Top Data Sources for a Robust Business-Wide Financial Crime Risk Assessment (BWRA)

When building a Business-Wide Risk Assessment (BWRA)*, Firm-Wide Risk Assessment (FWRA), or Risk & Control Self-Assessment (RCSA) or AML Risk Assessment, one of the most common weaknesses regulators flag is a failure to base the assessment on credible, data-driven sources.

The FCA, and JMLSG all stress that firms must evidence their AML/financial crime risk assessments using authoritative internal and external data sources. This blog sets out the top AML data sources every compliance officer, MLRO, and AML risk professional should use in 2025.

*Also referred to as Firm-Wide or Enterprise-Wide AML/Financial Crime Risk Assessment

Why Data Sources Matter in AML Risk Assessments

• Regulators expect defensible methodology, not assumptions.
• Using the right data sources helps firms evidence the AML risks they face and calculate their inherent Financial Crime and AML risks.
• A well-documented BWRA/FWRA forms the foundation of your firms AML Framework, REP-CRIM reporting, MLRO Reports, and regulatory audits.

🔹 1. Core Legal & Regulatory Frameworks

Why this matters: These are the mandatory foundations of your BWRA/FWRA. They establish the legal duty, FCA expectations, and industry guidance for structuring and evidencing your firm’s financial crime risk assessment.

UK Money Laundering Regulations 2017 (as amended) 📎 MLR 2017 – Legislation.gov.uk Regulation 18 sets the legal requirement to conduct and maintain a documented Business Wide Risk Assessment(BWRA). This regulation is the baseline expectation for all AML frameworks in the UK.

FCA Financial Crime Guide (FCG) 📎 FCA Financial Crime Guide Practical guidance published by the FCA covering money laundering, sanctions, fraud, bribery and corruption. It sets out supervisory expectations on systems and controls and is one of the first documents the FCA will refer to when reviewing a firm’s AML framework.

JMLSG Guidance – Risk-Based Approach 📎 JMLSG Guidance – Part I, Chapter 4 Provides detailed guidance on applying a risk-based approach in practice. Chapter 4 sets out what factors firms must assess — including customer types, products, services, delivery channels, and geographic risk.

🔹 2. International AML Standards & Typologies

Why this matters: Financial crime and Money Laundering is borderless. Firms are expected to show awareness of global typologies and cross-border risks, especially if they operate internationally, receive cross border payments or serve customers in high-risk jurisdictions.

FATF Risk-Based Approach (RBA) & Typology Reports 📎 FATF RBA Library FATF sets the global AML/CFT standard. Its RBA papers outline principles for building risk assessments, while typology reports highlight emerging criminal methods — from trade-based laundering to virtual assets.

EU Supranational Risk Assessment (SNRA) 📎 EU SNRA Highlights money laundering (ML) and terrorist financing (TF) threats that span multiple EU jurisdictions. These assessments are particularly valuable for firms with EU operations, cross-border flows, or correspondent banking relationships

Europol Threat Assessments 📎 Europol Publications Provides intelligence on topics like serious organised crime, cross-border laundering networks, mule account activity, and cyber-enabled threats. Europol’s reports help firms anticipate emerging typologies and strengthen their AML risk assessments with law-enforcement-driven insights and money laundering typologises.

🔹 3. UK National Risk & Intelligence Sources

Why this section matters: UK regulators expect firms to align their risk assessments with national intelligence and priorities. This ensures the BWRA reflects both systemic threats and the UK government’s official risk picture.

UK National Risk Assessment (NRA) 2025 📎 NRA 2025 /📎 NRA 2020 Regulators expect firms to align their AML assessments with national intelligence and government priorities. Referencing these sources shows that your BWRA reflects the UK’s evolving ML/TF threat picture. With the release of the 2025 National Risk Assessment (NRA) in July, firms must be able to demonstrate how their exposure has shifted since the 2020 NRA. Comparing the two evidences awareness of sectoral changes — for example, highlighting how risks in particular industries have increased or reduced.

Economic Crime System Priorities (2025) 📎 System Priorities Sets out nine national priorities for tackling economic crime. These priorities help firms align their frameworks with the UK’s system-wide strategy, ensuring resources are deployed in a proportionate, risk-based, and cost-effective manner.

JMLIT Alerts & Threat Assessments 📎NECC – JMLIT Provides typology alerts, sector-specific threats, and intelligence-led guidance — helping firms stay ahead of emerging risks and directly informing the AML risks they must identify, assess, and manage.

🔹 4. FCA Supervisory Insights

Why this matters: These insights come directly from the FCA and highlight what the regulator looks for in AML frameworks. They provide clear signals of priority areas, common weaknesses, and examples of poor practice. For a BWRA, this means firms can benchmark their approach against regulatory expectations, ensuring the assessment addresses known weaknesses and avoids the pitfalls that have led to enforcement in other firms.

