An LFI’s risk assessment is a critical tool for ensuring that the institution has a complete, accurate, and up-to-date understanding of the sanctions risks to which their institution may be exposed, and for facilitating a risk-based approach to sanctions compliance. In the context of targeted financial sanctions, the risk-based approach cannot provide a justification for failing to apply sanctions-related controls, including sanctions screening, to all customer relationships and transactions, as defined below, which is a minimum legal requirement for all LFIs. Rather, the risk-based approach should be utilized by LFIs to apply additional or more rigorous controls—above the minimum legal requirement—to areas of heightened sanctions risk.

The LFI’s risk assessment should include, at a minimum, an assessment of the customers, products and services, delivery channels, and geographies through which the LFI is most likely to engage, directly or indirectly, with sanctioned persons, parties, countries, or regions, as well as the strength of the controls currently in place to mitigate sanctions risks. The risk assessment should be updated at periodic intervals (at least annually or otherwise as appropriate and justified by the required circumstances) and also upon the occurrence of “trigger events,” such as material changes in the LFI’s business or risk profile or its legal and regulatory environment.