Bangladesh3
Bhutan3
Burundi3
Cabo Verde (Cape Verde)3
Chad3
Comoros3
Congo3
Egypt3
Equatorial Guinea3
Eritrea3
Ethiopia3
Guatemala3
Guinea3
Guinea Bissau3
Honduras3
Hungary3
Kosovo3
Kyrgyzstan3
Macao SAR, China3
Madagascar3
Malawi3
Malaysia3
Malta3
Mauritania3
Mexico3
Montenegro3
North Macedonia3
Palau3
Saudi Arabia3
Serbia3
Slovenia3
Solomon Islands3
Sri Lanka3
Thailand3
Tunisia3
Turkmenistan3
Turks and Caicos Islands3
Zambia3
Bahrain3
Benin3
Bolivia3
Ecuador3
El Salvador3
Eswatini3
Gabon3
Gambia3
Ghana3
India3
Indonesia3
Kuwait3
Laos3
Lesotho3
Liberia3
Moldova3
Nepal3
Niger3
Sierra Leone3
Suriname3
Togo3
Uzbekistan3
Qatar3
Rwanda3
Saint Kitts and Nevis3
Brazil3
Tajikistan3
Tonga3
West Bank3
Mongolia2
Argentina2
Colombia2
Djibouti2
Dominican Republic2
Greece2
Guyana2
Kazakhstan2
Maldives2
Papua New Guinea2
Paraguay2
Peru2
Romania2
Sao Tome and Principe2
Timor-Leste2
Oman2
Fiji1
Mauritius1
Saint Lucia1
Samoa1
Seychelles1
Andorra1
Antigua and Barbuda1
Australia1
Austria1
Belgium1
Bermuda1
Botswana1
Brunei1
Canada1
Chile1
Cook Island1
Costa Rica1
Cyprus1
Czechia1
Denmark1
Dominica1
Estonia1
Finland1
France1
Georgia1
Germany1
Grenada1
Iceland1
Ireland1
Israel1
Italy1
Japan1
Kiribati1
Latvia1
Liechtenstein1
Lithuania1
Luxembourg1
Marshall Islands1
Micronesia1
Nauru1
Netherlands1
New Zealand1
Norway1
Poland1
Portugal1
Saint Vincent and the Grenadines1
San Marino1
Singapore1
Slovakia1
South Korea1
Spain1
Sweden1
Switzerland1
Taiwan1
Tuvalu1
United Kingdom1
United States of America1
Uruguay1

Appendix 2 - Potential Common Controls

For each Risk, Cable’s Risk Assessment lists potential common controls, based on regulatory guidance, best practices and customer feedback. Firms can always add their own custom controls. The potential controls suggested include:

  • AML Corporate Governance
  • Management Oversight and Accountability
  • Designated AML Compliance Officer/Unit
  • Management Information/Reporting
  • Previous Other Risk Assessments
  • Policies and Procedures
  • KYC
  • CDD
  • EDD
  • Intermediary/agent due diligence
  • Identity Verification
  • Sanctions Screening
  • PEP Screening
  • Adverse Media Screening
  • Detection and SAR filing
  • Ongoing Monitoring
  • Recordkeeping and Retention
  • Training
  • Independent Testing and Oversight
  • Licence obtained/registration completed and up-to-date
  • Blockchain analysis

Appendix 3 - Questionnaire Content

Cable’s Risk Assessment questionnaire is dynamic, so not all questions will be presented to all customers. Please note, the numbering here may not correspond to the numbering in the application itself.

