The New National Risk Assessment Is Out. Will Anything Actually Change?
Another five years. Another 200-page document. Another tick-box update to the business-wide risk assessment.
If that sounds cynical, it’s because the evidence suggests it’s true.
The UK’s 2025 National Risk Assessment (NRA) was published yesterday with little fanfare. It confirms what many of us working in financial crime already know: the threat landscape continues to evolve. Crypto laundering is increasingly sophisticated. AI is becoming a double-edged sword. Payment firms and EMIs are now firmly in the crosshairs. And the abuse of professional services, especially by complicit actors, is no longer theoretical.
Yet the bigger question remains: Will firms meaningfully update their business-wide risk assessments (BWRAs) in response to any of this? And if not, why do we keep doing this dance?
What’s Changed Since 2020?
The 2025 NRA introduces several important updates:
Cryptoasset risk is now fully mainstream. Where once this was an emerging concern, crypto is now deeply embedded in laundering typologies. OTC brokers, privacy wallets, and cross-chain bridges are the new normal.
Payment firms are facing heightened scrutiny. EMIs and PSPs are flagged for their scale, speed, and visibility gaps, characteristics that let criminals ‘hide in plain sight’ among legitimate transaction volumes.
Artificial Intelligence is now a live risk factor. While AI holds promise for detection, it also empowers fraud, evasion, and laundering at scale.
Cash hasn’t gone away. Operation Machinize saw 380 barbershops and cash-intensive businesses raided this year. Despite years of risk awareness, traditional laundering channels continue to flourish.
Professional enablers are back in focus, this time with teeth. A cross-system strategy is targeting complicit legal and accountancy actors, and enforcement powers are expanding.
There are also structural reforms: new data laws, enhanced SARs systems, and a shift to publishing annual threat priorities under a “System Prioritisation” banner. The machinery is moving.
But what about the risk assessments inside regulated firms?
The Real Risk Is What Happens Next
The NRA does something important: it outlines the latest understanding of the UK’s threat landscape, the external criminal behaviours and predicate offences that generate illicit finance. But most BWRAs stop short of analysing how those threats translate into risks for their own business models, operations, customer profiles, and control environments.
Instead, they list categories, quote sectoral ratings, and describe controls. What’s often missing is the connective tissue: how specific threat behaviours could lead to well-defined risk events within a firm, and whether existing controls are designed, and operating, to interrupt them. Without that, risk assessments struggle to drive meaningful change.
If crypto OTC brokers are facilitating hundreds of millions in laundering annually, how many compliance teams have modelled those behaviours as threat scenarios, rather than listing “cryptoassets” as a generalised risk factor?
If sanctioned Russian individuals are exploiting UK law firms and professional services to obscure assets, how many legal sector BWRAs explicitly test control effectiveness against this threat, rather than simply noting “high-risk clients” or “complex structures” in a list of risk factors?
We’ve turned national intelligence into a performative exercise in regulatory box-ticking.
We Need a Different Approach to Risk Assessment
It’s time to move on from the idea that just quoting the NRA (or just including it within your list of sources) makes your risk assessment compliant. It doesn’t. And more importantly, it doesn’t make it useful.
Here’s what a more effective approach could look like:
Start with risk events, not categories. Define plausible scenarios in which money laundering could occur based on how your services, products, and customers might be misused.
Map threat behaviour to specific exposure points. Understand where in your business model those threats could materialise, and how they would interact with your controls.
Use the NRA as input, not output. Draw from national threat intelligence to inform your risk events and relevant scenarios, not to justify existing scoring tables.
Clearly distinguish between threats, vulnerabilities, risk and control effectiveness. Too many assessments blur these concepts, treating inherent risk as a starting point rather than an output of structured analysis. A clear understanding of each component is essential to accurately assess the risk event and to identify the points where threats can be prevented or detected through effective controls.
This isn’t regulatory idealism. It’s operational realism. It’s how you move from managing reputation and compliance risk to managing financial crime risk.
A Call to Action
The publication of the 2025 NRA should be a moment for introspection. Not just in MLRO functions, but in risk, audit, compliance, and the boardroom.
Ask yourself:
Has our understanding of financial crime risk meaningfully changed since 2020?
And if it has, has our assessment process changed with it?
If the answer is no, the 2025 NRA isn’t a resource, it is a missed opportunity.
Here at Avyse, we are thinking differently, with an approach grounded in threat intelligence, risk events, isolating controls and genuine assurance. If that resonates, or makes you uncomfortable, we’d love to talk.
Because quoting the NRA isn’t risk assessment. It is risk avoidance.