Risk assessment

The UK Government periodically undertakes a National Risk Assessment pulling together risk-based information from all sectors in scope of the AML requirements, law enforcement and other sources. Drawing on this, and in order to fulfil our duties under Regulation 17 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) ('the Regulations'), we also produce a risk assessment of our supervised sector. This is to help firms to better assess the risks they are exposed to.

A risk-based approach is embedded in UK legislation and AML best practice. It means that firms should assess their risks and target their resources to the areas or products that are most likely to be used to launder money. Similarly, we take a risk-based approach to directing our resources, focusing effort most on supervising the firms that are most likely to be used to launder money.

Under Regulation 18(2)(a), firms must take our sectoral risk assessment into account when drafting their own firm-wide risk assessment (FWRA). This sectoral risk assessment is not a substitute for a FWRA, which firms are obliged to draft and maintain themselves under Regulation 18.

We ask to see FWRAs and policies, procedures and controls as part of our proactive supervision programme, or in response to specific information we have received. Your FWRA should not be disclosed to customers, or third parties, because it may be useful to those who are seeking to launder money.

This document sets out information on money laundering, terrorist financing and proliferation financing risk that we consider most relevant for firms we supervise.

We will continue to refresh this sectoral risk assessment on a regular basis to keep up to date with emerging risks and trends.

Who does it apply to?

The Regulations place obligations on firms offering services that are most likely to be targeted by those wishing to launder money.

These include independent legal professionals, tax advisers and trust or company service providers as defined in the Regulations.

What to do with this information

All firms that are within scope of the Regulations must comply with all the regulatory requirements. This includes taking appropriate steps to identify, assess and maintain a written record of their risk of being used for money laundering or terrorist financing.

Firms must have regard to this risk assessment, and any updates, when creating and maintaining their own written risk assessment as required by Regulations 18 and 18A of the Regulations, along with a comprehensive knowledge of their business and clients.

We may ask to see your firm's risk assessment.

Capital flight from high-risk countries

Firms should remain aware of current world events which may present emerging risk, such as autocratic regime changes in countries which are recognised as being high-risk for money laundering, as well as other financial crimes such as bribery and corruption.

For example, information suggests the collapse of the Sheikh Hasina regime in Bangladesh has led to an exodus of politically exposed persons (PEPs) who may have purchased UK property assets with funds illicitly taken from the country. The money may have been transferred out of Bangladesh using informal value transfer systems such as hawala, also known as hundi, or via various international banking routes before reaching the UK.

Firms who deal with clients or funding from countries that may present a heightened risk, particularly those whose regimes have changed or are unstable, should make sure that:

• they run stringent checks on clients who are PEPs or may be connected to PEPs
• client due diligence is consistent, e.g. that the source of funds makes sense for a proposed property purchase
• sources and origins of funds and wealth are properly evidenced and match the value of assets being transferred.

The use of offshore companies or accounts may be used to try and conceal or obscure true beneficial ownership or origins of funding therefore robust enhanced due diligence checks clients as well as any associated parties must be a consideration.

Client account issues

We have noted an increase in poor client account practice recently. These are not necessarily indicative of money laundering itself, but could potentially facilitate it, intentionally or otherwise. This includes:

• using client accounts as a banking facility in breach of Accounts Rule 3.3, which naturally involves the risk of its origin being obscured
• retaining client funds for longer than is necessary, in breach of Accounts Rule 2.5, which could involve these monies being put to the wrong purposes
• incorrectly recording funds on client ledgers, eg cash purchase funds being described as a mortgage.

Poor CDD scrutiny

We have noted a number of matters where firms have gathered client due diligence (CDD) but failed to properly scrutinise it. If they had, they would have noticed various mismatches between what the client was telling them and what the evidence showed. Examples of this include:

• the client's appearance and age not matching the photo ID they had supplied, in one case by several decades
• the client telling the firm that purchase monies came from their salary, but this not being backed up by the payslips supplied
• a superficial reading of the source of funds of third-party funders
• over-reliance on e-verification leading to high-risk clients not being identified as such, despite indicators being present.

