Mandatory Updates: What Your Firm’s AML Risk Assessments Must Include Now
Your AML risk assessments form the backbone of your firm’s entire anti-money laundering framework. When regulators review your systems, they start there. Compliance is a dynamic process that must evolve alongside legislative reform, supervisory expectations and emerging financial crime threats. The pace of regulatory change means you must proactively integrate new money laundering rules into your assessment framework.
Recent legislative reform, supervisory scrutiny and geopolitical volatility have materially shifted the UK risk landscape. If your AML risk assessments don’t reflect these developments, your firm faces unnecessary risk exposure, and you don’t want to be caught on the back foot with clients or HMRC.
Integrating New Legislative and Regulatory Mandates
You must now ensure that both your firm-wide and client-level documentation explicitly reflects the latest new anti-money laundering regulations and associated guidance.
The impact of the Economic Crime and Corporate Transparency Act (ECCTA) on risk profiles
The Economic Crime and Corporate Transparency Act (ECCTA) represents a significant shift in corporate oversight. Its focus on identity verification, more stringent transparency and expanded Companies House powers changes the underlying risk profile for UK entities. These reforms introduce a number of practical implications for your AML risk assessments:
- Increased scrutiny of directors and People with Significant Control (PSCs)
- Greater reliance on verified identity data
- Less tolerance for opaque ownership structures
- More data-sharing between authorities.
The new rules against money laundering should change the way you view clients. You need to think about whether your due diligence processes are good enough to meet the needs of identity verification, and the fact that there’s a greater chance of investigation. You may have previously taken Companies House data at face value, but now you need to reassess how that information fits into your broader risk rating methodology.
Responding to the National Risk Assessment (NRA) and supervisory body guidance
Your firm-wide AML risk assessments must explicitly reference and respond to the latest UK National Risk Assessment (NRA). The NRA identifies priority threats, typologies and sector-specific vulnerabilities. Supervisory bodies expect your firm to demonstrate that you have reviewed the most recent NRA findings, identified which risks apply to your service offering and incorporated those risks into documented mitigation strategies. It’s not enough to state that you’re aware of emerging threats. Your documentation must show how you’ve integrated them into your risk model.
The same applies to guidance issued by your professional body supervisor. If supervisory updates reflect new money laundering rules or stricter expectations around documentation, your internal framework must follow suit.
Updating geographic risk factors and sanctions screening protocols
Geopolitical instability and ever-evolving sanctions regimes require continuous monitoring by your firm. Jurisdictions move on and off high-risk lists. As sanctions expand rapidly, your risk assessments must reflect current Financial Action Task Force (FATF) high-risk and monitored jurisdictions, as well as updated UK financial sanctions lists.
You also need to evaluate whether your sanctions screening tools are adequate for the new anti-money laundering regulations. Manual processes that once sufficed, for example, may no longer meet supervisory expectations. If your geographic risk section has not been reviewed in the past 12 months, it’s time to update it. Remember that sanctions decisions need to be recorded with clear audit trails, and clients’ risk profiles require ongoing monitoring in order to stand up to scrutiny.
Technical Deep Dive: Auditing the Firm-Wide AML Risk Assessment
Once you’ve accounted for legislative reform and external risk factors, the next action is a structured internal audit of your firm’s risk assessments. This is often where practices fall short, as templates are only completed once and aren’t stress-tested enough.
Re-evaluating service-specific risk and delivery channels
A blanket risk profile applied to every client is difficult to defend, because not all your services carry the same risk. It’s best to segment your exposure by service type, including:
- Tax advisory and complex structuring
- Corporate restructuring and M&A support
- Payroll and bookkeeping
- Company formation services.
High-value tax planning and cross-border advisory services now have more exposure under the new money laundering rules, particularly where beneficial ownership structures intersect with high-risk jurisdictions.
You must also evaluate your delivery channels. Remote onboarding, digital document exchange and non-face-to-face relationships increase the risk of impersonation and identity fraud. Your risk assessments should distinguish between face-to-face onboarding, remote onboarding with digital verification, and introduced business, as each channel requires different mitigating controls.
Assessing technology risk: cryptocurrencies, AI, and digital verification tools
Clients are increasingly operating within digital asset ecosystems. Cryptocurrency exposure, decentralised finance and digital payment platforms create new risks. Your firm-wide AML risk assessments must now consider:
- Clients transacting in cryptoassets
- Use of AI-driven financial tools
- Activity in digital marketplaces
- The use of automated identity verification systems.
You should assess whether your internal knowledge base, screening processes and monitoring controls sufficiently address digital asset risk. For example, if your team lacks training in identifying crypto-related red flags, your documented controls may not withstand supervisory scrutiny.
Internal controls and training: the human element of risk
Even the most well-considered documentation will fail if it’s not implemented effectively. Your risk assessments must evaluate the frequency and quality of staff AML training, escalation procedures for suspicious activity, internal file review processes and senior management oversight. Supervisors are increasingly examining a firm’s compliance culture – evidence of staff training, automated audit trails, and clear rationales for risk decisions. You’ll need to show that your AML training reflects the current threat patterns and legislative reform.
Translating Risk into Action: Client-Specific Assessments
While your firm-wide framework sets the direction, your client-specific assessments operationalise it. If your broader AML risk assessments identify significant exposure in particular service areas or jurisdictions, that must be integrated into client files.
Documenting the rationale for risk ratings and mitigation
Stating that a client is “high risk” is insufficient. You must clearly document:
- The specific risk factors you’ve identified
- Why those factors elevate the rating
- Which mitigating measures you’ve applied
- How enhanced due diligence addresses the identified risks.
Supervisors expect to see a clear, structured explanation of how you reached that conclusion and what you did about it. For example, “international links” is vague. “Beneficial owner resident in a FATF grey-listed jurisdiction” is specific and defensible. Under the new anti-money laundering regulations, you need to document evidence of your professional judgment and mitigation. Each client-specific assessment should align logically with your firm-wide risk model.
Establishing a regular review schedule for all client files
A client initially rated low risk may expand internationally, introduce new stakeholders or adopt cryptocurrency payment methods. Your compliance framework should set a structured review timetable in light of this. Higher-risk clients should be reviewed more often, medium-risk clients should be subject to periodic reassessment and low-risk clients should be reviewed at defined intervals. This schedule needs to be documented within your risk assessments, and you must ensure it reflects the new rules.
Leveraging expert documentation and training
Creating your own AML risk assessments from scratch is time-consuming and exposes you to interpretive risk. ICPA supports independent practices with a comprehensive AML Procedures Pack that includes firm-wide risk assessment tools and templates, client due diligence templates and engagement letters for non-audit assignments. ICPA members also have access to quarterly AML updates and training that ensure your internal processes align with supervisory expectations and evolving financial crime risks.
A Static Risk Assessment Is a Non-Compliant One
As an accountant, your professional obligation extends beyond initial client onboarding: you must maintain living AML risk assessments that reflect current legislation, supervisory guidance and real-world risk exposure. If you haven’t reviewed your assessments in light of recent reforms, now is the time to secure your practice against avoidable non-compliance.