Client and Matter Risk
Background
The SRA, as a result of their AML Audits, continue to witness a persistent level of non-compliant client/matter risk assessments, and this remains a key area where improvement is needed. It is the cause of the majority of fines.
The concern regarding failures in this area was first raised as an issue in the SRA 2019/20 report when we found 29 per cent of files had no written matter risk assessment. In the reporting period (2022/23) the regulator found 51% of the client/matter risk assessments were deemed ineffective.
During the SRA’s AML Audits, the regulator assessed over 1000 client files from different fee earners. They uncovered a worrying lack of client and matter risk assessments across several fee earners’ files can often indicate wider systemic problems, such as not having processes in place to undertake client due diligence or enhanced due diligence.
Common Client Matter Risk Issues
Issues the SRA commonly uncover include:
Over-dependence on template client matter risk assessments which are not tailored to the specific firm as well as missing areas which should be addressed.
- Client/matter risk assessments not reflecting or taking into consideration the firm-wide risk assessment. For example, a fee-earner assessing a conveyancing matter as being low risk when the firm-wide risk assessment stated all conveyancing matters should be treated as high risk
- Failure to conduct enhanced AML due diligence when needed.
- Only conducting a single point-in-time assessment, often at the outset of a matter i.e. failure to conduct ongoing client matter risk assessments.
- Complete absence of AML client/matter risk assessments or CMRAs being used incorrectly. The SRA identified examples of failure to identify the appropriate level of risk (ie high, medium, low), missing specific AML risks, lawyers failing to identify AML risks such as targeted business or other types of risk, adopted a tick-box approach without giving due consideration the apparent AML risks on the matter.
Having an effective AML client/matter risk assessment on all relevant matters is a key step in preventing money laundering as it should link to the correct level of client due diligence to apply. Ongoing monitoring is crucial.
AML Client Matter Risk Assessments - A Statutory Requirement
Regulations 28(12) and 28(13) of the money laundering regulations mandates that law firms must undertake measures to ascertain the potential risks presented by a specific client, and the respective matter. A comprehensive client risk assessment is imperative to discern and evaluate the potential risks associated with an individual client, and it must invariably be conducted at the outset of a client relationship but then continue as an ongoing process.
An AML client matter risk assessment should be carried out and recorded at the earliest opportunity save for certain exceptions discussed below. A matter risk assessment should focus on the specific risk factors that a matter presents, beyond, or different to, the client risks already identified. In assessing the level of risk in a particular case, you must take account of:
- the purpose of the account, transaction or retainer
- the level of assets to be deposited by a client or the size of the transactions undertaken by the client
- the regularity and duration of the retainer
The main reason for an AML client and matter risk assessment is to determine the level of client due diligence needed. It must also take account of the high-risk factors set out at regulation 33(1).For example, a person established in a high-risk third country, a politically exposed person (PEP) or a family member or known associate of a PEP, a person who has provided fake or stolen ID, or in unusually large or complex transaction.
An AML client and matter risk assessment should also dictate the level and extent of due diligence undertaken on a client or matter. For example, if a client or matter is assessed as being high risk, then regulation 33 of the money laundering regulations states that enhanced due diligence must be applied. Carrying out an AML client matter risk assessment will also help you consider what should be done to manage risk. Notwithstanding that the majority of law firms have a process in place to conduct AML client/matter risk assessments they are not always followed. AML client/matter risk assessments are only valid where the relevant action is taken. It is imperative that they are being used correctly. In practice that means firms monitoring how well fee-earners are complying with the requirement to carry out AML client matter risk assessments a.
Client/Matter Risk Scoring and Ratings
A record of an AML client matter risk assessment is needed for every matter as part of your client due diligence measures. You must also be able to provide copies of any AML client matter risk assessment to the SRA on request.
In utilising a ranking, rating or scoring system, such as high/medium/low system, to risk-assess matters, you will be required to show how you identify high-risk matters requiring ED and related processes for handling such matters.
The SRA often see AML client matter risk assessments that are very basic or tick box in nature, where fee-earners only had to mark whether a file was high risk, medium risk, or low risk. Often, these AML client matter risk assessments do not allow or encourage the lawyer to capture what they determined arrived at a risk score.
The danger in the aforementioned approach is that lawyers may fail in applying appropriate consideration to the relevant risks, and facilitate complacency when dealing with similar or perceived ‘straight forward’ matters. In the absence of a provision for unrestricted text or dedicated space within the risk assessment, practitioners may encounter difficulty in documenting unique or specialised aspects pertaining to a client or matter. The SRA talks of instances that have observed wherein practitioners have opted to deviate from the firm's overarching firmwide risk assessment or policies without providing a documented justification for their departure.
The SRA may take action, including issuing fines, where a firm does not have a process for identifying high-risk matters, or if the firm is not risk assessing clients and matters adequately.
Ongoing Client/Matter Risk Assessments
The SRA have made it clear that if during the business relationship with a client a lawyer fails to scrutinise transactions or review existing documents or information obtained for the purpose of applying client due diligence, they are likely to take disciplinary action. This is likely to include fines.