Completing the client and matter risk template
Firms that are in scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) must carry out a written client and matter risk assessment (risk assessment) under regulation 28 (12) and (13) of the MLR.
These notes will help you use the risk assessment template we have created. If you choose to use the template, you should adapt the template to suit your firm.
You should consider the factors in the template to help you to assess the money laundering risk posed by the client or transaction. The factors listed are not exhaustive. There may be other appropriate risk factors for you to consider depending on the nature of the client/transaction and your firm’s risk appetite. Your risk appetite should be documented in your firm wide risk assessment.
Risk assessments should be performed at the beginning of a client relationship in conjunction with performing customer due diligence. For some clients, additional information to inform the risk profile may only emerge later in the transaction or as the relationship progresses. Your risk assessment process should take into account any changes in the risk posed by the client or matter.
Under regulation 28 (12)(ii) of the MLR, the customer due diligence measure you apply, must reflect your firm wide risk assessment under regulation 18 of the MLR and the level of risk arising in any particular matter.
Under regulation 28(13) of the MLR, you must assess:
- the purpose of an account, transaction or business relationship
- the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer
- the regularity and duration of the business relationship
The better you know your client and understand your instructions the better placed you will be to assess risks and spot suspicious activities.
Note: It may not be necessary to undertake a written risk assessment for every matter. A matter risk assessment is less likely to be needed where:
- matters undertaken for a given client are highly repetitive in nature. For example,
- risk remains consistent between one matter and another
- and the risk is addressed comprehensively by the client risk assessment
If, by using a risk-based approach, you do not carry out a risk assessment for every matter for a given client, you should ensure you still regularly review the client risk assessment.
Completing a risk assessment will tell you the level and extent of due diligence that is required to mitigate any risks identified in relation to your client or particular transaction.
You should review risk assessments at appropriate intervals during the client relationship, during the transaction and just before the transaction is completed to identify if anything has changed. Information you learn while acting for the client should also inform your risk assessment.
For each client and matter you must identify the clients including beneficial owners. You should:
- assess if the service you are going to provide could be used to launder money
- understand why your services are needed and whether it appears reasonable or genuine
- understand the source of funds and wealth of the client/owners
- be vigilant to red flags throughout the course of the matter, and in particular consider whether there is information that doesn’t fit with your assessment of risk
- consult your firm’s policies to decide what action you need to take to mitigate any risks identified.
- determine what information or evidence you need to collect for due diligence purposes and how this will be monitored
- document and record all steps taken.
The questions in this guidance mirror the questions on the template and provide a descriptor of what you should consider for each question. The descriptions are not exhaustive.
It is a requirement under regulation 27 & 28 of the MLR to identify and verify your client's identity using independent sources.
It is important to understand what type of client you are dealing with (for example, a natural person, a limited company, a charity etc). This is because the level of due diligence checks required under the MLRs differ based on the type of client involved.
For an individual, you should record the client’s forename(s) and surname.
Date of Birth
This is shown as DoB in the template.
2a Client Risk
Is it unusual for this type of client to instruct us?
Your view on this may differ if you have acted for the client once or multiple times.
Existing clients - You should not assume that existing clients are necessarily lower risk. There is no provision in the MLRs for waiving client due diligence requirements because of a long-standing or personal relationship.
For new clients, you should try to understand why they chose your firm. Does the client fit within the usual range of clients that typically instruct your firm? If not, does the type of client align with your firm’s risk appetite?
Your risk appetite is the level of risk your firm is willing to accept. This should be documented in your firm wide risk assessment. Your firm wide risk assessment must consider the risks your clients may pose, the geographic areas in which your firm operates, the services you offer, the types of transactions you work on and the ways you deliver services to your clients.
You should consider if a new client exposes the firm to new risks and how those risks will be managed. These considerations should be documented on the risk assessment.
Do you have any concerns about the client?
If you have any concerns about the client or associates linked to the client or transaction (if you are aware of any), you should record them on the risk assessment. These should be monitored and reviewed regularly, according to the level of risk.
