Learning Outcomes
This article explains risk management and risk-based regulation in legal practice for SQE1, including:
- The SRA Principles and their role in legal practice
- The concept and operation of risk-based regulation
- Identification, assessment, and management of regulatory risks in law firms
- Risk management strategies for practical scenarios, including conflicts of interest and anti-money laundering compliance
- The Legal Services Act 2007 regulatory objectives and their relationship to risk management
- Firm-wide and matter-level risk controls
- Principal POCA offences and reporting obligations
- Adequacy of professional indemnity insurance in light of a firm’s risk profile
SQE1 Syllabus
For SQE1, you are required to understand the principles and risk-based regulation of legal services, with a focus on the following syllabus points:
- the SRA Principles and their application in legal practice
- the concept and operation of risk-based regulation
- how law firms identify, assess, and manage regulatory risks
- the relationship between risk management, compliance, and professional conduct
- practical risk management strategies, including anti-money laundering and conflicts of interest
- firm obligations under the SRA Codes (for Solicitors and for Firms) to maintain systems, controls, and supervision
- the Legal Services Act 2007 regulatory objectives and the oversight role of the Legal Services Board
- reporting and controls under the Money Laundering Regulations 2017 and POCA 2002
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What is meant by a "risk-based approach" to regulation in legal practice?
- Which SRA Principle requires solicitors to act in the best interests of each client?
- Name two key steps a law firm should take when implementing risk management procedures.
- In what circumstances must a law firm conduct enhanced due diligence on a client?
Introduction
Effective risk management is central to modern legal practice. Solicitors must comply with the SRA Principles, which set the ethical and professional standards for the profession. The SRA adopts a risk-based approach to regulation, focusing on the most significant threats to regulatory objectives. Law firms are expected to identify, assess, and manage risks to ensure compliance, protect clients, and maintain public trust. This aligns with the Legal Services Act 2007 regulatory objectives, including the protection of consumers, support for the rule of law, promoting competition, encouraging an independent and effective profession, and increasing public understanding of legal rights and duties. Oversight by the Legal Services Board (LSB) ensures that approved regulators such as the SRA implement these objectives proportionately and transparently across the sector.
The SRA Principles: The Ethical Basis
The SRA Principles are the core ethical standards that all solicitors and regulated firms must follow. They underpin all aspects of legal practice and guide decision-making in complex situations.
Key Term: SRA Principles
The SRA Principles are the fundamental ethical and professional standards that solicitors and regulated firms must uphold in all legal activities.
The current SRA Principles require you to:
- Uphold the rule of law and the proper administration of justice.
- Act in a way that upholds public trust and confidence in the solicitors’ profession and legal services.
- Act with independence.
- Act with honesty.
- Act with integrity.
- Act in a way that encourages equality, diversity, and inclusion.
- Act in the best interests of each client.
These principles are mandatory and apply to all work, whether reserved or unreserved, and to both individuals and entities regulated by the SRA.
Key Term: independence
Independence means providing objective advice and representation, free from improper influence by clients, third parties, or personal interests.
Key Term: integrity
Integrity requires solicitors to act honestly, fairly, and in accordance with the highest professional standards, even where there is no explicit rule.
Where principles conflict, duties that safeguard the wider public interest (such as the rule of law and maintaining public trust) take precedence over an individual client’s interests. Acting with honesty and integrity is assessed objectively. The test for dishonesty, following Ivey v Genting Casinos, examines the solicitor’s state of knowledge or belief as to the facts, and then applies the standards of ordinary decent people to determine whether the conduct was dishonest.
Principles 2 and 6 emphasise professional behaviours that maintain confidence in the profession, including fairness, non-discrimination, and inclusive practice. Principle 7 requires solicitors to advance each client’s interests, but never at the expense of the court, the administration of justice, or the rights of others.
Risk-Based Regulation: Focusing on What Matters Most
The SRA regulates solicitors and law firms using a risk-based approach. This means that regulatory resources and attention are directed to areas where the risk of harm to clients, the public, or the rule of law is greatest.
Key Term: risk-based regulation
Risk-based regulation is a regulatory strategy that prioritises supervision and enforcement on the basis of the likelihood and impact of risks to regulatory objectives.
The SRA identifies, assesses, and monitors risks at three levels:
- Sector-wide risks: e.g., money laundering, cybercrime, or poor client care.
- Firm-level risks: e.g., inadequate supervision, poor financial controls, or high staff turnover.
