Money laundering has an enormous impact on society, with the UK economy estimated to lose over £100 billion annually due to these illicit activities. It distorts markets, erodes trust, and funds serious crimes—from drug trafficking to terrorism. Accountants and bookkeepers, as gatekeepers of the UK financial system, hold a vital role in detecting and preventing such crimes.
In a recent webinar, Lucy Brown explained that under Regulation 18 of the Money Laundering Regulations 2017, firms are legally required to identify, assess, and document the risks of money laundering and terrorist financing relevant to their business. Despite this, professional body supervisors repeatedly report that many firms either fail to conduct adequate risk assessments or neglect to perform them entirely.
A firm-wide risk assessment (FWRA) is not a box-ticking exercise—it’s the foundation of an effective AML compliance framework.
Purpose of a Firm-Wide Risk Assessment
The FWRA is the cornerstone of a firm’s AML strategy. Its purpose is to help firms understand where and how they are most vulnerable to the risks of money laundering and terrorist financing, allowing them to direct resources effectively and implement proportionate controls.
By identifying key risk areas, firms can:
- Prioritise their mitigation efforts in the most vulnerable business areas.
- Develop appropriate policies, controls, and procedures (PCPs) that reflect real-world risks.
- Demonstrate compliance to supervisory bodies and regulatory authorities.
- Enhance staff awareness and training, ensuring everyone understands the firm’s exposure and responsibilities.
Importantly, this is not a one-time document—it’s a living framework that evolves with the firm’s operations, client base, and external risk environment.
Core Components of a Firm-Wide Risk Assessment
There is no prescribed format for a FWRA; however, supervisory bodies expect it to contain certain essential elements that collectively provide a clear picture of the firm’s risk landscape.
1. Firm Overview
Start with a high-level description of the business:
- Legal structure (sole trader, partnership, limited company)
- Services offered
- Client profile (types of clients, sectors, and size)
- Geographic areas of operation
- Use of staff, subcontractors, or overseas partners
This context “sets the scene,” allowing reviewers to understand how and why the firm is exposed to certain risks.
2. Assessment of Six Key Risk Factors
Regulation 18 requires firms to assess specific areas of exposure:
- Client Risk – What types of clients does the firm serve? Are there high-risk sectors or politically exposed persons (PEPs)?
- Geographical Risk – Does the firm or its clients operate in jurisdictions with weak AML controls or under sanctions?
- Service Risk – Are certain services, such as tax advice, payroll, or company formation, more vulnerable to misuse?
- Transaction Risk – Do transactions involve large sums, complexity, or non-transparent ownership structures?
- Delivery Channel Risk – How are services delivered? In-person, online, through intermediaries?
- Proliferation Financing Risk – Could the firm’s services be used to finance the spread of weapons or other sanctioned activities?
Each risk should be analysed for likelihood and potential impact, often using a risk scoring matrix. While there’s no mandated calculation method, a documented rationale is essential for transparency.
3. Mitigating Actions
For each identified risk, outline the controls and safeguards implemented to manage or reduce exposure.
Examples include:
- Enhanced due diligence for high-risk clients
- Restricting services in certain jurisdictions
- Regular staff training on typologies and red flags
Although mitigating actions can appear within the FWRA, they should also be cross-referenced in the firm’s Policies, Controls, and Procedures (PCP) document, ensuring consistency across compliance documentation.
4. Reference to External Guidance and National Assessments
Firms must take into account external information sources:
- The UK National Risk Assessment (NRA) – The 2025 edition highlights updated threats such as fraud, sanctions evasion, and cybercrime, and identifies accountancy services (e.g., payroll, trust, and tax advisory) as high-risk areas.
- Supervisory Body Guidance – Regular updates, alerts, and annual reports from professional bodies (as required under Regulation 46A) highlight common weaknesses and emerging risks.
- Accountancy AML Supervisors’ Group (AASG) Risk Outlook – Provides sector-specific red flags and typologies relevant to accountancy services. The 2025 edition offers particularly current insight into emerging risks.
Referencing these documents demonstrates that your firm is aligned with national and sectoral risk perspectives.
5. Governance, Documentation, and Review
Senior management bears ultimate responsibility for approving, implementing, and maintaining the FWRA. It must:
- Be recorded in writing and kept up to date.
- Be reviewed at least annually—or more frequently if new services, clients, or risks emerge.
- Include version control, showing evidence of review and updates.
- Be signed by the author and approved by management, confirming ownership and accountability.