Please see ongoing monitoring section below for more information.
Do you have any concerns about this client, agent or third parties?
Under paragraph 3.1 of the SRA Code of Conduct for Solicitors, if your client is represented by an intermediary, agent or representative (for example, a third party representing the client), you must only accept instructions from someone properly authorised to provide instructions on the client’s behalf. The third party’s authority to act must be evidenced and recorded.
You must also comply with regulation 28(10) of the MLR and identify and verify the intermediary's identity.
You should record details of any concerns you may have regarding your client based on the information you have reviewed. For example, if it is not reasonable for the third party to provide instructions. You should also record any actions that will be taken to address any issues identified.
Please see section 2d for guidance on identifying and verification requirements.
Is the client a designated person/entity?
A designated person is an individual, entity or ship that is subject to sanctions. The Office of Financial Sanctions Implementation (OFSI) maintains a Consolidated List of designated persons. Please see the questions in section 3b for guidance on sanctions.
2b. Jurisdiction risk
When assessing jurisdiction risk, you should consider if it is reasonable for a client in that location to instruct your firm.
Consider if there are any known ‘red flags’ relating to the location of the client. This should apply locally, regionally, nationally or internationally. For example, a local area known for criminal activity (such as drug trade or terrorism), an international jurisdiction known for high levels of corruption or tax havens.
You should also consider if the client is based in a high-risk jurisdiction or a high-risk third country. Please refer to the enhanced due diligence section for guidance on high-risk jurisdictions and high-risk third countries.
You should also consider if there are any concerns arising from geographical connections the client may have. For example, business affiliates or third parties living in or has links to high-risk jurisdictions high-risk third countries or sanctioned countries.
Record any issues or red flags considered or identified in the space provided.
Where is the client based?
For individuals, this means where the client is resident. For an entity, you should consider the jurisdiction it was incorporated and the laws it may be subject to. You should also consider the entities address for the purposes of the client relationship as relevant for this question.
Are there any overseas elements?
You should answer yes to this question if your client, beneficial owners, any third parties or entities linked to the transaction are based abroad.
If your client/ beneficial owners are an overseas entity (incorporated outside of the United Kingdom) and the anticipated work involves buying, selling, leasing or otherwise transferring property, you should check their overseas entity status on Companies House. Please refer to the guidance on the Companies House website for more information.
If the transaction involves overseas elements, please see section 3b for guidance on high-risk third countries and high-risk countries.
You should also consider if you will be receiving funds from overseas.
2c. Delivery channel risk
When assessing delivery channel risks, you should consider if you will meet the client in person or not. If you are not meeting the client face-to-face, are you comfortable that there is a legitimate reason for this?
You should record details of the steps you will take to ensure that the client is who they claim to be.
2d. Due Diligence review
What steps have you taken to verify the client or instructing third party’s identity?
Provide details of the steps you have taken to verify the client or any instructing third party’s identity in the space provided.
Under the MLRs you must identify and verify your client’s identity. For an individual, this means verifying the client’s name, date of birth and current address using independent sources.
If you have been unable to identify and verify these details, you should consider whether there is a good reason for this. Section 6.14.7 of the Legal Sector Affinity Group (LSAG) guidance provides examples of clients that may not be able to provide standard identification documentation.
In cases where the checks you have carried out flag concerns about the client, these should be reviewed and noted. You should record any steps you take to address those concerns in the client section of the risk assessment.
You should record any issues you experience when identifying and verifying your client’s identity and address.
Refer to section 6.12 onwards of the LSAG guidance for more information on identifying and verifying clients.
Is there any adverse media about the client or beneficial owners?
It is good practice to consider and assess any negative/adverse media or press coverage on your client. This can be checked by conducting a search on the client (e.g. via a web search). This may be flagged by your e-verification provider if you use one.
Where concerns are highlighted, you should consider the reliability of the source, recentness, relevance and seriousness of any allegations before proceeding with the transaction. You should undertake further research or put in place controls appropriate to any risks identified.
