Client privilege, compliance and the rule of law: Swedish lawyers and money laundering prevention

Can, and will, lawyers police their clients? This article aims to shed light on the private front-line workers of the Financial Action Task Force on money laundering (FATF). The analysis is based on a study of how Swedish lawyers perceive and handle obligations to police clients within FATF style risk-based anti-money laundering/counter terrorism (AML/CTF) regulation. We find that the lawyers were reluctant to taking on the responsibility for AML/CTF, and that their front-line work was directed towards being compliant enough. Relatedly, we identify several practices of separation that serve to mediate between the conflicting aims and interests in the everyday of this form of private policing. Another finding is that the lawyers by and large position themselves as knowledgeable actors, and view risks of AML/CTF as knowable. Nevertheless, lawyers experienced a principle clash between being ‘not banks’, and being front-line workers for FATF. In particular, the lawyers perceived their role as front-line workers to be more complex due to their professional norms and ethics on client privilege, and what they saw as the proper role of lawyers, being in conflict with the obligation to report clients and their transactions. In concluding, we suggest that paying more attention to the everyday experience of front-line workers when devising regulatory tools may be a way to promote engagement in ‘true’ crime prevention on their part.


Introduction
The regulatory activity to do with surveillance of transnational financial flows deemed potentially suspect in relation to money laundering, has intensified [1], underscoring an increasing intertwining of regulation and policing [2]. Since its inception in 1989, the Financial Actions Task Force against Money Laundering (FATF) has contributed to this development 1 . In the late 1980's drug money laundering of money was considered the major threat to financial institutions [3]. In 2001 FATF issued 40 recommendations that explicitly included the prevention of the financing of terrorism, contributing to securitization of the regulatory field [4], and promoting the establishment of a 'risk-security nexus' ( [5], p. 538). In addition to the extended scope of regulatory ambitions of the FATF, audiences targeted have widened. Initially, FATF was focused on the functioning of banks and other financial institutions. Though these remain main target groups, pressure has increased on 'designated non-financial businesses and professions (DNFBPs)' [6] to engage in anti-money laundering and counter terrorism financing (AML/CTF) 2 . As Tsingou [7] observes: 'while most of the public AML discourse refers to countries and criminals, the actors to be found at the forefront of AML activities are, in practice, mostly private. ' In relation to private actors, FATF evokes the idea of a public-private partnership to crime prevention [8][9][10]. Put briefly, regulated industries are encouraged to pro-actively prevent crime rather than passively comply with the rules. The FATF recommendations can be considered soft law, but come with a sharp edge. The content of the recommendations is mirrored in hard regulation such as the 3rd and 4th EU Directives [11,12], and in the next step in national legislation [13]. As Nance [14] delineates, the FATF can be viewed as a defacto multilevel regulator relying on national law enforcement to sanction non-compliance, and enrolling a wide range of business actors as agents in its aims to prevent crime and terrorism. In the context of AML/CTF, business actors are attractive as they have access to knowledge about their clients and their affairs that is not available to the regulator or law enforcement. By enrolling private actors, FATF-style regulation attempts to draw on this knowledge, including privileged, to prevent crime.
Relying on business actors as proactive front-line workers in the fight against crime raises several concerns. Business actors are businesses. They do not necessarily follow the intent of the law, but can rather be expected to use regulation to promote their business interests [15]. Several types of business actors do in fact 'have incentives not to disclose or report crimes and offences' ( [8], p. 515, emphasis in original). Taking such dis-incentives into consideration, 'defendable compliance' [16], rather than proactive policing, seems a likely outcome. Research on banks indicate that such compliance is indeed present in the context of AML/CTF [17][18][19]. It thus appears that: '… there will continue to be a less than virtuous shifting of responsibility between the regulator and the regulated, with the latter merely doing sufficient to proverbially "cover their backs".' ( [20], p. 70).
Another concern, is that all business actors are not law abiding. Privileged knowledge may thus be used for sinister purposes. As has been highlighted in research on DNFBPs like accountants and auditors (e.g. [21,22]), and lawyers (e.g. [23,24]), some of the actors relied upon to prevent crime may themselves be primary offenders, or may allow themselves to be used by criminals. By way of illustration, Lankhorst and Nelen [25] discuss how the culpable involvement of lawyers may include their authorizing payments from third party accounts, or their carrying out illicit financial transactions on behalf of criminals. At the same time, it is this very vulnerability that contributes to making professional services providers like lawyers 'well positioned' [27] to police and report suspicious clients and suspicious transactions.
