The client & matter risk assessment: the first thing an SRA inspector checks
The client and matter risk assessment is where SRA inspections often begin. What MLR 2017 Reg 28 requires, and why a weak or missing CMRA cascades.
Jacob Styles · 1 July 2026 · 6 min read
Ask anyone who has been through an SRA anti-money laundering inspection what the reviewer reached for first, and the answer is almost always the same: the client and matter risk assessment. It is the document that determines everything that should follow on a file, which makes it the natural starting point for any assessment of whether a firm's AML controls actually work. It is also, consistently, one of the areas where firms fall short.
What the regulations require
The client and matter risk assessment (CMRA) is grounded in Regulation 28 of the Money Laundering Regulations 2017. Reg 28 requires a firm, before establishing a business relationship or carrying out an occasional transaction, to assess the risk that the particular client and matter present, taking into account factors such as the client, the type of matter, the jurisdictions involved, the delivery channel and the nature of the transaction (MLR 2017, Reg 28(12)–(13)).
Crucially, this is a matter-level obligation. It is distinct from, and additional to, the firm-wide risk assessment under Regulation 18. The firm-wide assessment sets the overall picture of the risks the practice faces; the CMRA applies that thinking to the specific engagement in front of the fee-earner. A firm can have an excellent firm-wide assessment and still fail comprehensively at the matter level, because the two do different jobs.
The regulations also expect the assessment to be recorded where the firm is required to keep such records, and to be capable of being provided to the regulator. An assessment that lives only in a fee-earner's head satisfies neither the letter nor the purpose of the rule.
Why inspectors start here
There is a logic to reaching for the CMRA first. It sits at the top of the causal chain. The risk rating it produces is supposed to drive the level of customer due diligence, the depth of source-of-funds enquiry, whether enhanced due diligence applies, and how closely the matter is monitored. If the CMRA is wrong, missing or superficial, everything downstream is built on sand.
So an inspector opening a file with the CMRA is effectively asking a single diagnostic question: did this firm decide, in a reasoned way, how risky this matter was, and did it then behave accordingly? The answer to that predicts the quality of the rest of the file with uncanny reliability.
How often firms get it wrong
The SRA's own data shows this is not a marginal problem. In 2024/25, across the 5,873 files it reviewed, around 950 files, roughly 16%, had no client and matter risk assessment at all, or only an incomplete one (SRA AML Annual Report 2024/25). And that understates the issue, because a further large tranche of files contained an assessment that existed but did not effectively evaluate the money-laundering risk (SRA AML Annual Report 2024/25). Combine the two, and a striking share of files lacked a CMRA that actually functioned.
Around 950 files, one in six reviewed, had no client and matter risk assessment, or only an incomplete one.
That failure rate is precisely why the CMRA is such an efficient starting point for an inspector. Statistically, it is one of the most likely places to find a problem.
The cascade effect
The reason a weak CMRA is so damaging is that its failures do not stay contained. They propagate.
It miscalibrates due diligence
If a genuinely higher-risk matter is rated low, or not rated at all, the firm applies standard, or minimal, due diligence to a situation that demanded enhanced measures. The source-of-funds enquiry that should have happened does not. The senior sign-off that should have been triggered is not. Each downstream step inherits the original error.
It breaks the audit trail
When there is no reasoned risk assessment at the front of the file, there is nothing for the rest of the file to be consistent with. An inspector cannot trace a coherent line from "we judged this risk to be X" to "so we did Y". The file stops telling a story, and an incoherent file is a finding waiting to happen.
It undermines monitoring
Ongoing monitoring is supposed to be calibrated to risk. Without a reliable initial rating, the firm has no sensible baseline against which to spot when a matter's risk profile changes. The obligation to keep watching becomes untethered from any starting point.
It exposes the firm even where nothing went wrong
Perhaps most importantly, a defective CMRA is a breach in itself, regardless of whether any money laundering occurred. The firm can have handled an entirely legitimate matter and still be sanctioned for failing to assess and record the risk it was required to assess. Innocence of the underlying conduct is no answer to the absence of the document.
Why it matters
The client and matter risk assessment is small, often a single page, but it carries disproportionate weight. It is the hinge on which risk-based compliance turns, the first thing an inspector reads, and the failing the SRA's data shows firms are most likely to commit. When it is done well, it makes the rest of the file defensible. When it is thin, absent or box-ticked, its weakness spreads through every subsequent step and leaves the firm exposed on a matter it may have handled perfectly honestly.
For any firm wondering where to focus limited compliance attention, the evidence points to an unglamorous answer: start where the inspector starts.
Sources
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Reg 28: www.legislation.gov.uk/uksi/2017/692/regulation/28
- SRA, Anti-Money Laundering Annual Report 2024-25: www.sra.org.uk/sra/research-publications/aml-annual-report-2024-25
- SRA, Anti-Money Laundering Annual Report 2024-25 summary: www.sra.org.uk/sra/research-publications/aml-annual-report-2024-25-summary
- Legal Sector Affinity Group (LSAG), Anti-Money Laundering Guidance for the Legal Sector
Written by Jacob Styles. This article is educational and does not constitute legal advice. Regulatory positions should be verified against current SRA guidance and primary legislation.