Jennifer Edidiong
AML Risk Assessment for African Fintechs: How to Build and Document Yours

When the CBN examines a fintech's AML programme, the risk assessment is the first thing they ask for. It is the foundation everything else is supposed to be built on, and regulators can quickly tell whether it reflects how the business actually operates.
The CBN's March 2026 circular mandating automated AML systems and compliance roadmaps across all regulated institutions has raised the bar. A risk assessment that does not reflect your current products, customer segments, and risk exposure will not survive that level of examination.
This article covers what an AML risk assessment includes, how to score and document it, and how to make sure yours holds up for your fintech.
What an AML Risk Assessment Actually Covers

An AML risk assessment is a structured analysis of where your business is exposed to money laundering and financial crime risk across four dimensions. The CBN's AML/CFT/CPF Regulations 2022 use these same four dimensions as the basis for the CBN's risk-based supervisory approach.
1. Customer risk: Who the business onboards and what risk profile they carry. This includes customer type, PEP status, income source, and expected transaction behaviour. A fintech serving informal traders carries a different customer risk profile than one serving salaried employees.
2. Product risk: Which products and services the business offers and how each one can be exploited for financial crime. High-value instant transfers, crypto offramps, and anonymous wallet top-ups carry higher inherent risk than low-limit savings products.
3. Channel risk: How customers access the platform and transact. Fully digital onboarding with no face-to-face verification carries higher channel risk than in-person account opening. Third-party agent networks add another layer of exposure.
4. Geographic risk: Where the business operates and where its customers and counterparties are located. Processing cross-border transactions through FATF grey-listed corridors or serving customers in high-risk jurisdictions significantly increases geographic risk exposure.
How to Score and Tier Risk Across Your Business

Once the four risk dimensions are mapped, each needs to be scored so the fintech can tier its overall risk exposure accordingly. The scoring does not need to be complex, but it needs to be documented and applied consistently across the business.
1. Scoring framework
Most fintechs use a simple low, medium, high scoring framework applied across each risk dimension. Each score should be based on specific documented criteria, not judgment calls. A customer in a FATF grey-listed country scores high on geographic risk regardless of their individual profile.
2. Weighting
Not all dimensions carry equal weight for every business. A fintech processing high-volume cross-border remittances should weight geographic risk more heavily than one operating exclusively within Nigeria. The weighting rationale needs to be written down.
3. Risk tiering
The combined score across dimensions produces an overall risk tier for each customer segment, product, and channel. High-risk tiers require enhanced due diligence and tighter monitoring thresholds. Low-risk tiers can be handled with standard controls.
4. What exposure remains after controls
After controls are applied, the business needs to document what risk is still left. Given the controls in place, where are you still exposed? The CBN's AML/CFT framework requires this step explicitly, and regulators want to see that the business has asked and answered that question honestly, not just listed its controls and stopped there.
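As an added worked illustration of the four steps above (not Dojah's product logic and not a CBN-prescribed formula), the snippet below scores each dimension on the low/medium/high scale, applies written-down weights, tiers the combined score, and recomputes the tier after documented controls so inherent and residual exposure are both recorded. The weights, tier cut-offs, jurisdiction codes and the informal-trader segment are assumed sample values; the grey-list rule is the article's "scores high regardless of profile" criterion.

```python
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
DIMENSIONS = ("customer", "product", "channel", "geographic")
# Assumed weights for a cross-border remittance business; the article says the
# weighting rationale must be written down, so keep it beside the numbers.
WEIGHTS = {"customer": 0.25, "product": 0.25, "channel": 0.20, "geographic": 0.30}
GREY_LISTED = {"GL1", "GL2"}  # constructed placeholder jurisdiction codes
TIER_THRESHOLDS = ((2.5, "high"), (1.75, "medium"), (0.0, "low"))  # assumed cut-offs

def score_geographic(country: str, profile_level: str) -> str:
    # Documented criterion: a grey-listed jurisdiction scores high regardless
    # of the customer's individual profile.
    return "high" if country in GREY_LISTED else profile_level

def weighted_score(levels: dict) -> float:
    missing = set(DIMENSIONS) - set(levels)
    if missing:  # an unscored dimension is a gap in the assessment, not a low score
        raise ValueError(f"unscored dimensions: {sorted(missing)}")
    return round(sum(WEIGHTS[d] * LEVELS[levels[d]] for d in DIMENSIONS), 3)

def tier(score: float) -> str:
    return next(name for floor, name in TIER_THRESHOLDS if score >= floor)

def apply_controls(levels: dict, controls: dict) -> dict:
    # Residual levels: each control documented against a dimension lowers it
    # by the stated number of levels, never below "low".
    return {d: NAMES[max(1, LEVELS[levels[d]] - controls.get(d, 0))]
            for d in DIMENSIONS}

def assess(segment: str, levels: dict, controls: dict) -> dict:
    # Inherent tier before controls, residual tier after; both get documented.
    residual_levels = apply_controls(levels, controls)
    return {"segment": segment,
            "inherent": tier(weighted_score(levels)),
            "residual": tier(weighted_score(residual_levels)),
            "residual_levels": residual_levels}

# Constructed segment: informal traders sending instant transfers via fully
# digital onboarding to a grey-listed corridor; controls are EDD, limits, liveness.
TRADERS = {"customer": "high", "product": "high", "channel": "high",
           "geographic": score_geographic("GL1", "medium")}
TRADER_CONTROLS = {"customer": 1, "product": 1, "channel": 1}

if __name__ == "__main__":
    print(assess("informal traders", TRADERS, TRADER_CONTROLS))
```

Note that the segment stays medium after controls because no control touches the geographic dimension; that uncovered weight is exactly the residual exposure the document has to state.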
What the Document Needs to Include and How to Structure It

The CBN's AML/CFT/CPF Regulations 2022 require the risk assessment to be a written, structured document that a regulator can read without needing to ask the compliance team for context. Structure and clarity matter as much as content.
Here is what the document needs to contain:
1. Executive summary: One page covering the business model, the overall risk rating, and the key risk drivers. This is what the examiner reads first, and it should give them a complete picture before they go further.
2. Business overview: A brief description of the products, customer segments, channels, and geographies the assessment covers. This grounds the risk analysis in the actual business, not a generic description.
3. Risk dimension analysis: One section per dimension covering the scoring criteria, the score assigned, and the rationale. Vague statements like "customer risk is medium" without supporting criteria will draw examination pushback.
4. Control mapping: A section that links each identified risk to the specific control in place. The control needs to be described in enough operational detail to show it is actually functioning, not just listed by name.
5. What exposure remains: A clear statement of where risk remains after controls and what the plan is to address it. An assessment that claims all risks are fully controlled will not be credible to an examiner.
6. Review schedule and sign-off: The date of the assessment, the next scheduled review date, and written approval from senior management. The CBN expects the risk assessment to be a board-level document, not something that lives only in the compliance team's files.
Common Mistakes African Fintechs Make

Here are some common mistakes fintechs make with an AML risk assessment:
- Treating it as a one-time exercise: A risk assessment completed at licence application and never updated does not reflect the business as it exists now. When the product portfolio changes, a new market is entered, or a new customer segment is onboarded, the assessment needs to be updated to match.
- Keeping it too generic to be useful: Statements like "customer risk is medium" with no supporting criteria are placeholders, not analysis. Examiners will push back on assessments that do not show genuine scoring logic behind each rating.
- Not mapping controls to risks: Identifying risks without documenting the specific controls in place to address them leaves the assessment incomplete. The document should show the link between each risk and the control designed to mitigate it.
- Skipping the question of what exposure remains: Documenting inherent risk and listing controls without asking what risk is left after those controls are applied leaves out the part regulators are most interested in. If the business cannot answer that question, the assessment has not done its job.
- Missing senior management sign-off: A risk assessment that has never been presented to or approved by senior management does not meet the governance standard the CBN expects. It signals that AML risk is a compliance team concern rather than a business-level one.
How Dojah’s Profiled Risk Supports AML Risk Assessment for African Fintechs
A risk assessment is only as accurate as the data it is built on. If the customer risk scores, transaction patterns, and channel behaviours in the document are based on assumptions or static onboarding data, it does not reflect real exposure, and a regulator will see that immediately.
Dojah’s Profiled Risk gives compliance teams the data layer that makes an AML risk assessment defensible at every dimension.
- Real transaction patterns inform your product and channel risk scoring: Rather than estimating where risk is concentrated, Profiled Risk shows you where it actually is across your customer base, updated continuously as behaviour evolves.
- Behavioural signals surface risk before scheduled reviews catch it: Velocity shifts, dormancy breaks, and account behaviour inconsistent with customer profile are tracked in real time, so your risk assessment reflects the business as it operates today, not six months ago.
- Every risk signal is logged and retrievable: When a regulator examines your AML programme and asks what data your risk assessment is built on, the answer is already documented inside Profiled Risk's case management panel.
For African fintechs building or formalizing their AML risk assessment, Profiled Risk gives you the identity and transaction data to back every risk decision you document.
FAQs on AML Risk Assessment for African Fintechs
1. What is an AML risk assessment and why do fintechs need one? It is a structured analysis of where your business is exposed to money laundering and financial crime risk across your customers, products, channels, and geographies. Regulators use it to assess whether your AML controls are proportionate to your actual risk exposure.
2. How often should a fintech update its AML risk assessment? Any time there is a significant change to the business, a new product, a new market, or a new customer segment. At minimum, it should be reviewed annually and signed off by senior management.
3. What happens if a fintech does not have a documented AML risk assessment? It is a direct examination finding. Under the CBN's AML/CFT framework, a documented risk assessment is a baseline requirement. Operating without one or with one that does not reflect the current business leaves the fintech exposed to regulatory sanctions.
4. Does an AML risk assessment need board approval? Yes. The CBN expects the risk assessment to be a board-level document, not something that sits only with the compliance team. Missing senior management sign-off signals that AML risk is not being treated as a business-level concern.
5. What is the difference between inherent risk and residual risk? Inherent risk is the level of risk a customer or product carries before any controls are applied. Residual risk is what remains after controls are in place. Regulators want to see both documented, not just the controls themselves.