This article analyses how one type of private actors, lawyers in law firms, understand and apply AML/CTF risk identification and risk management. In so doing, we aim to shed more light on the private front-line actors of FATF. The role of lawyers as purported front-line workers of FATF, has so far gathered little scholarly interest. Yet, placing lawyers in this role is pertinent as it can be argued that the role of lawyers is more complex than that of e.g. banks. To be sure, as Zacharias [28] underscores, lawyers are indeed gatekeepers. Yet, obligations of investigating and ultimately reporting clients put that societal role to the test. Client confidence, and privileged information, is at the very core of the services provided by lawyers. From the perspective of the profession, this could be a source of concern and resistance. The strong reactions, and legal actions, of provincial law societies to AMLlegislation in Canada illustrates this point [29]. The argument by the European Bar Association [30] that lawyers, as guardians of the rule of law 3 , ought to be exempt from the requirement to provide information about clients to competent authorities further illustrates the conflicts of interest and roles. Taken together, these principle concerns could be seen as a disincentive for lawyers to participate in pro-active crime prevention in relation to money laundering and terrorism financing. In summary, we would therefore expect the use of lawyers as front-line actors for FATF to be complex and we therefore probe how they understand and take on that role.
Our analysis is based on an interview study with lawyers in Sweden. Sweden constitutes something of an extreme case in the European context. There is no professional monopoly 4 for Swedish lawyers, making the incentive for state regulation smaller than in countries like the UK or Denmark [31]. Moreover, there is a strong tradition of self-regulation of the profession via the Swedish Bar Association. This tradition and relative autonomy vis-a-vis the state is further reflected in the role of the Swedish Bar in AML/CTF governance. In Sweden, it is the Bar that is the designated body monitoring AML/CTF compliance among lawyers. In e.g. the UK, the role of the Bar associations is comparatively weaker [32].
We pose three main questions in relation to how Swedish lawyers understand and apply FATF-style regulation: First, to what extent do lawyers take on the responsibility for preventing crimes of money laundering and terrorism financing? Second, considering that lawyerslike other regulated private actorsare in fact not the police, how do lawyers know how to assess and manage risks of money laundering and terrorism financing? Our third concern is how lawyers act on identified risks of the crimes concerned.
The article is structured as follows. In the next section, we outline a risk-based approach to AML. This includes a framing of the crimes as risk, and has implications for the allocation of responsibility, as well as views on knowledge, and possibilities for action. Then follows a section on methodology where we describe our interview study with Swedish lawyers. We then discuss the case of lawyers with a view to the position of the Swedish Bar Association, before outlining our findings on the three main research questions. In the final part of the article we discuss our results and conclusions. The overall conclusion is that the lawyers in our case work to protect the business interest of good client relationships, and to uphold professional norms and ethics, while being compliant enough. To that end, they make use of several practices of separation. Moreover, a 'true' pro-active crime prevention appears secondary in their use of the risk-based approach, as illustrated by the low incidence of reporting.

Delineating the risk-based approach
Regulation on AML/CTF mixes the 'repressive approach' of criminal law with the 'preventative approach' of banking law [34]. In terms of prevention, the FATF take on AML further emphasises the uses and merits of the 'risk based approach', as underscored in the first of the 40 FATF Recommendations [6], as well as in subsequent EU Directives [11,12]. The identification and management of risk as a preventative strategy in AML/CTF can be viewed in light of the growing trend for risk-based regulation across various fields of society (e.g. [35,36]). This trend reflects a change in how risk is being viewed in Late Modernity, away from 'the opportunity for gain and more possibility of loss' ( [37], p. 141). In contemporary society, risk management has become established as a tool for managing all kinds of problems and harms [38]. Risks to be managed range from individual health issues [39] to threats to national security [40]. FATF's risk-based approach to AML/CTF is an example of the latter. In the following, we will not attempt to go into all the details of the FATF-recommendations and associated directives and national legislation. Rather, we aim to highlight some generic features of the risk-based approach to AML/CTF, and the partly overlapping implications for the private actors that are to put them into practice. This will then serve to guide our empirical analyses.
