What a Compliant Risk Assessment Must Cover
Under the March 2026 revised FSA Guidelines, an institution’s AML/CTF risk assessment must be enterprise-wide — encompassing all business lines, products, customer segments, and geographic exposures. It must address:
- Customer risk: the ML/TF risk profile of the institution’s customer base by segment, product type, and geography. This requires an analysis of the proportion of PEPs, high-risk jurisdiction customers, high-risk sector customers, and non-face-to-face relationships in the customer book — not just a general statement that the customer base is low risk.
- Product and service risk: the inherent ML/TF risk of each product and service the institution offers, assessed against factors including anonymity, transaction velocity, cross-border exposure, and value thresholds. A foreign currency remittance service carries different inherent risk from a standard domestic savings account.
- Geographic risk: the risk associated with jurisdictions in which the institution operates, where customers are resident, and where counterparties are located — assessed against current FATF designation lists, FSA guidance on high-risk jurisdictions, and the institution’s own experience of transaction patterns in specific corridors.
- Channel and delivery risk: the ML/TF risk differential between face-to-face and non-face-to-face customer relationships, and between physical branch delivery and digital channel delivery.
- Emerging and inherent risks: risks that do not yet materialise in current business activity but represent future exposure — including virtual asset counterparty risk for institutions with CASP client relationships, stablecoin exposure, and cross-border payment channel risk arising from new product development.
From Risk Assessment to Operational Controls
A risk assessment that informs a document but does not demonstrably inform operations fails the FSA’s requirements. The March 2026 revised guidelines explicitly require that risk assessment findings directly drive:
- CDD tier assignments: the risk classification assigned to individual customers at onboarding must derive directly from — and be demonstrably consistent with — the institution’s enterprise risk assessment. An institution whose risk assessment identifies a specific customer segment as high-risk must apply EDD to customers in that segment, or document a specific rationale for an individual exception.
- Transaction monitoring parameters: alert thresholds, rule sets, and monitoring intensity must be calibrated to the risk assessment’s findings. A customer segment identified as high-risk must receive correspondingly intensive monitoring. The calibration rationale must be documented and periodically reviewed.
- Resource allocation: compliance staffing levels, technology investment, and supervision intensity must be proportionate to the risk assessment’s findings. The FSA specifically examines whether institutions have adequately resourced their highest-risk areas.
- EDD trigger criteria: the specific circumstances that trigger enhanced due diligence must be traceable to the risk assessment’s identification of elevated-risk factors — not applied arbitrarily.
Board Governance Requirements
The March 2026 FSA guideline revision strengthened requirements for board-level governance of the AML/CTF risk assessment. The board is now expected to:
- Approve the institution’s enterprise-wide AML/CTF risk assessment, with documented evidence that substantive review took place — not just that the assessment was presented and noted.
- Receive regular management reporting on the risk assessment’s key findings and any material changes in the institution’s risk profile — through management information that is actually informative, not formulaic.
- Be briefed on material FSA and FATF developments that affect Japan’s overall risk environment, with documented briefing dates and board responses.
- Demonstrate through board meeting minutes that AML/CTF risk is treated as a substantive governance agenda item — not merely a compliance officer report received without discussion or challenge.
An institution that cannot produce board minutes evidencing meaningful governance engagement with AML/CTF risk — questions asked, challenges raised, decisions made — will face adverse FSA examination findings on governance. The quality of board minutes is itself an examination evidence point.
Dynamic Risk Management: Keeping the Assessment Current
Risk assessments are not annual documents filed and ignored for 12 months. The FSA expects a genuinely dynamic risk management process that updates the risk assessment in response to:
- Material changes in the institution’s business model, customer base, product offering, or geographic exposure.
- New FATF guidance, FSA supervisory guidance, or changes to Japan’s National AML/CTF Action Plan priorities.
- New ML/TF typologies identified through JAFIC, FSA guidance, or industry intelligence.
- Examination findings — either at the institution itself or at peer institutions that reveal systemic gaps applicable to the institution’s own programme.
- Significant changes in the institution’s monitoring outputs — changes in STR filing rates, alert volumes, or false positive rates that are inconsistent with the existing risk assessment findings.
All reviews, updates, and the rationale for any changes must be documented, with the revised assessment subject to board approval as a substantive governance action.
Frequently Asked Questions
AML Risk Assessment Japan: Building an FSA-Compliant Framework | Nexiant
How to build an enterprise-wide AML/CTF risk assessment under Japan’s March 2026 revised FSA Guidelines — covering scope, operational connection, board governance, and dynamic review.
Speak to our teamThis article was accurate at the time of publication in June 2026 and is intended for general informational purposes only. It does not constitute legal, regulatory or compliance advice. Organisations should seek qualified professional guidance in relation to their specific obligations.




