AML compliance for small firms - conducting a risk assessment, part one

12 February 2018

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Money Laundering Regulations), which came into effect on 26 June 2017, have posed a challenge for firms of all sizes.

This three-part series looks at the Money Laundering Regulations from the perspective of small firms and provides tips on effective compliance. More detailed information can be found in the draft legal sector AML guidance.

What type of work is 'regulated'?

The Money Laundering Regulations apply to firms engaged in the following transactions:

  • Buying and selling of real property or business entities
  • Managing client money, securities or other assets
  • Opening or managing bank, savings or securities accounts
  • Organising contributions necessary for the creation, operation or management of companies
  • Creating, operating or managing trusts, companies, foundations or similar structures.

Payment of costs to lawyers, provision of legal advice, participation in litigation and will-writing are not covered, reflecting the lower risk of exposure to money laundering from these activities.

If your firm does a mixture of regulated and unregulated work, the Money Laundering Regulations will apply to the regulated aspects only. Your internal risk assessment should state that only some of your work is regulated, but the type and frequency of this work may still lead you to conclude your firm is at a high risk of being targeted by criminals.

Conducting a risk assessment

A key feature of the Money Laundering Regulations is the ‘risk-based approach’ to preventing and detecting money laundering, and the specific requirement to undertake and maintain a documented practice-wide risk assessment.

There are no black and white rules that explain when you might decide your firm is at high risk of exposure to money laundering activity. The conclusions of your practice-wide risk assessment are a matter of judgment. The type of work you do, how often you engage in regulated activities, and whether you occasionally work with PEPs or operate in high-risk jurisdictions are all factors that will play a part in setting your risk rating. It is important to be self-critical during this exercise – regulators can request to see your risk assessment, especially if something goes wrong with compliance at your firm.

Regardless of the size of your practice or the amount of regulated work you undertake, you need to ensure your practice-wide risk assessment is written down and considers as a minimum the information contained in the UK's latest national risk assessment and the SRA’s 2017/18 risk outlook. View a summary of the conclusions of the national risk assessment.

The SRA will publish its risk assessment of the legal sector in spring 2018. Once the SRA’s new risk assessment is available, you will need to review it and update your practice-wide risk assessment to take it into account.

Make sure when you complete your practice-wide risk assessment that you keep a record of the sources you use, and review your risk assessment regularly, reflecting changes in your circumstances or the sector-wide risk assessments. You should also keep note of when you carry out these reviews.

In addition to the practice-wide risk assessment you need to undertake a money laundering risk assessment at client level and matter level, which will inform the way in which you conduct your customer due diligence and ongoing monitoring (Part 3 of the article series). Your processes for carrying out the client and matter level risk assessment should be set out in your practice-wide risk assessment.

Your risk assessment should list the steps you take to mitigate the money laundering risk in the work your firm engages in. You should reference your policies, controls and procedures, and state clearly what you do when you identify a high-risk client or matter.

The conclusions of your risk assessment should feature in your policies, controls and procedures (Part 2).

High-risk jurisdictions

Your practice-wide risk assessment should reflect your involvement in jurisdictions classified as 'high risk' by an authoritative agency.

You should keep up to date with 'high risk' lists. Three authoritative sources of information are:

Useful sources of further advice include:

The Law Society also hosts a series of AML workshops around the country, which include a presentation on current issues in AML and useful case studies on best practice. Book your place now.
