Matter-based risk assessments were introduced in the 2017 Money Laundering Regulations (MLR). Fundamentally, the idea is you’re supposed to look at the client and matter, and decide how risky it is for money laundering or terrorist financing. You can then decide on the amount of client due diligence (CDD) you need to do. This is what the matter-based risk assessments are for.
There has been some high-level feedback on the struggles that lawyers are having with the introduction, given that they were all doing CDD before. Firms already had processes and procedures in place which didn’t include this step, and it’s been difficult to try and include it. Nevertheless, this is now the law.
By now, you’ll no doubt have a new process in place that includes matter-based risk assessments. However, this article will help you determine whether your new process is compliant and is going to work.
What does the law say about matter-based risk assessments?
The matter-based risk assessments regulation sits at Regulation 28(12)(a) of the MLR. It states:
“The ways in which a person complies with the requirements to take CDD measures must reflect:
- The firm’s risk assessment
- Its assessment of the level of risk arising in any particular case”
The first thing you should be aware of when you look at this is that it was primarily written for banks. When banks talk about commencing a business relationship, that means someone opening a bank account. When someone has an account they can make what constitutes as regulated transactions whenever they want through their bank account.
In the legal sector, this is slightly different. People can’t do transactions using lawyers without them knowing about it. So, the approach taken by banks would be to do a client-based risk assessment when an account is first opened, take the information they have, and set up something called ‘transaction monitoring’. Transaction monitoring is where they would use software to monitor certain behaviours and when something looks odd, this would trigger an alert of possible fraud and may block the account.
When the Regulation talks about ‘the level of risk arising in any particular case’, it’s talking about an account facet of the business relationship. For lawyers, although it doesn’t actually say the word ‘matters’ it means matters.
CDD is a matter-based activity, and the ‘CDD measures’ mentioned in the Regulation come in five parts:
- Matter risk assessment
- Identify the client
- Verify the client
- Purpose and nature checks (this is where the source of funds and source of wealth lives)
- Ongoing monitoring
So, to complete your CDD measures, you need to make sure that you’re approaching your purpose and nature checks on a matter-by-matter basis. You can return to the same client risk assessment, but you also have to add the particular factors of each matter, if there are any, into the risk assessment.
What does the SRA say about matter-based risk assessments?
The SRA did some work reviewing a number of files in 2019/2020. From that, they commented on the Regulation involving matter-based risk assessments, which included:
- 29% of the files didn’t have a written matter risk assessment: Although the Regulation doesn’t specifically say it has to be written down, it’s clear that the Regulators are looking to see a written record.
- There was no conclusion following the risk assessment: This is something we see quite a lot. Although it’s unclear why this is the case.
- Conflict with the firm’s risk assessment: Remember, it states in the Regulation that it must reflect ‘the firm’s risk assessment’. Therefore, if your firm’s risk assessment states that a particular department is high-risk, and you determine that a matter for that department is low-risk, it’s not consistent and they’ll pick up on this.
- Assumption the E-ID system did it for them: There are systems that incorporate this as part of the process, but one of the things that the regulator is aware of is the over-reliance on technology.
The SRA has expectations that fee earners should know how to do matter-based risk assessments properly and they must reflect the firm’s risk assessment, as there shouldn’t be a conflict between the two documents.
What part of matter-based risk assessments are causing lawyers to struggle?
One of the biggest issues we’ve seen is many lawyers are not sure of the purpose of completing a matter-based risk assessment. Although we’ve found that many law firms do have policies in place confirming that matter-based risk assessments are mandatory, there are still blank and incomplete forms on the files.
There are instances when risk assessments have been completed at the start of the matter. However, as further information is gathered, such as the source of funds and source of wealth, or further CDD, the risk assessments aren’t revisited and updated.
Another issue we’ve come across relates to risk assessments being completed to an extent, and the risks are rated low, medium, or high. However, there’s no narrative behind the risk rating, so it’s impossible to see how they’ve come to this conclusion.
Overall, many lawyers tend to carry out risk assessments, but the information they’ve gathered is all in their heads, and in many cases, there’s a failure to write anything down, and this is essential.
Carrying out risk assessments correctly is extremely important as if the SRA carry out an audit on your files, they need to see that you’ve actually considered the risks, recognised any red flags, and identified what level of due diligence should be done for that client.
Considering practice or firm-wide risk assessments
There can’t be a conflict between your matter-based risk assessment and your practice or firm-wide risk assessment. It’s therefore important that you get your firm’s risk assessment right.
Your practice or firm-wide risk assessment needs to reflect the National Risk Assessment. This has the following as high-risk:
- Trust and company service provision: Creation of trust, creation of companies, company secretarial work, and trust administration work are considered high-risk
- Conveyancing: Both residential conveyancing and commercial property are considered high-risk
- Misuse of client account: Anything going through the client account is considered high-risk
- Sham litigation: Although generally litigation is low-risk, sham litigation is an arrangement that’s considered high-risk
As well as reflecting the National Risk Assessment, your firm risk assessment also has to reflect the Regulator Sectoral Risk Assessment.
