Risk assessments: anti-money laundering

Law firms should regularly identify and assess the risk of money laundering they face, in the form of practice-wide, client and matter risk assessments.

Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) requires law firms to carry out a written risk assessment to identify and assess the risk of money laundering that they face.

Carrying out a risk assessment will help you to:

  • develop policies, procedures and controls to reduce the risk of money laundering
  • apply a risk-based approach to detecting and preventing money laundering
  • understand the level of risk associated with certain business relationships and transactions
  • make appropriate risk-based decisions about clients and retainers

It’s important that you keep your risk assessment under review as the Solicitors Regulation Authority (SRA) may ask to see your assessment – especially if something goes wrong with compliance at your firm.

More detailed information can be found in chapter 2 of the anti-money laundering guidance for the legal sector.

Practice-wide risk assessment

There are no set rules that indicate your firm is at high risk of exposure to money laundering activity.

The conclusions of your practice-wide risk assessment are a matter of judgement and should reflect the nature of your work and clients.

However, your practice-wide risk assessment should consider:

  • the UK's national risk assessment (NRA), updated in December 2020
  • the National Crime Agency's national strategic assessment, updated in July 2023 to identify the threats posed by:
    • proliferation financing
    • sanctions against Russia and Russian-linked individuals
    • increasing levels of cybercrime, including theft, malware and ransomware
    • the use of money mules
    • Chinese underground banking networks
    • international controller networks that exchange cash for cryptoassets
    • vulnerabilities in the creation and oversight of UK corporate structures
  • the SRA’s sectoral risk assessment, updated in July 2023 to:
    • remove legal cannabis and COVID-19 as key risks
    • update on proliferation financing and financial sanctions risk

It should also:

  • clearly state what you do when you identify a high-risk client or matter
  • reference your firm’s policies, controls and procedures
  • list the steps your firm has taken to reduce the money laundering risk it faces

The MLR 2017 outlines what you should consider in your risk assessment, including:

  • the clients you act for
  • whether you work in or with countries that, for example, have significant levels of corruption or are subject to sanctions
  • whether you offer services in practice areas deemed ‘high risk’ due to holding client money
  • the characteristics of transactions, including the source of funds and whether a transaction is outside your firm’s normal area of work
  • your firm's delivery services, including the use of agents and intermediaries or online services

See section 2.3 of the guidance for the legal sector for a full list of factors your risk assessment should consider.

It’s important that your risk assessment is written down and kept up to date.

Your risk assessment can be formatted in multiple ways, including in paragraphs, as a table or a matrix with risk ratings.

Make sure that when you complete your risk assessment you:

  • keep a record of the sources you use
  • review it regularly, reflecting changes in your circumstances or to the SRA's risk assessment, and keep a note of when you carry out these reviews

High-risk regulated activities

In your risk assessment, you should assess what proportion of your work is made up of regulated activities, especially those identified as 'high risk' by the NRA.

The NRA specifies the following services as most likely to be abused by money launderers:

  • trust and company formation
  • conveyancing
  • client account services

To reduce risks when working in these areas, you must:

You should document what measures are in place to mitigate these risks, and adjust your policies, controls and procedures accordingly.

Find out more about money laundering warning signs

High-risk jurisdictions

If you’re involved with clients or matters based in ‘high-risk’ jurisdictions, your risk assessment should reflect this.

At a minimum, you’ll need to consider how you deal with clients and matters that involve jurisdictions on the list of high-risk third countries.

You may also wish to keep up to date with:

Client and matter risk assessment

As well as a practice-wide risk assessment, you need to undertake a risk assessment at client and matter level.

This will inform the way you conduct your customer due diligence and ongoing monitoring.

You can use the SRA client and matter risk template as a base to develop a risk assessment tailored to your firm.

The factors listed in the SRA template are not exhaustive.

There may be other risk factors you should consider depending on the nature of the client or matter and your firm’s risk appetite.

Your processes for carrying out the client and matter level risk assessment should be set out in your practice-wide risk assessment. See section 2.5 of the guidance for the legal sector.
