The Art of Timing for Client Risk Assessment

Part 1: Identity Risk
With the spotlight intensifying on law firm compliance, and regulators handing out record-breaking fines, understanding the nuances of anti-money laundering (AML) regulation is no longer optional; it is essential. Firms can no longer afford to treat AML as a back-office concern. In this environment, knowing when and how to approach client due diligence is critical to staying on the right side of the regulations.
A Question of Timing
A common area of uncertainty relates to the timing and frequency of client identity verification (ID&V). While many practitioners feel confident about collecting ID&V at the outset of a client relationship, uncertainty tends to grow once that relationship is established and long-running.

Longstanding Clients
The instinct to avoid upsetting longstanding clients by asking for updated identification is still prevalent in many firms, but this approach is not supported by regulatory guidance.
The LSAG guidance makes it clear that there is no exemption in the Money Laundering Regulations for long-standing or familiar clients. Paragraph 6.2 confirms that personal relationships cannot replace independent verification. When handled sensitively, the client relationship can be preserved, and ‘blaming’ the increasing regulatory obligations can be a useful tactic when empathising with a client’s frustrations. Citing this paragraph to support your explanation that updated ID is not about distrust but about meeting legal obligations can also be effective.
Risk Based Approach
The regulations allow for a risk-based approach, which gives firms some flexibility but also creates uncertainty. There is no single answer for how frequently ID&V should be refreshed. This can leave fee-earners and compliance teams unsure whether their approach is proportionate or potentially deficient. The LSAG guidance, the legal sector’s definitive document for applying the regulations, helps to bridge that gap, encouraging firms to align ID&V practices with their own Practice-Wide Risk Assessment (PWRA). What is reasonable for one firm may not be for another, depending on the client base, the nature of the work, and the risks involved.
While ID&V is a core part of Customer Due Diligence (CDD), it is not the whole picture, and much of the regulation and sector guidance refers to CDD in a broad sense rather than breaking it down to the level of ID&V specifically. A robust client risk assessment considers the nature and purpose of the business relationship, the source of funds, jurisdictional risks, and other evolving factors. The process is not static. A piece of new information, a change in beneficial ownership, or a shift in the client’s risk profile or in the nature of the matter instructed should trigger further review, not just of ID&V, but of the entire risk assessment.
Internal Policy
In practice, some firms establish policies stating that ID&V must be updated every one to three years, or whenever a new matter is opened. Others link ID review to specific trigger points, for example, if a client is identified as a politically exposed person (PEP), or if enhanced due diligence (EDD) is required. Expired passports, address changes, or inconsistent client information should also prompt an immediate review.
The regulations themselves include explicit triggers. Regulation 27(9) outlines circumstances in which CDD must be reapplied, particularly where there is a doubt about the validity of previously obtained documentation, or where there is reason to believe the client’s identity may have changed. There are also links between AML and tax compliance requirements. If a firm has a legal obligation to contact a client under the International Tax Compliance Regulations during a calendar year, this contact may require updated CDD.
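The trigger points above lend themselves to being written down as a checklist that a case management system can evaluate. The following is an added example, not code from the article, the LSAG guidance or any verification product; the record fields, the reason codes and the sample clients are all constructed for illustration, and the refresh interval is a parameter because the article notes that the right interval depends on the firm's own PWRA.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical client record; the field names are this example's own.
@dataclass
class ClientRecord:
    name: str
    last_idv_date: date          # when ID&V was last completed
    id_document_expiry: date     # expiry of the identity document held
    is_pep: bool = False         # identified as a politically exposed person
    edd_required: bool = False   # enhanced due diligence applies
    new_matter_opened: bool = False
    address_changed: bool = False
    identity_doubt: bool = False  # doubt about earlier documentation (reg. 27(9))

def cdd_review_triggers(client: ClientRecord, today: date, refresh_years: int = 3) -> list[str]:
    """Return the reasons a CDD/ID&V review is due for this client.

    refresh_years is the firm's own refresh interval (the article cites one to
    three years as a common policy range); it should come from the firm's PWRA.
    """
    reasons = []
    # Time-based refresh: ID&V older than the firm's policy interval.
    if client.last_idv_date <= today - timedelta(days=365 * refresh_years):
        reasons.append("idv_older_than_policy_interval")
    # Event-based triggers named in the article's Internal Policy section.
    if client.new_matter_opened:
        reasons.append("new_matter_opened")
    if client.is_pep:
        reasons.append("client_is_pep")
    if client.edd_required:
        reasons.append("edd_required")
    if client.id_document_expiry < today:
        reasons.append("id_document_expired")
    if client.address_changed:
        reasons.append("address_changed")
    # Regulation 27(9): doubt about the validity of previously obtained documents.
    if client.identity_doubt:
        reasons.append("doubt_about_previous_documentation")
    return reasons

def clients_due_for_review(clients, today: date, refresh_years: int = 3) -> dict:
    """Map each client with at least one open trigger to its list of reasons."""
    return {c.name: r for c in clients if (r := cdd_review_triggers(c, today, refresh_years))}

# Constructed sample data for a review run on a fixed reference date.
TODAY = date(2025, 6, 1)
SAMPLE_CLIENTS = [
    ClientRecord("Client A", date(2021, 3, 15), date(2029, 1, 1)),   # stale ID&V
    ClientRecord("Client B", date(2024, 9, 1), date(2025, 2, 1)),    # document expired
    ClientRecord("Client C", date(2024, 9, 1), date(2030, 1, 1), is_pep=True),
    ClientRecord("Client D", date(2024, 9, 1), date(2030, 1, 1)),    # nothing due
]
```

Running `clients_due_for_review(SAMPLE_CLIENTS, TODAY)` lists Clients A, B and C with their reasons and omits Client D; a firm with a shorter interval passes `refresh_years=1`.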

Leveraging Technology
Technology can assist in monitoring these changes. Many electronic verification tools now offer alerts when clients appear on sanctions or PEP lists, helping firms meet their obligation for ongoing monitoring without relying on teams to track these developments manually. Where case numbers are low, spreadsheets or file review calendars can help flag high-risk matters and remind teams to review CDD at key points.
Due Diligence on Third Parties
In some cases it is appropriate to conduct due diligence, including ID&V, on parties who are not your immediate client, such as beneficiaries, executors or deputies and, in some cases, counterparties.
A Boardroom Issue
Ensuring that AML compliance is not treated as an isolated concern but as an integral part of a firm’s strategic operations is crucial. This requires board-level oversight, regular training for relevant staff, and clearly documented processes that can withstand regulatory scrutiny.
Firms that embed CDD into their client engagement process from the outset and revisit it regularly are best placed to manage regulatory expectations while maintaining strong client relationships.
For firms unsure where to begin or lacking the internal resources to confidently implement these practices, seeking external advice or an independent review can provide clarity and assurance. With the right systems in place, firms can approach AML compliance not just as a regulatory hurdle but as a reflection of their professionalism and commitment to ethical legal practice.