Comprehensive AML Risk Assessments

AML, firmwide, risk, assessment, SRA, sanctions, proliferation financing

The Money Laundering Regulations 2017

All law firms that are subject to the Money Laundering Regulations 2017, and so the great majority of all firms in private practice, are required to conduct an occasional risk assessment, generally referred to as the firmwide risk assessment. Any failure to have done so since this requirement was introduced by the regulations, or to have updated it in recent years, will be likely to result in a referral to the disciplinary team at the SRA and a fine. No specific guidance is provided on how often the assessment should be kept under review but doing so annually should prove to be satisfactory, but not if in the meantime there have been more fundamental changes within the firm such as mergers or lateral hires that will mean that further client services will now be provided.

Proliferation Financing

If your firm is required to conduct and keep under review an AML risk assessment then you will also be required to do so in relation to the issue of proliferation financing as well. This is as a result of the Money Laundering and Terrorist Financing (Amendment) (No.2) Regulations 2022. This introduced the additional requirement for all in the regulated sector through an amendment to r.18 of the MLR 2017 where the need for an AML risk assessment is set out. This is defined as being:

“the act of providing funds or financial services for use, in whole or in part, in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling of, or otherwise in connection with the possession or use of, chemical, biological, radiological or nuclear weapons, including the provision of funds or financial services in connection with the means of delivery of such weapons and other CBRN-related goods and technology, in contravention of a relevant financial sanctions obligation”.

To most, especially in high street practice, the thought that their clients might be involved in any such activities will seem far-fetched to say the least, and this is recognised  to a degree in the explanatory guidance that is also provided with the regulations. Section 13 of the note provides that although no specific action had been proposed to minimise the regulatory burden on small businesses the risk principle which underpins the MLR 2017 might fairly be taken into consideration in respect of this additional burden.


In addition to the AML firmwide risk assessment and the proliferation financing risk assessment, there is a third assessment that is required, in this case in relation to possible dealings with those who have become “designated persons”, or targets, within the sanctions regime as operated by the Office for Financial Sanctions Implementation (“OFSI”) within HM Treasury.

Whereas the need for a risk assessment is a specific requirement in relation to money laundering and proliferation financing the need for one in relation to sanctions instead features in the list of factors that will be one of the “features of and effective sanctions compliance regime” as listed in the SRA’s Guidance Note “Complying with the UK Sanctions Regime” of the 28th November 2022. More recently the SRA have also described compiling a sanctions risk assessment as “best practice” in their guidance note of the 23rd January this year and have also suggested that the same headings that are the prerequisites of a valid AML risk assessment should also be used in one dealing with sanctions risks as well.

Whereas the need for AML and Proliferation Financing risk assessments only arises for those within the regulated sector the imposition of strict liability for having any dealings with any designated person, and so clients and counterparties alike, applies to all law firms and so regardless of whether they are regulated or not.

The likelihood of encountering anyone who has been made a target by OFSI may be more of a possibility than ever dealing with anyone who is actively involved with weapons of mass destruction, but only slightly so for most firms. The January SRA guidance note does however suggest the circumstances where this might be more likely. Either way the firm should nonetheless adopt a policy to ensure that this risk area will be managed in an effective manner and also to provide a public statement to show that it is aware of its responsibilities in this regard.

Should it ever become the case that the firm finds that it is now in receipt of instructions from a sanctions target it may continue to act as long as it is not circumventing the regime but will be unable to have any financial dealings with that client. They will therefore not only have to report to OFSI the fact they find themselves in this position, subject to the very poorly explained duty of legal professional privilege in this context, but will also need to apply for a licence to charge for their fees and expenses in so doing. It is worth mentioning here that the SRA has suggested that firms might like to add to their terms of business documents the right to cease to act should they become aware that a client is or has become a designated person.

The Three-in-One Risk Assessment

With all of the above in mind Infolegal have created a three-in-one risk assessment which is available to Infolegal InfoHub subscribers.  This allows firms to  record and edit in their comments and observations on the risks listed in r.18 MLR 2017 for AML concerns whilst also providing the facility for appropriate comments as to both proliferation financing and sanctions controls. Users can elect to complete the form in its entirety or, if they are outside the regulated sector for AML and Proliferation Financing for example, complete the sanctions section only.

Whether using the Infolegal form or not, all firms are advised to complete their risk assessments in as much detail as possible, especially in relation to the details of the services provided and the CDD measures that they have in place. This is based very much on the responses that firms have received in various recent SRA monitoring inspections.

We would also strongly recommend that firms repeat this exercise every 12 months, or sooner in the event of substantial changes within the firm, and ensure that their AML policy in their practice manual refers to the fact that it has been drawn up or updated so as to be in line with the conclusions that flow from the risk assessment. Infolegal InfoHub subscribers will find our template AML manual in part 3 of the Office Procedures Manual for both sole principals and firms.

Find Out More

To find out more about the Infolegal three-in-one risk assessment, and the other guidance and services that Infolegal offers to solicitors firms. please email us at 

Share on social media