ThirdEye View

Getting your financial crime risk assessment right

Although financial crime risk assessments are a legal requirement for regulated firms, they are time-consuming to develop and are often treated as a regulatory box-ticking exercise. Yet when they are done well, they become the strategic foundation that shapes everything from how you allocate resources to how effectively you detect and manage real threats.

Across the UK, Australia and New Zealand, regulators maintain high expectations for risk assessments, though their specific requirements differ. The FCA’s November 2025 review found significant gaps in risk assessments across the UK sector. In Australia and New Zealand, AUSTRAC and the FMA similarly expect robust, risk-based approaches. For banks, building societies and lenders in all three markets, getting this right in practice remains a challenge.

In this episode we sat down with Claire Rees, Financial Crime Regulatory Specialist at ThirdEye, and Nicky Green, Advisory Director at Square 4, to explore what separates effective risk assessments from compliance paperwork.

The biggest misconception about risk assessments

“The biggest misconception is that the financial crime risk assessment is only a burden for the firm,” says Nicky, who has 25 years’ experience in financial services compliance. “Yes, it can be time-consuming to set up and maintain properly, but getting it right brings enormous benefits.”

Without properly identifying and quantifying financial crime risks, how can any firm allocate resources efficiently? Without a robust assessment, you could waste money on processes that don’t address your actual risks whilst leaving real vulnerabilities exposed.

Claire, who has worked in financial crime roles since 2001, agrees. “One of the biggest challenges in my experience is also one of the most important: the risk assessment. The FCA’s recent review shows this isn’t just our observation—it’s an industry-wide issue.”

What the regulations require

The regulatory landscape differs across our three markets, though the underlying principles of effective risk management remain consistent.

In the UK, the Money Laundering Regulations are explicit. Firms must identify and assess money laundering and terrorist financing risks, considering factors relating to customers, geographic areas, products, services, transactions and delivery channels. The assessment must be kept up to date and provided to supervisory authorities on request.

In Australia and New Zealand, the AML/CTF Act 2006 (Australia) and the AML/CFT Act 2009 (New Zealand) similarly require reporting entities to identify and assess money laundering and terrorism financing risks. The core principle is the same in all three markets: understand your risks so you can manage them effectively.

However, the scope differs. In the UK, the FCA’s Financial Crime Guide explicitly states that firms should assess risks in the context of all types of financial crime, including fraud, data security, bribery and corruption. In Australia and New Zealand, the statutory focus is specifically on ML/TF risk assessment, though financial institutions typically assess broader financial crime risks as part of sound operational and reputational risk management.

But here’s where firms often stumble. “I see vastly varying approaches to financial crime risk assessments,” Nicky explains. “The most common misconception comes from what the risk assessment needs to cover. Many firms focus almost exclusively on money laundering and terrorist financing, but the FCA’s guidance is clear that risk must be considered in the context of all types of financial crime—including fraud, data security, bribery and corruption.”

The UK’s FCA Financial Crime Guide reinforces this: a thorough understanding of financial crime risks is key to applying proportionate and effective systems and controls. Risk assessments should be comprehensive, draw on a wide range of relevant information, and be proportionate to the nature, scale and complexity of the firm’s activities.

Whilst regulatory requirements differ, effective financial institutions recognise that risks don’t respect regulatory boundaries. Fraud generates proceeds that require laundering. Cyber breaches create vulnerabilities criminals exploit. Bribery and corruption schemes often involve money laundering. Whatever your jurisdiction, understanding how different types of financial crime intersect strengthens your ability to detect and prevent them.

Building effective foundations

Starting a risk assessment can feel overwhelming. Where do you begin?

“The starting point is to look at the business profile,” Nicky advises. “Not just what you think you do or the story you tell others but what do you actually do? What is the business model, how is the firm structured, what products and services do you offer, to whom and through what distribution routes?”

This honest assessment gives you a solid basis to identify all key risk areas. One of the most common mistakes? “Firms that have a checklist approach, using the key areas highlighted in regulatory guidance and working through them methodically without really thinking about them in the context of the business and how it works.”

Beyond the compliance checklist

An effective risk assessment is more than a regulatory box to tick. “It’s a holistic, living, breathing thing that drives a robust control framework,” says Nicky. “But there’s more to it than that. One of my pet peeves in both financial crime and CASS is that firms will spend a huge amount of time and resources carrying out risk assessments and risk mapping but then don’t use that effort to drive business decisions and continuous control improvement.”

A truly effective assessment should:

Ask the criminal’s question. Rather than working through thematic areas drawn from guidance, think about how a criminal might use your business, products or services to further their goals. Where are the vulnerabilities that could expose you to criminal activity?

Drive decision-making. The assessment should underpin commercial decisions, resource allocation and strategic planning. It’s not a document that lives in a drawer but a tool that shapes how you run your business.

Consider control effectiveness. Assess not just the risks you face, but how well your current controls manage those risks.

Who owns this process?

“I often see firms approach the financial crime risk assessment as a job for the financial crime team only,” Nicky observes. “Yes, it might be the financial crime team that drives the risk assessment, but the overall process needs to involve people from throughout the business.”

The people closest to clients, products and services should help with risk identification. The governing body must support and champion the process. The assessment should align with the broader risk appetite of the firm.

“Senior management won’t necessarily play an active role in the development of the risk assessment, but they should foster a culture of compliance and engagement in the process,” Nicky explains. “The risk assessment should be reviewed and critically evaluated by senior management, giving challenge to the assumptions, data and methodology used. Records should be kept of the discussion and challenge.”

