MLR 2017 regulation 28 explained: how to build a client and matter risk assessment that holds up.
A full walkthrough of Regulation 28 of the Money Laundering Regulations 2017: what customer due diligence requires, how the risk-based approach works, and how to structure a client and matter risk assessment that survives an SRA inspection.
Jacob Styles · 14 July 2026 · 8 min read
Regulation 28 of the Money Laundering Regulations 2017 is the customer due diligence regulation, and it is longer and more layered than the shorthand "do your CDD" suggests. It covers identifying and verifying a client, understanding what a transaction is actually for, applying a level of scrutiny that matches the assessed risk, and continuing to watch the relationship after onboarding. Most firms know parts of Reg 28 well. Fewer firms treat it as one connected structure, which is where the gaps open up. This is a full walkthrough, limb by limb, with a practical route to building a client and matter risk assessment that actually satisfies it.
What regulation 28 covers, in outline.
Reg 28 sets out what customer due diligence (CDD) requires, in three connected parts: what CDD means in the first place (28(2)), how the depth of CDD must scale with risk (28(12)-(13)), and what has to continue after the client is onboarded (28(11)). A client and matter risk assessment (CMRA) is the document that ties all three together for a specific matter.
What counts as customer due diligence under regulation 28(2).
Regulation 28(2) requires a firm to:
- Identify the customer, unless their identity is already known to and verified by the firm.
- Verify the customer's identity, unless it has already been verified.
- Assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction (Reg 28(2)(c), quoted exactly).
That third limb is the one firms most often under-deliver on. Identifying and verifying a client has become largely mechanical, helped by electronic ID tools. Assessing the purpose and intended nature of the relationship is a judgement call that a tool cannot make for you: why is this client instructing this firm, for this matter, in this way, and does that story hold together. Where the client is a body corporate, Reg 28(3) adds further requirements: obtaining and verifying the company's name, company number and registered office address, and taking reasonable measures to understand the law it is subject to and the identities of its directors or equivalent officers.
How regulation 28(12)-(13) makes due diligence risk-based.
Reg 28(12) requires that the way a firm complies with its CDD obligations must reflect two things: the risk assessment the firm carried out under Regulation 18(1) (the firm-wide risk assessment, sometimes called a PWRA outside the legal sector; see what a PWRA is), and its assessment of the level of risk arising in the particular case in front of it. Critically, Reg 28(12)(b) confirms that CDD "may differ from case to case": the regulations do not expect uniform treatment, they expect proportionate treatment.
Reg 28(13) sets out the kind of matters relevant to assessing that case-specific level of risk, including the purpose of the account, transaction or relationship; the level of assets involved or the size of the transactions; and the regularity and duration of the relationship. This is, in substance, the legal basis for the client and matter risk assessment: Reg 28 does not use the term "CMRA," but the SRA's 2024/25 AML Annual Report describes CMRAs as required under "regulation 28(12) and 28(13)."
What regulation 28(11) requires after onboarding.
Reg 28(11) requires ongoing monitoring of the business relationship, with two limbs: scrutinising transactions throughout the relationship so they stay consistent with the firm's knowledge of the client, and keeping CDD records and information up to date. This is the limb of Reg 28 most likely to be forgotten entirely, because it has no natural trigger the way onboarding does. We cover it in full in ongoing monitoring under Reg 28(11).
How to build a client and matter risk assessment that satisfies regulation 28.
Putting the limbs above together, a CMRA that would hold up to inspection needs to show five things, in this order:
- The client risk factors. Who the client is, their business, their source of wealth, and whether they are a politically exposed person or subject to sanctions.
- The matter risk factors, drawing on the same categories Reg 18(2) sets out for the firm-wide assessment: the type of transaction, its value, the jurisdictions involved, and the delivery channel.
- A reasoned risk rating, low, medium or high, that follows logically from points 1 and 2, not a default setting applied to every file.
- The due diligence that rating triggers, including whether enhanced due diligence under Regulation 33 applies (mandatory for politically exposed persons and high-risk third countries) and what source-of-funds enquiry the rating calls for (see source of funds versus source of wealth).
