Client Risk Assessment for AML Compliance with FigsFlow
Ready to Simplify Risk Reviews?

Client Risk Assessment

Evaluate the potential money laundering or terrorist financing risks posed by each client based on their background, transaction history, and geographical location to determine required due diligence.

AML Essentials Kit Breakdown:
Try FigsFlow Now

Every client your firm accepts must be assessed for the risk they may pose in relation to money laundering, terrorist financing or other financial crime. This is a legal requirement under UK Money Laundering Regulations and forms the basis for determining what level of due diligence you need to apply.

Risk assessment is not a one size fits all exercise. Each client must be evaluated individually, considering their specific circumstances, the nature of your relationship with them and the services you are providing.

The purpose of risk assessment

A properly conducted risk assessment allows you to direct your compliance resources where they are most needed. It helps you identify clients who require more intensive scrutiny and those who can be subject to standard checks. This protects your firm from being exploited by criminals and reduces the likelihood of regulatory breaches or enforcement action.

A clear and structured approach to risk assessment also makes compliance more manageable for your team and ensures consistency across your client base.

Factors that determine client risk

The Money Laundering Regulations 2017 set out the categories of risk you must consider when assessing a client. These are organised into four broad areas: the client themselves, the transactions they engage in, the services you are providing and the geographical factors relevant to their business or location.

  1. Risk factors relating to the client
    You must consider whether the client:
  • Operates in circumstances that are unusual or difficult to explain
  • Is resident in or connected to a jurisdiction identified as high risk
  • Uses corporate structures designed to hold personal assets or involves nominee shareholders or directors
  • Runs a business that handles large amounts of cash
  • Has a complex ownership structure that makes it difficult to identify who ultimately controls or benefits from the entity
  • Is seeking citizenship or residency rights in return for capital transfers or investment

The presence of one or more of these factors does not automatically mean the client is high risk. However, it does require you to consider the matter carefully and document your reasoning if you conclude that the risk remains low or standard.

  1. Risk factors relating to transactions
    When evaluating transactional risk, you should assess whether:
  • The transactions involve arrangements that favour anonymity or the use of third parties without clear justification
  • Payment flows are structured in ways that appear unusual or unnecessarily complex
  • There is little or no face-to-face interaction during the relationship
  • The nature of the goods or services involved are inherently high risk, such as dealings in precious metals, gemstones, cultural property or arms
  • Understanding how funds move through the client’s business, and whether that movement aligns with their stated commercial activity, is central to identifying potential money laundering risk.

 

  1. Risk factors relating to services and delivery
    You must also consider the nature of the services you are providing and how those services are delivered. Questions to ask include:
  • Does the service involve little or no direct contact with the client?
  • Is the service one your firm does not routinely provide or have significant experience in?
  • Does it involve forming companies, providing registered office addresses, or acting as a nominee director or shareholder?
  • Could the service allow the client to conceal their identity or the true ownership of assets?

Remote relationships are not necessarily high risk, but they can make it harder for you to verify information and understand the client properly. That limitation should be reflected in your risk assessment.

  1. Risk factors relating to geography
    Geographical risk arises where a client or their business activities are connected to jurisdictions that present a higher risk of financial crime. You should consider whether:
  • The client is based in or conducts business with countries that have high levels of corruption, organised crime or terrorism
  • The jurisdiction appears on the Financial Action Task Force list of high-risk countries or countries under increased monitoring
  • The client or their business interests are subject to international sanctions or embargoes

Geographical risk does not mean you cannot work with clients in certain locations, but it does require you to apply greater scrutiny and potentially enhanced due diligence.

  1. Services that carry heightened risk

Certain accountancy services are more frequently targeted by those seeking to launder money or obscure the origin of funds. Your firm should be particularly alert when providing:

  • Company formation or dissolution services
  • Bookkeeping that could be used to create misleading financial records
  • Payroll administration
  • Trust or company service provider functions
  • Registered office addresses, nominee directorships or nominee shareholdings

These services can lend legitimacy to otherwise questionable structures or activities. Criminals may specifically target accountants and professional advisers because of the credibility and respectability your involvement brings.

Additional Risk Considerations:

a) Client bank accounts
If your firm operates client bank accounts, you must ensure these are only used in connection with services you are genuinely providing. Regular or unexplained use of client accounts for payments, transfers or payroll functions increases your exposure to money laundering risk and must be carefully justified, monitored and documented.

b) Ownership structures and beneficial ownership
Clients with layered, complex or opaque ownership arrangements present an elevated risk. If you cannot readily identify who ultimately owns or controls the client, or if the structure appears unnecessarily complicated given the nature of the business, this should influence your risk assessment.

