Solicitors, COLPs, MLCOs and MLROs are on the front lines of the fight against financial crime. The SRA has been crystal clear about the importance the regulator places on comprehensive client and matter risk assessments. 

Recent SRA research highlights both progress and remaining gaps. Between April 2022 and April 2024, firms significantly improved their risk assessment practices. The percentage of files without any client/matter risk assessment dropped from 21% to 19%. This is encouraging, but it still means nearly one in five matters were in breach of the Money Laundering Regulations. 

A strong client and matter risk assessment system is your shield against financial crime. It helps you identify high-risk situations early, apply appropriate customer due diligence, and decide whether to proceed with or decline a client or transaction. 

Inadequate assessments can lead to serious consequences – from unwittingly facilitating illicit activity to unwanted regulatory attention, with its associated cost and reputational damage.

By contrast, effective risk assessments (tailored to each client and matter and updated as situations change) enable you to stay compliant and de-risk your business. In short, mastering this process is important for solicitors and compliance officers who want to keep their firms safe and successful.

Checklist: Building a robust risk assessment system

  1. Establish a standardised risk assessment template: Start by creating or adopting a comprehensive risk assessment form for your firm (the SRA’s official template is a great – albeit long – starting point). Make sure it covers all key elements – identifying potential financial crime risks, recording the required level of customer due diligence (CDD), checking for any sanctions exposure, and prompting a decision on whether to accept the client/matter. Tip: Include fields to note the date, the person completing the assessment, and any supervisory sign-off required for higher-risk cases. Remember you can always edit the document later if it needs to be streamlined.  
  2. Customise the template to your firm’s profile: One size does not fit all. Tailor the risk assessment form and process to reflect your firm’s unique risk profile, practice areas, and client base. This is where the Firm-Wide Risk Assessment becomes relevant. A conveyancing-focused firm should include specific questions about property transaction risks, while a corporate firm might emphasise complex ownership structures. Decide whether you will use separate assessments for the client and the matter or a combined form – either approach is fine as long as all relevant risk factors are evaluated and recorded.
    • Tip: Clearly explain in your procedures (and on the form) how to assess different risk factors. What are the thresholds of risk? Are there any examples you can give? This ensures consistency and helps train fee earners in using the form correctly. 
  3. CDD and recording: For each new client and matter, perform the appropriate level of due diligence before proceeding. Verify the client’s identity and beneficial owners, screen for politically exposed persons (PEPs) or sanctions hits, and understand the source of funds for the matter.
    • Tip: Document all findings by keeping copies of ID documents, screening results, and notes of any unusual information. If any red flags or suspicious information appear (for instance, a client reluctant to provide details or funds coming from a high-risk jurisdiction), record these on the risk assessment. This evidence will support your risk rating and decisions, and it demonstrates to regulators that you are doing your checks diligently. 
  4. Assess the risk and decide on next steps: Using the information gathered, assign a risk level to the client/matter (e.g. low, medium, high) in line with your firm’s risk criteria and overall risk appetite. Ensure this risk level aligns with your firm-wide AML risk assessment – for example, if your firm-wide assessment flags certain situations as high risk, your matter assessment should reflect that. Based on the risk level, decide whether to proceed and what safeguards are needed. For a low-risk matter, standard CDD may suffice; for a high-risk matter, enhanced due diligence (EDD) and senior management approval will be required.
    • Tip: Record the rationale for the risk rating and the decisions made. If you decide to take on a high-risk client, note why (e.g. “PEP status mitigated by source of wealth evidence, additional monitoring in place”). If you decline a client due to risk, document the factors that led to that decision. This written record is invaluable if your decisions are ever questioned. 
  5. Integrate risk assessment into daily practice: Make risk assessment a living part of your matter management, not a one-off form to file away. Every fee earner and team member should understand that no new matter starts without a completed risk assessment, and that they should be considering risk throughout the life of the case. Ensure your processes embed the risk assessment at matter opening and require revisiting it when certain triggers occur. For instance, if a transaction’s value jumps significantly or the client’s ownership structure changes, fee earners should update the risk assessment.
    • Tip: Consider integrating the risk assessment into your case management or client onboarding software so that it’s a mandatory step in opening a new file. This promotes consistency across the entire practice and makes it easier for COLPs/MLROs to oversee compliance. 
  6. Review and update assessments regularly: A risk assessment should never be static. Schedule periodic reviews for long-running matters (e.g. review the risk at least annually or at key stages of a case). Importantly, be reactive to new information: if something about the client or matter changes – such as new intelligence, a client being investigated elsewhere, or the emergence of a suspicious transaction – update the risk assessment immediately. Adjust the risk level if needed and record what changed. This dynamic approach keeps the assessment relevant and ensures you catch evolving risks.
    • Tip: Each time you review or update a risk assessment, log the date, changes made, and why. If a matter becomes high risk mid-way, note the factors (e.g. “Client became a PEP in March 2025; risk level raised from Medium to High and EDD performed”). This creates an audit trail showing you actively manage risks over time. 
  7. Maintain clear and comprehensive records: Finally, ensure all your risk assessments and related documents are stored in an organised, retrievable manner. Consider keeping a central repository (physical or digital) of risk assessment forms for every matter, along with supporting documents (ID copies, company searches, transaction monitoring notes, etc.). Make sure the records are accessible for internal audits or SRA inspections at short notice. Good record-keeping not only proves your compliance, it also helps your team pick up a file and quickly understand the risk profile of a client.
    • Tip: Treat your risk assessment records as living documents – encourage team members to add notes whenever something noteworthy happens (e.g. “30/09/2025: payment from unexpected source – investigated and cleared by MLRO, noted in file”). Clear, detailed records could be your lifesaver if ever your firm’s AML controls come under scrutiny.