- A date and a named sign-off, from the responsible fee-earner or the MLRO, so the assessment is attributable and, per Reg 28(12) and the SRA's own expectations, capable of being provided to the regulator on request.
A CMRA missing any of these five is vulnerable in an inspection, even if a document with that title exists on the file.
What happens when firms get regulation 28 wrong.
The SRA's 2024/25 figures show exactly where the gaps concentrate. Of the 5,873 files reviewed, 950 (16%) had no CMRA at all, or only an incomplete one, and a further 39% of the CMRAs that did exist failed to effectively evaluate the money-laundering risk. Of the 270 firms assessed as non-compliant, 135 (50%) were referred specifically for a lack of CMRAs on file, though 111 of those 135 actually had a process in place that was not being followed (SRA AML Annual Report 2024/25). We break this down fully in the client and matter risk assessment: the first thing an SRA inspector checks.
The stakes for getting Reg 28 wrong are not hypothetical. The largest AML fine against a UK law firm to date, £500,000 against Clyde & Co LLP, arose substantially from customer due diligence and ongoing monitoring failures across 14 transactions, precisely the two limbs of Reg 28 covered above (Solicitors Disciplinary Tribunal, Case No. 12481-2023). We cover that case in full in the £500,000 Clyde & Co fine.
Why it matters.
Reg 28 is usually taught, and usually audited, in pieces: an onboarding checklist here, a source-of-funds form there, a vague sense that monitoring should happen "sometimes." Read as one connected structure, it says something more specific: identify and verify the client, understand what they actually want and why, calibrate scrutiny to the risk that combination presents, document the reasoning, and keep watching for as long as the relationship lasts. A CMRA is simply the record that this happened. Firms that treat it as a form to complete once, rather than a structure to maintain, are the ones the SRA's own data shows falling short most often.
Frequently asked questions.
What is the difference between regulation 28(2) and regulation 28(11).
Regulation 28(2) sets out the initial customer due diligence duties: identifying and verifying the client, and assessing the purpose of the relationship. Regulation 28(11) is a separate, continuing duty that applies after onboarding: scrutinising transactions and keeping due diligence records up to date for as long as the relationship lasts.
Does regulation 28 use the term "client and matter risk assessment".
No, not verbatim. The term "CMRA" is industry and regulator shorthand for the risk-sensitive approach to customer due diligence that Regulation 28(12) and 28(13) require. The SRA's own 2024/25 AML Annual Report describes CMRAs as arising from those two sub-regulations.
Can customer due diligence be different for different clients under the same firm.
Yes, and it is meant to be. Regulation 28(12)(b) explicitly confirms that the way a firm complies with its CDD obligations "may differ from case to case." Uniform treatment regardless of risk is not what the regulations require.
Does regulation 28 require enhanced due diligence in every case.
No. Enhanced due diligence is required specifically in higher-risk situations defined elsewhere in the regulations, principally under Regulation 33, such as where a politically exposed person is involved or the matter touches a high-risk third country. Regulation 28 sets the general risk-based framework that determines when those enhanced measures are triggered.
Where does the firm-wide risk assessment fit into regulation 28.
Regulation 28(12)(a)(i) requires that customer due diligence reflect the risk assessment carried out under Regulation 18(1), the firm-wide risk assessment. The two documents are legally linked: the firm-wide assessment sets the general risk picture, and Regulation 28 requires matter-level CDD to be consistent with it.
Sources
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Reg 28: www.legislation.gov.uk/uksi/2017/692/regulation/28
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Reg 18: www.legislation.gov.uk/uksi/2017/692/regulation/18
- SRA, Anti-Money Laundering Annual Report 2024-25, 30 October 2025: www.sra.org.uk/sra/research-publications/aml-annual-report-2024-25
- Legal Sector Affinity Group (LSAG), Anti-Money Laundering Guidance for the Legal Sector, effective 23 April 2025
Written by Jacob Styles. This article is educational and does not constitute legal advice. Regulatory positions should be verified against current SRA guidance and primary legislation.
Book a call