Risk assessment

Sectoral Risk Assessment - Anti-money laundering and terrorist financing

Updated 5 March 2024


Money laundering is the means by which criminals make the proceeds of crime appear legitimate. The National Crime Agency (NCA) believes that money laundering costs the British economy more than £100 billion per year . By preventing money laundering, we can take away criminals’ incentive to commit acquisitive crimes, for example trading drugs or human trafficking, so many of which particularly impact on the vulnerable. This helps reduce wider crime to create a better, safer society for everyone.

The funding of terrorism can also be facilitated by the same weak controls that allow money laundering to take place.

We are responsible for the supervision of authorised firms for their anti-money laundering (AML) compliance, and we take our responsibilities very seriously. We owe a duty to society at large, and to protect the integrity of the legal sector through tackling intentional and unintentional enablers of money laundering.

Open all

A risk-based approach is embedded in UK legislation and AML best practice. It means that firms should assess their risks and target their resources to the areas or products that are most likely to be used to launder money. Similarly, we take a risk-based approach to directing our resources, focusing effort most on supervising the firms that are most likely to be used to launder money.

The UK Government periodically undertakes a National Risk Assessment pulling together risk-based information from all sectors in scope of the AML requirements, law enforcement and other sources. Drawing on this, and in order to fulfil our duties under Regulation 17 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (‘the Regulations’), we also produce a risk assessment of our supervised sector. This is to help firms to better estimate the risks they are exposed to. Our sectoral risk assessment must be considered as a part of each firm’s firm-wide risk assessment.

This sectoral risk assessment is not a substitute for a firm-wide risk assessment, which firms are obliged to draft and maintain under Regulation 18.

We ask to see firms' written risk assessments and policies, procedures and controls as part of our proactive supervision programme, or in response to specific information we have received. Your firm's risk assessment should not be disclosed to customers, or third parties, because it may be useful to those who are seeking to launder money.

This document sets out information on money laundering, terrorist financing and proliferation financing risk that we consider most relevant for firms we supervise.

We will continue to refresh this sectoral risk assessment on a regular basis to keep up to date with emerging risks and trends.

Who does it apply to?

The Regulations place obligations on firms offering services that are most likely to be targeted by those wishing to launder money.

These include independent legal professionals, tax advisers and trust and company service providers as defined in the Regulations.

What to do with this information

All firms that are within scope of the Regulations must comply with all the regulatory requirements. This includes taking appropriate steps to identify, assess and maintain a written record of their risk of being used for money laundering or terrorist financing.

Firms must have regard to this risk assessment, and any updates, when creating and maintaining their own written risk assessment as required by Regulations 18 and 18A of the Regulations, along with a comprehensive knowledge of their business and clients.

We may ask to see your firm's risk assessment.

We have seen increasing numbers of firms facilitating vendor frauds. This involves properties, usually residential, being targeted by fraudsters and being sold without the consent or knowledge of the genuine owners, with fraudsters often impersonating the owners. The conveyancing process is attractive to fraudsters because it provides both the method of committing the fraud and the means of laundering.

Once the purchaser has transferred the money into their solicitor’s account, and on completion to the supposed seller, the funds have passed through two solicitors firms’ client bank accounts making the funds appear to come from a genuine property transaction. However, these funds represent criminal property and are therefore proceeds of crime.

Failures in identification and verification make it easier for such frauds to take place. Firms should:

exercise caution when clients are not met face to face

ensure that the vendor’s title is properly established

properly scrutinise any identity documents to ensure they appear authentic and show no apparent signs of being forged or altered.

Warning signs to consider include:

  • properties being offered for sale over or under the market value
  • reluctance on the client’s part to provide documentation
  • altered, forged or stolen identity documents such as passports
  • pressure to complete the transaction very quickly – for example within a few days
  • instructions for minimal work be done – for example no searches requested
  • complex or unusual circumstances around the transaction
  • cash property purchases
  • funds coming from or going to unconnected third parties
  • being instructed to act for both the seller and the purchaser in the transaction
  • property being bought/sold in back-to-back sales.

Proliferation financing

Amendments to the Regulations in 2022 mean that all firms must now carry out an assessment of their exposure to the risk of proliferation financing.