The framing of crime as risk conveys that these crimes can and ought to be handled like other harmful risks: through risk management procedures. In theory, a risk-based approach appears advantageous not only for regulators like FATF, but also for the private actors that are to comply with the risk-based regulation. In essence, this stems from the promises of risk assessment and risk management to direct efforts primarily to 'high-risk' clients and transactions. In discussing the regulatory move to a risk-based approach to anti-money laundering, Unger and van Waarden [41] further underline how a risk-based approach encourages proactivity on behalf of the subjects of regulation: Risk-based regulation offers to respect these subjects, to make use of their experience and knowledge, to take their judgments seriously, as useful contributions to rule development and application. Citizens and companies, subjects of the law, are treated like resourceful actors, rather than ignorant children who have to be taught a lesson ( [41], p. 959) A risk-based approach makes it up to the private actors to decide what is risky and not, and what is reportable. 'When objects of concern are described in terms of risk, they are placed in a web of expectations about management and actor responsibility' ( [38], p. 6). It is the actor who decides on the risk assessment and risk management that will end up being held responsibleand blamed [42]. In this way, outsourcing of critical tasks to private actors can be understood as a means to blur boundaries of accountability across sectors, and for the state to avoid blame [43]. A similar argument has been made in relation to AML/CTF, where the risk-based approach is seen as a means to shift responsibility and blame to the private actors [44]. Yet, private actors may not be willing to take on that responsibility. Tulloch and Lupton's [45] discuss how '… risk knowledges are constantly contested and are subject to disputes and debates over their nature, their control and whom is to blame for their creation'. As outlined in the introduction, private actors have other interests and obligations to safe-guard that may conflict with responsibilities for crime prevention.
A second feature of the risk-based approach is that it presumes that risks are knowable. What was not known before can now be knowable as a risk: 'Knightian uncertainties become risks when they enter into management systems' ( [38], p. 5). In principle, then, a risk-based approach implies that private actors have knowledge concerning even those illicit activities that the regulator does not know aboutand are knowledgeable even without the special knowledge and skills of law enforcement. Practice is another matter. In practice, risks of money laundering and terrorism financing appear less readily knowable. Banks are well versed in the risk management of their core business endeavours. Nevertheless, previous studies discuss how bank managers complain about not having access to all the relevant knowledge to be able to make fully risk-based decisions on AML/CTF issues [10]. Studies further show how banks resort to further outsourcing of the riskmanagement tasks to specialised providers when knowledge is lacking [17,19]. Hence, contrary to the standard template of risk as knowable, these findings rather point to a 'variance in ways of seeing, believing, managing and discovering' ( [46], p. 72) risk, and to a lack of knowledge of the crimes to be prevented.
Third, the labelling of a threat or harm as a 'risk' calls for action in order to handle or reduce it [47]. FATF's use of a risk-based approach can thus be seen as an attempt to co-opt private actors into more pro-activity. An ambiguous threat may be difficult to deal with, but established risk management routines and procedures can be applied to a risk. At the same time, an investment in existing or new systems and databases does not ensure proactive crime prevention among the private actors. Rather, previous research indicates that the aim tends to be that of 'defendable compliance' [16] as reported by Favarel-Garrigues et al. [17,19], and Canhoto and Backhouse [18]. This leads us back to the issue of the extent to which private actors really are willing to take on an extended responsibility for crime prevention. In practice, there exist opposing demands and interests that private actors need to handle [13]. Hence, pro-active crime prevention may not win out. For instance, Canhoto [48] discusses how employees on the ground face demands to be vigilant in AML/CTF, whilst simultaneously having to cater to demands to be sales orientated. Relatedly, AML/CTF efforts may also result in banks getting rid of clients that are not very lucrative in the first place [17,19].
In summary, as portrayed in Fig. 1., we focus on the following three facets of a risk-based approach. First, the risk-based approach promotes a responsibilisation of the private actors, albeit a responsibilisation that targeted private actors may be reluctant to embrace. Second, it presumes that risks of money laundering/terrorism financing are knowable for the private actors, though as we have discussed that may be more difficult for these actors in practice. Third, the risks-based approach suggests that it is actionable for private actors, yet what action is taken may not follow the intent of the regulator. Hence, how a FATF-style regulation plays out in business practice appears a rather open question in spite of the frame set by a riskbased approach.
In the remainder of this article, we will go more in-depth into how the risk-based approach was perceived and acted upon by Swedish lawyers. Before so doing, we will present how and why we have designed and conducted our study.

Method
The rather few studies of how private actors deal with the risk-based approach have focused on banks, where the research by Favarel-Garrigues and colleagues (e.g. [17,9,19]) on French Banks constitutes the most comprehensive work to date. By studying lawyers, we expand the empirical basis of the analysis of how private actors serve as front-line actors within FATF-style regulation. The article is based on a qualitative case study that aims to explore how lawyers in Swedish law firms deal with the risk-based approach to AML/CTF in extant regulation. Similar to the heuristic trait of processtracing [49,50], we have conducted semi-structured interviews on explorative and descriptive questions on AML/CTF practices and procedures.
