Firm-wide risk assessment vs client risk assessment: Key differences

Accountancy professional reviewing client records for firm-wide and client AML risk assessment

Last updated: June 11, 2026

A firm-wide risk assessment and a client risk assessment are both part of anti-money laundering compliance, but they serve different purposes.

The firm-wide risk assessment takes a practice-wide view, and it helps the firm understand where its money laundering, terrorist financing, and proliferation financing risks are likely to arise. 

The client risk assessment brings that wider view down to the client file, so the firm can decide what level of AML control is proportionate.

Key takeaways

The simplest way to separate a firm-wide and client risk assessment is to identify the level of decision each supports:

  • The firm-wide risk assessment takes the practice-level view. It considers how the firm’s work, client base, and delivery model contribute to risk.
  • The client risk assessment focuses on one specific client or engagement. It records the risk presented by that relationship and the work being provided.

The distinction is especially relevant in a small accountancy firm because the same person may be responsible for both assessments. 

The practical risk is that the two records become interchangeable, which can blur the difference between firm-level risk and client-level judgement. Therefore, each assessment still needs to keep its own purpose.

The key takeaway is that a client assessment cannot replace the firm-wide assessment. The firm still needs one record to explain its overall risk view and another to show the judgement made on the individual file.

What the firm-wide risk assessment does

The firm-wide risk assessment helps the practice understand where its overall financial crime exposure comes from.

It looks at the features of the firm’s work that shape its risk profile. In practice, this means identifying which services, client types, and delivery methods carry more or less risk.

For example, a small firm that mainly prepares accounts and tax returns for local businesses will have a different risk profile from a practice acting for clients with more complex ownership structures. 

As such, the firm-wide risk assessment should reflect the firm’s real work, rather than a generic view of the accountancy sector. Once that wider risk view is clear, it can guide the firm’s controls. 

In addition, the assessment may affect how the firm onboards clients, carries out due diligence, and reviews or escalates higher-risk files. It should also help the firm explain why those controls are proportionate to the risks identified.

Further reading: How to build a firm-wide risk assessment as a small accountancy firm

What the client risk assessment does

The client risk assessment helps the firm decide the risk level of a specific case, which then sets the level of due diligence it applies.

For instance, the firm may need to confirm who the client is, understand ownership, and decide whether enhanced due diligence is needed.

This assessment is not the same as identity verification, which simply confirms who the client is. In contrast, the risk assessment determines the proportionate level of due diligence and ongoing monitoring required. 

A client may present a higher risk when several details about the relationship raise the same concern. An established local company, for example, may be straightforward if ownership and records are clear, and the work is routine. 

Yet, the AML position can change if the company’s cash activity or transaction patterns become harder to explain.

In that situation, the client assessment should show how the firm reached its AML conclusion. If the client is treated as low risk, the file should explain why routine due diligence and monitoring are enough.

How the two AML assessments should connect

The firm-wide assessment turns expected risk areas into file-handling priorities.

If the accountancy practice works with higher-risk client types or delivery methods, such as cash-intensive businesses or remotely onboarded clients, those risks should be recognised at the firm level. This gives the practice a basis for designing its client risk assessment process.

In other words, the firm-wide assessment should identify the risks most likely to affect the firm’s checks and escalation decisions.

This practice-level view should then influence the questions asked on client files. Where remote onboarding is a higher-risk feature, the client file should show how that risk was managed.

The client assessment applies the AML basis to the file

The client file should show which firm-wide risk factors are present, absent, or controlled.

A firm may decide at the firm level that cash-intensive clients need closer consideration because key evidence can be harder to assess. This means that when the firm takes on a cash-based retail client, the client assessment should consider whether the business profile and records support the explanations provided.

Importantly, however, this does not automatically make the client high risk. On the contrary, the firm may still record the file as manageable if the evidence supports the explanation and the service scope is limited. The rationale recorded reflects the file evidence for the client-level judgement.

Practical takeaway: Traceability helps avoid a common weakness in small firms, where a firm-wide assessment is not reflected in client files. The file should therefore link back to the firm-wide risks without being merged with them.

