Firm-wide AML Risk Assessment — the UK guide
What MLR 2017 Reg 18 actually requires, the five risk dimensions to cover, what the document must contain, when to review it, and why it's the #1 supervisory finding.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- A firm-wide AML risk assessment is the documented analysis under MLR 2017 Regulation 18 of the money-laundering and terrorist-financing risks facing a practice — covering client types, services, geographies, delivery channels, and transactions.
- Every business within MLR 2017 scope must have one. It is the foundation document inspectors ask to see first — supervisory inspection reports consistently list a missing or stale firm-wide risk assessment as the #1 finding.
- Five risk dimensions must be considered: client risk, product/service risk, geographic risk, delivery-channel risk, and (post-2022) proliferation financing risk.
- The assessment must be approved by senior management, reviewed at least annually, and updated when the firm's circumstances or external risk landscape changes materially.
- It must be documented, retained for 5 years (Reg 40), and provided to the supervisor on request.
Answer-first summary
What is a firm-wide AML risk assessment?
A firm-wide AML risk assessment is the documented analysis required by MLR 2017 Regulation 18 of the money-laundering and terrorist-financing risks facing a practice. It covers five risk dimensions — client risk, service/product risk, geographic risk, delivery-channel risk, and (post-2022) proliferation financing risk — produces an overall residual risk rating, identifies mitigations, and drives client-level CDD tier selection. The assessment is approved by senior management, reviewed at least annually, retained for 5 years, and provided to the AML supervisor on request. It is the foundation document inspectors ask to see first.
- Required under MLR 2017 Reg 18
- Five risk dimensions, plus proliferation financing
- Senior management sign-off mandatory
- Annual review minimum + change-driven updates
The five risk dimensions
MLR 2017 Reg 18(2) lists four risk dimensions; the 2022 update added proliferation financing as the fifth:
Client risk
Types of client the firm serves — natural persons vs entities, regulated vs unregulated, individual vs corporate, charity vs commercial. Within entities: ownership transparency, complexity of structures, presence of trusts or nominees. Within individuals: PEP exposure, jurisdiction of residence.
Product / service risk
The services the firm offers — bookkeeping (typically lower risk), tax advisory (medium), TCSP services like registered-office or nominee director (higher), trust formation (higher), litigation support (variable). The higher-risk services drive the firm-wide assessment upward.
Geographic risk
Where the firm's clients are based, where they transact, and where their counterparties operate. High-Risk Third Countries listed in MLR 2017 Schedule 3ZA elevate the assessment. Sanctioned jurisdictions, jurisdictions with weak AML regimes, and offshore financial centres each warrant explicit treatment.
Delivery channel risk
How the firm onboards and serves clients — face-to-face, remote, via intermediaries, via online portals, through agents or referrers. Non-face-to-face channels historically elevated risk; reliable electronic verification with liveness checks has reduced (but not eliminated) the differential.
Proliferation financing risk (post-2022)
Following the 2022 update to MLR 2017, firms must explicitly assess proliferation financing risk — funding the development or proliferation of weapons of mass destruction. Most practices have minimal exposure, but firms with clients in defence, dual-use goods, or trade with sanctioned states must document a specific proliferation assessment.
What the document must contain
Standard structure used by SRA, ICAEW, ACCA, and HMRC-supervised practitioners. Thirteen sections — each contributing to the audit trail an inspector follows:
1. Executive summary — the firm's overall residual risk rating (low, medium, high), and key changes since the last review
2. Scope of the assessment — date, supervised by whom, applicable jurisdictions, services covered
3. Client risk analysis — types of clients, risk-weighted distribution, identified higher-risk categories
4. Service risk analysis — services offered, risk attached to each, mitigation measures
5. Geographic risk analysis — jurisdictions of clients, counterparties, transactions
6. Delivery channel risk analysis — onboarding and ongoing service delivery channels
7. Proliferation financing risk — explicit assessment under the 2022 MLR update
8. Sanctions exposure — particular sanctioned-jurisdiction exposure
9. Mitigations and controls — what the firm does to reduce identified risks
10. Residual risk rating — after mitigations, the assessment's final overall rating
11. Action plan — specific changes or improvements identified, with owner and timeline
12. Senior management approval — signed and dated by partner / MLCO / managing director
13. Review schedule — date of next mandatory review, trigger events that would require interim update
When to review and update
Annual review is the minimum. Eight specific trigger events require interim updates:
- Annual scheduled review (mandatory minimum)
- Major change in services offered — entering a new service line such as TCSP, trust work, or property work
- Major change in client base — new sector exposure, new geographic exposure, significant influx of higher-risk clients
- Update to MLR 2017, POCA, or other AML legislation
- New sanctions regime affecting the firm's client portfolio
- Major supervisory action against a similar firm — particularly thematic reviews or enforcement actions that signal risk areas
- Significant internal incident — a SAR filing, a sanctions match, a CDD failure that suggests systemic weakness
- Change in firm structure — merger, acquisition, opening a new office
Five common mistakes
Treating it as a template exercise
Downloading a generic AML risk assessment template and filling in the blanks produces a document that fails inspection. The assessment must be specific to the firm's actual client base, actual services, and actual exposure — not a generic checklist.