A first exploratory interview was held with a senior official at the Swedish Bar Association, to help contextualise our understanding of the role of the Bar as a supervising body, and to get further insights into the position of the Bar on issues of the content of the regulation, and compliance. Next, we turned to interviews with practitioners. We chose to interview informants at two large firms, and at two medium sized firms. In the large firms, we have interviewed two to three partners, as well as designated AML officers and professionals. In the medium sized firms, we have asked to talk to persons involved in managing AML/CTF, including partners and associate lawyers. A reason for this design was that previous studies of banks indicate that engaging in the proposed partnership against crime is costly [10,18]. We therefore expected large, and resourceful law firms to put more time and effort into their AML/ CTF work, for instance by utilizing compliance databases 5 . This, in turn, could affect what knowledge was used for money laundering vetting purposes, in that standardised ·

Knowable (for Private Actors)
· Actionable (for Private Actors) Fig. 1 Generic Features of the Risk-Based Approach to AML/CFT 5 To get a feel for the design and content of compliance databases we acquired provisional access to two such products through one of the leading providers.
knowledge adapted to FATF-style regulation would be more likely to come more to the fore in decision-making and processing of 'risk'. A total of 15 key interlocutors in law firms were interviewed. We are aware that the small number puts limitations on generalisability, but our aim was to get more detailed insight into a context that has been largely ignored and thus to privilege getting access to the 'behind the scenes' of AML practices among private actors. All but one interview was recorded. One informant declined to be recorded, but agreed to our taking extensive notes. Interviews commenced with general questions on the respondent's position, role(s), and responsibilities within the firm. We then turned to our main theme on how respondents, and the firm, worked with AML/CTF and the risk-based approach. Here we asked questions around how AML/CTF was conducted in practice, by whom, how the work proceeded (and if in any particular 'steps'), what support was available, etc. We further probed respondents for possible problems encountered, and how these were (or were not) resolved. We also asked respondents about their views on their own role, and that of lawyers, in AML/CTF 6 .
The interview data were analysed in two main iterations. First, we sought to capture the AML/CTF process at the law firms, in order to achieve a level of understanding for the what, when and how AML/CTF risks were identified and managed, and the extent to which lawyers complied (or not). In the next round, we read, and listened, to the interviews with the explicit aim to capture sections pertaining to the questions of responsibility, types of knowledge, and actionability, including views on reporting 7 . These findings are presented below.

The case of lawyers
As discussed in the introduction, the professional norms and ethics of lawyers add to the complexity of using them for policing purposes, and need to be taken into consideration in order to understand how they work with the risk-based approach. Lawyers have professional norms and ethics to consider, that may run contrary to the requirements of AML/CTF obligations. In principle, professional norms and ethics of the profession endorse a strong client privilege, and the role of lawyers in society is to be guardians of the rule of law, as argued by the European Bar Association [30]. Consequently, The European Bar is critical of AML/CTF obligations for lawyers: Providing authorities with the competence to access information on an identity from, amongst others, lawyers would clearly interfere with its principle of legal professional privilege and professional secrecy and should therefore be firmly rejected (CCBE, June 2011, Para. 7). 6 Though acknowledging that the question of to what extent lawyers themselves may be implicated in money laundering crimes is well worthy of investigation, we did not have the possibility to explicitly probe this sensitive issue in the present study. 7 Please refer to Engdahl and Larsson [8] for a discussion of how the duty to report crimes in the Swedish context primarily befalls the police, tax-and customs authorities, as well as some other specified actors, notably those engaged in social services provision. This makes the AML/CTF obligation for lawyers, and other regulated industries, to report suspicious client and their transactions, stand out. The Swedish Bar Association, an association under private law, is the main interest organization for the Swedish law profession. The Swedish Bar is in charge of questions of ethics and membership in the profession, including disciplinary measures and disbarment. Like the European Bar, the Swedish Bar puts a large emphasis on the role of lawyers as guardians of the rule of law.
A free and independent legal profession operating in accordance with sound rules developed by the Advocates themselves is an important part of a society governed by the rule of law and a prerequisite for the protection of individual freedoms and rights. Consequently, an Advocate holds a position of significant responsibility in our society. ( [51], Code of Professional Conduct, para. 1, emphasis in English original).
