
Phase Three: Risk-rating customers under the upcoming AML/CFT New Regulation
New risk rating requirements
From 1 June 2025, law firms will be required to risk-rate new customers engaging in AML-captured work, keep a record of those ratings and review them as appropriate. The new changes under Regulation 12AC will mark a shift from box-ticking compliance towards a formalised risk-based approach that relies on objective factors to ensure fair and consistent assessments.
Each new customer will now be assigned a risk score as part of the customer due diligence (CDD) process. The score is determined by factors such as how the customer relationship was established, the type of business structure, the nature of business activities, geographic location, and transaction patterns, allowing firms to better understand and manage potential risks.
Firms will be required to ensure that their systems and processes have the capabilities in place for meeting these new requirements. This includes having a documented methodology for risk assessment, capturing the rationale behind each customer’s risk rating, and regularly reviewing these ratings as part of their ongoing CDD and account monitoring obligations.
Purpose: Driving a more effective, risk-based approach
The aim is to reduce financial crime by making risk assessment more structured and consistent across the sector. By adopting a more responsive model, firms can be better equipped to detect and respond to higher risk scenarios, while maintaining a fair and proportionate approach to client onboarding and monitoring. This approach should allow firms to avoid over-investing in low-risk scenarios, which not only reduces operational costs but also improves the client experience by streamlining onboarding and monitoring for lower-risk customers.
Phase Three changes will ground customer risk assessments in objective and measurable factors, which will enable firms to ensure fairer and more consistent outcomes while better identifying and managing financial crime risks. Reporting entities will need to undertake (and maintain records of) a more genuine assessment of risk and adopt a meaningful approach to client onboarding and customer due diligence.
What does this mean for our clients?
The introduction of this further requirement reinforces the overarching principle of “knowing your customer” and doing so at the earliest opportunity. By collecting detailed information at the pre-engagement stage, firms can accurately assess risk levels and address any potential concerns early in the process, ensuring time and resources are allocated where they are needed most.