
AML Guidance Note from the SRA regarding Firm-Wide Risk Assessments – Updated December 2024

Anti-money laundering (AML) compliance is not optional—it’s a legal obligation. For small law firms and sole practitioners, understanding and implementing a Firm-Wide Risk Assessment (FWRA) is essential to meet the requirements of the Money Laundering Regulations 2017 (MLRs) and avoid regulatory breaches.

Why This Guidance Matters

The SRA’s AML Guidance Note makes it clear: while guidance does not provide a defence to non-compliance, having compliant AML arrangements in place before an inspection or contact from the AML Investigation Team may be considered a mitigating factor [1].

Key Areas of Concern for Small Firms

1. Client and Matter Risk Assessments (CMRAs)

Under Regulation 28(12) and (13) of the MLRs, firms must risk assess every client and matter. This has been mandatory since June 2017, yet many firms still fall short.

  • Risk assessments must be completed before substantive work begins.
  • Using the SRA’s CMRA template is a good start, but it must be applied consistently and in a timely manner.
  • Initial assessments should be updated as new information emerges during the matter [2].

2. Failure to Maintain a Compliant FWRA

Despite declaring compliance, many firms fail to produce evidence of a FWRA prior to inspections. This is a breach of Regulation 18 MLRs, which requires:

  • A written, documented FWRA
  • Regular updates and senior management approval
  • Consideration of client types, geographic risks, services, transactions, and delivery channels [3]

Improving Your FWRA: What to Include

The SRA has identified common weaknesses in FWRAs. Here’s how to strengthen yours:

Client Risk

  • Go beyond general descriptions like “long-standing clients.”
  • Include details on ownership structures, high-net-worth individuals, and PEPs.
  • Document mitigating controls for higher-risk clients.

Transactional Risk

  • Describe the size and frequency of transactions.
  • Include average and high-value transaction data.
  • Use this to monitor for inconsistencies and potential laundering attempts.

Products and Services

  • List all legal services offered and assess their individual AML risks.
  • Include any non-core practice areas and evaluate their risk exposure.

Delivery Channel Risk

  • Detail how services are delivered (face-to-face, email, video calls).
  • Assess risks of non-face-to-face interactions, third-party instructions, and passporting.

AML Policies, Controls and Procedures (PCPs)

Your FWRA should inform your AML PCPs. These must include:

  • Client Due Diligence (CDD): Identify and verify clients before accepting funds.
  • Company Due Diligence: Identify and verify Ultimate Beneficial Owners (UBOs).
  • Ongoing Monitoring: Keep CDD records up to date and monitor client relationships.
  • PEP Screening: Apply enhanced due diligence for PEPs and their associates.
  • Sanctions Compliance: Identify designated persons to comply with the UK sanctions regime [1].

Common Pitfalls to Avoid

  • Using untailored templates that don’t reflect your firm’s actual risk profile.
  • Failing to update your FWRA regularly.
  • Assuming you don’t need to screen for PEPs or sanctions because you “don’t act for them.”
  • Not linking your FWRA to your client and matter risk assessments.

Final Thoughts

The SRA continues to take robust enforcement action against firms without a compliant FWRA [3]. For small firms, the key is to treat AML compliance as a living process, not a one-time task.


References

[1] SRA | Your AML obligations | Solicitors Regulation Authority

[2] SRA | Firm-wide risk assessments | Solicitors Regulation Authority

[3] SRA | Compliance with the money laundering regulations – firm risk …

 
