Business-Wide Financial Crime Risk Assessments: View from a former approved FCA Skilled Person
As global regulations proliferate, and as the expectations of regulatory and enforcement authorities continue to increase, organisations are exposed to a greater degree of compliance risk than ever before. But where are those risks in the business? And how do you know?
Regulators expect the answer to that question to be something like … ‘We have completed a robust, business-wide review of the financial crime risks that we face and have controls in place to mitigate those risks. This review is reflected in our financial crime framework in the following ways...’
In more than thirty years of working in financial crime prevention, including five years as an FCA Skilled Person, I have rarely seen an impressive or useful business-wide compliance risk assessment (BWCRA) – or one in which the firm itself has complete confidence. The challenges involved in completing the BWCRA come up in pretty much every client meeting and industry event we attend.
In our view, and the view of many regulators worldwide, the assessment of financial crime risk should be at the very core of the firm’s anti-money laundering (AML), counter-terrorist financing (CTF) and proliferation financing (PF) effort, and is essential to the development of effective AML/CTF/PF policies and procedures.
So, how do you complete the BWCRA?
There is very little by way of guidance for firms. Neither the FCA Guide for firms nor the JMLSG Guidance provides many clues about how the BWCRA should be completed. There is no right or wrong way to do it, but regulators will expect to see that a genuine effort has been made to systematically identify all financial crime risks, and to identify and assess the controls designed to mitigate those risks.
A BWCRA should:
Be comprehensive and consider a wide range of factors – it is not normally enough to consider just one factor.
Draw on a wide range of relevant information, such as the UK National Risk Assessment (which was published on the 17th July 2025), FATF mutual evaluations and typology reports, NCA alerts, press reports, court judgements, reports by non-governmental organisations and commercial due diligence providers – it is not normally enough to consider just one source.
Be proportionate to the nature, scale and complexity of the firm’s activities.
Common Pitfalls
In our experience of reviewing and conducting BWCRAs, we have found:
Over-complicated methodologies don’t work.
Data quality / availability can be a major limiting factor.
Control effectiveness assessments are often based on subject matter expert opinion – as opposed to more objective evidence such as compliance monitoring, audit reports etc.
BWCRA methodologies are often poorly designed and documented.
Decisions / rationale are often not recorded so audit trails can be weak.
The BWCRA does not always lead to remedial actions.
The BWCRA can be regarded as a tick-box exercise, rather than a valuable deep-dive into the risks faced by the business, across the first and second lines of defence.
What should you do with the BWCRA?
Firms have a legal obligation to complete a BWCRA. They have no choice and that’s unlikely to change in the foreseeable future. So, our advice is to embrace the need to do the BWCRA and regard it as the most valuable tool in the MLRO’s toolkit.
Firms should use the BWCRA to...
Understand the impacts of changes to the operating model on the risk profile of the business.
Reflect market practices, enhance the quality of internal decision-making, and help to enhance the Financial Crime compliance risk awareness culture.
Inform the Financial Crime Compliance Monitoring and Testing Programme.
Identify gaps or opportunities for improvement in Financial Crime compliance policies, procedures and processes.
Make informed decisions about risk appetite and implementation of control efforts, allocation of resources and technology spend.
Assist management in understanding how the structure of a business unit or business line’s Financial Crime compliance programme aligns with its risk profile.
Develop risk mitigation strategies including applicable internal controls and thereby lower a business unit or business line’s residual risk exposure.
Ensure senior management are made aware of the key compliance risks, control gaps and remediation efforts.
Assist senior management with strategic decisions in relation to commercial exits and disposals.
Ensure internal and external stakeholders are made aware of the key compliance risks, control gaps and remediation efforts across the firm.
Assist management in ensuring that resources and priorities in the first and second lines of defence are aligned with its compliance risks.
Our BWCRA services & Approach
Our approach
Keep the BWCRA clear, coherent, and tailored to the client’s business model and risk profile, whilst meeting regulatory expectations.
We work with the firm’s BWCRA owner to transfer knowledge – so the assessment is well understood and repeatable.
Gather input to the BWCRA from across all three lines of defence. We analyse the results and help answer the ‘so what?’ questions.
We help our clients to establish clear risk ownership and importantly, make the BWCRA actionable.
We leverage data to identify financial crime risk.
At DCM, we have the experience, credentials and tools to complete the BWCRA for any regulated firm, at pace, and right first time.
Assurance Partner
Full spectrum financial crime expertise
Access services like:
Business-wide Compliance Risk Assessments (Standalone Delivery or Assurance)
AML Maturity Assessments and Health Checks
Consultation on specific FinCrime Typologies
Transaction Monitoring: Tuning & Optimisation
Support Before, During and After Regulatory Interventions
Complex Remediation & Thematic reviews.
Standing out through expertise
Our Assurance and Advisory division is led by Peter Brooke, a former approved FCA Skilled Person, who leads a taskforce of experts to fix your Financial Crime challenges effectively and future-proof your organisation with expert capability and reliable, robust delivery.
How we make a difference
What’s been really valuable for our clients is the regulatory insight and best practices we can demonstrate when testing and monitoring controls (including AML, CTF, Sanctions and Fraud), conducting risk assessments, enhancing frameworks and delivering maturity assessments.
On-demand Support
Whether you need a brief touchpoint, best-practice guidance, or some tactical fixes, we are here to support.
For more information on all our services please get in touch here.