- Individual risks: e.g., dishonesty, lack of competence, or conflicts of interest.
The SRA publishes a Risk Outlook, highlighting the most significant current risks to the profession (such as misuse of client account, conveyancing fraud, or sanctions breaches). Firms should map the Risk Outlook to their own practice profile and the Government’s National Risk Assessment, focusing controls on high-risk services such as trust and company services, conveyancing, and use of client account as a banking facility. Regulators operate under the LSA 2007 objectives; the LSB oversees the SRA’s approach to ensure it is evidence-based and proportionate.
Worked Example 1.1
A law firm handles high-value property transactions for overseas clients. The SRA’s Risk Outlook identifies money laundering as a key sector-wide risk. What should the firm do to comply with risk-based regulation?
Answer:
The firm should conduct a firm-wide risk assessment, identify property transactions and overseas clients as higher risk, and implement enhanced due diligence and monitoring procedures for these matters.
Risk Assessment and Management in Practice
Law firms must have systems to identify, assess, and manage risks relevant to their business. This is not only good practice but also a regulatory requirement under the SRA Code of Conduct and, for anti-money laundering, under the Money Laundering Regulations 2017.
An effective risk framework ordinarily includes:
- governance (clear responsibilities for risk, including COLP/COFA roles)
- a documented firm-wide risk assessment and risk register
- proportionate policies, controls, and procedures (PCPs)
- competent supervision and training
- regular monitoring, audit, and remedial action
- management information to the partners on key risk indicators (e.g., file reviews, complaints, near misses).
Firm-Wide Risk Assessment
Firms must regularly assess risks to their business, including:
- the nature of their clients and matters
- the services they provide
- the jurisdictions in which they operate
- delivery channels (e.g., remote instructions)
The assessment must be documented, kept up to date, and made available to the SRA on request.
Key Term: risk assessment
A risk assessment is a structured process to identify and evaluate potential threats to regulatory compliance, client interests, or the firm’s business.
Under the SRA Code for Firms, managers must ensure appropriate systems and controls are in place to monitor financial stability and manage material risks to compliance, including AML, data protection, client money, and complaints handling. The firm-wide AML risk assessment (Regulation 18 MLR 2017) should draw on current national/regulatory guidance, be approved by senior management, and inform the detailed PCPs (Regulation 19).
Policies, Controls, and Procedures
Firms must implement appropriate policies and controls to mitigate identified risks. These may include:
- client due diligence (CDD) and enhanced due diligence (EDD) procedures
- internal reporting mechanisms (e.g., a Money Laundering Reporting Officer)
- staff training on risk awareness and compliance
- regular audits and monitoring of compliance
Key Term: client due diligence (CDD)
CDD is the process of verifying a client’s identity and assessing the risk they pose, especially in relation to money laundering or terrorist financing.
Key Term: enhanced due diligence (EDD)
EDD is additional scrutiny and verification required for higher-risk clients or transactions, such as those involving politically exposed persons or high-risk jurisdictions.
In addition, effective PCPs should cover:
- screening of employees and ongoing staff vetting where appropriate
- risk assessment of new products, delivery channels, and technology (e.g., eID&V tools)
- oversight of complex or unusually large transactions with no apparent economic purpose
- reliance arrangements and group information sharing (where permitted) with appropriate safeguards
- record-keeping and retention schedules
- a training plan tailored to staff roles and risk exposure.
Worked Example 1.2
A firm is instructed to act for a new client based in a country identified as high-risk for money laundering. What steps should the firm take?
Answer:
The firm should apply enhanced due diligence, including verifying the client’s identity with independent sources, understanding the source of funds, and obtaining senior management approval before proceeding.
Managing Conflicts of Interest
Conflicts of interest are a key regulatory risk. Solicitors must not act where there is a conflict, or significant risk of conflict, between their own interests and those of a client, or between two or more clients.
Key Term: conflict of interest
A conflict of interest arises where a solicitor’s duty to act in the best interests of a client conflicts, or may conflict, with another duty or personal interest.
Firms must have systems to identify and manage conflicts, including clear procedures for checking new matters and ongoing monitoring. There is an absolute bar on acting where there is an own-interest conflict or significant risk of one. Where clients’ interests conflict (or are likely to), the SRA Code permits limited exceptions:
- substantially common interest (clear common purpose and strong consensus on how it is to be achieved), and
- competing for the same objective (e.g., separate bidders for an asset through an auction or tender), in each case subject to informed written consent, appropriate safeguards to protect confidential information, and the firm being satisfied that it is reasonable to act.