These examples illustrate that, in order to be effective, due diligence at any level must not only be collected but analysed.

A particular incident involved due diligence being signed off by the fee earner, partner and MLCO, but missing multiple issues of concern which were not identified or analysed. This demonstrates how diffusion of responsibility can lead to risks being missed. Every person in the process apparently thought than another person was responsible for scrutinising the documents. Firms should encourage all of their fee earners and management to see AML as their own responsibility.

Changing firm business models

We have noted an increase post-Covid in firms operating as a network of consultants with their own practices. In these cases, the consultant operates semi-independently, with their own caseload, with the benefit of the firm's systems and resources. Often the consultant lives and works some distance from the firm, and attends their offices for occasional client meetings.

These firm structures can be of benefit to firms and solicitors, but their decentralised nature can carry risks. We have noted that it is sometimes difficult for these firms to keep a central AML policy in operation, to monitor compliance, and to ensure a consistent standard across the firm. MLCOs and MLROs in these firms will need to be more vigilant and potentially more interventionist in order to make sure that the firm is not put at risk by non-compliance. Firms should also check the level of AML knowledge of new entrants to the firm and undertake training where needed. A new consultant who previously occupied a partnership role may, for example, be unfamiliar with AML processes because these were delegated to other staff.

Technology

There are similar risks in the use of new types of financial technology, for example, fund transfer systems and crowdfunding platforms. Any use of new technologies should be preceded by an assessment of the risks they may introduce and effective mitigation of these risks where possible.

We have not so far seen any evidence of the use of deepfake technology to impersonate legitimate clients. Firms should nonetheless remain alert to the potential of this new use of artificial intelligence.

This greater use of technology in all respects also heightens the importance of cyber security. Cyber security breaches could allow criminals to gain total access to both clients' sensitive data and the firm's systems, allowing them to be used for laundering money. Recently, a cyber attack involved all users of a particular case management system, affecting large numbers of firms. You can find a range of cyber security resources here.

Global economic uncertainty pressures

A continuing issue which is of growing importance is the issue of sufficient resourcing of AML work. As economic conditions have continued to deteriorate and uncertainty has increased, firms are likely to be under pressure to reduce costs, and elements of businesses that are not directly revenue generating may see their budgets reduced.

Whatever decisions are made about resourcing, economic conditions do not change the requirement to comply with the Regulations. They remain a legal obligation which applies regardless of budget.

In fact, the economic conditions are more likely to increase a firm's exposure to would-be money launderers, emboldened by a perception that they are in a position of relative strength in dealing with firms. Potential clients may seek to emphasise the amount of revenue they can bring to a firm as a bargaining tactic. Poorly-resourced AML systems, or staff under pressure due to diminished headcount, could also create weak points in a firm's AML protections.

As a part of our duties as an AML supervisor, we have been reviewing the compliance of firms we supervise, including reviewing FWRAs, policies, controls and procedures and client files. We publish our findings from recent inspections annually in the autumn.

We have published several other pieces of guidance and supporting information, also informed by this proactive work:

• warning notices on:
  • money laundering and terrorist financing
  • suspicious activity reports
  • firm-wide risk assessments
  • client and matter risk assessments
  • sham litigation.
• an AML topic guide which informs our approach to enforcement
• guidance for AML officers
• guidance on sanctions
• guidance on firm-wide risk assessments and client and matter risk assessments
• guidance on AML training.

Weak controls

Inadvertent failures and gaps in a firm's AML compliance can introduce real and dangerous vulnerabilities into their ability to protect themselves from would-be money launderers.

For example, weak screening controls put firms at risk of being used or infiltrated by organised crime gangs. Individuals posing as solicitors, or solicitors that are being controlled by criminal elements, can use the structures of a firm (particularly the client account) to provide a veil of legitimacy to the proceeds of crime.

The most common weaknesses we have observed included inadequate:

• source of funds checks
• independent audits
• screening of staff and
• matter risk assessments.

