All law firms that carry out work within the scope of the Money Laundering, Terrorist Financing, and Transfer of Funds Regulations 2017 (MLRs) are required to have a written firm-wide risk assessment (FWRA) in place. This document (also known as a practice-wide risk assessment (PWRA)) is separate to assessments of risk for individual clients or matters.

The FWRA must identify and assess the risks of money laundering and terrorist financing that may affect firms. The contents of the risk assessment are key to determining how the firm will apply a risk-based approach to its compliance with the MLRs as reflected in its policies and procedures.

LSAG guidance states, “The PWRA is the central reference point for how a practice protects itself from money laundering and terrorist financing. The better the quality of the PWRA, the easier it will be for the practice to take a risk-based approach to protecting their business, which allows for greater efficiency and efficacy. The PWRA must be comprehensive, tailored to the practice, accurate and kept up to date.”

We spoke with Kate Burt about why firm-wide risk assessments are an integral part of your law firm’s AML strategy.

When would a law firm need to show their firm-wide risk assessment to the SRA or other regulators?


There are a number of different scenarios where you may be required to present your FWRA:

  • As part of proactive visits or a rolling programme
  • Following a report or complaint received
  • As part of regulators’ standard thematic review

For more information about what to expect during an SRA visit, see the on-demand webinar and the SRA website in relation to firm inspections.

Some of the most common areas missed from FWRAs as confirmed in the SRA’s AML annual report 2021-22 are as follows:

  • Areas identified in the SRA’s own sector risk assessment
  • Transaction type
  • Delivery channels

The FWRA must set out mitigating measures to offset the identified risks. One way to achieve this is to leverage legal tech.

Firms that use Legl are able to actively mitigate risk identified in their FWRA and evidence their workings with full audit trails should they ever be called upon to demonstrate this.

Through Legl’s MLRO dashboard, firms are able to have oversight of CDD activity to help manage their AML risks.

Best practice for creating a firm-wide risk assessment:


Section R18(4) of the LSAG guidance states that you must record all steps taken to review the firm-wide risk assessment – “These steps may include interviews with appropriate individuals across the practice, and reviews of recent client/matter risk assessments in order to assess whether these have an impact on the overall risks to the practice.”

When creating your practice’s firm-wide risk assessment, do your groundwork and ensure audit trails for all your workings. If the person completing this document is inexperienced or under-resourced, it’s best to seek support from a specialist.

The use of templates for creating a firm-wide risk assessment


Kate supports using a template as a starting point to provide a framework and an indication of how information can be presented. Kate offers caution with a template approach, as your practice’s FWRA must be bespoke and include firm-relevant mitigating controls. As emphasised in LSAG guidance 5.12, “You must make sure that the use of a template does not lead to a tick-box approach to risk assessments.”

How often does a firm-wide risk assessment need updating?


“The PWRA is a living document and should be kept under continual review. A practice should undertake periodic reviews (at least every one to two years) to help maintain the accuracy of the PWRA and review emerging risks. It is also important to ensure that the PWRA reflects changes in the practice.” LSAG 5.5

In addition to routine reviews, your FWRA may need updating in response to changes within the practice or legislation. Kate provides an example – where a firm working with residential conveyancing moves into the area of international commercial property, the firm would require amendments to their FWRA and mitigating controls. Other changes include (but are not limited to) new teams, firm mergers, and new partners with different risk profiles.

How to ensure mitigation of controls


Acting for individual clients without meeting them is a significant risk factor for a law firm. Mitigate this risk using a more robust approach to ID&V through our platform.

Legl gives firms a platform and tools to implement firm-wide risk and compliance processes, tailored to each department’s needs whilst delivering to key standards in bank-grade digital CDD and AML.

Legl’s International Company Reports helps your firm build a picture of your international business clients. This solution aids effective management of risk around client due diligence. With International Company Reports, you can access and view key company financials, people, credit information, and group structures in one comprehensive report.

The use of Legl in your toolkit can help to bring the risk profile of your firm down. Try it today!