Blog What the 2025 National Risk Assessment means for your firm

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

The latest edition, the 2025 NRA, is the fourth in the series and sets out the key national threats, sector vulnerabilities, and trends shaping the UK's financial crime landscape.

In its own words, it is "a vital tool in our ongoing work to understand and disrupt the evolving threat posed by criminals and terrorists who try to move their illicit money through our financial system".

It examines how threats have evolved and highlights the actions taken to address risks identified in the last NRA, back in 2020.

It's an interesting read, for sure, but more than that, it's there to inform regulated firms' own Business Wide Risk Assessments, required under Section 18 of the Money Laundering Regulations.

Here are some helpful steps to use the NRA to genuinely protect your business.

1. Focus on the relevant parts.
   • The NRA covers all regulated sectors from banking to real estate, but you only need to focus on what's relevant for your firm. The NRA is broken into money laundering and terrorist financing threats with example typologies, and even more helpful, provides risks broken down by sector (retail banking, accountancy, legal, crypto etc).
2. Compare the NRA findings to your business model.
   • If the NRA says your sector is high risk, your risk assessment and your control framework should reflect this. That doesn't mean that all of your business and transactions are high risk, but that the default position for due diligence should be higher.
   • For example, if mortgages are part of your business, consider the property-related vulnerabilities identified in the NRA.
3. Map the NRA risk factors to your firm
   • Take the identified vulnerabilities and typologies and match them to your:
     • Customers (PEPs, overseas clients etc)
     • Products and services (mortgages, savings, correspondent banking)
     • Delivery channels (face-to-face, online, telephony)
     • Geographic exposure (links to high-risk jurisdictions)
4. Rate the risk
   • Where the NRA shows that risks are increasing at a national level, update your risk score and narrative to reflect that.
5. Document, document, document!
   • Explain clearly the links to the NRA, and explain how your policies, processes and controls are being amended to reflect the changes.
6. Don't stop there…
   • A bit like painting the Forth Bridge, maintaining your risk assessment never stops. It should be reviewed at least annually, but, if possible, it should be revisited after any significant updates (such as the NRA or a sectoral risk assessment from your supervisor) or events (new threats identified by law enforcement or material changes in your business' products, services delivery channel or client profile).

The National Risk Assessment is a blueprint for the money laundering and terrorist financing threats faced by your firm. If you use it wisely and map it effectively to your own risk assessment, not only will you meet your regulatory obligations, but you'll be proactively protecting your firm from evolving financial crime threats.

Claire Rees, Financial Crime Regulatory Specialist at Jade ThirdEye, has over 25 years' experience working in Risk Management roles in financial services. Find out more at https://www.jadethirdeye.com