A UK guide to writing a business-wide financial crime risk assessment under MLR 2017 reg 18, the FCA Financial Crime Guide, SYSC 6.3 and JMLSG.

A financial crime risk assessment is the document that tells you, your board and your supervisor where your firm is most likely to be used to launder money, finance terrorism or otherwise further financial crime. It is not a compliance formality. Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires a relevant person to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject, taking account of the size and nature of the business. Everything else in your anti-money laundering programme, from customer due diligence to transaction monitoring, is meant to flow from it.
The regulator treats it the same way. The FCA's Financial Crime Guide states that the assessment of financial crime risk is at the core of a firm's AML, counter-terrorist financing and proliferation financing effort and is essential to developing effective policies and procedures. SYSC 6.3 requires firms to have systems and controls that enable them to identify, assess, monitor and manage money laundering risk, and those systems and controls must be comprehensive and proportionate to the nature, scale and complexity of the firm's activities.
This guide sets out how to build a business-wide risk assessment that holds up: the five risk-factor categories you must cover, the inherent-risk to residual-risk method, how to score control effectiveness, and the governance and refresh cycle that keeps the document current. Every rule and expectation cited here comes from MLR 2017, the FCA Financial Crime Guide and SYSC 6.3, JMLSG Guidance Part I, and the UK National Risk Assessment.
Start with the legal duty. Regulation 18 of the Money Laundering Regulations 2017 requires a relevant person to identify and assess the risks of money laundering and terrorist financing to which its business is subject. In doing so, the firm must take into account information made available by its supervisory authority and risk factors relating to its customers, the countries or geographic areas in which it operates, its products or services, its transactions and its delivery channels. The firm must also keep an up-to-date written record of the steps it has taken to compile the assessment, and provide the assessment, the information it was based on and that record to its supervisory authority on request.
The FCA's Financial Crime Guide reinforces the same duty for authorised firms. FCG 3.2.3 confirms that a firm is required by Regulation 18 to undertake a risk assessment, that firms must put in place systems and controls to identify, assess, monitor and manage money laundering, terrorist financing and proliferation financing risk, and that firms must regularly review their risk assessment to ensure it remains current. FCG 2.2.4 adds that a thorough understanding of financial crime risks is key if a firm is to apply proportionate and effective systems and controls, so it can target resources on the areas of greatest risk.
SYSC 6.3 puts this on a systems-and-controls footing. It requires firms to establish systems and controls that enable them to identify, assess, monitor and manage money laundering risk, defined as the risk that a firm may be used to further money laundering. The rules require those controls to be comprehensive and proportionate, that overall responsibility for anti-money laundering systems and controls is allocated to a director or senior manager, and that the firm carries out a regular assessment of the adequacy of those systems and controls. JMLSG Guidance Part I sits alongside these instruments as the industry guidance a firm is expected to have regard to when designing its risk-based approach.
Regulation 18 names five families of risk factor, and both the FCA Financial Crime Guide and JMLSG Part I organise their guidance around the same categories. A comprehensive assessment considers all five rather than leaning on one. The FCG is explicit that it is not normally enough to consider just one factor, and it should draw on a wide range of relevant information rather than a single source.
For each category you identify the specific ways your firm is exposed, then assess how likely and how serious that exposure is. JMLSG describes risk variables that can raise or lower the risk within a category, such as the purpose of an account or relationship, the level of assets a customer will deposit, the size of transactions, and the regularity or duration of the business relationship. These variables, singly or in combination, may increase or decrease the potential risk and therefore the level of due diligence you apply.
