Risk assessments: anti-money laundering
Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) requires law firms to carry out a written risk assessment to identify and assess the risk of money laundering that they face.
Carrying out a risk assessment will help you to:
- develop policies, procedures and controls to reduce the risk of money laundering
- apply a risk-based approach to detecting and preventing money laundering
- understand the level of risk associated with certain business relationships and transactions
- make appropriate risk-based decisions about clients and retainers
It’s important that you keep your risk assessment under review as the Solicitors Regulation Authority (SRA) may ask to see your assessment – especially if something goes wrong with compliance at your firm.
More detailed information can be found in chapter 2 of the anti-money laundering guidance for the legal sector.
Practice-wide risk assessment
There are no set rules that indicate your firm is at high risk of exposure to money laundering activity.
The conclusions of your practice-wide risk assessment are a matter of judgement and should reflect the nature of your work and clients.
However, your practice-wide risk assessment should consider:
- the UK's national risk assessment (NRA), updated in December 2020
- the National Crime Agency's national strategic assessment, updated in July 2023 to identify the threats posed by:
  - proliferation financing
  - sanctions against Russia and Russian-linked individuals
  - increasing levels of cybercrime, including theft, malware and ransomware
  - the use of money mules
  - Chinese underground banking networks
  - international controller networks that exchange cash for cryptoassets
  - vulnerabilities in the creation and oversight of UK corporate structures
- the SRA’s sectoral risk assessment, updated in July 2023 to:
  - remove legal cannabis and COVID-19 as key risks
  - update on proliferation financing and financial sanctions risk
It should also:
- clearly state what you do when you identify a high-risk client or matter
- reference your firm’s policies, controls and procedures
- list the steps your firm has taken to reduce the money laundering risk it faces
The MLR 2017 outlines what you should consider in your risk assessment, including:
- the clients you act for
- whether you work in or with countries that, for example, have significant levels of corruption or are subject to sanctions
- whether you offer services in practice areas deemed ‘high risk’ due to holding client money
- the characteristics of transactions, including the source of funds and whether a transaction is outside your firm’s normal area of work
- your firm's delivery services, including the use of agents and intermediaries or online services
See section 2.3 of the guidance for the legal sector for a full list of factors your risk assessment should consider.
It’s important that your risk assessment is written down and kept up to date.
Your risk assessment can be formatted in multiple ways, including in paragraphs, as a table or a matrix with risk ratings.
Make sure that when you complete your risk assessment you:
- keep a record of the sources you use
- review it regularly, reflecting changes in your circumstances or to the SRA's risk assessment. You should keep a note of when you carry out these reviews
High-risk regulated activities
In your risk assessment, you should assess what proportion of your work is made up of regulated activities, especially those identified as 'high risk' by the NRA.
The NRA specifies the following services as most likely to be abused by money launderers:
- trust and company formation
- client account services
To reduce risks when working in these areas, you must:
- comply with the guidance for the legal sector
- pay attention to warning signs of money laundering
You should document what measures are in place to mitigate these risks, and adjust your policies, controls and procedures accordingly.
If you’re involved with clients or matters based in ‘high-risk’ jurisdictions, your risk assessment should reflect this.
At a minimum, you’ll need to consider how you deal with clients and matters that involve countries on the list of high-risk third countries.
You may also wish to keep up to date with:
- Financial Action Task Force (FATF) list – high-risk countries with deficiencies in their AML/counter-terrorist financing regimes
- EU tax havens list – tax governance shortcomings
Client and matter risk assessment
As well as a practice-wide risk assessment, you need to undertake a risk assessment at client and matter level.
This will inform the way you conduct your customer due diligence and ongoing monitoring.
You can use the SRA client and matter risk template as a base to develop a risk assessment tailored to your firm.
The factors listed in the SRA template are not exhaustive.
There may be other risk factors you should consider depending on the nature of the client or matter and your firm’s risk appetite.
Your processes for carrying out the client and matter level risk assessment should be set out in your practice-wide risk assessment. See section 2.5 of the guidance for the legal sector.
Protect yourself and your firm from money laundering
Complete our online AML courses, led by a leading expert in risk management. Modules include:
- AML and suspicious activity (30 minutes)
- money laundering offences (30 minutes)
- risk assessment and client due diligence (1 hour)
Call our AML helpline for support on issues such as due diligence, source of funds, sanctions and the high-risk jurisdictions list.
Join the Risk and Compliance Service to stay up to date with your regulatory obligations.