Compliance Risk Assessment: A Practical Guide for UK Firms
Learn how to identify, evaluate, and mitigate regulatory risks. A step-by-step compliance risk management framework aligned with FCA expectations and Money Laundering Regulations 2017.

A compliance risk assessment is the structured process by which a firm identifies the regulatory obligations relevant to its activities, evaluates the likelihood and impact of failing to meet them, and implements controls to reduce residual exposure to an acceptable level. In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 make a documented, risk-based approach a legal obligation, not an optional best practice. Firms that treat it as a one-off exercise or a box-ticking formality face enforcement action, financial penalties, and, under SM&CR, personal liability for senior managers who approved inadequate frameworks.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Firms should seek independent legal counsel to assess their specific obligations.
What is a compliance risk assessment?
A compliance risk assessment is a formal evaluation that maps an organisation's regulatory exposure, scores each identified risk, and produces a documented plan for reducing that exposure through targeted controls. It is distinct from a general enterprise risk assessment: it focuses specifically on the risk of violating laws, regulations, rules, codes of conduct, or internal policies, and on the consequential harm that flows from those violations, including regulatory sanctions, reputational damage, and financial loss.
In regulated UK sectors, two separate but interlinked assessments are required as of March 2026:
- Business-Wide Risk Assessment (BWRA): A firm-level view of all material compliance risks, covering the products and services offered, the customer base, geographies, delivery channels, and the firm's vulnerability to money laundering, terrorist financing, and other regulatory breaches. The FCA expects this to be a living document, reviewed formally at least annually and updated whenever material changes occur.
- Customer Risk Assessment (CRA): A transaction- or relationship-level assessment applied to individual customers or prospects, rating them against factors such as PEP status, source of funds, country risk, and business type.
Organisations that conduct both quantitative and qualitative assessments, using weighted risk factors rather than binary pass/fail scores, consistently demonstrate lower residual risk and stronger regulator relationships, according to findings the FCA published in November 2025 following its multi-firm review of risk assessment processes.
The FCA's multi-firm review, published in November 2025, identified a clear divergence between firms with mature compliance risk management and those operating inadequate frameworks. Good practice included documented senior management sign-off, weighted risk scoring, and integration across business lines. Poor practice included static assessments that had not been updated in years, a narrow focus on a single risk type, and no evidence of board or senior manager engagement.
For a broader view of how risk assessment fits within a firm's overall governance structure, see our guide to governance, risk management and compliance (GRC).
Five steps to build a robust compliance risk management framework
A robust compliance risk management framework follows five sequential steps: scope definition, risk identification, risk evaluation, control design and implementation, and monitoring with periodic review. Skipping any step, particularly the monitoring and review phase, is among the most common failures identified by the FCA.
Step 1: Define scope and regulatory universe
Before assessing any risk, the firm must establish which regulations apply to it. In the UK, the regulatory universe for a financial services firm typically includes the Money Laundering Regulations 2017, the Proceeds of Crime Act 2002 (POCA 2002), FCA Handbook rules (including SYSC 6.3.1, which requires firms to establish and maintain appropriate systems and controls against the risk of being used to further financial crime), and the FATF 40 Recommendations, which inform the UK's national risk assessment framework.
Scope definition must also identify the business units, products, geographies, customer segments, and third parties in scope. Firms with correspondent banking relationships, high-volume cash transactions, or cross-border payment flows will have a materially larger scope than a domestic retail lender.
Step 2: Identify compliance risks
Risk identification draws on multiple sources: regulatory publications and Dear CEO letters, horizon scanning for forthcoming legislation, internal incident logs, findings from previous audits, staff interviews, and benchmarking against industry typologies published by the National Crime Agency (NCA) and the Joint Money Laundering Steering Group (JMLSG). The JMLSG Guidance provides sector-specific typologies and risk indicators that regulated firms are expected to apply.
Each identified risk should be recorded in a risk register with a unique identifier, a plain-English description, the regulatory obligation it relates to, and the business area it affects. Risks left undescribed are risks that go unmanaged.
Step 3: Evaluate likelihood and impact
Risk evaluation assigns two scores to each identified risk, the likelihood of the risk materialising and the impact if it does, producing an inherent risk rating before any controls are applied. Controls are then assessed for their effectiveness, yielding a residual risk rating.
The table below illustrates a standard three-tier scoring framework aligned with FCA expectations:
| Risk component | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Inherent likelihood | Rare; no prior incidents; low-risk sector | Possible; some indicators; moderate exposure | Frequent or near-certain; active typologies present |
| Inherent impact | Minor operational disruption; immaterial penalty | Significant fine; reputational damage; customer harm | Regulatory censure; licence at risk; criminal referral |
| Inherent risk score | 1–2 | 3–4 | 6–9 |
| Control effectiveness | Robust; tested; automated; fully documented | Partial; manual; inconsistently applied | Weak; untested; absent |
| Residual risk | Low; acceptable with standard monitoring | Medium; requires enhanced monitoring and owner accountability | High; requires immediate remediation and senior management escalation |
Firms using purely qualitative labels ("low / medium / high") without weighted scores give senior management and regulators no basis for comparing risks across business lines. Weighted, numerical scoring, even on a simple 1–3 scale, produces defensible, comparable results.
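As an added example (not code from this article or from CheckFile), the three-tier framework above applied to a small risk register. It takes the inherent score as likelihood × impact, which is the only way to reach the table's 1–9 range, and assumes, as a labelled assumption, a control-effectiveness factor that scales the inherent score into the residual rating; the register entries are constructed sample data.

```python
"""Weighted compliance risk scoring for a risk register (added example)."""
from dataclasses import dataclass
from math import ceil

# Score bands from the three-tier table. A product of two 1-3 scores can only
# be 1, 2, 3, 4, 6 or 9, so these upper bounds partition every outcome.
BANDS = ((2, "Low"), (4, "Medium"), (9, "High"))

# ASSUMPTION (not from the article): how far each control-effectiveness tier
# (1 = robust, 2 = partial, 3 = weak) scales the inherent score downwards.
CONTROL_FACTOR = {1: 0.5, 2: 0.75, 3: 1.0}

# Follow-up required per residual band, as stated in the table.
ACTION = {
    "Low": "standard monitoring",
    "Medium": "enhanced monitoring and owner accountability",
    "High": "immediate remediation and senior management escalation",
}


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str                # unique identifier in the register
    description: str            # plain-English description
    obligation: str             # regulatory obligation it relates to
    business_area: str          # business area affected
    likelihood: int             # 1 rare, 2 possible, 3 frequent
    impact: int                 # 1 minor, 2 significant, 3 censure/licence
    control_effectiveness: int  # 1 robust, 2 partial, 3 weak

    def __post_init__(self):
        # Reject scores outside the 1-3 scale before they reach the scorer.
        for name in ("likelihood", "impact", "control_effectiveness"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{self.risk_id}: {name} must be 1, 2 or 3")


def band(score):
    """Map a 1-9 score onto the table's Low / Medium / High bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside the 1-9 range")


def inherent_score(e):
    return e.likelihood * e.impact


def residual_score(e):
    # Round up so partial mitigation never drops a risk a whole band on its own.
    return ceil(inherent_score(e) * CONTROL_FACTOR[e.control_effectiveness])


def score_register(entries):
    """Score every entry and return rows ordered by residual score, highest first."""
    rows = []
    for e in entries:
        inh, res = inherent_score(e), residual_score(e)
        rows.append({"risk_id": e.risk_id, "area": e.business_area,
                     "inherent": inh, "inherent_band": band(inh),
                     "residual": res, "residual_band": band(res),
                     "action": ACTION[band(res)]})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def escalations(entries):
    """Risk IDs whose residual band requires senior management escalation."""
    return [r["risk_id"] for r in score_register(entries) if r["residual_band"] == "High"]


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "High-risk customers onboarded without EDD", "MLRs 2017", "Retail onboarding", 3, 3, 3),
    RiskEntry("R-002", "Missed SAR escalation from monitoring alerts", "POCA 2002", "Payments", 2, 3, 1),
    RiskEntry("R-003", "BWRA sign-off overdue", "MLRs 2017 reg. 18", "Compliance", 2, 2, 2),
    RiskEntry("R-004", "Right-to-work documents checked manually only", "Right-to-work checks", "HR", 1, 2, 2),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(row)
```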
Step 4: Design and implement controls
Controls should be proportionate to the residual risk score. High residual risks require preventive controls (blocking or deterring the breach before it occurs), detective controls (identifying a breach quickly after it occurs), and corrective controls (restoring compliance and remediating harm). Medium risks may be managed with detective and corrective controls alone, with documented rationale for that decision.
For document-intensive compliance workflows, such as customer due diligence, right-to-work checks, or supplier onboarding, automated document verification reduces the reliance on manual review, which is one of the most common sources of control failure. Automation does not replace compliance judgement; it ensures that the raw data on which that judgement depends is accurate, current, and consistently captured.
Step 5: Monitor, test, and review
The compliance risk management cycle closes with ongoing monitoring and formal periodic review. The FCA expects the BWRA to be reviewed at least annually, with the review documented and signed off by senior management. Reviews should also be triggered by material events: a new product launch, entry into a new market, a significant regulatory development, or an internal incident.
Monitoring mechanisms include management information reports, key risk indicators (KRIs), transaction monitoring alerts, file reviews, and thematic internal audits. The results should feed back into the risk register, updating likelihood and control effectiveness scores.
Firms with annual formal review cycles and documented board sign-off have consistently fared better in FCA supervisory visits than those relying on informal or ad hoc updates, a finding explicitly noted in the FCA's November 2025 multi-firm review.
UK regulatory requirements: FCA, JMLSG, and the Money Laundering Regulations 2017
UK firms operating in regulated sectors face a layered set of compliance obligations, each with its own documentation and governance requirements. As of March 2026, the principal legal and regulatory sources are:
Money Laundering Regulations 2017 (MLRs 2017): Regulation 18 of the MLRs 2017 requires relevant persons to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which their business is subject, having regard to risk factors including customers, countries or geographic areas, products, services, transactions, and delivery channels. The assessment must be kept up to date and made available to the relevant supervisory authority on request.
FCA SYSC 6.3.1: Under the FCA Handbook, senior management at regulated firms must take reasonable care to establish and maintain appropriate systems and controls for compliance with applicable requirements relating to financial crime. SYSC 6.3.1R is a binding rule, not guidance, and the FCA has used it as the basis for enforcement action against firms where the compliance framework was found to be inadequate.
SM&CR: The Senior Managers and Certification Regime means that the senior manager with responsibility for anti-financial crime, typically the MLRO or a designated executive, is personally accountable for the adequacy of the firm's compliance risk framework. If an FCA investigation finds that oversight was wanting and the senior manager failed to take reasonable steps to prevent the breach, they face individual sanctions including fines, prohibition orders, and reputational damage.
JMLSG Guidance: The JMLSG's sector-specific guidance, approved by HM Treasury, provides detailed methodologies for risk-based compliance in banking, asset management, payments, and other subsectors. The JMLSG guidance is not legally binding, but the FCA expects firms to follow it unless they can demonstrate a well-reasoned alternative approach.
POCA 2002 and the National Crime Agency (NCA): The Proceeds of Crime Act 2002 creates criminal offences for facilitating money laundering and failing to make Suspicious Activity Reports (SARs). The NCA, which operates the UK Financial Intelligence Unit, publishes annual SAR statistics and typology reports that should inform every firm's compliance risk identification process.
For UK-based firms with EU operations or customers, the obligations under AMLD6 (Directive 2024/1640) must also be considered. Our detailed guide to AMLD6 and its implications for obliged entities covers the expanded scope, new penalties, and the role of AMLA as the EU-level supervisor.
The FATF Mutual Evaluation of the UK, most recently updated in 2022 and monitored on an ongoing basis, assessed the UK as having significant technical compliance with the FATF 40 Recommendations but identified persistent gaps in beneficial ownership transparency and the oversight of certain designated non-financial businesses and professions (DNFBPs), both of which directly inform the risk factors UK firms must address in their BWRA.
Common failures in compliance risk management
The most frequent compliance risk management failures are static assessments, absent senior management approval, departmental silos, and narrow risk focus. These are not theoretical concerns: the FCA's November 2025 multi-firm review documented all four as widespread.
Static, outdated assessments are the single most cited failure. A BWRA prepared three years ago and filed without amendment does not reflect the firm's current risk profile. Regulatory expectations have changed, new products have launched, the customer base has evolved, and new typologies have emerged. Regulators do not accept historical documentation as evidence of current compliance.
No documented senior management approval is a governance failure with direct SM&CR consequences. The FCA requires evidence that the senior manager responsible for financial crime has reviewed and approved the risk assessment. A risk assessment that sits in a compliance team folder without board or ExCo visibility is not a governed document; it is a liability. A survey by a major compliance membership body found that 81% of compliance officers report that their board does not fully understand the complexity of the regulatory obligations their firm faces. This gap between the compliance function and senior leadership is not merely a cultural problem; under SM&CR, it creates personal exposure for the responsible senior manager.
Departmental silos produce fragmented risk pictures. When the AML team does not share intelligence with the fraud team, and the credit risk team does not communicate with the sanctions team, material risk concentrations go undetected. Effective compliance risk management requires cross-functional risk registers, shared data, and governance forums that bring together representatives from all relevant functions.
Narrow risk focus means that a firm assesses money laundering risk in isolation without considering sanctions, bribery and corruption, data protection, market conduct, or consumer duty obligations. The FCA expects the BWRA to address all material compliance risks, not only those directly related to financial crime.
The board-as-checkbox problem, frequently discussed on compliance forums and in practitioner communities, arises when senior leadership treats the annual compliance risk review as a formality rather than a strategic input. The practical consequence is under-resourced compliance functions, delayed remediation of identified gaps, and a culture in which staff do not escalate concerns because they believe the board will not act. Under SM&CR, this is not a cultural inconvenience; it is a documented risk factor that regulators will consider when determining whether a senior manager took "reasonable steps."
The solution is not to present a longer risk register at board meetings. It is to translate compliance risk scores into financial terms (potential fines, remediation costs, revenue at risk) so that board members who are not compliance specialists can engage meaningfully with the information. Reviewing your overall compliance infrastructure periodically, including how data flows between systems, is a foundational step in breaking down the silos that produce these failures.
How technology strengthens your compliance risk assessment
Technology does not replace the judgement required for compliance risk management, but it eliminates the manual bottlenecks that cause assessments to become outdated, inconsistent, and unauditable.
Automated document verification addresses one of the most persistent control weaknesses: the reliance on manual review of customer documents during onboarding and periodic review. Manual review is slow, inconsistently applied across teams, and produces no structured audit trail. Automated verification, applied to identity documents, proof of address, company registration certificates, and financial statements, produces a consistent, timestamped record of what was checked, when, and what was found. This directly supports the CRA by ensuring that the data feeding the risk score is accurate.
Risk scoring engines allow firms to implement the weighted, quantitative scoring methodology that the FCA expects, applied consistently across thousands of customers or transactions rather than relying on individual analyst discretion. The engine applies the same criteria to every record, flags outliers for human review, and produces MI that feeds directly into the BWRA.
Workflow and case management tools ensure that identified risks are assigned to named owners, tracked to resolution, and escalated automatically when deadlines are missed. This addresses the "no documented senior management approval" failure: the system creates an audit trail showing exactly who reviewed what, and when.
Regulatory change management platforms monitor legislative and regulatory developments (FCA Dear CEO letters, JMLSG guidance updates, FATF mutual evaluation reports) and alert compliance teams to changes that require the BWRA to be updated. This addresses the static assessment problem by making horizon scanning systematic rather than ad hoc.
For firms assessing the cost of upgrading their compliance technology stack, our pricing page provides a transparent view of what automated verification tools cost, allowing a direct comparison with the cost of manual review and the potential cost of regulatory sanctions.
Firms considering whether to build or buy compliance technology should also read our foundational guide to document compliance, which covers the document types, validation requirements, and retention obligations that any technology solution must address.
Firms that have invested in integrated compliance technology (combining automated document verification, risk scoring, and workflow management) report a 40–60% reduction in the time required to complete periodic customer reviews, according to industry benchmarking data, while simultaneously improving the consistency and auditability of their risk assessments.
For a comprehensive view of CheckFile's approach to document security and compliance infrastructure, the platform is designed to integrate with existing compliance frameworks rather than replace the human judgement at their centre.
FAQ
What is the difference between a compliance risk assessment and a business-wide risk assessment?
A compliance risk assessment is the general term for any structured evaluation of an organisation's exposure to regulatory breach and its consequences. A Business-Wide Risk Assessment (BWRA) is the specific type of compliance risk assessment required by the FCA and the Money Laundering Regulations 2017 for firms in scope of those regulations. The BWRA must cover all material compliance risks at the firm level, including money laundering, terrorist financing, sanctions, bribery, and conduct risks, and must be documented, kept current, and made available to the FCA on request. The BWRA sits above the Customer Risk Assessment (CRA), which applies the firm's risk methodology to individual customer relationships.
How often should a compliance risk assessment be reviewed?
The FCA expects the BWRA to be reviewed formally at least once per year, with the review documented and approved by the responsible senior manager. In practice, a review should also be triggered by any of the following: launch of a new product or service, entry into a new geography or customer segment, a significant internal incident (fraud, regulatory breach, SAR filing trend), a material change in the regulatory framework, or new typology guidance from the NCA, JMLSG, or FATF. Annual review is a minimum, not a target; mature compliance functions embed continuous monitoring so that the formal annual review confirms a position already well understood by management.
What happens if the board treats compliance risk assessment as a checkbox exercise?
The consequences of board-level disengagement from compliance risk assessment are both regulatory and personal. Under the Senior Managers and Certification Regime (SM&CR), the senior manager allocated responsibility for financial crime prevention is personally accountable for the adequacy of the firm's systems and controls. If the FCA investigates a breach and finds evidence that the risk assessment was not reviewed, not updated, or not presented to senior management in a meaningful way, the responsible senior manager cannot rely on ignorance as a defence. The FCA has the power to fine, suspend, or prohibit individual senior managers from performing regulated functions. Beyond SM&CR, a firm whose board treats compliance as a checkbox is also more likely to have under-resourced compliance functions, delayed remediation, and a culture of non-escalation, all of which compound regulatory exposure over time. The practical remedy is to translate risk register entries into financial metrics (estimated fine exposure, revenue at risk, remediation cost) so that board members engage with compliance data on the same terms they use for every other business risk.
What are the consequences of an inadequate compliance risk assessment in the UK?
The consequences operate at three levels. First, regulatory: the FCA can impose unlimited financial penalties for breaches of the Money Laundering Regulations 2017 and FCA Handbook rules. Between 2020 and 2025, the FCA issued penalties totalling over £500 million against firms whose AML controls, including their risk assessments, were found to be inadequate. Second, criminal: under POCA 2002, individuals and firms can face prosecution for money laundering offences if inadequate controls allowed the firm to be used to facilitate financial crime. Third, reputational: regulatory censure, enforcement notices, and public statements cause direct harm to customer trust, correspondent banking relationships, and the firm's ability to operate in certain markets.
Does a small firm need a formal compliance risk assessment?
Yes. The Money Laundering Regulations 2017 apply to all relevant persons, which includes banks, building societies, payment institutions, e-money institutions, credit brokers, accountants, solicitors, estate agents, and many other categories, regardless of size. The proportionality principle means that a small firm's BWRA will be less complex than that of a global bank, but it must still be documented, risk-based, and up to date. The FCA has taken enforcement action against small firms as well as large ones. Regulators have made clear that size reduces the complexity of the required framework, not the obligation to have one.