AML risk assessment: a practical methodology for regulated professions
The overall money-laundering risk assessment is the requirement most scrutinised by Belgian supervisors. Here is a 5-step methodology usable by accountants, notaries, lawyers and real-estate agents to produce a document that holds up under inspection.
In brief
The overall money-laundering risk assessment (Article 16 of the Act of 18 September 2017) is the first document requested by SPF Economie, the NBB or the FSMA during any AML inspection. It must analyse 4 dimensions (client risk, product risk, geographic risk, channel risk), be written in 5 documented steps, signed by management, updated annually and consistent with the KYC and CTIF procedures of the structure. A generic or incomplete document leads directly to a structural deficiency finding.
Why the risk assessment is the document n°1 demanded during inspection
When SPF Economie, the NBB or the FSMA inspects a regulated entity, the first document requested is not the client register or the KYC files: it is the overall money-laundering risk assessment, required by Article 16 of the Act of 18 September 2017.
This document is not an administrative form: it is the motherboard of the entire AML framework. It describes how the profession identifies, measures and mitigates the money-laundering and terrorist-financing risks specific to its activity. Without this document, or with a generic one copied from the internet, the inspection concludes to a structural deficiency — and the fine follows. Its content must be consistent with the obligations of the Act of 18 September 2017 and directly feed the KYC files maintained by each obliged entity.
The 4 dimensions to analyse
Any serious assessment relies on crossing four risk factors, common to the European Banking Authority (EBA) guidelines and the Belgian framework:
1. Client risk
Who are your clients? Categorise them:
- Individuals vs companies
- Belgian vs foreign
- Simple vs complex structures (holdings, trusts, shell companies)
- Politically exposed persons (PEPs)
- Clients whose real economic activity is hard to verify
- Clients onboarded remotely with no face-to-face
A fiduciary serving mostly local SMEs with transparent shareholding has low client risk. A notary's office regularly dealing with foreign companies with non-resident UBOs → high risk.
2. Product (or service) risk
What services do you provide? Some are inherently risky:
- Company incorporation and domiciliation (capacity to create opaque structures)
- Real-estate operations (historic money-laundering channel)
- Third-party fund management (lawyers' trust accounts, notaries' funds)
- International tax advice, structure optimisation
- Cash transactions above thresholds
Other services have structurally low risk: simple bookkeeping for micro-businesses, HR consulting, pure statutory audit.
3. Geographic risk
Do your clients or their counterparties operate in:
- The high-risk third countries identified by the European Commission (published, updated list)
- Preferential tax jurisdictions (former tax havens, OECD lists)
- Areas under international sanctions (Russia, Iran, North Korea, Belarus...)
- Countries with weak AML frameworks (FATF reports)
A client domiciled in Brussels with Belgian-French activity: low geographic risk. A Belgian company whose 80 % of inbound flows come from Dubai or the Seychelles: high risk.
4. Channel risk
How was the relationship established and how does it run?
- Face-to-face on your premises (low risk)
- Introduced by a known peer or correspondent (moderate risk)
- 100 % remote via online platform (heightened risk if no strong identification)
- Through an intermediary (business introducer) — who is this intermediary?
The methodology in 5 steps
Step 1 — Map the activity
Describe your activity factually:
- Which services exactly (exhaustive list, with revenue share)
- How many active clients and their typology (local SMEs / individuals / international companies)
- Which geographic zones (where your clients are, where their counterparties are)
- Which onboarding channels
This mapping is the factual basis of everything that follows. It is updated annually.
Step 2 — Identify inherent risks
For each combination client × product × geography × channel, list the money-laundering risks before any mitigating measure. Examples:
- Incorporation of a company for a non-resident client from an opaque jurisdiction → shell-company risk
- Cash real-estate operation with multiple transfers from different accounts → structuring (smurfing) risk
- Tax mandate for a client receiving crypto-asset revenue → doubtful source of funds
Step 3 — Assess the inherent risk level
Use a 3- or 5-level grid: low / standard / high (or 1-5). Document the criteria placing each combination at each level. Don't put everything at "low": a regulated entity claiming no high-risk zone will be viewed sceptically.
Step 4 — Describe mitigating measures
For each risk level, which controls do you implement?
- Low risk: standard KYC, annual monitoring, normal archiving
- Standard risk: full KYC with UBO and register verification, semi-annual monitoring
- High risk: enhanced KYC, source-of-funds verification, senior management approval before onboarding, quarterly monitoring, expedited CTIF reporting
Be concrete: "enhanced monitoring" is not enough. Specify: "quarterly review of the file by the AMLCO, comparison of flows with the client's VAT returns, written validation".
Step 5 — Compute the residual risk and conclude
After mitigating measures, is the residual risk acceptable? If yes, the framework is consistent. If no, two options: strengthen measures, or refuse the type of activity.
