If by “old” you mean closed files, then no. The horse has bolted on those, unfortunately. Any issues which should have been captured during the risk assessment process will have already crystallised.
You do have an opportunity to update older active files, however, so long as you don’t attempt to mislead your SRA auditor.
Money Laundering Regulations
Under Regulation 28 of the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017, solicitors have an obligation to conduct thorough client and matter risk assessments for work that falls within scope, including transactions, probate, tax advice and “trust and company services”.
The importance of client and matter risk assessment is that it should inform the level of CDD to apply and the source of funds/wealth enquiries you should make. It is your “stop and think” opportunity.
See the SRA’s Warning Notice on client and matter risk assessments, in which the regulator highlights persistent non-compliance with this part of the Money Laundering Regulations. Key concerns include incomplete or ineffective assessments, failure to align with firm-wide risk assessments, and over-reliance on generic templates. Firms must ensure comprehensive, tailored risk assessments, record rationales for risk ratings, and continuously monitor and update assessments. A template risk assessment is available.
Since the warning, SRA auditors are focusing on client and matter risk assessments.
Retrospective Risk Assessment
Risk assessment is not a one-time snapshot. It is intended to reflect the shifting information available to the solicitor and the changing risk picture.
So there is a strong argument that, if your systems have been updated and improved, you should indeed revisit live files. It makes sense to prioritise files which are more likely to have elements of high risk, for example those involving offshore entities, complex property transactions, and clients based in higher risk countries.
You could also use this as an opportunity to demonstrate ongoing due diligence, by targeting files where there may have been material changes to the client profile or changes to instructions.
Transparency with the SRA
If your firm is anticipating an SRA visit, transparency is paramount. Attempting to mislead the auditor, even by omission of relevant information, is prima facie dishonesty and could have severe consequences. Instead:
- Document Retrospective Improvements: Clearly document any retrospective improvements made to risk assessments or CDD processes.
- Communicate Honestly: The SRA no doubt expects firms to review their process when they are notified of an AML audit. Be upfront about where and why these improvements were made. This demonstrates a proactive approach to compliance and enhances your firm’s credibility.
Best Practices
To ensure compliance and manage risks effectively, consider the following best practices:
1. Document Changes: Keep detailed records of changes to your risk assessment process and the rationale behind them. Use version control to clearly identify which document is currently in use.
2. Selective Reassessment: If you cannot physically reassess all files, focus on in-scope, high-risk, and materially changed files for reassessment under the new process.
3. Training and Awareness: Ensure all team members understand the updated processes and their application to both new and existing files.