
AML firm-wide risk assessments: what does good look like?

Author: Professional Standards Department

Published: 07 Sep 2023

Firm-wide risk assessments (FWRAs) lay the foundation for effective anti-money laundering (AML) policies and procedures. In a recent webinar, ICAEW’s AML team talked about what a good assessment looks like and offered some insights into the most common failings found during monitoring visits.

FWRAs allow you to stand back and take a holistic view of the money laundering risks within your firm and allow you to focus resources on the areas of greatest risk. Based on your findings, you can then develop effective policies and procedures to mitigate the risks you’ve identified.

“The assessment really helps firms understand and think about where their AML risks lie,” explains Karen Cook, Quality Assurance Reviewer at ICAEW. “And it’s only by having that understanding that firms can address their response to those risks.”

The requirement to produce FWRAs was introduced in 2017. Six years on, the evidence suggests that ICAEW-supervised firms are recognising the importance of these assessments and are improving how they approach and perform them.

Statistics gathered for ICAEW’s 2023 AML supervision report[1] show that issues with FWRAs have fallen from the fourth most common finding last year to the seventh this year. “There is also a notable change in what reviewers are seeing,” says Michelle Giddings, ICAEW’s Head of AML. “Previously, findings tended to be that firms hadn’t done a firm-wide risk assessment, now it’s more that it can be improved.”

“We’re now getting beyond the phase where an assessment isn’t being completed and more into the territory that it’s not being completed in the right way,” confirms Kevin Sharman, Quality Assurance Manager at ICAEW. “Most firms are now aware of the requirement, and most are actioning it.”

He also stresses that although reviewers are still finding deficiencies on visits, they’re also seeing examples of well-executed and thoughtful FWRAs. 

Cornerstone of procedures

The FWRA is the cornerstone of all your AML procedures, including your customer due diligence (CDD), even though the regulatory requirement for CDD predated it.

“The order in which the requirements were introduced can confuse some firms,” explains Sandy Price, AML Manager at ICAEW. “But the fundamental principle is that unless you first identify and understand the potential risks within your firm, you can’t mitigate those risks.”

An effective FWRA enables you to decide on the extent of CDD to perform based on your risks, and it should direct your staff training needs.

There are three distinct stages in a FWRA:

  • identifying the risks your firm faces; 
  • assessing each risk by considering the likelihood of it arising and potential impact; and
  • implementing appropriate policies and procedures to mitigate the risks. 

“Identification of the risks is just the first stage,” emphasises Sandy. “Assessment and mitigation are critical parts of the overall process.”

[1] The 2022/23 AML supervision report will be published in autumn 2023.

Identifying the risks

Top of the hierarchy in terms of understanding AML risk is the government’s National Risk Assessment (NRA), which was last published in 2020 and highlights all UK risks. It also provides a sectoral breakdown of risks, including for accountancy.

“That’s our reference point as an AML supervisor,” explains Sandy. “It’s currently being reviewed and an updated version should be published in the next year or so.”

The Accountancy AML Supervisors Group (AASG) Risk Outlook is based on the NRA findings, but it focuses solely on the sector. It breaks down the risks faced by accountancy firms into five categories:

  • client
  • services
  • geography
  • transactions
  • delivery.

“This is probably the starting point and best source of information for your firm-wide risk assessment,” says Sandy. “It really does detail all the potential money laundering risks our firms face.”

“Then there are the risk bulletins ICAEW sends out to all money laundering reporting officers and compliance principals in firms we supervise, which include information on risk alerts, and how these might impact your clients and CDD.”

No one-size-fits-all solution

Firms use a range of approaches when completing FWRAs, including checklists, templates and freeform written documents.

“It’s important to recognise that one size doesn’t fit all,” says Karen. “It’s very dependent on the size and nature of the firm.”

“Checklists can be useful as part of the first stage of the process in that they help you identify the risks your firm faces,” says Michelle. “But that then feeds into the assessment that follows, so we’d expect another document to sit alongside the checklist.”

Templates can also be a helpful tool, especially for smaller firms. To encourage firms to provide more in-depth information and analysis, ICAEW has recently refreshed its firm-wide risk assessment template.

“If you choose to use a template, it mustn’t be too generic,” warns Michelle. “You need to include specific details of your client base and services, and a proper analysis of the risks.”

Another option is to write your own assessment. “We know firms can feel nervous about this approach because they fear they could miss something and get penalised for it,” Michelle acknowledges. “But done properly and rigorously, they do work well, and we see really good examples of the freeform approach.”

Show your working

So, what are reviewers looking for in a good FWRA? “I think the advice to ‘show your working’ in school exams is a good analogy,” says Kevin. “That’s what we’d like to see: clear consideration of AML risk factors, and clear conclusions on each of these and on the overall AML risk.”

It’s also important to show that the assessment is being updated and revisited. “We do see some that are out-of-date,” says Kevin. “It could be that a firm’s undertaken some significant acquisition activity, bringing in new service lines or clients, but then they’ve not reflected this in the firm-wide risk assessment.”

“We don’t think you should do the whole exercise every year,” says Sandy. “But we recommend you review and refresh it annually to check whether there have been any significant changes in your client base or services, or whether there are any emerging risks.”

“A review of the assessment should be something you have a marker in your diary to do on an annual basis when you do your compliance reviews,” suggests Karen. “But that doesn’t negate the fact that if there is a significant change in the intervening period, you should still revisit it at that stage. Firms change and risks change; they don’t just stay the same.”

Mind the gap

Gaps in FWRAs are a common finding during review visits. “Sometimes it doesn’t cover all areas,” says Karen. “It might look at the client base and services but then not go any further to consider geography or transactions. And it may not go into the level of granularity that is useful for the firm.”

“Something we might see, for example, is where firms are doing lots of payrolls but they aren’t mentioning that in the assessment,” she explains. “Because they haven’t thought about the risks from a money laundering perspective, they haven’t thought about how to mitigate those risks and whether they need to enhance procedures. That kind of gap is something I see quite often on visits.”

“We also see cases where the firm’s conclusions are unclear or not present,” says Kevin. “And sometimes the conclusion reached isn’t consistent with the analysis undertaken, without any explanation of why that is.”

Misuse of templates and checklists is another problem. These may be out-of-date, so not covering all the risks. “Or what we sometimes see,” says Karen, “is firms have found an example or template on the internet and then tried to shoehorn their own firm into that example, which doesn’t really meet the purpose or give the benefits of the assessment itself.”

“A good firm-wide risk assessment is where the firm has stood back and taken a holistic view,” she stresses. “It’s not a tick-box exercise. It involves thinking about the circumstances of the firm and applying that in-depth knowledge and understanding to derive the assessment.”

“A lot of the principles behind firm-wide risk assessments apply to risk management more generally,” adds Kevin. “It’s not necessarily about eliminating all AML risks, because that is really difficult. Rather it’s about reducing them to as low a level as is acceptable to the firm.”