  1. Is [COMPANY NAME] carrying out a regulated activity?
    1. [If Yes] Does [COMPANY NAME] have its own regulatory licence?
    2. [If No] Does [COMPANY NAME] intend to get its own regulatory licence?
  2. Does [COMPANY NAME] require a designated AML compliance officer (e.g., BSA Officer or MLRO)?
    1. [If Yes] Does [COMPANY NAME] currently have a designated AML compliance officer with sufficient experience for the role?
  3. Does [COMPANY NAME]’s Board or a Board Committee receive regular AML/sanctions compliance reporting?
    1. [If Yes] Please indicate how often [COMPANY NAME] provides AML/sanctions compliance reporting to its Board or a Board Committee:
  4. How many AML/sanctions compliance staff does [COMPANY NAME] have that work on operational tasks such as reviewing KYC/CDD/EDD, screening, and TM alerts?
  5. How many AML/sanctions compliance staff working on operational tasks have left in the last 6 months?
  6. How many AML/sanctions compliance staff does [COMPANY NAME] have that work in oversight and assurance functions?
  7. How many AML/sanctions compliance staff in oversight and assurance functions have left in the last 6 months?
  8. Has [COMPANY NAME] lost any senior management or key personnel in AML/sanctions compliance roles (e.g., MLRO or BSA Compliance Officer) in the last 6 months?
  9. Does [COMPANY NAME] have company-wide AML/sanctions training that all employees must complete when joining [COMPANY NAME]?
    1. [If Yes] Please indicate how often [COMPANY NAME] requires AML/sanctions compliance staff to undergo additional AML/sanctions training:
  10. Does [COMPANY NAME] conduct independent testing of its AML/sanctions compliance program by qualified parties that don’t implement or operate the program (e.g., independent 2nd line of defence, internal audit, external auditors, or specialist consultants)?
    1. [If Yes]
      1. Does [COMPANY NAME] conduct ongoing real-time independent testing?
      2. Does [COMPANY NAME]’s independent testing produce a report to [COMPANY NAME]’s Board or a Board Committee about regulatory breaches, control failures, corrective actions, and the overall adequacy of [COMPANY NAME’S] AML/sanctions compliance program?
    2. [If No/Unknown] Please indicate how often [COMPANY NAME] conducts independent testing:
  11. Has [COMPANY NAME] received any AML/sanctions internal audit or other material findings identifying any of the following in the last 12 months?
    1. [If NOT “Unknown” or “None of the above”] “Did any of these AML/sanctions findings remain unresolved or outstanding for 6 months or more?”
  12. Is [COMPANY NAME] currently working on any ongoing AML/sanctions remediation projects?
  13. Has [COMPANY NAME] received any AML/sanctions enforcement actions or supervisory matters requiring corrective action in the last 12 months?
  14. Has [COMPANY NAME] made any disclosures or reports regarding sanctions breaches or sanctioned customers to governmental authorities in the last 12 months?
  15. Does [COMPANY NAME] have agreements to rely on another regulated third-party firm to carry out customer due diligence measures (other than agents or outsourced service providers)?
  16. Does [COMPANY NAME] have any recent acquisitions or planned acquisitions in the next 12 months?
    1. [If Yes]
      1. Has [COMPANY NAME] conducted a financial crime risk assessment on the acquisition target?
      2. Does the acquisition target maintain an AML/sanctions compliance program?
      3. Does the acquisition target have any significant gaps or deficiencies in its AML/sanctions compliance program (e.g., regulatory breaches or control failures not remedied promptly and affecting a large proportion of customers)?
      4. Is the acquisition target a regulated financial institution?
  17. Has [COMPANY NAME] filed an increasing number of SARs on an annual basis?
    1. [If Yes] What is the estimated annual percentage increase in [COMPANY NAME]’s SAR filings?
  18. Has [COMPANY NAME] had an increasing number of transaction monitoring alerts on an annual basis?
    1. [If Yes] What is the estimated annual percentage increase in [COMPANY NAME]’s transaction monitoring alerts?
  19. [If in the US] Has [COMPANY NAME] filed more CTRs on an annual basis?
  20. [If Yes] What is the estimated annual percentage increase in [COMPANY NAME]’s CTR filings?
  21. Where does [COMPANY NAME] have operations? (i.e. people on the ground doing work, either as full time employees, contractors or outsourced operations)
  22. Does [COMPANY NAME] plan to expand the countries in which it has operations in the next 12 months?
    1. [If Yes] Which countries does [COMPANY NAME] plan to expand its operations to in the next 12 months?
  23. What countries does [COMPANY NAME] have customers in?
  24. Does [COMPANY NAME] plan to expand the countries in which it has customers in the next 12 months?
    1. [If Yes] Which countries does [COMPANY NAME] plan to expand its customer base to in the next 12 months?
  25. Which countries does [COMPANY NAME] allow transactions to or from?