Similarly, if the commercial rationale for a particular structure is unclear or unconvincing, you should treat this as a warning sign.

c) Client behaviour and cooperation
The way a client responds to your requests for information can itself be a risk indicator. If a client is slow to provide documents, evasive in their explanations or resistant to your due diligence enquiries, this should raise concern. While some delay may be innocent, persistent avoidance or reluctance to engage may suggest an attempt to conceal relevant facts.

You should also be alert to clients who offer unsolicited explanations for their circumstances or who provide information that seems rehearsed or inconsistent.

d) Changes over time
Risk is not static. A client who initially presents as low risk may move into a higher risk category as their circumstances change. This could be due to changes in ownership, expansion into new markets, involvement in different types of transactions or shifts in the regulatory environment.

You are required to keep your risk assessments under review and update them when relevant changes occur.

Recording your assessment

Your risk assessment must be documented. This means recording not only your conclusion about the level of risk but also the reasoning that led you to that conclusion.

If you decide that a client presenting one or more risk factors should nonetheless be treated as standard or low risk, you must explain why. Similarly, if you apply enhanced due diligence, your file should clearly show what factors led to that decision.

Documentation serves two purposes. It demonstrates to regulators that you have complied with your obligations, and it ensures that your team has a clear and consistent record to refer to as the relationship progresses.

Where possible, use templates or structured assessment tools to ensure that all relevant risk factors are considered and that nothing is overlooked. Your team should be trained to understand how these tools work and how to apply them consistently.

Frequently Asked Questions

Why do you need to assess me for risk? I am not a criminal?

We are legally required to assess every client for the risk they may pose in relation to money laundering or terrorist financing. This is not a reflection on your character or integrity. It is a regulatory obligation that applies to all clients without exception. The assessment helps us understand your circumstances and determine what level of checks we need to carry out. Most clients are assessed as standard or low risk, and the process simply ensures we are complying with our legal duties.

What makes a client high risk?

Several factors can result in a higher risk assessment. These include operating a cash intensive business, having a complex or unclear ownership structure, being connected to high-risk jurisdictions, using corporate structures that appear designed to hold personal assets, or engaging in transactions that lack a clear commercial rationale. The presence of one or more of these factors does not mean you have done anything wrong, but it does require us to conduct more thorough due diligence.

I run a cash business. Does that automatically make me high risk?

Not automatically, but cash businesses do present a higher risk of money laundering because cash transactions are harder to trace and verify. If your business legitimately handles large amounts of cash, such as a retail operation or hospitality venue, we will need to understand how you manage and account for that cash. We may ask for additional documentation and conduct more frequent monitoring. The key is whether your cash handling is consistent with the nature of your business and properly documented.

What happens if I am assessed as low risk?

If you are assessed as low risk, we can apply simplified due diligence measures. This means the onboarding process may be quicker and involve fewer checks. However, we must still verify your identity, screen you against sanctions lists, and maintain ongoing monitoring of the relationship. Low risk does not mean no checks. It simply means we can take a proportionate approach based on the level of risk you present.

What does it mean if you apply enhanced due diligence to me?

Enhanced due diligence means we need to carry out more detailed checks and gather additional information before we can proceed. This typically involves obtaining senior management approval, gathering more information about the source of your wealth and the source of funds involved in the relationship, and conducting more frequent monitoring going forward. It does not mean you are suspected of wrongdoing. It simply reflects the fact that certain circumstances or risk factors require us to apply a higher level of scrutiny to comply with our legal obligations.

Does being assessed as higher risk mean you will not work with me?

Not necessarily. A higher risk assessment means we need to apply more detailed checks and gather additional information before we can proceed. It does not automatically disqualify you from becoming a client. However, it does mean we will need to understand your circumstances more thoroughly and obtain approval from Senior management or MLRO before accepting the engagement. If we cannot satisfy ourselves that the relationship is legitimate and that we can manage the risk appropriately, we may need to decline.

AML Essentials Kit Breakdown:

Don’t forget to share this post!

Unlock the Future of AML Compliance
Sign Up
Book a Demo
figsflow demo & trial
Log In
Book a Demo
Start 30-day free trial