SRA Sectoral Risk Assessment

Oct 1, 2025 | Article

The SRA published its latest Sectoral Risk Assessment on Anti-money laundering and terrorist financing on 31/7/25, following the publication of the National Risk Assessment. 

Emerging risks

There are some new “emerging risks”, some of the previous “emerging risks” (vendor fraud, proliferation financing and supply chain risk) have been moved as they are now seen as ‘part of the risk landscape’, some other paragraphs have been moved around (to keep us on our toes ) and there are some new bits added in places, including in the sanctions section.  A lot of the content remains the same as in the March 2024 version however.

Obviously the new “emerging risks” are important to pay attention to and add to your FWRA:

  1. Capital flight from high-risk countries: Global political shifts including autocratic regime changes – such as the collapse of Sheikh Hasina’s government in Bangladesh in August 2024 – can trigger an influx of politically exposed persons (PEPs) and/ or illicit funds into the UK, often concealed through offshore companies or accounts, and an associated rise in attempted property purchases. Informal value transfer systems, such as Hundi or Hawala (aka ‘underground banking’) may be used to get funds out of the country (to avoid detection). This heightens the need for robust Enhanced Due Diligence (EDD) to verify source of funds, ownership and client legitimacy when dealing with clients or funding from such countries.
  2. Client account issues: The SRA has seen a rise in poor client account practices which could inadvertently enable money laundering. Key issues include using client accounts as a banking facility (i.e. like a bank account) (breach of R3.3 Accounts Rules), holding funds for longer than necessary (breach of R2.5), and inaccurate ledger entries (e.g. cash purchase funds being described as a mortgage), all of which risk obscuring the true origin or purpose of funds.
  3. Poor CDD scrutiny: Even though firms may be collecting client due diligence (CDD), they may fail to properly scrutinise it, missing inconsistencies and red flags. Examples given include a client’s appearance and age not matching the photo ID provided, no payslips to back up salary claims, superficial reading of source of funds and over-reliance on e-verification. The other concern is diffusion of responsibility when it comes to AML with everyone thinking it’s someone else’s job. Fee earners should treat AML as a personal responsibility.
  4. Changing firm business models: The SRA has concerns about the rise of consultancy-based firms post-Covid with their decentralised nature posing challenges for maintaining and enforcing consistent AML compliance. MLCOs and MLROs are required to be more vigilant and proactive, ensuring new consultants are trained and understand/ adhere to the firm’s policies and procedures.

Technology and global economic uncertainty pressures remain in the “emerging risks” section, with reference to remaining alert to deepfake technology (although the SRA acknowledges they haven’t yet seen any evidence of its use), and a reminder that poorly-resourced AML systems and diminished headcount create AML weak points.

Other points of note:

  • As previously, the document includes a helpful list of the SRA’s guidance in the AML space (easier than trying to find things on their website ).
  • The most common weaknesses remain inadequate source of funds checks, independent audits, staff screening and matter risk assessments.
  • AML training is further emphasised.
  • Concerns remain about how firms spot PEPs and carry out EDD on them, particularly taking into account the difference between domestic and non-domestic PEPs.
  • There is specific reference to exercising caution when relying on accreditation schemes (such as Lexcel and CQS) to fulfil AML obligations, presumably due to the number of cases we are seeing of AML fines issued to such accredited firms.
  • A specific reminder has been added about what a Regulation 21 audit should cover.
  • The ‘Risk in the Legal Sector’ section (including ‘vulnerabilities’) is worth a read – tying it into the National Risk Assessment (NRA).
  • The additional ‘Risk Factors’ section provides a helpful reminder that ‘risk’ referred to in the document refers to the inherent level of risk before any mitigation (as opposed to the residual risk after mitigation is put in place) and that firms should not confuse low frequency of work with low risk. Indeed, being less familiar with a work type is likely to lead to higher AML risks due to having less of an appreciation of current risks/ what is reasonable etc.
  • Whilst the NRA assesses terrorism to be a low-risk area overall in the legal profession, the risk for trust or company service providers has been increased from low to medium. It is worth bearing this in mind if you do TCSP work.
  • The sections covering the 5 key risk areas (products & services, client, transaction, delivery channel & geographic) remain largely the same, but it’s always worth re-reading them to ensure your FWRA is up to date.
  • The Sanctions risk section now includes reference to OFSI designation of UK organisations (as a reminder that sanctions don’t only apply to overseas clients), the creation of OTSI (which will be of particular relevance to firms involved in aviation, international trade or shipping work), the SRA’s sanctions monitoring work noting that most sanctions breaches relate to failing to comply with general or specific licences, and a reminder that designated persons may use countries, which aren’t themselves on a government list but which neighbour those that are, to hide their assets.

Next steps

 

  • Update your Firm Wide Risk Assessments (FWRA) to reflect the updated Sectoral Risk Assessment as soon as possible (remembering to keep a copy of the old version for SRA reference). (For retainer clients we have updated our template documents to assist you with this).
  • Review your client and matter risk assessment and source of funds processes and ensure staff are following them/ documenting their thought processes.
  • Ensure staff are being provided with, and are completing, adequate AML & sanctions training (and remember to keep a central record of training provided and ensure staff are keeping their own record).
  • Check when you last had a Regulation 21 Independent audit, whether you have completed the recommended improvements, and get the next one booked in!