By Ed Marshall

At the risk of making you utter the phrase “not another AML blog post”, welcome to another anti-money laundering blog post. The idea for this one came from our recent visit to the SRA COLP COFA Conference and was cemented in the day-to-day work we undertake here as risk and compliance specialists.

Something I have been working on with my client base is Client and Matter Risk Assessments (CMRAs) and, when the Head of Proactive AML Investigations highlighted them as a major concern, it gave me the inspiration to write this. Something I hear and see on a daily basis with clients and in training is the frustration about the amount of work required to stay on the right side of AML regulations. The message, simply, is this: yes, it’s a burden but we have to do it – and it isn’t just to keep us busy or because “the SRA said so”.

Why CMRAs matter

At its core, a client risk assessment evaluates the individual risks posed by a specific client – their jurisdiction, beneficial ownership, media presence, and ownership structure – while a matter risk assessment focuses on the transaction or engagement itself: the size, purpose, frequency, source of funds, and whether it involves complex or high-value activity.

From a practical standpoint, a robust assessment helps a firm decide whether to accept instructions, tailor client due diligence, and allocate resources where they are most needed.

The NCA states that a realistic estimate for laundered money in the UK is over £100 billion, which only emphasises why these assessments matter. We do not want the legal profession to clean dirty money and fund criminal behaviour.

The SRA made the point starkly at the recent conference: half of all firms referred after proactive visits were flagged because of poor or missing CMRAs, and of the files that did have a CMRA, around four in ten were deemed ineffective.

More striking still, the SRA said that of 135 investigated firms, 111 had CMRA processes and expectations in place, yet clearly failed to implement them. That tells us two things. First, fee-earners are either not completing their CMRAs or are adding so little substance that the exercise cannot stand up to scrutiny. Second, supervision and management of client matters are not doing their job. That is a short road to regulatory action – anything from a report requiring improvements (to be checked later) through to a fine and all the negative publicity that comes with it.

We often describe the CMRA as a story. Explain the issues at hand. Describe the risk, however insignificant it may feel. Weigh up what you know of the client against what you are being told, and ask whether that makes sense for the story as you see it.

What good looks like

Whatever happens in the future with AML supervision (FCA or otherwise), CMRAs will be a constant. They are baked into the underlying legislation. Knowing your client and understanding what they are asking you to do is not going to change. Your risk assessment should reflect this. Even the assessment for the lowest of low-risk matters should explain how and why the risk is low. A CMRA is both a shield and a compass: it protects the firm from regulatory and reputational harm and guides decision-making so that resources and controls are focused where the risk is highest.

But who should “own” the CMRA? In my view, it is pretty straightforward. The file handler must, because they understand the client and scope of work best. An onboarding team can prepare the groundwork and gather documents, but the judgement call sits with the fee earner and possibly their supervisor.

It is good practice for supervisors to review the CMRA at the outset and again at key milestones. Escalate to the MLRO/MLCO when the risk rating is High, or when a PEP or sanctions issue is in play, or when red flags persist despite proposed controls.

Treat material changes as the trigger for an update: a change of scope, a new or third-party payer, a jurisdictional shift, compressed timescales, unusual funding routes, or significant new information about the client’s ownership or wealth should all prompt a re-assessment. This is part of your “ongoing monitoring” duty.

The MLRO’s role is to keep the standard consistent, spot patterns across files, and ensure that High-risk matters are handled and evidenced properly.

In practice, a good CMRA avoids generic wording and tells a short, specific story about risk and response. It identifies the particular factors that matter on this particular file, explains why they drive the rating, and shows how that rating guides what you do next. The reader should be able to follow the evidence trail at a glance and understand how the file handler came to their conclusion.

A risk rating must then lead to action. If it does not change what you do next, it is just a label. Low risk should still prompt proportionate CDD, appropriate corroboration of source of funds, and ongoing monitoring. Medium risk should add targeted due diligence – e.g. independent corroboration, beneficial ownership checks that go beyond public registers, supervisor sign-off before funds are received, and so on. High risk should mean full EDD, e.g. deeper source-of-wealth work with documentary evidence, adverse media review, and MLRO/MLCO (or designated partner) approval before onboarding and before any movement of funds.

Your CMRA should make it obvious what you decided, why, and what evidence you relied on. Spell out the specific factors that drove the risk rating – client, geography, product or service, delivery channel, and transaction behaviour. Maintain the CMRA with relevant updates that explain the impact on risk, the actions taken, and any re-approval. Record decisions to onboard, decline or exit, with a short reason, and note any internal reporting reference (but do not attach any SARs!).

From admin to control

None of this is purely administrative. And it can be turned into useful management information if you actually use the data. Some firms build a simple monthly tracker to be discussed at compliance meetings. You can track items such as volumes of CMRAs completed and the mix of ratings, the share of High-risk matters by practice area, whether High-risk files are receiving timely senior sign-off, how often trigger events occur and how quickly the CMRA is updated, and which red flags are recurring or emerging. You can use file reviews to identify where reasoning is missing or generic and turn that into targeted refreshers with anonymised examples of “good” and “poor”.
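To show what that monthly tracker can look like once the CMRA data is actually used, here is an added illustrative example; it is not code from the article or from any firm's system. It assumes a simple record per CMRA (matter, practice area, rating, completion and sign-off dates, red flags and trigger events), a five-working-day target for senior sign-off on High-risk files, and a handful of constructed sample matters; all of these are assumptions for the example, not figures from the page.

```python
"""Monthly CMRA tracker: turn a month's CMRA records into the management
information discussed above (rating mix, High-risk share by practice area,
sign-off timeliness, trigger-event handling, recurring red flags).

Added illustrative example, not the article's own code. The record layout,
the sign-off target and the sample matters below are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import List, Optional

SIGNOFF_TARGET_DAYS = 5  # assumed internal target for senior sign-off on High-risk files


@dataclass
class TriggerEvent:
    kind: str                      # e.g. "third-party payer", "change of scope"
    occurred: date
    cmra_updated: Optional[date]   # None = CMRA not yet re-assessed after the event


@dataclass
class CMRA:
    matter_id: str
    practice_area: str
    rating: str                            # "Low", "Medium" or "High"
    completed: date                        # date the CMRA was completed
    senior_signoff: Optional[date] = None  # expected for every High-risk file
    red_flags: List[str] = field(default_factory=list)
    triggers: List[TriggerEvent] = field(default_factory=list)


def rating_mix(records):
    """Volume of CMRAs by rating."""
    return dict(Counter(r.rating for r in records))


def high_risk_share_by_area(records):
    """Fraction of each practice area's matters rated High."""
    by_area = defaultdict(lambda: [0, 0])  # area -> [high, total]
    for r in records:
        by_area[r.practice_area][1] += 1
        if r.rating == "High":
            by_area[r.practice_area][0] += 1
    return {area: round(high / total, 2) for area, (high, total) in by_area.items()}


def high_risk_signoff_status(records, target_days=SIGNOFF_TARGET_DAYS):
    """Split High-risk files into timely, late and missing senior sign-off."""
    status = {"timely": [], "late": [], "missing": []}
    for r in records:
        if r.rating != "High":
            continue
        if r.senior_signoff is None:
            status["missing"].append(r.matter_id)
        elif (r.senior_signoff - r.completed).days <= target_days:
            status["timely"].append(r.matter_id)
        else:
            status["late"].append(r.matter_id)
    return status


def trigger_event_stats(records):
    """How often trigger events occur, which still lack a CMRA update,
    and the median days from event to update where one was made."""
    latencies, pending = [], []
    for r in records:
        for t in r.triggers:
            if t.cmra_updated is None:
                pending.append((r.matter_id, t.kind))
            else:
                latencies.append((t.cmra_updated - t.occurred).days)
    return {
        "events": len(latencies) + len(pending),
        "pending_update": pending,
        "median_days_to_update": median(latencies) if latencies else None,
    }


def recurring_red_flags(records, min_files=2):
    """Red flags that appear on at least `min_files` separate matters."""
    counts = Counter(flag for r in records for flag in set(r.red_flags))
    return {flag: n for flag, n in counts.items() if n >= min_files}


def monthly_report(records):
    """One dictionary suitable for tabling at a compliance meeting."""
    return {
        "rating_mix": rating_mix(records),
        "high_risk_share_by_area": high_risk_share_by_area(records),
        "high_risk_signoff": high_risk_signoff_status(records),
        "trigger_events": trigger_event_stats(records),
        "recurring_red_flags": recurring_red_flags(records),
    }


# Constructed sample month (fictional matters, not real data).
SAMPLE = [
    CMRA("M1", "Conveyancing", "High", date(2024, 3, 1), date(2024, 3, 4),
         ["third-party funds", "cash deposit"],
         [TriggerEvent("third-party payer", date(2024, 3, 10), date(2024, 3, 12))]),
    CMRA("M2", "Conveyancing", "Low", date(2024, 3, 2)),
    CMRA("M3", "Corporate", "High", date(2024, 3, 3), None,
         ["complex ownership", "third-party funds"],
         [TriggerEvent("change of scope", date(2024, 3, 15), None)]),
    CMRA("M4", "Corporate", "Medium", date(2024, 3, 5), None, ["overseas jurisdiction"],
         [TriggerEvent("jurisdictional shift", date(2024, 3, 8), date(2024, 3, 18))]),
    CMRA("M5", "Private Client", "High", date(2024, 3, 6), date(2024, 3, 20),
         ["third-party funds"]),
    CMRA("M6", "Private Client", "Low", date(2024, 3, 7)),
    CMRA("M7", "Conveyancing", "Low", date(2024, 3, 9)),
]

if __name__ == "__main__":
    for section, value in monthly_report(SAMPLE).items():
        print(section, value)
```

Running it on the sample month surfaces exactly the kind of finding the tracker is meant to produce: one High-risk file with no senior sign-off at all, one signed off well outside the target, a change-of-scope trigger on a High-risk matter that has not yet been re-assessed, and "third-party funds" recurring across three matters in different practice areas, which is the sort of pattern that belongs in the next training refresher and in the FWRA review.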

Whatever happens with AML supervision in the future (it looks likely to change to the FCA), the fundamentals of a good CMRA do not change. Regulators will continue to expect a documented, risk-based assessment that drives proportionate controls and can be explained on audit. In practice, that means your risk rating must lead to action, trigger events must prompt an update, the rationale matters as much as the outcome, and any wider learnings should loop back into the FWRA (firm-wide risk assessment) and training so the system improves over time. If the supervisory label changes, you may need to re-map references in your FWRA and PCPs (policies, controls and procedures), but the day-to-day workflow is likely to remain the same: identify specific risks, record your reasoning, apply proportionate controls, and keep an audit trail that shows how the risk was mitigated.
