Legal services remain attractive to money launderers and every so often it’s important to check that the fundamental elements of your risk procedure are in place. Pearl Moses revisits the core elements of risk assessments.

What is your risk rating?

There are no black-and-white rules that explain when your firm is at high risk of exposure to money laundering activity, but factors that will play a part in setting your risk rating include:

  • the type of work you do
  • how often you engage in regulated activities
  • who your clients are and whether you occasionally work with PEPs
  • where your clients are based
  • what delivery channels you use to complete your work

It is important to be self-critical during this exercise - the requirement to undertake and maintain a documented firm-wide risk assessment is a key feature of the ‘risk-based approach’ to preventing and detecting money laundering that is mandated by the SRA and the Financial Action Task Force (FATF).

Regardless of the size of your practice or the amount of regulated work you undertake, you need to ensure your practice-wide risk assessment is written down and considers as a minimum the information contained in the UK’s latest national risk assessment and the SRA’s risk assessment of the legal sector.

The firm-wide risk assessment is your starting point and will allow you to manage, mitigate and document your risks in the most effective way.

Client and matter risk assessments

In addition to the practice-wide risk assessment you will need to undertake a money laundering risk assessment at client level and matter level, which will inform the way you conduct your customer due diligence and ongoing monitoring.

One of the ways that smaller firms can meet the requirements set out in the Regulations is by creating a standardised client due diligence (CDD) form to be completed for each new client/matter.

Along with information on the client’s personal details and the purpose and nature of the instructions, such a form should specify the risk-rating allocated to the client/matter in accordance with the procedure set out in your firm-wide risk assessment, and any checks conducted subsequently in line with that risk-rating.

Risk-ratings could be allocated as follows:

  • low - this rating can be given, for example, when the client is a bank, publicly listed company or public body. In such cases simplified due diligence (SDD) can be applied in accordance with reg 37
  • standard - for example, when the client is a private company or an individual and no red flags are present
  • high - this rating is given, for example, when the client is in a high risk third country, is a politically exposed person (PEP) or if the transaction is complex or unusually large and has no apparent economic or legal purpose. In such cases enhanced due diligence (EDD) has to be applied

The form should include a section on the date of any ongoing monitoring performed on the file.

Red flags

Types of clients

Certain warning signs from clients could increase your risk and require further investigation.

  • What is the client’s business?
  • Are they a politically exposed person (PEP)?
  • Are they evasive about identification or difficult to verify?
  • Does the client have criminal convictions/associations or confiscation/restraint orders?
  • Do they have an unusually high level of knowledge about money laundering?

Countries or geographic areas of operation

Country risk factors should feature prominently in your firm-wide risk assessment.

Consider whether the jurisdictions in which your clients, or the beneficial owners of your clients, are based or operate their businesses:

  • have deficient anti-money laundering legislation, systems and practice
  • have high levels of acquisitive crime or higher levels of corruption
  • are situated in ‘offshore financial centres’ or tax havens
  • are subject to sanctions

Products or services

Much of a firm’s AML risk depends on the services or combination of services that they offer.

The Legal Sector Affinity Group guidance identifies the following as posing the highest risk of being used for money laundering:

  • misuse/abuse of client accounts
  • sale/purchase of real property
  • creation of trusts, companies and charities
  • management of trusts and companies
  • sham litigation


Consider how frequently you carry out higher risk transactions.

Factors that might make a transaction higher risk include:

  • the size and value of the transaction
  • the payment type (eg cash, bitcoin)
  • transactions or products that are complex, facilitate anonymity or don’t fit a usual pattern

Delivery channels

The way services are delivered can enhance or reduce your risk.

  • Is the method of delivery transparent or complex?
  • Be wary of payments to and from third parties, particularly if they’re unexpected.
  • Do you act for your clients without meeting them? If you do, you must be satisfied that not meeting the client makes sense in all the circumstances.

Your risk assessment should list the steps you take to mitigate the money laundering risk in the work your firm engages in.

You should reference your policies, controls and procedures, make sure all staff are trained and put in place an ongoing system of monitoring to make sure that your risk assessment is up-to-date.

Pearl Moses is head of risk and compliance at the Law Society.