Risk assessment

A risk-based approach is embedded in UK legislation and AML best practice. It means that firms should assess their risks and target their resources to the areas or products that are most likely to be used to launder money. Similarly, we take a risk-based approach to directing our resources, focusing effort most on supervising the firms that are most likely to be used to launder money.

The UK Government periodically undertakes a National Risk Assessment pulling together risk-based information from all sectors in scope of the AML requirements, law enforcement and other sources. Drawing on this, and in order to fulfil our duties under Regulation 17 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (‘the Regulations’), we also produce a risk assessment of our supervised sector. This is to help firms to better estimate the risks they are exposed to. Our sectoral risk assessment must be considered as a part of each firm’s firm-wide risk assessment.

This sectoral risk assessment is not a substitute for a firm-wide risk assessment, which firms are obliged to draft and maintain under Regulation 18.

We ask to see firms' written risk assessments and policies, procedures and controls as part of our proactive supervision programme, or in response to specific information we have received. Your firm's risk assessment should not be disclosed to customers, or third parties, because it may be useful to those who are seeking to launder money.

This document sets out information on money laundering, terrorist financing and proliferation financing risk that we consider most relevant for firms we supervise.

We will continue to refresh this sectoral risk assessment on a regular basis to keep up to date with emerging risks and trends.

Who does it apply to?

The Regulations place obligations on firms offering services that are most likely to be targeted by those wishing to launder money.

These include independent legal professionals, tax advisers and trust and company service providers as defined in the Regulations.

What to do with this information

All firms that are within scope of the Regulations must comply with all the regulatory requirements. This includes taking appropriate steps to identify, assess and maintain a written record of their risk of being used for money laundering or terrorist financing.

Firms must have regard to this risk assessment, and any updates, when creating and maintaining their own written risk assessment as required by Regulations 18 and 18A of the Regulations, along with a comprehensive knowledge of their business and clients.

We may ask to see your firm's risk assessment.

We have seen increasing numbers of firms facilitating vendor frauds. This involves properties, usually residential, being targeted by fraudsters and being sold without the consent or knowledge of the genuine owners, with fraudsters often impersonating the owners. The conveyancing process is attractive to fraudsters because it provides both the method of committing the fraud and the means of laundering.

Once the purchaser has transferred the money into their solicitor’s account, and on completion to the supposed seller, the funds have passed through two solicitors firms’ client bank accounts making the funds appear to come from a genuine property transaction. However, these funds represent criminal property and are therefore proceeds of crime.

Failures in identification and verification make it easier for such frauds to take place. Firms should:

exercise caution when clients are not met face to face

ensure that the vendor’s title is properly established

properly scrutinise any identity documents to ensure they appear authentic and show no apparent signs of being forged or altered.

Warning signs to consider include:

• properties being offered for sale over or under the market value
• reluctance on the client’s part to provide documentation
• altered, forged or stolen identity documents such as passports
• pressure to complete the transaction very quickly – for example within a few days
• instructions for minimal work be done – for example no searches requested
• complex or unusual circumstances around the transaction
• cash property purchases
• funds coming from or going to unconnected third parties
• being instructed to act for both the seller and the purchaser in the transaction
• property being bought/sold in back-to-back sales.

Proliferation financing

Amendments to the Regulations in 2022 mean that all firms must now carry out an assessment of their exposure to the risk of proliferation financing.

Simply put, this means the risk of the firm being involved with the global proliferation of nuclear, chemical, biological or radiological weapons by groups and countries which are not permitted to have them under international treaty. This includes both materials for weapons, and also ‘dual-use goods’. These are goods which are not manufactured as weapons but could be used in weapons or to produce them, for example fertiliser.

We consider the overall risk posed by proliferation financing to the legal profession to be low. In most cases, firms will be able to cover their proliferation financing risk as part of their AML firm-wide risk assessment, given that many of the risk indicators are the same.

There are, however, some sectors which have heightened exposure to proliferation financing, and where we would expect a more thorough risk assessment, either as part of the AML firm-wide risk assessment or as a standalone document. These include:

• trade finance
• commercial contracts
• manufacturing - particularly in relation to dual-use goods
• commodities – particularly mined metals and chemicals
• shipping/maritime
• military/defence
• aviation.

Firms may be of a greater risk where they have exposure to countries which:

• are subject to UN sanctions (for example, Iran or North Korea)
• are suspected of using or seeking to acquire nuclear, chemical, biological or radiological weapons (for example, Syria)
• share a porous border with such countries.