Good Practice and Common Pitfalls
- Don’t rely on templates alone: Customise your FWRA to reflect your firm’s unique operations and risk exposure.
- Keep it practical: The FWRA should inform day-to-day decision-making, not sit unused on a shelf.
- Integrate with training and controls: Staff awareness of the firm’s risks is critical to effective AML compliance.
- Review proactively: Regulatory inspections often find outdated or incomplete assessments—regular updates signal a culture of compliance.
A well-crafted Firm-Wide Risk Assessment is both a regulatory obligation and a strategic defence mechanism. It enables firms to identify, evaluate, and mitigate the risks that threaten not only compliance but also the integrity of the UK’s financial system.
As Lucy Brown emphasises, understanding your risks is the first step to managing them. By embedding risk awareness into the fabric of your firm, you not only protect your business from regulatory action but also uphold your professional duty to society—helping to combat financial crime and preserve trust in the profession.
FAQs
1. What is a Firm-Wide Risk Assessment (FWRA)?
A FWRA is a written document that identifies and evaluates the risks of money laundering and terrorist financing to which a firm is exposed. It serves as the foundation for a firm’s anti-money laundering (AML) strategy and compliance framework.
2. Why is a FWRA required under the Money Laundering Regulations 2017?
Regulation 18 of the Money Laundering Regulations 2017 requires all firms to take appropriate steps—relevant to their size and nature—to assess and document money laundering and terrorist financing risks. It ensures firms understand their exposure and can apply proportionate controls.
3. What is the main purpose of a FWRA?
The purpose is to help firms:
- Identify areas of greatest AML risk
- Allocate resources effectively
- Implement suitable policies, controls, and procedures
- Demonstrate compliance to regulators
- Strengthen staff awareness and training
4. Who is responsible for preparing and maintaining the FWRA?
Senior management is responsible for approving, maintaining, and ensuring the FWRA is implemented across the firm. They must also ensure it is reviewed regularly and that staff receive appropriate AML training.
5. How often should the FWRA be reviewed?
Supervisory bodies expect firms to review their FWRA at least annually. It must also be updated whenever new risks emerge—such as when launching a new service, expanding geographically, or taking on high-risk clients.
6. What should a FWRA include?
While there is no prescribed format, it should include:
- An overview of the firm (structure, services, clients, geography)
- Assessment of six risk factors:
  - Client risk
  - Geographical risk
  - Service risk
  - Transaction risk
  - Delivery channel risk
  - Proliferation financing risk
- Mitigating actions for each risk
- References to external risk sources (e.g., National Risk Assessment, supervisory body guidance, AASG Risk Outlook)
- Version control and sign-off by management
7. What are the six key AML risk factors?
- Client risk – High-risk sectors, PEPs, or complex ownerships
- Geographical risk – Exposure to high-risk or sanctioned countries
- Service risk – Services vulnerable to abuse (e.g., payroll, tax advice)
- Transaction risk – Unusual or complex transactions
- Delivery channel risk – Remote services or intermediaries
- Proliferation financing risk – The possibility of aiding sanctioned entities or weapons proliferation
8. What external information should be considered when drafting the FWRA?
Firms should take into account:
- UK National Risk Assessment (NRA) – The 2025 version highlights new threats and typologies.
- Supervisory Body Guidance and Reports – Highlight common weaknesses and areas of focus.
- AASG Risk Outlook – Identifies key risks and red flags for the accountancy sector.
9. How should risks be measured?
Firms can use a risk scoring matrix assessing both likelihood and impact of each risk. There is no standard method; the approach should be clear, consistent, and justified within the document.
10. What is the relationship between the FWRA and Policies, Controls & Procedures (PCPs)?
The FWRA identifies risks and their mitigating actions, while the PCP document explains how these mitigations are applied in practice. The two should cross-reference each other for consistency.
11. What common mistakes do firms make with their FWRAs?
- Using generic templates without customisation
- Failing to review the FWRA regularly
- Not aligning with the latest National Risk Assessment
- Lacking evidence of management approval or version control
- Omitting clear mitigating actions
12. What are the benefits of a well-maintained FWRA?
- Stronger AML compliance and regulatory defence
- Targeted resource allocation
- Improved staff awareness of risk
- Enhanced firm reputation and client trust
- Reduced exposure to financial crime
The contents of this article are meant as a guide only and are not a substitute for professional advice. The author/s accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting or refraining from acting, in connection with the matters dealt with in this article. The information at the time of publishing was accurate and could be subject to final changes.