Moreover, like the European Bar, the Swedish Bar is quite critical of the AML/CTF obligations put on lawyers. In the words of one senior official, commenting on the low incidence of reporting 8 among Swedish lawyers: It's not that lawyers aren't knowledgeable about the law, can't be bothered or such. It's because of a lot of things, among other things that this is in conflict with rules on confidentiality and so on that have been in place since 1948. And then a new special law that obviously has not considered the rules that exist for lawyers. (Swedish Bar, 1) Irrespective of these espoused views, the Bar is the designated Supervisory Authority for issues of AML/CTF for lawyers in Sweden. The monitoring of lawyers is thus outside the official remit of the Swedish Financial Services Authority, the agency that supervises 9 banks and financial services providers, and acts as coordinator for the supervision of other regulated industries in Sweden. The profession supervises itself, and issues guidance. It can further be noted that, in a report on 'pro-active supervision', the Swedish Bar uses the phrase 'A question of quality and trust, as well as independence and self-regulation' ( [31], our translation) as the subtitle, emphasizing the primacy of self-regulation, and of professional norms and ethics. This position of the Bar in relation to AML/CTF is further emphasised in the content of its guidance. Here, it is proposed that, in order to handle clashes of roles and regulations, and ambiguities within AML/CTF regulation, it is: '…normally the lawyer responsible for the client or case that decides which information is possibly to be disclosed.' ( [52], p. 21) However, in the view of FATF, lawyers should rather be treated more like other DNFBPs (and DNFBPs more like banks) in relation to AML/CTF [53]. Sweden 8 The total number of reports from lawyers to the Swedish Financial Police during the five-year period 2011-2015 amounted to eighteen [50], making the average number of reports less than four per annum. By way of comparison, in the United Kingdom, the number of reports from 'independent legal professionals' during the one year period 2014/2015 amounted to 3827 [54]. 9 Incidentally, the supervision strategy the Financial Supervisory Authority is itself defined as 'risk-based' [49]. received some criticism specifically to do with lawyers in the 2006 Mutual Evaluation [53]. The, at that time existing, permission for Swedish lawyers to 'tip-off' clients after 24 h in the case of reporting raised concerns: 'This could hamper investigations heavily and should be amended' ( [53], p. 10). The most recent Mutual Evaluation was carried out when the duty for lawyers to report suspicions of money laundering and terrorism financing had been implemented in Swedish law, but before the Money Laundering Act [55], implementing the 3rd EU Directive [11], was implemented. In extant legislation, tipping-off is no longer allowed.
FATF further raised concerns to do with the proactivity of the supervisory authorities for DNFBPs, including that of lawyers. With a view to the Swedish Bar's supervision of lawyers, the 2010 follow-up report [56] states that there are in fact 'legally binding' rules in place for lawyers on AML/CTF, although these may not appear as such at first glance: The Swedish Bar Association has issued a legally binding AML/CFT guidance. The term "legally binding guidance" may confuse; however, the authorities indicate that the Code of Judicial Procedure (Chapter 8, Section 4, paragraph 1) and the Charter of the Bar Association (Section 34) ensure that guidance issued by the Bar Association is legally binding. ( [56], p. 29) In addition, the follow-up report observed that the Bar's guidance not only provides help with interpretation of the AML/CTF regulation, but also 'adopts certain views' on the difficulties that may be encountered by lawyers.
The guidance describes and interprets the AML Act and serves both as an introduction to the legislation and as an aid in relation to certain practical and administrative matters. The guidance also adopts certain views on a number of difficulties which arise from an interpretation of the legislation. ( [56], p. 29, our emphasis) The contents of these 'certain views' are not further discussed, though. Considering the position taken by the Swedish Bar elsewhere, however, it seems plausible to assume that these views may relate to questions on professional norms and ethics.

Swedish lawyers and money laundering prevention
In this section, we first discuss to what extent the lawyers in our study took on responsibility for preventing crimes of money laundering and terrorism financing. Next, we elaborate on whether and how lawyers knew, or came to know, what clients, cases, and/ or transactions constitute (high) 'risks' of these crimes. Finally, we turn to the question of action, and whether lawyers were inclined to report suspicions of money laundering or not.
Being responsibilisedto a degree Our interlocutors across firms emphasised the importance of good relations to clients. Law firms were businesses and it was important that clients were satisfied with their services, including the quality of client relationships. With a view to business interest, policing of clients was a dilemma. Lawyers told of their having initially been apprehensive that clients would react negatively to their queries, and that they would lose business. Said one partner: You were afraid that: 'Oh, this client isn't going to like us if we start asking questions about this and that, and taking inwhat if they go to somebody else? ' We cheated a little. The important thing was to get the case. (Partner 1, Large Firm A) Some years later, the requirements of the law were not presented as a threat to clients, and business interest, to the same extent. It was rather viewed as 'a necessary evil that causes a bit of friction' (Partner 2, Large Firm B)'. The reluctance to take on the responsibility for AML/CTF in the everyday had thus decreased over time. Nowadays, clients, at least large ones, were used to being asked about their identity etc. and tended to be prepared to provide information: There is greater awareness of these rules on the market. … It might not get to the top of their list of priorities. But it's not: 'Now since you're asking were considering engaging somebody else. You're being such a hassle!' We don't have that type of client. Though comparatively easier to accommodate over time, the principle opposition of business interest on the one hand, and the responsibility to prevent crime by adhering to regulatory requirements on the other, remained. One example provided of this clash of interests was related to the fact that timely services was of essence for clients, while the regulation prohibited a client being taken on without being fully AML/CTF vetted first. Due to vetting procedures being quite time consuming in some cases, cases could be delayed. Such delays, in turn, did not accord with the level of service clients expected from their lawyer. To mediate between the needs of clients, and that of the regulator, in such cases it did therefore happen that lawyers began advising on a case without the AML/CTFvetting being concluded, it was acknowledged. In this way, the needs of the client for speedy service was taken care of. In parallel, compliance with the regulation was seen to by not starting the billing process until all necessary documentation for the client in question was in place: Clients were not true clients if they had not been entered in systems for billing, it was argued. And the regulation concerned true clients.

Professional norms and ethics
Apart from 'pure' business interest, there were professional norms and ethics to consider in relation to clients, according to our informants. Client confidentiality was at stake, informants stated. The relationship between client and lawyer was one of trust, it was emphasised. Here there was thus another principle opposition between the requirements of AML/CTF regulation on one side and the rights of the client in relation to the lawyer on the other, according to our informants. Treating clients as criminals, as the regulation ultimately required in their view, undermined that relationship: And as a lawyer you're, it clashes with the idea of how lawyers are supposed to work and what issues you can trust bringing to a lawyer (Managing Partner, Medium Firm B) Putting the focus on the responsibility to prevent crime could result in clients being misrepresented and innocent persons reported, it was argued. This, in turn, would constitute a clear breach of professional ethics: But one may be wrongand if we report on our own client we have broken our ethical rules (Head of Risk Management, Large Firm B) You can't even inform the client -you are supposed to report them. And then you're supposed to just disappear. That's an extreme opposite to what you think the proper role of a lawyer really should be (Partner, Medium Firm B).
It can further be noted that all aspects of the conflict of interest experienced by our informants were not clearly visible to clients. They did know about client due diligence and similar measures, according to the lawyers. However, to what extent clients were really aware that they risked being reported to the financial police was debatable: I think that clients are aware that we need to bring in documentation to fulfil the regulation around money laundering. But I don't think clients in general are aware that we can end up in a situation where we have to report them to the police. (Partner 1, Large Firm A)

Law firms, not banks
Another observation on the topic of responsibility was that our informants drew a clear line of demarcation between law firms and banks. There was a better "fit" between the role and clients of banks, and the responsibilities laid upon private actors in the regulation. As a result, lawyers found the regulation more problematic: I see before me the banks as the main addressee for this regulation. And then one has added other addresses in steps. And have adapted the law to a certain extent, but not very much. We sometimes feel that it doesn't really fit our situation, terminology and those kinds of issues, and that's what we are grappling with. (Managing Partner, Medium Firm A) At the same time, the lack of fit made certain adaptations to their circumstances appear reasonable. The banks were positioned as more at risk to encounter suspicious transactions and clients, it was told. For one, banks were situated at the very core of the financial systems where transactions took place, whereas the lawyers were more to the side, 'facilitating' (Head of Risk Management, Large Firm A). Client relation-ships were also different, it was emphasised. Banks dealt with large numbers of anonymous clients. The law firms, by contrast, had more exclusive, long-lasting, and individualised relationships with clients, which, in turn, affected the degree to which they took on the responsibility for AML/CTF as part of the every-day. In the words of one partner: What's relevant for [this firm] is that we have comparatively few, and comparatively well-established, clients. And that probably means that the issue of money laundering isn't actualised every day. It's more like once you've made money laundering on one of these clients, it works, you know. (Partner 2, Large Firm B) Next, we turn to how lawyers knew, or came to know, about risks of AML/CTF. As we will see, they drew on several types of knowledge for that purpose.

Getting to know the risks
In all the firms, the legislation on AML/CTF from 2009 had driven investments in education and new procedures and routines. All our interviewees had participated in, or had themselves been conducting, educational programs on AML/CTF. Tools of e-learning, where lawyers and other staff worked through a programme with interactive components, were common. Here the co-operation between a set of large firms and the Bar Association was mentioned as important for guidance on how to conduct in-house training and how to interpret the law.
Databases and related products from specialised providers were also used. The large firms made use of the services of 'World-Check 10 ' from Thomson Reuters, and 'Orbis 11 ' from Bureau van Dijk. These are tools that provide information about organisations, and individuals, across the world, drawing on multiple sources like information from credit companies, public records, information about listed companies, news sites and more. Apart from providing information in a standardised format these tools provide categorisations of risk. Users thus get access to a preformatted assessment of whether, for instance, a firm has the kind of owner structure that merits a 'red' high-risk score although it is active in a 'green' low risk industry. This enabled a division of work between partners and supporting staff: I'm in a quite comfortable position. I tell my assistant to take it to the client registry: 'What do we need? Is this a client that is in some kind of risk zone, or? Can you ask them to check?' And then somebody does it for me. (Partner 1, Large firm A) The specialised databases allowed for a quick screening of clients with much smaller effort than manual searches on Google, for example, that were also used. However, the 10 http://www.world-check.com/ 11 http://www.bvdinfo.com/products/company-information/international/orbis licenses to use these databases were expensive and access was restricted to a limited number of lawyers' assistants and specialists that worked on compliance. Due to the costs of such systems, they were not considered a viable option for the medium sized firms. In these, the control process was more manual and more time consuming for staff.
In the large firms, the aim was to control all new clients. Here, the AML specialists saw themselves as simultaneously enabling a more efficient process whilst keeping an eye on things, being 'both a bit controlling, but also supportive' (Risk Manager, Large Firm A). In one of the large firms, a designated 'control and support' group with special competence on AML/CTF and access to the main databases was tasked with vetting all new clients. This meant that AML/CTF was integrated in the process of selecting new clients and projects. In the other large firm, a similar centralised approach to AML/CTF was under way.
In parallel, lawyers exhibited strong confidence in their own knowledge and experience as a basis for making assessments. The heads of compliance of larger firms underscored how the long education required to become a lawyer, and the thorough experience lawyers in the firm had, should make them well prepared for handling the ambiguities of the riskbased regulation. Other lawyers further emphasised the competence and experience of professionals like themselves. Many referred to a strong reliance on 'gut feeling' to assess potential risks: And I have my experience as a lawyer, I know when the heat is on or when it smells. But the details of the regulationthat is the knowledge of somebody else (Partner 1, Large Firm A) [We] have a lot of clients that are businesses that are exempt from minimal requirements. But that isn't to say that you can just take your hands from everything. There are still other applicable parts of the law. And there is still the risk that some conditions may arise that may cause suspicion. The interviews thus showed that the lawyers drew on different sources of information and types of knowledge when assessing and managing possible AML/CTF risks. This, in turn, had implications for actionability.

Actionable risks and reporting
We now turn to the question of how actionable the risk-based approach was in practice, and to what extent lawyers embraced their duty to reported suspicious clients. A first main observation was that the framing of the crimes as 'risk' did appear to serve as a call for action. The firms did engage in risk management of their clients and their transactions, as discussed above, and treated them as risk objects.

Assessing risk
The process of identifying (high) risk and the 'suspicious' rather than normal clients and transactions was in part quite straightforward. There were standard checks, such as those incorporated in the systems of World-Check and Orbis, that either raised a degree of alarm or not. These, in turn, were modelled after the requirements in the regulation. If transactions were to do with countries listed on FATF's High-Risk and Non-Cooperative Jurisdictions 12 , directly or indirectly, this was a source of concern and would set off an alert. Similarly, clients that were predefined as likely to be high risk in the regulation, required more attention. If a client or somebody involved in a deal was categorised as a 'PEP', a Politically Exposed Person, further controls were made. So-called 'ad-hoc' clients were also treated with more caution than established clients, or clients referred by known parties. Particular caution was taken if such new prospective clients were foreign, our informants stated. Taken together, it was evident that lawyers made use of the risk-based approach as a way to frame and act in relation to crime prevention.
A second main observation was that the risk-based approach was not always as actionable in practice as the generic trait implied. One practical concern was to do with the applicability of the regulation, as it did not apply to all types of cases. In brief, it was compulsory to carry out AML/CTF risk assessment and procedures in the case of 'transactions', that is when money was being handled or transferred. By contrast, professional services in relation to 'processes' fell outside of the domain of the money laundering law. Typically, then, cases where lawyers were engaged by clients to represent them in court did not have to undergo the same AML procedures and assessments. Yet, this classification of clients and cases was plastic, and labels applied could be interpreted in different ways: And it can be pretty difficult to judge, I think … They tend to call the cases some strange name and then you can't quite tell what it is. (Lawyer's assistant, Large Firm B).
I would say that that's almost the most common questionfrom other lawyers in the firm. Whether this is such a type of client and such a transaction, or not a transaction, so to speak. And: 'Is the money laundering law at all applicable to this case?' (Associate Lawyer, Medium Firm A).
