AML FILE REVIEWS · SMALL LAW FIRMS · LONDON
Your AML policy says the right things. Do your files?
The SRA consistently finds that the most common AML failures in law firms are not in the documentation. They are in the files. Written policies exist. Client and matter risk assessments are either missing, generic, or not matched to the actual risk. Client Due Diligence (CDD) is incomplete or inconsistently applied. We provide independent file reviews that examine what is actually happening in practice — and tell you what we find.
Client risk
Matter risk
CDD in practice
WHERE AML FAILURES ACTUALLY LIVE
The gap between written policy and file practice
Most firms have AML documentation. Many firms' files tell a different story. Understanding that gap — honestly and systematically — is where independent review adds the most value.
The SRA's AML Annual Report 2024-25 — the most recent and most detailed supervisory data available — identifies client and matter risk assessments as the single largest cause of SRA referrals. Across the files reviewed, 16% had no assessment at all or incomplete documentation. A further 39% had an assessment that failed to effectively evaluate the money laundering risk. That is 55% of reviewed files with a client or matter risk assessment problem of one kind or another, under Regulation 28 of the Money Laundering Regulations 2017.
The same report records 151 AML outcomes in 2024-25 — up from 78 the previous year and 47 the year before that. The SRA carried out 935 proactive engagements including onsite inspections, desk-based reviews and thematic assessments. Almost a third of firms examined were assessed as non-compliant, with a further 54% only partially compliant. The direction of travel is unambiguous: supervisory activity is increasing, outcomes are increasing, and the expectation that all firms will face AML scrutiny in the near future has been stated explicitly by the SRA.
This is not a criticism of the people responsible for those files. It reflects the structural reality of a small firm: the MLRO is also a fee earner, the policies were drafted once and not revisited as the work changed, and fee earners were trained generically rather than in relation to the specific risks the firm actually faces. The gap between policy and practice is entirely understandable. It is also exactly what a supervisory inspection will find.
The question an independent file review answers is not "do you have the right documents?" It is "are those documents being applied in practice — and is that practice consistent, documented, and proportionate to the risk on each file?"
01. Risk assessments completed as a formality
Client and matter risk assessments exist on file — but they carry a default rating, are undated, or do not reflect the actual characteristics of the client or the transaction. They satisfy the requirement on paper but not in substance.
02. CDD not matched to the risk level
Standard CDD is applied regardless of the risk assessment outcome. Higher-risk clients and matters are not receiving enhanced due diligence. Lower-risk matters are receiving disproportionate scrutiny. The risk-based approach exists in the policy but not in the file.
03. Source of funds not adequately evidenced
Source of funds and source of wealth are not consistently sought, documented, or evaluated — particularly on higher-value property transactions where this is a specific area of SRA scrutiny.
04. Ongoing monitoring absent in practice
CDD was collected at the start of the client relationship and has not been reviewed as the relationship developed, the client's circumstances changed, or new matters were opened that carry a different risk profile.
05. Inconsistency between fee earners
Some fee earners apply the firm's CDD and risk assessment procedures rigorously. Others do not. The inconsistency reflects a training gap — fee earners have not been trained to the specific risks in their practice area or to the firm's own risk profile.
UNDERSTANDING THE OBLIGATION
What client and matter risk assessments actually require
The LSAG guidance and the Money Laundering Regulations set out clear requirements. Here is what an adequate client and matter risk assessment involves in practice.
The risk-based approach — which underpins the entire AML regulatory framework — requires that the level of CDD applied to any client or matter is proportionate to the risk that client or matter presents. This means that risk must be genuinely assessed, not assumed. It cannot be adequately discharged by applying standard CDD to everything regardless of the actual risk profile.
The LSAG guidance distinguishes between three levels of risk assessment that must operate together: the Practice Wide Risk Assessment (PWRA or FWRA), which assesses the risk profile of the firm as a whole; the client risk assessment, which assesses the risk presented by each individual client; and the matter risk assessment, which assesses the risk of each specific transaction or matter separately from the client risk.
All three must be in place, must be current, must be documented, and must demonstrably inform the level of CDD applied. An adequate FWRA does not substitute for a client risk assessment. An adequate client risk assessment does not substitute for a matter risk assessment. They operate at different levels and serve different purposes.
Practice Wide Risk Assessment (FWRA)
Assesses the risk profile of the firm as a whole — the types of clients the firm serves, the work it does, the geographies it operates in, and the inherent money laundering and terrorist financing risks those factors present. Must be documented, current, and reviewed periodically or when the firm's circumstances change. Every client and matter risk assessment should be consistent with this foundation.