We have also observed that while larger firms may have greater resources to protect them from money laundering risks, they will often silo off risk-based information in a compliance team or system. This can mean that those working on a file may:

• lack ready access to the underlying risk assessment and due diligence documentation and information and
• be prevented from conducting effective ongoing monitoring of risk.

Firms should remain vigilant and make sure their policies, controls and procedures adequately protect the firm against the risk of money laundering and terrorist financing.

Developing a culture of compliance is vital. Firms' outcomes are improved if staff understand the reasons for preventing economic crime, and their role in doing so, rather than seeing it as the job of a compliance team or an AML officer.  Importantly, comprehensive and relevant AML training leads to better regulatory outcomes for firms.

Politically Exposed Persons (PEPs) and higher risk jurisdictions

We have found that some firms are potentially taking an overly simplistic approach to risks associated with PEPs and higher risk jurisdictions.

The UK economy is highly integrated with the rest of the world, and services offered in the UK are attractive to those in high risk jurisdictions who wish to make the proceeds of crime seem legitimate. A blanket assumption that PEPs would not instruct your firm, or that your firm would never accept instructions from a PEP, is not a sufficient protection against the risks they present. Neither approach would itself satisfy the requirement at Regulation 35(1) to have measures in place to identify PEPs.

It is for firms to decide their own risk appetite, but their policies should be realistic. With the proper policies, controls and procedures, there is nothing to prevent a firm taking on PEP clients. If a firm has an overly restrictive PEP policy, it is at risk of:

• turning away clients for no good reason, restricting access to legal services
• being counter-productive if the firm has a policy which is ignored or routinely breached.

From 10 January 2024 the way in which domestic PEPs should be treated has changed. Domestic PEPs are now defined as those PEPs entrusted with prominent public functions by the UK, and are subject to a different level of risk assessment and enhanced due diligence (EDD). The difference is as follows:

• The starting point for the assessment is that the customer or potential customer presents a lower level of risk than a non-domestic PEP.
• If no enhanced risk factors are present, the extent of EDD measures to be applied in relation to that customer or potential customer is less than the extent to be applied in the case of a non-domestic PEP.

While domestic PEPs may now be subjected to a lower level of EDD than other PEPs, it remains EDD. It must be at a higher level than the CDD you usually apply, and include the measures specified at Regulation 33(5).

It is also important to note that PEPs may instruct a variety of firms, not just those that are large and high-profile. In our proactive work, we noted that PEPs are equally likely to instruct small firms and sole practitioners.

External support

Many firms engage external advice to meet their compliance requirements. In most cases, this is a helpful resource. Some firms, however, rely too heavily on external consultants or systems.

This can include:

• Unsuitable use of templates for risk assessments, failing to take the firm's individual circumstances into account.
• Using electronic identification and verification systems without understanding the underlying processes or their limitations.
• Assuming that because an e-verification check has cleared a client, no further checks or due diligence are needed.
• Using external consultants to draft their compliance documents who do not have an in depth understanding of the work of the firm.
• Using external consultants who have limited knowledge of the legal profession.

While seeking external help with your compliance can be of benefit, the firm itself is in the best position to understand its own risks and design and implement effective mitigation.

You should consider whether the person who is carrying out the audit is sufficiently independent and removed from authorship of the firm's risk assessments and policies, controls and procedures.

It is also important to note that the obligations under the MLR 2017 apply to the firm and cannot be outsourced. The same can be said for the individual responsibilities held by a firm's MLCO, MLRO and beneficial owners, operators and managers under the Regulations.

Firms should also exercise caution when relying on accreditation schemes to fulfil AML obligations such as independent audit (where applicable due to firm size and nature) under regulation 21. In particular, firms should check whether the scheme is intended to provide this kind of assurance. We have, for example, noted that the remit of some schemes only runs to checking that an AML policy exists rather than checking that it is compliant. Likewise, the training modules of some schemes are geared towards a particular part of the firm or its work, neglecting other key roles.