Simply put, this means the risk of the firm being involved with the global proliferation of nuclear, chemical, biological or radiological weapons by groups and countries which are not permitted to have them under international treaty. This includes both materials for weapons, and also ‘dual-use goods’. These are goods which are not manufactured as weapons but could be used in weapons or to produce them, for example fertiliser.

We consider the overall risk posed by proliferation financing to the legal profession to be low. In most cases, firms will be able to cover their proliferation financing risk as part of their AML firm-wide risk assessment, given that many of the risk indicators are the same.

There are, however, some sectors which have heightened exposure to proliferation financing, and where we would expect a more thorough risk assessment, either as part of the AML firm-wide risk assessment or as a standalone document. These include:

  • trade finance
  • commercial contracts
  • manufacturing - particularly in relation to dual-use goods
  • commodities – particularly mined metals and chemicals
  • shipping/maritime
  • military/defence
  • aviation.

Firms may be of a greater risk where they have exposure to countries which:

  • are subject to UN sanctions (for example, Iran or North Korea)
  • are suspected of using or seeking to acquire nuclear, chemical, biological or radiological weapons (for example, Syria)
  • share a porous border with such countries.

This risk of diversion across borders, where criminals and terrorists may export goods to a border region and then smuggle them to a country subject to sanctions, is one to which firms should be particularly aware.

The 2023 Legal Sector Affinity Group guidance includes advice on assessing the risk of proliferation finance.


There are similar risks in the use of new types of financial technology, for example, fund transfer systems and crowdfunding platforms. Any use of new technologies should be preceded by an assessment of the risks they may introduce and effective mitigation of these risks where possible.

This greater use of technology in all respects also heightens the importance of cyber security. Cyber security breaches could allow criminals to gain total access to both clients’ sensitive data and the firm’s systems, allowing them to be used for laundering money. Recently, a cyber attack involved all users of a particular case management system, affecting large numbers of firms. You can find a range of cyber security resources here .

Wider economic pressures

A separate issue which is of growing importance is the issue of sufficient resourcing of AML work. As economic conditions have continued to deteriorate, firms are likely to be under pressure to reduce costs, and elements of businesses that are not directly revenue generating may see their budgets reduced.

Whatever decisions are made about resourcing, firms need to understand that economic conditions do not change the requirement to comply with the Regulations. In fact, the economic conditions are more likely to increase a firm’s exposure to would-be money launderers, emboldened by a perception that they are in a position of relative strength in dealing with firms. Potential clients may seek to emphasise the amount of revenue they can bring to a firm as a bargaining tactic.

Where you are working alongside other professionals, or on one aspect of a wider legal matter, you should also consider supply chain risk.

A supply chain refers to the end-to-end activities/actions involved in the provision of a service/product to the end customer or beneficiary.

A simple supply chain could involve only a few individuals / companies while a more complex supply chain could involve multiple service providers.

Understanding the purpose of the service you are providing and who is ultimately benefiting from it is important in being able to identify and manage any supply chain risks. This could involve making preliminary enquiries of your client to help you understand the purpose of the whole instruction and how your instructions fit into the overall supply chain. If necessary, you should also look beyond your own instruction to understand the totality of the transaction and identify any risks. This may include taking steps to understand the role of other professionals in the supply chain, eg accountants or company formation agents, and ensuring that these services fit with your understanding.

As a part of our duties as an AML supervisor, we have been reviewing the compliance of firms we supervise, including reviewing firm risk assessments, policies, controls and procedures and client files. We publish our findings from recent inspections annually in the autumn.

We have published several other pieces of guidance and supporting information, also informed by this proactive work:

Weak controls

Inadvertent failures and gaps in a firm's AML compliance can introduce real and dangerous vulnerabilities into their ability to protect themselves from would-be money launderers.

For example, weak screening controls put firms at risk of being used or infiltrated by organised crime gangs. Individuals posing as solicitors, or solicitors that are being controlled by criminal elements, can use the structures of a firm (particularly the client account) to provide a veil of legitimacy to the proceeds of crime.

The most common weaknesses we have observed included inadequate:

  • source of funds checks
  • independent audits
  • screening of staff and
  • matter risk assessments.

We have also observed that while larger firms may have greater resources to protect them from money laundering risks, they will often silo off risk-based information in a compliance team or system. This can mean that those working on a file may:

  • lack ready access to the underlying risk assessment and due diligence documentation and information and
  • be prevented from conducting effective ongoing monitoring of risk.

