AML Risk Assessment Template

FCA & Regulatory

A structured business-wide risk assessment for AML and financial crime — covering customer risk, product risk, channel risk and geographic exposure, with a residual risk scoring matrix.

About This Template

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) require all regulated firms in the UK to conduct and document a Business-Wide Risk Assessment (BWRA). This is not a tick-box exercise: the FCA expects firms to be able to demonstrate that they have genuinely assessed their exposure to money laundering and terrorist financing risk, that they have implemented controls proportionate to that risk, and that they review and update the assessment at least annually and whenever there is a material change to the business.

For growing fintechs, the BWRA is often one of the first serious pieces of compliance documentation the MLRO produces. It underpins customer due diligence policies, transaction monitoring calibration, and the firm's overall AML framework. A poorly constructed BWRA — one that is generic, unquantified, or not tailored to the firm's actual products and customer base — is a common trigger for FCA supervisory scrutiny.

Legal note: This template is a framework tool only. It does not constitute legal or compliance advice. Your BWRA must be tailored to your firm's specific business model, customer base, products, and geographic exposure. It should be reviewed by your MLRO and, where appropriate, external AML counsel before being relied upon as your firm's BWRA documentation.

The template provides a structured, scored approach to the BWRA across four risk dimensions — customer, product/service, channel, and geographic — together with a customer risk matrix and a SAR log framework.

What's Included

Sheet 1 — Instructions

An overview of the BWRA requirement under MLR 2017 Regulation 18, the scoring methodology used in the template (1 = Low to 5 = Very High), and guidance on how to interpret residual risk scores. Includes a summary of the FCA's expectations for a well-documented BWRA and a note on the frequency of review.

Sheet 2 — Business-Wide Risk Assessment

The core risk assessment sheet, structured across four risk categories:

  • Customer Risk: Proportion of individual vs corporate customers, high-net-worth individuals, PEPs and sanctions-exposed customers, and customers from high-risk jurisdictions.
  • Product/Service Risk: Cash handling, cross-border payments, crypto/digital assets, high-value transactions, and anonymised transaction products.
  • Channel Risk: Face-to-face onboarding, digital/remote onboarding, introduced business, and third-party agent relationships.
  • Geographic Risk: Proportion of business from UK domestic, EU, US, and high-risk jurisdictions.

For each risk factor, you score the Inherent Risk (the risk before controls) and the Control Quality (the effectiveness of your controls). The Residual Risk is calculated automatically as a function of these inputs. The overall BWRA score is a weighted average across all four categories, producing an overall rating of Low, Medium, or High.

Sheet 3 — Customer Risk Matrix

A structured matrix for assessing risk at the customer level. Pre-populated with the standard risk factors applied in customer due diligence: PEP status, sanctions exposure, high-risk country of residence or operation, cash-intensive business type, complex ownership structure, and correspondent banking relationships. Each factor has a risk score, and the combined score determines the CDD level required — Standard, Enhanced, or Simplified.

Sheet 4 — SAR Log

A confidential log for Suspicious Activity Reports. Pre-populated with the required fields: SAR reference, date, reporter, subject, reason for filing, NCA reference number, action taken, and status. Ten blank rows are provided. Important: the existence and contents of SAR filings are subject to the tipping-off provisions in the Proceeds of Crime Act 2002 and must be handled with strict confidentiality.

How to Use This Template

  1. Begin with your customer profile. Review your actual customer data to determine the proportions in each customer category. Do not estimate — use real data from your CRM or onboarding platform. The BWRA will be unconvincing if the customer risk inputs are generic rather than data-driven.
  2. Score Inherent Risk honestly. The inherent risk score reflects the risk posed by the factor before any controls are applied. Use the 1-5 scale: 1 = Low (rare, limited exposure), 2 = Medium-Low, 3 = Medium-High, 4 = High (frequent or material exposure), 5 = Very High (dominant or systemic exposure). Underselling inherent risk is a common and easily spotted mistake.
  3. Score Control Quality critically. The control quality score reflects how effectively your controls mitigate the inherent risk. Use the same 1-5 scale: 1 = Very weak or absent controls, 5 = Strong, tested, and well-documented controls. Be honest — over-rating your controls produces a residual risk figure that understates your actual exposure and will not withstand FCA scrutiny.
  4. Review the overall BWRA rating. The weighted average produces an overall rating. If the rating is Medium or High, the BWRA narrative should include a clear remediation plan with timelines and ownership for improving the weakest control areas.
  5. Calibrate your CDD policy against the customer risk matrix. Use the customer risk matrix to validate that your customer risk scoring policy is aligned with the factors identified in the BWRA. If the BWRA identifies geographic risk as High, your customer risk matrix should reflect that in the weighting applied to high-risk jurisdictions.
  6. Maintain the SAR log with strict access controls. The SAR log should be accessible only to the MLRO and designated deputies. Implement access restrictions in the workbook or store the SAR log separately from the BWRA documentation that is shared more widely.

Review cadence: The BWRA must be reviewed at least annually and whenever there is a material change to your business — including new products, new customer segments, geographic expansion, or significant changes in your transaction volumes or customer risk profile. Document the review date and any changes made.
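The scoring steps above (inherent risk and control quality on a 1-5 scale, residual risk derived from both, a weighted average across the four categories, and a customer risk matrix that decides the CDD level) can be checked against a small worked implementation. The code below is an added example written for this page; it is not the template's own workbook logic. The residual-risk formula, the category aggregation, the rating thresholds, the customer factor point values and the CDD thresholds are all assumptions chosen for illustration, and the sample scores are constructed rather than taken from any firm. What the example adds beyond the text is input validation (a spreadsheet cell accepts an off-scale score silently), a ranking of the weakest controls for the step 4 remediation plan, and the point that the mandatory EDD triggers listed in the FAQ below override the points total rather than merely contribute to it.

```python
from dataclasses import dataclass
from statistics import mean

SCALE = range(1, 6)  # the template's 1 (Low) .. 5 (Very High) scale


@dataclass(frozen=True)
class Factor:
    """One row of the BWRA sheet: a named risk factor with its two scored inputs."""
    name: str
    inherent: int   # inherent risk, before any controls are applied
    control: int    # control quality, 1 = very weak or absent .. 5 = strong and tested

    def __post_init__(self):
        # A workbook cell will happily accept 0, 7 or "n/a"; reject anything off-scale here.
        if self.inherent not in SCALE or self.control not in SCALE:
            raise ValueError(f"{self.name}: scores must be integers 1-5")

    @property
    def residual(self) -> float:
        return residual_risk(self.inherent, self.control)


def residual_risk(inherent: int, control: int) -> float:
    """Assumed formula (not the template's): the inherent score scaled by the share of
    risk the controls leave behind. control=1 leaves all of it, control=5 one fifth."""
    return inherent * (6 - control) / 5


def category_score(factors: list[Factor]) -> float:
    """Assumed aggregation: the mean residual risk of the factors in one category."""
    return mean(f.residual for f in factors)


def overall_score(categories: dict[str, list[Factor]], weights: dict[str, float]) -> float:
    """Weighted average of the category scores; the weights are the firm's documented choice."""
    if set(categories) != set(weights):
        raise ValueError("every category needs exactly one weight")
    total = sum(weights.values())
    return sum(category_score(categories[c]) * w for c, w in weights.items()) / total


def rating(score: float) -> str:
    """Assumed thresholds for the overall Low / Medium / High rating."""
    if score < 1.5:
        return "Low"
    if score < 3.0:
        return "Medium"
    return "High"


def weakest_controls(categories: dict[str, list[Factor]], n: int = 3) -> list[Factor]:
    """Factors carrying the most residual risk: the candidates for the remediation plan."""
    all_factors = [f for factors in categories.values() for f in factors]
    return sorted(all_factors, key=lambda f: f.residual, reverse=True)[:n]


# Customer risk matrix (the Sheet 3 idea). Point values and thresholds are assumed.
CUSTOMER_FACTOR_POINTS = {
    "pep": 5, "sanctions_exposure": 7, "high_risk_country": 4,
    "cash_intensive": 3, "complex_ownership": 3, "correspondent_banking": 4,
}
# Circumstances the page's FAQ describes as always requiring EDD under MLR 2017 Reg 33.
# They override the points total: a PEP is Enhanced whatever else is true.
MANDATORY_EDD = {"pep", "high_risk_country", "correspondent_banking"}


def cdd_level(flags: set[str]) -> str:
    """Map a customer's risk flags to Simplified / Standard / Enhanced due diligence."""
    unknown = flags - set(CUSTOMER_FACTOR_POINTS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    if flags & MANDATORY_EDD:
        return "Enhanced"
    points = sum(CUSTOMER_FACTOR_POINTS[f] for f in flags)
    if points < 3:
        return "Simplified"
    if points < 7:
        return "Standard"
    return "Enhanced"


# Constructed illustrative scores for a hypothetical payments firm, not real data.
SAMPLE_BWRA = {
    "customer": [Factor("PEPs and sanctions-exposed customers", 4, 4),
                 Factor("High-net-worth individuals", 3, 4)],
    "product": [Factor("Cross-border payments", 4, 3),
                Factor("Crypto/digital assets", 5, 2)],
    "channel": [Factor("Digital/remote onboarding", 3, 4),
                Factor("Introduced business", 2, 2)],
    "geographic": [Factor("High-risk jurisdictions", 4, 3),
                   Factor("UK domestic", 1, 5)],
}
SAMPLE_WEIGHTS = {"customer": 0.30, "product": 0.30, "channel": 0.15, "geographic": 0.25}

if __name__ == "__main__":
    score = overall_score(SAMPLE_BWRA, SAMPLE_WEIGHTS)
    print(f"overall BWRA score {score:.2f} -> {rating(score)}")
    for f in weakest_controls(SAMPLE_BWRA):
        print(f"  remediate: {f.name} (residual {f.residual:.1f})")
    print("cash-intensive only:", cdd_level({"cash_intensive"}))
    print("PEP:", cdd_level({"pep"}))
```

With the sample scores the overall figure lands in the Medium band, and the weakest-control listing puts the crypto product line first, which is exactly the kind of factor a remediation plan with owners and timelines should name. Keeping the weights in one dictionary also makes the rationale that the FAQ asks you to document easy to version alongside the assessment.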

Frequently Asked Questions

How often should I update my Business-Wide Risk Assessment?

MLR 2017 Regulation 18 requires the BWRA to be kept up to date. In practice this means a formal review at least annually, with interim updates triggered by material changes to your business model, customer base, products, geographic footprint, or transaction volumes. The FCA also expects firms to take account of updated national risk assessments — including the UK National Risk Assessment — when reviewing their BWRA. Date-stamp each review and keep a version history so you can demonstrate the assessment has been maintained over time.

What triggers enhanced due diligence?

Enhanced due diligence (EDD) is required when a customer presents a higher risk of money laundering or terrorist financing. MLR 2017 Regulation 33 sets out specific circumstances that always require EDD: customers who are Politically Exposed Persons (PEPs) or family members/close associates of PEPs; transactions involving high-risk third countries listed by the Financial Action Task Force (FATF) or designated by the EU/UK; correspondent banking relationships; and any other situations where the firm identifies a higher risk. Beyond these mandatory triggers, your customer risk matrix should define the score threshold above which EDD is applied to any customer.

What is the difference between a SAR and a Defence Against Money Laundering (DAML)?

A Suspicious Activity Report (SAR) is a report made to the National Crime Agency (NCA) under Part 7 of the Proceeds of Crime Act 2002 where you know or suspect that someone is engaged in money laundering. A Defence Against Money Laundering (DAML) is a specific type of SAR where you are seeking consent from the NCA to proceed with a transaction or activity that you suspect involves criminal property — without that consent, proceeding would expose you to money laundering liability. Standard SARs report past activity or suspicion; DAMLs seek a defence before proceeding with a specific transaction. The NCA must respond to a DAML within 7 working days (extendable to 31 days).

Should crypto and digital asset firms treat all customers as high risk?

No — a blanket high-risk classification for all customers in any sector is not appropriate under a risk-based approach, and the FCA has been clear that it does not expect this. Crypto and digital asset firms do have specific risk factors that are relevant — including the pseudonymous nature of blockchain transactions, the cross-border nature of the asset class, and the use of privacy-enhancing technologies — and these should be reflected in the BWRA as elevated inherent risk factors. However, the level of CDD applied to individual customers should be based on their specific risk profile, not their sector alone. Customers who are low-risk on all other dimensions should not automatically receive EDD treatment simply because they are using a crypto service.

Can the BWRA and customer risk matrix be shared with auditors or the FCA?

Yes — the BWRA is a document that should be available to your external auditors as part of their compliance review, and the FCA may request it as part of a supervisory review or enforcement action. The SAR log, however, must be treated with strict confidentiality. The tipping-off provisions of POCA 2002 prohibit disclosure of the fact that a SAR has been made or of any information that might prejudice an investigation. The SAR log should be stored separately from the BWRA and should not be shared with external parties without specific legal advice.

What weighting should I apply to each risk category in the overall BWRA score?

The MLR 2017 does not prescribe specific weightings — the weighting should reflect your firm's actual risk profile. A payments firm with a high proportion of cross-border transactions might weight geographic and product risk more heavily. A business that relies primarily on digital onboarding should weight channel risk accordingly. Document your rationale for the weightings you choose and be prepared to explain them to the FCA. The weightings used in this template are indicative starting points; adjust them to reflect your specific business model.

Work Together

Build an AML framework that stands up to FCA scrutiny.

From business-wide risk assessments to transaction monitoring calibration and MLRO support, CrunchSpark helps FCA-regulated fintechs build robust AML compliance infrastructure.