
AML risk assessment in Canada: a step-by-step guide and checklist

An AML risk assessment is the documented analysis of where your business is exposed to money laundering and terrorist financing, and it is a required element of every FINTRAC compliance program. This guide explains what the assessment must cover, gives a step-by-step checklist you can work through, and shows how to mitigate and document the risks you find so the program holds up under examination.

By BriteBase Compliance Team · Published June 17, 2026 · 9 min read

An AML risk assessment is a documented analysis of how exposed your business is to money laundering and terrorist financing, and how you control that exposure. Under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its regulations, it is one of the required elements of a compliance program, alongside a compliance officer, written policies and procedures, ongoing training, and a two-year effectiveness review. This guide walks through what to assess, gives a checklist you can use, and shows how to mitigate and document what you find.

Why the risk assessment matters more under Bill C-12

Bill C-12 has been in force since March 2026 and sets the standard that every compliance program must be reasonably designed, risk-based, and effective. The risk assessment is what makes a program risk-based: it is the evidence that your controls are aimed at your actual exposure rather than applied at random. A FINTRAC examiner reads the risk assessment first, because everything else in the program should trace back to it. The wider changes are covered in our Bill C-12 compliance guide.

The two halves of an AML risk assessment

FINTRAC guidance frames the assessment in two parts. The first is business-based risk: the inherent exposure of your business itself, its products, channels, and geography. The second is relationship-based risk: the exposure that comes from the clients and business relationships you enter into. You assess each, rate it, then decide how to mitigate it.

Step 1: Assess your business-based risk

Business-based risk is the exposure built into what you offer and how you offer it. Work through each factor and rate it low, medium, or high.

  • Products and services. Which of your products are most attractive for laundering, for example high-value, anonymous, or fast-settlement products?
  • Delivery channels. Do you onboard and transact in person, or non-face-to-face and fully online, which carries higher impersonation risk?
  • Geography. Where are you located and where do you do business, including any higher-risk jurisdictions?
  • New technology. Are you launching new products, channels, or technologies whose risk you have not yet assessed?
  • Volume and velocity. What is the scale and speed of the transactions you handle?

Step 2: Assess your relationship-based risk

Relationship-based risk is the exposure that comes from who you deal with. Assess it across your client base and each business relationship.

  • Client types. Do you serve higher-risk clients, such as cash-intensive businesses, other money services businesses, or politically exposed persons?
  • Client geography. Where are your clients based, and do any operate in or send funds to higher-risk jurisdictions?
  • Patterns of activity. Are the expected transaction patterns consistent with the client's stated business, and what would look anomalous?
  • Beneficial ownership. Can you identify who ultimately owns or controls your business clients?
  • Nature of the relationship. Is this a one-time transaction or an ongoing relationship, and how well do you know the client?

Step 3: Rate the risk and apply a risk-based approach

Combine the factors into an overall rating for each product, channel, and relationship. A simple low, medium, and high scale, applied consistently and explained, is enough. The rating then sets the response: low-risk areas get standard controls, and high-risk areas get enhanced measures. Applying effort in proportion to risk is the risk-based approach in practice.

Step 4: Mitigate the high-risk areas

Every high-risk rating has to carry a control that brings it down, and the control has to be written into your policies. Common enhanced measures include:

  • Enhanced due diligence. Collect more information on higher-risk clients and verify the source of funds where warranted.
  • More frequent monitoring. Review higher-risk relationships and transactions more often than standard ones.
  • Senior approval. Require management sign-off to take on or keep a high-risk relationship.
  • Tighter thresholds. Tune screening and monitoring more sensitively for higher-risk segments.

Step 5: Document, approve, and keep it current

An assessment that is not written down does not exist for an examiner. Record the factors you considered, the ratings you gave, the reasoning behind them, and the mitigation you applied. Have it approved, date it, and revisit it whenever the business changes materially, such as a new product, a new market, or a new channel, and at least as part of the two-year effectiveness review. Keeping the assessment alive is what an audit-ready program looks like.

The AML risk assessment checklist

Use this as a working checklist. Each item should end with a documented rating, and where the rating is medium or high, a documented control.

  • Products and services rated for laundering attractiveness
  • Delivery channels rated, with non-face-to-face onboarding addressed
  • Geographic exposure rated, including higher-risk jurisdictions
  • New products, channels, and technologies assessed before launch
  • Client types and higher-risk categories identified and rated
  • Politically exposed persons and their close associates identified
  • Beneficial ownership of business clients determined
  • Expected versus actual activity defined for monitoring
  • Enhanced due diligence applied to high-risk clients
  • Ongoing monitoring frequency set by risk level
  • Senior approval required for high-risk relationships
  • Assessment written, approved, dated, and version-controlled
  • Review triggers and a two-year review cadence in place

How BriteBase helps

BriteBase builds the controls a risk assessment calls for, then operates them. The verification and screening technology applies the front-door and ongoing controls, the compliance bench helps you write and maintain the assessment itself, and every decision is recorded so the risk-based approach is evidenced rather than asserted. The detail is on the platform overview, and software selection is covered in the AML software buyer's guide.

FAQ

Is an AML risk assessment required in Canada?

Yes. A documented risk assessment is one of the required elements of a compliance program under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act, alongside a compliance officer, written policies and procedures, ongoing training, and a two-year effectiveness review. Reporting entities must assess and document their money laundering and terrorist financing risk.

What does an AML risk assessment have to cover?

It has to cover business-based risk and relationship-based risk. Business-based risk includes your products, services, delivery channels, geography, and new technologies. Relationship-based risk includes your client types, client geography, beneficial ownership, and the nature and patterns of each business relationship.

What is a risk-based approach?

A risk-based approach means applying your compliance resources and controls in proportion to the risk you have assessed. Low-risk areas receive standard controls, and high-risk areas receive enhanced measures such as enhanced due diligence and more frequent monitoring. It is the principle the risk assessment exists to support.

How often should an AML risk assessment be updated?

Update it whenever the business changes materially, for example when you launch a new product, enter a new market, or add a new delivery channel, and at least as part of the two-year effectiveness review that FINTRAC compliance programs must undergo. A risk assessment that is not kept current does not reflect your actual exposure.

Did Bill C-12 change AML risk assessment requirements?

Bill C-12, in force since March 2026, raised the overall standard so that every compliance program must be reasonably designed, risk-based, and effective. The risk assessment is what makes a program risk-based, so a thorough, current, and well-documented assessment matters more than ever for showing an examiner the program is effective.


Turn the risk assessment into a working program.

Book a demo and we will show you the verification, screening, and recorded decisions that put your risk-based approach into practice, with a Canadian compliance bench to keep the assessment current. No retainers. No hourly rates.

Prefer to talk now? Call 905-218-7088 or email info@britebase.ca