Firm-wide Risk Assessment
Assess your firm’s overall vulnerability to money laundering, terrorist financing or other financial crimes, considering your client base, the services you offer, the jurisdictions involved and the way you deliver your services.
AML Essentials Kit Breakdown:
A firm-wide risk assessment is a formal evaluation of your practice’s vulnerability to being used for money laundering, terrorist financing or proliferation financing. It examines your entire business operation, including the clients you serve, the work you do, where those clients are based and how you deliver your services.
The assessment identifies where your highest risks are and helps you decide how to allocate your compliance resources. It also informs the policies you put in place, the training you provide to your team and the level of due diligence you apply to individual clients.
What the assessment covers
Regulation 18 of the Money Laundering Regulations 2017 requires you to assess and document the risks your firm faces across five specific areas. These are:
- The types of clients you work with
- The jurisdictions where your clients are based or operate
- The services you provide
- The nature of the transactions your clients engage in
- The way you deliver your services
Your assessment must be written down, kept up to date and made available to your supervisory body when requested. A firm-wide risk assessment is not a theoretical exercise. It should reflect the reality of your practice and provide a clear picture of where your vulnerabilities lie.
Building your assessment
What money laundering risk means in practice
Before you can assess risk properly, you and your team need a shared understanding of what you are assessing. Money laundering risk is not just the risk that a client is a criminal. It includes:
- The possibility that your firm could be used, knowingly or otherwise, to move the proceeds of crime
- The risk that you fail to recognise suspicious activity when it occurs
- The legal and regulatory consequences of breaching your obligations under the Proceeds of Crime Act 2002 and related legislation
- The reputational damage and operational disruption that follow a compliance failure
According to the 2020 UK National Risk Assessment, the greatest risk arises when firms do not understand their own exposure and fail to put controls in place that match the risks they face. Your firm-wide assessment is the tool that helps you avoid this.
Evaluating your client base
You should begin by looking at the types of clients your firm serves and the characteristics that define your client base. This is different from assessing individual clients. You are looking for patterns and concentrations of risk.
Consider whether your firm:
- Works predominantly with clients in sectors that are considered higher risk, such as cryptocurrency, property development or cash-intensive businesses
- Acts for clients with multi-layered ownership structures or those involving offshore entities
- Has clients who are politically exposed persons or who have close connections to such individuals
- Deals with groups or structures that operate across multiple countries
Understanding the composition of your client base allows you to design your onboarding process, tailor your training and identify where you may need to strengthen your controls.
Assessing geographical risk
You must evaluate the countries and regions your clients are connected to, either through their own location, the location of their operations or the jurisdictions they transact with. Geography matters because some regions present a higher inherent risk of corruption, organised crime, weak regulatory oversight or terrorist activity.
Your assessment should identify whether your clients have links to:
- Countries identified by the Financial Action Task Force as high risk or subject to increased monitoring
- Jurisdictions under sanctions or international restrictions
- Regions with elevated levels of financial crime, political instability or weak enforcement of anti-money laundering laws
Where clients have connections to these areas, you may need to apply enhanced due diligence and conduct more frequent monitoring.
Understanding the services you provide
Not all services carry the same level of risk. Some are more attractive to those seeking to launder money because they can help create legitimacy, obscure ownership or facilitate the movement of funds in ways that are harder to trace.
The UK National Risk Assessment identifies certain accountancy services as presenting heightened risk, including:
- Payroll services
- Acting as a trust or company service provider
- Forming or winding up companies
- Providing nominee services, registered office addresses or similar arrangements
If your firm offers these services, your assessment should acknowledge the risk they present and explain what controls you have put in place to mitigate that risk.
Client money and bank accounts
If your firm operates client bank accounts, this must form part of your firm-wide assessment. Handling client funds increases your exposure and requires robust controls and oversight. Many firms choose not to operate client accounts at all, and if that is your approach, it is worth documenting this as a formal policy decision in your risk assessment.
Reviewing transactional risk
The nature of the transactions your clients engage in can also indicate risk. Transactions that involve anonymity, complexity or opacity are more likely to be used for illicit purposes. Your assessment should consider whether your clients typically:
- Make payments through circuitous or unexplained routes
- Engage in high-value transactions that do not appear consistent with their stated business model
- Deal in goods or assets that are commonly associated with money laundering, such as precious metals, fine art or luxury goods
You do not need to assess every transaction individually at this stage, but you should understand the general transactional patterns across your client base and identify any areas of concentration or concern.