Client Risk Assessment
Assesses the risk presented by each individual client — their nature, background, geographic connections, PEP or sanctions status, and the circumstances in which they are instructing the firm. Must be completed at the start of the relationship and reviewed as the relationship develops. Determines the baseline level of CDD to be applied to that client across all their matters.
Matter Risk Assessment
Assesses the risk presented by each specific transaction or matter — separately from the client risk assessment. A client assessed as standard risk may instruct on a matter that carries higher inherent risk. The matter risk assessment must be completed for each matter and must reflect the specific characteristics of that transaction — not just the client's overall risk profile.
CDD proportionate to the combined assessment
The outcome of the client and matter risk assessments together determines the level of CDD to be applied. Standard CDD for standard risk. Enhanced due diligence — including source of funds, source of wealth, and additional verification — for higher-risk clients or matters. Simplified due diligence only where permitted and demonstrably justified. The risk assessment and the CDD applied must be consistent and evidenced on the file.
What inadequate looks like — and what supervisors find
✗ A risk assessment form completed with a default rating and no explanation
✗ Client risk assessed as standard without considering geographic risk, PEP status, or business type
✗ Matter risk not assessed separately from client risk — or not assessed at all
✗ Source of funds noted as "confirmed" without any supporting evidence on file
✗ Source of funds information on file, but not reviewed or documented, and with no explanation or reasoning
✗ CDD collected at client onboarding and not revisited on subsequent matters
✗ EDD not applied to clients or matters that the firm's own FWRA identifies as higher risk
What an adequate client and matter risk assessment looks like
✓ It is specific to the client or matter — not a generic template applied without thought
✓ It identifies the relevant risk factors — client type, geographic risk, product or service risk, delivery channel risk, transaction risk
✓ It reaches a documented conclusion — high, medium, or standard risk — with reasoning
✓ It determines the level of CDD to be applied — and that level is actually applied
✓ It is reviewed and updated when circumstances change — new matters, changes in client profile, changes in the transaction
✓ It is consistent with the firm's FWRA — the risk factors identified at firm level are reflected in the assessment of individual clients and matters
✓ It is evidenced and accessible to relevant persons
THE MOST IMPORTANT POINT ON THIS PAGE
A template is a starting point. It is not a risk assessment.
The SRA has now published a client and matter risk assessment template. This is genuinely useful — but the SRA has been explicit that it must be adapted to suit the firm. Understanding what that means in practice is the difference between adequate compliance and a tick-box exercise that satisfies the form but not the substance.
The SRA has consistently found — and explicitly criticised — risk assessments that are very basic or tick-box in nature, where fee earners only mark a file as high, medium, or low risk without documenting what they considered to arrive at that rating. An assessment that does not capture the reasoning is, in the SRA's view, inadequate — and it creates a particular danger: it encourages complacency when dealing with similar or apparently straightforward matters.
A genuine, adequate risk assessment must connect to the firm's own FWRA (firm-wide risk assessment). The FWRA is the foundation. It tells fee earners what the firm's specific risk profile looks like — not in generic terms, but in terms of the actual work the firm does and the actual clients it serves.
The SRA's AML Controls Webinar illustrated this precisely through a fictional case study: a fee earner was directed not just to a generic policy, but to specific information in the firm's FWRA — the types of conveyancing work that practice typically undertook, the typical range of purchase prices in their area, whether the firm regularly received funds from outside the jurisdiction, and the fact that the firm's probate department had relationships with French and Spanish law firms who could undertake CDD checks in those jurisdictions. That level of granularity in the FWRA is what enables a genuine, firm-specific risk assessment rather than a generic one.
What adequate tailoring looks like in practice
→ The FWRA identifies the firm's specific practice areas and the typical risk profile of each — not "we do conveyancing" but "our conveyancing work is predominantly residential purchases in the £200,000-£500,000 range in North West London, with a small proportion of commercial transactions"
→ The FWRA addresses the specific risk factors relevant to the firm's client base — whether clients typically provide funds from within the UK, what proportion instruct remotely, what the firm's experience of PEP exposure has been
→ The risk assessment template is adapted to include fields specific to the firm's practice areas — a conveyancing firm's template should prompt for property-specific risk factors; a probate firm's should prompt for probate-specific considerations
→ The assessment includes a narrative field — not just a rating — so that the fee earner records what they considered and why they reached the risk rating they did
→ The assessment is treated as a live document — reviewed as the matter progresses and updated when the risk profile changes, not completed once at the start and filed away
Alexander Christian
Harrow Business Centre
429-433 Pinner Road
North Harrow
Middlesex
Greater London
HA1 4HN