Client and matter risk assessments
18 October 2023
Introduction
This thematic report sets out our findings on how firms assess clients and matters to identify money laundering and terrorist financing risks. Taking a risk-based approach to preventing money laundering is important because it helps you direct your resources appropriately to the highest risk areas. In order to do this, and to make sure you are mitigating the risk of money laundering, you need to understand and assess the risk posed by each client and matter – then act accordingly.
Risk assessing clients and matters is a requirement under regulation 28(12) and (13) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLR’). This has been a legal requirement since 26 June 2017.
Regulations 28(12) and 28(13) of the MLR require firms to take steps to identify the money laundering and terrorist financing risks posed by a particular customer (or ‘client’) and matter.
Firms must carry out a written client and matter risk assessment.
A client risk assessment should identify and assess the risks posed by an individual client.
A matter risk assessment should focus on the specific risk factors that a matter presents, beyond, or different to, the client risks already identified.
These risk assessments will help you to identify and understand the money laundering and terrorist financing risks. This in turn will help you decide whether you wish to accept the client, what level of customer due diligence (CDD) you will undertake and any additional steps you might wish to take to mitigate the risk posed. A risk assessment can also be a useful tool to understand your exposure to financial sanctions risks. We have published separate guidance on complying with financial sanctions legislation.
Your client and matter risk assessments can also help you determine the level and frequency of ongoing monitoring needed for a client or matter. Ongoing monitoring is a requirement under regulation 28(11) of the MLR. The MLR require you to scrutinise transactions throughout the course of a business relationship, including the source of funds, where necessary.
Failure to properly risk assess can expose your firm to the risk of abuse by criminals.
Under regulation 28(12) of the MLR you must undertake appropriate CDD measures based on:
- your firm-wide risk assessment (FWRA) required under regulation 18 of the MLR
- your assessment of the level of risk arising in any particular case.
To assess the level of risk in a particular case, regulation 28(13) of the MLR requires that you must take account of:
- the purpose of an account, transaction or business relationship
- the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer and
- the regularity and duration of the business relationship.
Your firm should:
- have effective systems in place to identify potential risks with any client and matter in scope of the MLR
- consider risks identified within your FWRA
- apply due diligence to each matter based on the risk posed by that client and the work you will undertake for them
- adequately document the risks, and the actions to mitigate them.
Under regulation 28(16) of the MLR, you must be able to demonstrate to us as your supervisory authority that the extent of the measures you have taken is appropriate to the risks of money laundering and terrorist financing.
We undertook a thematic review to better understand how firms were complying with the requirements of the MLR and identify examples of good practice and poor practice.
We inspected 30 firms and found the following.
- 94% of firms had a process in place to risk assess clients and matters.
- 20 firms assessed client and matter risks using various templates which were manually filled in. Eight firms assessed client and matter risks via systems built into their case management system. Two firms did not have a process to risk assess clients or matters. Both firms were referred to our anti-money laundering (AML) Investigation Team for not complying with regulation 28(12) and (13) of the MLR.
- Most firms’ risk assessment process considered client risk and matter risk together, rather than as separate documents. While this is usually fine, assessments must be completed comprehensively. We found one firm’s assessment was limited to client risk only, and three firms’ risk assessment processes were limited to considering matter-specific risks. These firms’ processes were only partially compliant with the regulations. We are working with these firms via compliance plans to bring their processes in line with the regulatory requirements.
- While 94% of firms had a process in place to risk assess their clients and matters, nearly half (47%) of the files we reviewed did not contain a documented client and matter risk assessment (CMRA). In a minority of cases, this was because it was too early in the transaction to complete a risk assessment.
- Of the files that contained documented CMRAs, 77% were completed properly. Of the files that contained documented CMRAs, 67% contained good evidence of ongoing monitoring as firms had reviewed the risk at appropriate intervals.
A client and matter risk assessment template can be an effective tool to assess risk if used properly.
We have seen good and poor use of client and matter risk assessment templates from our proactive AML supervision work. The difference between good and poor use is how a firm adapts a template to suit its needs.
We have seen examples of firms relying too heavily on client and matter risk assessment templates without tailoring them, or using lengthy or overly complicated templates where some of the risks were not applicable. For example, we saw firms using standard templates that include service areas which are not provided by the firm, making parts of the document pointless.
We also found instances where firms were using a tick-box approach to decide whether the matter posed any money laundering risks, with no ability to capture nuance. This consisted of a simple yes/no response with no rationale to explain the risk.
We have therefore created a client and matter risk assessment template that firms might choose to use. We have also published supporting notes on how to complete the client and matter risk assessment template.
If you choose to use our client and matter risk assessment template, you should adapt it to make sure it captures the risks your firm is exposed to through your clients and the type of work you do. You should consider the factors in the client and matter risk assessment template to help you to assess the money laundering risk posed by the client or transaction. The factors listed are not exhaustive. There may be other appropriate risk factors for you to consider depending on the nature of the client, the transaction and your firm’s risk appetite.
A CMRA is an important and practical document which will help you consider the money laundering and terrorist financing risks posed by a particular client or matter. It should also help you decide what level of due diligence is appropriate and what information you might need from the client to complete CDD under the MLR.