Evaluating how services are delivered
The way you interact with clients affects your ability to verify their identity, understand their business and detect unusual activity. Your firm-wide assessment should consider:
- How much of your work is carried out remotely rather than face-to-face
- Whether you rely on third parties or intermediaries to introduce clients or deliver services
- The extent to which you use digital tools or automated systems as part of your identity verification or ongoing monitoring processes
Remote working is now common and does not automatically mean higher risk. However, it can reduce the opportunities you have to build familiarity with a client and verify information directly. Where your delivery model limits your visibility, this should be recognised and addressed in your controls.
Using available guidance and templates
Your firm-wide risk assessment must consider guidance issued by your supervisory authority. That guidance is itself informed by the UK government’s National Risk Assessment, which evaluates money laundering risk at a national level.
Many professional bodies and supervisors provide templates, checklists or worked examples to help you structure your assessment. Using these resources can ensure that your approach is consistent with regulatory expectations and that you are considering all relevant factors.
You should not simply adopt a generic template without tailoring it to your own practice. Your assessment must reflect the specific nature of your firm, the clients you act for and the services you provide.
Maintaining and updating your approach
Documentation and accessibility
Your firm-wide risk assessment must be written down in a clear and structured way. It should be accessible to your AML compliance team and available for review by your supervisory body. Some supervisors require you to submit your assessment annually as part of your regulatory return.
A strong assessment does more than state conclusions. It explains how you reached those conclusions, what evidence you considered and what actions you have taken in response to the risks you identified. An assessment that simply describes everything as low risk without explanation is unlikely to satisfy a regulator and does not provide useful guidance to your team.
When to review and update
Your firm-wide risk assessment is not a static document. It should be reviewed regularly and updated whenever there are material changes to your practice. This includes situations where:
- You begin offering new services or stop providing existing ones
- The profile of your client base changes significantly
- You expand into new geographical markets or jurisdictions
- Your supervisory body issues new guidance or the government updates the National Risk Assessment
- Your own internal AML reviews or audits reveal gaps or weaknesses in your controls
Most firms review their assessment annually as part of their broader compliance cycle. However, you should also be prepared to update it between scheduled reviews if circumstances change.
Integration with your wider AML programme
Your firm-wide risk assessment is the foundation for everything else you do in relation to anti-money laundering compliance. It informs:
- The level of due diligence you apply to individual clients
- The content and focus of your staff training
- The design of your policies and procedures
- The way you allocate resources within your compliance function
Your team should understand what the assessment says and know where to find it. It should not sit on a shelf gathering dust. It should be a working document that actively shapes how your firm operates.
Frequently Asked Questions
What is a firm-wide risk assessment and why does it matter to me?
A firm-wide risk assessment is an evaluation we carry out of our entire practice to understand where we might be vulnerable to being used for money laundering or financial crime. It looks at the types of clients we work with, the services we provide, and where our clients are based. This assessment shapes how we interact with you. It determines what questions we ask, what checks we carry out, and how we monitor our relationship with you. It ensures we are applying our resources in the right places and managing risk appropriately.
I only need basic bookkeeping. Why are you asking me so many questions?
Even straightforward services like bookkeeping can be misused to create misleading financial records or disguise the movement of illicit funds. Our firm-wide risk assessment identifies which services present a higher risk, and bookkeeping is one of them. This does not mean we suspect you of anything. It means we need to understand your business properly so we can identify whether the transactions we are recording make commercial sense and are consistent with what you have told us about your activities.
Does your risk assessment ever change, and will that affect me?
Yes. We review our firm-wide risk assessment regularly and update it whenever there are material changes to our practice or when new regulatory guidance is issued. If our assessment changes, it may affect how we work with you. For example, if we identify that a particular service or sector has become higher risk, we may need to ask you for additional information or apply more frequent monitoring. We will always explain why we are making changes and what it means for you.
Can I see your firm-wide risk assessment?
The firm-wide risk assessment is an internal document that we prepare for regulatory purposes. It is not something we routinely share with clients. However, if you have questions about how we assess risk or why we are applying certain measures to your relationship, we are happy to explain our reasoning. The assessment informs how we work with you, but it does not contain any personal information about individual clients. Its purpose is to help us understand and manage risk across our entire practice.