Warning notice

Compliance with the money laundering regulations – firm risk assessment

This document is to help you understand your obligations and how to comply with them. We may have regard to it when exercising our regulatory functions.

Who is this warning notice relevant to?

This warning notice is relevant to firms and individuals we regulate who are subject to The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("the money laundering regulations").

Statutory Requirements

Regulation 18 of the money laundering regulations requires firms to take steps to identify the risks of money laundering and terrorist financing that are relevant to them.

Your firm-wide risk assessment must be in writing, kept up-to-date and provided to us upon request. It also must accurately set out what risks your firm is exposed to and you must also record the steps you have taken to prepare the risk assessment.

As part of the risk assessment, you must consider your risk arising from:

  • your clients (e.g. whether any of them are Politically Exposed Persons or family members or known close associates of Politically Exposed Persons)
  • the countries or geographic areas you operate in (e.g. any country that may bring a risk of corruption or may be considered a high-risk third country)
  • your products or services (e.g. whether you are involved in conveyancing)
  • transactions (e.g. are any of the transactions of a larger size)
  • your delivery channels (e.g. online or without any face to face contact).

You must also consider relevant materials that we publish, including, but not limited to, this warning notice and our sectoral risk assessment.

Your firm's risk assessment should form the backbone of your policies, controls and procedures (required under the money laundering regulations 18, 19, 20 and 21) to prevent money laundering. It should be a useful document to your firm and staff, as it sets out your appetite for higher risk activities and should feed into your assessments of individual clients and matters.

Our concerns

We have a responsibility as an anti-money laundering supervisor to make sure those we supervise meet the requirements in the legislation and have appropriate policies, controls and procedures in place to prevent money laundering. Firm-wide risk assessments are a key component of this.

We undertake proactive monitoring to prevent and detect money laundering, including thematic reviews, desk-based monitoring and visits to firms. We have undertaken several recent thematic reviews, one in 2017 when the updated regulations came into force, and one in 2018 into firms acting as trust and company services providers (a high-risk area for money laundering).

More recently, we have called in and reviewed 400 risk assessments to understand what best practice looks like.

We are seeing too many firms that do not have a risk assessment in place, and those firms could be failing to prevent money laundering. An anti-money laundering firm-wide risk assessment is an important and obligatory part of the regulations. Failure to have one is both against the law and places your firm at greater risk of being used to launder money.

We also have a broad concern that firms have not taken into account our sectoral risk assessment as they are required to by Regulation 18(2)(a).

Our expectations

Preventing money laundering is a high priority for us. Money laundering allows criminals to change dirty money into clean assets and funds that have no obvious link to criminal activity. This supports serious crimes such as people and drug trafficking, which cause enormous harm to people, especially the vulnerable, as well as undermining the stability of our financial markets and the integrity of the legal services sector. Solicitors and law firms are in a position of privilege and act as gatekeepers to assets and markets that are tempting to criminals, so we expect the profession to take proactive action to avoid enabling financial crime.

It is clear from our work that many firms have still not put a compliant firm-based anti-money laundering risk assessment in place.

Of the 400 risk assessments we assessed, we have taken follow-up action on around 20% which did not meet the required standards. We have also seen broad use of templates, some with prepopulated specimen text. In some cases near-identical risk assessments were submitted by different firms, something that is particularly concerning.

Of those risk assessments that are in place, we are seeing that many do not take into account the minimum risks that the regulations require firms to consider. In particular we are seeing a high number of risk assessments that do not consider:

  • factors relating to doing business with clients from high-risk jurisdictions
  • transactions or
  • the delivery method of their services.

Some risk assessments we have seen are incomplete and miss off some of the areas required in the money laundering regulations. An example of this is that many firms do not understand their responsibilities when dealing with Politically Exposed Persons (PEPs) and their close associates and family members. Stating that your firm does not provide services to PEPs, as many firms have done, does not address the need to be able to identify PEPs and to put in place appropriate controls.

Failure to have a money laundering risk assessment in place for your firm is a significant breach of the money laundering regulations. We will take robust enforcement action where firms do not have one in place, where it is not sufficient to meet their responsibilities or where breaches are not rectified immediately.