An Organisation for all
Accountants in Practice

Money Laundering: Risk Assessments


How to use a risk-based approach to carry out a risk assessment of your business.


Businesses regulated by the Money Laundering Regulations must assess the risk that they could be used for money laundering, including terrorist financing.

You can decide which areas of your business are at risk and put in place measures to prevent money laundering occurring by using what’s known as a ‘risk-based’ approach.

This guide gives an overview of the risk-based approach and helps you to carry out a risk assessment of your business. It also outlines your day-to-day responsibilities under the Money Laundering Regulations.

The risk-based approach

Businesses that are covered by the Money Laundering Regulations have to use a risk-based approach to prevent money laundering. This involves following a number of steps.

You have to:

identify the money laundering risks that are relevant to your business

carry out a detailed risk assessment of your business, focusing on customer behaviour, delivery channels and so on

design and put in place controls to manage and reduce the impact of these risks

monitor the controls and improve their efficiency

keep records of what you did and why you did it

Advantages of the risk-based approach

You’re able to decide on the most cost-effective way to control the risks of money laundering when you follow the steps involved in the risk-based approach. This allows you to focus your efforts and resources where the risks are highest.

How to carry out a risk assessment

You can decide for yourself how to carry out your risk assessment. It might be quite simple or very sophisticated depending on:

the size and structure of your business

the range of activities your business carries out and the nature of the products and services it supplies

When you assess the risks of money laundering that apply to your business you need to consider:

the types of customer you have

where you and your customers are based

your customers’ behaviour

how customers come to your business

the products you sell or the services you offer

your delivery channels and payment processes, for example cash over the counter, cheques, electronic transfers or wire transfers

where your customers’ funds come from or go to

Customers that might pose a risk

Your business might be at risk of money laundering from:

new customers carrying out large, one-off transactions

a customer who’s been introduced to you - because the person who introduced them to you may not have carried out ‘due diligence’ thoroughly

customers who aren’t local to your business

customers involved in a business that handles large amounts of cash

businesses with a complicated ownership structure that could conceal underlying beneficiaries

a customer - or group of customers - who makes regular transactions with the same individual or group of individuals

Customer behaviours that might suggest a risk

Behaviour that may indicate a potential risk could be when a customer:

doesn’t want to give you identification, or gives you identification that isn’t satisfactory

doesn’t want to reveal the name of a person they represent

agrees to bear very high or uncommercial penalties or charges

enters into transactions that don’t make commercial sense

is involved in transactions where you can’t easily check where funds have come from

When to check source of funds in one-off transactions below £15,000

The way customers present themselves and the source of their funds are key indicators of potential risk.

You should be able to show, through your risk-based approach, that you’ve taken all reasonable steps to satisfy yourself that the transaction isn’t suspicious, including, where appropriate, identifying the source of funds.

This is best done through independent documents or data provided by the customer, for example, a payslip or bank statement. The documentation required and the level of checks will depend on the risks to your business.

Where a person is sending money for someone else and information such as a wage slip or bank statement isn’t available you should consider obtaining and keeping a signed certificate/declaration by the customer about the source of funds – checked against a proof of ID document, such as a passport.

Example 1 - A customer claims they are transmitting money on behalf of a group of friends. You should consider writing down details of the names and addresses of the friends and the amounts to be transmitted.

Where you have to accept a declaration it’s sensible to include details of something that can itself be checked. This could be contact details for each person named in the declaration, but every case will be different.

Example 2 - A customer claims the cash is from the sale of a car. You should include details of the car, its registration number and the date of sale. This will provide you with protection, as you’ll be able to show that you have undertaken sufficient checks, and will allow law enforcement agencies to use such details to follow up on transactions after the event if they need to.

The essential point is that the customer has provided you with information that can be checked. Whether you do any additional checks on that information will depend on your view of the risk.

HM Revenue and Customs (HMRC) expects that businesses have an operating risk-based system in place, which is fully documented. If a business doesn’t apply its own risk-based approach to ‘source of funds’ checks, then HMRC will expect that you seek additional verification on payments below £15,000 when:

the customer has presented cash in payment for the transaction, which is five times the size of an average transaction for your business

the customer has paid for the transaction by cheque or debit card, which is ten times the size of an average transaction

‘Average transaction’ means the total value divided by the number of transactions over a given period. ‘Your business’ means that the average is calculated for each branch (where your business has more than one premises, including the premises of any agents who act on your behalf).

Example 3 - You have transmitted £100,000 over 100 transactions in the given period, so the average value of your transactions is £1,000. You should check the source of funds on any cash transaction for £5,000 or more and any non-cash transaction for £10,000 or more.

The length of time you use to decide the size of an average transaction for your business isn’t fixed, although it should be at least one month. Ideally, the average transaction value will relate to a single set of premises. If you have more than one set of premises within your registration you may decide to fix the transaction level either by individual location or by reference to all the transactions across the whole of your business, being aware of the transaction levels between different locations.

You may limit the source of funds checks to the top 5% of transactions by value if the number of transactions to be checked exceeds 5% of your total transactions.

Where funds have come from a bank account, you can take some reassurance that the customer’s identity and personal details may have been checked by another regulated business in the UK or another country which is prepared to provide the customer with account facilities. However, you shouldn’t be satisfied that the source of funds is lawful just because the money has come from the customer’s bank account.

You should take a risk-based approach to establish, to your own satisfaction, how the money got into the bank and where the money came from, such as:


a cheque from a family member

payment from the sale of personal items

An indication of higher risk might be if funds in the bank account had been paid in cash shortly before the transaction. Just because the funds have been through a bank doesn’t mean that you can always assume that you don’t need to check their source, especially if they seem unusual.

You must send a Suspicious Activity Report (SAR) to the National Crime Agency if you have any suspicion that the transaction relates to money laundering and/or terrorist financing, and get consent from them to continue with the transaction. You should always report before a transaction is made where possible. If your suspicion is raised after the transaction is completed you must send a SAR at the earliest opportunity.

Risks associated with your products and services

Depending on your business type there may be a risk:

that inappropriate assets could be placed in your business, or moved from or through it

from a product or service which allows the ownership of assets to be disguised

when you supply services without meeting your customer face to face

The types of risk you need to identify will depend on the nature of your business. For example, ‘High Value Dealers’ need to be aware of the risk associated with cash sales of high value goods that can be either:

sold through the black market - these are generally luxury items

returned to the retailer in exchange for a legitimate cheque from them

Get more information

You can get more guidance on carrying out your risk assessment from the HMRC leaflets for:

Money Service Businesses

High Value Dealers

Trust or Company Service Providers

What to do when you’ve carried out your risk assessment

Once you’ve completed your risk assessment you need to:

put in place controls and systems to reduce any risks of money laundering that you identified

monitor your business on an ongoing basis to make sure your controls are effective

identify and report any suspicious transactions or activities

Published April 2016