When should firms review their AML risk assessment and policies?

Two professionals discussing documents in an office, representing AML risk assessment and policy review in an accountancy firm.

Accountancy firms need to keep their firm-wide risk assessment (FWRA) and AML policies aligned with the way the business actually operates. 

This means setting a sensible review cycle and knowing when changes in the practice, such as client base or services, require a review before the planned date.

The size and structure of the practice affect how this responsibility is organised. A sole practitioner can often use a brief, clearly reasoned record, while a growing firm might need more formal ownership and follow-up actions. 

In any case, the firm’s AML documents should reflect current risks and support consistent controls.

Key takeaways

  • Most small firms should treat an annual FWRA as a practical baseline.
  • A review could be needed sooner when a material development alters the practice’s overall AML exposure.
  • New services, delivery methods, or client concentrations should be considered before they become embedded in the practice.
  • External risk information also needs active consideration, even when it does not lead to a policy change.
  • Senior approval and dated action records help show that the review produced a documented decision.

Review frequency for firm-wide AML documents

The Money Laundering Regulations require firm-wide risk assessments to be kept up to date. They also state that firms must review and update their AML policies, procedures, and wider control framework regularly, so the FWRA and supporting arrangements continue to reflect how the practice operates.

CCAB guidance links review frequency to the risks the firm faces and the stability of its business environment. As such, a straightforward practice operating in settled conditions can justify a different timetable from one that is evolving or harder to oversee.

ICAEW suggests a similar approach. It says that an annual programme of senior-management review is likely to be appropriate for most firms.

Crucially, the review should still take place even when the practice has not changed substantially. The compliance calendar can record the review date and name the person responsible for monitoring any triggers that arise between scheduled reviews.

Changes that trigger an earlier AML review

The following developments can justify an unscheduled review of a firm’s AML risk assessment and policies.

Regulatory and external risk changes

External compliance developments, including thematic findings and risk publications relevant to the practice’s business model or risk exposure, can affect assumptions in the existing assessment.

Recent examples include the UK’s 2025 National Risk Assessment and HMRC’s accountancy-sector risk guidance, updated in January 2026. As confirmed by HMRC, accountancy firms must take its assessment into account when preparing their own FWRA. 

Regulatory amendments can have the same effect if they change what the practice needs to consider in its AML arrangements.

Publication of new material, therefore, requires active consideration, although it does not automatically require every policy to change. The firm must decide whether the information alters its risk profile and if action is needed before the next planned review.

Changes to services, clients, or delivery model

Moving into a materially different or more complex service line can create AML risks beyond those arising from routine accounts preparation. These risks need to be assessed before the service is introduced, so that suitable controls form part of the new process.

A material change in how the practice delivers or supports its services risks introducing AML vulnerabilities or weakening established oversight. CCAB confirms that such changes should be reflected in the firm-wide assessment, with their risks considered before implementation.

For example, a sustained move towards a client base with greater complexity or higher risk could alter the practice’s overall level of financial crime exposure. Similarly, a major structural or growth-related change can also affect who performs controls and how consistently they operate.

Compliance evidence can reveal that a money laundering risk has been misunderstood or a mitigation is ineffective, providing another trigger for review. 

CCAB supports event-driven reviews when events affect the firm’s risks, while ICAEW describes compliance reviews as a means of testing whether policies operate as intended.

One new client or an ordinary client-level change will not usually justify revising the firm’s overall assessment. Yet, the issue is whether the development materially changes the practice’s aggregate risk picture or exposes a gap in its AML controls.

What the AML review needs to test and update

A meaningful review compares the documented description of the practice with how it operates today. It should reconsider the practice’s client and business profile, together with its geographic and transactional exposure. These are the core regulatory risk factors.

HMRC recognises that an assessment can vary in format and level of detail according to the scale and operating model of the business. A micro-practice, for instance, can often use a concise narrative assessment, provided it shows that risks relevant to its actual business were considered.

If the review identifies a changed risk profile or controls that are no longer fit for purpose, firms should amend the FWRA and align their wider AML framework, forms, workflow systems, and day-to-day practice with it.

Practical takeaway: Simply changing the date on a template is not a substantive review.

Documenting and approving the AML review

The AML record should identify the review by date and who carried it out, and state the evidence considered. 

It also needs to explain what prompted the review, how the conclusion was reached, and what changed as a result. Firms must assign each action to an owner and deadline, with any relevant policy changes circulated to staff.

Regulations 19 and 19A require written records of the AML framework and of how review changes were implemented and communicated. Senior management responsibilities should include approving that framework, including its measures on proliferation financing.

A concise review document is sufficient for a small practice if it clearly records how the review was carried out and acted on. Previous versions and decisions to retain existing wording should be kept.

In summary

A firm-wide AML review should happen on a planned cycle or whenever a material change means the current assessment may no longer reflect the practice. 

An annual review is the sensible baseline for many small practices, provided someone is also watching for AML developments that could bring the review forward.

It is therefore good practice to record the timing decision clearly. 

If nothing material has changed, the firm should say why the current FWRA still fits. Conversely, in instances where the risk outlook has shifted, the firm needs to update the assessment and make any related procedural changes.

Kane Pepi, Founder of Evidentia Compliance
Kane Pepi Founder, Evidentia Compliance

Kane Pepi is the founder of Evidentia Compliance, with a strong academic background in accounting, finance, and financial crime, and peer-reviewed research in money laundering and terrorist financing.

His work focuses on making AML compliance more practical for small regulated firms that face rising supervisory expectations and limited compliance capacity.

AMLWATCH BY EVIDENTIA
AML compliance updates and regulatory guidance for the accountancy sector

Stay informed on AML supervision, FCA developments, enforcement trends, and common compliance weaknesses affecting UK accountancy firms. AMLWATCH by Evidentia is written for small practices that need AML insight without the regulatory jargon.

    FAQs

    How often should a small accountancy firm review its firm-wide AML risk assessment?

    An annual review is a common starting point for many small firms. The timing should reflect the nature of the firm’s work and how much its business changes during the year. A review might need to happen sooner if a significant change affects the firm’s services, client base, or exposure to money laundering risk.

    What type of change could bring an AML review forward?

    A firm should consider an earlier review when a change could alter its overall risk position. Examples include moving into higher-complexity work or receiving new sector risk information that is relevant to the practice. Firms must evaluate whether the change affects the assumptions already documented or shows that existing controls may need attention.

    Does one higher-risk client require the firm-wide AML assessment to be updated?

    Usually, one client is dealt with through the firm’s client-level AML procedures. The firm-wide assessment might need review if the client signals a wider change, such as a growing concentration of higher-risk work. It can also be relevant if the engagement exposes a weakness that could affect how the firm manages similar risks across the practice.

    Can a micro accountancy firm keep its AML risk assessment short?

    A short assessment can be suitable if it clearly reflects the firm’s actual work and explains the main risks it faces. It should cover the features that influence the practice’s exposure, such as the types of clients and services involved. A brief document still needs enough detail to show how the firm reached its conclusions.

    What should be recorded when an AML review leads to no changes?

    The AML review record should confirm when the assessment was considered, who carried out and approved the review, and what information was taken into account. The note should also explain why the assessment remains suitable. This creates a clear record that the firm reached an active decision, even though no amendments were needed.

    Who should approve changes following a firm-wide AML review?

    Senior management should approve the firm’s AML framework and any changes arising from the review. The firm should also record who will complete any follow-up action and by when. When the review changes a policy or procedure, the people affected should be told what has changed so that everyday practice remains consistent with the updated position.

    References and Source Material

    Leave a Reply

    Your email address will not be published. Required fields are marked *