Client and matter risk assessments
Client and matter risk assessments
Published: 18 October 2023
This document is to help you understand your obligations and how to comply with them. We may have regard to it when exercising our regulatory functions.
The money laundering regulations have been in force since 2017.
Despite this, we continue to see a persistent level of non-compliant client/matter risk assessments, and this remains an area where improvement is necessary. This was first raised as an issue in our 2019/20 report when we found 29 per cent of files had no written matter risk assessment. In our last reporting period (2022/23) we found 51 per cent of the client/matter risk assessments were deemed ineffective.
During our proactive inspections and reviews, we assess a number of client files from different fee earners. We have found that a lack of client and matter risk assessments across several fee earners’ files can often indicate wider systemic problems, such as not having processes in place to undertake client due diligence or enhanced due diligence.
Common issues we see include:
- client/matter risk assessments not being done at all or not being used correctly. We saw examples where the correct level of risk (ie high, medium, low) was not identified, specific AML risks were missed out, fee earners failed to take into account AML risks and instead targeted business or other types of risk, or adopted a tick-box approach without giving any real thought to the risks involved
- client/matter risk assessments not reflecting or taking into consideration the firm-wide risk assessment. For example, a fee-earner assessing a conveyancing matter as being low risk when the firm-wide risk assessment stated all conveyancing matters should be treated as high risk
- an over-reliance on template risk assessments which are not tailored to the firm, missing areas which should be covered
- not clearly showing when enhanced due diligence was necessary, which risks this not being carried out.
Undertaking effective client/matter risk assessments is a key step in preventing money laundering as it should inform the correct level of client due diligence to apply, as well as ongoing monitoring.
This warning notice sets out our expectations of what firms and individuals need to do when conducting client/matter risk assessments and should help firms take the necessary steps.
Who is this warning notice relevant to?
This warning notice is relevant to firms and individuals we regulate who are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘the money laundering regulations’).
SRA Standards and Regulations
- Paragraph 7.1 of the Code of Conduct for individuals requires you to keep up to date with and follow the law and regulation governing the way you work. This obligation includes making sure you comply with your legal obligations under the Proceeds of Crime Act 2002, the Terrorism Act 2000 and the money laundering regulations.
- Paragraph 2.1(a) of the Code of Conduct for Firms requires you to comply with all our regulatory arrangements, as well as with other regulatory and legislative requirements. You must make sure you comply with the requirements of the money laundering regulations and ensure you monitor compliance of these regulations.
Regulations 28(12) and 28(13) of the money laundering regulations require firms to take steps to identify the risks posed by a particular customer (or ‘client’) and matter. A client risk assessment must identify and assess the risks posed by an individual client. A client risk assessment must always be carried out at the beginning of a client relationship.
A matter risk assessment should be carried out and recorded at the earliest opportunity save for certain exceptions discussed below. A matter risk assessment should focus on the specific risk factors that a matter presents, beyond, or different to, the client risks already identified. In assessing the level of risk in a particular case, you must take account of:
- the purpose of the account, transaction or business relationship
- the level of assets to be deposited by a customer or the size of the transactions undertaken by the client
- the regularity and duration of the business relationship.
The primary purpose of a client and matter risk assessment is to determine the level of client due diligence needed. It must also take account of the high-risk factors set out at regulation 33(1).For example, a person established in a high-risk third country, a politically exposed person (PEP) or a family member or known associate of a PEP, a person who has provided false or stolen identification documentation, or in complex and unusually large transactions.
The result of the client and matter risk assessments should also dictate the level and extent of due diligence undertaken on a client or matter. For example, if a client or matter is assessed as being high risk, then regulation 33 of the money laundering regulations states that enhanced due diligence must be applied. Undertaking a client or matter risk assessment will also help you consider what controls should be in place to mitigate risk.
How you assess the risk at a client/matter level must also reflect the risks identified in your firm-wide risk assessment. We have published guidance to help firms comply with the requirement to have a firm-wide risk assessment and the areas to cover. You must consider relevant materials that we publish, including, but not limited to this warning notice, our sectoral risk assessment and any Legal Sector Affinity Group guidance.
Carrying out a client and matter risk assessment
A client risk assessment must always be carried out at the beginning of a client relationship. This is because once completed it will inform the level of due diligence to be carried out.
We have found that most firms now have a process in place to conduct client/matter risk assessments. Those processes, however, were not always followed by fee-earners. Risk assessments are only effective if appropriate action is taken because of them, therefore it is important that they are being used correctly. In practice that means firms monitoring how well fee-earners are complying with the requirement to carry out a risk assessment and making sure they are completing it correctly.
It is for you to decide whether you have two separate documents:
- one each for risk assessing the client and the matter
- or one document which risk assesses both the client and matter.
The client/matter risk assessment should ideally be completed by the person handling the matter as they will generally be best placed to identify and assess the risks posed by the client and the matter. It might also be appropriate for other individuals within the firm to complete the assessment. For example, individuals working within a firm’s compliance department, or the firm’s Money Laundering Compliance Officer, provided that the assessment correctly identifies and assesses the risks posed by the client or matter.