This risk of diversion across borders, where criminals and terrorists may export goods to a border region and then smuggle them to a country subject to sanctions, is one to which firms should be particularly aware.

The 2023 Legal Sector Affinity Group guidance includes advice on assessing the risk of proliferation finance.

Technology

There are similar risks in the use of new types of financial technology, for example, fund transfer systems and crowdfunding platforms. Any use of new technologies should be preceded by an assessment of the risks they may introduce and effective mitigation of these risks where possible.

This greater use of technology in all respects also heightens the importance of cyber security. Cyber security breaches could allow criminals to gain total access to both clients’ sensitive data and the firm’s systems, allowing them to be used for laundering money. Recently, a cyber attack involved all users of a particular case management system, affecting large numbers of firms. You can find a range of cyber security resources here .

Wider economic pressures

A separate issue which is of growing importance is the issue of sufficient resourcing of AML work. As economic conditions have continued to deteriorate, firms are likely to be under pressure to reduce costs, and elements of businesses that are not directly revenue generating may see their budgets reduced.

Whatever decisions are made about resourcing, firms need to understand that economic conditions do not change the requirement to comply with the Regulations. In fact, the economic conditions are more likely to increase a firm’s exposure to would-be money launderers, emboldened by a perception that they are in a position of relative strength in dealing with firms. Potential clients may seek to emphasise the amount of revenue they can bring to a firm as a bargaining tactic.

Where you are working alongside other professionals, or on one aspect of a wider legal matter, you should also consider supply chain risk.

A supply chain refers to the end-to-end activities/actions involved in the provision of a service/product to the end customer or beneficiary.

A simple supply chain could involve only a few individuals / companies while a more complex supply chain could involve multiple service providers.

Understanding the purpose of the service you are providing and who is ultimately benefiting from it is important in being able to identify and manage any supply chain risks. This could involve making preliminary enquiries of your client to help you understand the purpose of the whole instruction and how your instructions fit into the overall supply chain. If necessary, you should also look beyond your own instruction to understand the totality of the transaction and identify any risks. This may include taking steps to understand the role of other professionals in the supply chain, eg accountants or company formation agents, and ensuring that these services fit with your understanding.

As a part of our duties as an AML supervisor, we have been reviewing the compliance of firms we supervise, including reviewing firm risk assessments, policies, controls and procedures and client files. We publish our findings from recent inspections annually in the autumn.

We have published several other pieces of guidance and supporting information, also informed by this proactive work:

• warning notices on:
  • money laundering and terrorist financing
  • suspicious activity reports
  • firm risk assessments
  • client and matter risk assessments
• an AML topic guide which informs our approach to enforcement
• guidance for AML officers
• guidance on sanctions
• guidance on firm risk assessments and client and matter risk assessments .

Weak controls

Inadvertent failures and gaps in a firm's AML compliance can introduce real and dangerous vulnerabilities into their ability to protect themselves from would-be money launderers.

For example, weak screening controls put firms at risk of being used or infiltrated by organised crime gangs. Individuals posing as solicitors, or solicitors that are being controlled by criminal elements, can use the structures of a firm (particularly the client account) to provide a veil of legitimacy to the proceeds of crime.

The most common weaknesses we have observed included inadequate:

• source of funds checks
• independent audits
• screening of staff and
• matter risk assessments.

We have also observed that while larger firms may have greater resources to protect them from money laundering risks, they will often silo off risk-based information in a compliance team or system. This can mean that those working on a file may:

• lack ready access to the underlying risk assessment and due diligence documentation and information and
• be prevented from conducting effective ongoing monitoring of risk.

Firms should remain vigilant and make sure their policies, controls and procedures adequately protect the firm against the risk of money laundering and terrorist financing.

Developing a culture of compliance is vital. Firms' outcomes are improved if staff understand the reasons for preventing economic crime, and their role in doing so, rather than seeing it as the job of a compliance team or an AML officer.

Politically Exposed Persons (PEPs) and higher risk jurisdictions

We have found that smaller firms in particular are potentially taking an overly simplistic approach to risks associated with PEPs and higher risk jurisdictions.

The UK economy is highly integrated with the rest of the world, and services offered in the UK are attractive to those in high risk jurisdictions who wish to make the proceeds of crime seem legitimate. A blanket assumption that PEPs would not instruct your firm, or that your firm would never accept instructions from a PEP, is not a sufficient protection against the risks they present. Neither approach would itself satisfy the requirement at Regulation 35(1) to have measures in place to identify PEPs.

