Writing Your BWRA: A Business-Wide Risk Assessment Template for Crypto

August 14, 2026 · 8 min read

Part 1 of our "CASP Compliance Toolkit" series — the practical documents and processes a crypto business actually has to produce. Everything in an AML programme is justified by reference to one document, and most firms write it last and worst: the business-wide risk assessment.

The BWRA is the foundation an examiner reads first, because every other control is supposed to be calibrated to it. If your enhanced due diligence triggers, your monitoring thresholds, and your customer risk scoring don't trace back to a documented assessment of your risks, they look arbitrary — and arbitrary controls fail an inspection even when they happen to work. Here is what a defensible crypto BWRA contains and how to keep it from being a one-time PDF.

  • Foundation: what it is. Every control calibrates to it.
  • 4 risk dimensions: customer, product, geography, channel.
  • Living, not a one-off: reviewed on change, not annually filed.
  • Evidenced, the standard: conclusions backed by data.

The Four Risk Dimensions

A crypto BWRA assesses inherent risk across four standard categories, then documents the controls that reduce each to a residual level:

  • Customer risk — who your customers are: retail vs institutional, PEPs, high-net-worth, the mix of jurisdictions, the proportion using unhosted wallets. A CASP serving anonymous retail across many jurisdictions carries different inherent risk than one onboarding KYC'd institutions.
  • Product & service risk — what you offer: custody, exchange, transfers, staking, privacy-coin support, fiat on/off-ramps, DeFi access. Each product has its own laundering and sanctions exposure, and offering privacy assets or instant withdrawals raises it.
  • Geographic risk — where your customers and counterparties are: exposure to high-risk and sanctioned jurisdictions, FATF grey/black-list countries, and the on-chain reality that funds arrive from everywhere regardless of where the customer says they are.
  • Channel / delivery risk — how customers reach you: fully remote onboarding, third-party introducers, API access, and whether identity is verified directly or relied upon from another party.

The Crypto-Specific Layer

A generic financial-services BWRA misses the dimension that defines crypto risk: on-chain exposure. A defensible crypto BWRA quantifies the actual inbound and outbound exposure of the business — what proportion of flows touch mixers, sanctioned clusters, high-risk exchanges, or darknet infrastructure — rather than asserting risk in the abstract. This is the difference between "we consider mixer exposure a high risk" and "X% of our inbound volume last quarter was within two hops of a mixer; here is the trend and the control response."

An evidenced BWRA beats an eloquent one

The most common BWRA failing is that it's a well-written essay with no data underneath. Examiners increasingly expect the risk ratings to be evidenced — customer-base statistics, product-volume breakdowns, and especially on-chain exposure metrics drawn from your actual flows. A BWRA that quantifies real mixer, sanctions, and high-risk-counterparty exposure and shows how the control framework responds to it is defensible. One that rates everything "medium" with a paragraph of justification is not.
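As an added illustration of the exposure metric the two sections above describe (this is example code written for this page, not code from the article or from BA), a hop-limited search back through a constructed transfer graph reports the share of inbound volume per period that sits within N hops of a labelled mixer, sanctioned or high-risk-exchange address. The addresses, labels, amounts and the hop semantics are assumptions.

```python
from collections import defaultdict, deque
# Constructed sample: labelled risky clusters and a tiny transfer graph (placeholder addresses).
LABELS = {"mix1": "mixer", "ofac1": "sanctioned", "hre1": "high_risk_exchange"}
OUR_ADDRESSES = {"ours_dep1", "ours_dep2"}  # the CASP's own deposit addresses
# Rows are (sender, receiver, amount, period); a hop is one transfer on the path to our address.
TRANSFERS = [
    ("mix1", "a1", 5.0, "2026Q1"), ("a1", "ours_dep1", 5.0, "2026Q1"),    # mixer, 2 hops
    ("ofac1", "b1", 3.0, "2026Q1"), ("b1", "ours_dep2", 3.0, "2026Q1"),   # sanctioned, 2 hops
    ("c1", "ours_dep1", 12.0, "2026Q1"),                                  # no labelled upstream
    ("hre1", "d1", 2.0, "2026Q2"), ("d1", "d2", 2.0, "2026Q2"), ("d2", "ours_dep2", 2.0, "2026Q2"),  # high-risk exchange, 3 hops
    ("mix1", "ours_dep1", 1.0, "2026Q2"),                                 # mixer, 1 hop (direct)
    ("e1", "ours_dep2", 9.0, "2026Q2"),                                   # no labelled upstream
]

def build_predecessors(transfers):
    preds = defaultdict(set)           # receiver -> set of addresses that sent to it
    for sender, receiver, _, _ in transfers:
        preds[receiver].add(sender)
    return preds

def upstream_labels(addr, preds, max_depth):
    """Risk labels reachable by walking backwards at most max_depth transfers (addr is depth 0)."""
    found, seen, queue = set(), {addr}, deque([(addr, 0)])
    while queue:                       # breadth-first, so each address is met at its shortest depth
        node, depth = queue.popleft()
        if node in LABELS:
            found.add(LABELS[node])
        if depth < max_depth:
            for p in preds.get(node, ()):
                if p not in seen:
                    seen.add(p)
                    queue.append((p, depth + 1))
    return found

def inbound_exposure(transfers, max_hops=2):
    """Per period: share of external inbound volume within max_hops of each risk label.
    Simplification (assumption): no timing or value dilution; any label in the window taints the whole deposit."""
    preds = build_predecessors(transfers)
    total = defaultdict(float)
    exposed = defaultdict(lambda: defaultdict(float))
    for sender, receiver, amount, period in transfers:
        if receiver not in OUR_ADDRESSES or sender in OUR_ADDRESSES:
            continue                   # only deposits from external addresses count as inbound
        total[period] += amount
        # The deposit itself is hop 1, so the sender's upstream is searched for max_hops - 1 more.
        for label in upstream_labels(sender, preds, max_hops - 1):
            exposed[period][label] += amount
    return {p: {"total_inbound": total[p], **{lab: round(v / total[p], 4) for lab, v in exposed[p].items()}}
            for p in sorted(total)}
```

Run across consecutive periods, the per-period shares are the trend line the assessment can cite; widening `max_hops` shows how sensitive the rating is to the chosen window.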

Keeping It Alive

A BWRA is not an annual filing; it is a living document that should be revisited when the business changes — a new product, a new market, a new customer segment, a material shift in on-chain exposure, or a regulatory change. The version history itself is evidence: it shows an examiner that risk is actively managed, not assessed once and shelved.

How BA helps. The on-chain exposure layer of a BWRA — the proportion of flows touching mixers, sanctioned clusters, and high-risk counterparties — is exactly what BA's screening and analytics quantify across 80+ chains. Instead of asserting your exposure, you can measure it, trend it, and cite the numbers in the assessment. For the AML programme the BWRA underpins, see Building Your AML/KYC Programme.

Next in the series: SAR Filing for Crypto, the document at the other end of the programme — what FIUs expect, and the mistakes that get a report sent back.
