Why enforcement still isn’t learning the right lessons about the BWRA


Over the past decade, UK regulators have issued a steady stream of enforcement notices criticising firms’ financial crime frameworks. Weak customer due diligence. Poor transaction monitoring. Inadequate governance. Ineffective escalation. Insufficient oversight. The list is long, familiar, and at this point well rehearsed.

Yet when I recently undertook a systematic review of FCA financial crime enforcement action over the last ten years, one finding stood out above all others: despite the centrality of the Business-Wide Risk Assessment (BWRA) to the risk-based approach, it is explicitly criticised in just two cases [1].

That is not a typo. Of the 30 financial-crime-related enforcement notices issued since 2014, 17 of which involved breaches of Principle 3 (risk management and control), the BWRA appears directly in only two final notices. In one, it was described as “high-level and lacking sophistication”. In the other, it did not exist at all.

Everything else (the control failures, the missed risks, the poor outcomes) is treated as though it materialised independently.

If we are serious about learning from failure, that should give us pause.

The BWRA is supposed to be causal, not ceremonial

The BWRA is not a compliance artefact. It is not a box-ticking exercise. And it is not meant to be a static document updated once a year and quietly filed away.

At least in theory, it is the mechanism through which a firm:

  • identifies where it is vulnerable to financial crime,

  • analyses how those risks crystallise in practice,

  • evaluates which risks matter most,

  • and directs the design and calibration of controls accordingly.

That is not my interpretation; it is embedded in regulation, in FATF standards, and in the logic of the risk-based approach itself. If customer due diligence is weak, or transaction monitoring is mis-calibrated, or governance arrangements are ineffective, then the obvious question is what the BWRA failed to identify, analyse, or prioritise.

Yet enforcement action rarely asks (let alone answers) that question.

Instead, the BWRA sits in the background, implied rather than examined, while attention is focused almost exclusively on downstream failures in controls.

What the enforcement record actually shows

The research analysed a decade of FCA financial crime enforcement through the lens of ISO 31000, the international standard for risk management. That framework distinguishes between:

  • risk identification (what can go wrong),

  • risk analysis (how and why it goes wrong),

  • risk evaluation (what matters most),

  • risk treatment (controls),

  • and risk governance (oversight, monitoring, escalation).

When viewed this way, a striking pattern emerges.

Most enforcement action clusters around risk treatment, particularly customer due diligence and transaction monitoring. Firms failed to obtain adequate information. Failed to risk-rate customers properly. Failed to calibrate monitoring systems. Failed to respond to what the systems were telling them.

But very little attention is paid to the upstream steps that should have shaped those controls in the first place.

In several cases, the FCA implicitly criticised firms’ understanding of risk, noting, for example, insufficient understanding of unmonitored transactions or poorly informed sanctions risk decisions. Yet even here, the BWRA itself was not unpacked. The causal chain was left unexplored.

The result is an enforcement narrative that tells firms what failed, but rarely why.

Why this matters: controls don’t fail in isolation

Controls do not fail randomly. They fail because they are:

  • designed against the wrong risks,

  • calibrated to the wrong assumptions,

  • or prioritised incorrectly.

All three are BWRA failures.

If a firm applies standard CDD to a customer segment that actually presents elevated exposure, that is not merely a CDD problem. It is a failure to identify and analyse the underlying risk event. If transaction monitoring thresholds are set too high to detect known typologies, that reflects a failure to translate risk understanding into control design.

By treating these as isolated control issues, enforcement action risks obscuring the structural weaknesses that caused them, and, in doing so, limits the industry’s ability to learn.

The guidance problem: aligned, but skewed

Industry guidance does not fully solve this problem.

The JMLSG Guidance Notes are broadly aligned with regulatory expectations, but they are heavily weighted towards customer risk assessment and CDD, with far less attention given to:

  • risk identification as a discipline in its own right,

  • the distinction between analysis and evaluation,

  • transaction-level risk assessment,

  • or the iterative recalibration of controls based on emerging risk intelligence.

In effect, guidance reinforces the same narrow focus seen in enforcement action: controls first, risk second.

This may help firms demonstrate technical compliance, but it does little to support genuine risk management, particularly when financial crime threats are evolving faster than static taxonomies and periodic reviews can keep up.

Learning from failure means interrogating the BWRA

If we want enforcement action to drive improvement rather than repetition, something needs to change.

Specifically:

  • Enforcement notices should articulate where in the risk assessment process the failure occurred, not just which control broke.

  • Firms should be challenged on how their BWRA informed — or failed to inform — specific design decisions in CDD and transaction monitoring.

  • Supervisors should be clearer about how their own assessment of a firm’s risk profile diverged from the firm’s self-assessment, and why that mattered.

None of this requires new rules. It requires a shift in emphasis, from outcomes alone to causality.

From compliance to comprehension

The uncomfortable truth is that many BWRAs are still written to satisfy an obligation, not to answer hard questions. They catalogue risk factors but stop short of articulating risk events. They score risks without explaining mechanisms. And they struggle to bridge the gap between firm-wide exposure and operational reality.

The research was not intended as an academic critique for its own sake. It was motivated by a simple observation: firms are investing more than ever in financial crime controls, yet outcomes remain stubbornly poor.

If we want that to change, the BWRA needs to reclaim its role as the engine of the risk-based approach, not its appendix.

Because until we properly understand how risk was misunderstood, we will keep fixing the symptoms while leaving the cause untouched.

[1] Russell, M. (2025). What are the key components of an effective methodology for conducting business-wide risk assessments for money laundering? Journal of Financial Compliance, 9(2), 168–183.