Best practices in risk assessment documentation

A well-documented risk assessment process is critical for compliance and should be designed to provide a clear and detailed picture of a client’s risk profile. Consistency is key – every fee earner should use the same risk assessment template, ensuring that no crucial details are overlooked. We don’t want people “doing their own thing”, or thinking that parts of the MLRs don’t apply to them. The format should be structured yet flexible enough to allow for case-specific considerations.

Risk ratings must be clearly justified, leaving no ambiguity as to why a client or matter has been classified as low, medium, or high risk. Simply selecting a risk category is not sufficient; firms should document the reasoning behind the classification, including any factors that led to a decision. Otherwise, the temptation is just to tick the easiest option and get on with the chargeable work.

When red flags or unusual activity arise, documenting the response is essential. Any concerns identified should be logged alongside the steps taken to investigate or escalate the issue. For instance, if a client’s payment originates from a high-risk jurisdiction or unexpected source, records should detail the verification measures undertaken, such as source of funds checks or MLRO involvement. This ensures there is a clear audit trail demonstrating how risks were managed.

Supporting evidence should be kept alongside the risk assessment to create a comprehensive file. This might include identity verification documents, company searches, transaction records, and internet research. Where digital systems are used, documents should be stored in a manner that allows for easy retrieval in case of an audit. Many firms opt for encrypted AML platforms or secure document management systems to maintain confidentiality while ensuring accessibility.

Finally, risk assessment records should be regularly audited. The COLP, MLRO, or a designated compliance officer should periodically review a sample of files to ensure risk assessments are complete, accurate, and up to date. Internal audits help identify any gaps in documentation, allowing for corrective action before any external review by regulators. This proactive approach not only strengthens compliance but also fosters a culture of risk awareness within the firm.

Creating a risk-resilient firm

Client and matter risk assessments are more than a regulatory obligation – they are your proactive shield against fraud, money laundering, and other financial crimes. A well-designed risk assessment system, embraced across your firm, will help you spot warning signs early, make informed decisions about who you act for, and ensure you meet the SRA’s stringent AML requirements.

Equally important is the documentation: if it’s not written down, regulators will assume it didn’t happen. By fostering a culture that values meticulous risk assessment and record-keeping, solicitors, COLPs, and MLROs can protect their firms’ integrity and uphold the highest professional standards.

In summary, the core compliance principles are to:

  • Make risk assessments mandatory and tailored: Every new client or matter should undergo a documented risk assessment that’s customised to the specifics of that case – no exceptions.
  • Follow a clear checklist: Implement a step-by-step process to ensure you cover all bases – from initial due diligence to final sign-off – and repeat this process consistently.
  • Document everything: Keep clear records of what you did, why you did it, and what decisions were made. Good documentation is your proof of compliance and your guide if the client’s risk profile changes.
  • Stay vigilant and update regularly: Treat risk assessment as an ongoing activity. Update the assessment whenever new information arises, and review long-term matters periodically so nothing falls through the cracks.
  • Embed a compliance culture: Train your team and create an environment where conducting and updating risk assessments is second nature. When everyone understands the why and how of risk assessments, your firm is far less likely to slip up.