The Money Laundering Regulations 2017 require every SRA-regulated solicitor to carry out a firm-wide risk assessment. This is not optional. It is the foundation of your anti-money laundering (AML) compliance framework. Without it, your firm cannot demonstrate that its client due diligence, ongoing monitoring, or internal reporting are proportionate to the risks you face.

Many solicitors treat the risk assessment as a box-ticking exercise. That is a mistake. The SRA inspects these documents with care, and a poorly structured assessment can lead to regulatory action. This guide explains how a solicitor should structure a compliant and practical AML risk assessment for their firm.

Why the AML Risk Assessment Matters for a Solicitor

The firm-wide risk assessment is the document that records your firm's exposure to money laundering. It must cover three broad areas: the risks posed by your clients, the risks posed by the services you provide, and the risks arising from the jurisdictions in which you operate. The SRA expects this to be a living document, reviewed at least annually or when your practice changes materially.

For a solicitor, the consequences of getting this wrong are serious. The SRA can impose a fine, a rebuke, or, in the worst cases, a referral to the Solicitors Disciplinary Tribunal. In 2023, the SRA fined several firms for failing to maintain adequate AML risk assessments. These fines typically ran into tens of thousands of pounds. A proper assessment protects your firm, your clients, and your professional reputation.

Structuring the Firm-Wide Risk Assessment

A good risk assessment follows a logical structure. It should be written in plain English, avoid jargon, and be easy for your COLP or COFA to update. Below is a template structure that works for most high-street solicitors, whether you are a sole practitioner or a multi-partner LLP.

1. Firm Profile and Context

Start with a brief description of your firm. Include your SRA number, the number of fee-earners, the types of legal services you offer, and your typical client base. This section sets the scene for the risk analysis that follows.

Example: "Smith & Jones Solicitors is a three-partner high-street firm in Birmingham. We specialise in residential conveyancing, probate, and family law. We have five fee-earners and handle approximately 200 matters per year. Our clients are predominantly individuals, with a small number of corporate clients for commercial property work."

2. Money Laundering and Terrorist Financing Risks

This section should identify the specific money laundering typologies relevant to your firm. The National Risk Assessment (NRA) published by HM Treasury is your starting point. For a solicitor, the most common risks include:

  • Property purchases using unexplained wealth. A client buying a house with cash from an unknown source.
  • Third-party funding. A family member or friend providing funds without a clear legitimate source.
  • Complex ownership structures. A corporate client with multiple layers of ownership that obscure the beneficial owner.
  • Trusts and offshore structures. A trust used to hold assets without a clear commercial rationale.
  • Proceeds of crime. A client who is known to have been involved in fraud, bribery, or tax evasion.

For each risk, explain how it could arise in your practice. A conveyancing solicitor might note that a client purchasing a property through a company registered in a high-risk jurisdiction is a red flag. A probate solicitor might note that a deceased estate with multiple beneficiaries from different countries creates complexity.

3. Client Risk Assessment

This is the most important section. You must assess the risk posed by your typical client types. The regulations require you to consider the client's identity, the source of their funds, and the nature of their business or occupation.

Create a simple risk matrix: low, medium, high. Assign each client type a risk rating based on objective criteria.

Example client risk categories for a solicitor:

  • Low risk: A UK resident individual buying a residential property with a mortgage from a UK bank, where the funds come from a UK salary. A local business with a clear trading history and UK directors.
  • Medium risk: A UK resident individual buying a property with a large cash deposit from a family gift. A company with a complex group structure but UK-based operations.
  • High risk: A politically exposed person (PEP) from a high-risk jurisdiction. A client using a trust or offshore company with no clear commercial reason. A client who is a professional intermediary (e.g., another solicitor or accountant) acting on behalf of an undisclosed principal.

Your client risk assessment must be applied consistently. Do not rely on gut feeling. Use objective indicators such as the client's country of residence, the source of funds, and the complexity of the transaction.

4. Service-Specific Risk

Different legal services carry different money laundering risks. The SRA's thematic review of AML compliance found that conveyancing and corporate work are the highest-risk areas for solicitors. Probate and litigation are generally lower risk, but still require attention.

Example service risk ratings for a solicitor:

  • High risk: Residential conveyancing (especially cash purchases), commercial property, corporate restructuring, trust formation.
  • Medium risk: Probate (especially where there are multiple beneficiaries or overseas assets), litigation (where settlement funds are paid through the firm's client account).
  • Low risk: Family law (where no property or large sums are involved), employment law, advice-only work.

For each service, explain why it carries that risk. A conveyancing solicitor should note that property transactions are a common vehicle for money laundering because they involve large sums and can be structured to obscure the source of funds.

5. Geographic Risk

You must assess the risk posed by the jurisdictions in which your clients are based or from which their funds originate. The Financial Action Task Force (FATF) maintains a list of high-risk jurisdictions. The UK government also publishes its own list of high-risk countries.