Firms should remain vigilant and make sure their policies, controls and procedures adequately protect the firm against the risk of money laundering and terrorist financing.

Developing a culture of compliance is vital. Firms' outcomes are improved if staff understand the reasons for preventing economic crime, and their role in doing so, rather than seeing it as the job of a compliance team or an AML officer.

Politically Exposed Persons (PEPs) and higher risk jurisdictions

We have found that smaller firms in particular are potentially taking an overly simplistic approach to risks associated with PEPs and higher risk jurisdictions.

The UK economy is highly integrated with the rest of the world, and services offered in the UK are attractive to those in high risk jurisdictions who wish to make the proceeds of crime seem legitimate. A blanket assumption that PEPs would not instruct your firm, or that your firm would never accept instructions from a PEP, is not a sufficient protection against the risks they present. Neither approach would itself satisfy the requirement at Regulation 35(1) to have measures in place to identify PEPs.

It is for firms to decide their own risk appetite, but their policies should be realistic. With the proper policies, controls and procedures, there is nothing to prevent a firm taking on PEP clients. If a firm has an overly restrictive PEP policy, it is at risk of:

  • turning away clients for no good reason, restricting access to legal services
  • being counter-productive if the firm has a policy which is ignored or routinely breached.

From 10 January 2024 the way in which domestic PEPs should be treated has changed. Domestic PEPs are now defined as those PEPs entrusted with prominent public functions by the UK, and are subject to a different level of risk assessment and enhanced due diligence (EDD). The difference is as follows:

  • The starting point for the assessment is that the customer or potential customer presents a lower level of risk than a non-domestic PEP.
  • If no enhanced risk factors are present, the extent of EDD measures to be applied in relation to that customer or potential customer is less than the extent to be applied in the case of a non-domestic PEP.

The FCA is due to provide interpretative guidance on the new provision later in 2024. Until they do so, it will be for firms to decide how best to interpret the exercise set out above. While domestic PEPs may now be subjected to a lower level of EDD than other PEPs, it remains EDD. It must be at a higher level than the CDD you usually apply, and include the measures specified at Regulation 33(5).

It is also important to note that PEPs may instruct a variety of firms, not just those that are large and high-profile. In our proactive work, we noted that PEPs are equally likely to instruct small firms and sole practitioners.

External support

Many firms engage external advice to meet their compliance requirements. In most cases, this is a helpful resource. Some firms, however, rely too heavily on external consultants or systems.

This can include:

  • Unsuitable use of templates for risk assessments, failing to take the firm's individual circumstances into account.
  • Using electronic identification and verification systems without understanding the underlying processes or their limitations.
  • Using external consultants to draft their compliance documents without an in depth understanding of the work of the firm.
  • Using external consultants who have limited knowledge of the legal profession.

While seeking external help with your compliance can be of benefit, the firm itself is in the best position to understand its own risks and design and implement effective mitigation.

You should consider whether or not the person who is carrying out the audit is sufficiently independent and removed from authorship of the firm's risk assessments and policies, controls and procedures.

It is also important to note that the obligations under the MLR 2017 apply to the firm and cannot be outsourced. The same can be said for the individual responsibilities held by a firm's MLCO, MLRO and beneficial owners, operators and managers under the Regulations.

The 2020 NRA said:

'The risk of abuse of legal services for money laundering purposes remains high overall. Legal service providers (LSPs) offer a wide range of services and the services most at risk of exploitation by criminals and corrupt elites for money laundering purposes continue to be conveyancing, trust and company services and client accounts.'

The NRA goes on to highlight how a lack of focus on compliance, taking a tick-box approach or a lack of understanding of risk in firms, leads to a higher risk of being exploited by criminals.

The NRA rated the legal sector as being low risk of being used for terrorist financing.

The risk assessment identifies several potential emerging issues including:

  • sham litigation (ie fake lawsuits between collaborating parties to launder money as payment of damages through the courts)
  • use of crypto assets for payments, which while not always automatically suspicious inherently make it harder to identify the beneficial owner and as a result should be treated as high risk
  • use of crowdfunding, which can make the source of funds extremely difficult to establish.

We have noticed that firms will often attempt to address risk by highlighting what they do not do. Firms should consider the services they provide and the risk each of them presents.

This may require you to divide services and products into subcategories, in order to draw out high risk elements from lower risk ones. A large amount of solicitors' money laundering risk depends on the services, or combination of services they offer.

