AML – compliance isn’t an optional extra


It often seems to us at Infolegal that a disproportionate amount of our time is spent considering issues relating to anti-money laundering (AML) and advising law firms that they must constantly be aware of the need to have in place appropriate processes, procedures and policies and put in place adequate risk assessments.  That said, however, AML is undoubtedly the most important regulatory issue that law firms currently face and the Solicitors Regulation Authority (SRA) has made it quite clear on numerous occasions that it will not tolerate those firms paying mere lip service to AML requirements.   For that reason alone, we make no apology for looking at AML issues yet again.

In fact, we would stress to all firms, especially those who undertake work that comes within the scope of the Money Laundering Regulations 2017 (MLR 17), that they MUST make sure that their AML processes are adequate to meet ALL of their obligations in that regard.  If the firm is found by the SRA not to have processes and procedures in place, or to have processes and procedures that are deemed by the SRA to be inadequate, then the SRA will take action against the firm.

If the SRA deems that the firm’s processes, or the lack of them, present a risk to the public, they may well take steps to address that risk by imposing the sort of practising conditions upon the firm that would mean that it would, in effect, be unable to carry out work within the scope of the MLR 17.  For many firms that would essentially mean ceasing to practise.

From a practical point of view, therefore, it means that all law firms must ensure that they have:

  • an adequate and up-to-date Firm Wide Risk Assessment (FWRA), with the risks that have been identified fed into the firm’s AML policy and its overall approach to risk management. These need to include processes to cover proliferation finance risk assessments and the increased risks from breaches of sanctions controls which have now been made an issue of strict liability;
  • an adequate and up-to-date policy that not only addresses these various issues but which is a genuine reflection of what the firm does, and not an aspirational document setting out what the firm might wish to do at some point in the future;
  • processes and procedures which are understood and observed by all relevant personnel in the firm and which address the mitigation of AML risks;
  • adequate client and matter risk assessments (CMRA) in relation to all clients and matters that come within the scope of the MLR 17, with those CMRAs kept up-to-date as matters progress;
  • appropriate processes to address the identification of politically exposed persons (PEPs), together with steps to ensure that all relevant personnel know how to make checks and deal with the results of those checks;
  • appropriate processes for dealing with sanctions reporting;
  • processes for reporting suspected AML issues as and when they arise and an understanding by all relevant personnel of what they should do to make a report and what they should not do to avoid tipping off.

A crucial point for firms to understand here is that it is not sufficient if understanding of the various issues involved resides in the MLRO, MLCO or partners.  Everyone within the firm undertaking relevant work needs to be aware of the issues.  This is particularly the case in relation to the CMRA – as we shall come to shortly.  Those tasked with the day-to-day handling of matters must understand where AML issues can arise and what are the flags and alerts that indicate money laundering may be taking place.  They are, after all, the ones who are best placed to spot such issues as and when they arrive.

Firm Wide Risk Assessments

Not only is the FWRA a requirement of the MLR 17 (regulation 18), it is also a vital tool by which firms can and must develop and refine their policies, procedures and controls so as to enable them to reduce the risk of money laundering taking place. It helps them to take a risk-based approach to AML and will assist them in detecting and preventing money laundering by helping them to assess the risk posed by certain clients and matters. If your firm does not have a sufficiently detailed and thorough FWRA, then it is likely to find itself on the receiving end of less than welcome SRA attention.

The SRA have said in their Guidance Note on FWRAs that they continue to find a significant proportion of firm wide risk assessments which fall short of their expectations or where firms only put in place a FWRA after the SRA have asked to see it. At Infolegal, we have seen several instances of this and we need to stress to firms that this is not an acceptable way to conduct their practices. The requirement to have a firm wide risk assessment has now been in force since 2017 so there can be little or no excuse for firms not to have one in place. The FWRA is a vital component in the firm’s AML controls and we have seen on many occasions that the SRA will take robust action against those firms that do not have one in place.

