When should firms review their AML risk assessment and policies?
Accountancy firms need to keep their firm-wide risk assessment (FWRA) and AML policies aligned with the way the business actually operates.
This means setting a sensible review cycle and knowing when changes in the practice, such as client base or services, require a review before the planned date.
The size and structure of the practice affect how this responsibility is organised. A sole practitioner can often use a brief, clearly reasoned record, while a growing firm might need more formal ownership and follow-up actions.
In any case, the firm’s AML documents should reflect current risks and support consistent controls.
Key takeaways
- Most small firms should treat an annual FWRA as a practical baseline.
- A review could be needed sooner when a material development alters the practice’s overall AML exposure.
- New services, delivery methods, or client concentrations should be considered before they become embedded in the practice.
- External risk information also needs active consideration, even when it does not lead to a policy change.
- Senior approval and dated action records help show that the review produced a documented decision.
Review frequency for firm-wide AML documents
The Money Laundering Regulations require firm-wide risk assessments to be kept up to date. They also state that firms must review and update their AML policies, procedures, and wider control framework regularly, so the FWRA and supporting arrangements continue to reflect how the practice operates.
CCAB guidance links review frequency to the risks the firm faces and the stability of its business environment. As such, a straightforward practice operating in settled conditions can justify a different timetable from one that is evolving or harder to oversee.
ICAEW suggests a similar approach. It says that an annual programme of senior-management review is likely to be appropriate for most firms.
Crucially, the review should still take place even when the practice has not changed substantially. The compliance calendar can record the review date and name the person responsible for monitoring any triggers that arise between scheduled reviews.
Changes that trigger an earlier AML review
The following developments can justify an unscheduled review of a firm’s AML risk assessment and policies.
Regulatory and external risk changes
External compliance developments, including thematic findings and risk publications relevant to the practice’s business model or risk exposure, can affect assumptions in the existing assessment.
Recent examples include the UK’s 2025 National Risk Assessment and HMRC’s accountancy-sector risk guidance, updated in January 2026. As confirmed by HMRC, accountancy firms must take its assessment into account when preparing their own FWRA.
Regulatory amendments can have the same effect if they change what the practice needs to consider in its AML arrangements.
Publication of new material, therefore, requires active consideration, although it does not automatically require every policy to change. The firm must decide whether the information alters its risk profile and if action is needed before the next planned review.
Changes to services, clients, or delivery model
Moving into a materially different or more complex service line can create AML risks beyond those arising from routine accounts preparation. These risks need to be assessed before the service is introduced, so that suitable controls form part of the new process.
A material change in how the practice delivers or supports its services risks introducing AML vulnerabilities or weakening established oversight. CCAB confirms that such changes should be reflected in the firm-wide assessment, with their risks considered before implementation.
For example, a sustained move towards a client base with greater complexity or higher risk could alter the practice’s overall level of financial crime exposure. Similarly, a major structural or growth-related change can also affect who performs controls and how consistently they operate.
Compliance evidence can reveal that a money laundering risk has been misunderstood or a mitigation is ineffective, providing another trigger for review.
CCAB supports event-driven reviews when events affect the firm’s risks, while ICAEW describes compliance reviews as a means of testing whether policies operate as intended.
One new client or an ordinary client-level change will not usually justify revising the firm’s overall assessment. Yet, the issue is whether the development materially changes the practice’s aggregate risk picture or exposes a gap in its AML controls.
What the AML review needs to test and update
A meaningful review compares the documented description of the practice with how it operates today. It should reconsider the practice’s client and business profile, together with its geographic and transactional exposure. These are the core regulatory risk factors.
HMRC recognises that an assessment can vary in format and level of detail according to the scale and operating model of the business. A micro-practice, for instance, can often use a concise narrative assessment, provided it shows that risks relevant to its actual business were considered.
If the review identifies a changed risk profile or controls that are no longer fit for purpose, firms should amend the FWRA and align their wider AML framework, forms, workflow systems, and day-to-day practice with it.
Practical takeaway: Simply changing the date on a template is not a substantive review.
Documenting and approving the AML review
The AML record should identify the review by date and who carried it out, and state the evidence considered.
It also needs to explain what prompted the review, how the conclusion was reached, and what changed as a result. Firms must assign each action to an owner and deadline, with any relevant policy changes circulated to staff.
Regulations 19 and 19A require written records of the AML framework and of how review changes were implemented and communicated. Senior management responsibilities should include approving that framework, including its measures on proliferation financing.
A concise review document is sufficient for a small practice if it clearly records how the review was carried out and acted on. Previous versions and decisions to retain existing wording should be kept.
In summary
A firm-wide AML review should happen on a planned cycle or whenever a material change means the current assessment may no longer reflect the practice.
An annual review is the sensible baseline for many small practices, provided someone is also watching for AML developments that could bring the review forward.
It is therefore good practice to record the timing decision clearly.
If nothing material has changed, the firm should say why the current FWRA still fits. Conversely, in instances where the risk outlook has shifted, the firm needs to update the assessment and make any related procedural changes.
FAQs
An annual review is a common starting point for many small firms. The timing should reflect the nature of the firm’s work and how much its business changes during the year. A review might need to happen sooner if a significant change affects the firm’s services, client base, or exposure to money laundering risk.
A firm should consider an earlier review when a change could alter its overall risk position. Examples include moving into higher-complexity work or receiving new sector risk information that is relevant to the practice. Firms must evaluate whether the change affects the assumptions already documented or shows that existing controls may need attention.
Usually, one client is dealt with through the firm’s client-level AML procedures. The firm-wide assessment might need review if the client signals a wider change, such as a growing concentration of higher-risk work. It can also be relevant if the engagement exposes a weakness that could affect how the firm manages similar risks across the practice.
A short assessment can be suitable if it clearly reflects the firm’s actual work and explains the main risks it faces. It should cover the features that influence the practice’s exposure, such as the types of clients and services involved. A brief document still needs enough detail to show how the firm reached its conclusions.
The AML review record should confirm when the assessment was considered, who carried out and approved the review, and what information was taken into account. The note should also explain why the assessment remains suitable. This creates a clear record that the firm reached an active decision, even though no amendments were needed.
Senior management should approve the firm’s AML framework and any changes arising from the review. The firm should also record who will complete any follow-up action and by when. When the review changes a policy or procedure, the people affected should be told what has changed so that everyday practice remains consistent with the updated position.
References and Source Material
- HMRC, Risks common to accountancy service providers
- HMRC, Risk assess your business for money laundering supervision
- Money Laundering Regulations 2017
- CCAB, Anti-Money Laundering and Counter-Terrorist Financing Guidance for the Accountancy Sector
- HM Treasury, National Risk Assessment of Money Laundering and Terrorist Financing 2025
- ICAEW, Firm-wide risk assessments Q&A
- ICAEW, Firm-wide risk assessment methodology