Common pitfalls to avoid

Based on their extensive experience, Claire and Nicky highlight several recurring mistakes:

Too high-level. The assessment isn’t detailed enough or firm-specific enough to be useful.

Qualitative focus without quantitative data. Numbers matter. Transaction volumes, customer counts and geographic distribution provide crucial context.

Fails to keep pace. The assessment doesn’t evolve as the business grows or the threat landscape changes.

One-size-fits-all risk tolerance. Zero tolerance for sanctions breaches is realistic, but applying the same standard across all risk types isn’t practical.

“The most common issue I see is the firm’s ability to understand the risk its customer base brings,” says Nicky. “Customer risk assessment can be a complex process with lots of considerations, but many firms over-simplify it, which results in a risk assessment based on partial evidence.”

Keeping your assessment current

A full review should happen at least annually. But that’s not enough on its own.

“More general maintenance throughout the year is also needed for any new products, services, client types or geographies,” Nicky advises. “But it should also be revisited to underpin decision-making in the business, particularly around team structures, operational processes and resourcing questions.”

What should trigger an immediate update? New products or services, entry into new markets, significant changes to your customer base, or emerging criminal typologies that affect your sector.

The regulatory reality

Are regulators becoming more flexible in their expectations? “I wouldn’t say they’re ever going to be what we might call ‘flexible,’” Nicky responds candidly. “Obviously, a financial crime risk assessment and control framework is firm-specific and there can’t be a standard or one-size-fits-all approach, but the FCA is clear in their expectations.”

What has changed is the approach. “We’re seeing a more no-nonsense stance from regulators. They’re working to hold firms to account quicker and more decisively than ever before.” In the UK, the FCA is conducting more no-notice visits to review risk assessments and control frameworks, and acting swiftly when it finds problems, including imposing voluntary requirements (VREQs) that stop a firm taking on new business until the issues are addressed.

The message is clear: there are no excuses for non-compliance. The FCA has been emphasising the need for robust risk assessments for years. If firms still haven’t addressed this, the regulator isn’t prepared to make allowances.

Learning from regulatory findings

Recent regulatory publications and enforcement actions provide stark lessons about the consequences of inadequate risk assessments. While the examples below focus on UK cases, the underlying issues and the principles for avoiding them are relevant across all three markets.

Risk assessment processes and controls in firms (FCA findings). The FCA’s November 2025 review found significant gaps across the UK sector, with firms struggling to translate regulatory requirements into effective practice.

Challenger banks. Rapid growth can mean risk assessments and control frameworks struggle to keep pace, whilst swift onboarding processes can create vulnerabilities. The lesson: make sure your risk assessment evolves with your business, and understand how your technology solutions actually work.

Corporate finance firms. 11% had no documented financial crime risk assessment at all, often because they didn’t think it was necessary given their business model. The lesson: a risk assessment is needed for all types of firm, even if you think your risk is low.

The financial cost of getting this wrong is substantial. Recent UK enforcement actions include:

  • Nationwide: £44 million fine for ineffective customer risk assessments and due diligence
  • Monzo: £21 million fine when controls failed to keep pace with rapid growth
  • Barclays: £42 million fine for inadequate onboarding and oversight procedures

“In all three of these cases, if the financial crime risk assessment arrangements within each firm had been effective, they would have been able to identify risks that weren’t being managed properly and target resources appropriately,” Claire notes.

Balancing qualitative and quantitative approaches

How should firms balance judgement against models?

“Quantitative data can help with the identification of key risk areas,” Nicky explains. “For example, transaction volumes for different products or services can help you gain clarity around where some of the biggest risk areas are. Qualitative factors then provide the nuance and context to help understand the risks.”

The best approach uses both. Numbers identify where risks concentrate, whilst human judgement assesses the nature and severity of those risks within your specific context.

What good governance looks like

Good governance means embedding risk awareness into the culture of the firm. Senior management set the tone, but they also need to understand the risks and how they’re managed so they can provide meaningful challenge.

“The risk assessment should underpin decisions about resource allocation, ensuring the firm uses its resources in the most efficient and effective way possible to manage its financial crime risk,” says Nicky. “Senior management should regularly be provided with management information that enables them to understand the effectiveness of the controls in place and how well the firm is managing the identified risks.”

Moving forward

Financial crime risk assessments shouldn’t be seen as regulatory burdens. When done well, they become strategic tools that help you allocate resources effectively, identify vulnerabilities before they’re exploited, and build confidence with regulators and stakeholders.

The key is to move beyond checklist compliance. Understand how your business actually operates, not the version you present externally. Involve people across the organisation. Think like a criminal trying to exploit your systems. Keep the assessment current as your business and the threat landscape evolve.

Whether your regulatory framework requires assessment of all financial crime types or focuses specifically on ML/TF, the underlying principle remains constant: you can’t manage risks you haven’t identified. And whilst regulatory requirements may differ across jurisdictions, criminals don’t limit their activities based on what’s explicitly mandated in law.

“The firms that get this right aren’t just meeting regulatory requirements,” Claire reflects. “They’re building stronger, more resilient businesses that can detect and prevent financial crime effectively whilst using their resources efficiently. That’s the goal we should all be working towards.”

Claire Rees is Financial Crime Regulatory Specialist at ThirdEye, with over 20 years’ experience in financial crime roles across building societies and mortgage companies.

Nicky Green is Advisory Director at Square 4, with 25 years in financial services compliance and 18 years specialising in financial crime and CASS compliance.

ThirdEye partners with financial crime teams across the UK, Australia and New Zealand to detect and prevent financial crime through flexible software and local support.

Square 4 provides interim resource, managed services, tech solutions and advisory services to help regulated firms grow and thrive compliantly.