Based on our supervisory work and analysis, we have found that the following services pose the highest risk.




Property is an attractive asset for criminals because of the large amounts of money that can be laundered through a single transaction, and the fact that property will tend to appreciate, can be used to generate rental income or can be lived in.



Solicitors are in a position of trust, and their client account can be viewed as a way of making criminal funds appear to have a legitimate source. Criminals target client accounts as a way of moving money from one individual to another through a trusted third party under the guise of a legal transaction without attracting the attention of law enforcement.

You must never allow your client account to be used as a banking facility, or to pass funds through it without a legitimate underlying transaction. Firms should be aware of any attempt to pay funds into a client account without a genuine reason, or to get a refund of funds from a client account (particularly to a different account from which the original funds were paid).

It is a good idea not to make the details of your client account visible (for example by including them in engagement letters) and to provide them only when required.

Third-party managed accounts

If you hold client money in a third-party managed account , you should be aware that there are still risks in play.

You will be less able to monitor the movement of client monies, but under the MLRs the responsibility for any breach would still rest with you.

You should also carry out due diligence on the account provider to make sure that they are properly defended against risks such as ransomware and cyber attacks.

Creating or managing trusts and companies

Trusts or corporate structures which can facilitate anonymity can help disguise the source or destination of money or assets. Law enforcement have flagged that many investigations of money laundering lead to opaque corporate structures, used to hide the beneficial ownership of assets.

We would regard the following red flags to denote scenarios of particularly high risk:

  • any involvement of bearer shares
  • quick repayment of loans by entities under the client’s control
  • the involvement of an entity type or jurisdiction which may facilitate anonymity
  • involvement of one or more jurisdictions seemingly unrelated to the matter
  • use of nominee trustees or shareholders
  • using pre-existing entities (as opposed to newly formed ones) in an attempt to make a transaction seem more legitimate
  • using non-business relationships to mask control of an entity, for example, family members.

Tax Advice

Firms need to be aware that while offering certain types of advice and services, there is a higher risk that they may come into contact with the proceeds of crime.

One such example would be in offering advice (which includes assistance and material aid as per the definition in the Regulations) to a client who is attempting to evade or avoid tax.

The national risk assessment addresses tax advice directly:

‘The provision of tax advice and acting as an agent with HMRC on behalf of clients provides several means to launder money and poses a high risk.’

Family Offices

Family offices will generally offer a mix of legal (such as tax advice, conveyancing etc), wealth and property management, accountancy and concierge services, often for ultra-high net worth individuals and their families and associates. These may be stand-alone companies, or a service offered alongside others by a company catering to high net-worth individuals, for example an investment bank.

Use of these services adds one or more extra layers between the firm and the client and may obscure the origin of funds or assets.

Firms must also bear in mind their obligations under regulation 28(10) when dealing with intermediaries such as family offices. In these circumstances firms must:

  • verify that the intermediary has the authority to act
  • identify the intermediary
  • verify the intermediary’s identity.

Each client is different, and each will have their own particular risk-profile. There are a number of different factors that increase the risk of money laundering presented by clients. Warning signs include clients:

  • with an excessive or unreasonable desire for anonymity or privacy
  • acting outside their usual pattern of transactions
  • whose identity is difficult to verify
  • being evasive about providing ID documents
  • pressuring you into a certain course of action.

The risk posed by your client also extends to the risk posed by the beneficial owner, if applicable. You need to be confident you know who your client is and why they are asking for your services, and any risk that you do not should be duly considered.

You should also not assume that existing clients are necessarily lower risk. Clients may seek to be onboarded with you for low risk work, and then transition to higher risk work in order to bypass more stringent checks at the point of onboarding.

Existing clients can also present a risk where they have been onboarded in a way that may deviate from your firm’s standard practices. Common scenarios include:

  • clients onboarded in another firm which has since merged with your own
  • clients ported from a foreign branch office, or a company in the same group
  • clients onboarded by a consultant or individual who may not be applying the firm’s approach consistently.

Effective ongoing monitoring of all clients is the best control against these risks.



Politically exposed persons (PEPs)

PEPs may be from the UK or abroad. Generally speaking, PEPs may have access to public funds or significant public influence and the Regulations require PEPs and their close family members and associates to be identified and require extra checks to mitigate the risks of corruption.