For a typical high-street solicitor, geographic risk is usually low because most clients are UK residents. But if you act for a client from a high-risk jurisdiction, you must apply enhanced due diligence (EDD).

Example: "Our firm acts for a small number of clients from Nigeria and Pakistan, both of which are on the FATF list of jurisdictions with strategic AML deficiencies. We apply EDD for all such clients, including verifying the source of funds through independent bank statements and obtaining a legal opinion on the legitimacy of the funds."

6. Delivery Channel Risk

How do clients interact with your firm? If you meet clients face-to-face, the risk is lower because you can verify identity in person. If you take instructions online or by post, the risk is higher because you cannot rely on physical verification.

Most solicitors still meet clients in person for initial instructions. But if you offer remote services, you must have robust identity verification procedures. The SRA expects you to use electronic verification tools (e.g., a credit reference agency check) for remote clients.

7. Overall Risk Rating and Mitigation

After assessing each risk category, assign your firm an overall risk rating. Most high-street solicitors will be medium risk. A firm that only does conveyancing for high-net-worth clients from high-risk jurisdictions would be high risk.

Then list the controls you have in place to mitigate those risks. These should include:

  • Your client due diligence (CDD) procedures, including when you apply simplified or enhanced due diligence.
  • Your ongoing monitoring procedures, including how you review existing clients.
  • Your internal reporting procedures, including who is the nominated officer (MLRO).
  • Your staff training programme, including how often training is delivered and who attends.
  • Your record-keeping procedures, including how long you keep CDD records (five years after the end of the business relationship).

Example: "Our firm is rated medium risk overall. We mitigate this by applying CDD to all clients, using electronic verification for identity and address. We apply EDD to all high-risk clients, including PEPs and clients from high-risk jurisdictions. We train all fee-earners annually on AML obligations. Our COFA reviews the risk assessment every six months."

Common Mistakes Solicitors Make

The SRA's enforcement data shows several recurring errors in firm-wide risk assessments. Avoid these:

  • Generic text. Do not copy a template from another firm. Your assessment must reflect your specific practice.
  • No client risk matrix. A list of client types without a risk rating is not an assessment.
  • Ignoring geographic risk. If you act for clients from high-risk jurisdictions, you must address this explicitly.
  • No review date. The assessment must be dated and reviewed regularly.
  • No link to policies. Your risk assessment should cross-reference your AML policy, CDD procedures, and training records.

Integrating the Risk Assessment with Your AML Policy

Your firm-wide risk assessment is not a standalone document. It should inform your AML policy and procedures. For example, if your risk assessment identifies conveyancing as high risk, your AML policy should require enhanced due diligence for all cash purchases. If your risk assessment identifies PEPs as high risk, your policy should require a senior partner to approve any new PEP client.

Many solicitors keep the risk assessment and AML policy as separate documents, but they should be cross-referenced. The risk assessment explains why you have certain procedures. The policy explains how you apply them.

For more detailed guidance on the SRA Accounts Rules and how they interact with AML obligations, see our SRA Accounts Rules Essentials guide. If you are a COFA, our COFA Fundamentals guide covers the specific responsibilities of that role.

Practical Steps to Complete Your Assessment

If you have not yet completed a firm-wide risk assessment, or if yours needs updating, follow these steps:

  1. Gather data. Review your client list for the last 12 months. Identify the types of clients, the services you provided, and the jurisdictions involved.
  2. Use the NRA. Download the latest National Risk Assessment from the Home Office website. Use it to identify the money laundering typologies relevant to your practice.
  3. Draft the assessment. Follow the structure above. Be specific. Use examples from your own practice.
  4. Review with your COLP or COFA. The risk assessment should be signed off by the COLP or COFA. They are responsible for ensuring it is adequate.
  5. Train your staff. Share the assessment with your fee-earners. They need to understand the risks you have identified and how to apply CDD accordingly.
  6. Set a review date. Put a reminder in your calendar to review the assessment in 12 months, or sooner if your practice changes.

If you need support with your AML compliance, our COFA compliance support service can help you review and update your risk assessment and policies. We also offer a free firm health check that covers AML compliance as part of the review.

Final Thoughts

A well-structured AML risk assessment is not just a regulatory requirement. It is a practical tool that helps your firm identify and manage the real risks of money laundering. For a solicitor, the consequences of a poor assessment can be severe. Take the time to get it right.

The structure outlined in this guide works for most firms. Adapt it to your specific practice. Be honest about your risks. And review it regularly. Your COLP, COFA, and the SRA will thank you for it.

If you are unsure whether your current risk assessment meets the SRA's expectations, speak to a legal-sector-specialist accountant who can review it with you. Every firm is different, and a one-size-fits-all approach rarely works for AML compliance.