It is for firms to decide their own risk appetite, but their policies should be realistic. With the proper policies, controls and procedures, there is nothing to prevent a firm taking on PEP clients. If a firm has an overly restrictive PEP policy, it is at risk of:

• turning away clients for no good reason, restricting access to legal services
• being counter-productive if the firm has a policy which is ignored or routinely breached.

From 10 January 2024 the way in which domestic PEPs should be treated has changed. Domestic PEPs are now defined as those PEPs entrusted with prominent public functions by the UK, and are subject to a different level of risk assessment and enhanced due diligence (EDD). The difference is as follows:

• The starting point for the assessment is that the customer or potential customer presents a lower level of risk than a non-domestic PEP.
• If no enhanced risk factors are present, the extent of EDD measures to be applied in relation to that customer or potential customer is less than the extent to be applied in the case of a non-domestic PEP.

The FCA is due to provide interpretative guidance on the new provision later in 2024. Until they do so, it will be for firms to decide how best to interpret the exercise set out above. While domestic PEPs may now be subjected to a lower level of EDD than other PEPs, it remains EDD. It must be at a higher level than the CDD you usually apply, and include the measures specified at Regulation 33(5).

It is also important to note that PEPs may instruct a variety of firms, not just those that are large and high-profile. In our proactive work, we noted that PEPs are equally likely to instruct small firms and sole practitioners.

External support

Many firms engage external advice to meet their compliance requirements. In most cases, this is a helpful resource. Some firms, however, rely too heavily on external consultants or systems.

This can include:

• Unsuitable use of templates for risk assessments, failing to take the firm's individual circumstances into account.
• Using electronic identification and verification systems without understanding the underlying processes or their limitations.
• Using external consultants to draft their compliance documents without an in depth understanding of the work of the firm.
• Using external consultants who have limited knowledge of the legal profession.

While seeking external help with your compliance can be of benefit, the firm itself is in the best position to understand its own risks and design and implement effective mitigation.

You should consider whether or not the person who is carrying out the audit is sufficiently independent and removed from authorship of the firm's risk assessments and policies, controls and procedures.

It is also important to note that the obligations under the MLR 2017 apply to the firm and cannot be outsourced. The same can be said for the individual responsibilities held by a firm's MLCO, MLRO and beneficial owners, operators and managers under the Regulations.

The 2020 NRA said:

'The risk of abuse of legal services for money laundering purposes remains high overall. Legal service providers (LSPs) offer a wide range of services and the services most at risk of exploitation by criminals and corrupt elites for money laundering purposes continue to be conveyancing, trust and company services and client accounts.'

The NRA goes on to highlight how a lack of focus on compliance, taking a tick-box approach or a lack of understanding of risk in firms, leads to a higher risk of being exploited by criminals.

The NRA rated the legal sector as being low risk of being used for terrorist financing.

The risk assessment identifies several potential emerging issues including:

• sham litigation (ie fake lawsuits between collaborating parties to launder money as payment of damages through the courts)
• use of crypto assets for payments, which while not always automatically suspicious inherently make it harder to identify the beneficial owner and as a result should be treated as high risk
• use of crowdfunding, which can make the source of funds extremely difficult to establish.

We have noticed that firms will often attempt to address risk by highlighting what they do not do. Firms should consider the services they provide and the risk each of them presents.

This may require you to divide services and products into subcategories, in order to draw out high risk elements from lower risk ones. A large amount of solicitors' money laundering risk depends on the services, or combination of services they offer.

Based on our supervisory work and analysis, we have found that the following services pose the highest risk.

Each client is different, and each will have their own particular risk-profile. There are a number of different factors that increase the risk of money laundering presented by clients. Warning signs include clients:

• with an excessive or unreasonable desire for anonymity or privacy
• acting outside their usual pattern of transactions
• whose identity is difficult to verify
• being evasive about providing ID documents
• pressuring you into a certain course of action.

The risk posed by your client also extends to the risk posed by the beneficial owner, if applicable. You need to be confident you know who your client is and why they are asking for your services, and any risk that you do not should be duly considered.

You should also not assume that existing clients are necessarily lower risk. Clients may seek to be onboarded with you for low risk work, and then transition to higher risk work in order to bypass more stringent checks at the point of onboarding.