The table below maps each category to example indicators drawn from the risk factors listed in Regulation 18 and the self-assessment questions in the FCG. Use it as a prompt list, not a limit; your own products, customers and markets will suggest others.
| Risk-factor category | What it covers | Example indicators to assess |
|---|---|---|
| Customer | The types of customer and beneficial owner you serve | Politically exposed persons, complex ownership structures, cash-intensive businesses, non-resident customers |
| Product or service | The products, services and business lines you offer | Products allowing third-party or anonymous funding, private banking, trade finance, cryptoasset services |
| Geographic | The countries or areas you operate in or connect to | Higher-risk jurisdictions flagged by FATF, sanctioned territories, countries with weak AML regimes |
| Delivery channel | How you onboard customers and deliver services | Non-face-to-face onboarding, reliance on intermediaries or agents, internet and telephone channels |
| Transaction | The pattern, size and complexity of activity | Large or unusually structured transactions, high volumes, rapid movement of funds, links to high-risk parties |
A business-wide risk assessment works in three linked stages. First you assess inherent risk, meaning the level of financial crime risk in each area before you take account of any controls. Then you assess how effective your controls are at mitigating that risk. Finally you arrive at residual risk, the exposure that remains once controls are applied. The FCA has publicly confirmed this three-part structure in its November 2025 findings on firms' risk assessment processes and controls, which describe good assessments as identifying inherent risks, control effectiveness and residual risk.
Assess inherent risk using both qualitative judgement and quantitative data. The FCA's findings treat assessments that combine quantitative and qualitative analysis, and that weight factors and sub-factors, as good practice, while assessments that rely on qualitative opinion alone, or that conclude an area is low risk without supporting evidence, are examples of poor practice. In practice this means using metrics such as customer counts by risk band, transaction volumes and values, and product exposure, alongside informed judgement about how each risk factor plays out in your firm.
The output is a residual-risk rating for each area that you can defend. The FCA warns against inappropriate risk classification systems, giving the example of a system so constructed that it is almost impossible for a relationship to be classified as high risk, or higher-risk countries being allocated low-risk scores to avoid enhanced due diligence. Your residual ratings should drive real decisions: the level of customer due diligence, whether to accept or maintain a relationship, and where to concentrate monitoring and resource.
Combining an inherent-risk rating with an assessment of control effectiveness produces the residual-risk cell that should drive due diligence and monitoring decisions.
High inherent risk / Weak controls
9
High inherent risk / Adequate controls
6
High inherent risk / Strong controls
4
Medium inherent risk / Weak controls
6
Medium inherent risk / Adequate controls
4
Medium inherent risk / Strong controls
2
The middle stage is where many assessments are weakest, because it is tempting to assume that a documented control is an effective one. It is not the same thing. To rate control effectiveness you need evidence that a control exists, that it is designed to address the specific risk, and that it operates as intended. The FCA's findings treat a conclusion that controls are effective, reached without supporting evidence, as poor practice, and expect firms to test controls, including when they enhance or automate processes.
A workable approach is to rate each control on a simple scale, for example strong, adequate or weak, using inputs such as control testing results, internal audit and compliance monitoring outcomes, transaction monitoring alert performance, and management information. The FCG lists useful management information for this purpose, including an overview of the effectiveness of the firm's financial crime systems and controls, the number and nature of high-risk relationships, the number of transaction monitoring alerts, and information about suspicious activity reports considered or submitted.
Feed the resulting control-effectiveness rating into the residual-risk matrix. A high inherent risk paired with weak controls is your highest-priority residual risk and should trigger a documented remediation action with a named owner and a deadline. The FCA's findings identify formally tracking actions and assigning owners to mitigation initiatives as good practice, so treat the assessment as the start of a control-improvement cycle rather than a static report. Nasara Connect's control platform lets you record inherent scores, control tests and residual ratings against each risk factor so the working is transparent and audit-ready.
A risk assessment carries weight only if the right people own it. The FCG expects senior management to take clear responsibility for managing financial crime risks and to be actively engaged in the firm's approach, and SYSC 6.3 requires overall responsibility for anti-money laundering systems and controls to be allocated to a director or senior manager. In practice the assessment should be reviewed and approved by senior management or a relevant committee, with that approval and the supporting rationale documented. The FCA's findings cite sharing the assessment with senior management and committees for review and approval, and formally logging and approving methodology changes, as good practice.
Use a wide range of internal and external sources so the assessment is more than an internal opinion. The FCG points firms towards the National Risk Assessment, FATF mutual evaluations and typology reports, National Crime Agency alerts, press reports, court judgements and reports by non-governmental organisations. The UK National Risk Assessment of money laundering and terrorist financing, published by HM Treasury in December 2020, sets out the key money laundering and terrorist financing risks for the UK and is a primary external input that firms are expected to reflect in their own assessments.
