Think of the National Risk Assessment (NRA) as the operating system for a country’s AML/Compliance strategy. The FATF 2025 guidance tells governments — and by extension FIUs, supervisors, and obliged entities — how to organise the right people, collect the right data, and assess threats and vulnerabilities. It also covers how to rate inherent vs. residual risk, and hard-wire the results into laws, supervision, budgets, and outreach.
Done well, it’s a living cycle and not just a five-year PDF. That’s exactly how you turn risk talk into real fincrime outcomes.
“When ‘more STRs’ equals ‘better AML,’ quality suffers and FIUs drown.”
The 7 High-Impact Pitfalls to Watch
- Politicisation risk — High-level commitment is great until it nudges ratings toward a pre-agreed narrative. Two signals to watch: sudden downgrades of sensitive sectors just before evaluations, and unexplained edits that flatten dissenting views.
- Resource drag & box-ticking — Continuous cycles, deep dives, and data stacks demand capacity. Without it, the NRA can devolve into pretty heat-maps with soft evidence, soaking time and money that should target real money laundering risks.
- False precision from scoring workshops — Heat-maps and consensus scoring look scientific, but they’re not — unless assumptions and data gaps are explicit. When everyone compromises to amber, supervision loses the sharp edge that risk-based approaches need.
- Goodhart’s Law on STR/SAR metrics — When “more STRs” equals “better AML,” quality suffers and FIUs drown. Calibrate for actionable, well-narrated reports and measure hit-rates, not just volumes. Quantity without impact is theatre.
- De-risking ricochet — Focusing on higher-risk approaches can become an excuse to exit messy customers and corridors entirely. That hurts financial inclusion and pushes flows to informal rails where detection is worse and harm is higher.
- Publication knife-edge — Release too little and the private sector can’t recalibrate controls; release too much and criminals get a roadmap. Your comms plan must split public narratives from restricted indicators, or you’ll pay for it later.
- Data-sharing vs. privacy and security — Cross-agency datasets and Memoranda of Understanding (MoUs) unlock insights but also widen the attack surface. Weak legal bases, uneven cyber hygiene, and unclear access logs can turn the NRA data lake into a liability.
Additionally worth noting: outsourcing-by-stealth, AI and crypto hype cycles overshadowing core risks, path dependence from the initial “environment scan,” conflicting sectoral vs. supranational ratings, green lanes that attract abuse, and vendor lock-in can all amplify the risks above.
From Assessment to Action: Keep It Honest and Useful
Treat the NRA like a management system, not a report. Publish a plain-English methodology, keep minority notes, and pair output metrics like STR quality and supervisory actions with outcome metrics like FIU hit-rates and asset recovery. Build “anti-de-risking” checks before you tighten controls; design early-warning tripwires wherever you simplify.
That’s how you keep the guidance honest, the ecosystem aligned, and the bad guys uncomfortable.
Check out the full AML Basic Course, where we cover FATF practices, real-world typologies, and case studies.
Leave a Reply