Existing clients can also present a risk where they have been onboarded in a way that may deviate from your firm’s standard practices. Common scenarios include:

• clients onboarded in another firm which has since merged with your own
• clients ported from a foreign branch office, or a company in the same group
• clients onboarded by a consultant or individual who may not be applying the firm’s approach consistently.

Effective ongoing monitoring of all clients is the best control against these risks.

There are a number of factors that might make an individual transaction higher risk. Much of the work in identifying risk involves being alert for unusual activity or requests that do not make commercial sense. The use of cash, either as part of a transaction or for payment of fees is inherently higher risk, and firms should have a policy on what amount of cash they will accept, and in what circumstances. You should consider what is normal for your particular firm.

Understanding the source of funds and the source of wealth will help you to manage the risk from a transaction. For the avoidance of doubt, for a source of funds check you should be checking where the customer got the funds from, not just ensuring the funds came from a bank account at a regulated UK financial institution. You should consider the following factors:

The way in which you deliver your services can increase or reduce risk to the firm.

If you do not meet clients in person, it is inherently more difficult to identify and verify their identity. These risks can be mitigated by the use of effective electronic identification and verification tools.

These tools represent an evolution in the identification and verification capabilities of firms and may be seen as an improvement when compared to some previous common practices such as relying on certified copies of documents.

While they can be valuable in aiding firms to fulfil their AML duties, they may however present risks where they are not fully understood: For example:

• Being used in a way that was not intended. For example, just because a system has stated that a client has 'passed' does not mean no further enquiries are necessary, nor does it obviate the requirement to identify and verify them.
• Assuming that such a system fulfils the requirement to carry out a client/matter risk assessment. These systems may be very helpful in informing the client/matter risk assessment, but cannot do so automatically.
• Those using them are not properly trained in the systems leading to user error.
• Viewing the checks as a one-time exercise and failing to regularly update the checks as part of their ongoing monitoring obligations.

The Financial Action Task Force (FATF) has produced guidance on using these services.

Ultimately the firm is responsible for its own compliance, and this responsibility can never be outsourced.

When assessing geographic risk, you should consider the jurisdiction in which services will be delivered, the location of the client, and that of any beneficial owners or counterparties as well as the source and destination of funds.

In some jurisdictions the sources of money laundering are more common, for example locations where the production of drugs, drugs trafficking, terrorism, corruption, people trafficking or illegal arms dealing more commonly occur.

While countries with anti-money laundering and counter-terrorist financing regimes which are equivalent to the UK may be considered lower risk, you must guard against complacency. There have been major examples of local AML failures with international impacts, in what had been seen previously as low risk jurisdictions.

Below are the key issues to consider regarding geographic risk.

The sanctions regime has expanded recently, mainly due to the Russian invasion of Ukraine in 2022. The long-standing involvement of Russian interests and beneficial owners in British business, and vice versa, has meant that many firms have been exposed to the sanctions regime for the first time.

It is important to remember, however, that there are a large number of thematic and geographic sanctions regimes beyond Russia and Belarus. Firms cannot assume that sanctions are not relevant to them. There are a significant number of British nationals subject to sanctions.

The sanctions regime is separate to the proceeds of crime and money laundering regimes, but overlaps with them in many ways:

• It involves many of the same risk factors as money laundering, such as suspect jurisdictions, politically exposed persons (PEPs) and complex corporate structures.
• Sanctions create a motive for wanting to obscure the origin or recipient of funds or assets.
• The ownership and control requirements of the sanctions regime also mean that it is necessary to identify a corporate entity’s ultimate beneficial owners and those who control it – who may be different people. This makes it all the more important to carry out effective client due diligence (CDD).

We expect the sanctions regime to continue to expand, so all firms should be familiar with the requirements. Sanctioned individuals and businesses are likely to seek to instruct firms with weaker controls.

The sanctions regime is also strict liability and applies to all firms – indeed, to all natural and legal persons in the UK. The sanctions regime therefore poses a risk to all firms, whatever their size, nature or area of work.

We have also produced comprehensive guidance on the sanctions regime, as has the Office for Sanctions Implementation (OFSI) .

The Regulations require firms to put in place enhanced due diligence measures in dealing with countries subject to sanctions, embargos or similar measures. In the UK, the Office of Financial Sanctions Implementation maintains a searchable database of designated persons and entities . You can also subscribe to email alerts of any changes.