AML Risk Assessment for Payment Institutions: A Practical Step-by-Step Guide

Regulatory Counsel · March 2026 · 9 min read

Key Takeaways

  • Regulation 18 of the MLRs 2017 requires every payment institution to carry out a business-wide risk assessment identifying and assessing money laundering and terrorist financing risks relevant to its business.
  • The BWRA must cover customer risk, product/service risk, transaction risk, delivery channel risk and geographic risk — each assessed with granularity specific to the firm's actual business profile.
  • The FCA expects the BWRA to be a living document reviewed at least annually and updated when the firm's business model, customer base, product offering or risk environment changes materially.
  • Common deficiencies include generic risk assessments copied from templates, failure to use the firm's own transaction data, absence of quantitative analysis, and risk ratings that are not reflected in operational controls.
  • The BWRA must directly inform the firm's policies, procedures and controls — there should be a clear, documented link between identified risks and the specific mitigating measures applied.

The business-wide risk assessment (BWRA) is the foundational document in every payment institution's anti-money laundering and counter-terrorist financing framework. Under Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), every relevant person — including authorised payment institutions and registered small payment institutions — must take appropriate steps to identify and assess the money laundering and terrorist financing risks to which its business is subject. The BWRA is typically the first document the FCA asks for, and the one it reads most closely, in any AML-focused supervisory engagement, and deficiencies in the BWRA are among the most common findings in FCA enforcement and supervisory actions against payment firms.

What Is a Business-Wide Risk Assessment?

The BWRA is a documented assessment of the money laundering and terrorist financing risks to which a firm is exposed, taking into account the nature, scale and complexity of its activities. It is not a customer-level or transaction-level assessment — those are separate obligations under the CDD requirements of the MLRs. Instead, the BWRA provides the strategic, firm-level view of risk that informs the design and calibration of all downstream AML controls.

The purpose of the BWRA is to ensure that the firm understands its risk profile and allocates compliance resources proportionately. A firm with a low-risk profile should not be operating the same intensity of controls as a firm with a high-risk profile — but equally, a firm with objectively high-risk characteristics cannot justify light-touch controls simply because it has not experienced detected financial crime to date.

Step 1: Define the Scope and Methodology

The BWRA should begin with a clear statement of scope — which entities, business lines, products and jurisdictions are covered — and the methodology used to assess risk. The methodology should define: the risk categories assessed (customer, product, transaction, delivery channel, geographic); the risk factors considered within each category; the rating scale (typically low, medium, high, with some firms using a numerical scoring system); the basis for assigning ratings (quantitative data, qualitative judgment or both); and how inherent risk, controls effectiveness and residual risk are distinguished.

The FCA does not prescribe a specific methodology. Firms have flexibility to design an approach that is proportionate to their business. However, the methodology must be documented, consistently applied and capable of producing meaningful risk differentiation — a BWRA where every category is rated 'medium' provides no useful information and will attract supervisory criticism.

Step 2: Identify and Assess Risk Factors

The core of the BWRA is the identification and assessment of specific risk factors across each risk category:

Customer risk. Assess the ML/TF risk profile of the firm's customer base by segment. Relevant factors include: customer type (individual, corporate, trust) and whether the customer or its beneficial owners are politically exposed persons (PEPs); geographic location of customers; industry or sector of corporate customers; source of funds and wealth; customer behaviour patterns; and the proportion of customers presenting higher-risk indicators.

Product and service risk. Assess the inherent risk of each product or service offered. Higher-risk features include: cash-based services; anonymous or semi-anonymous products; high-value single transactions; rapid movement of funds across borders; and products that facilitate complex or opaque transaction chains.

Transaction risk. Assess the volume, value and pattern of transactions. Consider: average transaction values; frequency and velocity of transactions; proportion of cross-border versus domestic; proportion of transactions involving higher-risk jurisdictions; and presence of unusual or complex transaction patterns.

Delivery channel risk. Assess how products and services are delivered. Non-face-to-face onboarding, agent distribution networks and digital-only channels present different risk profiles from branch-based, in-person delivery.

Geographic risk. Assess the jurisdictional exposure of the firm's operations, customer base and payment flows. Reference sources include: the FATF lists of high-risk jurisdictions subject to a call for action (the 'black list') and jurisdictions under increased monitoring (the 'grey list'); national risk assessments; the Transparency International Corruption Perceptions Index; the Basel AML Index; and the firm's own data on jurisdictional transaction flows. External indices are inputs, not the answer: the firm's own flow data determines which jurisdictions actually matter to it.

Step 3: Assess Controls and Determine Residual Risk

For each risk category, the BWRA should assess the effectiveness of the firm's existing controls in mitigating the identified inherent risks. Controls include: CDD and enhanced due diligence procedures; transaction monitoring systems and rules; sanctions screening; staff training; suspicious activity reporting processes; and governance and oversight. Effectiveness ratings should rest on evidence — assurance testing results, monitoring alert and SAR management information, audit findings — rather than on the fact that a control exists on paper. The residual risk — the risk remaining after controls are applied — should be documented for each category. Where residual risk exceeds the firm's risk appetite, the BWRA should identify the specific additional measures required, with an owner and a target date.
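Steps 1 to 3 describe a methodology (documented rating scale, inherent risk from the firm's own data, controls effectiveness, residual risk against appetite) but the guide gives no worked calculation. The block below is an added example, not code from the original page, from the FCA or from any firm's methodology. The transaction records are constructed, the rating thresholds, the control-effectiveness matrix, the GBP 10,000 high-value threshold and the risk appetite are all assumptions to be replaced with the firm's own documented choices, and the codes XA and XB are ISO 3166-1 user-assigned placeholders standing in for whatever higher-risk jurisdictions the firm's country model identifies. What it shows is the shape of a quantitative BWRA: each category's inherent rating is derived from a measured share of the firm's activity, so the output differentiates between categories instead of rating everything 'medium'.

```python
"""Worked business-wide risk assessment scoring over transaction data.

Added example for this guide. Thresholds, the control-effectiveness
matrix and the risk appetite are assumptions, not a regulatory method.
"""

# Rating scale (assumed three-band scale; some firms use numeric scores).
RATING_LEVEL = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
LEVEL_RATING = {v: k for k, v in RATING_LEVEL.items()}

# Assumed scale: a category is rated by the share of activity that carries
# its risk indicator. Checked in descending order, first match wins.
RATING_THRESHOLDS = [(0.25, "HIGH"), (0.10, "MEDIUM"), (0.0, "LOW")]

# Assumed control-effectiveness matrix: number of rating bands an evidenced
# control rating reduces inherent risk by (floored at LOW).
CONTROL_REDUCTION = {"weak": 0, "adequate": 1, "strong": 2}

HIGH_VALUE_THRESHOLD = 10_000.0      # assumed single-transaction threshold, GBP
NON_FACE_TO_FACE_CHANNELS = {"agent"}  # assumed higher-risk delivery channel

# Constructed sample records: (customer, value GBP, origin, destination, channel).
# XA/XB are ISO 3166-1 user-assigned codes used as placeholders for
# jurisdictions the firm's own country-risk model rates as higher risk.
HIGHER_RISK_JURISDICTIONS = {"XA", "XB"}
SAMPLE_TRANSACTIONS = [
    ("C1", 250.0, "GB", "GB", "app"),
    ("C2", 4800.0, "GB", "GB", "app"),
    ("C3", 12000.0, "GB", "XA", "agent"),
    ("C4", 900.0, "GB", "DE", "app"),
    ("C5", 60.0, "GB", "GB", "app"),
    ("C3", 11500.0, "GB", "XA", "agent"),
    ("C6", 700.0, "FR", "GB", "app"),
    ("C7", 150.0, "GB", "GB", "app"),
    ("C8", 3200.0, "GB", "XB", "agent"),
    ("C9", 420.0, "GB", "GB", "app"),
]

# Assumed per-category control ratings, as they would come out of the
# firm's assurance testing rather than from the existence of a policy.
ASSUMED_CONTROLS = {
    "customer": "adequate",
    "product": "adequate",
    "transaction": "strong",
    "delivery_channel": "weak",
    "geographic": "adequate",
}


def rate(share):
    """Map an indicator share (0.0 to 1.0) onto the documented rating scale."""
    for threshold, rating in RATING_THRESHOLDS:
        if share >= threshold:
            return rating
    return "LOW"


def inherent_metrics(txns, higher_risk=HIGHER_RISK_JURISDICTIONS):
    """One measured indicator share per MLRs risk category, from the data itself."""
    n = len(txns)
    touches_higher_risk = [t for t in txns if t[2] in higher_risk or t[3] in higher_risk]
    customers = {t[0] for t in txns}
    higher_risk_customers = {t[0] for t in touches_higher_risk}
    return {
        "customer": len(higher_risk_customers) / len(customers),
        "product": sum(t[1] >= HIGH_VALUE_THRESHOLD for t in txns) / n,
        "transaction": sum(t[2] != t[3] for t in txns) / n,
        "delivery_channel": sum(t[4] in NON_FACE_TO_FACE_CHANNELS for t in txns) / n,
        "geographic": len(touches_higher_risk) / n,
    }


def residual_rating(inherent, control):
    """Apply the control-effectiveness matrix to an inherent rating."""
    level = max(RATING_LEVEL[inherent] - CONTROL_REDUCTION[control], 1)
    return LEVEL_RATING[level]


def assess(txns, controls, appetite="MEDIUM"):
    """Inherent -> residual per category, flagging breaches of risk appetite."""
    result = {}
    for category, share in inherent_metrics(txns).items():
        inherent = rate(share)
        residual = residual_rating(inherent, controls[category])
        result[category] = {
            "share": round(share, 3),
            "inherent": inherent,
            "control": controls[category],
            "residual": residual,
            "breach": RATING_LEVEL[residual] > RATING_LEVEL[appetite],
        }
    return result


if __name__ == "__main__":
    for category, row in assess(SAMPLE_TRANSACTIONS, ASSUMED_CONTROLS).items():
        flag = "  <-- exceeds appetite, remediation required" if row["breach"] else ""
        print(f"{category:17s} share={row['share']:.3f} inherent={row['inherent']:6s} "
              f"control={row['control']:8s} residual={row['residual']}{flag}")
```

On the constructed sample the transaction category is inherently HIGH (half the flows are cross-border) but residually LOW because monitoring is rated strong, while the agent channel stays HIGH under weak controls and is the one category breaching a MEDIUM appetite. That is exactly the "documented link between identified risks and the specific mitigating measures applied" the FCA looks for: every residual rating traces back to a measured share and a named control rating, and a change in either reruns through to the conclusion.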

Step 4: Document, Approve and Communicate

The completed BWRA must be formally approved by the firm's senior management — the FCA expects board-level or equivalent sign-off. The document should be communicated to relevant staff, particularly the compliance team, MLRO and senior managers responsible for business areas identified as higher risk. The BWRA should be treated as a controlled document with version history, review dates and clear ownership.

Step 5: Review and Update

The BWRA is a living document. Regulation 18(4) of the MLRs requires firms to keep an up-to-date written record of the assessment and the steps taken to produce it. The FCA expects review at least annually and more frequently if triggered by material changes — such as new products or services, entry into new markets, significant changes in customer base, regulatory developments or identified compliance failures. Each review should be documented, including the changes made and the rationale, so that the version history shows why a rating moved rather than only that it did.

Common FCA Findings and Deficiencies

The FCA has published extensive guidance on BWRA expectations and has highlighted common deficiencies in enforcement notices, Dear CEO letters and thematic reviews. The most frequent problems include: generic risk assessments copied from templates without firm-specific analysis; failure to use the firm's own transaction data and management information; absence of quantitative analysis (relying entirely on subjective qualitative judgment); risk ratings that bear no relationship to the firm's actual risk profile; no documented link between the BWRA and the firm's operational AML policies and controls; failure to update the BWRA following material business changes; and approval by junior staff rather than senior management or the board.

Regulatory Counsel advises payment institutions and EMIs on AML framework design, business-wide risk assessments, FCA supervisory preparation and remediation. Contact us for a free initial consultation. See our financial crime services page for more.

Frequently Asked Questions

How often must the BWRA be reviewed?
At least annually, and more frequently if triggered by material changes such as new products, markets, significant customer base shifts or regulatory developments.

What is the most common BWRA deficiency the FCA identifies?
Generic risk assessments copied from templates without firm-specific data or analysis. The FCA expects the BWRA to reflect the firm's actual business, customers and transaction patterns.

Does the FCA prescribe a BWRA methodology?
No. Firms have flexibility to design a proportionate approach. However, the methodology must be documented, consistently applied and produce meaningful risk differentiation.

Who should approve the BWRA?
The FCA expects board-level or equivalent senior management approval. BWRAs approved by junior staff attract supervisory criticism.