It is not simply the lack of the FWRA that the SRA might pick up on.  The SRA is as keen to ensure that the FWRAs that exist are adequate and cover everything that needs to be addressed.  This includes:

  • issues relating to sectorial risk assessments;
  • issues identified in the MLR 17 such as the firm’s client base, the countries or geographic areas in which the firm operates, the products or services the firm provides along with the transactions it undertakes and how they are delivered;
  • the risk of money laundering arising in relation to particular geographic areas or matter types;
  • the need to address proliferation financing; and
  • how the firm deals with PEPs. 

Client Matter Risk Assessments

As we pointed out in our article “Managing AML Risk Assessments” in October, the SRA have recently become very concerned that firms are not addressing client and matter risk assessments in an adequate manner.  Their Warning Notice, published on the 18th October, highlighted the fact that the SRA have concerns about the “persistent level of non-compliant client/matter risk assessments”, 51% of which were deemed to be ineffective in the 22/23 reporting period.

The requirement for a CMRA is to be found in regulations 28(12) and 28(13) of the MLR 17 and requires firms to take steps to identify the risks posed by a particular customer (or ‘client’) and matter. In so far as the client is concerned, the SRA state that the “client risk assessment must identify and assess the risks posed by an individual client. A client risk assessment must always be carried out at the beginning of a client relationship”.  As to the matter itself, the SRA state that the “matter risk assessment should be carried out and recorded at the earliest opportunity save for certain exceptions discussed below. A matter risk assessment should focus on the specific risk factors that a matter presents, beyond, or different to, the client risks already identified”. This should include the purpose of the transaction or business relationship, the size of the transactions undertaken by the client and the regularity and duration of the business relationship.

The main aim of the CMRA is to work out the level of client due diligence needed taking account of the high-risk factors set out at regulation 33(1) and help the firm to consider what controls should be in place to mitigate risk.  This might include where the client is based in a high-risk third country, a politically exposed person or their associate or family member, a person who has provided false or stolen identification documentation, or in complex and unusually large transactions.  Thus if a client or matter is assessed as being high risk, then regulation 33 of the MLR 17 states that enhanced due diligence must be applied.

The CMRA ties in with the FWRA in that how you assess the risk at a client/matter level should take account of the risks identified in the FWRA.

The SRA have produced a template to assist firms with their CMRA.  It is a somewhat lengthy document – extending as it does to 7 pages – and as such is not particularly adaptable.  For that reason Infolegal has produced its own more targeted documents that should be easier to use in practice.  These will be available to Infolegal subscribers to download from the Infolegal Infohub together with an explanatory guide as to how the forms need to be completed.

Policies Controls and Procedures (PCPs)

The third area where the SRA is looking particularly closely at firms is in relation to the PCPs that they put in place in order to deal with AML issues within the firm. The MLR 17 requires that firms “establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing” and that they regularly review and update those PCPs. They are also required to record them in writing, make a written record of any changes and document the steps taken to communicate those PCPs, or any changes to them, to personnel within the firm. The PCPs need to be appropriate to the size and nature of the firm and must include risk management practices, internal controls, CDD, reliance, record keeping and monitoring their internal communication.

There are a number of key points to bear in mind in relation to this:

  • the training of relevant staff as to what is required of them is essential. If staff are not told about what they need to do then they cannot be compliant;
  • covering reliance is essential, even if the firm does not use it. Regulation 39 of the MLR 17 states that a relevant person (i.e. a law firm) can rely on a third person to carry out due diligence identification and verification, and to assess and obtain appropriate information on the purpose and intended nature of the business relationship.  However, there are a number of criteria that must be observed when doing so.  Many firms therefore take the view that it is preferable not to use reliance.  If that is the case, then it is vital they specify in their AML policy that they do not use reliance and that staff are made aware of this.


In conclusion, we cannot stress strongly enough the importance of making sure that the firm’s AML compliance arrangements are up-to-date and comprehensive.  The firm must adopt a proactive system that identifies risks and addresses the source of those risks.  Firms must ensure that all relevant personnel are aware of the dangers of financial crime generally, and money laundering in particular, and must be able to implement all of the requirements in relation to identity checking, sanctions, matter and client risk assessment and more.

If you or your firm have any concerns as to AML compliance, then Infolegal can assist you.  For more information please contact us at and we will be pleased to assist you.