Firms should remember that audit functions under regulation 21 must:

1. examine and evaluate the adequacy and effectiveness of the firm's AML policies, controls and procedures
2. make recommendations in relation to those policies, controls, and procedures
3. monitor the firm's compliance with those recommendations.

'Effectiveness' in particular implies that some form of file review is needed to assess whether the policies are being followed and are serving the intended purpose.

The 2025 National Risk Assessment says at 5.193-5.196:

The money laundering risk for the sector is assessed to have remained high with no significant change in vulnerabilities since 2020. Criminals are often drawn to legal service providers due to the veneer of legitimacy legal professionals can offer due to perceptions of the sector's integrity. The nature of the services offered, and the volumes of money that can be moved through them also contribute to the sector vulnerabilities, although the speed of transfer can often be slower than in some other regulated sectors. Non-compliance levels remain relatively low across the sector, but the vulnerabilities the sector is exposed to and the scale of money laundering involving the legal sector have also remained high since 2020.

Vulnerabilities

The 2020 NRA judged that the services most at risk of abuse for money laundering purposes were conveyancing, trust or company services and misuse and exploitation client accounts. These continue to be assessed as the highest risk services and more details on these areas are below.

Legal Service Providers that offer a combination of legal services, such as solicitors, are at the greatest risk in the legal sector. […]

Criminals may use a combination of legal services to frustrate due diligence efforts and complicate transactions. Whilst criminals typically seek to use a single lawyer or firm, ultra-high-net worth criminals wishing to avoid scrutiny may employ the services of several firms. This can make it more difficult for a single LSP to identify illicit activity, particularly where inadequate source of funds checks are performed.

The NRA goes on to highlight how a lack of focus on compliance, taking a tick-box approach or a lack of understanding of risk in firms, leads to a higher risk of being exploited by criminals.

The NRA rated the legal sector as being low risk of being used for terrorist financing.

The NRA contains more detailed sections on Property, Companies & Trusts, and Professional Enablers. Firms should familiarise themselves with those sections when preparing their FWRA.

Where you are working alongside other professionals, or on one aspect of a wider legal matter, you should also consider supply chain risk.

A supply chain refers to the end-to-end activities/actions involved in the provision of a service/product to the end customer or beneficiary.

A simple supply chain could involve only a few individuals / companies while a more complex supply chain could involve multiple service providers.

Understanding the purpose of the service you are providing and who is ultimately benefiting from it is important in being able to identify and manage any supply chain risks. This could involve making preliminary enquiries of your client to help you understand the purpose of the whole instruction and how your instructions fit into the overall supply chain. If necessary, you should also look beyond your own instruction to understand the totality of the transaction and identify any risks. This may include taking steps to understand the role of other professionals in the supply chain, eg accountants or company formation agents, and ensuring that these services fit with your understanding.

Proliferation financing

Amendments to the Regulations in 2022 mean that all firms must now carry out an assessment of their exposure to the risk of proliferation financing.

Simply put, this means the risk of the firm being involved with the global proliferation of nuclear, chemical, biological or radiological weapons by groups and countries which are not permitted to have them under international treaty. This includes both materials for weapons, and also 'dual-use goods'. These are goods which are not manufactured as weapons but could be used in weapons or to produce them, for example fertiliser.

We consider the overall risk posed by proliferation financing to the legal profession to be low. In most cases, firms will be able to cover their proliferation financing risk as part of their AML FWRA, given that many of the risk indicators are the same.

There are, however, some sectors which have heightened exposure to proliferation financing, and where we would expect a more thorough risk assessment, either as part of the AML FWRA or as a standalone document. These include:

• trade finance
• commercial contracts
• manufacturing - particularly in relation to dual-use goods
• commodities – particularly mined metals and chemicals
• shipping/maritime
• military/defence
• aviation.

Firms may be of a greater risk where they have exposure to countries which:

• are subject to UN sanctions (for example, Iran or North Korea)
• are suspected of using or seeking to acquire nuclear, chemical, biological or radiological weapons (for example, Syria)
• share a porous border with such countries.