The Regulations require firms to be able to identify PEPs and their associates and family members and to undertake enhanced due diligence on them.

Onboarded clients may become PEPs over time due to a change in their circumstances which makes effective ongoing monitoring very important. PEPs also retain their status for at least twelve months after leaving the relevant office.

Physical cash intensive sectors or businesses

The nature of the client’s business might increase risk if it is cash-intensive (eg take-aways, car washes, nail salons and lessors of residential or commercial property) and therefore presents a greater risk of disguising illegal funds within legitimate payments.

The client’s sector or area of work is also a significant risk factor, in particular if they are associated with a higher risk of corruption or being used for money laundering, for example those from the arms trade, casinos, or trade in high value items (eg art or precious metals).

You should also be vigilant for types of business which are at particular risk of being involved in modern slavery and human trafficking. The NCA has identified businesses such as car washes, nail bars and takeaways as examples of this, as well as live-in factories, care homes and the garment trade. A recent alert also highlights risk in the construction sector.

Familiar clients

Dealing with individuals with whom you, or your staff, may be familiar (such as friends or family) can lead to complacency in assessing and addressing risk and broader compliance with the Regulations.

You should seek to account for and appropriately challenge assumptions of the low risk nature of clients with whom you have a non-professional relationship. You should also ensure you are appropriately verifying information you may know (or think you know) about the client and ensure you have done all the checks required.

Employees may also pose unique risks as they may be in a position to avoid controls and otherwise use their influence and knowledge to manipulate the firm improperly.

This also extends to referrals via trusted third parties. Being referred by someone known to you does not automatically mean a client is legitimate or trustworthy. You should take the same care and apply the same measures as you would for any other client.

Anonymity/cannot prove ID

You should be aware that clients who are seeking anonymity on behalf of themselves, a third party or beneficial owner may be seeking to launder money.

You should also be alert to risk regarding clients who are evasive about proving their identity, who produce non-standard documentation or who wish to have undue control over how a service is provided.

In some circumstances there may be valid reasons why clients cannot easily provide ID evidence (for example those in care homes), but it is up to you to have processes in place to check that validity in such scenarios.

It is generally legitimate for a client to expect confidentiality in dealing with their legal representative. Excessive or unreasonable desire for privacy or anonymity, however, should be treated as a warning sign and trigger further scrutiny.

Intermediaries or agents

While there may be perfectly good reasons for a client to seek to engage with a law firm through an agent or third party, it may make it more difficult to understand who the underlying customer is. Similarly, it creates the risk that the third party or agent does not have the appropriate permission to act on behalf of the customer.

This can also include entities such as family offices, as outlined above.

Regulation 28(10) requires you to identify and verify both the intermediary and the underlying client, as well as obtaining evidence of the intermediary’s authority to instruct you.

There are a number of factors that might make an individual transaction higher risk. Much of the work in identifying risk involves being alert for unusual activity or requests that do not make commercial sense. The use of cash, either as part of a transaction or for payment of fees is inherently higher risk, and firms should have a policy on what amount of cash they will accept, and in what circumstances. You should consider what is normal for your particular firm.

Understanding the source of funds and the source of wealth will help you to manage the risk from a transaction. For the avoidance of doubt, for a source of funds check you should be checking where the customer got the funds from, not just ensuring the funds came from a bank account at a regulated UK financial institution. You should consider the following factors:



Size and value of the transaction

Money launderers incur a risk with each transaction, and so criminals may seek large or high value transactions to launder as much money as possible in one go.

If there is no good explanation for an unusually large transaction, or a client is seeking to make a number of linked transactions this presents a higher risk.

Cryptocurrency and crypto assets (crypto), including digital assets such as non-fungible tokens

Cryptocurrencies and assets present various risks:

  • They may facilitate anonymity and obscure the origin of funds.
  • They are volatile and often subject to sudden and unpredictable changes in value.
  • Clients may use the opaque nature and volatility of crypto as an explanation for having unusually large amounts of money. This should be clearly evidenced.
  • The crypto may have been purchased on an unregulated exchange.
  • The crypto may have been purchased on an exchange operating legally in a jurisdiction with a less stringent AML regime.

Physical cash

Physical cash can facilitate anonymity and enable money laundering. There may be legitimate reasons that a client wants to pay in cash.

