
Five Minutes On… AML Risk Assessments

Risk assessments are the foundation of AML compliance and, according to the SRA, the area where law firms most commonly get it wrong.

Here’s what a good one actually looks like, and why the tick-box approach keeps getting firms into trouble. All of that, in a five-minute read.

Why Risk Assessments Keep Coming Up

Every year, the SRA publishes its findings from AML supervisory visits across the legal sector. And every year, risk assessments sit at the top of the failure list.

In the most recent reporting period, the SRA carried out 935 proactive AML engagements across 833 firms. Around one in three were found to be non-compliant. The most common reasons were gaps in firm-wide and client risk assessments, weaknesses in AML controls, and limited internal monitoring. Risk assessments appear in almost every category of failure.

This isn’t a new problem, but the SRA’s tone has sharpened. Firms are increasingly expected to demonstrate that their risk assessments are active, documented, and driving real decisions, not sitting in a folder as evidence of compliance.

Two Separate Assessments, Two Separate Obligations

There’s a distinction worth being clear on, because conflating the two is itself a common failure.

The firm-wide risk assessment is required under Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It must be a written document, approved by senior management, that identifies the money laundering and terrorist financing risks the practice is exposed to, based on its client base, geographic exposure, services offered, and transaction types. It should be reviewed regularly and updated when the firm’s circumstances change.

The client and matter risk assessment is required under Regulations 28(12) and (13) and must be completed for every single instruction. It needs to reflect both the specific characteristics of that matter, including the client, the transaction, the source of funds, and any risk indicators, and the broader context set by the firm-wide assessment. One informs the other.

The SRA has been clear that the firm-wide assessment is not a substitute for individual matter-level assessments. Both are required. Both must be documented.

What the SRA Keeps Finding

Across its 2024–25 supervisory activity, the most persistent risk assessment failures cluster around a few consistent themes.

Assessments are not always completed consistently or in full. Client and matter risk assessments are sometimes skipped entirely, partially completed, or completed after the matter has already progressed, which defeats the purpose.

Tick-box approaches are still common. Forms are filled in, but the answers do not reflect genuine consideration of the matter. Risk ratings are applied without reasoning, despite the SRA making clear it expects to see evidence that the assessment informed a decision, not just that it was done.

Firm-wide risks are not always carried through to client level. If the firm-wide assessment identifies elevated risk areas, that should be visible in how individual matters are assessed. Where there is no connection between the two, it is a clear red flag.

High-risk matters do not always receive appropriate oversight. Situations involving PEPs, complex ownership structures, or source of funds concerns should trigger escalation, but the SRA has found cases where this has not happened.

Assessments are often completed once and never revisited. Risk does not stop at onboarding, and where circumstances change, the assessment should change with them.

What a Good Risk Assessment Actually Looks Like

The SRA’s guidance, along with practical experience across the sector, points to a consistent set of characteristics.

Effective risk assessments are completed before the matter progresses, not retrospectively. They contain clear reasoning rather than just a risk rating, explaining what factors were considered and what that means in practice.

They are connected to the firm-wide picture, reflecting the risks identified at firm level in individual matters. They are also treated as live documents, revisited when circumstances change rather than filed away and forgotten.

Finally, they create a clear audit trail. It should be obvious when the assessment was completed, who carried it out, and what actions followed as a result.

The Difference Technology Makes

Manual risk assessments tend to introduce inconsistency. Some fee-earners apply them rigorously, others less so. Digital AML workflows help address this by embedding risk assessment into the process itself.

They can make completion mandatory at the point of matter creation, prompt the right questions based on the specific context, automatically flag higher-risk scenarios, and create a clear, auditable record of decisions made.

This does not replace professional judgement. It supports it, ensuring that risk assessment is applied consistently and at the right time, rather than retrospectively or unevenly.


Taken together, the SRA’s message is consistent. Firms need both a firm-wide risk assessment and a matter-level assessment for every instruction, and both must be properly documented, actively used, and kept up to date. Completing them after the fact, or treating them as a formality, misses the point entirely. The real test is whether the assessment has shaped how the matter is handled, particularly where higher-risk scenarios require escalation or further scrutiny.
