Navigating AML Risk Assessments by Kevin Kerrigan
- Business risk assessments
- Client risk assessments
- How accountants can leverage technology with intelligent risk assessments
From the first introduction or meeting with a potential new client, the risk assessment has naturally commenced. Within the first few minutes, an accountant will quickly establish if the client is credible; if they have a legitimate and healthy business; if they are likely to be troublesome; and if they will be able to pay on time.
Accountants are typically good gatekeepers, equipped with professional intuition (or scepticism) that can help avoid taking on bad clients. However, without a structured and documented risk framework, it is difficult to be consistent and impossible to evidence that you have met your AML obligations. Within the context of AML monitoring visits, the rule of “if it wasn’t written down, it never happened” is applied.
AML compliance obligations can often seem disproportionate, especially within the context of what can appear to be a low-risk practice with low-risk clients. Establishing an AML risk framework does not have to be a complex or costly process and can deliver a multitude of benefits.
- It is a legal requirement with potential fines or imprisonment (up to 5 years).
- Be prepared for your next AML monitoring visit. It is a key element requested during AML thematic reviews and monitoring visits.
- They can help identify and avoid (or remove) potentially problematic clients.
- Mitigate reputational risks for your business (non-compliance or an unidentified case of money-laundering).
- Ethical responsibility to counter money-laundering or illicit activities.
The purpose of the Business Risk Assessment is to identify, assess and determine mitigating measures for AML risk across the entire practice, considering both internal and external factors.
The structure of the Business Risk Assessment is effectively set out in legislation and must consider the following risk factors:
- Types of customers that you have
- Products and services that you provide
- Countries or geographical areas in which you operate
- Type of transactions you conduct
- Delivery channels you use
You need to consider the latest National Risk Assessment for Money laundering and Terrorist Financing. The latest National Risk Assessments highlighted AML vulnerabilities in the Accountancy sector for practices that deliver the following services:
- Company and trust formations;
- Insolvency services;
- Providing financial advice;
- Providing tax advice;
- Handling client money;
- Managing client assets and financial accounts;
- Investment business services;
- Auditing financial statements; and
- Company secretarial services.
With regards to Geographical Risk Factors, you need to consider if your clients have associations or links with any of the Financial Action Task Force (FATF) list of high-risk jurisdictions and those under increased monitoring. The list is updated three times a year following the FATF plenary meetings.
The latest list was published on 23 February 2024 and included the following countries: Democratic People’s Republic of Korea, Iran, Myanmar, Bulgaria, Burkina Faso, Cameroon, Democratic Republic of the Congo, Croatia, Haiti, Jamaica, Kenya, Mali, Mozambique, Namibia, Nigeria, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Türkiye, Vietnam, Yemen.
Similar to the Business Risk Assessment you need a structured set of questions to assess each client under the different risk categories.
Geographic Risk Assessment
When assessing geographic risk, consider the following:
- Proximity to Your Firm: Is the client based within close proximity of your business? Have they come to your firm from the other side of the country because you will not be familiar with them or their associates?
- International Links: Is the client based, or do they have links, outside of your country/jurisdiction? International transactions introduce additional complexities and potential risks. Consider factors such as cross-border regulations, cultural differences, and exposure to diverse financial systems.
- Sanctioned Jurisdictions: Does the client have any association with jurisdictions subject to sanctions? Transactions involving sanctioned countries or individuals pose elevated risks. Stay informed about global sanctions lists and monitor client activities accordingly.
- Weak AML Controls: Does the client transact with customers in countries listed as having weak AML and terrorist financing controls? Some regions may lack robust AML frameworks, making transactions riskier. Evaluate the adequacy of due diligence and monitoring in such cases.
Service Risk Assessment
Evaluate the specific services that you are providing to your client:
- Client Money Account Usage: Will you be providing client money account services? Handling client funds introduces inherent risks, especially if misused for illicit purposes. Implement strong controls and monitoring for such accounts.
- Trust or Company Services: Will you be providing trust or company services for the client (e.g., company formation or use of your address for correspondence)? These services may carry specific risks related to legal structures, beneficial ownership, and potential misuse. Conduct thorough due diligence on clients seeking such services.
Industry and Delivery Channel Risks
- Industry-Specific Risks: Consider the industry in which the client operates. Certain sectors, such as financial services, real estate, and gambling, are inherently higher risk due to their susceptibility to money laundering.
- Delivery Channels: Assess the channels through which the client conducts transactions (e.g., online, in-person, third-party intermediaries). Different channels have varying risk profiles. For instance, online channels may be susceptible to cyber-related risks, while face-to-face interactions allow for better scrutiny. Take appropriate measures to verify a client's identity based on your delivery channel.
In many ways, a Business Risk Assessment is an abstraction and aggregation of the individual client risk assessments and reflects the overall risk exposure and mitigating actions undertaken by the practice. It is an obvious evolution to feed real-time information into the Business Risk Assessment based on the data that is maintained in each AML client file.
Intelligent risk assessments provide inline guidance on the risks a practice faces and propose mitigating actions. In addition, summary risk profiles can be automatically generated for practices based on real-time information. This significantly reduces the time taken to conduct business and client risk assessments. It also offers an efficient way to make a good first impression at your next AML monitoring visit or thematic review.
Intelligent risk assessments can also leverage external data (PEPs / Sanctions or CRO changes) to identify events that may impact a client’s risk profile. Scheduled reviews can help you document ongoing monitoring reviews and augmented processes can flag important risk events.
Adopting technology does not have to be a complex or costly project. There are different approaches that are accessible to both sole practitioners and SME practices. Regardless of your approach to risk assessments, our advice would be to keep it simple and be consistent.

- Annual Business Risk Reviews: Conduct Business Risk Assessments annually or when there are material changes to your business. After conducting a Business Risk Assessment, review your AML Policies, Controls and Procedures to see if they remain fit for purpose.
- Initial and Ongoing Monitoring: Conduct Client Risk Assessments before onboarding a new client to identify risk and determine appropriate levels of due diligence. Risk assessments are not static; they are fluid and clients require ongoing monitoring.
- Maintain Records: Initial and ongoing monitoring needs to be documented and evidenced. If you do not record it, it never happened.
- Digital Templates: Using templates is completely acceptable once they are tailored and provide a true reflection of your business context. Digital services can automate and streamline risk assessments by aggregating and providing real-time insights across your client base.
- Make a good first impression: Along with the Policies, Controls and Procedures manual, the Business Risk Assessment is one of the first documents that an external reviewer will request at an AML monitoring visit. Provide a concise summary of your risk profile and highlight how effective you are regarding your AML obligations.

Founder and COO of AML HQ