FCA Thematic Reviews 📎 FCA Thematic Reviews The FCA uses thematic reviews to identify common weaknesses and share industry-wide lessons. They provide valuable insight into how different sectors approach AML controls, governance, and AML risk assessments, and are often referenced during supervisory visits. For example: TR14/16 – Small Banks which remains highly relevant today for firms. The review highlighted issues such as inadequate risk assessments, weak sanctions screening, and insufficient oversight by senior management. Firms can use these findings to stress-test their own BWRAs, ensuring they address the same vulnerabilities before they are raised by the regulator.

FCA Dear CEO Letters 📎 FCA Dear CEO Letters Formal communications outlining supervisory concerns and expectations. The Annex 1 – Dear CEO Letter on Financial Crime Systems and Controls (2024) specifically highlights AML control weaknesses and sets the benchmark for what “good” looks like.

FCA Enforcement Actions & Final Notices 📎 FCA Enforcement Case studies in ineffective controls and oversight. These notices show where BWRAs have been poorly executed or disconnected from real control effectiveness.

🔹 5. Sanctions Compliance & Financial Crime Trends

Why this matters: Sanctions are among the fastest-moving risks facing firms. They change rapidly in response to geopolitical events and regulatory updates. Your BWRA must evidence how these risks are identified, assessed, and managed using both authoritative external guidance and your own internal management information (MI). Regulators expect firms not only to document sanctions exposure and fraud typologies but to show how this intelligence drives control design.

OFSI Enforcement & Threat Assessments 📎 OFSI Enforcement OFSI guidance provides practical direction on sanctions screening, asset freezes, and reporting obligations. When combined with sanctions threat assessment reports, it helps firms evaluate the scale and nature of the risks they face and prioritise controls accordingly. Referencing these sources in your BWRA also shows that sanctions exposure is being treated as a live, dynamic risk. Enforcement outcomes and fines issued by OFSI reinforce why this matters — they highlight the consequences of weak sanctions controls and provide real-world examples firms can use to stress-test their own frameworks.

NCA SARs in Action & Fraud Data 📎 SARs in Action SARs in Action provides case studies and typology analysis drawn from real suspicious activity reports. Combined with your own SAR data, declined customers, and fraud data, these insights give a real-time view of how risks materialise in practice. This allows your BWRA to highlight control gaps and emerging threats that may not yet be captured in regulatory guidance.

📈 Use your own SAR and fraud reporting trends as a primary input into your FWRA/RCSA.

🔹 6. Sector-Specific Industry Alerts

Why this matters: No two sectors face the same risks. Sector body updates and typology alerts help tailor your BWRA to reflect industry-specific vulnerabilities, whether in payments, banking, or legal service Industry bodies such as:

• Law Society
• UK Finance
• CIFAS
• The Payments Association

These often publish typology alerts, risk assessments, and sector guidance that can strengthen your BWRA narrative.

How to Use These Sources in a BWRA / FWRA / AML Risk Assessment

1. Map external data (NRA, FATF, FCA) into your inherent risk framework.
2. Add internal MI (SARs, TM alerts, rejected clients, audit findings) to document the AML risks your firm faces .
3. Overlay control testing Assess risks through a structured Risk and Controls methodology, clearly stating how effective your controls are in mitigating each risk. Effectiveness should be scored based on whether the controls have been independently tested, monitored, or remain untested
4. Track evolution over time — demonstrate how risks and controls change.

This makes your BWRA or FWRA or AML risk assessment dynamic, defensible, and regulator-ready.

FAQs on AML Data Sources

Q1: What are the essential data sources for a BWRA?
A: UK MLR 2017, FCA FCG, JMLSG Guidance, UK NRA, FATF Typologies, FCA Dear CEO Letters, Enforcement Notices, OFSI Guidance, and internal SAR/fraud MI.

Q2: How often should a BWRA be refreshed?
A: At least annually, or whenever there are material changes (new NRA, updated FATF guidance, product launches, new jurisdictions).

Q3: What’s the difference between a BWRA and an RCSA?
A: A BWRA identifies firm-wide inherent risks, while an RCSA tests control effectiveness. Both should be linked to provide a full risk picture.

Final Word

Using these authoritative AML data sources ensures your BWRA/FWRA/RCSA is compliant, evidence-based, and future-proof.

Platforms like LensIQ embed these sources dynamically, linking risk → control → evidence into a single source of truth — making your AML framework audit-ready at any moment.

Ready to discuss how the LensIQ platform can help your organisation put an agile, intelligent risk assessment solution in place – click here to contact our team today, or alternatively you can sign up for a 7-day free trial below.