You should complete this section of the form if your client or a beneficial owner of your client is not an individual. Use the first box to provide details about the entity. For example, who are the beneficial owners, shareholders and or controllers?
You should use the second box to describe the steps you have taken to identify and verify any beneficial owners.
For entities, what steps have you taken to identify and verify ultimate beneficial owners?
Under regulation 28(3) of the MLR, where the client is a legal person, trust, company, foundation or similar legal entity you must identify the client and take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.
For a company, you should obtain the following information.
- Company name and number
- Company address
- The law to which the company is subject
- Full names of boards of directors
- Ownership and control structure of the company
- Names of beneficial owners/shareholders (with percentages held or other key controlling parties)
- Information to evidence it is listed on the regulated market, where necessary
For a trust, the information below should be obtained.
- Trust name
- The law to which the trust is subject to
- Full name of trustees
- Full name of settlor and or the beneficiaries
- Indicate whether trustees, settlor or beneficial owners is the client
- Indicate whether the beneficial owner is the settlor, beneficiary, or trustee
- Nature and purpose of the trust
- Is the trust registered with HMRC?
You should consider if you experience difficulties in identifying and verifying directors, beneficial owners or controllers. Some structures (not limited to companies) are designed to facilitate anonymity. Consider if you are dealing with a structure that is unnecessarily complex or if the individuals appear reluctant to provide you with documentation. Such issues should be documented in the risk assessment.
Have you identified any reportable discrepancies?
If the information you hold on the person of significant control of a company or a registrable beneficial owner of an overseas entity is significantly different to the information recorded by Companies House, you are required to report it to Companies House under regulation 30A of the MLR.
Companies House has guidance available on its website. Section 6.14.10 of the LSAG guidance also has helpful information.
If you answered yes to this section. Provide details of your findings along actions you will take to address the concerns.
If applicable, have you checked the register of overseas entities?
Overseas entities who bought, want to buy, sell or transfer property or land in the UK, must register with Companies House.
If your client/ beneficial owners are an overseas entity (incorporated outside of the United Kingdom) seeking the above services, you should check their overseas entity status on Companies House. Please refer to the guidance on the Companies House website for more information.
Do we usually carry out this type of work?
Consider if the matter is within your area of expertise and your firm’s risk appetite. It is important to consider this because if you do not fully understand the risks in a transaction, you cannot manage the risks.
Your risk appetite is the level of risk your firm is willing to accept. This should be documented in your FWRA.
If the transaction relates to an area that falls outside of your firm’s usual parameters, you should consider if this exposes your firm to new risks and how those risks will be managed.
This should be documented on the risk assessment.
Does the matter involve creating a complex structure?
Criminals can use complex structures as a way of obscuring the source of funds in a transaction or their ownership. If the matter involves creating a complex structure, it is important that you consider if there is a genuine purpose for this. Complex structures can be used to launder money or disguise ownership.
Your assessment of whether a structure is unusual or unduly complex should be based on the risk of money laundering it poses. You should consider what you know about your client, the client’s business, if the matter is in line with your previous dealings with the client and if it makes sense for the transaction to be structured in this way.
Your considerations should be documented on the risk assessment.
Does it involve a cash intensive industry?
Cash intensive businesses have a high cash turnover, for example nail bars and takeaway restaurants. Non-business entities may also fall into this group, for example, charities.
Cash-intensive businesses are riskier because there is a greater risk of disguising illegal funds within legitimate payments.
If your client is a cash intensive business, you should record how this risk will be mitigated.
Does it involve a high-risk industry?
The client's sector or area of work is also a significant risk factor, in particular if it is as area with a higher risk of corruption or being used for money laundering. For example, the arms trade, casinos, or trade in high-value items such as art or precious metals.
If your client operates in a high-risk sector, you should record how this risk will be mitigated.
Does the matter involve a risk of proliferation financing?
The MLR statutory instrument introduced in September 2022 brought in the amendments 16A, 18A and 19A of the MLRs in relation to proliferation financing (PF).
