Five key takeaways from the 2025 national risk assessment

The latest updates to the UK national risk assessments (NRA) mark a real shift to reflect the increased threats posed by geopolitical conflict, emerging technologies and weak defences in businesses, and legal firms are in the spotlight.

Why this NRA is different

Published by HM Treasury and the Home Office, the updated NRA draws on regulatory data, intelligence reports and feedback from industry supervisors and reflects five years of learning.

One of the key differences is how much more attention is given to cross-border risk, high-risk jurisdictions and UK legal professionals, unknowingly or not, moving and obscuring illicit wealth.

The war in Ukraine and the sanctions imposed on Russia have been cited as a key reason for the increased focus on this area.

Section 3.3 of the NRA states: “In the wake of Russia’s invasion of Ukraine, we are seeing increased convergence between money laundering with kleptocracy and sanctions evasion.”

The new NRA isn’t just a policy document. It’s a blueprint regulators will use to assess compliance.

Here are five key areas where it could affect you.

1. Your risk profile may have changed

Legal firms, particularly trust and company service providers (TCSPs) that offer services involving company formation, trusts, property or cross-border clients, remain in the high-risk category for money laundering.

The risk of terrorist financing for TCSPs has been increased from low to medium due to “an increased understanding of how the TCSP sector is exposed to organisational terrorist financing risks” (NRA 2025, section 5.240).

Criminals continue to exploit legitimate professionals to make transactions look credible, hide beneficial ownership or bypass sanctions.

Legal privilege can be misused to delay or block detection.

2. Russia, sanctions and cross-border flows

The update puts increased weight on international threats.

If your firm has any exposure to foreign clients, offshore structures or overseas transactions, these risks apply to you.

Sanctions have forced many criminals to seek more creative methods of access and asset movement, often via UK intermediaries.

Legal professionals involved in conveyancing, corporate law or private client services are at risk of being used as unwitting enablers.

The NRA states: “Conveyancers who deal with prime or super-prime property purchases are more likely to be exposed to higher risk persons such as politically exposed persons (PEP), and overseas buyers where it may be more difficult to assess source of wealth” (section 5.203).

3. Technology and deception are evolving

While cross-border risk has increased, so has the sophistication of fraud.

If you’re still relying on paper forms, manual checks or ad hoc processes, these emerging threats could slip through the cracks.

The NRA highlights new threats including:

• deepfakes and synthetic identities
• AI-generated documents that appear genuine
• decentralised finance platforms
• criminal use of encrypted messaging to bypass monitoring
• exploitation of legal privilege or client accounts to shield activity

The NRA states: “Engagement between the private sector and law enforcement suggests that there has been use of AI for synthetic bank account creation, fraud and impersonation, phishing and onboarding of money mules” (section 6.1).

4. Incomplete risk assessments are still letting firms down

The NRA singles out business-wide risk assessments as one of the most common areas of weakness for many regulated businesses, in particular TCSPs and conveyancing.

If your risk assessment doesn’t reflect how your legal services are delivered, such as who your clients are, what jurisdictions they operate in and what types of transactions you handle, then you’re at risk of enforcement action.

“Supervisors continue to report that inadequate due diligence and risk assessments remain the most common compliance failings” (section 5.242).

5. Your anti-money laundering (AML) regulator will expect more

Regulators are using the updated NRA to shape their inspection frameworks.

You can expect your next audit to scrutinise how you’ve responded to the updated risks.

This means updating your risk assessment to reflect geopolitical issues, sanctions and technological threats as well as ensuring it reflects your actual legal services.

It also means demonstrating that your staff understand these changes and can act on them.

The NRA states: “The HM Treasury 2023/24 report showed an increase in the number and total value of fines issued by professional body supervisors (PBS), with 240 fines issued” (section 5.200).

Five key next steps

1. Read the 2025 NRA – focus on the sections relating to legal professionals and cross-border risks
2. Review your risk assessments and policies, controls and procedures (PCP) – use a structured platform to ensure your documentation is current and credible
3. Tailor your client risk assessments – reflect services, jurisdictions and transaction types relevant to your firm
4. Train your team – practical training on the landscape, your processes and what to do if they have suspicions about a client are crucial
5. Document everything – AML is about what you show as much as what you do