Key takeaways: SRA Warning Notice

Client and matter risk assessments

We take a look at the SRA Warning Notice published on 18 October 2023

Overview

The SRA’s Warning Notice (18 October 2023) highlights persistent weaknesses in Client and Matter Risk Assessments (CMRAs), with over half of reviewed assessments deemed ineffective in 2022/23. 


The regulator links this to systemic AML compliance failings, citing issues such as missing or poorly completed assessments, over-reliance on generic templates, lack of rationale for risk ratings, and failure to apply enhanced due diligence where required. Firms are reminded that CMRAs must be tailored, comprehensive, aligned with the firm-wide risk assessment, and kept under regular review to meet both regulatory and statutory obligations.

Concerns 

The SRA stated its concerns:

High levels of ineffectiveness: in its 2019/20 report, "29 per cent of files had no written matter risk assessment." This worsened in the 2022/23 reporting period, where "51 per cent of the client/matter risk assessments were deemed ineffective."

Wider systemic problems: the lack of a CMRA points to wider systemic problems, such as not having processes in place to undertake CDD and EDD.

Common identified issues:

- Assessments "not being done at all or not being used correctly."
- Failure to identify the correct risk level (high, medium, low) or missing specific AML risks.
- Fee-earners assessing business or other types of risk instead of AML risks.
- Adopting a "tick-box approach without giving any real thought to the risks involved."
- CMRAs not reflecting or taking into consideration the firm-wide risk assessment (e.g. assessing a conveyancing matter as low risk when the FWRA deems it high).
- "Over-reliance on template risk assessments which are not tailored to the firm."
- Not clearly showing when EDD was necessary.

Standards and Regulations

The SRA points to the Code of Conduct for Solicitors and the Code of Conduct for Firms, and in particular to:

- Paragraph 7.1 of the Code of Conduct for Solicitors (the code for individuals): solicitors must "keep up to date with and follow the law and regulation governing the way you work," including compliance with the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the money laundering regulations.

- Paragraph 2.1(a) of the Code of Conduct for Firms: firms must "comply with all our regulatory arrangements, as well as with other regulatory and legislative requirements," specifically ensuring compliance with, and monitoring of, the money laundering regulations.

Statutory Requirements

For ease of reference, we’ve stated the relevant regulations and produced an extract from the Money Laundering Regulations below. We always recommend referring to the original source, as the MLRs may be updated over time, even if this post is not.

Regulation 28(12)

28.—(12) The ways in which a relevant person complies with the requirement to take customer due diligence measures, and the extent of the measures taken—

(a)must reflect—

(i)the risk assessment carried out by the relevant person under regulation 18(1);

(ii)its assessment of the level of risk arising in any particular case;

(b)may differ from case to case.

  Regulation 28(13) 

28.—(13)  In assessing the level of risk in a particular case, the relevant person must take account of factors including, among other things—

(a)the purpose of an account, transaction or business relationship;

(b)the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer;

(c)the regularity and duration of the business relationship.

 Regulation 30 

30.—(1) This regulation applies when a relevant person is required to take any measures under regulation 27, 28 or 29.

(2) Subject to paragraph (3) or (4), a relevant person must comply with the requirement to verify the identity of the customer, any person purporting to act on behalf of the customer and any beneficial owner of the customer before the establishment of a business relationship or the carrying out of the transaction.

(3) Provided that the verification is completed as soon as practicable after contact is first established, the verification of the customer, any person purporting to act on behalf of the customer and the customer's beneficial owner, may be completed during the establishment of a business relationship if—

(a)this is necessary not to interrupt the normal conduct of business; and

(b)there is little risk of money laundering and terrorist financing.

Regulation 31(1)

31.—(1) Where, in relation to any customer, a relevant person is unable to apply customer due diligence measures as required by regulation 28, that person—

(a)must not carry out any transaction through a bank account with the customer or on behalf of the customer;

(b)must not establish a business relationship or carry out a transaction with the customer otherwise than through a bank account;

(c)must terminate any existing business relationship with the customer;

(d)must consider whether the relevant person is required to make a disclosure (or to make further disclosure) by—

(i)Part 3 of the Terrorism Act 2000; or

(ii)Part 7 of the Proceeds of Crime Act 2002.

The SRA's Expectations

The main expectations would seem to be:

Carry out a CMRA

A client and matter risk assessment must be carried out at the beginning of each business relationship. This will inform the level of CDD to apply.

Most firms now have a CMRA process, but fee-earners do not always follow it. Firms should therefore monitor compliance with the requirement and check that assessments are completed correctly.

The CMRA can be a single combined assessment, or one for the client and a separate one for the matter; that is a decision for the firm.

Who should complete the CMRA:
- the case handler, who is best placed to identify and assess the risk of the client and matter
- others, such as compliance staff or the MLRO, provided the CMRA correctly identifies and assesses client and matter risk

Most matters within scope will require a CMRA

There should be a risk assessment for each new matter for a client - especially if the risk is novel

"There might be times however when it is less likely that one will be needed. For example, when matters for a client are highly repetitive in nature, with the level of risk remaining consistent between one matter and another and the risk is comprehensively addressed in the client risk assessment. You should however still conduct ongoing monitoring to make sure that any transactions are consistent with your knowledge of the client, their business, and their risk profile, and document your decision making accordingly."

"While there is no requirement to risk assess matters which fall outside of the money laundering regulations, it might well be appropriate to do so. For example, where the client might later instruct you on a matter which is within scope or the initial matter branch into scope of the regulations. Ancillary relief work, for example, is typically out of scope, but might in its later stages involve buying and selling real property or forming trusts."

Recording the Rationale for a Client / Matter Risk Rating

You must record a risk assessment for every client and provide it on request. Whether you use high/medium/low or a numerical system, the key is to identify high-risk matters needing EDD and ensure fee-earners follow the right process.


The SRA continues to see overly basic, tick-box forms that lack space for rationale or commentary. This risks complacency, particularly in repetitive matters, and can miss unusual or high-risk factors.


Each assessment should record:

  • the reasoning for the risk level,

  • the reasoning for the level of due diligence to apply,

  • the mitigation to be used, and

  • explanations for any departures from the firm-wide risk approach.

This process needs to be clearly documented.

Firms with no clear process for identifying high-risk matters or recording decisions risk regulatory action.

Keeping the Risk Assessment under Review

If new information arises after the initial risk assessment, you must review and update it as part of ongoing monitoring under regulation 28(11). Failing to scrutinise transactions or refresh client due diligence may lead to disciplinary action. Knowing your client well helps you identify risks and avoid unwitting involvement in money laundering.

Using a Template

The SRA accepts the use of CMRA templates as a starting point but stresses they must be:

  • Comprehensive

  • Tailored to the firm

  • Aligned with the FWRA

  • Up to date

  • Reflecting actual ML risks

Generic, off-the-shelf templates without tailoring should be avoided. Even the SRA’s own CMRA template must be adapted to each firm.

 Using a Scoring System

The SRA notes that many firms use scoring systems to assess client or matter risk, with higher scores indicating greater risk. Fee earners should be trained to use these systems effectively.

Scores should guide but not replace judgment — certain factors, like clients in high-risk countries or PEPs, must automatically trigger a high-risk rating.

Any system that is confusing, poorly weighted, or fails to identify key risks is unlikely to meet regulations 28(12) and (13).
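As an added illustration of the point above (this is example code written for this post, not the SRA's template or any firm's actual scheme), the routine below contrasts a purely additive scoring design with one that applies the mandatory triggers and the FWRA baseline as overrides. The weights, thresholds, factor names and per-matter-type FWRA baselines are all hypothetical placeholders; a firm would substitute values calibrated to its own firm-wide risk assessment. It also records the rationale for each step, since the notice asks for the reasoning behind the rating and any departure from the firm-wide approach to be documented.

```python
"""Client/matter risk rating with mandatory overrides and FWRA alignment (added example)."""
from dataclasses import dataclass, field

# Hypothetical weights and thresholds, illustrative only: a real scheme must be
# calibrated against the firm's own FWRA, not copied from here.
WEIGHTS = {
    "client_not_met_in_person": 2,
    "complex_ownership_structure": 2,
    "third_party_funding": 2,
    "unusual_instructions": 3,
    "cash_intensive_business": 2,
    "new_client": 1,
}
# A rating applies once score >= its threshold; checked in ascending order.
THRESHOLDS = (("low", 0), ("medium", 3), ("high", 6))

# Factors that must produce a high rating (and EDD) whatever the score says.
MANDATORY_HIGH = {"pep_or_family_or_close_associate", "high_risk_third_country"}

# Hypothetical firm-wide baseline per matter type; the FWRA sets the real values.
FWRA_BASELINE = {
    "conveyancing": "high",
    "company_formation": "high",
    "probate": "medium",
    "employment": "low",
}
RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Assessment:
    rating: str
    score: int
    edd_required: bool
    rationale: list = field(default_factory=list)  # recorded reasoning, one line per step


def score_to_rating(score):
    rating = "low"
    for name, minimum in THRESHOLDS:
        if score >= minimum:
            rating = name
    return rating


def naive_rating(factors):
    """The flawed additive design: a PEP with no other weighted factor scores 0 -> 'low'."""
    return score_to_rating(sum(WEIGHTS.get(f, 0) for f in factors))


def assess(matter_type, factors, fwra_departure_reason=None):
    """Score, then apply mandatory overrides, then hold the result to the FWRA baseline."""
    factors = set(factors)
    unknown = factors - set(WEIGHTS) - MANDATORY_HIGH
    if unknown:
        # Refuse rather than silently ignore: an unrecognised factor must not vanish from the score.
        raise ValueError(f"unrecognised risk factors: {sorted(unknown)}")
    if matter_type not in FWRA_BASELINE:
        raise ValueError(f"no FWRA baseline for matter type {matter_type!r}")

    # Step 1: the arithmetic, with each contribution written into the rationale.
    weighted = sorted(factors & set(WEIGHTS))
    score = sum(WEIGHTS[f] for f in weighted)
    rationale = [f"{f}: +{WEIGHTS[f]}" for f in weighted]
    rating = score_to_rating(score)
    rationale.append(f"score {score} -> {rating}")

    # Step 2: mandatory triggers override the arithmetic.
    mandatory = sorted(factors & MANDATORY_HIGH)
    if mandatory:
        rating = "high"
        rationale.append("mandatory high-risk trigger(s): " + ", ".join(mandatory))

    # Step 3: the matter rating may not fall below the FWRA baseline unless a
    # departure is explicitly recorded with its reason.
    baseline = FWRA_BASELINE[matter_type]
    if RANK[rating] < RANK[baseline]:
        if fwra_departure_reason:
            rationale.append(
                f"departure from FWRA baseline '{baseline}' for {matter_type}: {fwra_departure_reason}"
            )
        else:
            rationale.append(f"raised from '{rating}' to FWRA baseline '{baseline}' for {matter_type}")
            rating = baseline

    edd_required = rating == "high"
    rationale.append("EDD required" if edd_required else "standard CDD, no EDD trigger")
    return Assessment(rating, score, edd_required, rationale)


if __name__ == "__main__":
    # Constructed sample inputs, not real matters.
    print(naive_rating({"pep_or_family_or_close_associate"}))         # low: the flaw
    print(assess("employment", {"pep_or_family_or_close_associate"}))  # high via override
    print(assess("conveyancing", {"new_client"}))                      # raised to FWRA baseline
```

The two failure modes the notice describes are visible in the output: `naive_rating` lets a PEP with no other factors come out "low" because nothing in the arithmetic forces EDD, and a conveyancing matter with a single low-weight factor would be rated "low" against an FWRA that treats the work as high risk unless the override step lifts it (or a reason for the departure is recorded with the file).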

Key takeaways

The key takeaways seem to be:

- Review and update processes: firms must review their existing client and matter risk assessment processes to ensure they are robust, comprehensive, and aligned with the SRA's expectations and statutory requirements.
- Mandate and monitor usage: ensure that processes for conducting client/matter risk assessments are consistently followed by all fee-earners. Firms need to "monitor how well fee-earners are complying with the requirement."
- Enhance training: provide thorough training to fee-earners on identifying and assessing AML risks, properly completing risk assessments, understanding the firm-wide risk assessment, and using any scoring systems effectively.
- Promote rationale recording: implement forms or systems that require fee-earners to clearly articulate the rationale for their risk ratings and the mitigation actions planned, moving away from simple "tick-box" approaches.
- Tailor templates: if using templates, ensure they are thoroughly "tailored to your firm" and align with the firm's specific risk profile and firm-wide assessment. Avoid "generic and off-the-shelf templates."
- Regular review and monitoring: establish clear procedures for ongoing monitoring of client relationships and matters, including revisiting and updating risk assessments when new information emerges.
- Identify high-risk factors: ensure all fee-earners are aware of and correctly apply enhanced due diligence for high-risk factors (e.g. high-risk third countries, PEPs). Any scoring system must account for these.
- Document decisions: all decisions regarding risk levels, due diligence applied, and any departures from standard procedures or firm-wide assessments must be clearly documented.

Enforcement

  • Consequences of Non-Compliance: "Failure to comply with this warning notice may lead to disciplinary action, criminal prosecution, or both."
  • Impending Fixed Financial Penalties: "Given the continued levels of non-compliance, we will consult in the coming year on fixed financial penalties for AML systems and controls failings. This will include issues such as not undertaking a client or matter risk assessment."
  • Disciplinary Action for Lack of Scrutiny: "Where we find that during the business relationship you failed to scrutinise transactions or review existing documents or information obtained for the purpose of applying client due diligence, we are likely to take disciplinary action."

Source:

Further Reading:

The SRA provides several resources to assist firms, including:

  • SRA template client and matter risk assessment
  • Client and matter risk assessment thematic review
  • Firm-wide risk assessment guidance (updated September 2023)
  • SRA webinar | Anti-money laundering: matter risk assessments
  • SRA anti-money laundering annual report 2022-23
  • Legal Sector Affinity guidance (2023)
  • Professional Ethics helpline for further assistance.

Please note that SRA updates often overwrite their guidance. 

Your next step

At Alexander Christian, we offer discreet yet thorough support with standalone file reviews, look-back assessments, and remediation exercises—available as a one-off service or on a regular basis.


An independent, second set of eyes brings clarity. We focus not on excuses, but on insights that help you see your firm’s position objectively, address non-compliant behaviours, and strengthen alignment with your FWRA, PCPs, and CMRA.


Client Matter Risk Assessments are the granular proof of your compliance culture. Regulators may only review a sample of files, but their findings speak volumes about your practice as a whole. Ensuring accuracy and consistency is not optional—it is essential.


The regulators have sounded the alarm —get in touch today.



Disclaimer

This post is not intended to be legal or regulatory advice, nor is it intended to be construed as such. You must seek independent legal advice from a firm that undertakes such work for your individual circumstances.