This blog is the second in a series of blogs set out to help firms grapple with the latest Legal Sector Affinity Group (LSAG) guidance.

A major part of a firm’s AML process is undertaking risk assessments. There are three levels at which a firm should assess the potential risk of exposure to money laundering and terrorist financing. As mentioned in our previous LSAG blog, these are practice-wide risks, client-related risks, and matter-level risks. The LSAG Guidance says that one should consider five “risk factors [which] should be addressed at any level of your practice’s risk assessments”. These are: 

  1. Client risk factors
  2. Geographic risks 
  3. Product or service risks 
  4. Delivery channel risks 
  5. Transaction risks

What questions should you ask in an AML risk assessment? 

The specific questions to consider within these categories will vary for each type of risk assessment, but the structure remains the same. For example, when assessing geographic risks as part of a practice-wide risk assessment (PWRA), a firm should consider the jurisdictions in which it generally operates. The guidance suggests asking whether “the practice operate[s] outside of the UK/EU or equivalent jurisdictions … and/or in areas with potentially higher levels of corruption”. But when assessing geographic risks whilst onboarding a particular client, the questions should be more specific. They will relate to the jurisdiction(s) in which that client operates.

Why take a risk-based approach (RBA)?

There are dozens of potential questions that could be asked when considering each risk factor at each level of risk assessment. But they may not all be relevant to your firm, or a particular client. This is why it is important to take a risk-based approach.

In the first blog in this series, we introduced the concept of taking a risk-based approach. The guidance describes this as a “core principle of AML compliance”, and provides three benefits of taking a risk-based approach: 

  • more efficient and effective use of your resources, proportionate to the risks faced; 
  • minimising compliance costs and administrative burdens on practices and clients; and 
  • greater flexibility to respond to emerging risks as money laundering … methods change.

Underestimating the risks present at one level can have an adverse effect on the results of a risk assessment at another level. For example, if a firm fails to identify at client and matter level that it frequently acts for clients operating in high-risk sectors, this can distort the results of its PWRA. The PWRA is the key to understanding how your firm will respond to the threats of money laundering and terrorist financing that it faces overall, not just in relation to specific clients or matters. Accordingly, the implications of underestimating the risks in your PWRA can be severe. If you do not properly identify and assess the money laundering and terrorist financing risks to which your practice is subject, you will be unable to properly protect your business.

Conversely, overestimating the risks present at one level could also have harmful consequences at other levels of risk assessment, and on your practice overall. For example, your PWRA may overestimate the number of times you act for clients based in high-risk jurisdictions. Based on the PWRA results, your firm may decide to undertake extensive due diligence on every new client, above the level required by the Regulations. The firm may decide, for example, that it will never apply simplified due diligence, even where this is permissible. The impact of this could be: 

  1. That the firm’s resources are wasted asking unnecessary questions to clients, who may become deterred by the process. This could, in turn, lead to a loss in revenue. 
  2. That staff become fatigued by the process, concluding that AML is just a drawn-out tick-box exercise. In turn, they could become complacent when they encounter a client who actually poses a risk to the firm. Instead of deliberating on whether to enter into a business relationship with a high-risk client, and determining whether you have the expertise to mitigate the risks they pose, a staff member may simply onboard the client without pausing for thought. 

Use of technology in carrying out risk assessments

Taking a risk-based approach means only undertaking more extensive risk assessments and client due diligence (to be covered later in this series) when needed. But if a firm undertakes risk assessments using static Word or Excel forms, staff can still be asked unnecessary questions, leading to the attendant problems outlined above.

This is where technology can be helpful. Software tools can ensure staff are only asked relevant questions, helping the firm take a risk-based approach. As mentioned above, we will discuss client due diligence (CDD) in more detail later in this blog series. But, whilst risk assessments and CDD are separate aspects of the AML process, they do impact one another. 

For example, when onboarding a particular client, a firm may undertake its risk assessment prior to CDD. During the CDD process, the firm could subsequently discover that the client’s beneficial owner is a politically exposed person (PEP). Depending on certain factors (such as the jurisdiction in which they operate), this could change the risk level assigned to the client. When this happens, the firm should revisit its initial risk assessment and make any necessary changes. The firm should also consider whether it has the expertise to mitigate the risks the client poses. If the AML process is undertaken using a manual form, the risk assessment may already have been marked as ‘complete’, and staff could forget to revisit it in light of the new information. An AML tool, by contrast, can use conditional logic to prompt the user with additional questions based on certain ‘triggers’ (e.g. acting for a PEP).

However, whilst technology can assist firms with AML processes, there are some pitfalls to be aware of. Partially automating the AML process can make sure staff don’t overlook anything, and can also save them time. But firms should tread carefully before fully automating the process. An overly prescriptive system can discourage staff from thinking for themselves. A machine may automatically assign a client a high-risk score based on certain triggers, such as the client being located in a high-risk jurisdiction. But a fee earner who has worked with that client for many years may have a reasonable explanation as to why the client is based where they are, and may not consider them to be high risk.

There is a further reason why fully automating the AML process can be dangerous. For example, the guidance says that enhanced due diligence (EDD) must be applied to clients established in high-risk countries. But the guidance also warns that not accepting business solely based on a client’s nationality can be discriminatory: “the outputs of automated systems may create a risk of discrimination against prospective clients”. One way to address this issue could be for EDD to be automatically triggered if, for example, a company is incorporated in a high-risk jurisdiction, or if an individual resides in a high-risk jurisdiction. But if an individual’s nationality is that of a high-risk jurisdiction, EDD should not be automatic. The system should give the user a choice, with a warning on the dangers of discrimination.
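As an added illustration (not VinciWorks’ or the LSAG’s own code), here is a small Python model of the conditional logic described in the two passages above: a CDD finding such as a PEP reopens an assessment that was already marked complete, incorporation or residence in a high-risk jurisdiction triggers EDD automatically, and nationality alone only produces a warning and a user decision. The jurisdiction codes, field names and prompt wording are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholder codes; a real tool would hold the firm's own list.
HIGH_RISK_JURISDICTIONS = {"HR1", "HR2"}


@dataclass
class Client:
    kind: str                   # "individual" or "company"
    incorporation: str = ""     # company: jurisdiction of incorporation
    residence: str = ""         # individual: jurisdiction of residence
    nationality: str = ""       # individual: nationality
    pep: bool = False           # set when CDD finds a PEP beneficial owner


@dataclass
class Assessment:
    status: str = "open"        # "open" or "complete"
    edd: str = "not required"   # "not required", "required", "user decision"
    prompts: List[str] = field(default_factory=list)


def apply_triggers(client: Client, current: Optional[Assessment] = None) -> Assessment:
    """Re-run the onboarding triggers for a client.

    New information (e.g. a PEP found during CDD) reopens a completed
    assessment instead of being lost, the failure mode a static form has.
    """
    a = current or Assessment()
    if a.status == "complete":
        a.prompts.append("New information received: assessment reopened for review")
    a.status = "open"

    if client.kind == "company" and client.incorporation in HIGH_RISK_JURISDICTIONS:
        a.edd = "required"
    elif client.kind == "individual" and client.residence in HIGH_RISK_JURISDICTIONS:
        a.edd = "required"
    elif client.kind == "individual" and client.nationality in HIGH_RISK_JURISDICTIONS:
        # Nationality alone must not auto-trigger EDD: leave the decision to
        # the user and warn about the discrimination risk.
        a.edd = "user decision"
        a.prompts.append("Warning: deciding on nationality alone risks discrimination; record your reasoning")

    if client.pep:
        a.prompts.append("PEP identified: reconsider the risk level and whether the firm can mitigate it")
    return a
```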

VinciWorks’ AML client onboarding solution

Easily edit your client onboarding form, including adding and editing questions, as well as editing form logic

VinciWorks’ AML client onboarding solution gives firms peace of mind that all necessary information has been recorded and that the firm has a strong defence in case of a breach. It can be used to streamline both the risk assessment and document collection aspects of client onboarding.
  • 100% customisable — admins can edit questions and tweak the risk assessment process
  • Upload documents via the questionnaire, which can be used to access all client information and documents in one centralised portal
  • Choice of direct client access or internal-only use
  • Conditional logic — the form adapts as it is completed, so relevant questions are asked based on the identified risk level
  • Securely share CDD analysis and information between offices for complex matters
  • Conduct and record regular checks to comply with ‘ongoing monitoring’ requirements