Firm-wide risk assessments
Updated 21 September 2023 (Date first published: 29 October 2019)
This guidance is to help you understand your legal and regulatory obligations and how to comply with them. We will have regard to it when exercising our regulatory functions.
Who is this guidance for?
All firms that are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the money laundering regulations).
Purpose of this guidance
This guidance aims to help firms subject to the money laundering regulations comply with the requirement to have a firm-wide risk assessment under regulation 18.
This guidance is a living document and we will update it from time to time.
Firms that are within scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ('the money laundering regulations') must have a written firm-wide risk assessment in place.
The requirement to produce a firm risk assessment is set out at regulation 18 of the money laundering regulations. The risk assessment must be appropriate to the size and nature of your business and take into account:
- any information we publish, in particular our sectoral risk assessment
- the risk factors set out in the money laundering regulations, namely:
  - your firm's customers
  - the countries or geographic areas in which you operate
  - the products or services which your firm provides
  - your firm's transactions
  - how your firm's products and services are delivered
Regulation 18A of the money laundering regulations also requires you to identify the risk of proliferation financing to your business. This can either be considered separately or within your firm-wide risk assessment. Further guidance on how to carry out a proliferation financing risk assessment can be found in the Legal Sector Affinity Group guidance.
Why is it important to have a firm wide risk assessment?
The purpose of a firm wide risk assessment is to help you identify the money laundering risks your firm is, or could be, exposed to, and consider how any risks could be mitigated. Essentially, it will help your firm to take a risk-based approach to preventing money laundering.
Having a firm wide risk assessment in place will also help you to develop appropriate policies, controls and procedures. Fee earners may also need to refer to your firm wide risk assessment when assessing risk at client and matter level.
It is an important document which should be regularly reviewed, kept up to date and approved by senior management.
What we have seen
As part of our supervisory activities, we review firm-wide risk assessments during our inspections of firms and our desk-based reviews.
We have found that most firms now have a firm wide risk assessment in place. Over the last few years, we have also seen an improvement in the quality of firm wide risk assessments which reflects the thought, effort and time that many firms put into these documents.
However, we continue to find a significant proportion of firm wide risk assessments which fall short of our expectations.
Most worrying are those firms who only put in place a firm-wide risk assessment after we request to see it. The requirement to have a firm-wide risk assessment has now been in force since 2017. The purpose of a firm-wide risk assessment is to help identify the risks a firm is or could be exposed to, and the measures which should then be put in place to help mitigate the firm's exposure to financial crime. It is a crucial step in being able to prevent money laundering. We will continue to take robust action against any firms who do not have a firm-wide risk assessment in place.
We also continue to see a minority of firm wide risk assessments which we deem to be non-compliant or partially compliant.
This could be because the firm has failed to consider the information we publish, or to consider one or more of the risk factors set out in the money laundering regulations. For example, of the 73 firm-wide risk assessments we reviewed during our desk-based reviews in 2021/2022:
- Almost 20% did not refer to areas identified by our sectoral risk assessment.
- We provided feedback to half of firms on what they had included about clients and/or the firm's transactions in their firm-wide risk assessment. It is important that firms do this, as it will then help inform the client and matter risk assessments.
- 10% of firms did not properly consider the potential money laundering risks associated with how their services are delivered. We consider this to be a growing risk area for firms especially as more services are now being delivered by email or through online meetings.
- Almost a third of firms used templates or templated text which had not been tailored to the firm. While there is nothing inherently wrong in using a template, you must make sure you adapt and tailor it to your firm and avoid copying and pasting specimen text.
Next steps and further information
Money laundering presents a financial, reputational and regulatory risk to firms, and you should take action to prevent your firm from being exploited by criminals.
As mentioned above, some firms still need to familiarise themselves with the requirements of regulation 18 of the money laundering regulations.
We expect firms to be compliant in this area and have provided a variety of resources to help firms draft an effective firm risk assessment:
- a sectoral risk assessment, setting out common risks
- the Legal Sector Affinity Group Anti Money Laundering Guidance for the Legal Sector 2023 (PDF 220 pages)
- a checklist to help firms prepare for a firm risk assessment (DOC 8 pages, 44KB)
- a template (DOC 5 pages, 42KB) which we have developed using learning from our review and which firms can use to frame their risk assessment – unlike the other templates we have seen, this does not include specimen text.
Tips for completing your risk assessment
Below, we set out some of the good and poor practice we saw, as well as four common questions we are asked.
1. Should I use a template risk assessment?
This is entirely up to you. Some firms find template risk assessments useful in helping get to grips with the AML requirements.
If you use a template, however, you must ensure that it is tailored to your practice. In many cases we found that the risk assessment did not match a firm's profile and did not reflect the risks from its services and client demographic. The money laundering regulations are clear: you must carry out a risk assessment which must be relevant to the size and nature of your business. In this sense, you are the expert.
Remember, you cannot pass the regulatory risk of non-compliance on to a third party. If a consultancy gives you the wrong advice, the responsibility remains with you.
2. What is the difference between matter and firm risk assessments?
Firms often confused a matter or client risk assessment with a firm-wide risk assessment. These are different documents which do different jobs, but both are a requirement of the money laundering regulations.
A firm-wide risk assessment should evaluate the money laundering risk that your whole business is exposed to and set out how you have arrived at that conclusion. It should then set out the steps which will be taken to help mitigate any risks.
A matter or client risk assessment is linked to a specific client file, and should assess the money laundering risk associated with that particular client or matter. It should also then inform the level of customer due diligence and ongoing monitoring required.
The two documents should correspond with each other, and client or matter risk assessments should be informed by the themes identified in the firm-wide risk assessment.
3. Do I need to include proliferation financing in my firm wide risk assessment?
You are required to carry out a risk assessment which assesses the inherent proliferation financing risks your firm faces given your clients, services, geographic areas and delivery channels. You may include this as part of your firm-wide risk assessment or you may create a stand-alone document.
For the majority of firms, we expect the risk of proliferation financing to be low. The risk may be higher for firms providing services in the following sectors:
- trade finance
- commercial contracts
- manufacturing particularly in relation to dual-use goods
- commodities – particularly mined metals and chemicals
4. How should I deal with politically exposed persons (PEPs)?
You can find further information in the LSAG guidance.
Some firms stated that they would never act for PEPs. This suggests that they are not aware that the definition of a PEP is very wide, or that they believe they cannot, or should not, act on behalf of PEPs.
You should be aware of the type of person likely to be a PEP. As well as political figures, the definition includes state-run enterprises and international organisations. For example, the following are PEPs:
- the business partner of a member of the board of Network Rail, Channel 4 or the BBC
- the children of certain Church of England bishops.
Further information can be found in the FCA guidance note FG17/6 at paragraph 2.16.
It is for firms to decide their own risk appetite, but your policies should be realistic. If a firm has an overly restrictive PEP policy, it is at risk of:
- turning away clients for no good reason
- being counter-productive if the firm has a policy which is ignored or routinely breached.
The table below sets out the different areas you should consider under regulation 18 along with examples of good practice and bad practice we have seen.
| Regulation 18 risk | Questions to ask | Good practice | Bad practice |
|---|---|---|---|
Products & services: