When compliance failures surface in regulatory reports or enforcement action, scrutiny tends to land in the same place: the individual matter. Was the client properly identified? Was source of funds obtained? Was the risk assessment completed? Was enhanced due diligence applied where it should have been? These are the questions that follow a regulatory visit, an enforcement notice or a suspicious activity report that should have been filed sooner. They are the visible end of a compliance failure, the point at which something clearly went wrong. But in focusing so heavily on what happened at matter level, firms can inadvertently overlook the structural conditions that allowed it to happen.
These are not the wrong questions. But they may not be the most important ones.
Looking beyond the individual matter
A recent discussion on Credas’ podcast, Beyond the Check: Brick by Brick, has highlighted a structural gap in how many firms approach anti-money laundering obligations, one that sits not in the execution of individual checks but in the framework that should be informing them. Luke Haddon, MLRO at Keystone Law, and Mike Ross, Head of Risk and Compliance at Anderson Strathern, explored whether firms are sometimes so focused on the outcome of compliance that they lose sight of what should be shaping those outcomes in the first place.
The ‘Compliance Waterfall’
Luke Haddon describes the issue through what he calls the “Compliance Waterfall.” The concept is straightforward in theory, though demanding in practice. Client matter risk assessments, which most firms now carry out as standard, should not be treated as standalone exercises. They sit at the base of a much wider hierarchy of risk assessments, each informing the next: national risk assessments shape sectoral guidance, sectoral guidance shapes firm-wide policy, and firm-wide policy should be shaping individual matter assessments.
The problem, as Haddon sees it, is that many firms have become competent at completing risk assessments without always interrogating the reasoning behind them. “Too often people decide a matter is low risk, but they don’t think about why,” he observed. It is the question of why that the waterfall is designed to answer.
Mike Ross echoed this concern and extended it. Risk assessment, he argued, should not be a purely top-down exercise. Firms that develop genuine expertise in particular areas of practice bring their own knowledge to bear on how risk presents in that context. That experience should feed back upwards, informing future reviews and keeping firm-wide assessments grounded in operational reality rather than abstract frameworks.
Why conveyancing deserves closer attention
The practical stakes of this become especially apparent in conveyancing. It is a discipline that carries familiarity risk: fee earners dealing with high volumes of similar transactions can fall into the habit of treating certain matters as routine. Yet both national and sectoral risk assessments continue to identify conveyancing as a higher-risk area, and for sound reasons. A single property transaction can move significant sums quickly. The scale and speed of the funds involved are qualitatively different from those in most other forms of financial crime, where smaller amounts accumulate over time.
Cash purchases sharpen this further. The absence of a mortgage lender, the pace at which such transactions can move and the appeal they hold for clients eager to complete can create pressure that runs counter to careful risk assessment. Haddon described the common scenario: a cash buyer arrives wanting to move quickly. The matter looks straightforward. The temptation is to progress. But this, he suggested, is precisely the moment when firms need to pause and consider how the transaction maps onto both their firm-wide risk assessment and the broader risk environment.
The point, importantly, is not to treat cash buyers with suspicion as a class. It is to ensure that firms can demonstrate a clear and considered rationale for whatever conclusion they reach.
A related challenge concerns the relationship between firm-wide and matter-level assessments. Where a practice-wide risk assessment identifies a particular area of work as medium or high risk, but individual matters in that area are routinely assessed as low risk, there is not necessarily a problem. What matters is whether there is a documented rationale that bridges the two. Without it, the waterfall stalls.
Technology has a role to play in maintaining consistency across high-volume environments, and both Ross and Haddon acknowledged as much. Risk scoring tools and automated workflows are now common, particularly in residential conveyancing. But both were firm on the limits of automation. Regulators, Ross noted, are not opposed to technology-assisted assessments in principle. The concern is when firms rely on automated outputs without understanding how those conclusions were derived. “There’s no silver bullet in AML,” he said. Technology can support judgement. It cannot substitute for it.
For smaller firms, the challenge is less about automation and more about capacity. Where compliance responsibilities sit alongside fee earning, keeping pace with evolving regulatory expectations can be difficult. Ross’s practical suggestion is worth noting: for firms that genuinely lack the time or internal expertise, targeted external input at key points can deliver significant efficiencies and provide reassurance that controls remain aligned with current expectations.
Creating a culture where compliance connects
Underlying all of this, however, is a point that precedes any discussion of process or technology. Compliance frameworks only function if the people using them understand how the components connect. Haddon spoke about the importance of cultivating an environment where fee earners feel able to raise concerns, ask questions and escalate where something does not seem right. The language he used was deliberately human: recognising “that funny feeling in their tummy” and knowing who to speak to. It may sound informal, but it describes something essential.
“Everything impacts everything else,” Haddon said. “It’s holistic.”
For firms managing increasingly complex AML obligations across multiple practice areas, that may be the most important framing of all. Individual checks matter. But the structure that informs them matters more.
Beyond the Check is a podcast series for legal and property professionals, hosted by Rhian Del-Valle, Head of Enterprise at Credas, alongside leading industry experts. The series explores the realities of AML compliance in practice, from risk frameworks to technology and regulatory change. All episodes are available at credas.com.
Jonathan Bennett