AML/CFT changes

Clients must now be risk-rated for AML/CFT purposes.

If a law firm is a reporting entity under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 it must:

• undertake a written risk assessment;
• have a written AML/CFT programme;
• appoint a compliance officer;
• conduct client due diligence (CDD);
• prepare an annual AML/CFT report;
• report suspicious activities and prescribed transactions.

From 1 June 2025, new obligations under the Anti-Money Laundering and Countering Financing of Terrorism (Requirements and Compliance) Regulations 2011, require firms to risk rate every new client as part of their AML/CFT processes.

New regulation 12AC of the Anti-Money Laundering and Countering Financing of Terrorism (Requirements and Compliance) Regulations 2011, introduces a requirement for reporting entities to assign a risk-rating to each new client when conducting standard or enhanced CDD. Firms must also keep a record of the client’s risk rating and review it as appropriate, in accordance with s 31 of the Act, which requires ongoing CDD and account monitoring.

For most firms, the risk-rating process  can be a simple, objective determination using a rating scale of low, medium, or high risk. Firms using the LEAP AML App can assign a risk-rating for the client when conducting their CDD.

In line with these changes the By Lawyers Practice Management guide has been updated. It now includes revised commentary on AML/CFT compliance under The Lawyer and Client Relationship, and new or amended Risk Assessment and Risk Assessment Review precedents for firms, clients, and matters. The AML/CFT Policy in the 101 Staff Handbook has also been updated accordingly.