How to use the SRA’s client and matter risk assessment template 

Adapt it correctly and it can help you build a process that works  

The Solicitors Regulation Authority’s (SRA) recently released template for client and matter risk assessments is just the beginning of a firm’s assessment journey with its clients and matters. The templates were created to guide firms and help them understand the SRA’s requirements and expectations and, significantly, how to comply with them.

The template highlights the questions firms should be asking, how important it is to maintain documentation and that firms need to record their considerations.

In light of the SRA template, how does a firm build a client and matter risk assessment process that works?

As the SRA notes, “If you choose to use the template, you should adapt the template to suit your firm.”

This means you should use the factors in the template to help you assess the money laundering risk posed by the client or transaction. Remember, the factors listed are not exhaustive. There may be other risk factors for you to consider depending on the nature of your client and your firm’s risk exposure.

Risk assessments are always performed at the beginning of a client relationship, but other information often emerges later as the relationship progresses. The risk assessment process should take these changes into account. The more you know about your client, the better you will be able to assess risks and spot suspicious activity.

It is also important for your firm’s lawyers to be aware of the firm-wide risk assessment when they are conducting the matter risk assessment. The two assessments need to be consistent with each other.

From the SRA

The SRA recommends that for each client and matter you should:

  • assess if the service you are going to provide could be used to launder money
  • understand why your services are needed 
  • understand the source of funds and wealth of the client
  • be vigilant to red flags throughout the course of the matter, and consider whether there is information that doesn’t fit with your assessment of risk
  • consult your firm’s policies to decide what action you need to take to mitigate any risks identified
  • determine what information or evidence you need to collect for due diligence purposes and how this will be monitored
  • document and record all steps taken

Going beyond tick boxes

When customising your risk assessment template, make sure your form has more than just tick boxes. You want anyone who reads it to be able to see the rationale behind the risk assessment.

The risk assessment is dynamic, so consider creating an assessment process where your lawyers review the risk assessment throughout the matter. If possible, conduct a review after all the information has been obtained and before the transaction takes place, to make sure there are no new risks which need to be considered.

Perhaps most importantly, get everyone trained on the risk assessment process. This means making sure your lawyers know that the process is more than ticking boxes, and that everyone understands how the factors translate into a low, medium or high risk rating.

Omnitrack is fully compliant with the SRA’s new template. The templates can be seamlessly adapted to your law firm’s own workflow. With Omnitrack, it’s never been easier to manage your law firm’s AML compliance.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.