MLR 2017 Firm-Wide Risk Assessment: Structure and Content

The firm-wide risk assessment is the foundation of every AML compliance programme. Without a well-structured, specific and regularly updated risk assessment, a firm’s AML controls — however individually sound — are built on uncertain ground that will not withstand FCA scrutiny.

Regulation 18 of the Money Laundering Regulations 2017 requires regulated firms to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which their business is subject, taking into account their customers, the countries and geographic areas in which they operate, their products and services, their transactions and their delivery channels, together with the risk information their supervisor makes available (including the national risk assessment). The firm must keep an up-to-date written record of the assessment and the steps taken to produce it, and must provide the assessment and the information it was based on to its supervisory authority (the FCA or HMRC) on request. This post covers how to structure and produce a firm-wide risk assessment that meets those requirements.

Why the Firm-Wide Risk Assessment Matters

The firm-wide risk assessment is not a compliance document produced for its own sake. It is the analytical foundation on which every other element of the AML programme rests. The risk assessment determines the scope and calibration of the customer due diligence framework — which customer types attract standard CDD, which attract enhanced scrutiny, and on what basis. It determines the focus of transaction monitoring — which scenarios and thresholds are calibrated to the firm’s actual risk profile rather than generic templates. And it determines the frequency and focus of the MLRO’s annual report to the board.

A firm with a well-structured risk assessment that is genuinely used to calibrate its controls — where the documented risks connect logically to the documented controls — presents very differently to FCA supervisors than one with a generic, boilerplate assessment that does not reflect the firm’s actual business. The FCA’s AML supervisory approach explicitly includes assessment of whether the firm’s risk assessment is fit for purpose, and whether the firm’s AML controls are calibrated to the risks it identifies.

The Five Risk Factors: Structure of the Assessment

Regulation 18 identifies five categories of risk factor that the firm-wide assessment must cover. These provide the natural structure for a well-organised assessment.

Customer risk. What types of customers does the firm serve? What is the inherent money laundering risk associated with different customer segments — retail consumers, sole traders, SMEs, large corporates, financial institutions, professional services firms, charities, politically exposed persons? The assessment should identify the firm’s actual customer mix, assign an inherent risk rating to each category, and note any concentrations that create elevated risk at the aggregate level.

Country and geographic risk. Where are the firm’s customers based, and where does the firm operate? The assessment should identify which jurisdictions the firm has material exposure to, reference the relevant risk indicators (the FATF grey and black lists, which the UK’s high-risk third country designation now tracks; Transparency International’s Corruption Perceptions Index; the Basel AML Index) and document the firm’s conclusion on the geographic risk profile of its customer base. For payment firms, this includes the jurisdictions to which outbound payments are made and from which inbound payments are received, not only the jurisdictions in which the firm’s own customers are located.

Product and service risk. What products and services does the firm offer? The assessment should consider the inherent money laundering risk of each product type: the degree to which it enables anonymity, the speed and volume of transactions it facilitates, the ease with which proceeds could be layered through it, and the extent to which it enables cross-border transfers. High-risk products — correspondent banking, trade finance, private banking, high-value payments, cryptocurrency services — should be specifically identified and their risk assessed at a granular level.

Transaction risk. What is the nature and volume of transactions the firm processes? The assessment should consider: the typical transaction size and frequency; the proportion of transactions that are cash-based or cash-equivalent; the proportion that are cross-border or involve high-risk jurisdictions; and any patterns in the transaction profile that create elevated risk — for example, a high proportion of transactions to or from third-party accounts, or a significant volume of transactions in round-number amounts.

Delivery channel risk. How does the firm acquire and interact with its customers? Non-face-to-face customer acquisition (digital onboarding, introduced business, intermediary relationships) creates higher inherent risk than face-to-face interaction unless it is accompanied by appropriate safeguards, such as reliable electronic identification and verification. The assessment should reflect the firm’s actual delivery channel mix, the verification challenges created by each channel, and the degree to which the firm relies on third parties for CDD rather than performing it itself.

Terrorist Financing Risk

Regulation 18 requires the assessment to cover terrorist financing risk alongside money laundering risk. In practice, many firms’ risk assessments give insufficient attention to TF risk, either addressing it briefly at the end of the assessment or using generic language that does not reflect the firm’s actual TF risk profile. TF risk is distinct from ML risk: the funds involved are often small and may be legitimately sourced, so the indicators (destination jurisdictions, links to conflict zones, charity and remittance corridors) differ from those for laundering. The FCA’s supervisory approach includes specific assessment of TF risk coverage, and firms in sectors with elevated TF exposure (payment firms, charities, trade finance) should ensure this section is specific and credible. Firms should also note that Regulation 18A, in force since September 2022, requires a separate assessment of proliferation financing risk, which is usually documented alongside the ML and TF assessment.

Inherent Risk, Controls and Residual Risk

A well-structured firm-wide risk assessment distinguishes between inherent risk (the level of risk before controls are applied), the controls in place to mitigate each risk, and residual risk (the level of risk after controls). This structure — which mirrors the standard risk management methodology used across enterprise risk frameworks — allows the firm to demonstrate that its controls are appropriately matched to its risk profile, and to identify areas where residual risk remains elevated and additional mitigation is needed.

The controls section should be specific: not “we conduct customer due diligence” but “we apply standard CDD to retail customers; enhanced due diligence to corporate customers whose beneficial owners are established in high-risk third countries, as Regulation 33 requires; and enhanced due diligence to PEPs, their family members and known close associates under Regulation 35.” The connection between each risk identified and the control deployed against it must be clear, and the residual risk rating must be justified by reference to those controls rather than asserted.

Review and Update Requirements

The firm-wide risk assessment must be kept up to date. The MLR 2017 does not prescribe a specific review frequency, but the FCA expects the assessment to be reviewed and updated at least annually; following any significant change to the firm’s business, customer base, product range or delivery channels; when new money laundering or terrorist financing typologies emerge that are relevant to the firm’s activities; and following significant regulatory developments, including new FATF or UK high-risk third country designations, sanctions regime changes, a new national risk assessment, or amendments to the MLR 2017 itself. Each review should be dated and its conclusions recorded, so that the firm can show its supervisor both the current assessment and the history of changes to it.

The MLRO should own the firm-wide risk assessment and be responsible for coordinating its review. The review process should involve input from across the firm — operations, customer-facing teams and technology — rather than being produced entirely by the compliance function in isolation.

Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd

ICAEW Registered Practice  |  Companies House No. 13329383

“The quality of a firm’s firm-wide risk assessment is one of the clearest indicators of the overall quality of its AML programme. MLROs who can produce a risk assessment that is genuinely specific to the firm, properly structured and credibly connected to the firm’s controls represent a significantly different standard of AML leadership from those working from boilerplate templates. We place MLROs with the technical depth to build and maintain AML frameworks that hold up under FCA examination.”

Recruiting an MLRO with AML Framework Expertise?

FD Capital places MLROs and financial crime compliance officers who can build, maintain and defend AML programmes — including firm-wide risk assessments — across FCA-regulated firms.