Conclude on the overall risk level of your profession and list the priority focus points for the next 12 months.
Format and frequency
The risk assessment must be:
- Written — no oral analysis, no "it's in the AMLCO's head"
- Dated and signed by management
- Updated at least annually, or immediately after a significant change (new service, new target clientele, new regulation)
- Consistent with the written procedures for KYC, monitoring, CTIF reporting
- Kept for the duration of operations + 10 years
In practice, a 10- to 30-page document, structured by the 4 dimensions above, is sufficient for most mid-sized practices.
Frequent mistakes seen during inspection
The AMLCO's role
The Anti-Money Laundering Compliance Officer (AMLCO) is the main drafter and guardian of the risk assessment. The appointment is mandatory for all regulated structures, formally named by decision of the board of directors or equivalent body.
For small structures, the AMLCO can be a manager themselves. For larger ones, it is a dedicated role. In all cases: direct access to management, functional independence, documented initial and ongoing training.
How Company Belgium structures your risk assessment
The risk assessment required by Article 16 becomes a controlled deliverable with Company Belgium:
- Automatic mapping of your client base: breakdown by size (BCE), legal form, NACE codes, geography of head offices and establishments
- Profession-specific assessment templates (accountant, notary, lawyer, real-estate agent, company service provider)
- Preconfigured risk matrix over the 4 dimensions client × product × geography × channel
- High-risk country alerts: automatic cross-check with the official lists (EU, Belgian Treasury, international sanctions)
- Review tracking: annual deadline reminders, timestamped versions, full traceability of AMLCO decisions
- Signed PDF export ready to present during inspection
Your AMLCO produces a compliant, defensible document in hours, not weeks.
Bottom line
The risk assessment is the exercise that makes the difference between an entity substantively compliant and one that ticks boxes. It is also the unique document showing the inspector that the profession has understood its exposure and deployed proportionate measures. Be factual, be specific, be up-to-date — and this piece becomes an asset, not a risk.
Frequently asked questions
What is the overall AML risk assessment and who must produce it in Belgium?
The overall money-laundering risk assessment is a written document, dated and signed by management, required under Article 16 of the Act of 18 September 2017. It is mandatory for all obliged entities: law firms, accountants, notaries, real estate agents, domiciliation centres, company service providers and financial institutions. The AMLCO drafts and updates it, under the formal responsibility of management. Without this document, any inspection concludes to a structural deficiency.
What are the 4 dimensions of a compliant AML risk assessment in Belgium?
A compliant AML risk assessment analyses 4 dimensions: client risk (who your clients are, their nationality, structural complexity, any PEP presence), product risk (what services you provide, notably company incorporation, domiciliation, fund management), geographic risk (whether your clients or their counterparties are linked to high-risk third countries or sanctions), and channel risk (how the relationship was established, remotely or face-to-face). The EBA and the Belgian framework require that these 4 dimensions be crossed in a documented matrix.
How often must an AML risk assessment be updated in Belgium?
The law requires an update at least annually. An immediate update is also required after any significant change: launch of a new service, expansion of the target clientele, regulatory change (new AML directive, new high-risk country list), or a notable incident (CTIF report, external investigation). Supervisors check the consistency between the date of the last revision and the actual evolutions of the activity.
What are the most frequent errors in an AML risk assessment during a Belgian inspection?
The most often sanctioned errors are: a generic document not tailored to the firm's real activity, a uniformly low risk level without justification, vague non-auditable mitigating measures (for example mentioning monitoring without describing how it is organised), no link with the written KYC and CTIF procedures, no update for more than a year, and no analysis of refused files or issued CTIF reports, which are nevertheless calibration signals for the matrix.
Comments
Related articles

Notaries: verifying beneficial owners before an authentic act
Notaries are on the front line to block money-laundering setups via companies. Incorporation, merger, share transfer, real estate sale: every act demands enhanced UBO due diligence. Here is the complete checklist to secure an authentic act without burdening practice.

The Belgian trial period is back: what the Clarinval reform changes for SMEs from day one
On 21 May 2026, the Belgian Chamber voted to reinstate a trial regime covering the first six months of the employment contract. Notice cut to one week, written reasoning, scope limited to new contracts: what employers need to grasp before publication in the Moniteur belge.

Branch in Belgium and the UBO register: what the foreign company must do
A foreign company opening a branch in Belgium is not a Belgian company: the branch has no separate legal personality. That changes everything for the UBO register. Find out who must declare what, and why a Belgian SRL subsidiary offers a cleaner compliance footprint.
