AML Risk Assessment: Is Your Firm's Picture of Its Money Laundering Risk Accurate — or Just Assumed?

Every FCA-regulated firm and payment service provider subject to the Money Laundering Regulations 2017 must have a Business-Wide Risk Assessment. Not a summary. Not a policy statement. A documented, evidenced, and regularly reviewed assessment of the specific money laundering and terrorist financing risks your firm faces — and what it is doing about them.

The Business-Wide Risk Assessment is the cornerstone of your entire AML framework. It informs your policies and procedures, shapes your customer risk appetite, and tells your regulator whether you genuinely understand the financial crime risks inherent in your business model. When built properly, it is one of the most powerful demonstrations of AML competence. When built poorly — vague, generic, or disconnected from actual business activity — it is one of the first things a skilled person examiner will use to evidence a systemic failure of your financial crime controls.

In this episode, we examine what a genuinely robust Business-Wide AML Risk Assessment looks like, what the MLRs 2017 require it to contain, and why so many firms are carrying significantly more regulatory risk in this area than they realise.

Whether you are an MLRO, a compliance officer, or a senior manager with AML accountability under SMCR, this episode gives you the practical framework to assess whether your Business-Wide Risk Assessment is fit for regulatory scrutiny.

We cover:

— The regulatory requirement: Regulation 18 of the MLRs 2017, what it mandates, and how the FCA assesses compliance during supervisory visits and thematic reviews

— The factors your assessment must address: customer risk, product and service risk, geographic risk, delivery channel risk, and transaction risk — and why treating these in isolation produces an incomplete picture

— Using the National Risk Assessment: how the UK NRA should inform your firm-specific analysis and why simply referencing it is not sufficient

— Evidencing your assessment: what documentation regulators expect, how to demonstrate that risk ratings are based on analysis rather than assumption, and why generic assessments are immediately identifiable

— Connecting assessment to controls: how your Business-Wide Risk Assessment should drive your policies, procedures, customer risk appetite, and monitoring arrangements

— Review obligations: how frequently your assessment must be reviewed, what triggers an out-of-cycle update, and how to evidence it reflects your current business model

— MLRO ownership under SMCR: how personal accountability attaches to the Business-Wide Risk Assessment and what adequate discharge of that responsibility looks like

— Common failures: recurring weaknesses identified by the FCA, FATF, and OPBAS that your assessment should be specifically designed to avoid

This episode is essential listening if your firm:

— Has a Business-Wide Risk Assessment not substantively reviewed since the MLRs 2017 came into force or since your business model materially changed

— Has an assessment that describes risks generically rather than evidencing firm-specific analysis

— Is preparing for an FCA supervisory visit, s166 skilled person review, or internal AML audit

— Has recently expanded into new products, services, or markets not reflected in its current assessment

Resources mentioned in this episode:

Compliance Consultant's Business-Wide AML Risk Assessment Template is a ready-to-use toolkit for FCA-regulated firms and PSR-authorised payment service providers. It provides a structured assessment framework, risk factor scoring methodology, evidencing guidance, and governance templates enabling MLROs and compliance teams to build and maintain an assessment that genuinely reflects their firm's risk profile and satisfies current regulatory expectations.

Built by qualified regulatory consultants who know exactly what "good" looks like.

Visit complianceconsultant.org to find out more, or call us on 0800 689 0190.

Compliance Consultant — Making Compliance Work.

Episodes (58)

Appointed Representative Policy and Playbook: What Principal Firms Must Get Right Before the FCA Gets Involved

The appointed representative regime was designed to widen access to regulated markets. But for principal firms, it comes with a burden of responsibility that many have consistently underestimated — an...

27 Feb 21min

Consumer Duty: Are You Evidencing Good Outcomes or Just Hoping for the Best?

Consumer Duty has been in force since July 2023, and the FCA is no longer giving firms the benefit of the doubt. Supervisory visits, thematic reviews, and enforcement activity are all signalling the s...

26 Feb 22min

Fair Value Under the Microscope: What the FCA Really Expects From Your Assessment Framework

Is your firm's Fair Value Assessment actually fit for purpose — or is it a compliance exercise dressed up as consumer protection? Since Consumer Duty came into full force, the FCA has been unequivocal:...

26 Feb 20min

PEPs, High-Risk Customers & EDD: Are You Managing the Risk or Just Creating the Paperwork?

When it comes to Politically Exposed Persons and high-risk customers, the gap between having an EDD process and having one that actually works is wider than most firms realise — and the FCA knows it. E...

26 Feb 13min

Operational Resilience: Is Your Firm Ready to Prove It Can Absorb Disruption — or Just Claim That It Can?

The FCA and PRA's operational resilience framework is no longer a future obligation. The March 2025 implementation deadline has passed — and firms are now expected to be operating within their impact ...

26 Feb 11min

FCA Supervisory Visit: Are You Actually Prepared — or Just Hoping for the Best?

An FCA supervisory visit is not a conversation. It is a structured regulatory assessment of your firm's systems, controls, and culture — and firms that treat it as an informal check-up are the ones th...

26 Feb 17min

Compliance Risk Registers: Is Your Firm Mapping What Actually Matters — or Just Colouring in Squares?

Every regulated firm has a compliance risk register. Far fewer have one that genuinely reflects their risk profile, drives management decision-making, or would survive scrutiny from the FCA, an intern...

26 Feb 18min

PSR Compliance Risk Registers: Are Payment Firms Mapping Real Risk — or Just Going Through the Motions?

Payment service providers operate in one of the most rapidly evolving regulatory environments in UK financial services. Yet the compliance risk registers many PSR-authorised firms rely on were built f...

26 Feb 21min