It is also important to note that being paid into a bank account, even a UK bank account, does not render a sum of physical cash legitimate. Sums deriving from physical cash should undergo the same checks that the original sum would.

Cash purchases of real property

Large sums of ready cash, as opposed to monies raised by a loan or mortgage, should prompt questions about the client's source of funds and potentially of wealth.

Legitimate sources of funds for these transactions could, for example, be an inheritance, a gift, a lottery win, etc. They should be reasonably simple to prove, and unwillingness to disclose the source of this cash should be considered a warning sign.

Transactions that do not fit the norms of your firm or the client's activity

Firms will know where their expertise is and what services they normally provide. In addition, initial client due diligence should include gathering some information on the expected ongoing client relationship and related activities.

If a new or existing client is requesting transactions or services that you wouldn't normally expect your firm to offer, you might consider this suspicious if there is no obvious reason for the request.

Similarly, if a client is requesting services which are not in line with your customer due diligence or are out of their normal pattern of transactions, without a good reason, you should consider whether this constitutes suspicious behaviour.

Transactions or products that facilitate anonymity

Accurate and up-to-date information on beneficial owners is a key factor in preventing financial crime and tracing criminals who try to hide their identity behind corporate structures.

Firms should be alert to customers seeking products or transactions that could facilitate anonymity and allow beneficial owners to remain hidden without a reasonable explanation.

This may also apply to transactions which do not involve money or personal property, such as artworks, vessels or aircraft.

New products, delivery mechanisms or technologies

The changing nature of money laundering means that criminals are always seeking new ways to launder funds as old ways become too risky and loopholes are closed. Moving into a new business area or providing a new delivery channel for services means your firm may come across new or previously unidentified risks. In moving into a new area, you will not necessarily have a previous pattern of transactions with which to compare new behaviour that might be suspicious. You should risk assess any such new products, delivery mechanisms or technologies before using them.

Pooled funds and funding platforms

This refers to transactions where a large number of participants, often strangers to each other, contribute to fund the purchase of a property or asset. For example:

  • Cash gifts given at a wedding.
  • Crowdfunding to purchase a property.

These can be challenging for firms as it may prove difficult to establish the source of funds, particularly where there are numerous separate sums. Without knowing this it is impossible to assess the level of risk involved, or to determine whether any of the money involved has been laundered or is subject to sanctions.

Complex transactions

Criminals can use complexity as a way of obscuring the source of funds or their ownership. Firms should make sure that they fully understand the purpose and nature of a transaction they are being asked to undertake. If your client cannot tell you why the proposed transaction is so complex, for example saying 'tax reasons' without explaining further, this should be treated as a high risk.

You should make further enquiries or seek expert help if unsure.

The way in which you deliver your services can increase or reduce risk to the firm.

If you do not meet clients in person, it is inherently more difficult to identify and verify their identity. These risks can be mitigated by the use of effective electronic identification and verification tools.

These tools represent an evolution in the identification and verification capabilities of firms and may be seen as an improvement when compared to some previous common practices such as relying on certified copies of documents.

While they can be valuable in aiding firms to fulfil their AML duties, they may however present risks where they are not fully understood: For example:

  • Being used in a way that was not intended. For example, just because a system has stated that a client has 'passed' does not mean no further enquiries are necessary, nor does it obviate the requirement to identify and verify them.
  • Assuming that such a system fulfils the requirement to carry out a client/matter risk assessment. These systems may be very helpful in informing the client/matter risk assessment, but cannot do so automatically.
  • Those using them are not properly trained in the systems leading to user error.
  • Viewing the checks as a one-time exercise and failing to regularly update the checks as part of their ongoing monitoring obligations.

The Financial Action Task Force (FATF) has produced guidance on using these services.

Ultimately the firm is responsible for its own compliance, and this responsibility can never be outsourced.



Remote clients

Not meeting a client face-to-face can increase the risk of identity fraud and without suitable mitigation such as robust identity verification may help facilitate anonymity.

Not meeting face-to-face may make sense in the context of a given transaction or wider context. But where clients appear unnecessarily reluctant or evasive about meeting in person, you should consider whether this is a cause for concern.

You should also be aware of the risk posed by AI tools – known as 'Deepfakes' – which can impersonate a real person's appearance convincingly. This increases the risk of relying on video calls to identify and verify your client. If you only meet clients remotely, you should understand whether your electronic due diligence protects you against this, or to explore software solutions to assist in detecting deepfakes.