  26. Does [COMPANY NAME] plan to expand the countries that it allows transactions to or from in the next 12 months?
    1. [If Yes] Which countries does [COMPANY NAME] plan to allow transactions to or from in the next 12 months?
  27. Does [COMPANY NAME] provide its products/services through multiple subsidiaries, branches, or agent networks?
    1. [If Yes] How many subsidiaries, branches or agent networks?
  28. What is [COMPANY NAME]’s estimated annual revenue?
  29. What is [COMPANY NAME]’s estimated annual revenue growth?
  30. What is [COMPANY NAME]’s estimated annual gross transaction volume?
  31. Please select which of the following best describes [COMPANY NAME]’s business type:
  32. Does [COMPANY NAME] use any Artificial Intelligence (AI) or Machine Learning (ML) tools or models for its AML/sanctions controls?
    1. [If Yes]
      1. How long have [COMPANY NAME]’s AI/ML tools been in use?
      2. Does [COMPANY NAME] have experts in AI/ML responsible for explaining and maintaining these tools?
      3. Were [COMPANY NAME]’s AI/ML models designed or validated using real customer data?
  33. Is [COMPANY NAME] planning on introducing any new technologies related to its AML/sanctions controls in the next 12 months?
    1. [If Yes]
      1. Does the new technology require integration with legacy systems?
      2. Does [COMPANY NAME] have technical experts responsible for explaining the technical details of the new technology?
      3. Does [COMPANY NAME] have technical experts responsible for maintaining the new technology?
  34. Has [COMPANY NAME] identified data integrity gaps in its AML/sanctions compliance systems in the past 2 years (e.g., missing customer information)?
  35. Does [COMPANY NAME] have experts overseeing data management between its IT systems and AML/sanctions compliance systems?
  36. Has [COMPANY NAME] conducted an end-to-end mapping of data used in its AML/sanctions compliance program?
  37. Does [COMPANY NAME] use third party service providers for any of the following AML/sanctions compliance measures:
  38. How many products or services does [COMPANY NAME] offer?
  39. Has [COMPANY NAME] launched any of its products or services in the last 6 months?
    1. [If Yes] Which products?
  40. Is [COMPANY NAME] planning to launch any new products or services in the next 6 months?
    1. [If Yes] Which products?
  41. Do all of [COMPANY NAME]‘s products and services use the same delivery channels for opening and servicing customer accounts?
    1. [If Yes]
      1. What delivery channels are available for customers to open [COMPANY NAME] accounts?
      2. Does [COMPANY NAME] accept unsolicited customers (e.g., walk-in customers)?
      3. Does [COMPANY NAME] accept customers introduced by third parties or related parties?
        1. [If Yes] Is [COMPANY NAME] able to rely on these third parties or related parties to be satisfied it knows the introduced customers and the risk of a business relationship with these customers?
      4. What delivery channels are offered to [COMPANY NAME] customers for account servicing?
        1. [If Non-face to face only] For accounts serviced non-face to face only, please select all of the following that may apply:
  42. What is [COMPANY NAME]‘s total number of customers?
  43. What is [COMPANY NAME]‘s expected customer growth per month?
  44. What is [COMPANY NAME]‘s estimated customer churn annually?
  45. Does [COMPANY NAME] screen customers/beneficial owners for high net worth individuals?
    1. [If Yes] Does [COMPANY NAME] allow customers/beneficial owners who are high net worth individuals (i.e., generally defined as individuals with liquid assets of $1 million or more)?
  46. Does [COMPANY NAME] permit customers/beneficial owners that have true positive sanctions matches?
  47. Does [COMPANY NAME] permit customers/beneficial owners/directors who are PEPs?
  48. Does [COMPANY NAME] permit customers/beneficial owners that have true positive adverse media reports?
  49. Does [COMPANY NAME] permit customers/beneficial owners to be non-residents of the country in which [COMPANY NAME] offers its products/services to the customer?
  50. Does [COMPANY NAME] have an alternative due diligence process to allow and onboard customers that cannot reasonably provide standard evidence of identity?
  51. Please select or enter the name for each product or service:
  52. Please select any of the following descriptions that apply to this product or service from the following list:
    1. [If International Correspondent Banking selected]
      1. Please select the following international correspondent banking services offered by this product or service:
    2. What estimated percentage of [COMPANY NAME]‘s overall gross transaction volume is attributable to this product or service?
    3. Does this product or service allow customers to hold an account balance?
    4. Does this product or service have any of the following characteristics?
    5. [If question 41 = No or Unknown] What delivery channels are available for customers to open [COMPANY NAME] accounts for this product or service?
      1. Does [COMPANY NAME] accept unsolicited customers (e.g., walk-in customers) for this product or service?
