Strategic Priorities, Strategic Opportunity: Can the BWRA Catch Up?

Written By Stefania Cirignano

The UK’s 2025 National Risk Assessment (NRA) and, more importantly, the newly issued System Priorities for Economic Crime mark a real step forward in the fight against money laundering and terrorist financing. 

For the first time, the regulated sector has been given a clear, annually updated set of priorities, jointly developed by the NCA, FCA, Home Office and others, pointing to where collective effort and resource allocation will have the most systemic impact. 

It’s easy to be sceptical. We have been consistently critical of the limitations of how most firms approach the BWRA, often treating it as a static, backward-looking exercise disconnected from actual threats and risk events. Too many assessments reduce risk to categories and scores, without ever engaging with how criminals really operate. But we will say this: the new System Priorities present a genuine opportunity. For firms willing to rethink their approach, they offer a clear basis for aligning risk assessment with the threats that matter most. 

Finally, Clarity on What Matters Most 

Rather than rehashing broad sectoral risk ratings, the new priorities identify concrete criminal behaviours and typologies that are actively harming the UK financial system today: 

  • The laundering of illicit funds through UK corporate structures linked to Russia, China, Albania and others 

  • Sanctions evasion enabled by UK-based lawyers, accountants and company formation agents 

  • International fraud networks targeting UK victims using mule accounts and online platforms 

  • Abuse of cryptoassets to move criminal proceeds and finance terrorism 

These are not abstract compliance risks. They are actionable priorities, with real-world indicators and suggested responses. 

If you are a law firm, professional services provider, fintech, bank, or cryptoasset business, the message is clear: this is where the system needs you to focus. But it is not just about the sectors directly exposed, it is also about those enabling or servicing these parties, whether knowingly or through insufficient oversight. The expectation is shifting from passive awareness to proactive identification and disruption. 

It’s also a genuine opportunity to re-align internal resources to where they will have the greatest impact. Not just in ticking regulatory boxes, but in actively disrupting the mechanisms criminals rely on. 

So What’s the Problem? 

The problem is that most organisations are still working from a BWRA model that is not built to respond to system-wide threat intelligence

Here’s what I mean: 

  • Many BWRAs are built around fixed risk factors: customer types, product sets, jurisdictions.  

  • They often assess “inherent risk” without clearly articulating the specific threats that risk stems from or how it crystallises into an actual event. 

  • They summarise control frameworks but rarely test how effective those controls are against actual, evolving risks. 

Even with national priorities in hand, most BWRAs are structurally incapable of absorbing that insight and turning it into action

Take just one example: 

  • Strategic priority: Combatting the use of UK corporate structures by OCGs from Russia and China. 

  • Common BWRA approach: Assign a medium-high jurisdiction risk score to those countries, note that “company formation services are offered,” and move on. 

  • What’s missing? A scenario-based analysis of how these structures are used, what red flags exist, and critically whether their controls would catch them. 

Why This Matters Now 

With the introduction of annual System Priorities, threat intelligence is no longer a static reference point, it’s a living directive

But if the BWRA remains static, cyclical, and category-driven, firms will remain misaligned. Resources won’t shift. Controls won’t be appropriately tested. And strategic intent will be lost in operational inertia. 

That’s not just a compliance risk. It’s a missed opportunity to contribute meaningfully to national economic crime objectives.  Worse still, it is a waste of resource, whether that is teams churning out BWRAs that say nothing new, or control frameworks being maintained without any risk-informed evidence they work. Without change, we risk spending more while achieving less. 

A Way Forward 

To meet this moment, firms need a BWRA approach that: 

  • Starts with threats, not categories 

  • Translates those into plausible risk events tailored to the firm’s actual business model 

  • Assesses vulnerabilities and control effectiveness in that context 

  • Refreshes regularly based on emerging national intelligence (as well as the firm’s own internal insights), not a five-year cycle 

We are developing an alternative approach to BWRA grounded in this thinking. But the bigger message is this: 

  • The 2025 priorities show us where it matters. The question is, can our risk assessment frameworks keep up? 

This is a moment for the industry to evolve. Not just to comply, but to contribute. 

Stefania Cirignano
Next

BNPL Regulation: What Firms Need to Know as the FCA Tightens Oversight