When compliance failures make headlines or appear in regulatory reports, attention often turns to the checks carried out on individual matters.
Was the client properly identified? Was source of funds obtained? Was the risk assessment completed correctly?
These are all important questions, but in Episode 5 of Beyond the Check: Brick by Brick, Mike Ross, Head of Risk & Compliance at Anderson Strathern, and Luke Haddon, MLRO at Keystone Law, explored whether firms are sometimes focusing too heavily on the outcome without considering what should be informing those decisions in the first place.
At the centre of the discussion was a concept Luke refers to as the “Compliance Waterfall”. While most firms are familiar with client matter risk assessments, Luke argued that these assessments should not exist in isolation. Instead, they should be informed by a series of wider risk assessments that sit above them.
As he explained, a client matter risk assessment is ultimately shaped by what a firm identifies as its key risks, but those risks should themselves be informed by sectoral risk assessments, which are influenced by national risk assessments and, at the highest level, the guidance and expectations coming from bodies such as the Financial Action Task Force (FATF).
The challenge, according to Luke, is that many firms have become very good at completing risk assessments without always considering why a particular matter has been categorised in a certain way. As he noted during the discussion, “too often people decide a matter is low risk, but they don’t think about why.”
That question of “why” appeared repeatedly throughout the episode.
In conveyancing, for example, transactions can quickly become familiar. Fee earners may deal with dozens of similar matters every month and, over time, it can become easy to view certain types of work as routine. However, the wider risk picture tells a different story. Conveyancing continues to be identified as a higher-risk area within both national and sectoral risk assessments because of the significant sums of money involved and the speed at which funds can move through a transaction.
Luke illustrated this with a simple comparison. While many forms of financial crime involve relatively small amounts accumulating over time, a single property transaction can involve hundreds of thousands of pounds moving at once. It is one of the reasons regulators continue to focus so heavily on the sector and why firms cannot rely solely on familiarity when assessing risk.
This becomes particularly relevant when discussing cash buyers.
A cash purchase is often viewed as a positive instruction. There is no mortgage lender involved, transactions can progress quickly and clients are often keen to move at pace. Yet, as Luke pointed out, these are often the moments where firms need to pause and consider the wider context. He described the common scenario of a client arriving with a cash purchase and a desire to complete as quickly as possible. The temptation, particularly during quieter periods, can be to focus on winning and progressing the work. However, he stressed that firms need to step back and ask what risks may exist within the transaction and how those risks align with both their own firm-wide assessment and the wider risk environment.
Importantly, the discussion was not about treating every cash buyer as suspicious. Rather, it was about ensuring that firms can demonstrate why they reached a particular conclusion and how that conclusion was informed by a broader understanding of risk.
The conversation then turned to an issue many compliance professionals will recognise: the disconnect that can sometimes emerge between firm-wide risk assessments and client matter risk assessments.
John Dobson, Compliance Manager at Credas, highlighted a scenario where a firm’s practice-wide risk assessment identifies a particular type of work as medium or high risk, yet individual matters involving that work repeatedly receive low-risk classifications. In itself, that is not necessarily problematic. What matters is whether there is a clear rationale that explains the difference.
Mike Ross expanded on this point by suggesting that risk assessments should not simply be viewed as a top-down exercise. While national and sectoral assessments should influence a firm’s approach, there is also value in looking at the work being undertaken in practice and allowing that experience to inform future reviews. As firms develop expertise in particular areas, their understanding of risk evolves, and their risk assessments should evolve alongside it.
That theme of practicality continued throughout the discussion, particularly when the conversation moved to technology.
Risk scoring tools, automated workflows and case management systems are becoming increasingly common across the legal sector, particularly within high-volume areas such as conveyancing. While technology can provide consistency and help firms gather valuable management information, both Mike and Luke were keen to emphasise that it should support professional judgement rather than replace it.
Mike noted that there is often a misconception that regulators oppose automated risk assessments altogether. In reality, the concern is less about automation itself and more about firms relying on automated outcomes without understanding how those conclusions have been reached. As he put it, “there’s no silver bullet in AML.”
Technology can guide decision-making, but it cannot replace critical thinking.
The discussion also touched on one of the most significant challenges facing smaller firms: time.
Many firms do not have dedicated compliance teams. Risk assessments, policy reviews, training and regulatory monitoring often sit alongside fee earning and business development responsibilities. Keeping pace with regulatory change can therefore feel overwhelming, particularly as expectations continue to evolve.
It was here that Mike offered a practical suggestion that will likely resonate with many firms. Rather than trying to do everything internally, there may be occasions where bringing in external expertise makes sense. As he explained, “if you genuinely don’t have the time, inject a little expert help.” A relatively small investment at the outset can often save significant time later, while also providing reassurance that policies, controls and procedures are aligned with current expectations.
Underlying all of this was a broader point about compliance culture.
Processes, policies and technology all have a role to play, but effective compliance ultimately depends on people. Luke spoke about the importance of creating an environment where fee earners are willing to raise concerns, ask questions and escalate issues when something does not feel right. He described it as recognising that “funny feeling in their tummy” and speaking to the right people at the right time.
That may sound simple, but it arguably sits at the heart of the Compliance Waterfall itself.
Risk assessments, policies and procedures only become meaningful when the people using them understand how they connect. As Luke summarised during the discussion, “everything impacts everything else. It’s holistic.”
For firms navigating increasingly complex AML obligations, that may be the most important lesson of all.
