Recent updates to U.S. regulatory materials, including revisions to the BSA/AML examination framework, have reduced or removed references to reputational risk.
For many institutions, that terminology has historically played a central role in how adverse media and politically exposed person (PEP) risks were evaluated and documented.
Its removal creates a practical challenge. Decisions that were previously supported using a broadly understood category now need to be explained using more specific risk-based reasoning, particularly when those decisions are reviewed under examination or investigation.
How should those decisions now be justified?
The expectation to assess risk has not changed. The expectation to explain that assessment clearly has increased.
The underlying exposure has not changed. What has changed is how institutions need to articulate and support their reasoning.
The Shift: From Label to Defined Risk
Reputational risk often functioned as a broad category that grouped together:
- Adverse media reporting
- PEP exposure
- Other indicators of potential misconduct
Without that label, institutions need to rely on specific, identifiable risk factors.
This means:
- Identifying what the adverse media indicates
- Linking that information to defined risk categories such as AML, sanctions, fraud, or corruption
- Explaining why those factors support a particular decision
The focus shifts from labeling risk to clearly explaining how it was evaluated.
Where Institutions Are Struggling
In practice, the challenge is not the decision itself, but how it is documented and explained.
Common challenges include:
Adverse media without clear risk linkage
Adverse media is identified, but documentation does not clearly explain how the information relates to a defined risk category or regulatory obligation.
PEP classifications without supporting rationale
Customers are identified as PEPs, but documentation does not explain:
- The nature of the exposure
- The jurisdictional risk
- Why enhanced due diligence is required
In both cases, the underlying issue is the same: decisions are recorded, but the reasoning behind them is not clearly documented, making it difficult to demonstrate consistency under examination.
What Examiners Expect to See
Examiners do not focus on terminology. They focus on how decisions are made and supported.
They expect to see:
- How the risk was identified
- How it was evaluated
- How the decision aligns with internal policies and regulatory expectations
For compliance teams, this means documentation needs to explain not just what was identified, but how it was assessed and why it led to a specific outcome.
Adverse Media: What Good Documentation Looks Like
A well-documented adverse media assessment should clearly show:
- What the issue is
What specific conduct or allegation is described? - Source credibility
Is the information reliable, corroborated, or unverified? - Risk linkage
How does the information relate to defined risks such as money laundering, sanctions exposure, or corruption? - Customer connection
What is the relationship between the customer and the reported issue? - Decision rationale
Why does this information support onboarding, escalation, or exit?
The goal is not more documentation. It is clear documentation.
PEP Reviews: What Needs to Be Documented
For PEPs, expectations are more clearly defined across regulatory frameworks.
Documentation should show:
- PEP classification
Domestic, foreign, or international organization - Position and influence
Role, authority, and access to public funds or decision-making - Jurisdictional risk
Corruption risk and governance environment - Source of wealth and funds
How wealth was accumulated and how funds are derived - Monitoring approach
How frequently the relationship will be reviewed and why
These elements remain relevant regardless of changes in regulatory terminology.
What This Means for Your Team
The expectation to assess risk has not changed. The expectation to explain that assessment clearly has increased.
This means:
- Relying less on broad labels
- Documenting specific risk factors
- Showing how those factors connect to regulatory obligations
- Ensuring that decisions can be clearly understood and explained later
This is especially important for institutions operating across jurisdictions where different regulators and examiners may review the same decision.
Moving Forward
Institutions that are adapting effectively are not replacing one label with another.
They are improving how decisions are documented and explained.
These are the types of documentation questions institutions are working through right now. The practical answers depend on the regulatory frameworks in play, the jurisdictions involved, and the decisions being reviewed.
