The Problem
Despite regulatory obligations, a significant number of firms do not conduct risk assessments at all.
On 20 June 2024, the Solicitors Regulation Authority (SRA) reported that 51% of client and matter risk assessments were ineffective.
Some firms conduct risk assessments but only at a very surface level. Others have no clue what it even is.
This is a striking problem in the legal sector and one that the SRA is cracking down on.
This article aims to point out why law firms struggle with Risk Assessments and why it is such a big problem.
What is Client Risk Assessment?
Client Risk Assessment (CRA) is a process where law firms (and other regulated entities) evaluate the potential risks posed by their new and existing clients. The ultimate goal is to ensure compliance with Anti-Money Laundering (AML) regulations and protect the firm from legal and reputational damage.
The process runs in parallel to the onboarding stage and requires lawyers or their assistants to dig into their client’s background, understand why they have instructed and whether it all makes sense.
The initial risk assessment gives lawyers a framework to decide what level of due diligence is required throughout the onboarding process. This could be simplified, standard or enhanced.
In a nutshell, risk assessment is about identifying and assessing the risks associated with each client and matter.
Common Issues Identified by the SRA

The SRA has raised several concerns regarding the compliance of law firms with AML regulations. Some of the most common issues identified include:
- Lack of Risk Assessments: Many firms fail to conduct risk assessments for their clients and matters. Whilst the SRA reported 51% of firms weren’t compliant, the actual number could be much larger as most firms have not been audited.
- Incorrect Use of Risk Assessments: Some firms conduct risk assessments but do not use them correctly. This includes failing to identify the correct level of risk (high, medium, low) and missing specific AML risks.
Current practice for Client Onboarding & Risk Assessments

The workflow:
Initial Client Instruction
The traditional process of client risk assessments in law firms begins with the initial client instruction and matter inception. This stage involves several key steps:
- Client Onboarding: The firm collects basic information from the client, including personal details and the purpose of the instruction. This is the first point of contact and sets the foundation for the risk assessment process.
- Conflict Checks: Before proceeding, firms must conduct conflict checks to ensure that taking on the client does not present any conflicts of interest. This step is crucial for maintaining the firm’s integrity and compliance with professional standards.
- Engagement Letters: Once conflicts are cleared, the firm sends an engagement letter to the client, outlining the terms of the engagement, the services to be provided, and the fees.
Sending Questionnaires
After the initial instruction, firms send questionnaires to clients to gather detailed information required for the risk assessment. This step includes:
- The questionnaire typically requests basic personal information as well as more detailed information about the client’s business, the source of funds, and the purpose of the transaction. This information is crucial for assessing the risk associated with the client and the matter.
- Clients are required to fill out these questionnaires, which can be a time-consuming and cumbersome process. The use of Word documents or Excel sheets for these questionnaires is common, but it often leads to delays and client frustration due to the rigid and outdated format.
- Once completed, clients send the filled-out questionnaires back to the firm. This step often involves multiple back-and-forth communications to clarify details or request additional information.
Data Entry and Verification
After receiving the completed questionnaires, firms move on to the data entry and verification stage. This process involves:
- The information from the questionnaires is manually entered into various systems. This includes entering data into internal risk assessment documents, compliance storage tools, and tools for conducting AML checks.
- Firms use tools like SmartSearch, WorldCheck or Creditsafe to perform AML Screening checks on clients. AML Screening looks into an entity to search for issues related to PEP, Sanctions or Adverse Media. This is needed to answer many of the questions within the risk assessment.
- Some firms also use biometric identification tools like Thirdfort, SumSub or Onfido for EID&V or enhanced identity verification with NFC Chip.
- A significant pain point in this stage is the lack of integration with the above systems, checks and platforms.
- As a result, a lot of time is taken by data migration and double entry of the same data. This process is extremely costly due to the number of platforms required (firms often need 3 to 4 systems for just client onboarding & AML, none of which have integration or proper risk assessment facilities, requiring lawyers to migrate the end data to Word or Excel sheets).
Continuous Monitoring
The risk assessment process does not end with the initial data entry and verification. Continuous monitoring is essential to ensure ongoing compliance and to identify any changes in the client’s risk profile. This includes:
- Regular Updates: Firms must regularly update the risk assessments based on new information or changes in the client’s activities. This ensures that the risk profile remains accurate and up-to-date.
- Ongoing Verification: Continuous verification of client information, particularly for long-standing clients, is necessary to ensure that the initial risk assessment remains valid. This can involve periodic checks and re-verification of identity documents.
- Monitoring Transactions: Firms must monitor transactions for any unusual or suspicious activity that could indicate money laundering or terrorist financing. This involves scrutinising the purpose of transactions, the source of funds, and the overall transaction pattern.
The Tech-stack:
Traditional Tools
Historically, law firms have relied on Word and Excel to conduct their client risk assessments. While these tools are familiar and accessible, they come with significant limitations and frustrations that hinder efficiency and accuracy.
- Word: Word documents are commonly used to create and distribute questionnaires to clients. Clients fill out these forms with their information and return them to the firm. The rigid format of Word documents often leads to delays, as clients may find them cumbersome and time-consuming to complete. This is equally painful for the associates who have to extract, assess and action this information on other platforms.
- Excel: Excel sheets are used to compile and analyse the data collected from clients. While Excel can handle large volumes of data, it is prone to errors, especially with manual data entry. Additionally, the lack of real-time data integration with other systems can result in inefficiencies and inaccuracies.
Challenges and Limitations of Traditional Tools
- Manual Data Entry: One of the biggest drawbacks of using Word documents and Excel sheets is the need for manual data entry. This process is not only time-consuming but also increases the risk of human errors.
- Lack of Integration: Traditional tools often operate in silos, meaning data entered into one system does not automatically update in another. This lack of integration requires manual intervention to move data between systems, leading to delays and potential errors.
- Inefficiency: The manual, repetitive nature of these tools can create a significant administrative burden. Staff must spend considerable time entering data, verifying information, and updating records, which detracts from more valuable legal work.
- Client Frustration: Clients may become frustrated with the lengthy and rigid process of filling out questionnaires and providing the same information multiple times. This can negatively impact their overall experience and satisfaction with the firm.
AML Tools
To enhance the efficiency and accuracy of client risk assessments, many firms have adopted AML check tools such as Verify, SmartSearch, and Creditsafe. These tools are designed to automate parts of the risk assessment process, providing faster and more reliable results.
- Verify: This tool allows firms to quickly verify the identity of clients and assess their risk level. It uses various data sources to confirm client information and flag potential risks.
- SmartSearch: SmartSearch offers a comprehensive suite of AML checks, including identity verification, sanctions screening, and adverse media checks. It integrates with other systems to streamline the risk assessment process.
- Creditsafe: Creditsafe provides real-time access to global credit reports and risk assessments. It helps firms evaluate the financial stability of clients and identify any red flags.
Biometric Identification Tools
In addition to Screening tools, some firms use biometric identification tools such as Thirdfort and EID&V for enhanced identity verification. These tools leverage biometric data to provide a higher level of security and accuracy in verifying client identities.
- Thirdfort: Thirdfort uses facial recognition and document verification to confirm the identity of clients. It integrates with other systems to provide real-time updates and streamline the verification process.
- EID&V: EID&V combines electronic identity verification with biometric data to offer a robust solution for verifying client identities. It helps firms comply with AML regulations and reduce the risk of fraud.
Why Are Client Risk Assessments Such a Problem for law firms?

Administrative Burden and Inefficiency
One of the primary issues with client risk assessments in the legal sector is the significant administrative burden they impose. The process involves numerous repetitive tasks that require manual effort, leading to inefficiencies and a high potential for human error. Key challenges include:
- Manual Data Entry: Entering data manually from questionnaires into various systems is time-consuming and prone to errors. This process often involves double data entry, where information must be copied and pasted into multiple documents and tools.
- Repetitive Tasks: The nature of risk assessments involves repetitive tasks such as verifying client information, conducting AML checks, and updating records. These tasks can consume a considerable amount of time, detracting from more valuable legal work.
- Resource Allocation: The need for significant manual effort means that firms must allocate substantial resources to the risk assessment process. This can strain the firm’s capacity to handle other important tasks and reduce overall productivity.
Client Frustration and Onboarding Delays

The traditional process of client risk assessments can lead to significant client frustration and onboarding delays. Clients often find the process cumbersome and time-consuming, which can negatively impact their experience and perception of the firm. Specific pain points include:
- Lengthy Questionnaires: Clients are required to fill out lengthy and detailed questionnaires, often multiple times throughout their engagement with the firm. This repetitive and rigid process can be off-putting and frustrating for clients.
- Delays in Response: The back-and-forth communication required to gather and verify information can lead to delays in the onboarding process. Clients may take time to complete the questionnaires, and additional follow-ups can further extend the timeline.
- Negative First Impressions: A lengthy and cumbersome onboarding process can create a negative first impression for clients. This can lead to client drop-off, where potential clients choose to take their business elsewhere due to the initial frustration.
Double Data Entry and Error Risks
Double data entry is a significant issue in the traditional process of client risk assessments. The need to enter the same information into multiple systems increases the risk of errors and inefficiencies. Key problems include:
- Increased Error Risk: Manually entering data multiple times increases the likelihood of errors. Mistakes in data entry can lead to incorrect risk assessments and potential non-compliance with AML regulations.
- Inefficiencies: Double data entry is inherently inefficient, requiring more time and effort from staff. This duplication of work detracts from other valuable tasks and reduces overall productivity.
- Lack of Real-Time Data: The manual nature of the process means that data is not updated in real-time across systems. This can lead to inconsistencies and delays in accessing accurate information.
Lack of Integration and Real-Time Data Sync
Disjointed systems and the lack of real-time data synchronisation are major challenges in the traditional risk assessment process. These issues result in inefficiencies and potential errors, impacting the overall effectiveness of the process. Specific challenges include:
- Data Silos: Information is often stored in separate systems that do not communicate with each other. This creates data silos, where information is isolated and not readily accessible across the firm.
- Manual Data Transfer: The lack of integration between systems requires manual intervention to transfer data from one system to another. This process is time-consuming and increases the risk of errors.
- Delayed Updates: Without real-time data synchronisation, updates to client information are not reflected immediately across all systems. This can lead to outdated or inaccurate risk assessments and potential compliance issues.
Impact on the Business
The inefficiencies in the traditional process of client risk assessments can have significant impacts on the business:
- Client Drop-Off: The lengthy onboarding process and poor first impression can lead to client drop-off. Potential clients may choose to take their business elsewhere if the process is too cumbersome.
- Operational Inefficiencies: The manual, repetitive nature of the current process results in a loss of time and money. Delays in starting matters, billing, and completion times reduce overall efficiency.
- Reduced Revenue: Inefficient processes mean fewer billable hours and, consequently, lower revenue. Streamlining the risk assessment process can help increase profitability.
Regulatory Consequences of Non-Compliance

Non-compliance with AML regulations can have severe consequences for law firms. Regulatory bodies such as the SRA impose strict requirements for client risk assessments, and failure to comply can result in significant penalties. Key risks include:
- Fines and Penalties: Non-compliance can lead to hefty fines and penalties. For example, in the SRA’s recent enforcement actions, firms faced substantial fines for failing to conduct proper client risk assessments.
- Reputational Damage: Non-compliance can damage a firm’s reputation, leading to a loss of trust from clients and stakeholders. This can have long-term negative impacts on the firm’s business and client relationships.
- Legal Repercussions: In severe cases, non-compliance can result in legal actions and sanctions against the firm. This can include criminal prosecution and disqualification from practicing law.
Case study of AML Fines in the UK Legal Sector
Table of Fines
Date | Name of the Firm | Reason for the AML Fine | Context | Source |
---|---|---|---|---|
22 April 2024 | Ogden Lyles & Fox, Obaseki & Co, Fairhurst Menuhin & Co, Austen Jones Solicitors, David Barney & Co | Inadequate due diligence, improper use of client accounts, failure to conduct proper AML training, misleading statements, reliance on outdated AML manuals | The SRA issued over £76,000 in fines across multiple firms for various AML compliance failures, highlighting ongoing issues such as improper client account usage and inadequate risk assessments. | https://www.legalfutures.co.uk/latest-news/sra-anti-money-laundering-blitz-continues-with-76k-in-fines |
11 April 2024 | Austen-Jones Solicitors | Failure to train staff in AML, inadequate AML documentation for conveyancing work | Austen-Jones Solicitors was fined £15,200 for failing to train staff and not having necessary AML documents since starting conveyancing work in 2017. The firm failed to maintain a firm-wide AML risk assessment for almost six years, despite SRA guidance. They cooperated with the investigation and remedied the breaches. | https://www.lawgazette.co.uk/news/london-firm-fined-15k-for-failing-to-train-staff-in-aml/5119331.article |
27 June 2022 | Clarkes Law LLP | Incorrectly declaring proper AML risk assessment, failure to maintain compliant AML policies and procedures | Clarkes Law LLP was fined £2,000 and £1,350 in costs for not having a compliant AML risk assessment and inadequate policies until February 2022. The firm’s failures included outdated guidance and insufficient staff training. Despite these issues, there was no evidence of harm to consumers, and the firm cooperated with the investigation and showed remorse. | https://www.lawgazette.co.uk/news/firm-fined-after-wrongly-saying-it-had-proper-aml-risk-assessment/5112926.article |
22 February 2024 | Fairbrother & Darlow | Lack of compliant firm-wide risk assessment, policies, controls, and procedures | Fairbrother & Darlow was fined £16,000 for AML compliance failures, including no compliant AML controls for nearly six years. The firm made an incorrect compliance declaration and only remedied the breaches in 2023. The SRA found the firm’s non-compliance to be reckless and potentially harmful to public confidence in the legal profession. | https://www.legalfutures.co.uk/latest-news/berkshire-firm-hit-with-16k-fine-for-aml-compliance-failures |
23 June 2021 | Cartwright Solicitors, Morrison Spowart Solicitors, Alister Pilling, Fairhurst Menuhin & Co Solicitors, JE Bennett Law Ltd, Charles Hoile Limited | Delayed compliance with new AML regulations, inadequate AML risk assessments | The SRA fined six firms £800 each for failing to meet AML obligations by the end of January 2020. This action marks the beginning of the SRA’s intensified enforcement against non-compliant firms, highlighting the need for rigorous client money checks and proper AML risk assessments. | https://www.lawgazette.co.uk/news/sra-begins-money-laundering-clampdown-with-six-firms-fined/5108953.article |
15 December 2023 | Angel Wilkins, Oakmount Law Solicitors | Lack of compliant risk assessment, inadequate AML policies and procedures | Angel Wilkins was fined £7,900 for a non-compliant AML risk assessment and lacking proper controls. Oakmount Law Solicitors was fined £3,120 for using a generic risk assessment and inadequate policies. Both firms cooperated with the SRA, showed remorse, and have since implemented compliant procedures. | https://www.lawgazette.co.uk/news/two-more-firms-fined-thousands-over-aml-failings/5118224.article |
7 July 2021 | Crawford & Company Legal Services Limited, Law Together LLP, Picasso Legal Limited, Smooth Law Limited, AB Corporate LLP, Hole & Pugsley, Lake Jackson | Delayed AML compliance declaration, inadequate risk assessments | The SRA fined seven firms £800 each for failing to make timely AML declarations required by January 2020. These firms delayed their declarations for over a year, violating SRA conduct rules. This action follows a similar round of fines the previous month. | https://www.lawgazette.co.uk/news/sra-fines-fresh-batch-of-firms-for-breaching-aml-rules/5109108.article |
18 January 2024 | Brinley Morris Rees & Jones | Reliance on outdated AML manual from 2003, failure to update AML policies and procedures | Richard Lionel Jones, owner of Brinley Morris Rees & Jones, was fined £14,100 for not updating the firm’s AML manual since 2003. The firm lacked a compliant risk assessment and failed to verify client funds properly. Jones’s declaration of compliance in 2020 was found inaccurate. The firm was shut down by the SRA in June after its parent company entered administration. | https://www.lawgazette.co.uk/news/hefty-fine-for-law-firm-owner-who-relied-on-2003-aml-manual/5118461.article |
19 October 2022 | Multiple firms | Routine non-compliance with AML regulations, lack of proper risk assessments, inadequate client/matter risk documentation | The SRA is extending automatic fines for AML non-compliance to ensure faster enforcement. Recent inspections revealed significant gaps in firms’ AML processes, with most firms only partially compliant. The SRA emphasizes the importance of proper AML procedures and has published a warning notice and guidance to help firms improve compliance. | https://www.lawgazette.co.uk/news/automatic-fines-likely-for-firms-still-failing-on-aml/5117596.article |
17 January 2024 | TTS Legal Ltd | Failure to verify sources of funds for property transactions, lack of firm-wide risk assessment until 2020 | TTS Legal Ltd was fined £23,216 for AML breaches, including not verifying client funds in three property deals from 2018 to 2020. The firm had no risk assessment until January 2020 and failed to properly scrutinize client funds, posing potential money laundering risks. The fine was 2% of its turnover, reduced by 20% for mitigating factors. | https://www.lawgazette.co.uk/news/sra-imposes-near-maximum-fine-for-breaching-aml-rules/5118434.article |
11 July 2023 | Bevan-Evans & Capehorn Solicitors LLP | No documented AML risk assessment for over four years, outdated AML policies and controls | The SRA fined Bevan-Evans & Capehorn Solicitors LLP £4,000 for serious AML compliance failures, including lacking a documented risk assessment from June 2017 to October 2021 and not having updated AML policies for five years. The firm also failed to nominate a money laundering compliance officer, breaching public trust and confidence. | https://www.lawgazette.co.uk/news/firm-without-aml-risk-assessment-for-four-years-fined-by-sra/5116603.article |
28 October 2022 | Pinkney Grunwells | Failure to maintain compliant AML risk assessment, inadequate policies and procedures, incomplete client due diligence | Pinkney Grunwells was fined £2,000 for failing to meet AML regulations. The firm incorrectly declared compliance and lacked proper systems to identify risky transactions. They did not renew customer due diligence, failed to conduct employee screening during employment, and lacked an independent AML audit. Despite these breaches, there was no consumer harm, and the firm showed remorse and cooperation. | https://www.lawgazette.co.uk/news/reckless-firm-not-meeting-aml-requirements-fined-2000/5114117.article |
The most consistent pattern across these cases is the failure of law firms to maintain up-to-date and compliant AML policies and risk assessments. Many firms also exhibit a lack of adequate training for their staff on AML procedures.
- Widespread Non-Compliance:
  - Firms consistently fail to maintain compliant AML risk assessments and update AML policies.
- Inadequate Training and Procedures:
  - A significant number of firms were fined for failing to train staff adequately in AML procedures.
  - Outdated or non-existent AML manuals and reliance on outdated guidance are common issues.
- Failure to Conduct Proper Due Diligence:
  - Many firms were penalised for inadequate or weak client due diligence and verification of client funds, particularly in property transactions.
  - Lack of proper client/matter risk documentation is a recurring problem.
- Delayed Compliance and Declarations:
  - Firms often delayed compliance with new AML regulations and were late in making required declarations.
Improving Client Risk Assessments

Let’s explore some strategies and best practices for enhancing the client risk assessment process.
Invest in Setup & Workflow Design
The first step in improving client risk assessments is to invest in setting up a robust workflow design. This involves mapping out the entire onboarding process, from initial client instruction to the final risk assessment. Key considerations include:
- Process Mapping: Clearly define each step in the risk assessment process. This includes initial client contact, data collection, verification, and continuous monitoring.
- Modern Templates and Technologies: Explore modern templates and technologies that can streamline the process. Customisable templates can be tailored to the specific needs of the firm, reducing the reliance on generic forms.
- Training and Compliance: Ensure that all staff are trained in the new workflow and understand the importance of compliance. Regular training sessions can keep staff updated on the latest regulations and best practices.
Ditch Word & Excel
Moving away from traditional tools like Word documents and Excel sheets can significantly improve the efficiency and accuracy of client risk assessments. Consider adopting integrated systems that offer real-time data synchronisation and automation. Benefits include:
- Integrated Systems: Use platforms that integrate with your existing tools and systems. This reduces the need for manual data entry and ensures that information is updated in real-time across all systems.
- Automation: Automate repetitive tasks such as data entry, verification, and monitoring. Automation can reduce the administrative burden on staff and minimise the risk of errors.
- Client Portals: Implement client portals that allow clients to enter their information directly into the system. This reduces the need for back-and-forth communication and speeds up the onboarding process.
Funnel Your Data into Risk Assessments
Aligning questionnaires with risk assessments can streamline the data collection process and reduce manual reconciliation. This involves:
- Customisable Questionnaires: Design questionnaires that are tailored to your firm’s specific needs and risk appetite. Customisable questionnaires can trigger conditionals based on the client’s responses, making the process more efficient.
- Pre-Populated Forms: Use pre-populated forms to reduce the need for clients to enter the same information multiple times. This can improve the client experience and speed up the process.
- Data Integration: Ensure that data collected through questionnaires is automatically funneled into the risk assessment system. This reduces the need for manual data entry and ensures consistency.
Breakdown and Weighted Sections
Dividing risk assessments into sections and assigning weighted scores to each section can improve the accuracy and effectiveness of the process. Consider the following:
- Sectional Approach: Break down risk assessments into specific sections such as client identity, source of funds, transaction details, and geographical risk. This allows for a more detailed and focused assessment.
- Weighted Scores: Assign weighted scores to different sections based on their importance. For example, a client’s geographical location might have a higher weight if they are from a high-risk country.
- Override System: Implement an override system that allows for adjustments based on the specific circumstances of each client. This ensures that the risk assessment is accurate and reflects the actual risk.
Evaluate Country Risks
Assessing country risks is a crucial part of client risk assessments, especially for clients with connections to high-risk jurisdictions. Steps include:
- High-Risk Countries List: Compile and regularly update a list of high-risk countries based on sources such as the Financial Action Task Force (FATF) and Transparency International.
- Country Risk Data Integration: Integrate country risk data into your risk assessment system. This allows for automatic risk scoring based on the client’s geographical connections.
- Enhanced Due Diligence (EDD): Apply enhanced due diligence for clients from high-risk countries. This includes additional checks and ongoing monitoring to mitigate the risk.
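The weighted sections, override system and country-risk trigger described in the two sections above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the weights, the 0 to 10 scale, the thresholds, the placeholder country codes and the rule that refuses a downgrade below enhanced when a high-risk country is involved are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed weights: the article names these sections but gives no numbers.
SECTION_WEIGHTS = {
    "client_identity": 0.25,
    "source_of_funds": 0.30,
    "transaction_details": 0.20,
    "geographical_risk": 0.25,
}
# Constructed placeholder codes, NOT a real list; load yours from the
# sources your firm relies on and keep it updated.
HIGH_RISK_COUNTRIES = {"XA", "XB"}
LEVELS = ("simplified", "standard", "enhanced")  # due diligence, lowest first


@dataclass
class Assessment:
    score: float          # weighted score, 0 (lowest risk) to 10 (highest)
    rating: str           # low / medium / high
    due_diligence: str    # simplified / standard / enhanced
    country_hits: list    # high-risk countries the client is connected to
    overrides: list = field(default_factory=list)  # audit trail of manual changes


def assess(section_scores, countries, high_risk=HIGH_RISK_COUNTRIES):
    """Score one client/matter. section_scores maps section name -> 0..10."""
    hits = sorted({c.upper() for c in countries} & set(high_risk))
    scores = dict(section_scores)
    if hits:
        # A high-risk connection pins the geographical section at the maximum.
        scores["geographical_risk"] = 10
    missing = set(SECTION_WEIGHTS) - set(scores)
    if missing:
        # An unanswered section blocks the assessment; it never counts as zero risk.
        raise ValueError(f"sections not assessed: {sorted(missing)}")
    for name in SECTION_WEIGHTS:
        if not 0 <= scores[name] <= 10:
            raise ValueError(f"{name} score out of range 0..10")
    total = round(sum(SECTION_WEIGHTS[n] * scores[n] for n in SECTION_WEIGHTS), 2)
    # Assumed thresholds; set them to match the firm's own risk appetite.
    if total < 3.5:
        rating, level = "low", "simplified"
    elif total < 6.5:
        rating, level = "medium", "standard"
    else:
        rating, level = "high", "enhanced"
    if hits:
        level = "enhanced"  # EDD applies whatever the weighted total says
    return Assessment(total, rating, level, hits)


def apply_override(assessment, new_level, reason, approver):
    """Manually adjust the due diligence level and record who did it and why."""
    if new_level not in LEVELS:
        raise ValueError(f"unknown level: {new_level}")
    if not reason.strip() or not approver.strip():
        raise ValueError("override needs a written reason and a named approver")
    if assessment.country_hits and new_level != "enhanced":
        # Assumed policy: country-triggered EDD cannot be overridden downwards.
        raise PermissionError("high-risk country connection requires enhanced")
    assessment.overrides.append({
        "from": assessment.due_diligence, "to": new_level,
        "reason": reason, "approver": approver,
    })
    assessment.due_diligence = new_level
    return assessment


if __name__ == "__main__":
    # Constructed sample answers for one matter.
    answers = {"client_identity": 2, "source_of_funds": 3,
               "transaction_details": 2, "geographical_risk": 1}
    print(assess(answers, ["GB"]))
    print(assess(answers, ["xa"]))
```

Feeding questionnaire answers straight into `assess` is what removes the double entry described earlier: the same structured answers produce the score, the due diligence level and the override audit trail.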
Use of Automation and AI
Leveraging automation and artificial intelligence (AI) can transform the risk assessment process by reducing manual effort and improving accuracy. Consider the following applications:
- Automating Repetitive Tasks: Use automation to handle repetitive tasks such as data entry, verification, and monitoring. This frees up staff to focus on more complex and value-added activities.
- AI-Powered Risk Assessments: Implement AI-powered tools that can analyse large volumes of data and identify patterns indicative of money laundering or terrorist financing. AI can provide real-time alerts and insights, enhancing the overall effectiveness of the risk assessment process.
- Continuous Improvement: Use AI to continuously improve the risk assessment process by learning from past assessments and outcomes. This ensures that the system adapts and evolves to address emerging risks.
Conclusion
Improving client risk assessments is not just about compliance; it’s about transforming the way law firms operate. By investing in modern tools and technologies, firms can streamline their processes, reduce administrative burdens, and enhance client satisfaction. The benefits extend beyond compliance, leading to increased revenue, better risk management, and a stronger reputation. Legal firms that embrace these improvements are well-positioned to thrive in an increasingly regulated and competitive environment.
