From National to Individual: Understanding Your AML Risk Framework


Ask most business owners whether they understand their AML risk and the answer is usually some version of yes. Ask them to show you the documented assessment, and the answer tends to get less confident.

That gap between understanding and documentation is exactly where regulators focus their attention. And it is exactly what a well-constructed risk assessment framework is designed to close.

The Isle of Man’s AML/CFT framework requires regulated businesses to carry out a series of interlocking risk assessments. Understanding how they fit together makes the whole exercise considerably less daunting.

The funnel

Think of it as a funnel. At the top sits the National Risk Assessment, the NRA, which is the Isle of Man Government’s picture of the jurisdiction’s overall exposure to money laundering, terrorist financing and proliferation financing. It identifies which sectors carry the highest risk and sets the national context within which every regulated business operates.

The current NRA dates from 2020. The third NRA is being published in segments ahead of the Moneyval on-site evaluation confirmed for October 2026, with separate assessments covering terrorist financing, non-profit organisations, money laundering and proliferation financing. Each update should be reflected in your BRA and TRA.

Beneath the NRA sits your Business Risk Assessment, or BRA. This is where the national picture meets your specific business. The BRA is your firm’s documented understanding of the money laundering and terrorist financing risks it faces, given the nature of what it does, who it does it with, and how.

Below that sits the Technology Risk Assessment, or TRA, which looks specifically at the risks introduced by the systems and technology your business uses to deliver its services. And at the narrowest point of the funnel sits the Customer Risk Assessment, the CRA, which applies the firm’s risk framework to individual clients.

Each layer of the funnel narrows the focus. The NRA tells you about the landscape. The BRA tells you about your position within it. The TRA tells you about the specific risks your technology introduces. The CRA tells you about the individual in front of you. Together, they form a coherent, documented picture of how you understand and manage risk.

How the BRA works

The BRA is the engine of the framework. It is not a form to complete once and file away. It is a living document that should reflect your actual business, updated when your circumstances change and reviewed at least annually.

The FSA’s AML/CFT Handbook provides detailed guidance on what a BRA should cover, so some of the groundwork has been done for you. The FSA has also published thematic reports specifically on BRAs, covering the TCSP sector in 2023 and 2024, and a cross-sectoral review in 2025, which set out good practice observations and are worth reading regardless of which sector you operate in.

For each relevant risk area (your products and services, delivery channels, client types and geographic exposure) the process is the same: identify the risk and whether it applies to you, assess the inherent risk before any controls are applied, set out your specific mitigations, and arrive at a residual risk rating that reflects your actual position.

The distinction between inherent and residual risk matters. Inherent risk is the raw exposure before you do anything about it. Residual risk is what remains after your controls are applied. A business with high inherent risk but strong, well-documented mitigations can arrive at a perfectly defensible residual risk rating. The regulator is not expecting every firm to be low risk. It is expecting every firm to know its risk and manage it proportionately.

Risk in practice

Take a simple example: an estate agency operating on the Isle of Man that handles high-value transactions, often involving corporate purchasers, overseas funds and complex ownership structures. Its inherent risk profile is elevated on several dimensions: transaction size, client type and geographic exposure.

But if that agency has robust CDD procedures, clear escalation paths, a documented approach to source of funds verification, and a trained team that applies those procedures consistently, its residual risk rating can reasonably reflect those controls. The BRA is the document that makes that argument coherently, and makes it in advance, not after the fact.

Why the framework matters

With Moneyval visiting the Isle of Man in October 2026, the FSA is increasingly focused on whether firms can demonstrate genuine, evidenced understanding of their risk profile. Thematic reviews, on-site inspections and supervisory engagement all test the same thing: not whether your business is risk-free, but whether you understand your risk and can show how you manage it.

A BRA that was completed three years ago and has not been touched since other than a perfunctory annual “review” by the board is not evidence of understanding. It is evidence that the exercise was treated as a box to tick. The funnel framework is useful precisely because it makes the logic visible: national risk informs business risk, business risk informs technology risk, and all of it informs how you assess the individual in front of you.

Get the framework right, and everything that flows from it becomes easier to build, easier to explain, and considerably easier to defend.