Most matters within scope of the money laundering regulations will need to be risk assessed and a risk assessment should be undertaken on each new matter for a client, particularly where risks are novel. There might be times however when it is less likely that one will be needed. For example, when matters for a client are highly repetitive in nature, with the level of risk remaining consistent between one matter and another and the risk is comprehensively addressed in the client risk assessment. You should however still conduct ongoing monitoring to make sure that any transactions are consistent with your knowledge of the client, their business, and their risk profile, and document your decision making accordingly.
While there is no requirement to risk assess matters which fall outside of the money laundering regulations, it might well be appropriate to do so. For example, where the client might later instruct you on a matter which is within scope or the initial matter branch into scope of the regulations. Ancillary relief work, for example, is typically out of scope, but might in its later stages involve buying and selling real property or forming trusts.
Recording the rationale for a client/matter risk rating
You must record a risk assessment for every client you act for as part of your client due diligence measures. You must also be able to provide copies of any risk assessment to us on request.
It is up to you whether you use a ranking system, such as high/medium/low or a numerical system, to risk assess matters. What is important is that you can identify high-risk matters requiring EDD, and fee-earners know the process for dealing with these.
We continue to see forms that are very basic or tick box in nature, where fee-earners only had to mark whether a file was high risk, medium risk, or low risk. Often, these forms did not have space where the fee-earner could record their justification or any commentary on how they had arrived at a particular level of risk.
The risk with this approach is that fee-earners might not give proper thought to all relevant issues, and in particular might become complacent when dealing with repetitive matters. Moreover, when dealing with high-volume, repetitive matters, fee-earners might out of habit tick the same boxes without giving any real thought to the matter. Without a free text box or space on the risk assessment, fee-earners might also not be able to record unusual or niche aspects about a client or matter. We have seen instances where fee-earners have chosen to depart from the firm-wide risk assessment without recording their rationale for having done so.
It is important that the rationale for the risk level and level of due diligence is clearly recorded, along with what actions the fee-earner will take to mitigate those risks.
We may take action where a firm does not have a process for identifying high-risk matters, or if the firm is not risk assessing clients and matters adequately.
Keeping the risk assessment under review
Sometimes after completing the initial risk assessment, you might come across or be provided with additional information about your client. In such circumstances you must consider the additional information and re-visit the initial (or any subsequent) risk assessment. This is also part of your duty to conduct ongoing monitoring under regulation 28(11), to make sure that any transactions are consistent with your client’s business and risk profile.
Where we find that during the business relationship you failed to scrutinise transactions or review existing documents or information obtained for the purpose of applying client due diligence, we are likely to take disciplinary action.
This is because the better you know your client and the matter, the better placed you will be to assess and mitigate any potential risks. It also lessens the likelihood of your firm being unwittingly drawn into money laundering or dealing with the proceeds of crime.
Using a template
We continue to see firms using a template matter risk assessment form. We are comfortable with firms using a template as an initial starting point; however it is important to make sure the final version is comprehensive, tailored to your firm and aligned with the firm-wide risk assessment, and kept up to date. It should identify and record the money laundering risks faced by your firm in relation to a client or matter. The use of generic and off-the-shelf templates without any tailoring to your firm should be avoided.
We have published our own template for client/matter risk assessments, along with guidance notes on how to complete it. If firms choose to use these then they should make sure they are tailored to their own firm.
Using a scoring system to assess risk
We often see risk assessments which use a scoring system to assess the level of risk a client or matter poses. Very often firms will allocate different scores to different factors. For example, acting for a client based in a particular geographical region might attract a higher score than a client you have personally known for several years. Similarly, where the matter involves you creating a complex corporate structure, this might attract a higher score than a simple corporate transaction. Scores are then typically added together to create an overall risk score which determines the client and/or matter risk rating and the level of due diligence to be applied.
Care should be taken if you choose to use a scoring system. Fee earners should be trained and understand how to use any scoring system. The overall score should be seen as indicative rather than definitive. It is good practice to allow for over-riding a lower rating where necessary. You should make sure that the weight given to a particular issue can be adjusted in the circumstances of the matter and consider whether certain risk factors would automatically make a client or matter high risk, regardless of whether they meet a certain score threshold or not.
For example, clients based in high-risk third countries or a politically exposed person must be treated as high risk. Any scoring system used must account for these and other high-risk factors. Where a scoring system simply does not make sense, is hard to understand and apply, fails to give risk factors appropriate weighting, or its application has limited value in identifying and mitigating money laundering risks, then it is unlikely to satisfy regulations 28(12) and (13).
Failure to comply with this warning notice may lead to disciplinary action, criminal prosecution, or both.
Given the continued levels of non-compliance, we will consult in the coming year on fixed financial penalties for AML systems and controls failings. This will include issues such as not undertaking a client or matter risk assessment.
- SRA template client and matter risk assessment
- Client and matter risk assessment thematic review
- Firm-wide risk assessment guidance (updated September 2023)
- SRA webinar | Anti-money laundering: matter risk assessments
- SRA anti-money laundering annual report 2022-23
- Legal Sector Affinity guidance (2023)
If you require further assistance, please contact the Professional Ethics helpline.
This content is: