FATF’s new guidance: A step forward for Financial Inclusion, but what about better risk assessments?
The FATF’s latest Guidance on Financial Inclusion and Anti-Money Laundering and Terrorist Financing Measures marks a clear intent to balance integrity and inclusion in the global financial system. The guidance encourages jurisdictions to “allow and encourage” simplified due diligence measures in lower-risk scenarios, framing this as essential to both effective AML/CFT regimes and financial inclusion.
Yet, for many MLROs and Heads of Financial Crime, a familiar concern lingers: how do we really determine what constitutes lower or higher risk? And can today’s risk assessment frameworks support the vision the FATF sets out?
A Welcome Shift, But the Same Foundations
The 2025 revision of Recommendation 1 rightly formalises proportionality and simplified measures in lower-risk situations. This is commendable. The guidance goes further than previous iterations in recognising that excessive compliance burdens, and financial exclusion, are also risk factors.
However, what remains largely untouched is the engine that powers these decisions: the business-wide risk assessment (BWRA). Without meaningful evolution in how BWRAs are structured, there is a real danger that the FATF’s vision will remain aspirational rather than operational.
The Problem: Risk Assessments That Stop at Risk Factors, Not Risk Events
The FATF’s guidance rightly encourages institutions to identify lower-risk scenarios by assessing customer, product, delivery channel, and geographic factors. This is an implicit recognition that risk is situational and contextual, not simply tied to static characteristics.
However, many current risk assessment frameworks stop at the level of these broad factors. They describe risk in terms of customer type, geography, or delivery channel, but fall short of mapping the risk events (the actual activities or behaviours that give rise to exposure and harm).
Without this event-level clarity, assessments often default to broad-brush categorisations. This can stifle the very proportionality the FATF seeks to promote and risks entrenching de-risking of entire customer segments, based on perceived risk labels rather than genuine exposure or effective mitigants.
Control Effectiveness: Meaningless Without Real Risk
The FATF rightly emphasises that residual risk should reflect the effectiveness of mitigation measures, not just their presence. But in practice, this principle is hard to realise when assessments are built on abstract risk categories rather than concrete risk events.
If we don’t start with a clearly defined risk (an actual event that could cause harm), then assessing whether a control is effective becomes speculative at best. A control can only be meaningfully evaluated when it is anchored to something specific it is designed to prevent or detect. As soon as we define the real risk event, the relevance of a control, and whether it is achieving its intended purpose, becomes crystal clear.
To produce genuinely useful BWRAs, institutions must go beyond listing controls and begin isolating and testing those that matter most in relation to clearly defined risks. Without this, residual risk remains a theoretical exercise, undermining the goals of both financial crime prevention and financial inclusion.
A Missed Opportunity for True Disruption
The 2025 guidance highlights digital identity, tiered due diligence, and regulatory encouragement of simplified measures. These are valuable tools, but they rest on the same traditional risk assessment foundations.
What is needed now is a shift toward more scenario- (or risk event-) driven BWRAs that dynamically link exposure, control performance, and residual risk. Such models can support the FATF’s aims more effectively than static matrices of risk factors ever will. They can help institutions dial up and dial down their controls with confidence, based on real drivers of harm.
The Path Forward
At Avyse Partners, we believe the next generation of BWRAs must move beyond compliance documentation toward becoming decision-support tools that genuinely align with operational realities and financial inclusion objectives.
As the FATF guidance acknowledges, “one size fits all” approaches no longer suffice. The same can be said for our industry’s approach to BWRA. The opportunity, and imperative, for disruption is clear.
Let’s Discuss What BWRA Should Really Be
As the FATF calls for more meaningful, proportionate, and inclusive AML/CFT practices, now is the time to rethink the foundations of our risk assessments.
As always, we’d love to hear your views. Perhaps start by asking yourself:
Is your BWRA still built around regulatory checkboxes, or is it grounded in the actual events that expose your firm to harm?
Are your control assessments honest about performance, or are you still treating existence as effectiveness?
Does your BWRA tell you anything you didn’t already know, or has it become a compliance artefact, disconnected from operational risk?
If we want to deliver on the promise of smarter, fairer financial crime risk management, we need to move beyond descriptive compliance into meaningful insight. Let’s open that conversation.