ANQA Compliance Training | FATF R.1 & IO1 | 7 Pages | 30 Questions | 80% Pass Mark
Understand how governments assess their ML/TF risks, what the NRA means for your institution's own risk programme, and why FATF effectiveness assessments place so much weight on whether NRA findings are actually used.
A National Risk Assessment is the foundation of a country's entire AML/CFT system. It determines where supervisory resources are directed, which sectors are targeted for enforcement, and — critically for compliance officers — what the baseline risk profile for their institution's operating environment looks like.
Many compliance professionals work in jurisdictions where an NRA exists but its findings are never translated into practice. FATF mutual evaluations consistently find that completing an NRA is not enough: the findings must drive policy, supervisory activity, and individual financial institution risk programmes. This course explains the NRA framework, how assessors evaluate it, and what compliance teams in emerging markets must do to incorporate NRA findings into their own work.
Core coverage: FATF R.1 and the risk-based approach, the Threat/Vulnerability/Consequence formula, available NRA methodologies (World Bank, IMF, MONEYVAL), Immediate Outcome 1 effectiveness ratings, and common NRA failures in emerging markets.
FATF R.1 establishes the risk-based approach as the governing principle of the entire FATF framework. The NRA is the primary mechanism through which countries comply with R.1's identification and assessment requirement. Without a credible NRA, a country cannot demonstrate that it genuinely understands its risk environment — and therefore cannot design an effective AML/CFT system.
October 2020 update: An amendment to R.1 extended the risk-based approach obligation to include proliferation financing. Countries must now assess PF risk in their NRAs — not just ML and TF risk. Many African and Asian jurisdictions assessed since 2021 have been found lacking in this area.
A National Risk Assessment (NRA) is a structured, government-led process for identifying, assessing and understanding the ML, TF and PF risks faced by a country. It examines:
The NRA is jurisdiction-owned — the national government drafts it and is responsible for acting on its findings. It is not produced by external assessors, though international tools (World Bank, IMF) are used to structure the analysis.
| Feature | NRA | Mutual Evaluation |
|---|---|---|
| Who conducts it | The national government (self-assessment) | External peer team from the FATF, FSRB (e.g. ESAAMLG, GIABA, APG), IMF or World Bank |
| What it assesses | Domestic ML/TF/PF risk landscape | Technical compliance (laws in place) AND effectiveness (do they work?) |
| Frequency | No fixed cycle — countries update as needed | Typically every 10 years in the 5th round |
| Output | A risk assessment report for national policy | A Mutual Evaluation Report published on the FATF/FSRB website |
| Consequence | Informs domestic strategy | Can result in grey listing or black listing for serious failures |
Risk is a function of all three components. A country with high drug trafficking (threat) but a well-regulated financial sector (low vulnerability) and a small economy (limited consequence) will have a different overall risk profile than a country with moderate threat but a large informal economy and weak supervision.
Threat analysis asks: Who are the criminal actors, and what crimes generate the largest ML/TF proceeds in this jurisdiction?
| Threat Category | Examples | Data Sources |
|---|---|---|
| Organised crime | Drug trafficking, human trafficking, firearms | Law enforcement intelligence, prosecution data, FIU financial flows |
| Corruption & fraud | Public procurement fraud, tax evasion, cybercrime | Anti-corruption agency data, tax authority data |
| Terrorism financing | Domestic and cross-border TF networks | Intelligence services, FATF typologies, UNSC designations |
| Proliferation financing | Sanctions evasion for WMD-related procurement | UNSC resolution data, export control authorities |
Data challenge: In many emerging markets, the threat assessment is the weakest component of the NRA because prosecution data is incomplete, FIU feedback loops are limited, and law enforcement intelligence is not systematically shared with the NRA team. Without reliable criminal proceeds data, threat analysis is largely qualitative.
Vulnerability analysis asks: Which sectors, products and channels are most exposed to being used for ML/TF?
The World Bank NRA Tool (Module 2) identifies eight sector sub-modules for vulnerability analysis:
For each sector, vulnerability is assessed based on: product/service characteristics, delivery channels, geographic reach, quality of AML supervision, and known typologies.
