Firm risk assessment guide

Firm-wide risk assessment for UK accountants: a complete guide

Every UK accountancy practice supervised for AML must complete a firm-wide risk assessment — a documented analysis of the money laundering and terrorist financing risks the practice faces, based on its client base, services, and geography. This guide explains what the assessment must cover, how to complete it, and how to keep it current so it holds up to HMRC scrutiny.

TL;DR — Quick Summary

  • Required by Regulation 18 of the MLR 2017 for all supervised accountancy practices — regardless of size
  • Must cover four risk factors: client types, services provided, geographic exposure, and delivery channels
  • Must be reviewed at least annually or whenever the practice changes significantly
  • A generic or outdated assessment is one of the most common HMRC inspection findings
  • The assessment directly informs your AML policy and individual client CDD decisions

Answer-first summary

What is a firm-wide risk assessment and who needs one?

A firm-wide risk assessment is a documented analysis of the money laundering and terrorist financing risks a UK accountancy practice faces, assessed across four factors: the types of clients served, the services provided, the geographic exposure of clients, and the delivery channels used to interact with clients. Every accountancy practice subject to AML supervision — whether supervised by HMRC or a recognised professional body — must complete one under Regulation 18 of the Money Laundering Regulations 2017. The assessment must be kept current, dated, and available for inspection. It is not a one-time exercise: it must be reviewed at least annually and updated whenever the practice changes.

  • Required by Regulation 18 of the MLR 2017 — no exemption for sole practitioners or small practices
  • Must assess four risk factors: client types, services, geography, and delivery channels
  • Must be documented in a format that can be shown to HMRC during a supervision visit
  • Must be reviewed at least annually and updated when the practice changes
  • Informs the calibration of your AML policy and individual client CDD procedures

What to assess

The four risk factors

Regulation 18 requires practices to assess their exposure across four dimensions. Each factor must be considered individually and in combination to arrive at a credible overall risk rating.

Client risk

The types of clients you serve: sectors, complexity, beneficial ownership structures, PEP exposure, and jurisdictions of residence or incorporation. A practice serving predominantly owner-managed businesses in the UK carries lower inherent client risk than one serving international high-net-worth individuals or complex trust structures.

Service risk

The services you provide. Trust and company formation carry higher inherent risk than bookkeeping or payroll. Tax advice on offshore structures sits between the two. The MLR 2017 and FATF guidance both identify specific service types as higher-risk — your assessment should reflect which of those you offer.

Geographic risk

The countries and regions your clients operate in or are incorporated in. FATF high-risk jurisdictions, countries subject to UK sanctions regimes, and offshore financial centres all increase geographic risk. Your assessment must cross-reference your client base against current FATF and UK government high-risk country lists.

Delivery channel risk

How you interact with clients. Fully remote or non-face-to-face client relationships carry higher inherent risk than in-person relationships, because opportunities for identity fraud are greater. Note what proportion of your client base you have never met in person, and whether you use any non-standard onboarding channels.

Step-by-step

How to complete the assessment

Follow these six steps to produce a risk assessment that meets the Regulation 18 requirement and will hold up to HMRC scrutiny.

1. Identify and list your client types

Categorise your clients by sector, entity type (sole trader, limited company, trust, partnership), and any specific risk characteristics — including whether you serve any sectors identified as higher-risk in HMRC or FATF guidance.

2. Review the services you provide

Note which services are higher-risk (trust and company formation, tax advice on offshore structures) versus lower-risk (statutory accounts preparation, payroll, VAT returns). The MLR 2017 Schedule 1 and associated FATF guidance provide the reference list.

3. Map your geographic exposure

List the countries where your clients operate or are incorporated. Cross-reference against the current FATF high-risk list and the UK government's financial sanctions regime. Document any clients with connections to high-risk jurisdictions even if the primary work is UK-based.

4. Assess your delivery channels

Record what proportion of your clients are fully remote, how you verify identity at onboarding, and whether you use any non-face-to-face channels for document collection. A high proportion of remote clients increases inherent risk and should be reflected in your CDD procedures.

5. Assign an overall risk rating

Using your analysis of the four factors, assign an overall risk rating: Low, Medium, or High. Use your professional judgement and document the rationale clearly. A practice with a high proportion of remote clients in a regulated sector should not arrive at a Low rating without explaining why.

6. Document the outcome

Write up the assessment in a format that can be shown to HMRC. Date it, sign it, and set a review date — no more than twelve months away. Keep previous versions so you can show how your assessment has evolved as your practice has changed.

Document structure

What does a firm-wide risk assessment look like?

The MLR 2017 does not prescribe a specific format. What matters is that the assessment is documented, dated, signed, and genuinely reflects your practice. The structure below is a practical guide — the content must be specific to your firm.

Typical document structure

  • Firm name: full legal name of the practice
  • Date: date the assessment was completed or last reviewed
  • Prepared by: name and role of the person completing the assessment (usually the MLRO)
  • Client risk factor: summary of client types, sectors, beneficial ownership characteristics, PEP exposure
  • Service risk factor: list of services provided, with a risk classification for each
  • Geographic risk factor: countries of client operation/incorporation; FATF high-risk flags
  • Delivery channel risk factor: remote vs in-person; non-standard onboarding channels
  • Overall risk rating: Low / Medium / High, with documented rationale
  • Key findings: the material risk areas identified by the assessment
  • Recommended controls: how the identified risks are mitigated in CDD procedures and the AML policy
  • Review date: no more than twelve months from the date of the assessment

This is a structural guide — the content must reflect your specific practice. A generic template completed without genuine analysis of your client base will not satisfy the Regulation 18 requirement.