Under regulations 18A -19A of the MLRs, all firms in scope of the MLR must carry out a firm wide risk assessment incorporating PF and include PF in their policies, controls and procedures.
PF is defined in regulation 16(A)(9) of the MLRs as ‘the act of providing funds or financial services for use, in whole or in part, in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling of, or otherwise in connection with the possession or use of, chemical, biological, radiological or nuclear weapons, including the provision of funds or financial services in connection with the means of delivery of such weapons and other CBRN-related goods and technology, in contravention of a relevant financial sanctions obligation’.
Section 18.10 of the LSAG guidance contains a list of factors to be considered when assessing PF risks.
Are there any there any other Anti-Money Laundering (AML) or Counter Terrorist Financing risks?
The risk factors in this template are not exhaustive. It is therefore important that you consider other appropriate risk factors particular to each matter/client to assess other money laundering or terrorist financing risks that may be present.
Have you checked the source of funds for this transaction?
Source of funds means the money that is being used to fund the transaction in question. It is essential that you understand the nature, background and circumstances of the client, including their financial position. This allows you to assess whether the service/transaction is in keeping with your understanding of their background and circumstances.
Regulation 28(11)(a) of the MLRs requires firms to undertake a source of funds check where necessary.
A source of funds check should consider how the client accumulated the funds for the transaction. This will need to go beyond the location of the funds and consider how the client obtained that money (for example, was it salary, or a gift?).
You must ensure that the funds are not the proceeds of crime. This means that it is not enough to know that the funds are coming from a UK bank account or having sight of the client’s bank account statements showing that the funds are available. You need to go back as far as is needed to build a clear picture of how the client accumulated their money for the transaction. For some, it may be as little as six months, for others it might require looking back several years.
You should provide details of the checks you have conducted and any documentation you may have obtained. If you do not consider it necessary to check the source of funds in a transaction, the reason should be documented in the box provided.
If the client is a PEP, you must apply a source of wealth check under regulation 35 of the MLR. A source of wealth check must also be completed for PEPs. This is covered in the source of wealth section further below.
Identifying the source of funds in a transaction is one of the most valuable checks you can do to protect your firm from the risk of money laundering and terrorist financing. It is important to document the source of funds checks conducted on each client or matter and the conclusions derived from these checks. Full guidance on source of funds is available in section 6.17 of the LSAG guidance.
Is the matter transactional?
This question is asking if money will be exchanged or transferred from one party to another.
Does the transaction arrange for the movement of funds or assets?
The requirement to do source of funds checks might apply even if no money is coming through your client account. If the service is not transactional, it is important to establish whether it could facilitate the movement of funds or assets. For example, a firm instructed to draw up a contract to transfer assets from one party to another party will not receive funds in their client account but will be facilitating the movement of assets.
Under section 328 of the Proceeds of Crime Act 2002, an offence is committed if a person enters into, or becomes concerned, in an arrangement they know or suspect facilitates (by whatever means) the:
- use or
- control of criminal property, by or on behalf of another.
Are we receiving funds from overseas?
You must take extra care when dealing with funds from geographic locations that are subject to sanctions, a high-risk third country, or otherwise associated with a higher risk of money laundering, corruption or criminality (for example, drug trade or terrorism).
Please see section 3b for guidance on countries subject to sanctions, high-risk third countries and high-risk jurisdictions.
Are we receiving funds from third parties?
Where you have identified that funds are coming from a third party you should understand their relationship to your client. This will help you decide if their involvement makes sense in the transaction.
You should also verify that person’s identity and check the funds are not the proceeds of crime. In higher risk situations, source of wealth checks may be necessary.
Will this matter be funded by digital assets? eg crypto
The anonymity of some digital assets such as cryptocurrencies pose a risk of money laundering and terrorist financing.
If a transaction will be funded by digital assets, you need to conduct appropriate checks to ensure that the funds involved are not the proceeds of crime.