Finally, keep it current. Regulation 18 requires the record to be up to date, the FCG treats risk assessment as a continuous process rather than a one-off exercise and lists a one-off assessment as poor practice, and the FCA's 2025 findings point to a formal annual review supplemented by triggered updates. Refresh the assessment on a set cycle and whenever something material changes, such as a new product, a new market, a change in customer base or a new external threat, and record what changed and why.
The FCA's published good and poor practice gives a clear picture of what goes wrong. Generic assessments that ignore the specifics of money laundering, sanctions and terrorist financing are a common failing, as are assessments that rely only on qualitative opinion without quantitative data. Conclusions of low risk or effective controls that lack supporting evidence, and customer risk assessments that are not updated as the business grows, are also flagged as poor practice.
The FCG adds its own list of pitfalls: treating risk assessment as a one-off exercise, understanding risk in a piecemeal and uncoordinated way, and producing assessments that are incomplete. It also warns against risk classification systems that make it almost impossible to rate a relationship as high risk, and against allocating low-risk scores to higher-risk countries in order to avoid enhanced due diligence.
The remedy is discipline in three areas: cover all five risk-factor categories, base each rating on evidence you could show a supervisor, and connect the residual ratings to real decisions and actions. An assessment that does those three things will satisfy Regulation 18, align with the FCG and SYSC 6.3, and give your board a genuine view of where the firm is exposed.
A financial crime risk assessment is only as good as the decisions it drives. Cover the five risk-factor categories from Regulation 18, work methodically from inherent risk through control effectiveness to residual risk, and back every rating with evidence a supervisor could examine. Give it clear senior ownership, draw on external sources such as the National Risk Assessment and FATF reports, and keep it current through a defined refresh cycle. Done this way, the assessment satisfies MLR 2017, aligns with the FCA Financial Crime Guide and SYSC 6.3, and tells your board something it can act on.
If you want the working to be transparent rather than buried in a spreadsheet, the right tooling helps. Nasara Connect gives regulated firms a structured way to score inherent risk, test controls, record residual ratings and evidence senior sign-off against the exact rules and guidance. To see how it fits your firm, request a demo and walk through a live business-wide risk assessment with our team.
It is a business-wide assessment that identifies and assesses the money laundering and terrorist financing risks a firm is exposed to. Regulation 18 of the Money Laundering Regulations 2017 requires it, and it covers risk factors relating to customers, geography, products or services, delivery channels and transactions. It underpins the firm's wider anti-money laundering systems and controls.
Regulation 18 of MLR 2017 names five categories: customers; the countries or geographic areas in which the firm operates; its products or services; its transactions; and its delivery channels. The FCA Financial Crime Guide and JMLSG Part I organise their guidance around the same categories, and a comprehensive assessment considers all five rather than relying on one.
Inherent risk is the level of financial crime risk in an area before any controls are taken into account. Residual risk is the exposure that remains once you apply controls and account for how effective they are. The FCA's November 2025 findings describe good assessments as identifying inherent risk, control effectiveness and residual risk in that sequence.
It must be kept up to date. Regulation 18 requires an up-to-date record, the FCA Financial Crime Guide treats risk assessment as a continuous process and lists a one-off exercise as poor practice, and the FCA's 2025 findings point to a formal annual review supplemented by triggered updates when a material change or new threat arises.
Senior management should own it. The FCA Financial Crime Guide expects senior management to take clear responsibility for financial crime risks and be actively engaged, and SYSC 6.3 requires overall responsibility for anti-money laundering systems and controls to be allocated to a director or senior manager. The assessment should be reviewed and approved at that level, with the rationale documented.
The FCA Financial Crime Guide points firms towards the UK National Risk Assessment, FATF mutual evaluations and typology reports, National Crime Agency alerts, press reports, court judgements and reports by non-governmental organisations. The HM Treasury National Risk Assessment 2020 is a key external input firms are expected to reflect in their own assessments.
Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.