In today’s increasingly complex regulatory landscape, risk assessments form the cornerstone of a law firm’s anti-money laundering (AML), counter-terrorist financing (CTF) and proliferation financing (PF) efforts.

A practical risk assessment ensures compliance with regulations set by the Solicitors Regulation Authority and the Financial Conduct Authority and underpins the overall integrity of the firm’s financial crime prevention strategy. This article examines the good and bad practices associated with risk assessments and stresses the importance of having robust procedures in place.

Managing Risk Assessments

A law firm is legally required to undertake a comprehensive risk assessment regularly, given the constant updates to legislation. This assessment must cover all potential risk areas, including money laundering, terrorist financing and PF. It is essential that the systems and controls implemented are both comprehensive and proportionate to the nature, scale and complexity of the firm’s operations. Moreover, regular reviews of these risk assessments are crucial to ensure that they remain current and reflective of the evolving threat environment.

Recent legislative developments, notably section 188 of the Economic Crime and Corporate Transparency Act 2023, allow firms to share information to prevent, detect, and investigate economic crime. However, this information sharing must be carefully managed to avoid misuse for commercial purposes or as a pretext for unjustifiably excluding customers. Additionally, firms must be mindful of their obligations under the General Data Protection Regulation when handling shared data.

Key Elements of an Effective Risk Assessment

An effective risk assessment is not a static exercise but a dynamic process that informs day-to-day operations. It should clearly identify which parts of the business are most vulnerable to money laundering, terrorist financing and PF. This involves a thorough analysis of:

– The types of customers and beneficial owners involved

– The various products and services offered

– The geographical areas of operation and the associated country risks

– The channels through which transactions are conducted (e.g. internet, telephone, branches).

Furthermore, risk assessments should provide a framework for decision-making, influencing areas such as the level of customer due diligence applied and the criteria for accepting or maintaining business relationships. For specialised sectors like cryptoassets, bespoke assessments should be undertaken to address the unique risks posed by different types of cryptoassets, including anonymity-enhanced or privacy coins.

Good Practices in Risk Assessment

Several practices stand out as exemplary within the industry. Firstly, a robust risk assessment will inform the design of AML controls and ensure that every aspect of the firm’s operations is scrutinised. Law firms are encouraged to utilise reputable sources such as National Risk Assessments, FATF mutual evaluations, typology reports, NCA alerts, and insights from court judgements or non-governmental organisations. These sources offer invaluable context in understanding the evolving nature of financial crime.

Moreover, firms that excel in risk management consider a broad spectrum of factors when assessing risk. These include company structures, political connections, reputation, source of wealth, expected account activity, sector risk, and even the specific delivery channels employed. Because undue familiarity can develop between relationship managers and clients, best practice is to manage this risk actively to maintain objectivity. Furthermore, engaging in both public-private and private-private partnerships facilitates the exchange of insights on emerging financial crime typologies and reinforces a culture of continuous improvement.

Common Pitfalls and Bad Practices

Despite the clear benefits of robust risk assessments, many firms fall prey to several pitfalls. One common issue is the use of an inappropriate risk classification system that inadvertently prevents any customer from being categorised as ‘high risk’. In some cases, countries with higher risk are assigned low-risk scores merely to avoid the inconvenience of enhanced due diligence measures. Additionally, there are instances where relationship managers can override risk scores without providing sufficient evidence, thereby undermining the integrity of the assessment process.

Another problematic area is when risk assessments are swayed by the potential profitability of new or existing relationships rather than objective criteria. This can result in a firm being unable to justify why certain customers are deemed high, medium or low risk. Moreover, reliance on group risk assessments by UK branches or subsidiaries, without tailoring these assessments to comply with specific UK AML requirements, represents a significant oversight.

The Importance of Robust Procedures

For law firms, the importance of a meticulously executed risk assessment cannot be overstated. Effective risk assessments provide the foundation for implementing controls that not only safeguard against financial crime but also ensure compliance with evolving legal and regulatory standards. By learning from both good and bad practices, legal professionals can develop and maintain risk management procedures that are both comprehensive and agile. Ultimately, a commitment to robust risk assessment processes is an investment in the long-term integrity and success of the firm.