10 Questions Boards Should Be Asking About Financial Crime Risk

Financial crime governance has become a board-level issue as regulators increasingly expect senior leaders to understand the risks facing their organisations, challenge management where necessary, and make informed decisions about resources, controls, accountability, and oversight.


Many boards receive AML reports, dashboards, risk assessments, training updates, and regulatory summaries throughout the year. Yet important questions about control weaknesses, ownership, escalation, resourcing, and risk concentrations may receive less attention than operational metrics such as alerts reviewed, cases closed, customers onboarded, or training delivered.


Boards do not need to become AML specialists. Their role is to ask questions that help them understand the organisation's financial crime exposure and exercise effective oversight. The quality of those questions often shapes the quality of the discussion.


The following questions can help boards, senior management, MLROs, and compliance leaders identify areas that may warrant closer attention and determine whether they have sufficient visibility over the risks they are expected to manage.


1. Which financial crime risks have increased during the last 12 months?


A board should be able to understand how the organisation’s financial crime risk profile has changed over time. New products, customer segments, jurisdictions, delivery channels, technologies and third-party relationships can all change the nature and level of exposure.


When the answer to this question feels too general, outdated or disconnected from current business activity, that may indicate that the risk assessment is no longer driving meaningful governance discussions.


2. Which AML controls create the greatest concern?


Every AML framework has areas that require closer attention. The concern may relate to manual work, inconsistent application, backlogs, system limitations, quality assurance findings, employee dependency or increasing transaction volumes.


A board does not need operational detail on every control, yet it should understand which controls management worries about most and why those concerns matter.


3. Where do we have the greatest concentration of higher-risk customers, products or jurisdictions?


Financial crime exposure is often concentrated in specific parts of the business. A small number of relationships, products, corridors, customer types or jurisdictions may create a disproportionate share of risk.


When board reporting does not clearly show where these concentrations exist, the board may receive a broad view of the AML framework without seeing where the organisation is most exposed.


4. What concerns does the MLRO believe deserve board attention?


This question often opens a more useful discussion than a standard compliance update. MLROs usually see patterns across investigations, escalations, business pressure, staff capability, customer behaviour and control performance. Their concerns may reveal issues that metrics alone cannot show.


A board that understands these concerns is better placed to assess whether management has the information, resources and support needed to manage risk effectively.


5. If a regulator reviewed us tomorrow, which area would require the most explanation?


This question helps boards move beyond comfort and into preparedness. The answer may relate to customer risk assessments, ongoing monitoring, sanctions screening, governance records, outsourcing, training, documentation, beneficial ownership, transaction monitoring or escalation decisions.


A confident answer should be supported by evidence, current workplans and a clear explanation of how management is addressing known weaknesses.


6. Which critical controls depend heavily on manual work or key individuals?


This question matters because many AML processes continue to function through the effort and judgement of experienced people. That experience has value, yet heavy dependence on individuals can create operational vulnerability when volumes increase, staff leave, workloads change or complex cases accumulate.


If the board does not know where these dependencies exist, it may have an incomplete understanding of the organisation's ability to manage financial crime risks effectively.


7. When did we last test our response to a serious financial crime scenario?


Risk assessments identify exposure. Scenario testing reveals how the organisation may respond under pressure. A serious fraud event, sanctions concern, cyber-enabled financial crime incident, high-risk customer escalation or third-party failure can test decision-making, escalation routes, communication, evidence gathering and management accountability.


Boards should understand whether the organisation has tested its response to realistic scenarios and what those exercises revealed.


8. Can our AML controls support the organisation’s growth plans?


Growth affects financial crime controls directly. More customers, more transactions, more markets, more products and more complexity can increase pressure on onboarding, monitoring, investigations, screening, reporting and governance.


A board discussion about growth should include the control environment required to support that growth safely. When AML capacity is discussed only after pressure appears, the organisation may already be operating with avoidable strain.


9. Which financial crime risks are difficult to see through our current board reporting?


Board reporting can show activity while missing friction, uncertainty, near misses, workarounds, judgement calls and emerging concerns. A dashboard may look complete while still failing to explain where management attention is most needed.


Boards should periodically ask what the current reporting pack does not show clearly enough.


10. Are we measuring AML activity, control performance or risk management?


Many reports focus on activity: alerts reviewed, cases closed, training completed, customers screened and reports submitted. These figures have value, yet they do not always explain whether controls are working as intended or whether risks are being managed well.


Boards should understand what the metrics actually say about the organisation’s financial crime risk position and where additional assurance may be needed.


Three warning signs these questions deserve immediate attention


1. Confidence without evidence

An answer that sounds confident without clear evidence behind it deserves further examination. Financial crime governance depends on documented understanding, meaningful reporting, and informed challenge. General reassurance has limited value when the board needs to understand exposure, pressure points, and priorities.


2. Inconsistent answers

If the board, senior management, compliance, operations, and business teams would answer the same question differently, the organisation may have a governance or communication gap. Different perspectives can be useful, yet conflicting understanding around ownership, risk, escalation, or control performance deserves closer attention.


3. Silence

Some of the most important AML issues are known internally long before they become regulatory findings, audit observations, or operational failures. When concerns remain unspoken, unclear, or buried inside routine reporting, boards may lose the opportunity to address them early.


Final thoughts


Strong financial crime governance begins with better questions. The purpose of these questions is not to create discomfort for management. The purpose is to help boards, senior leaders and compliance teams understand where attention is needed before issues become more difficult to manage.


During AML reviews, board workshops and in-house training, I often find that organisations already have a significant amount of information. The challenge is usually deciding what the information means, where the real exposure lies and which conversations should happen next.


That is where independent review, board training and practical AML support can help. A good discussion can reveal whether the organisation has enough visibility, whether responsibilities are clearly understood, whether controls remain appropriate and whether financial crime risk is being managed in a way that matches the business.


If your board or senior management team would struggle to answer some of these questions with confidence, that may be the right place to start.

 

 
 