Internal risk assessment: at a glance
- What: the internal risk assessment, also called the enterprise-wide risk assessment, is a reporting entity’s own enterprise-level study of its money-laundering, terrorist financing and proliferation-financing risk, and how well its controls answer it.
- Why: it is the bedrock of the risk-based approach and sets every other control (RBI Internal Risk Assessment Guidance, 10 October 2024).
- How: assess customer, geographic, product and delivery-channel risk, weight and score them, apply the strength of controls, and derive the residual risk.
- When: put it before the Board, review it at least annually, and refresh it on any major trigger such as a new product, a new geography or a change in profile.
This guide is general information on Indian law, not legal advice. For your own assessment, speak to a qualified AML professional.
An internal risk assessment (IRA), known internationally as the enterprise-wide risk assessment (EWRA), is the organisation-level exercise in which a reporting entity identifies its money-laundering, terrorist financing and proliferation-financing risk factors, weights and scores them to rate its inherent risk, tests the strength of its controls, and derives the residual risk that remains. India’s most comprehensive published methodology is the RBI Internal Risk Assessment Guidance dated 10 October 2024. The binding duty to assess risk is set out in the applicable KYC Directions and traces back to the PML Rules and the PMLA.
Internal Risk Assessment (IRA/EWRA) in India
The internal risk assessment is where an anti-money-laundering programme begins. This guide explains the internal risk assessment in India, grounded in the RBI Internal Risk Assessment Guidance for ML/TF Risks of 10 October 2024, the most detailed methodology any Indian regulator has published. It covers the two levels of assessment, the step-by-step methodology, the risk factors and their weighting, how to rate inherent and residual risk, the controls to test, how to build in proliferation-financing risk, and what the report must contain. It then sets out how the exercise differs by sector.
The RBI guidance is intended for RBI-regulated entities such as banks and non-banking financial companies, and provides the methodology. The binding duty to assess is set out in the applicable KYC Directions (paragraph 10 of the RBI Commercial Banks – KYC Directions, 2025 for banks), under the parent framework of the PMLA and the PML Rules. Other reporting entities, from DNFBPs to securities intermediaries and virtual digital asset service providers, follow their own regulatory, supervisory, or FIU frameworks. The risk-based logic is the same, although the governing instrument, the level of prescription and the approval route differ. This is a deep-dive companion to the AML programme; for the programme it sits within, see AML compliance requirements in India.
This matters because the RBI regards the enterprise-level risk assessment as the foundation of the entire AML programme. A risk assessment that is not, in the guidance’s words, sufficiently granular or specific to the entity’s own activities cannot meet the objective of the exercise, and everything built on top of it inherits the weakness. It is also one of the first things an inspector tests.
Key takeaways
- An internal risk assessment is the entity-level AML/CFT/PF risk assessment, carried out at both the business and individual customer levels.
- For commercial banks, paragraph 10 of the RBI Commercial Banks – KYC Directions, 2025 requires a documented ML/TF risk assessment to be placed before the Board and reviewed at least annually.
- The RBI Internal Risk Assessment Guidance of 10 October 2024 is India’s most detailed published methodology and the supervisory reference point.
- The assessment should cover customers, geographies, products, services, transactions and delivery channels.
- The output should show inherent risk, control effectiveness, residual risk, Board consideration and a mitigation plan.
What is an Internal Risk Assessment (IRA)?
The internal risk assessment is a reporting entity’s own organisation-level study of how exposed it is to money-laundering, terrorist financing, and proliferation-financing risks, and how well its controls address that exposure. The RBI guidance refers to it as the internal risk assessment (IRA) and the enterprise-level risk assessment. It implements the risk-based approach required by Recommendation 1 of the FATF Recommendations, the PML Rules and the KYC Directions. The same exercise is widely known as the enterprise-wide risk assessment (EWRA) in international practice.
The guidance is clear that the IRA is not a tick-box. The RBI treats the enterprise-level assessment as the starting point for everything an entity does on AML, because it lets the entity understand how and to what extent it is vulnerable, and therefore where to direct its attention and AML resources. It also warns that an assessment that is insufficiently granular or not specific to the entity’s own functions and activities will fail to meet the objective of the exercise.
IRA, EWRA and customer risk assessment: the difference
A few terms are used loosely in practice. It helps to keep them straight.
| Term | What it covers | Level |
| --- | --- | --- |
| Internal risk assessment (IRA) | The entity’s own enterprise-level view of money-laundering, terrorist financing and proliferation-financing risk. | Organisation |
| Enterprise-wide risk assessment (EWRA) | The common international term for the same organisation-level exercise. | Organisation |
| Customer risk assessment | The rating of an individual customer as high, medium or low risk, which drives the level of due diligence. | Individual |
Why the IRA matters: it drives the whole programme
The IRA is the first link in the chain. Its findings shape the AML policy, set the method for rating each customer, decide where enhanced due diligence and the most attention go, focus staff training on the typologies that matter, choose the controls and software to deploy, and set how often and how deeply the programme is independently audited. The same customer can be low risk at one institution and high risk at another because each institution’s own profile sets the baseline. That is the business-level IRA calibrating the judgement at the individual level.
Sector challenges
The shape of the ML/TF internal risk assessment is common, but the pressure points differ. Commercial banks carry correspondent banking, trade finance, and cross-border wire risks that increase inherent risk. Payments banks and small finance banks are dominated by digital-onboarding volume and money-mule risk. Cooperative and rural banks feel the governance, related-party, and cash risks more heavily, while DNFBPs and the professions undergo a lighter assessment under their own supervisor. Across all of them, three failings recur: a thin or generic assessment that does not reflect the actual book, poor data quality feeding the model, and treating the assessment as a one-off rather than a living document.
“The risk assessment is the one document everything else is built from. When it is generic, the whole programme is pointed at the wrong risks. When it is specific to your book and refreshed honestly, the rest of the programme almost designs itself.”
Pathik Shah, FCA, CAMS, CISA, CS, DISA, FAFD
Who does this requirement apply to
| Applies to | All reporting entities under the PMLA: banks, NBFCs and other financial institutions, securities and insurance intermediaries, DNFBPs and the notified professions, and VDA service providers. |
| Does not apply to | Persons who are not reporting entities under the PMLA. |
National and sectoral risk assessment
The entity’s own assessment does not sit in a vacuum. India conducts a National Risk Assessment (the last completed in 2022 and not public) and sectoral risk assessments that set out where the country sees the greatest risk of money laundering and terrorist financing. The RBI guidance treats the outcomes of the National and sectoral assessments as a named input to the IRA, and as a trigger for review when the Government shares an update. Use them to inform and justify the risk weights in your own assessment, and reference their existence and the FATF summary rather than quoting figures you cannot verify against a source you hold.
How to conduct an internal risk assessment
The RBI guidance sets out the internal risk assessment as a ten-step methodology, each step building on the one before it. The risk factors, weighting, and residual-risk matrix referred to in the steps are expanded in the sections that follow.
1. Understanding the business
Map the entity’s products, services, customers, delivery channels and geographies, because the assessment can only be as good as the picture of the business it starts from.
2. Documenting "risk appetite"
Set out and have the Board approve how much money-laundering and terrorist-financing risk the entity is willing to accept, which anchors all subsequent judgement.
3. Identifying risk scenarios
List the realistic ways the entity could be misused for laundering or terrorist financing, across its customers, products, channels and geographies.
4. Assessing likelihood
Rate how likely each scenario is, drawing on the entity’s own experience, sector typologies and the national risk picture.
5. Determining potential impact
Rate the harm each scenario would cause if it occurred, in financial, regulatory and reputational terms.
6. Identifying "gross risk"
Combine likelihood and impact to score the inherent, or gross, risk of each scenario before any controls are considered.
7. Defining the required controls
For each material risk, set out the controls the entity needs, from CDD and monitoring to screening and reporting.
8. Evaluating controls' efficacy
Test how well the existing controls actually work in practice, not just whether they exist on paper.
9. Determining "residual risk"
Reduce the gross risk by the assessed control efficacy to arrive at the residual risk the entity genuinely carries.
10. Evaluating need for additional controls
Where residual risk exceeds the risk appetite, decide what further controls or remediation are required, and feed this into the action plan.
Need a board-ready risk assessment built to the RBI guidance?
An IRA is only as good as its methodology and its evidence. AML India builds and reviews risk assessments that map to your actual book and stand up at inspection.
The risk factors the guidance requires you to assess
The guidance gives an indicative, not exhaustive, list of risk factors, and expects each entity to define its own. It groups them as follows, and each entity should examine every group.
| Risk-factor group | What to assess |
| --- | --- |
| Customer | The type of customer, the complexity of ownership and control, occupation or industry, PEP status, and adverse information from credible independent sources, including on beneficial owners. |
| Countries and geographical areas | The jurisdictions the customer and beneficial owner are connected to, their main places of business, relevant personal or business links, and the jurisdictions the entity itself operates in. |
| Products, services and transactions | The transparency or opaqueness of the transaction, the complexity of the product, and the value or size involved. |
| Delivery channels | The extent of non-face-to-face dealing, the use of intermediaries such as business correspondents, payment aggregators or gateways, and any observed vulnerability of a channel. |
| Other factors | Outcomes of the sectoral and National Risk Assessment, planned new products, changes to AML alert systems, AML staff turnover, and enforcement or supervisory actions for AML or KYC lapses. |
The guidance also flags risks from new technology, payment methods, and digital products; the difficulty of obtaining wire-transfer information; reliance on outsourced or unregulated intermediaries; and patterns of collective small-value transactions. Some risks compound: a politically exposed person buying a high-risk product carries more risk than either factor alone, and the assessment should capture that combination.
Weighting and scoring: the rules that keep the IRA honest
How an entity weights its risk factors can make or break the assessment, and the guidance sets specific rules to prevent the weighting from being gamed.
- The weight on a factor and its score need not move together. A factor can carry a high weight but a low score, for example, complex ownership, where only a few customers have complex structures.
- No single factor should unduly dominate the outcome.
- Economic or profit considerations must not influence the risk weights.
- The method must never make it impossible to rate a relationship as high risk. The entity must be able to override a calculated score upward and document the rationale.
- The views of regulators or law enforcement agencies regarding past violations should be taken into account.
- Where a vendor tool or IT model allocates the scores, the entity must understand how it weighs the factors and be able to demonstrate to the supervisor that the scores reflect its own risk understanding.
From inherent risk to residual risk: the matrix
Residual risk is the risk that remains after controls are applied to inherent risk. The guidance illustrates how to derive it with a residual-risk matrix that reads the strength of control against the inherent risk level. An entity can adapt the scale, but the illustrative matrix is as follows.
| Strength of control / Inherent risk | High | Medium | Low |
| --- | --- | --- | --- |
| Strong | Medium | Low | Low |
| Satisfactory | High | Medium | Low |
| Weak | High | High | Medium |
The matrix tells the story the IRA exists to tell. An entity reduces its residual risk only by reducing the inherent risk or strengthening its controls. Residual risk should then be read against the entity’s own risk appetite, the level of risk it is willing to accept, and its risk tolerance, the boundary beyond which risk is unacceptable. A good IRA records a formal risk-appetite statement, and anything above appetite goes into the mitigation plan.
A worked scoring example
This illustration shows how weighted factor scores roll up into an inherent-risk score, which the residual-risk matrix then converts into residual risk. The weights and scores are illustrative; an entity sets its own.
| Risk factor | Weight | Score | Weighted score |
| --- | --- | --- | --- |
| Customer risk | 35% | High / 3 | 1.05 |
| Geography risk | 20% | Medium / 2 | 0.40 |
| Product risk | 25% | High / 3 | 0.75 |
| Delivery-channel risk | 20% | Medium / 2 | 0.40 |
| Total inherent risk | 100% | | 2.60 / High |
Apply the residual-risk matrix to this inherent score of 2.60 (High): strong controls bring residual risk down to Medium, satisfactory controls hold it at High, and weak controls leave it High. An entity lowers residual risk only by strengthening controls or by reducing the inherent exposure itself.
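The weighting rules above and the worked roll-up into the residual-risk matrix can be expressed as a small, checkable model. The following is an added example written for this guide, not code from the RBI guidance or from any vendor tool. It uses the page's own figures (the four factors, the 35/20/25/20 weights, the Low/Medium/High scale scored 1/2/3, and the illustrative matrix). The 50% cap on any single weight, the band thresholds that place a weighted total of 2.60 in High, and all function names are assumptions made for the illustration; an entity sets its own.

```python
from dataclasses import dataclass

# Rating scale used by the page's worked example: Low = 1, Medium = 2, High = 3.
RATING_SCORE = {"Low": 1, "Medium": 2, "High": 3}
RATING_ORDER = ["Low", "Medium", "High"]

# Illustrative residual-risk matrix as printed in the guidance:
# RESIDUAL_MATRIX[strength of control][inherent risk level] -> residual risk.
RESIDUAL_MATRIX = {
    "Strong":       {"High": "Medium", "Medium": "Low",    "Low": "Low"},
    "Satisfactory": {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Weak":         {"High": "High",   "Medium": "High",   "Low": "Medium"},
}

# Assumed parameters (not taken from the guidance): a cap on any single weight
# so that no factor unduly dominates, and the bands that map a weighted total
# onto the High/Medium/Low scale (chosen so that 2.60 lands in High, as on the page).
MAX_SINGLE_WEIGHT = 0.50
BANDS = [(2.5, "High"), (1.5, "Medium"), (0.0, "Low")]


@dataclass
class Factor:
    name: str
    weight: float   # share of the total, e.g. 0.35 for 35%
    rating: str     # "Low", "Medium" or "High"


def validate_weights(factors):
    """Enforce the weighting rules that can be checked mechanically."""
    total = sum(f.weight for f in factors)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 100%, got {total:.0%}")
    for f in factors:
        if f.weight > MAX_SINGLE_WEIGHT:
            raise ValueError(f"{f.name}: weight {f.weight:.0%} unduly dominates the outcome")
        if f.rating not in RATING_SCORE:
            raise ValueError(f"{f.name}: unknown rating {f.rating!r}")


def inherent_score(factors):
    """Weighted roll-up of factor scores, rounded to two places as in the page's table."""
    validate_weights(factors)
    return round(sum(f.weight * RATING_SCORE[f.rating] for f in factors), 2)


def band(score):
    """Map a weighted total onto the Low/Medium/High scale using the assumed bands."""
    for threshold, level in BANDS:
        if score >= threshold:
            return level
    return "Low"


def residual_risk(inherent_level, control_strength):
    """Read the residual risk off the matrix."""
    return RESIDUAL_MATRIX[control_strength][inherent_level]


def apply_override(calculated, override_to, rationale):
    """Override rule: a rating may only be pushed upward, and never without a documented reason."""
    if RATING_ORDER.index(override_to) <= RATING_ORDER.index(calculated):
        raise ValueError("an override may only raise the risk rating")
    if not rationale.strip():
        raise ValueError("an override must record its rationale")
    return {"calculated": calculated, "final": override_to, "rationale": rationale}


def assess(factors, control_strength, override_to=None, rationale=""):
    """Full pass: weighted inherent score -> inherent level -> residual risk, with optional upward override."""
    score = inherent_score(factors)
    inherent_level = band(score)
    result = {
        "inherent_score": score,
        "inherent_level": inherent_level,
        "control_strength": control_strength,
        "residual": residual_risk(inherent_level, control_strength),
    }
    if override_to is not None:
        result["override"] = apply_override(result["residual"], override_to, rationale)
        result["residual"] = override_to
    return result


# Figures from the page's worked scoring example (illustrative, not real data).
EXAMPLE_FACTORS = [
    Factor("Customer risk", 0.35, "High"),
    Factor("Geography risk", 0.20, "Medium"),
    Factor("Product risk", 0.25, "High"),
    Factor("Delivery-channel risk", 0.20, "Medium"),
]

if __name__ == "__main__":
    for strength in ("Strong", "Satisfactory", "Weak"):
        r = assess(EXAMPLE_FACTORS, strength)
        print(f"{strength:12s} -> inherent {r['inherent_score']} ({r['inherent_level']}), residual {r['residual']}")
    # Judgement says the Medium produced under strong controls is too low: override upward and record why.
    print(assess(EXAMPLE_FACTORS, "Strong", override_to="High",
                 rationale="constructed example: adverse supervisory observations on this channel"))
```

Running it reproduces the page's figures (2.60, High; Medium under strong controls, High otherwise) and shows the three rules an inspector will probe: the weights must sum to 100%, no single weight may dominate, and an override can only move a rating upward and only with a recorded rationale. A downward override, or one with an empty rationale, is rejected rather than silently applied.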
The control factors to assess
The other half of the assessment is the strength of the entity’s controls. The guidance lists twelve control factors to evaluate, and expects the entity to document not only how each is identified but how its effectiveness is judged.
- Governance and senior-management oversight.
- The integrity and compliance culture of staff.
- Policies, controls and procedures.
- KYC and customer due diligence.
- Transaction monitoring.
- Ongoing monitoring of relationships.
- The AML unit and its resourcing.
- Suspicious transaction reporting.
- Sanctions screening under targeted financial sanctions.
- Independent testing and audit.
- Record-keeping.
- Training and awareness.
The guidance singles out the integrity of the critical processes of customer due diligence, transaction monitoring, sanctions screening, alert management and CTR and STR reporting as needing particular assurance.
Incorporating proliferation-financing risk
Proliferation-financing and targeted-financial-sanctions exposure should be assessed within the IRA where the applicable framework requires it, and the guidance frames risk throughout as money-laundering, terrorist financing and proliferation-financing risk together. It explains that PF risk arises broadly from two things: the risk of a breach or non-implementation of targeted financial sanctions, and the risk that those sanctions are evaded. Anchored in the Master Direction on KYC and in step with Section 12A of the WMD Act 2005 and the associated Government Orders, an entity should carry out a PF risk assessment, build it into the IRA, and put suitable mitigation in place, with the FATF Guidance on Proliferation Financing Risk Assessment and Mitigation of June 2021 as a reference.
Frequency and triggers for IRA review
For banks, the position is explicit. Under paragraph 10 of the Commercial Banks KYC Directions, 2025, the Board or a Board committee sets the periodicity, but the entity must review the assessment at least annually. The RBI guidance adds that a review should also happen whenever business activities change or new threats emerge, and that the entity should set its own internal triggers alongside the periodic cycle. The triggers the guidance names include a new product, expansion into new jurisdictions, the Government sharing the National Risk Assessment, sectoral risks or adverse observations shared by the regulator, adverse internal audit findings, and a change in the entity’s own profile. An entity can also bring the next review forward based on the gravity of its findings.
Data and inputs that the guidance expects
The guidance presses entities towards a data-oriented, objective approach that avoids bias, while still using expert judgement where needed. It expects internal and external sources to be used together while conducting the Internal Risk Assessment. Internal sources include data from across the institution, including the fraud, cyber and IT risk verticals, the entity’s own threat and vulnerability assessments, and its future business plans. External sources include the National Risk Assessment, FATF reports and public statements, advisories from the Government, FIU-IND and the RBI, market and technology developments, permitted law-enforcement databases, and open-source intelligence. Data quality is treated as a condition of a meaningful assessment: a model fed poor data produces a misleading picture.
What the IRA delivers, and what the report should contain
A well-run IRA produces concrete outcomes, not just a report: Board oversight and accountability, a documented and repeatable framework, an honest analysis of the likelihood and impact of each risk, a test of how effective the controls actually are, a clear list of gaps with a mitigation plan, lessons that feed the next cycle, and a basis for allocating budget to the highest-risk areas. The guidance expects the exercise and its methodology to be documented, maintained, communicated to stakeholders and made available to the authorities if needed.
The report itself should include a brief profile of the entity and an executive summary; the threats faced and the inherent risks assessed; the methodology and the risk factors; the controls applied and the residual risk; the outcomes and proposed mitigation; enforcement actions by supervisors and law-enforcement over the last five years; internal-audit observations on AML and CFT; a formal risk-appetite statement showing inherent risk, controls and residual risk; the high-risk products and their share of the business; any compounded-risk scenarios; the reliance on historical data and assumptions; and the procedure for approving the assessment.
Governance: who owns the IRA and who approves it
The guidance places ownership at the top of the entity. The outcome of the IRA must be put before the Board or a committee of the Board, with sufficient supporting information to enable them to understand and take a view. The results should also reach the relevant business verticals. Senior management is expected to give the exercise its full attention. Just as important is who does the work: the guidance warns against a siloed approach in which only the AML team runs the assessment and expects a cross-functional team, including product owners, internal audit, and compliance. Where the entity is part of a group, the IRA can be a group-wide assessment supporting a group-wide policy.
RACI: who owns each part of the IRA
A defensible IRA has clear ownership. The matrix below sets out who does what.
| Function | Role in the IRA |
| --- | --- |
| Board / Board committee | Approves the outcome and the risk-appetite statement |
| Senior management | Owns implementation and resource allocation |
| Principal Officer / AML compliance | Coordinates the methodology and the report |
| Business teams | Validate products, customers, channels and the risks |
| Internal audit | Challenges the methodology and tests control effectiveness |
| IT, transaction-monitoring and screening teams | Provide system data and control evidence |
Questions a regulator may ask about your IRA
If an inspector reviews the assessment, expect questions like these. A strong IRA answers each one from its own documentation.
- Why did you assign this weight to customer risk?
- What data supports your high-risk geography exposure?
- How did you test control effectiveness?
- Why did residual risk reduce from high to medium?
- Who challenged the methodology?
- When was the assessment last reviewed, and by which Board meeting?
- What changed in the AML programme as a result of the IRA?
Red flags: the warning signs of a weak IRA
Because supervisors test the IRA early, it is worth knowing the signs of a weak one. Each of these should trigger a closer look and, usually, a rebuild.
- No documented methodology or weights, so the conclusions cannot be retraced.
- An assessment run only by the AML team, in a silo, with no business input.
- Weights swayed by profit, or by a single dominant factor.
- Risk ratings that never change between cycles and are not tied to data.
- No ability to override a score to a higher risk.
- A residual risk that conveniently ignores known control weaknesses.
The internal risk assessment checklist
Use this to keep the assessment complete and inspection-ready. It gathers the inputs the IRA needs and the outputs an inspector looks for.
- Business profile and model, and the customer risk data behind it.
- Geographic risk exposure, products and services, and delivery channels.
- Transaction typologies, NRA and sectoral inputs, and FATF and FIU-IND typologies.
- Sanctions and proliferation-financing exposure.
- Internal audit findings and the enforcement history of the last five years.
- Control-effectiveness testing, the residual risk and the mitigation plan.
- The Board paper and the minutes recording the Board’s consideration.
Best practices for a defensible IRA
- Use a clear, documented methodology with weighted, evidence-based risk factors.
- Draw on both internal and external data, including FATF and FIU-IND typologies.
- Involve the business, not just the AML team, through a cross-functional assessment team.
- Keep it a version-controlled, living document, refreshed on a cycle and in response to triggers.
Want an expert to review your residual-risk logic?
The hardest part of an IRA is defending the weights and the residual ratings. Have Pathik or Dipali review your methodology before the regulator does.
“The override rule is the one most assessments fail. If your method cannot rate a relationship high risk, or cannot push a score upward when judgement says so, it is not risk-based, it is arithmetic. Build the override in, and document why you used it.”
Dipali Vora, AML and regulatory compliance specialist
How IRA differs by sector
Every reporting entity under the PMLA must comply with the preventive AML/CFT obligations applicable to its sector. The internal risk assessment requirement, its methodology, the approval route, and the review cycle should be read from the applicable regulator, supervisor, or FIU framework, so the governing source, the review frequency, and who approves it differ by sector. The RBI IRA Guidance above is the most detailed RBI-published methodology for AML/CFT internal risk assessment and serves as a useful reference model for others.
| Sector | Primary source | Approval / governance | Review expectation |
| --- | --- | --- | --- |
| Commercial banks | RBI Commercial Banks – KYC Directions, 2025, with the RBI IRA Guidance | Board or Board committee | At least annually |
| NBFCs | RBI NBFC – KYC Directions, 2025, with the RBI IRA Guidance | Board or Board committee | Per the applicable RBI framework |
| VDA service providers | FIU-IND VDA AML/CFT Guidelines (updated 8 January 2026) | Per the FIU framework | Risk-based, framework-led |
| DNFBPs and professions | ICAI / ICSI / ICMAI AML/CFT guidelines; DGoA guidance for real estate and DPMS | Firm-level governance | Risk-based |
| Securities intermediaries | SEBI AML/CFT framework | Board or senior management | Per the SEBI framework |
| Insurers | IRDAI AML/CFT framework | Board or senior management | Per the IRDAI framework |
| IFSC entities | IFSCA AML/CFT and KYC framework | Governing body or senior management | Per the IFSCA framework |
Whatever the sector, the granularity rule holds: the assessment must reflect the entity’s own activities, not a borrowed profile. For the full programme in your sector, see AML compliance requirements for the banking sector in India or the compliance hub for your sector.
How the IRA connects to policy, CDD and monitoring
The IRA’s findings feed the rest of the programme. Read those companion guides next: AML policy, controls and procedures in India, customer due diligence and KYC in India, and ongoing monitoring and periodic updation in India. To see the whole programme this assessment underpins, return to AML compliance requirements in India.
Documents to keep as evidence of your IRA
| Evidence | Why it matters |
| --- | --- |
| IRA report | Shows the final assessment and its conclusions |
| Business profile | Proves the assessment is entity-specific |
| Data extracts | Support the risk scores and weights |
| Weighting rationale | Makes the methodology defensible |
| Control-testing results | Support the residual-risk conclusions |
| Board paper and minutes | Prove governance and approval |
| Mitigation plan | Shows action on unacceptable residual risk |
| Version history | Shows annual and trigger-based refresh |
Buried in alerts, or behind on periodic updation?
Manual monitoring misses patterns and lets KYC go stale. AML India helps you select and configure monitoring and updation tools that fit your size and clear the backlog.
“The banks that clear an inspection are rarely the ones with the longest policy manual. They are the ones whose risk assessment, screening and reporting visibly line up and can be evidenced on demand.”
Pathik Shah, FCA, CAMS, CISA, CS, DISA, FAFD
Frequently Asked Questions
It is the entity’s own, organisation-level study of where its money-laundering, terrorist financing and proliferation-financing risks lie, and how well its controls answer them. Under the RBI Internal Risk Assessment Guidance of 10 October 2024, the entity identifies risk factors, scores and weights them, assesses the strength of controls and derives a residual risk. The RBI calls the enterprise-level assessment the bedrock of the risk-based approach. Everything else in the AML programme is built on it.
In substance, yes. The RBI guidance uses the terms “internal risk assessment” and “enterprise-level risk assessment”. The enterprise-wide risk assessment, or EWRA, is the common international term for the same exercise. They all describe a single, entity-wide view of risk, as distinct from the rating of an individual customer. Use whichever term your policy adopts consistently.
The guidance requires the IRA at two levels. The business-level IRA assesses the risk arising from the entity’s business model and must be proportionate to the entity’s size and complexity. The individual-level IRA assesses each customer and each occasional transaction, resulting in a high, medium, or low risk categorisation. The two connect because the individual-level results feed the weighting in the business-level exercise. This two-level structure is the RBI-guided methodology; entities in other sectors apply the same risk-based logic under their own regulator, supervisor or FIU framework.
Yes. For banks, the binding obligation is paragraph 10 of the RBI Commercial Banks KYC Directions, 2025, which requires that the assessment be carried out, documented, reviewed at least annually, and placed before the Board. The RBI IRA Guidance dated 10 October 2024 provides a methodology rather than a binding rule. The duty traces back to the PML Rules and the PMLA, and the risk-based approach implements FATF Recommendation 1. Other sectors carry the same duty under their own regulator or FIU framework.
Residual risk is what remains after the entity’s controls are applied to its inherent risk. The guidance illustrates a residual-risk matrix that reads the strength of control, strong, satisfactory or weak, against the inherent risk level, high, medium or low. Strong control over a high inherent risk yields a medium residual risk, while weak control leaves it high. The enterprise-wide residual risk should be derived using the documented methodology, which may combine weighted scores, matrix logic, override rules and management judgement. The method must be consistent, evidence-based, and explainable to the supervisor.
The guidance provides an indicative list across five groups: customer risk, including type, ownership, occupation, and PEP status; countries and geographical areas; products, services, and transactions; delivery channels; and other factors, such as the National Risk Assessment outcomes, new products, AML staff turnover, and past enforcement actions. It also flags risks related to new technology and wire transfer information. The entity must define its own factors for its book.
The guidance sets rules to keep the weighting honest. No single factor should dominate, profit considerations must not influence the weights, and the method must always allow a relationship to be rated high risk, with the ability to override a score upward and document the reason. The views of the regulator and law enforcement regarding past violations should be taken into account. Where a vendor model assigns the scores, the entity must understand the logic and be able to demonstrate it to the supervisor.
In the RBI-guided methodology, proliferation-financing and targeted-financial-sanctions exposure should be considered within the IRA, particularly where the entity faces risks of sanctions breach, non-implementation or evasion. The guidance frames risk throughout as money-laundering, terrorist financing and proliferation-financing risk together. PF risk arises from a breach or non-implementation of targeted financial sanctions and from their evasion. Anchored in the Master Direction on KYC and Section 12A of the WMD Act, the entity conducts a PF risk assessment, incorporates it into the IRA, and implements mitigation measures, with the FATF June 2021 PF guidance as a reference.
For banks, the Commercial Banks KYC Directions, 2025 require the assessment to be reviewed at least annually, with the Board or a Board committee setting the periodicity. Beyond that, the RBI guidance expects a review whenever the business changes or new threats emerge, and the entity should set its own triggers. Named triggers include a new product, a new jurisdiction, the issuance of the National Risk Assessment, adverse regulatory or audit observations, and a change in the entity’s profile. A review can also be brought forward based on the gravity of what is found.
The outcome must be presented to the Board or a committee of the Board with sufficient information for them to take a view, and the results should also reach the relevant business verticals. Senior management is expected to fully support the exercise. The work itself should be done by a cross-functional team, including product owners and internal audit and compliance, rather than by the AML team in a silo. Recording the Board’s consideration is part of the evidence trail.
No. The RBI guidance targets RBI-regulated entities, but every reporting entity under the PMLA must assess its risk under its own regulator, supervisor or FIU framework. See the sector breakdown above for how the obligation differs by sector.
Inherent risk is the risk an entity faces before its controls are applied, driven by its customers, products, geographies and channels. Residual risk is what remains after the controls are applied. The gap between the two indicates how much work the controls are performing and where the entity remains exposed. An entity lowers its residual risk only by reducing inherent risk or by strengthening controls, and it assesses the residual risk against its own risk appetite.
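The weighting rules described earlier (no dominant factor, upward-only overrides with a documented reason) and the inherent-to-residual step described here, shown as a small, explainable scoring model. This is an added example, not code from the page or the RBI guidance: the 1-5 factor scale, the weights, the dominance cap, the control scaling and the rating bands are all assumptions chosen to illustrate the rules.

```python
# Added worked example, not code from the page or the RBI guidance. The
# 1-5 factor scale, the weights, the dominance cap, the control scaling
# and the rating bands are assumptions chosen only to illustrate the rules.
RATINGS = ("Low", "Medium", "High")
MAX_WEIGHT = 0.5                                   # assumed dominance cap
BANDS = ((2.0, "Low"), (3.5, "Medium"))            # assumed upper bounds

def inherent_score(scores, weights):
    """Weighted average of 1-5 factor scores; no factor may dominate."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    for factor, w in weights.items():
        if w >= MAX_WEIGHT:
            raise ValueError(f"'{factor}' weight {w} would dominate")
    return round(sum(scores[f] * weights[f] for f in weights), 2)

def rate(score):
    for upper, label in BANDS:
        if score <= upper:
            return label
    return "High"

def override_upward(rating, new_rating, reason):
    """Manual override may only raise a rating and must carry a reason."""
    if not reason.strip():
        raise ValueError("override must be documented")
    if RATINGS.index(new_rating) < RATINGS.index(rating):
        raise ValueError("override may not lower a rating")
    return new_rating, reason

def residual_score(inherent, effectiveness):
    """Assumed scaling: fully effective controls bring residual to the floor of 1."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be within 0..1")
    return round(inherent - effectiveness * (inherent - 1.0), 2)

def within_appetite(residual_rating, appetite):
    return RATINGS.index(residual_rating) <= RATINGS.index(appetite)

# Constructed sample: one entity-level run over the four factor families.
WEIGHTS = {"customer": 0.35, "product": 0.25, "geography": 0.25, "channel": 0.15}
SCORES = {"customer": 4, "product": 3, "geography": 5, "channel": 2}

def assess(scores=SCORES, weights=WEIGHTS, effectiveness=0.6, appetite="Medium"):
    inherent = inherent_score(scores, weights)
    residual = residual_score(inherent, effectiveness)
    return {"inherent": inherent, "inherent_rating": rate(inherent),
            "residual": residual, "residual_rating": rate(residual),
            "within_appetite": within_appetite(rate(residual), appetite)}
```

Because every weight, band and scaling constant is visible in the code, the same run can be explained to a supervisor, which is the point of the vendor-model rule.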
A tool can do much of the heavy lifting, pulling data, applying weights and producing scores, but the entity stays responsible for the result. The RBI guidance is explicit that where a vendor tool assigns the scores, the entity must understand how it weighs the factors and be able to demonstrate to the supervisor that the scores reflect its own understanding of risk. So software supports the assessment and makes the refresh repeatable, but it does not replace the entity’s judgement, the cross-functional input or the Board’s ownership.
Keep the IRA report itself, with the business profile, the methodology, the risk factors with their weights and scores, the inherent and residual risk, and the mitigation plan. Alongside it, keep the data inputs the assessment relied on, the control-effectiveness testing, the internal audit findings, the five-year enforcement history and the Board paper and minutes that record the Board’s consideration. This evidence pack is what an inspector asks for.
Official sources and review
This guide is grounded in the following primary official sources, linked to the official source where one is available.
- Prevention of Money-laundering Act, 2002 (India Code)
- Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (India Code)
- RBI category-specific Know Your Customer Directions, 2025
- FATF Recommendations, including the June 2026 update to Recommendation 6 on targeted financial sanctions, which incorporates the UN humanitarian exemption (UNSCRs 2664 and 2761)
- Financial Intelligence Unit – India, including the Annual Report 2024-25
Why work with AML India
AML India builds and reviews internal risk assessments in line with RBI guidance, so they hold up during inspection. The team is practitioner-led and risk-based, and every position is checked against the source instrument and signed off by a named expert.
Case study: A mid-sized reporting entity came to AML India after an inspection flagged its risk assessment as generic and undated. We rebuilt it as a two-level, weighted assessment tied to the entity’s actual book, added an override rule and a formal risk-appetite statement, and took the outcome to the Board with a remediation plan. The next inspection cycle accepted the methodology with no major findings. “For the first time the assessment actually described our business, not a template.” (Compliance head, regulated reporting entity)
Ready to make your risk assessment defensible?
Whether you are building your first IRA or fixing an inspection finding, AML India can help. Talk to our team about an assessment built for your book and your risk.
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.