Combining services

Some services might not be inherently high risk, but when combined with other services or transactions become risky. For example, there might be legitimate reasons for setting up a company, but if that company is used to purchase property and its structure disguises the beneficial owner, this could increase the risk of money laundering.

Clients may take steps to hide the combination of services they are using. For example, if a client is enquiring about, or taking advantage of information barriers within firms (for example between branches or practice areas) or allowing a significant amount of time to pass between instructions so they appear unlinked, these should be seen as indicators of risk.

Payments to or from third parties

Launderers can seek to disguise the source of funds by having payments made by or to associates or third parties. This is a way of disguising assets and you should make sure you identify the source of funds and source of wealth to mitigate this risk.

A payment to or from a third party is particularly suspicious if it is unexpected, occurs at short notice, or is claimed to have been made in error with a request for the money to be refunded.

There may be some legitimate reasons for third party payments, for example parents gifting a house deposit to their child. You should ensure you do appropriate due diligence including checking source of funds before accepting such payments.

Irregular methods of transfer

If a client insists on depositing a sum of money with your firm in portions or tranches, or asks you to transfer sums to them or third parties in a similar way, you should investigate further.

It may be that the client is transferring these sums in this way to evade AML controls imposed by banks.

If the reason given is deposit or withdrawal limits, this should be simple for the client to evidence.

When assessing geographic risk, you should consider the jurisdiction in which services will be delivered, the location of the client, and that of any beneficial owners or counterparties as well as the source and destination of funds.

In some jurisdictions the sources of money laundering are more common, for example locations where the production of drugs, drugs trafficking, terrorism, corruption, people trafficking or illegal arms dealing more commonly occur.

While countries with anti-money laundering and counter-terrorist financing regimes which are equivalent to the UK may be considered lower risk, you must guard against complacency. There have been major examples of local AML failures with international impacts, in what had been seen previously as low risk jurisdictions.

Below are the key issues to consider regarding geographic risk.



Countries that do not have equivalent AML standards to the UK

The Regulations set out that those countries which appear on FATF’s lists of countries subject to a call for action or increased monitoring are high risk third countries, and specific EDD measures must be applied.

These lists are not an exhaustive list of all high risk countries (notably omitting Russia, for example), and other higher risk jurisdictions are listed by sources such as the Basel Institute of Governance .

There are also information aggregators, like Know Your Country which combine insights from these resources. You should take a cautious approach to deciding whether a country is high risk for the purposes of applying enhanced due diligence. If in doubt about a country, you should consider treating it as higher risk.

Information to which your firm has access

While externally drawn up lists of high-risk countries may be useful, your firm may have access to wider intelligence that may cause you to upgrade the risk posed by a particular client, firm or geographic location. For example, there may be sector specific information you may be more aware of due to your firm’s main areas of business.

While overall the jurisdiction might be seen as generally low risk, it could still be high risk for your firm. For example, an otherwise low risk EU country, may be worth considering as high risk if there is well-known local criminality in a sector that you may have exposure to.

Local characteristics

A multi-branch firm may have day-to-day exposure to different risks across their various offices or locations. This could mean that what is unusual or a potential risk indicator in one branch is not necessarily the same in others.

For example, an office in the City of London may have a greater number of corporate and PEP clients, while a branch in a smaller regional town may have greater exposure to high cash-use businesses, such as restaurants and independent retailers.

Countries with significant levels of corruption

The Regulations require firms to put in place enhanced due diligence measures in dealing with countries with significant levels of corruption or other criminal activity, such as terrorism. Transparency International also produces a corruption perceptions index .

Stringent currency controls

China is an example of a country that has significant constraints on its citizens and residents investing or moving capital abroad. This has led to some people using alternative networks to move wealth out of the country.

Evasion of local currency controls is not an offence under UK law and does not automatically mean that funds are the proceeds of crime.

The informal value transfer systems used, however, often present risks of their own. Legitimately obtained money may be transferred by illegitimate means. Firms must ensure that methods of delivery, as well as the funds themselves, are legitimate.

LSAG has produced guidance on this subject.

The sanctions regime has expanded recently, mainly due to the Russian invasion of Ukraine in 2022. The long-standing involvement of Russian interests and beneficial owners in British business, and vice versa, has meant that many firms have been exposed to the sanctions regime for the first time.