Client findings can update the AML firm-wide view

The firm-client assessment relationship also works in reverse. This is because the client assessment may show that the firm-wide assessment has become out of date.

If the practice’s client mix or new service lines shift materially, for example, towards overseas ownership or non-face-to-face clients, the firm-wide assessment may need updating. The same applies if client file reviews show a recurring pattern of concern.

While the firm-wide assessment does not need to be rewritten after every new client, recurring file issues should feed back into it when they indicate that the firm’s risk profile has changed.

Regulatory changes may also require firms to revisit their AML controls and risk assessment approach. Our guide to the 2026 AML Amendment Regulations explains the rule changes accountancy firms may need to factor into their AML procedures.

Which AML assessment should be used when

IssueAssessment to use
What are the main AML risks in the practice?Firm-wide risk assessment
What risk level is this client?Client risk assessment
What customer due diligence is needed?Client risk assessment, informed by the firm-wide risk assessment
Do the firm’s controls match the work it does?Firm-wide risk assessment
Has a client become higher risk?Client risk assessment, with a possible firm-wide review if a wider pattern is emerging
Are onboarding questions covering the right risks?Firm-wide risk assessment, tested against client files

While the above table is mainly a routing check, it helps prevent firm-wide reasoning from being pushed onto client files. It also ensures that client-specific judgements are not treated as a substitute for the firm-wide view.

In summary

The firm-wide risk assessment gives the practice its AML risk map, while the client risk assessment uses that map on individual client files.

Small accountancy firms need both assessments, and although they can be concise, they must reflect the firm’s current work and connect with each other. 

The final check is whether the firm-wide risks can be traced through to the relevant client file.

Kane Pepi, Founder of Evidentia Compliance
Kane Pepi Founder, Evidentia Compliance

Kane Pepi is the founder of Evidentia Compliance, with a strong academic background in accounting, finance, and financial crime, and peer-reviewed research in money laundering and terrorist financing.

His work focuses on making AML compliance more practical for small regulated firms that face rising supervisory expectations and limited compliance capacity.

AMLWATCH BY EVIDENTIA
AML compliance updates and regulatory guidance for the accountancy sector

Stay informed on AML supervision, FCA developments, enforcement trends, and common compliance weaknesses affecting UK accountancy firms. AMLWATCH by Evidentia is written for small practices that need AML insight without the regulatory jargon.

    FAQs

    Do accountancy firms need both a firm-wide risk assessment and client risk assessments?

    Yes. The two assessments answer different AML questions. The firm-wide assessment looks at the risks created by the firm’s services, clients and way of working. A client risk assessment then applies that wider understanding to one client or engagement, so the file shows why the chosen level of due diligence is suitable.

    Can the same person prepare both AML assessments in a small firm?

    Yes. One person may prepare both records, but the two judgments must be kept separate. The firm-wide assessment should outline the firm’s overall exposure, while the client assessment should explain the risk decision for the individual client file.

    Is checking a client’s ID the same as completing a client risk assessment?

    No. Checking identity documents only confirms who the client is. A client risk assessment evaluates the broader AML position for that relationship, including the nature of the client, ownership, and business activity.

    How should firm-wide AML risks affect client risk assessments?

    The firm-wide assessment should determine what the firm looks for in client files. The client assessment should then apply those firm-wide risk factors to the specific relationship, showing which risks are present, how they were considered, and why the final risk conclusion was reached.

    When should a firm-wide AML risk assessment be reviewed?

    A review may be needed when the firm’s overall risk picture changes. This could happen if the firm starts serving different types of clients, offers a new service, or sees the same concern appearing across several client files. A single new client will not always mean the whole assessment needs changing.

    What can cause a client’s AML risk level to change?

    A client’s risk level can change when new information affects the firm’s understanding of the relationship. For example, ownership may become less clear, or records may no longer support the business explanation. The client assessment should then be reconsidered in light of the new information.

    References and Source Material

    Leave a Reply

    Your email address will not be published. Required fields are marked *