You must have a process in place to assess risk at client and matter level which is followed in practice. You must make sure that you complete and document a risk assessment for each client and every matter.
You can decide whether to assess client risk and matter risk separately, or whether to include both in one document. For example, if you act for a client on a single transaction, you might decide it is practical to assess both risks in a single document. Alternatively, if you act for repeat clients on unconnected matters, you might decide to assess the risks separately.
Should your firm be subject to an AML inspection, we will check to see whether each client and matter has an appropriate risk assessment on file. Through our proactive AML supervision we have found that most firms have a process in place that should be followed to assess client and matter risk. However, we have seen instances where this process is not followed by fee earners, leaving firms open to the risk of being used to launder money.
The examples below set out good and poor practice we found:
Good practice
- Where risk ratings were used, the firm recorded how it arrived at that rating and the thinking behind it.
- The form used required fee-earners to make an active decision on the level of due diligence required based on the level of risk.
- The CMRA was tailored to the firm’s risk. For example, questions were added to the CMRA template to help fee-earners identify additional risks specific to the firm’s clients.
- Each client and matter contained a written risk assessment.
- Where fee-earners felt the level of risk was different from that identified in the FWRA, they documented their rationale for this.
- Relevant sections of the CMRA form were completed, with a clear explanation of the risk level and level of due diligence required.
- The CMRA was reviewed reactively when additional information about the client or matter was received. For example, when funds were received on a matter, the CMRA was reviewed to ensure they were consistent with the information the firm held.
- The firm reviewed their CMRA at key stages in a transaction. For example, prior to exchange and completion in a conveyancing matter.
- The fee-earner was required to make an active assessment of the risk posed, rather than relying on a tick-box form. The CMRA automatically flagged high-risk matters to the money laundering compliance officer for approval.
- The CMRA reflected the risks identified in the firm’s FWRA.
Poor practice
- The client risk was considered in isolation and the risks relating to the matter were not assessed, or vice versa.
- The firm used a template with standard text for all transactions, which discouraged analysis of risk by the fee earner.
- The firm relied on e-verification system ratings instead of fee-earners forming their own assessment of the risk, or fee-earners provided little or no input into the risk assessment.
- Inconsistent use of CMRA across the firm.
- The matter rating did not reflect the FWRA and there was no rationale to explain why the fee-earner had deviated from the rating in the FWRA. For example, the firm considered conveyancing transactions to be high risk in its FWRA, but the matter risk assessment rated the matter as low risk.
- The form used did not clearly show the fee-earner when the threshold for enhanced due diligence had been met.
- No controls were put in place to check or review CMRA processes.
- The CMRA was not completed ahead of advice being provided and funds being received into the client account.
- The firm used a scoring system that was hard to understand. For example, the matter involved money laundering red flags, but the overall score of the assessment was low. The reason for this was unclear.
- The CMRA addressed business risk (creditworthiness and reputational risk), rather than AML risk factors.
Under regulation 18 of the MLR, firms that are within scope of the MLR must have a written FWRA in place. This has also been a legal requirement since 26 June 2017.
CMRAs and FWRAs are often mentioned alongside each other; however, it is important to understand the differences between these documents.
What is it?
FWRA: A centrally held document which should be tailored to the firm. The FWRA is most effective if all relevant staff understand it and are familiar with it.
CMRA: A key document which should be accessible to anybody working with a particular client or on a particular matter.
What is it used for?
FWRA: To assess the AML and terrorist financing risks the firm is exposed to.
CMRA: To assess the risk each individual client and matter poses.
What's the level of risk considered?
FWRA: It should identify all money laundering risks faced by the firm and consider how each risk can be mitigated. It must be comprehensive, tailored to the firm, and kept up to date.
CMRA: Considers the level of risk posed by a particular client or matter. It must take account of the FWRA: for example, if cryptocurrencies are assessed as high risk at firm level, they should be assessed as high risk at matter level (unless specific circumstances mean that the matter poses a different level of risk, in which case this should be explained).
Who compiles it?
FWRA: Should be completed and updated by somebody with comprehensive knowledge of the firm, its services and its clients, for example the Money Laundering Compliance Officer, Money Laundering Reporting Officer, or senior management team.
CMRA: Ideally completed by the fee-earner working on the matter. Where it is completed by a central compliance team, those with knowledge of the matter should monitor it.
What must it include?
FWRA: Must address risk factors relating to:
- your clients (for example, demographics, PEPs or close relatives or associates of PEPs)
- the countries or geographic areas in which your firm operates (for example, UK, EU, high-risk third countries) or the countries/geographic areas to which your clients are linked or from which they derive their income
- your products or services (for example, conveyancing, tax advice, forming of trusts, client bank accounts)
- your transactions (for example, size, frequency or complexity)
- your delivery channels (for example, online or via apps or portals, in person, remotely).
CMRA: In assessing the level of risk in a particular case, you must take into account the following factors:
- the FWRA
- the purpose of an account, transaction or business relationship
- the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer
- the regularity and duration of the business relationship
- high-risk factors under regulation 33(1) of the MLR.