Beyond Compliance: The Strategic Value of Firm Wide Risk Assessments - DG Legal


Firm wide risk assessments (FWRAs) are essential for managing regulatory and financial crime risks in UK law firms. Unlike client or matter level checks, a FWRA examines the whole practice, including its client base, services, jurisdictions, delivery methods and internal controls. As financial crime threats continue to increase and regulatory scrutiny intensifies, a FWRA is not just a requirement; it is a central part of a firm’s overall risk management.

Regulatory Requirements 

Under Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), firms that are within scope must keep a documented FWRA, and the Solicitors Regulation Authority (SRA) expects this assessment to reflect the size and nature of the business.

The purpose of a firm wide risk assessment is to help firms identify the money laundering risks they are, or could be, exposed to, and consider how any risks could be mitigated. Essentially, it helps firms to take a risk-based approach to preventing money laundering. Firms must consider risks linked to higher-risk clients, complex ownership structures, conveyancing and corporate work, high-risk jurisdictions, remote service delivery and proliferation financing. 

In September 2022, an amendment to the MLRs 2017 introduced the requirement for practices to identify and mitigate the risk of Proliferation Financing (‘PF’). Under Regulation 18A, you are required to carry out a risk assessment which assesses the inherent proliferation financing risks your firm faces given your clients, services, geography and delivery channels. You may include this as part of your firm wide risk assessment, or you may create a standalone document. 

Why It Matters 

Failing to maintain a FWRA is a breach even when no money laundering occurs.

The SRA has reaffirmed that firms supervised under the Money Laundering Regulations must maintain a firm wide risk assessment reflecting the nature and volume of regulated work undertaken (see the SRA guidance page “Firm-wide risk assessments”).

Over the years, the SRA has issued notices and guidance reminding firms that having a FWRA has been a requirement since 2017. To date, however, a substantial proportion of firms have yet to implement one, or have a FWRA that has not been maintained or is inadequate.

As part of its risk-based supervisory work, the SRA has increased its engagement with firms and frequently carries out desk-based reviews (DBRs) and AML inspections to ensure firms in scope of the MLRs 2017 are complying with their legal obligations under the legislation. This is an ongoing, rolling programme in which several firms are selected each month, so the chance of any given firm being audited is increasing.

One key area of focus for the SRA is the FWRA. The SRA scrutinises the firm’s ability to identify and assess the money laundering risks it faces, and often finds that FWRAs are outdated or overly generic.

A well-prepared FWRA helps the firm understand where its risks lie, supports proportionate controls such as enhanced due diligence and senior sign-off, and highlights broader risks including sanctions exposure and governance weaknesses.

Recent SRA AML Annual Reports confirm that FWRAs remain one of the most common areas of non-compliance identified during inspections, and that firms are frequently criticised for using generic, template-style assessments that do not reflect the true nature, size or risk profile of the business. The SRA has made clear that such documents are inadequate, and that firms must tailor their FWRA.

Outcomes

Data from recent SRA reports shows that a substantial proportion of AML supervisory engagements result in required improvements, and only a relatively small proportion of firms are found to be fully compliant. 

Below are the steps the SRA might take at the end of an AML DBR or inspection: 

  • Guidance: a firm is doing well and is compliant with the standards required in the MLRs 2017. This includes cases where the firm needs to make minor changes. 
  • Letters of engagement: partially compliant firms, where there are some elements of a firm's controls that need improving, but there is some good practice, and the firm is generally doing well at preventing money laundering. 
  • Compliance plan: partially compliant firms where the SRA has more widespread concerns. The SRA implements a compliance plan where several elements of a firm’s controls need improving or where the level of non-compliance is of concern. A compliance plan sets out a series of actions the firm needs to take, and by when, to bring it back into compliance with the regulations.
  • Referral for investigation: where the SRA finds significant or widespread non-compliance, it will refer firms for investigation and possible enforcement action. This might result in a regulatory sanction. Where necessary, it will also set up a compliance plan to assist the firm in meeting its obligations.

Recent Notable Cases 

In March 2025, the London office of Simpson Thacher & Bartlett was fined £300,000, plus costs, after operating for years without a compliant FWRA.

In May 2025, a four-partner recognised body was fined the maximum £25,000 for not having a compliant FWRA for nearly eight years. In the same month, another recognised body was referred to the Solicitors Disciplinary Tribunal and subsequently fined £120,000 for failings including a lack of a compliant FWRA over a 15-year period.

In July 2025, Amphlett Lissimore Bagshaws LLP was fined £114,000 for long-standing AML and risk assessment failures. That same month, thirteen firms received a combined £275,000 in fines for similar shortcomings.

Several other firms have also faced sanctions related to missing or inadequate FWRAs. These include a small firm fined £20,000 for failing to have any FWRA despite conducting high-risk conveyancing work, a firm fined £7,900 for submitting a non-compliant FWRA, and another fined £5,215 for operating without a FWRA or an MLRO for extended periods.

Another notable case involved a solicitor who was struck off after handling approximately £8.8 million in unverified client funds and failing to carry out adequate due diligence. Contributing to the decision was his admission to the SRA that he did not know what a FWRA was, despite having declared to the SRA in 2019 that the firm had one in place. The case demonstrates how an inadequate FWRA can lead to systemic weaknesses that expose firms and individuals to the most serious regulatory outcomes.

Keeping It Up to Date

A FWRA must be reviewed and updated at least annually, and immediately whenever there are significant changes to the firm’s business, client base, jurisdictions, or risk environment, and always after a sectoral update by the SRA or other relevant bodies.

After updating your FWRA, you must ensure your firm’s policies, controls and procedures (PCPs) are updated accordingly to mitigate identified risk areas, including enhanced due diligence on PEPs, fund source validation and screening related to emerging jurisdictions or informal transfer channels. 

The FWRA should be approved by senior management and stored in a central location that is easily accessible to all staff members involved in risk assessment and mitigation, as well as those who interact with clients or potential clients, just like the firm’s PCPs. Ensure all staff, particularly fee earners working on in-scope matters, have access to the relevant documentation and receive appropriate training. 

Conclusion 

A FWRA is the backbone of a firm’s AML framework. When kept up to date and genuinely reflective of the firm’s work, it strengthens due diligence, supports informed decision-making and protects the firm’s reputation. 

A strong FWRA provides the foundation upon which all other AML controls are built, including client and matter risk assessments, EDD triggers, sanctions screening processes and governance arrangements. Conversely, weak or generic FWRAs are one of the strongest predictors of wider AML failings, something repeatedly confirmed through SRA enforcement actions, where over half of reviewed firms each year are found to have missing or inadequate assessments. 

Given the regulator’s increasingly zero-tolerance stance and the substantial fines issued to both small firms and global practices, treating the FWRA as a living, evolving document is not only a regulatory requirement but also a key safeguard against financial crime, operational risk and reputational damage.

At DG Legal, we ensure that all our retainer clients who provide services within scope of the MLRs 2017 have a compliant FWRA and maintain it appropriately. If you need support preparing or updating your FWRA, please get in touch by email: consultants@dglegal.co.uk or by phone: 01509 214 999 and our team of specialists will help you understand the SRA’s expectations and develop a compliant assessment tailored to your practice.