3a. Product/service risk
Based on the client’s profile, does it make sense for the client to instruct us on this transaction?
You should consider your knowledge and understanding of your client and the matter you have been instructed on before answering this question.
3b. Enhanced Due Diligence
It is important to assess if your client presents a high risk of money laundering or terrorist financing. You must apply enhanced due diligence when dealing with a high-risk client or matter.
Regulation 33(1) of the MLR sets out the circumstances when enhanced due diligence and enhanced ongoing monitoring must be applied. Enhanced due diligence must be applied in addition to the client due diligence measures required in regulation 28 of the MLRs. Enhanced due diligence will also apply in any circumstances you consider to be high-risk in your firm wide risk assessment. If a client is considered high risk in your firm wide risk assessment, but not considered high risk in your client risk assessment you should explain why.
When assessing whether there is a high risk of money laundering or terrorist financing you must consider the risk factors listed under regulation 33(6) of the MLRs. Section 6.19 of the LSAG guidance provides details of when to apply enhanced due diligence.
If you tick yes to any of the questions in this section, you:
- should speak with the nominated person at your firm before you proceed. For example, the Head of department, Money Laundering Compliance or Reporting Officer
- record that this is a high-risk client along with details of the additional measures that will be taken to mitigate the risk(s) identified.
For politically exposed persons (PEPs), you must obtain senior management approval before establishing or continuing a business relationship with PEP. Further guidance on PEPs is detailed below.
If the client is not an individual, is the structure complex or unusual?
Criminals can use complex structures as a way of obscuring the source of funds in a transaction or their ownership. Your assessment of whether a structure is unusual or unduly complex should be based on the risk of money laundering it poses. You should be mindful of structures that allow controls to be bypassed or have multiple layers which may disguise ownership.
Please see the question ‘does the matter involve creating a complex structure?’ in section 3 for more information.
Does the client own, manage or direct a business or activity that falls within a higher risk sector?
Some sectors carry a higher risk of money laundering, this may be because they carry an increased risk of bribery, corruption and money laundering for example.
Section 18.104.22.168 of the LSAG guidance contains guidance on identifying higher risk sectors.
Does the matter involve a client, a beneficial owner or other party linked to the
transaction, manage or direct a business or activity that is cash intensive?
Please see section 3 ‘does it involve a cash intensive industry?’ for guidance on cash intensive businesses.
Does the matter involve a client, a beneficial owner or any party established in
a high-risk third country or high-risk jurisdiction?
High-risk third countries
High-risk third countries are listed at schedule 3ZA of the MLR . The MLRs prescribe steps you must take if your client or any party to a transaction is established in a high risk third country.
Section 6.19.1 of the LSAG guidance provides more details on high-risk third countries.
Resources to help you consider whether a country is a high-risk jurisdiction include:
- Transparency International's corruption perception index
- The Basel AML Index
- CIA World Factbook
- FATF Jurisdictional Information
- The Know Your Country rating table
Sections 22.214.171.124 and 126.96.36.199 of the LSAG guidance provide useful guidance and useful links for high-risk jurisdictions you should consider.
Is the client a PEP, a family member or a close associate of a PEP?
The FCA has produced guidance ( FG 17/6) on identifying politically exposed persons (PEPs).
If you act for a PEP or an entity which may be owned/controlled by PEPs, you should address this in your risk assessment. You should also document any steps you may take to guard against the risks. Regulation 35(1) of the MLRs requires you to have appropriate risk management systems and procedures to determine whether a client or beneficial owner is a PEP.
When there is a PEP relationship (including where a PEP is a beneficial owner of a
client and where a client or its beneficial owner are a family member or known close
associate of a PEP), the MLRs specify that you must take the following steps to
deal with the heightened risk:
- have senior management approval for establishing a business relationship with a PEP or an entity beneficially owned by a PEP
- take adequate measures to establish the source of funds and source of wealth which are involved in the business relationship
- conduct closer ongoing monitoring of the business relationship and
- consider which aspects of your enhanced due diligence protocol are appropriate for the PEP in question.