Staying current

Keeping the assessment current

An annual review is the minimum standard. The following three events should trigger an immediate review and update — do not wait for the next scheduled review date.

Significant change in client base

A new sector, a large new client in a higher-risk category, or a significant increase in international clients all require you to revisit and update the assessment before the next scheduled review.

New higher-risk service added

If you begin offering trust and company formation, tax advice on offshore structures, or any other service newly identified as higher-risk in HMRC or FATF guidance, update your assessment immediately.

HMRC or professional body issues new guidance

When HMRC publishes updated sector-specific guidance or when your professional body (ICAEW, ACCA, or CIMA) updates its AML resources, review your assessment against the changes and update it where necessary.

From risk assessment to CDD

Linking the risk assessment to CDD

The firm-wide risk assessment is not a standalone document — it is the foundation for your CDD procedures. The overall risk rating and the specific risk factors identified in the assessment inform how you calibrate due diligence for individual clients.

A practice that identifies a significant proportion of higher-risk clients in its firm-wide assessment should be applying Enhanced Due Diligence to those clients — and that calibration should be visible in both the AML policy and individual client records. A disconnect between the firm-wide assessment and what is actually happening at the client level is a common HMRC finding.

Conversely, where the firm-wide assessment identifies genuinely lower risk characteristics — a small practice serving only local, well-known owner-managed businesses, with no international exposure and no higher-risk services — Simplified CDD may be appropriate for certain clients. The risk assessment is what justifies that decision.

See also: Certivus risk assessment module and CDD explained: Standard, Simplified, and Enhanced.

Compliance notice: This guide reflects the obligations set out in Regulation 18 of The Money Laundering Regulations 2017 and associated HMRC guidance. Certivus supports the risk assessment process but does not provide legal or compliance advice. The risk judgements in your firm-wide risk assessment are yours to make. If you are unsure whether your assessment meets your regulatory obligations, consult your professional body (ICAEW, ACCA, or CIMA) or a qualified compliance professional.

Frequently asked questions

Firm-wide risk assessment questions answered

What is a firm-wide risk assessment?

A firm-wide risk assessment is a documented analysis of the money laundering and terrorist financing risks a regulated practice faces, based on its client base, services, geographic exposure, and delivery channels. It is required under Regulation 18 of the Money Laundering Regulations 2017 for all businesses subject to AML supervision, including accountancy practices supervised by HMRC. The assessment forms the foundation for the practice's AML controls — it informs CDD risk ratings, monitoring intensity, and the procedures set out in the AML policy.

Who needs to complete a firm-wide risk assessment?

Every UK accountancy practice that is subject to AML supervision must complete a firm-wide risk assessment. This includes practices supervised by HMRC (accountants not supervised by a professional body), as well as those supervised by ICAEW, ACCA, CIMA, and other recognised supervisory bodies. There is no minimum size threshold: sole practitioners are subject to the same obligation as larger firms. The assessment is not optional, and HMRC inspectors specifically check for it during supervision visits.

How often must the firm-wide risk assessment be updated?

The Money Laundering Regulations 2017 require the assessment to be kept current — which in practice means reviewing it at least annually and updating it whenever the practice changes in a way that affects its risk profile. HMRC guidance specifically states that a risk assessment that has not been reviewed in over twelve months is unlikely to be considered adequate. Triggers for immediate review include taking on a new higher-risk client category, adding a higher-risk service, or receiving updated sector-specific guidance from HMRC or a professional body.

What does HMRC look for in the firm-wide risk assessment?

HMRC inspectors assess whether the risk assessment genuinely reflects the practice's circumstances — not whether it is lengthy or formatted in a particular way. Common findings include: an assessment that has not been dated or reviewed since initial registration; an assessment that lists generic risk factors without applying them to the actual client base and services of that practice; the absence of any geographic risk analysis; and an assessment that assigns a Low overall risk rating without documented rationale. HMRC also checks whether the risk assessment links to the practice's AML policy and CDD procedures, as these should be calibrated to the risk level identified.

Does Certivus help with firm-wide risk assessments?

Certivus includes a risk assessment module that guides practices through the four risk factors required by the MLR 2017, generates a documented output that can be shown to HMRC, and sets automatic review reminders. The module captures client type, service, geographic, and delivery channel data and produces a dated assessment document. Certivus does not provide compliance advice — the risk judgements are made by the practice — but it ensures the documentation is complete, retrievable, and reviewable.

What happens if HMRC finds the risk assessment inadequate?

If HMRC determines that a practice's firm-wide risk assessment is inadequate — for example, because it is generic, undated, or does not reflect the actual practice — the typical response is a requirement to remediate within a specified timeframe, followed by a follow-up review. Where the failure is more serious or part of a pattern of non-compliance, HMRC can impose civil penalties under Regulation 86 of the MLR 2017. Repeated or systemic failures can result in referral for further enforcement action. The best response to an inadequate risk assessment finding is to address it promptly and document the remediation steps taken.

Get started

Complete your firm-wide risk assessment in Certivus

Certivus guides you through all four risk factors, generates a dated and signed assessment document, and sets an automatic annual review reminder — so your assessment is always inspection-ready.
