Firms risk assessment exercise

29 October 2019

Summary of methodology

All firms that are within scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ('the money laundering regulations') are required to have a firm wide risk assessment. This has been a legal requirement since 26 June 2017.

On 28 March 2019, we called in 400 firms' anti-money laundering firm risk assessments. All firms had declared to us that they were offering services within scope of the money laundering regulations. Of the 400, we targeted mostly firms that we have assessed as being of high risk of being used for money laundering, with a smaller sample of medium and low risk firms.

In response to our request, we received 398 risk assessments. We also received two unsolicited risk assessments. Of the two firms that did not provide their risk assessments, one had never traded and has subsequently closed, and the other firm has been passed to our investigations team.

We assessed all 400 firms' risk assessment for compliance with the regulations and we did a further, more detailed qualitative assessment on a quarter of the files.


We found that 21% of firms had difficulty meeting their obligations:

  • 40 firms did not send us a firm risk assessment, instead sending us something else, for example a matter risk assessment or AML Policy.
  • 43 firms did not include all of the required areas set out in regulation 18 of the money laundering regulations.

We expect firms to be compliant in this area and have provided a variety of resources to help firms draft an effective firm risk assessment: