SRA releases client and matter risk assessment template to combat high levels of non-compliance

Template available in Omnitrack 

In a session on the anticipated tightening of AML regulation at the Law Society's recent Anti-Money Laundering and Financial Crime Conference 2023, the Solicitors Regulation Authority's (SRA) representative made an announcement: the regulator would be releasing a client and matter risk assessment template.

The sighs of relief from the audience, many of whom are responsible for compliance at their firms, were audible across the room.

The template is now available and it could make a huge difference in how law firms manage their client and matter risk. 

Risk assessing clients and matters is a requirement for regulated firms under the Money Laundering Regulations 2017. The regulations require firms to take steps to identify the money laundering and terrorist financing risks posed by each client and each matter. Firms must have a process in place for assessing risk at client and matter level, that process must be followed in practice, and a risk assessment must be completed and documented for every client and every matter.

As the SRA representative at the conference pointed out, law firms are increasingly treating AML as an enterprise risk that affects the whole business, and are weighing the cost of compliance against the far greater cost of getting it wrong.

However, in a recent warning notice the SRA noted that client/matter risk assessments are often not being done at all, or are not being done properly. According to its latest figures, nearly 30% of firms audited by the SRA for adherence to the AML rules in the last year were found to be non-compliant.

The SRA anticipates that the template will help firms address the ongoing non-compliance it sees in client/matter risk assessments.

How Omnitrack can help

We have built this template in Omnitrack. Perhaps even more importantly, Omnitrack users can customise the template to their firm's own requirements so that they do not fall short of the SRA's expectations. Specifically, firms can make sure that fee earners give proper consideration to AML risk rather than adopting a "tick-box" approach. They can build in ongoing monitoring and ensure that the firm-wide risk assessment is taken into account in every client and matter risk assessment. They can include the specific questions their firm needs to ask for different client and matter types, based on their own risk profile. A bespoke template ensures that no risk area is missed, that no time is wasted on areas that are not an issue for the firm, and that fee earners know when enhanced due diligence is required.

The consequences for a firm that is used to facilitate money laundering are serious. They can include criminal, regulatory and disciplinary sanctions against the firm and against individuals within it, civil action against the firm and its practitioners, and reputational damage leading to a loss of business. It is important to recognise that AML risks are real business risks and must be properly identified, assessed and mitigated.

While the Practice Wide Risk Assessment (PWRA) is a comprehensive exercise for identifying and assessing all the money laundering and terrorist financing (ML/TF) risks a firm faces, it is the clients and matters that make a law firm run. This makes the client and matter risk assessment the level at which risks are most often actually identified.

A firm can decide whether to assess client risk and matter risk separately or to cover both in one document. If a firm is subject to an AML inspection, the SRA will check whether each client and each matter has an appropriate risk assessment on file.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of euros.