Confidential information may independently restrict acting. If the firm holds material confidential information for a current or former client that would be relevant to another client’s matter where interests are adverse, it must not act unless effective information barriers remove any real risk of disclosure, or the holder of the information gives informed written consent.
Worked Example 1.3
A solicitor is asked to act for both the buyer and seller in a business sale. Is this permitted?
Answer:
Generally, no. Acting for both sides creates a significant risk of conflict. Only in rare cases where the clients have a substantially common interest and all conditions for informed consent are met may a solicitor act for both.
Worked Example 1.4
Two existing clients instruct a firm separately to bid for the same commercial property at auction. Can the firm act for both?
Answer:
Potentially yes, under the “competing for the same objective” exception, if each client gives informed written consent, the firm puts in place effective safeguards (e.g., separate teams and access controls), and it is reasonable in all the circumstances. The firm must keep this under review and cease to act for one or both clients if a significant risk of conflict emerges.
Anti-Money Laundering and Risk Management
Law firms are subject to strict anti-money laundering (AML) obligations. A risk-based approach is required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and enforced by the SRA.
Firms must:
- conduct risk assessments for clients and matters
- apply CDD and EDD as appropriate
- monitor transactions for suspicious activity
- report suspicions to the firm’s MLRO and, if necessary, to the National Crime Agency (NCA)
- keep records of due diligence and reports
Failure to comply can result in regulatory action, criminal penalties, and reputational damage.
Key operational points include:
- appointing a Money Laundering Compliance Officer (MLCO) (where required) and a nominated officer/MLRO (Regulation 21)
- obtaining SRA approval for beneficial owners, officers, and managers (BOOMs) (Regulation 26)
- documenting the firm-wide risk assessment (Regulation 18) and PCPs (Regulation 19)
- conducting CDD when establishing a business relationship, carrying out an occasional transaction of €15,000 or more, if there is suspicion, or if previous CDD is inadequate (Regulation 27)
- maintaining ongoing monitoring to ensure transactions are consistent with the client profile (Regulation 28(11))
- training relevant staff regularly (Regulation 24)
- keeping CDD and transaction records for at least five years (Regulation 40).
Key Term: Money Laundering Reporting Officer (MLRO)
The nominated officer who receives internal reports of suspicions, evaluates them, and, where appropriate, makes Suspicious Activity Reports to the NCA.
Key Term: beneficial owner
The individual(s) who ultimately own or control a client or on whose behalf a transaction is conducted; in companies, typically those with more than 25% ownership or control (as defined in the MLRs).
Key Term: politically exposed person (PEP)
An individual entrusted with prominent public functions (and their family members or close associates) who, due to the position held, presents higher AML risk and requires EDD.
EDD must be applied in circumstances set out in Regulation 33, including high-risk third countries, PEP relationships, complex or unusually large transactions, unusual patterns of transactions, and any situation where there is a higher risk of money laundering or terrorist financing. For PEPs, firms must also obtain senior management approval, establish source of wealth and source of funds, and apply enhanced ongoing monitoring. Simplified due diligence (SDD) may be applied in lower-risk situations, but only after a documented risk assessment.
POCA creates the principal money laundering offences of concealing, arranging, and acquiring/using/possessing criminal property (ss. 327–329), and the “failure to disclose” offence in the regulated sector (s. 330). The MLRO commits a separate failure-to-disclose offence under s. 331, and tipping off is prohibited under s. 333A. A defence to primary offences can arise where a DAML (defence against money laundering) is obtained from the NCA, either expressly or deemed after the seven-working-day notice period and, where applicable, the 31-day moratorium expires without refusal.
Key Term: tipping off
An offence under POCA s. 333A committed by disclosing that a SAR has been made or that an investigation is contemplated, where that disclosure is likely to prejudice the investigation.
Firms must also consider the corporate offence of failure to prevent the facilitation of tax evasion under the Criminal Finances Act 2017 and the UK financial sanctions regime administered by OFSI, including checking names against the consolidated sanctions list and obtaining licences where necessary before receiving fees from designated persons.
Worked Example 1.5
A firm receives funds from a new client to purchase a property. Minutes before exchange, the client cancels and instructs the firm to return the funds to two overseas third-party accounts. The matter raises suspicion and the MLRO files a SAR. The client asks why there is a delay in sending the money back. What should the firm do?