Not updating annually
A risk assessment dated more than 12 months back is a default supervisory finding. The annual review is the minimum — major changes trigger interim updates. Diarise the next review the day the current one is signed.
No senior management sign-off
The assessment must be approved by a senior person — partner, MLCO, managing director. Sign-off by a junior staff member or an external consultant alone is not enough. The signature is the firm's commitment to the assessment as its operating reality.
Skipping proliferation financing
The 2022 MLR update added proliferation financing as a required dimension. Many firms' risk assessments still don't address it — and supervisors are increasingly flagging the gap. Even where the firm's exposure is minimal, an explicit 'we have minimal exposure because...' is required.
No linkage to client-level risk ratings
The firm-wide assessment should drive the client-level CDD tier selection (Standard, EDD, SDD). A risk assessment that lives in a binder and never touches client onboarding is a documentary exercise — supervisors expect to see the link between firm-wide risks identified and client-level mitigation applied.
FAQ
What is a firm-wide AML risk assessment?
A firm-wide AML risk assessment is the documented analysis under MLR 2017 Regulation 18 of the money-laundering and terrorist-financing risks facing a practice. It covers five risk dimensions — client risk, service/product risk, geographic risk, delivery-channel risk, and (post-2022) proliferation financing risk — produces an overall residual risk rating, identifies mitigations, and drives client-level CDD tier selection. It must be approved by senior management, reviewed at least annually, and produced to the AML supervisor on request.
Who needs a firm-wide risk assessment?
Every business within MLR 2017 scope — accountants (HMRC-supervised or professional-body-supervised), solicitors and other regulated legal-sector firms, estate agents, TCSPs, banks, investment firms, cryptoasset firms, casinos, art-market participants, and high-value dealers. Sole practitioners are not exempt. The depth and complexity of the assessment should be proportionate to the firm's size and risk profile, but the document itself is mandatory.
How often must the firm-wide risk assessment be reviewed?
At least annually — the regulatory minimum. Material changes in the firm's circumstances or external environment require interim updates: new service lines, new client-sector exposure, new geographic exposure, major AML-legislation changes, new sanctions regimes affecting the portfolio, significant internal incidents (SAR filings, sanctions matches, CDD failures), and firm-structure changes (mergers, new offices). Diarise the annual review the day the current one is signed.
What goes in a firm-wide AML risk assessment?
Thirteen sections, in standard form. Executive summary with overall rating. Scope. Client risk analysis. Service/product risk. Geographic risk. Delivery channel risk. Proliferation financing risk (post-2022). Sanctions exposure. Mitigations and controls. Residual risk rating after mitigations. Action plan with owners and timelines. Senior management approval signature. Review schedule with next mandatory review date and trigger events. The assessment must be specific to the firm — generic templates fail inspection.
Who must approve the firm-wide risk assessment?
Senior management — partner, MLCO, managing director, or equivalent. The signature is the firm's commitment to the assessment as its operating reality. Sign-off by a junior staff member or an external consultant alone does not satisfy the regulatory expectation. The approver must be in a position to commit firm resources to the action plan and to overrule commercial pressure against necessary controls.
What's the link between the firm-wide and client-level risk assessment?
The firm-wide assessment identifies risk dimensions and rates them. The client-level risk assessment applies that framework to each individual client — generating a per-client risk rating that drives the CDD tier selection (Standard, EDD, SDD) and ongoing-monitoring cadence. A risk assessment that doesn't translate into client-level decisions is a documentary exercise. Supervisors look for the linkage as evidence the framework is operational.
What happens if my firm-wide risk assessment is missing or stale?
It is the most common supervisory finding. Sanctions vary by supervisor — HMRC may impose civil penalties under MLR 2017; the SRA may fine individuals up to £25,000 and firms substantially more; professional bodies escalate through warnings, fines, and disciplinary tribunal referral. Beyond the penalty itself, a missing or stale risk assessment is taken by supervisors as evidence that the wider AML programme is also weak — triggering deeper inspection.