      2. Does [COMPANY NAME] accept customers introduced by third parties or related parties for this product or service?
    6. [If question 41 (a)(iii) = Yes] Is [COMPANY NAME] able to rely on these third parties or related parties to be satisfied it knows the introduced customers and the risk of a business relationship with these customers for this product or service?
    7. What delivery channels are used by [COMPANY NAME] customers for account servicing for this product or service?
    8. [If question 52 (g) = Non-face to face] For accounts serviced non-face to face only for this product or service, please select all of the following that may apply:
    9. What estimated percentage of [COMPANY NAME] customers use this product or service?
    10. What kind of customers does [COMPANY NAME] offer this product or service to?
      1. [If SMEs] What types of entities does [COMPANY NAME] offer the [X] product or service to?
      2. [If Publicly Held Companies] What types of publicly held companies are permitted as customers for this product or service?
      3. [If Privately Held Companies] What type of privately held companies are permitted as customers for this product or service?
      4. [If Government entities] Government entities from which jurisdictions are permitted as customers for this product or service?
      5. [IF Banks, non-bank financial institutions or regulated firms] What type of banks, financial institutions, or regulated firms are permitted as customers for the [X] product or service?
      6. [If Q8.5 = Yes] What percentage of [COMPANY NAME]‘s customers/beneficial owners using this product or service are considered high net worth individuals?
    11. [If question 45 (a) = Yes] What percentage of [COMPANY NAME]‘s customers/beneficial owners using this product or service are confirmed sanctions matches?
    12. [If question 47 = Yes] What percentage of [COMPANY NAME]‘s customers using this product or service are PEPs, or have beneficial owners or directors who are PEPs?
    13. [If question 48 = Yes] What percentage of [COMPANY NAME] customers/beneficial owners have confirmed adverse media reports or other relevant information sources?
    14. [If question 49 Yes] What percentage of [COMPANY NAME]‘s customers/beneficial owners using this product or service are non-residents of the country in which [COMPANY NAME] offers the product or service?
    15. [If question 50 = Yes] What percentage of customers using this product or service are onboarded by [COMPANY NAME]‘s alternative due diligence process for customers that cannot reasonably provide standard evidence of identity?
    16. What percentage of [COMPANY NAME] customers/beneficial owners using this product or service have been the subject of a SAR filed by [COMPANY NAME] previously?
    17. Please confirm that only customers/beneficial owners based in the following countries are allowed to use this product or service: [List countries from previous answers]
      1. [If list is modified] Please indicate the countries in which customers/beneficial owners may be based to use this product/service:
    18. Does [COMPANY NAME] prohibit customers in certain industries from using this product or service?
      1. [If Yes] Which of the following industries are prohibited for [COMPANY NAME] customers using this product or service?
      2. [If No] What percentage of [COMPANY NAME] customers using this product or service belong to the following industries?
    19. Which of the following transactions / payment methods does [COMPANY NAME] support for this product or service?
    20. Does this product or service support securities transactions?
      1. [If Yes] Which of the following securities transactions types does [COMPANY NAME] support for this product or service?
    21. Which of the following transaction types involving third parties does [COMPANY NAME] support for this product or service?
    22. Does [COMPANY NAME] prohibit any of the following types of transactions for this product or service? Transactions related to:
    23. Does the [PRODUCT NAME] product or service support virtual asset transactions?
      1. [If Yes]
        1. Which of the following transactions involving high-risk virtual asset types does [COMPANY NAME] support for the [PRODUCT NAME] product or service?
        2. Which of the following virtual asset transaction types does [COMPANY NAME] support for the [PRODUCT NAME] product or service?

Revision Log

Mar 21, 2023

Add explanation for risk area weighting; add risk calculation methodology type for each risk; add crypto-related transaction risks; add Blockchain analysis to Appendix 2.

Apr 25, 2024

Add calculation rounding details.

March 28, 2025

Updates to the country risk assessment; add an explanation of the questionnaire and list of current questions; add overview and explanation of live risk assessment; general changes to make methodology clearer.

For any questions or comments about Cable’s Risk Assessment, or to learn more about Cable, please visit our website at cable.tech or email customers@cable.tech.