Consequence analysis asks: What would be the impact of a successful ML/TF attack on the financial system? In practice, consequence is often incorporated into the threat and vulnerability analysis rather than treated as a standalone component. Key consequence factors include:
The FATF does not mandate a single NRA methodology. Countries choose from three main internationally recognised tools, which are published in FATF's NRA Toolkit Annexes. Each tool uses the same Threat/Vulnerability/Consequence framework but differs in structure and the depth of sectoral analysis.
| Tool | Developed by | Primary Users | Structure |
|---|---|---|---|
| World Bank NRA Tool (Second Generation) | World Bank | Primarily low- and middle-income countries; 114 jurisdictions supported since 2012 | Module 1: National Threat Assessment; Module 2: National Vulnerability Analysis (8 sector sub-modules) |
| IMF Approach | International Monetary Fund | Often used alongside the World Bank tool; IMF provides data collection tools and report templates | Data collection tools, raw analysis, and NRA report template — national authorities draft the final report |
| MONEYVAL Approach | Council of Europe | European countries and those under MONEYVAL oversight (Council of Europe member states) | Tailored to the European legal and regulatory context |
Most African and Asian jurisdictions that have conducted NRAs have used the World Bank tool, often in combination with IMF support. The process typically involves:
Key point: The NRA is produced by national authorities. The World Bank and IMF provide tools, data templates and technical support — they do not write the NRA. National ownership is a FATF requirement: the government must take responsibility for its risk assessment.
An NRA is only valuable if its findings are used. The FATF expects NRA findings to drive:
Before 2013, FATF mutual evaluations focused primarily on technical compliance — whether the correct laws and regulations were in place. The revised 2013 Methodology introduced effectiveness assessment: do the measures that are in place actually work?
This shift was significant for emerging markets. A country could have a perfectly drafted AML/CFT law and still receive low effectiveness ratings if the law was not being enforced, STRs were not being filed, or the financial sector did not understand the risks it faced.
IO1 asks: Does the country genuinely understand its ML/TF/PF risks, and is that understanding translating into coordinated action? Assessors examine:
Africa and emerging markets: Most African jurisdictions assessed in recent FATF/ESAAMLG/GIABA rounds have received Low (LE) or Moderate (ME) effectiveness ratings on IO1. This typically reflects not an absence of NRAs, but the failure to use NRA findings to drive policy, supervision and FI-level risk management. Completing an NRA is necessary but not sufficient for effectiveness.
When a country is placed on the FATF grey list (Increased Monitoring), persistent IO1 weaknesses — including an outdated or unused NRA — are typically among the findings. To exit the grey list, the country must demonstrate that it has addressed the identified deficiencies through concrete action plans with measurable outcomes.
From FATF, ESAAMLG, GIABA, and APG mutual evaluation reports across Africa and Asia, the following weaknesses recur:
| # | Weakness | Impact |
|---|---|---|
| 1 | NRA not completed or outdated — Some jurisdictions had no NRA at evaluation; others had a 2015 report not updated before their 2024 evaluation | LE on IO1; accelerates grey list risk |
| 2 | Top-down NRA without private sector input — Conducted entirely by government without meaningful FI or DNFBP consultation | Missing the most granular financial crime data held by the private sector |
| 3 | NRA findings not disseminated — Classified or restricted NRAs never shared with financial institutions | FIs cannot incorporate national risk findings into their own risk programmes |
| 4 | NRA not used to drive strategy — Countries complete NRAs to satisfy FATF but don't change supervisory priorities or law enforcement resource allocation | Tick-box compliance without substantive change |
| 5 | Incomplete sector coverage — NRA covers banking sector but omits DNFBPs (lawyers, real estate agents, trust and company service providers) | High-risk sectors left unassessed and unsupervised |
| 6 | No PF risk assessment — Many jurisdictions have not included proliferation financing since the October 2020 R.1 amendment | Direct technical compliance gap under R.1 |
| 7 | Lack of criminal proceeds data — No reliable quantification of proceeds of crime, making threat analysis primarily qualitative | Weak threat assessment undermines the entire NRA |
Financial institutions are not passive consumers of the NRA — they have active obligations. Under the FATF risk-based approach:
Practical tip: Compliance officers should maintain a record of which version of the national NRA their institution's EWRA is based on, and schedule an EWRA review whenever a new NRA is published. Regulators increasingly ask this question during supervisory examinations.
The FATF increasingly expects the private sector to actively contribute to the NRA process — not just receive and implement its findings. Financial institutions can provide:
Key takeaway: The NRA is the foundation of the national AML/CFT architecture. A compliance officer who understands their country's NRA — and has incorporated its findings into their institution's risk programme — is operating at the level FATF expects. A compliance officer who has never read their country's NRA is working without the most important risk document available to them.
30 questions — Multiple Choice, Scenario, and True/False. Score 80% (24/30) or above to pass and receive your certificate.