Answer:
The firm must not return the funds until DAML is obtained or deemed. It must not tell the client a SAR has been made (to avoid tipping off). A neutral explanation (e.g., internal compliance checks) may be given that does not prejudice any investigation. If DAML is refused, the firm must not proceed during the moratorium period.
Exam Warning
Failing to conduct proper risk assessments or to apply enhanced due diligence in high-risk situations is a common cause of regulatory breaches. For SQE1, be alert to scenarios where a firm overlooks AML risks or does not escalate concerns appropriately.
Data Protection and Confidentiality
Risk management also includes protecting client data and maintaining confidentiality. Firms must comply with the Data Protection Act 2018 and GDPR, as well as the SRA Principles.
- Implement strong data security measures (e.g., encryption, access controls)
- Train staff on data protection and confidentiality
- Have procedures for responding to data breaches
A breach of confidentiality or data protection can lead to regulatory sanctions and loss of client trust. Under the SRA Code, confidentiality (to current and former clients) is a core duty. Disclosure is permitted or required where the law demands (e.g., POCA, sanctions, court orders) or the client consents. The duty to disclose material information to a client is limited where disclosure is prohibited by law, where the client gives informed written consent not to receive the information, where serious physical or mental injury is feared, or where the information is contained in a privileged document mistakenly disclosed—such material must be returned unread.
Confidential information may also restrict acting for a new client adverse to a current or former client where that information would be material to the matter, unless effective information barriers eliminate any real risk of disclosure or the client consents.
Worked Example 1.6
A firm receives an email misdirected from the other side’s solicitor containing a privileged draft advice relevant to an ongoing dispute for its own client. What should the firm do?
Answer:
The firm should not read or use the material. It should promptly notify the sender and return or delete the document. The duty of confidentiality and professional conduct rules prevent exploiting inadvertent disclosure.
Professional Indemnity Insurance and Risk
All SRA-regulated firms must maintain adequate and appropriate professional indemnity insurance (PII). Effective risk management can reduce the likelihood of claims and may influence insurance premiums.
- Review claims history and address recurring issues
- Ensure robust supervision and quality control
- Disclose all relevant risks to insurers
Key Term: professional indemnity insurance (PII)
PII is insurance that covers legal practices against claims for losses caused by professional negligence or breaches of duty.
Under the SRA Minimum Terms and Conditions (MTC), recognised and licensed bodies must hold at least £3 million for any one claim (exclusive of defence costs). Most other firms must hold at least £2 million. “Adequate and appropriate” requires firms to consider the nature and value of their work, client profile, and potential exposure; higher-risk practices (e.g., high-value property or corporate transactions) typically need higher limits or top‑up cover. Freelance solicitors who carry out reserved legal activities must also maintain appropriate PII. Sound risk controls—thorough scoping and engagement terms, conflicts checks, file reviews, and prompt complaints handling—lower claim frequency and severity.
Worked Example 1.7
A boutique firm handles cross‑border M&A deals with values between £50–150 million. It currently purchases the MTC minimum. Is this likely to be adequate and appropriate?
Answer:
Probably not. Given the value and complexity of matters, a single error could exceed the MTC minimum. The firm should assess its exposure and arrange higher limits (top‑up) commensurate with deal sizes, along with strengthening supervision and quality assurance.
Key Point Checklist
This article has covered the following key knowledge points:
- The SRA Principles are the core ethical standards for solicitors and regulated firms.
- Risk-based regulation directs regulatory attention to the most significant risks.
- Law firms must conduct firm-wide and matter-specific risk assessments.
- Effective risk management includes policies, controls, supervision, and staff training.
- Conflicts of interest and anti-money laundering are key regulatory risks.
- Exceptions to conflicts are limited and subject to strict safeguards.
- POCA creates principal money laundering offences and reporting duties; MLRs require documented risk assessments, CDD/EDD, training, and record‑keeping.
- Data protection and confidentiality are essential components of risk management.
- Professional indemnity insurance is required and must be adequate and appropriate to the firm’s risk profile.
Key Terms and Concepts
- SRA Principles
- independence
- integrity
- risk-based regulation
- risk assessment
- client due diligence (CDD)
- enhanced due diligence (EDD)
- conflict of interest
- Money Laundering Reporting Officer (MLRO)
- beneficial owner
- politically exposed person (PEP)
- tipping off
- professional indemnity insurance (PII)