Table of contents
- What is an AML risk assessment and why is it mandatory?
- Who must prepare the risk assessment in writing?
- The four required risk assessment areas under FAÚ Guideline No. 11
- Inherent vs residual risk: the key distinction
- Risk matrix: how is the final risk score calculated?
- How does the risk score affect client handling?
- Comply or explain: why “the client is low risk” is not enough
- When and how should the risk assessment be updated?
- The most common risk assessment mistakes according to FAÚ
- What must the risk assessment prove during a FAÚ inspection — checklist
- What risk assessment looks like in practice: real estate agent vs accountant
- What does the NRA 2020–2024 say about non-financial sector risks?
- Frequently asked questions about risk assessment
What is an AML risk assessment and why is it mandatory?
A money laundering and terrorist financing (ML/TF) risk assessment is a statutory obligation under Section 21a of Act No. 253/2008 Coll. (the Czech AML Act). It is an internal analytical document in which an obliged entity identifies and assesses the risks arising from its clients, products, operating model and geographical exposure.
A risk assessment is not a formal exercise. It is the foundation on which the entire system of internal AML policies must stand. Without it, internal policies cannot be properly set up, and the procedures for client identification and due diligence cannot be risk-based.
The law does not prescribe a fixed template. However, FAÚ Methodological Guideline No. 11, effective from 5 September 2025 and aimed mainly at non-financial obliged entities, defines the minimum content and methodology expected from a risk assessment.
Who must prepare the risk assessment in writing?
The obligation to prepare a written risk assessment applies to the affected obliged entities under Section 21a(2) of the AML Act — the same group that must have written internal AML policies:
| Type of obliged entity | Written risk assessment |
|---|---|
| Credit institutions (Section 2(1)(a)) | Mandatory |
| Financial institutions (Section 2(1)(b)) | Mandatory* |
| Gambling operators (Section 2(1)(c)) | Mandatory* |
| Real estate intermediaries, auctioneers (Section 2(1)(d)) | Mandatory* |
| Trust and company service providers (Section 2(1)(h)) | Mandatory* |
| Accountants, tax advisers, auditors (Section 2(1)(e)) | Not mandatory in writing — strongly recommended |
| Lawyers, notaries (Section 2(1)(g)) | Not mandatory in writing — strongly recommended |
*An exception applies where there are no employees or the AML activity is performed exclusively for one other obliged entity (Section 21(3) and (4) of the AML Act).
The risk assessment must be approved by the statutory body of the obliged entity and kept up to date.
The four required risk assessment areas under FAÚ Guideline No. 11
FAÚ Guideline No. 11 defines four areas in which an obliged entity must identify ML/TF risk factors. Each area must be addressed concretely, not through generic statements.
Area 1: Client and business relationships
Client type is the strongest risk factor. The assessment must distinguish between private individuals, sole traders, legal entities, PEPs, third-country nationals, clients from high-risk jurisdictions and clients with unusual behaviour. It must also consider the purpose, regularity and duration of the business relationship.
Area 2: Products and services
Every product or service must be assessed by explaining how it could specifically be misused for money laundering. It is not enough to state that a product is risky. The assessment must describe the misuse scenario and the mitigating controls.
Area 3: Geographical risk
The assessment considers the client’s origin, payment destinations and locations of operations. High-risk countries include those listed by FATF and the EU. Geography affects both client categorisation and transaction red flags.
Area 4: Distribution channels
The way an obliged entity communicates with clients and closes business is a separate risk factor. Remote identification, online channels and intermediated contact increase risk compared with in-person client presence.
Inherent vs residual risk: the key distinction
FAÚ Guideline No. 11 distinguishes two types of risk that must be captured:
- Inherent risk is the ML/TF risk level before any mitigating measures are applied. It is the raw risk arising from the nature of the client, product or operating model.
- Residual risk is the risk that remains after AML measures are applied. Residual risk equals inherent risk minus the effect of controls.
Practical example: a client who is a foreign national residing in a high-risk third country has high inherent risk. After enhanced due diligence under Section 9a, verification of source of funds and ongoing monitoring, the residual risk may fall to a medium or manageable level. This reasoning must be demonstrable in the risk assessment.
Let AML PROOF calculate the risk score for you — automatically in every check
AML PROOF uses an internal WAR model (Weighted Average Risk) that calculates the final risk score from the four statutory areas for every case and automatically determines whether the case requires the standard process or enhanced due diligence (EDD).
Try the WAR model for free
Risk matrix: how is the final risk score calculated?
FAÚ Guideline No. 11 recommends assessing risks on a three- or four-level scale. AML PROOF implements this logic through a WAR model (Weighted Average Risk), a weighted average of risk factors calculated automatically for each client check.
| | Low impact | Medium impact | High impact |
|---|---|---|---|
| Low probability | Low | Low | Medium |
| Medium probability | Low | Medium | High |
| High probability | Medium | High | High |
Each client receives a final WAR score combining the four areas: client, product, geography and distribution channel. The factor weights are set in line with the National Risk Assessment (NRA, approved by Government Resolution No. 3 of 5 January 2026) and FAÚ guidance.
The final risk score places the client into one category:
- Low risk — standard process, with possible simplified due diligence under Section 13.
- Medium risk — standard process with increased attention during ongoing monitoring.
- High risk — triggers enhanced due diligence (EDD) under Section 9a.
- Unacceptable risk — refusal of the transaction or termination of the business relationship under Section 15.
How does the risk score affect client handling?
The resulting score is not just an internal number. It directly determines the scope of obligations when working with a concrete client:
Low and medium score (standard case)
Identification was performed properly under Sections 7–8, due diligence under Section 9, the client acts on their own behalf, there is no PEP or sanctions hit, and the source of funds is clear. The case can be finalised by a trained employee.
High score (EDD — enhanced due diligence)
The extended process under Section 9a is triggered automatically. Any employee may start EDD, but approval or rejection must be made by the designated person (MLRO), as required by Section 9a(3)(d).
Sanctions or PEP hit
A partial match (NON_CRITICAL_HIT) may be resolved by a standard employee. A full match (MAJOR_HIT) requires an MLRO decision and will often lead to a suspicious transaction report.
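The following is an added worked example, not AML PROOF's code and not anything prescribed by FAÚ Guideline No. 11: a small model that ties together the inherent/residual distinction, the probability × impact matrix, a weighted-average (WAR-style) score over the four statutory areas, and the handling rules from this section (standard process, EDD with an MLRO decision, NON_CRITICAL_HIT vs MAJOR_HIT). The matrix and the category-to-handling mapping follow the page; every number is an assumption: the area weights, the Low/Medium/High values 1/2/3, the thresholds that map the average back to a category, and the modelling of controls as whole risk levels removed from the inherent level. The sample client is constructed from the page's own example (a foreign national residing in a high-risk third country, after EDD and source-of-funds verification).

```python
"""Toy weighted-average risk (WAR-style) scoring model (example code, not AML PROOF's)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Risk matrix from the page: outer key is probability, inner key is impact.
MATRIX = {
    Level.LOW:    {Level.LOW: Level.LOW,    Level.MEDIUM: Level.LOW,    Level.HIGH: Level.MEDIUM},
    Level.MEDIUM: {Level.LOW: Level.LOW,    Level.MEDIUM: Level.MEDIUM, Level.HIGH: Level.HIGH},
    Level.HIGH:   {Level.LOW: Level.MEDIUM, Level.MEDIUM: Level.HIGH,   Level.HIGH: Level.HIGH},
}

# Weights of the four statutory areas in percent. ASSUMED values; the page gives no weights.
WEIGHTS = {"client": 40, "product": 20, "geography": 25, "channel": 15}


@dataclass
class AreaAssessment:
    probability: Level
    impact: Level
    control_effect: int = 0  # assumed model: number of levels the mitigating controls remove

    def inherent(self) -> Level:
        """Inherent risk: the matrix result before any controls are applied."""
        return MATRIX[self.probability][self.impact]

    def residual(self) -> Level:
        """Residual risk: inherent risk minus the effect of controls, never below Low."""
        return Level(max(Level.LOW, self.inherent() - self.control_effect))


def war_score(areas: dict[str, AreaAssessment], residual: bool = True) -> float:
    """Weighted average of the four area levels (residual by default, inherent otherwise)."""
    if set(areas) != set(WEIGHTS):
        raise ValueError("all four areas must be assessed: " + ", ".join(WEIGHTS))
    total = sum(WEIGHTS[name] * (a.residual() if residual else a.inherent())
                for name, a in areas.items())
    return total / sum(WEIGHTS.values())  # integer arithmetic until the final division


def categorise(score: float, unacceptable: bool = False) -> str:
    """Map the score to the page's four categories. Thresholds are ASSUMED."""
    if unacceptable:  # a refusal ground under Section 15, decided by the caller
        return "unacceptable"
    if score < 1.5:
        return "low"
    if score < 2.5:
        return "medium"
    return "high"


def required_handling(category: str, screening: Optional[str] = None) -> dict:
    """Workflow consequences described on the page for a category and a screening result.

    screening is None, "NON_CRITICAL_HIT" (partial match) or "MAJOR_HIT" (full match).
    """
    if category == "unacceptable":
        # Who takes the refusal decision is not stated on the page; MLRO is assumed here.
        return {"process": "refuse transaction / terminate relationship (Section 15)",
                "decision_by": "MLRO", "consider_str": False}
    if screening == "MAJOR_HIT":
        return {"process": "full sanctions/PEP match review",
                "decision_by": "MLRO", "consider_str": True}
    if category == "high":
        return {"process": "EDD (Section 9a)", "decision_by": "MLRO", "consider_str": False}
    # Low or medium score with at most a partial screening match: a trained employee may finalise.
    return {"process": "standard (Sections 7-9)", "decision_by": "trained employee",
            "consider_str": False}


def assess_client(areas: dict[str, AreaAssessment], screening: Optional[str] = None,
                  unacceptable: bool = False) -> dict:
    """Full evaluation: inherent and residual scores, category and required handling."""
    inherent = war_score(areas, residual=False)
    residual = war_score(areas, residual=True)
    category = categorise(residual, unacceptable)
    return {"inherent_score": inherent, "residual_score": residual,
            "category": category, **required_handling(category, screening)}


# Constructed sample: the page's foreign national from a high-risk third country,
# after EDD, source-of-funds verification and ongoing monitoring (control_effect=1).
SAMPLE_CLIENT = {
    "client":    AreaAssessment(Level.HIGH, Level.HIGH, control_effect=1),
    "product":   AreaAssessment(Level.MEDIUM, Level.MEDIUM),
    "geography": AreaAssessment(Level.HIGH, Level.HIGH, control_effect=1),
    "channel":   AreaAssessment(Level.LOW, Level.MEDIUM),
}

if __name__ == "__main__":
    print(assess_client(SAMPLE_CLIENT))
```

With these assumed weights the sample client scores 2.5 (high) on inherent risk and 1.85 (medium) on residual risk, which is exactly the demonstrable reasoning the page says the risk assessment must contain; passing `screening="MAJOR_HIT"` moves the same case to an MLRO decision regardless of the score.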
Comply or explain: why “the client is low risk” is not enough
FAÚ Guideline No. 11 introduces the comply or explain principle for risk assessment. For every risk factor, the obliged entity must either demonstrate that its controls sufficiently mitigate the risk, or explain why it rates the factor lower in its specific circumstances.
In practice, FAÚ rejects assessments that contain only generic claims such as “our clients are low-risk individuals”. A proper risk assessment must include:
- A concrete misuse scenario for each client type or product.
- An explanation of why the chosen controls sufficiently cover the scenario.
- For low-risk categories, a detailed explanation of why the client or product is genuinely low risk.
If the assessment lacks sufficient reasoning, FAÚ may reject it as inadequate and impose remedial measures or initiate administrative offence proceedings.
When and how should the risk assessment be updated?
A risk assessment is not a one-off document. Section 21a requires obliged entities to update it regularly, and FAÚ Guideline No. 11 specifies the triggers:
An update is required whenever:
- The NRA is issued or updated and affects the obliged entity’s activity.
- FAÚ issues new methodological guidance or the EU SNRA is updated.
- New products or services are launched.
- New technologies are introduced that may affect ML/TF risk.
- The business model or client portfolio changes.
How to perform the update:
- Review whether the existing risk categories still reflect reality.
- Update risk scores where circumstances have changed.
- Document the reasons and date of the change.
- Have the update approved by the statutory body.
- Train employees on any changes under Section 23(3).
The most common risk assessment mistakes according to FAÚ
FAÚ Guideline No. 11 and supervisory practice repeatedly identify these shortcomings:
- Template assessment without individualisation: a document copied from the internet or generated without understanding the business model.
- Missing distribution channel assessment: remote and intermediary channels are often omitted.
- No link between risk assessment and internal policies: the assessment marks a client as high risk, but the policies do not contain the corresponding procedure.
- Outdated assessment: no update after a new NRA or FAÚ Guideline No. 11.
- Unjustified low-risk categories: broad claims that all clients are low risk without comply or explain analysis.
What must the risk assessment prove during a FAÚ inspection — checklist
During an inspection, FAÚ assesses not only whether the risk assessment exists, but whether its conclusions are demonstrable. Check whether your document would stand up:
Formal requirements
- The risk assessment is part of the written internal AML policies or is explicitly linked to them.
- The document is approved by the statutory body (signature + date).
- A previous version is available with the update date and reason for change.
- The assessment reflects the current NRA approved by Government Resolution No. 3 of 5 January 2026.
Content — four areas
- Client: are client categories distinguished and is each score justified?
- Product/service: is a concrete ML/TF misuse scenario described for each product?
- Geography: are high-risk third countries reflected in both client categorisation and transaction red flags?
- Distribution channel: is remote identification distinguished from in-person identification?
Risk categorisation
- Is a risk score assigned to each client category?
- Do low-risk categories include comply or explain reasoning?
- Are low-risk categories supported by analysis rather than assertion?
Link to policies and practice
- The internal policies contain a matching procedure for each risk category.
- Mitigating measures are concrete, not just “increased monitoring”.
- The update interval is stated.
What risk assessment looks like in practice: real estate agent vs accountant
Risk assessment must reflect the specific sector. Below are the key differences between two common types of non-financial obliged entities:
Real estate agent (Section 2(1)(d) AML Act)
According to the NRA 2020–2024, the real estate sector is a medium to high risk area. Typical factors include:
| Area | Typical risk | Recommended score |
|---|---|---|
| Client — legal entity with opaque ownership | Concealing the beneficial owner | High |
| Client — foreign national from a high-risk jurisdiction | Cross-border money laundering | High |
| Client — buyer paying the full price in cash | Cash-based laundering | High to unacceptable above EUR 10,000 |
| Product — brokerage of real estate sale | Overpricing or underpricing | Medium |
| Geography — client from post-Soviet region | ML through real estate market | High |
| Distribution channel — remote identification without face-to-face contact | Risk of identity theft | Medium to high |
Key EDD obligation: determine the source of funds used for the purchase and take reasonable measures to determine the origin of assets under Section 9(2)(e) and (f).
Accountant (Section 2(1)(e) AML Act)
Accountants are not legally required to have a written risk assessment, but FAÚ typically expects it during inspections and treats its absence as an aggravating factor. Typical factors include:
| Area | Typical risk | Recommended score |
|---|---|---|
| Client — purpose-built legal entity | Misuse for ML structures | High |
| Client — sole trader with opaque income structure | Concealing sources of income | Medium |
| Product — accounting for a cash-heavy client | Concealing origin of funds | High |
| Product — tax advice for foreign transactions | Tax crime + ML | Medium |
| Geography — cross-border transactions to high-risk countries | Cross-border ML | High |
| Distribution channel — exclusively online communication | Risk of identity theft | Medium |
Key difference from real estate agents: accountants usually maintain a long-term business relationship, which means ongoing due diligence and monitoring of the client’s business activity over time.
What does the NRA 2020–2024 say about non-financial sector risks?
The National ML/TF Risk Assessment for 2020–2024 (NRA, approved by Czech Government Resolution No. 3 of 5 January 2026) is a mandatory reference point that every obliged entity must reflect when preparing a risk assessment under Section 21a(1).
The NRA identifies four money laundering risk models in Czechia. The following are most relevant for the non-financial sector:
- Risk model 1 — fraud: offenders abuse victims’ trust to obtain funds that are then inserted into the financial system.
- Risk model 3 — other property and economic crime: corruption, tunnelling and insolvency proceedings. A key model for TCSPs, real estate and tax advisers.
- Risk model 4 — crime with a foreign element: approximately 25–30% of illicitly obtained funds come from predicate crime with a cross-border element.
New phenomena identified in the NRA 2020–2024 that must be reflected:
- The major shift of fraud into cyberspace — social engineering, deepfakes and AI-generated content.
- The establishment of virtual assets and their growing misuse for ML.
- Concealed employment intermediation linked to tax evasion.
- New sanctions evasion linked to the war in Ukraine.
These phenomena must be expressly reflected in each obliged entity’s risk assessment. A generic reference to the NRA is not enough. FAÚ checks whether concrete measures were adopted in response to the identified trends.
The non-public NRA version with more detailed sector typologies can be requested directly from FAÚ.
Frequently asked questions about risk assessment
Has FAÚ published a risk assessment template?
No. FAÚ has not published a risk assessment template and does not plan to. The assessment must always be tailored to the specific obliged entity.
Must the risk assessment be approved by the managing director?
Yes. The risk assessment forms part of the internal AML policies, which must be approved by the statutory body under Section 21(2).
How detailed must the risks of individual clients be?
The risk assessment is typological. It describes categories, not concrete individuals. A concrete client receives a risk profile during identification and due diligence.
What is a low-risk client and how can I identify one?
Section 13 allows simplified due diligence only where the risk assessment demonstrably supports a low ML/TF risk. A mere statement is not enough.
Must I reflect the NRA in the risk assessment?
Yes. This is a statutory obligation under Section 21a(1). The current NRA was approved by Czech Government Resolution No. 3 of 5 January 2026.
If my business changes significantly, must I rewrite the whole assessment?
Not necessarily. You must assess whether the existing categorisation still applies and update the affected parts. Each update should be documented with the date and reason.
Risk assessment built into every check — not as a static document
AML PROOF calculates the WAR risk score automatically in every case. The result is stored in the audit trail, determines the client workflow and forms evidence for your organisation-wide risk assessment.