Will this matter involve a country subject to sanctions?
Sanctions are restrictive measures imposed by the government to achieve a specific foreign policy or national security objective. You can find out which countries are subject to UK sanctions via the government’s website .
Do you have any concerns that the client, a beneficial owner or any parties linked to the transaction is subject to financial sanctions or has links to a country subject to sanctions?
You must not accept payment from a designated person unless you:
- have been granted a licence to do so by the Office of Financial Sanctions Implementation (OFSI) or
- are doing so under the terms of a general licence.
Designated persons/entities are defined in section 2a of this guidance under the question ‘Is the client a designated person/entity?’
Is the transaction unusually complex or large? Does this transaction form part of an unusual pattern of transactions? Does the transaction lack an apparent economic or legal purpose?
Criminals can use complexity as a way of obscuring the source of funds in a transaction or their ownership. If the matter involves an unusually complex transaction, it is important that you consider if there is a legitimate reason for this.
You should consider if the transactions fits with transactions previously undertaken by the firm, the firm’s expertise and the firm’s risk appetite to take on unusual work if applicable.
If the transaction forms part of an unusual pattern of business or lacks an apparent economic reason, you should consider if you should proceed with the transaction.
Your considerations and any subsequent decisions should be documented on the risk assessment in the space provided.
3c. Risk level and justification
Considering the information you have, you should decide and record if the client and matter poses a low, medium or high risk. You should record your reason for these risk ratings in the box below. This will assist you to monitor any changes in the client’s profile when a review is completed at an appropriate time in the future.
Source of wealth
For high-risk matters, provide details of source of wealth checks you have conducted and the reason you are happy to proceed with the transaction.
Source of wealth is the origin of all the money a person has accumulated over their lifetime. You should take measures to understand the activities that have contributed toward the individual's total wealth. For example, does it make sense for a client to have accumulated their wealth from their professional activities? If not, have they inherited money, sold assets, or received an investment windfall? This information gives an indication of the amount of wealth your customer would be expected to have and a picture of how they acquired it.
The level of risk presented by the client should determine the extent of due diligence that is required to mitigate any identified risks.
You should indicate the level of due diligence that would be required.
Simplified due diligence – Simplified due diligence is the lowest form of due diligence. This is only applicable where there is little, or no risk of your client being involved in money laundering.
Regulation 37(3) of the MLRs sets out a list of factors to be considered in determining whether a situation poses a lower risk of money laundering or terrorist financing.
You should document why your customer is eligible for simplified due diligence and obtain evidence to support this.
Standard due diligence – This refers to the client due diligence measures to identify and verify your client in regulation 28 of the MLRs. The measures required will vary depending on the type of client involved.
This level of due diligence should be applied to low-risk matters (where simplified due diligence is not applicable) and medium risk matters.
Please refer to section 6 of the LSAG guidance for guidance on client due diligence requirements.
Enhanced due diligence
Please see section 3b for guidance on enhanced due diligence.
Date and Signature
The form should be signed and dated by the person completing it.
Ongoing monitoring is mandatory under regulation 28(11) of the MLRs. It is an essential part of risk management because any communication could bring with it a change in the risk profile of matter risk, client risk, or both. This is why risk assessments should be re-evaluated at appropriate intervals. This will alert you to update the risk profile of the client which may change over time (for example, where there is a change in beneficial ownership, a change in the nature of the client’s business or change of address etc).
You should review the risk assessment if important new facts emerge or at key stages in the business relationship.
You should be looking out for new instructions that do not fit the profile of the client and/or are not consistent with previous work you have undertaken for the client.
Record details of:
- how you have monitored identified risks since the form was initially completed
- any changes discovered since the form was completed
- any changes to the risk level for the client and the matter and
- how the client and matter will be monitored on ongoing basis, if necessary
The form should be signed and dated by the person reviewing the risk assessment.
The risk assessment should be reviewed as many times as is necessary for the level of risk applicable to the client and or the matter.