Considering client risk
The Regulation itself gives you an indication of what high-risk sectors are, such as oil, arms, precious metals, tobacco products, cultural artefacts, ivory. If a client operates in these sectors, they would be considered high-risk clients.
Clients who operate in cash-intensive businesses are also high-risk. These include businesses such as nail bars, car washes, barbers, fast food, and any businesses where people would legitimately pay in cash. Baddies often open businesses like these to launder their dirty money together with the legitimate cash earned.
Politically exposed people (PEPs) are also considered high-risk. The law doesn’t give you much wriggle room in this area. If a client is a politically exposed person and does a certain job, this is high-risk.
The financial Action Task Force (FATF) issues a list of jurisdictions where there’s a particular concern with their ability to handle anti-money laundering. This list is the high-risk third countries list. As FATF can’t take on face value that money from those jurisdictions is genuine, everyone dealing with that money has to check. This is why enhanced due diligence is required on high-risk third countries.
Considering matter risk
There has been a recent change in the MLR relating to matter risk. Regulation 19(4)(a)(i)(aa) did state:
“a transaction is complex or unusually large, and there is an unusual pattern of transactions, and…”
This has now changed to:
“a transaction is complex or unusually large, or there is an unusual pattern of transactions, or…”
You’ll note that the words ‘and’ have changed to ‘or’. When the word ‘and’ was included, it suggested that there would need to be a combination of things for it to trigger. However, this is not the case.
We’ve noticed that many firms still have the word ‘and’ in their policies and therefore their matter risk assessment process is looking for a combination rather than any individual factor. So, when lawyers are doing a matter risk assessment which is complex, unusually large, has an unusual pattern of transactions or no economic or legal purpose, these need to be triggered individually.
So, make sure you check your policies and make any necessary changes.
What does LSAG say about matter-based risk assessments?
Each regulator used to publish their own guidance. However, in 2017 the regulators got together and formed the Legal Sector Affinity Group (LASG). LASG then produced one set of guidance, the LASG guidance, to be used across the sector.
The LASG guidance confirms that matter-based risk assessments should not be a tick-box exercise but suggests you follow the below criteria:
- Talks about risk ratings
- Can have a template for similar cases, but it must not become a tick-box exercise
- Should assess and have regard to negative news results
- Suggest review of matter-based risk assessments on long-running matters – however, they don’t give an interval of how regular that should be
- Focus on recording reasoning for assessment
- Record why you’ve picked the CDD approach
When should you revisit matter-based risk assessments?
We know that there are things you simply can’t answer at the beginning of a case when completing a matter-based risk assessment. That’s why the matter-based risk assessment should be for the life of the file and not just a file-opening exercise.
Therefore, you need to consider all the stages where a matter-based risk assessment is needed. There are three particular stages when we believe this needs to be considered.
- When you’ve had an initial conversation with the client. You’ll have as much information as possible and are deciding whether there are any factors from the conversation that are causes for concern. This will determine what level of CDD we should do.
- When you’re undertaking CDD. Once you’ve received the documents from the client to undertake CDD, what you receive will either change your initial risk assessment or back it up. In reality, it’s only at this stage that you can do a proper risk assessment as you’ll now have all the CDD information.
- Before you potentially launder money. The last point in which to undertake a risk assessment is just before you do anything which could be laundering money. You should stop, revisit your risk assessment and update it before you potentially launder money.
It’s extremely important that you write everything down on your file. If it’s not written down, how are you going to prove that you’ve done it if something goes wrong? Regulators need to see that you’ve covered everything.
What help can be given to lawyers on matter-based risk assessments?
One way of ensuring lawyers complete a risk assessment in the first place is to make it mandatory in order for the file to be opened. However, although this helps ensure they complete one initially, they may only partially complete it or may not revisit and update it at key points of the case. We therefore suggest a three-step approach.
- Training: Training is key. Lawyers need to understand the importance of risk assessments and ensuring they receive good quality training can help significantly to drill down that point.
- File Reviews: A good way for firms to determine how lawyers are doing with their matter-based risk assessments is through file reviews. You’ll have a chance to discuss any specific issues and identify if there are specific departments that are struggling. This will allow you to revisit the training with them when it’s needed.
- Firm-wide risk assessment: If you’ve not already shared your firm-wide risk assessment, this may help. Lawyers will be able to see your thought process towards risk in different departments, and this will help them when completing their matter-based risk assessments.
Following this approach should help lawyers complete their matter-based risk assessments moving forward.
Get in touch
If you need any assistance with policy drafting and reviews, AML audits, or training, simply contact us and one of our experts will be in touch.