This risk of diversion across borders, where criminals and terrorists may export goods to a border region and then smuggle them to a country subject to sanctions, is one to which firms should be particularly aware.

The Legal Sector Affinity Group guidance includes advice on assessing the risk of proliferation finance.

Risk factors

Risk is the likelihood of money laundering or terrorist financing taking place through your firm. Risk in this document refers here to the inherent level of risk before any mitigation – it does not refer to the residual risk that remains after you have put mitigation in place. Risk can exist in isolation, or through a combination of factors that increase or decrease the risk posed by the client or transaction.

The different types of risk factors that we consider to be significant for firms we regulate are set out below. Your firm's risk assessment will need to address all of these.

You should not confuse low frequency with low risk. A firm that conducts three conveyances a year, for example, is likely to be less familiar with the process and have less of an appreciation of current risks than a firm that carries out several every day.

We expect firms to have both:

• a realistic awareness of the risk posed to the profession and to their own business and clients
• systems to manage risk appropriately.

It is important to note, though, that none of these risk factors are prohibitive in and of themselves, nor are they a reason to withdraw from offering these services.

We have noticed that firms will often attempt to address risk by highlighting what they do not do. Firms should consider the services they provide and the risk each of them presents.

This may require you to divide services and products into subcategories, in order to draw out high risk elements from lower risk ones. A large amount of solicitors' money laundering risk depends on the services, or combination of services they offer.

Based on our supervisory work and analysis, we have found that the following services pose the highest risk.

Each client is different, and each will have their own particular risk-profile. There are a number of different factors that increase the risk of money laundering presented by clients. Warning signs include clients:

• with an excessive or unreasonable desire for anonymity or privacy
• acting outside their usual pattern of transactions
• whose identity is difficult to verify
• being evasive about providing ID documents
• pressuring you into a certain course of action.

The risk posed by your client also extends to the risk posed by the beneficial owner, if applicable. You need to be confident you know who your client is and why they are asking for your services, and any risk that you do not should be duly considered.

You should also not assume that existing clients are necessarily lower risk. Clients may seek to be onboarded with you for low risk work, and then transition to higher risk work in order to bypass more stringent checks at the point of onboarding.

Existing clients can also present a risk where they have been onboarded in a way that may deviate from your firm’s standard practices. Common scenarios include:

• clients onboarded in another firm which has since merged with your own
• clients ported from a foreign branch office, or a company in the same group
• clients onboarded by a consultant or individual who may not be applying the firm’s approach consistently.

Effective ongoing monitoring of all clients is the best control against these risks.

There are a number of factors that might make an individual transaction higher risk. Much of the work in identifying risk involves being alert for unusual activity or requests that do not make commercial sense. The use of cash, either as part of a transaction or for payment of fees is inherently higher risk, and firms should have a policy on what amount of cash they will accept, and in what circumstances. You should consider what is normal for your particular firm.

Understanding the source of funds and the source of wealth will help you to manage the risk from a transaction. For the avoidance of doubt, for a source of funds check you should be checking where the customer got the funds from, not just ensuring the funds came from a bank account at a regulated UK financial institution. You should consider the following factors:

The way in which you deliver your services can increase or reduce risk to the firm.

If you do not meet clients in person, it is inherently more difficult to identify and verify their identity. These risks can be mitigated by the use of effective electronic identification and verification tools.

These tools represent an evolution in the identification and verification capabilities of firms and may be seen as an improvement when compared to some previous common practices such as relying on certified copies of documents.

While they can be valuable in aiding firms to fulfil their AML duties, they may however present risks where they are not fully understood: For example:

• Being used in a way that was not intended. For example, just because a system has stated that a client has 'passed' does not mean no further enquiries are necessary, nor does it obviate the requirement to identify and verify them.
• Assuming that such a system fulfils the requirement to carry out a client/matter risk assessment. These systems may be very helpful in informing the client/matter risk assessment, but cannot do so automatically.
• Those using them are not properly trained in the systems leading to user error.
• Viewing the checks as a one-time exercise and failing to regularly update the checks as part of their ongoing monitoring obligations.

