Guidance
Firm risk assessments
Updated 25 November 2019 (Date first published: 29 October 2019)
Status
This guidance is to help you understand your legal and regulatory obligations and how to comply with them. We will have regard to it when exercising our regulatory functions.
Who is this guidance for?
All firms that are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the money laundering regulations).
Purpose of this guidance
This guidance is intended to help firms subject to the money laundering regulations comply with the requirement to have a firm-wide risk assessment under Regulation 18.
This guidance is a living document and we will update it from time to time.
General
Firms that are within scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ('the money laundering regulations') must have a written firm-wide risk assessment in place. This has been a legal requirement since 26 June 2017.
The requirement to produce a firm risk assessment is set out at Regulation 18 of the money laundering regulations. The risk assessment must:
- take into account information we publish
- address the risk factors set out in the money laundering regulations, namely:
  - your firm's customers
  - the countries or geographic areas in which you operate
  - the products or services which your firm provides
  - your firm's transactions
  - how your firm's products and services are delivered
- take into account, and be appropriate to, the size and nature of your business.
What we have seen
In spring 2019, we called in 400 firms' anti-money laundering risk assessments. We found high levels of non-compliance with the money laundering regulations, with 21% not compliant. Of the 400 firms we contacted:
- 83 risk assessments were not compliant:
  - 40 firms did not send us a firm risk assessment, instead sending us something else
  - 43 firms did not address one or more of the Regulation 18 criteria.
We found that 135 of the risk assessments we received (38%) were dated after our request went out. A proportion of these may have been updates of earlier risk assessments, however others may have been a newly created document, suggesting that some firms within our sample did not have an existing risk assessment at the time our request was received.
When we reviewed our records and the firms' own websites, we found that many risk assessments were not appropriate to:
- the size of the firm’s business
- the services the firm offered
- the geographical area in which the firm operated.
We also found that the use of templates affected quality: risk assessments based on a template were generally of lower quality, while those not based on a template tended to be better. If you choose to use a template, you must tailor it to your firm and avoid copying and pasting specimen text.
Next steps and further information
Money laundering presents a financial, reputational and regulatory risk to firms, and you should take action to prevent your firm from being exploited by criminals.
A considerable minority of firms still need to familiarise themselves with the requirements of Regulation 18 of the money laundering regulations.
We expect firms to be compliant in this area and have provided a variety of resources to help firms draft an effective firm risk assessment:
- a sectoral risk assessment, setting out common risks
- the Legal Sector Affinity Group Anti-Money Laundering Guidance for the Legal Sector 2021 (PDF 212 pages, 2.2MB)
- a checklist to help firms prepare for a firm risk assessment (DOC 8 pages, 44KB)
- a template (DOC 5 pages, 42KB) which we have developed using learning from our review and which firms can use to frame their risk assessment – unlike the other templates we have seen, this does not include specimen text.
Tips for completing your risk assessment
Below, we set out some of the good and poor practice we saw, as well as three common questions we are asked.
1. Should I use a template risk assessment?
This is entirely up to you. Some firms find template risk assessments useful in helping get to grips with the AML requirements.
More than half of the risk assessments we received (64%) used a template. While there is nothing inherently wrong in using a template, we noted that many of those we saw were almost or completely identical.
In many cases, we found that the risk assessment did not match a firm's profile and did not reflect the risks from its services and client demographic. The money laundering regulations are clear: you must carry out a risk assessment which must be relevant to the size and nature of your business. In this sense, you are the expert. We were encouraged that small practices and sole practitioners tended to produce very good and detailed risk assessments, often from scratch using their expert knowledge of their clients and work.
Remember, you cannot pass the regulatory risk of non-compliance on to a third party. If a consultancy gives you the wrong advice, the responsibility remains with you.
2. What is the difference between matter and firm risk assessments?
Firms often confused a matter or client risk assessment with a firm-wide risk assessment. Of the 40 firms which sent us the wrong document, 22 were matter risk assessments. These are different documents which do different jobs, but both are a requirement of the money laundering regulations:
- A firm-wide risk assessment should evaluate the money laundering risk that your whole business is exposed to
- A matter or client risk assessment is linked to a specific client file, and should assess the money laundering risk of that client or client matter.
3. How should I deal with politically exposed persons (PEPs)?
A number of firms stated that they would never act for PEPs. This suggests that they are not aware that the definition of a PEP is very wide, or that they believe they cannot, or should not, act on behalf of PEPs.
You should be aware of the type of person likely to be a PEP. As well as political figures, the definition covers senior figures in state-run enterprises and international organisations, together with their family members and known close associates. For example, the following are PEPs:
- the business partner of a member of the board of Network Rail, Channel 4 or the BBC
- the children of certain Church of England bishops
- senior office holders of international bodies such as the Red Cross or Amnesty International.
It is for firms to decide their own risk appetite, but your policies should be realistic. If a firm has an overly restrictive PEP policy, it is at risk of:
- turning away clients for no good reason
- being counter-productive if the firm has a policy which is ignored or routinely breached.
Regulation 18 risk | Questions to ask | Good practice | Bad practice |
---|---|---|---|
Clients | | | |
Geographical area | | | |
Products & services | | | |
Delivery channels | | | |
Transactions | | | |