Risk Appetite Statement
Key Takeaways
- A risk appetite statement defines how much financial-crime risk the board is willing to accept and where the institution will not do business.
- Risk appetite is set by the board; risk tolerance and limits operationalize it for each product, customer type, and geography.
- De-risking — exiting whole categories rather than managing risk — is discouraged by FATF and regulators when it harms financial inclusion.
- Breaches of appetite (e.g., onboarding a prohibited customer type) require escalation, not quiet exception-making.
Risk Appetite Statement
A risk appetite statement (RAS) is a board-approved document declaring how much financial-crime risk an institution is willing to take to pursue its strategy, and — just as important — which business it will not accept at any price. It is the bridge between high-level strategy and the day-to-day limits that the first line operates within.
Appetite, tolerance, and limits
These three terms are tested as a hierarchy, and candidates routinely confuse them.
| Term | Meaning | Example |
|---|---|---|
| Risk appetite | The total amount and type of risk the board chooses to accept | "We accept moderate AML risk in retail banking." |
| Risk tolerance | The acceptable variation around appetite for a specific area | "No more than 5% of new accounts may be high-risk per quarter." |
| Risk limit / threshold | The hard operational ceiling that triggers action | "Block any cash deposit structuring pattern over a set value." |
Appetite is strategic and qualitative; tolerance and limits make it measurable and enforceable. A RAS that says only "we have a low appetite for AML risk" without limits is non-operational — examiners view it as window dressing.
Prohibited business and exclusions
A strong RAS names categories the institution refuses outright: for example, customers in sanctioned jurisdictions, shell banks (prohibited as correspondents under the USA PATRIOT Act Section 313), anonymous "payable-through" arrangements, or unlicensed money-services businesses. When a CAMS scenario describes onboarding a customer that falls in a stated exclusion, the appetite is breached, and the correct response is escalation and decline — not an undocumented exception.
De-risking versus risk management
The Financial Action Task Force (FATF) warns against de-risking: wholesale exit from entire customer segments (e.g., all money-services businesses, all charities, or all correspondents in a region) to avoid the cost of managing them. De-risking can push activity into less-transparent channels and harm financial inclusion. The exam-preferred answer favors risk-based management — enhanced due diligence, tighter monitoring, controlled limits — over blanket exit, unless the residual risk genuinely exceeds appetite.
Scenario workflow
When an item gives a RAS and a proposed relationship, ask:
- Does the customer fall in a stated prohibition or exclusion? If yes, decline and document.
- Does it sit within tolerance but at the high end? If so, apply enhanced controls and monitor against limits.
- Is the proposed action a blanket de-risking exit where managed risk would suffice? Prefer management.
- Was any breach of appetite escalated to the board or its committee?
The best answer keeps the institution inside its stated appetite, escalates breaches rather than hiding them, and avoids both reckless growth and reflexive de-risking. A common distractor lets a senior business leader "override" the RAS for a profitable client; overrides must go through governance, not personal authority.
Worked example
A commercial bank's RAS prohibits relationships with unlicensed money-services businesses (MSBs) and caps high-risk clients at 8% of the portfolio. A regional manager wants to onboard a remittance business that has applied for — but not yet received — a state license, arguing the revenue is significant. Walk the analysis: the customer falls in a stated prohibition (unlicensed MSB), so the appetite is breached. The correct response is to decline until the license is granted and document the decision; if the bank still wants the relationship, the exception must be escalated to the AML committee, not approved by the manager alone.
Onboarding now would also push the portfolio toward the 8% tolerance cap, which is a second control signal on its own.
Connecting appetite to the program
The RAS is not a standalone document — it must flow down into the enterprise risk assessment, the customer-risk-rating model, and product-approval gates.
| RAS element | How it operationalizes |
|---|---|
| Prohibited customers | Hard-coded as decline rules in onboarding screening |
| Geographic limits | Mapped to high-risk jurisdiction lists and EDD triggers |
| Tolerance percentages | Tracked as key risk indicators reported to the committee |
| Product appetite | Enforced through new-product-approval risk reviews |
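The decline rules and tolerance tracking in the table above, applied to the worked example (unlicensed-MSB prohibition, 8% high-risk cap, committee-only exceptions), as an added illustration that is not part of the original page; the category names, the EXCEPTION_AUTHORITY roles and the portfolio figures are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical RAS encoded as data. The prohibitions and the 8% cap follow
# the page's worked example; the category labels are constructed.
PROHIBITED = {"unlicensed_msb", "shell_bank", "sanctioned_jurisdiction"}
RESTRICTED = {"licensed_msb", "casino", "pep", "vasp"}   # allowed with EDD
HIGH_RISK_CAP = 0.08                # tolerance: high-risk clients <= 8% of book
EXCEPTION_AUTHORITY = {"aml_committee", "board"}  # assumed governance bodies

@dataclass
class Decision:
    outcome: str                    # decline | approve_with_edd | approve
    escalate: bool = False          # True = appetite breached, go to governance
    reasons: list = field(default_factory=list)

def evaluate_onboarding(categories, portfolio_size, high_risk_count):
    """Walk the scenario workflow for one proposed relationship."""
    cats = set(categories)
    d = Decision("approve")
    hit = cats & PROHIBITED
    if hit:
        # Stated prohibition: hard decline and escalation, never a quiet exception.
        d.outcome, d.escalate = "decline", True
        d.reasons.append(f"prohibited category: {sorted(hit)}")
        return d
    if cats & RESTRICTED:
        d.outcome = "approve_with_edd"
        d.reasons.append("restricted category: EDD and monitoring against limits")
        # Tolerance KRI: would this client push the high-risk share past the cap?
        projected = (high_risk_count + 1) / portfolio_size
        if projected > HIGH_RISK_CAP:
            d.outcome, d.escalate = "decline", True
            d.reasons.append(f"high-risk share {projected:.1%} exceeds {HIGH_RISK_CAP:.0%}")
    return d

def request_exception(decision, approver_role, rationale):
    """An exception to a breach is valid only via documented governance."""
    if not decision.escalate:
        return False                # nothing to except; decision stands
    if approver_role not in EXCEPTION_AUTHORITY or not rationale:
        return False                # a business-line override is not authority
    decision.reasons.append(f"exception granted by {approver_role}: {rationale}")
    return True

if __name__ == "__main__":
    d = evaluate_onboarding(["unlicensed_msb"], portfolio_size=1000, high_risk_count=70)
    print(d, request_exception(d, "regional_manager", "significant revenue"))
```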
Regulators expect the board to review and re-approve the RAS at least annually and after material strategy shifts. A RAS that is written once and never revisited — or one that the front line has never seen — is a governance weakness. Equally, an institution whose actual book of business drifts well outside its stated appetite without escalation has a monitoring failure: the limits exist but nothing enforces them. The exam consistently rewards answers that keep stated appetite, operational limits, and actual practice aligned, with breaches escalated through documented governance rather than quietly absorbed.
Common appetite categories tested
A mature RAS typically draws bright lines around several recurring categories. Expect scenarios built on each:
- Sanctioned jurisdictions and persons — zero appetite; any nexus triggers immediate escalation and likely decline.
- Shell banks — prohibited as correspondents (USA PATRIOT Act Section 313); not a high-risk item to manage but a flat no.
- Cash-intensive businesses (casinos, MSBs, cannabis where applicable) — limited appetite with mandatory EDD and caps.
- Virtual-asset service providers — increasingly addressed explicitly given the 6th-edition emphasis; many institutions set tight conditions or exclusions.
- High-net-worth and PEP relationships — accepted within limits, always with senior approval and source-of-wealth documentation.
The distinction between prohibited (never, regardless of profit) and restricted/high-risk (allowed with enhanced controls and within limits) is the single most testable idea here. When a scenario tempts you to "manage" a shell-bank or sanctioned relationship, recognize it as prohibited and decline; when it presents a cash-intensive but lawful business, the answer is enhanced management within tolerance, not reflexive exit. Keeping that line clear — and routing every exception through the board or AML committee rather than an individual executive — is the behavior the RAS exists to enforce and the behavior the exam rewards.
How does risk appetite differ from a risk limit in a financial-crime program?
A bank exits its entire money-services-business customer segment to avoid AML monitoring costs. How does FATF characterize this?