Client and matter risk assessments - what are firms not getting right?

The SRA have raised concerns of persistent non-compliance of law firms when it comes to client and matter risk assessments. The SRA feels this is a strong area for improvement for firms. In 2019/20, nearly a third of client files had no written matter risk assessment, while in the last reporting period of 2022/23, over half of the client or matter risk assessments were found to be ineffective.

The SRA’s concern is that a lack of client and matter risk assessment across files can often indicate a wider systemic problem across the firm, such as not having appropriate client due diligence processes in place, or falling short on enhance due diligence.

What are some of the issues the SRA have found with client/matter risk assessments?

The SRA have found that some client/matter risk assessments are not being done at all, or not being used correctly. The SRA have found examples where the levels of risk, i.e. high medium and low, were not identified. Specific AML risks were also missed, fee earners failed to take into account AML risks and instead had targeted other types of risk, such as business risk, or adopted the tick-box approach without giving any real thought into the actual client and matter risks involved.

Another issue are client and matter risk assessments which don’t correlate with the firm-wide risk assessment. For instance, if a fee-earner assesses that company formation as a matter is low risk, but the firm-wide risk assessment says that all company formation should be treated as high risk, then it should be considered as such.

The SRA also found there was an over-reliance on template risk assessments which are not tailored to the firm, which are then missing issues which should have been covered. Also some assessments did not show where enhanced due diligence was necessary and not being carried out.

The SRA’s warning to firms and regulated individuals that undertaking these client and matter risk assessments are vital to ensuring that money laundering is appropriately tackled and legal obligations under the money laundering regulations are being followed.

How should firms carry out client/matter risk assessments?

The Money Laundering Regulations require firms to take steps to identify the risks posed by a particular client and matter. A client risk assessment must identify and assess the risks posed by an individual client. A client risk assessment must always be carried out at the beginning of a client relationship.

A matter risk assessment should be carried out and recorded at the earliest opportunity save for certain exceptions discussed below. A matter risk assessment should focus on the specific risk factors that a matter presents, beyond, or different to, the client risks already identified. In assessing the level of risk in a particular case, firms must take account of:

Purpose of the account, transaction or business relationship
Level of assets to be deposited by a customer or the size of the transactions undertaken by the client
Regularity and duration of the business relationship

High risk factors, such as being established in a high risk third country or being a PEP or being involved in complex or unusually large transactions must also be considered.

For example, if a client or matter is assessed as being high risk, then regulation 33 of the money laundering regulations states that enhanced due diligence must be applied. Undertaking a client or matter risk assessment will also help you consider what controls should be in place to mitigate risk.

What does the SRA expect to be done?

A client risk assessment must always be carried out at the start of a client relationship. This is because the client risk assessment informs the level of due diligence to be carried out.

It is imperative that fee-earners follow these processes. Risk assessments are only effective if action is taken because of them. This means firms should monitor fee-earners compliance with this.

Your firm can either have two risk assessments, one for the client and the matter, or one document which assesses both client and matter risks.

This should be completed by the person handling the matter. The MLRO or others from the compliance department can contribute.

After the risk assessment, ongoing monitoring should be undertaken to ensure any transactions are consistent with the knowledge of the client, their business and risk profile.

Even if there is no requirement to risk assess certain matters if they fall out of scope of the money laundering regulations, it could be a good idea to do so.

You must record a risk assessment for every client you act for as part of your client due diligence measures. You must also be able to provide copies of any risk assessment to the SRA on request.

These assessments must have space for fee-earners to record the level of risk and record any justification or commentary. The rationale for the risk level and level of due diligence must be clearly recorded.