The Financial Action Task Force (FATF) has produced guidance on using these services.

Ultimately the firm is responsible for its own compliance, and this responsibility can never be outsourced.

When assessing geographic risk, you should consider the jurisdiction in which services will be delivered, the location of the client, and that of any beneficial owners or counterparties as well as the source and destination of funds.

In some jurisdictions the sources of money laundering are more common, for example locations where the production of drugs, drugs trafficking, terrorism, corruption, people trafficking or illegal arms dealing more commonly occur.

While countries with anti-money laundering and counter-terrorist financing regimes which are equivalent to the UK may be considered lower risk, you must guard against complacency. There have been major examples of local AML failures with international impacts, in what had been seen previously as low risk jurisdictions.

Below are the key issues to consider regarding geographic risk.

The sanctions regime has expanded over the past few years, mainly due to the Russian invasion of Ukraine in 2022. The long-standing involvement of Russian interests and beneficial owners in British business, and vice versa, has meant that many firms have been exposed to the sanctions regime for the first time.

It is important to remember, however, that there are a large number of thematic and geographic sanctions regimes beyond Russia and Belarus. Firms cannot assume that sanctions are not relevant to them. There are a significant number of British nationals subject to sanctions.

In particular the Office for Financial Sanctions Implementation (OFSI) have recently applied sanctions to a domestic neo-Nazi group, Blood & Honour, including under its aliases 28 Radio and Combat 18. The group's assets are now subject to an asset freeze. This further illustrates that sanctions are not only applicable to firms with overseas clients.

The sanctions regime is separate to the proceeds of crime and money laundering regimes, but overlaps with them in many ways:

• It involves many of the same risk factors as money laundering, such as suspect jurisdictions, politically exposed persons (PEPs) and complex corporate structures.
• Sanctions create a motive for wanting to obscure the origin or recipient of funds or assets.
• The ownership and control requirements of the sanctions regime also mean that it is necessary to identify a corporate entity's ultimate beneficial owners and those who control it – who may be different people. This makes it even more important to carry out effective client due diligence (CDD).

We expect the sanctions regime to continue to expand, so all firms should be familiar with the requirements. Sanctioned individuals and businesses are likely to seek to instruct firms with weaker controls.

The sanctions regime is also strict liability and applies to all firms – indeed, to all natural and legal persons in the UK. The sanctions regime therefore poses a risk to all firms, whatever their size, nature or area of work.

Firms involved in aviation, international trade, or shipping should also note the establishment of the Office for Trade Sanctions Implementation (OTSI). This operates in a similar manner to OFSI, but with a different focus.

We have also produced comprehensive guidance on the sanctions regime, as have OFSI and OTSI.

The Regulations require firms working in scope to put in place enhanced due diligence measures in dealing with countries subject to sanctions, embargos or similar measures (regulation 33(6)(c)(iii)). In the UK, the Office of Financial Sanctions Implementation maintains a searchable database of designated persons and entities. You can also subscribe to email alerts of any changes.

We have been conducting an ongoing programme of sanctions monitoring work since 2022 and have noted some themes. We have not noticed widespread intentional breaches of the sanctions regime. It is far more common for firms to breach the regime by exceeding the boundaries of a general or specific licence, for example by:

• failing to renew the licence in time when work is ongoing
• exceeding the limits of the licence in terms of fees
• failing to meet reporting requirements.

These are generally in line with HM Treasury's Legal Sector Threat Assessment, which also noted the frequent use of intermediary jurisdictions.

It is also important to note that breaches of the regime can, and do, attract severe penalties. The subsidiary of a large London firm was fined £465,000 in March 2025 due to sanctions breaches in the closure of its Moscow office.  The fine was assessed at £930,000, but reduced by 50% due to the firm having made a self-report.