It is important to remember, however, that there are a large number of thematic and geographic sanctions regimes beyond Russia and Belarus. Firms cannot assume that sanctions are not relevant to them. There are a significant number of British nationals subject to sanctions.

The sanctions regime is separate to the proceeds of crime and money laundering regimes, but overlaps with them in many ways:

  • It involves many of the same risk factors as money laundering, such as suspect jurisdictions, politically exposed persons (PEPs) and complex corporate structures.
  • Sanctions create a motive for wanting to obscure the origin or recipient of funds or assets.
  • The ownership and control requirements of the sanctions regime also mean that it is necessary to identify a corporate entity’s ultimate beneficial owners and those who control it – who may be different people. This makes it all the more important to carry out effective client due diligence (CDD).

We expect the sanctions regime to continue to expand, so all firms should be familiar with the requirements. Sanctioned individuals and businesses are likely to seek to instruct firms with weaker controls.

The sanctions regime is also strict liability and applies to all firms – indeed, to all natural and legal persons in the UK. The sanctions regime therefore poses a risk to all firms, whatever their size, nature or area of work.

We have also produced comprehensive guidance on the sanctions regime, as has the Office for Sanctions Implementation (OFSI) .

The Regulations require firms to put in place enhanced due diligence measures in dealing with countries subject to sanctions, embargos or similar measures. In the UK, the Office of Financial Sanctions Implementation maintains a searchable database of designated persons and entities . You can also subscribe to email alerts of any changes.



Client risk

You should remain vigilant to the possibility of your firm being instructed by a sanctioned entity or individual (a designated person) or an entity owned or controlled by them.

A robust and reliable check using the OFSI Consolidated List or a programme derived from it is the best way to tell whether or not the client is a designated person.

Ownership and control, however, is a broader concept and is different to ultimate beneficial ownership in the MLRs. If the control of the company is unclear or obscured, or appears to operate contrary to expectations, there is a risk you will unknowingly act for a designated person.

Some designated persons are also PEPs, but you should be aware that the two concepts are not interchangeable.

Geographic risk

You should be vigilant for any clients who are established in, or have links with, jurisdictions which have a country regime in place.

Similarly, you should exercise caution when dealing with entities whose chain of ownership originates from or passes through these jurisdictions.

Jurisdictions with a sanctions regime in place are generally widely known, so designated persons may use intermediaries, agents or other third parties to try to circumvent this.

Products & services risk

You should check to see whether there is a ban in place on the products and services you are offering. For example, it is currently prohibited to provide trust services to Russians or persons connected with Russia, unless a licence is in place.

We consider that the following areas of work are more exposed to sanctions risk:

  • trade (imports/exports outside of the UK)
  • shipping
  • aviation
  • immigration.

However, it is important to remember that all areas of work may be of interest to designated persons, including those (eg litigation) out of scope of the MLRs.

Transaction risk

The same principles as for AML apply here, and the most risky activities are likely to involve transactions which:

  • are large
  • are complex
  • involve obscure or uncertain sources of funds
  • involve risky jurisdictions or those with links to them
  • involve transfers to and from unrelated third parties.

The NCA has issued alerts on non-monetary assets being used to evade sanctions, including:

Delivery channel risk

Designated persons may attempt to hide their own true identity, or to obscure their true role.

As with AML, you should make sure that you identify and verify those with whom you deal.

Designated persons may use intermediaries, family offices or agents to obscure their involvement in transactions and other matters. You should ensure that the appropriate level of due diligence is carried out on both the principal and intermediary, and that you establish ownership and control of legal persons.

Summary of changes

This sectoral risk assessment was published on 5 March 2024. The major changes from our previous Sectoral Risk Assessment (dated 24 July 2023) are as follows:

  • We have drawn attention to the following new risks:
    • vendor fraud
    • pooled client funds
    • third-party managed accounts
    • irregular methods of transferring funds.
  • Sanctions has been placed under its own risk heading.
  • We have amended references to Covid-19, retaining risks which have become part of usual business and deleting factors which are no longer relevant.
  • We have made reference to the risk of modern slavery in relation to cash-based industries.
  • Further references to AI and cybercrime have been added.
  • The position with regard to domestic PEPs has been updated.

The SRA has published more information on preventing money laundering and terrorist financing.