Firm-wide risk assessments
A Firm-wide Risk Assessment (FWRA) is a structured review of your firm’s exposure to money laundering, terrorist financing, and proliferation financing risks. It considers factors like your services, clients, delivery channels, and geographic reach to identify where your biggest AML risks lie. The findings shape how you apply due diligence, design your policies, and train your team.
Why FWRAs matter
A strong FWRA helps you focus on the risks that matter most and ensures your AML approach is proportionate. Regulators often cite poor or missing FWRAs as a top compliance issue — so having a clear, up-to-date FWRA is critical to protecting your firm and staying compliant.
How to carry out a firm-wide risk assessment
Your FWRA should cover five core areas, as required by regulation 18 of the Money Laundering Regulations (MLR 2017):
- Your client base
- The countries you operate in or deal with
- The services you offer
- The types of transactions you carry out
- How your services are delivered
The FWRA must be documented, regularly reviewed, and made available to your supervisory body on request.
1. Understanding AML risk
To assess risk effectively, your firm needs a shared understanding of what AML risk actually means.
AML risk includes:
- The risk of being exploited to move criminal property
- The risk of failing to spot the proceeds of crime
- The risk of breaching legislation such as the Proceeds of Crime Act 2002
- The reputational and regulatory risks to your firm
You’re expected to notice when something seems off — and build processes that make it easier to detect red flags.
The 2020 UK National Risk Assessment (NRA) states that the highest risk occurs when firms don’t fully understand their risk exposure and fail to implement risk-based controls.
2. Your client base
Your FWRA should look at the types of clients you serve. This includes:
- Whether you specialise in high-risk sectors (e.g. crypto)
- Whether you deal with complex ownership structures
- Whether clients are based overseas or linked to PEPs
- Whether you deal with groups that span multiple jurisdictions
This view across your whole client base helps you tailor training, shape your onboarding process, and strengthen your controls for higher-risk relationships.
3. Geographic exposure
You need to assess the countries and regions your clients operate in — especially where they involve cross-border services, payments, or supply chains.
Consider:
- FATF-designated high-risk countries
- Jurisdictions under international sanctions
- Countries with high levels of corruption, terrorism, or organised crime
Clients linked to these regions may require enhanced due diligence (EDD) and closer monitoring.
4. Services and transactions
Look at the services you offer and the types of transactions you facilitate. Some services are considered higher risk because they may:
- Provide anonymity
- Add perceived legitimacy to criminal operations
- Obscure ownership or fund flows
The National Risk Assessment highlights these high-risk services:
- Payroll
- Trust or company services
If your firm handles client money, this must also be assessed — many firms choose not to operate client accounts at all, and it can help to document this as formal policy.
5. Delivery channels
How you deliver your services also matters. If you work remotely or through intermediaries, your ability to properly understand and verify your client may be reduced.
Your FWRA should consider:
- How you onboard clients (e.g. remotely or face-to-face)
- Whether third parties are involved in delivering services
- How digital tools or automated systems are used in AML processes
You should document your usual delivery approach and how your firm maintains effective relationships with clients.
6. Using supervisory guidance
Your FWRA must take into account guidance from your supervisory authority, which in turn is shaped by the UK government’s National Risk Assessment.
Some professional bodies also provide risk assessment templates or checklists. Using these alongside your own procedures helps ensure your FWRA reflects current regulatory expectations.
7. Keeping it documented and up to date
Your FWRA must be:
- Clearly written
- Based on a structured process
- Regularly reviewed
- Kept available for your AML team and supervisory body
Some supervisors require you to submit your FWRA annually. A thorough, well-documented assessment that clearly shows how your firm has responded to risk is far more valuable than a generalised one that simply states “low risk.”
Be prepared to update your FWRA if:
- The firm’s services, structure or clients change
- Your internal AML review reveals gaps
- New guidance or regulations are introduced
Your FWRA should be part of your broader AML compliance review — typically done annually but reviewed whenever key changes occur.
Summary
A firm-wide risk assessment is the foundation of a strong, proportionate AML programme. It helps you identify your firm’s exposure, implement better controls, and stay compliant with MLR 2017.
To get it right:
- Assess risk across your clients, services, transactions, and regions
- Use your FWRA to inform client risk assessments, training, and controls
- Keep it updated, well-documented, and aligned to your firm’s actual operations
- Make sure staff understand it and know where to access it
A clear and effective FWRA shows your supervisors — and your team — that you’re taking your AML responsibilities seriously.
This article was summarised by the Firmcheck content team. The original content was written by an independent AML expert and is available on our blog.