What was more, classification could change over time. A case started out as a typical 'process' could very well end up being transformed into a 'transaction'. One lawyer shared the following scenario of how a case that was in fact a 'transaction', and thus susceptible to scrutiny under the law, could initially and intentionally be framed as a 'process' to hide criminal intents: Processes are a pretty large business for us. Civil cases in court, that is. And that is not a transaction. And then we interpret it like the law is not applicable. But let's say that two parties come to you and are processing from a third country, a country far away from Sweden, who have chosen in their arbitration contract to have arbitration proceedings in Sweden. And it's not that uncommon to have neutral arbitration in Stockholm. And then they want us as solicitors, or arbitrators, and then that process ends with an agreement and you write a settlement contract. And one company is to pay 100 million SEK to the other company. And then you may ask yourself: 'Did that just turn into a transaction? Is it the case that this process has been made under the pretext to really get into a legitimate context?' I'm not saying we have seen this. But as a lawyer you speculate all the time around the hypothetical boundaries of the law and it feels pretty easy to circumvent it. (Managing Partner, Medium Firm A) Another observation was that the view of the large firms was that the bad guys were rather more likely to approach smaller firms. One reason provided for this standpoint was that criminals were bound to realise that large firms had 'compliance departments and other things that can put a stop to it' (Partner 1, Large Firm A). Another argument put forth by lawyers in larger firms was that the type of client large firms worked with were mostly quite safe to deal with: Real estate is one of the risk areas. That you have understood. Then it's like this that we are kind of privileged in a large firm like this one. We work a lot with the large funds and such, and there it probably has been filtered. I don't know who has put money in the funds, but when you work with the fund of a large bank and similar you feel a certain, a greater sense of calm than if a private individual comes in and says:' I want to buy this!' (Partner 2, Large Firm A) The medium sized firms more readily recognised that they were at risk of being used by criminal elements. However, they did not position themselves as being more at risk of being used by criminals than the larger, and more well known, firms. Rather, it was reflected upon how not only medium sized or small firms ran the risk of being used by criminals. The large reputable firms were at risk of being used as well 13 : We have learned that the really sophisticated money launderers they don't have a problem coming with their own foreign law firms, reputable law firms that come to another country to help them with a transaction. And then, suddenly they have a really nice law firm. It gives them a kind of legitimacy in relation to us, or the bank. (Managing Partner, Medium firm A).
Lawyers further assessed the business side of client's cases as part of AML risk management. Clients doing business in, or being registered in, a tax haven or similar, was not deemed problematic per se. However, if there was no apparent business reason for such a choice of location this could make lawyers wary: I mean it's not unusual or strange, even if it's been discussed a bit politically and in the media, to be offshore and so on. And part of it is that the ultimate ownership is not visible. And then the control question is: 'Who owns this?' and 'Can you confirm that it in that case is below 25%'. So from our perspective the law affects our questions pretty much. Then there is another aspect on this, it's supposed to feel right to represent the client as well, of course. So if you pick up on something strange somewhere you react on that, and begin to ask questions, and dig into it and try to get an answer to it (Partner 2, Large Firm A).
The transactions performed by clients and the deals lawyers provided services for were often complex. A high degree of complexity was not suspicious. Seemingly unnecessary complexity in a case raised the alert among lawyers, though. To be sure, ownership structures and transactions were often quite complex, but in normal cases that was for a reason. Here, informants further emphasised how knowledge and experience was required in order to be able to separate unnecessary and suspicious complexity from that which was necessary and normal. Not getting any answers to questions to do with CDD was also suspect, as was getting contradictory information from external sources as compared to the information provided by the client.
Indeed, it has happened that somebody has claimed to be the CEO -and it's not correct (Head of Risk Management, Large Firm B)

Constructing compliance
In addition to the actual making of risk assessments using various types of knowledge, it was also necessary to take action in order to be able to prove compliance. This involved putting together a visible trail of what had gone in to the risk assessment. To what extent and how one was to ensure compliance and how to make compliance visible was also an ambiguous task.
… if they [The Swedish Bar] were to come here … and want to check whether we have complied with this law, then we can't say every time, and with every client, that: 'Well, we made an overall assessment and we didn't need any papers'. That probably wouldn't fall on fertile ground. (Head of Risk Management, Large Firm A).
For that purpose, lawyers told of using the recommendations of the Financial Supervisory Authority (FSA) as a template for making compliance transparent and visible, in addition to the advice provided by the Swedish Bar. n terms of deciding what was to be reported and not the lawyers considered the regulation quite broad in its scope. Yet, they had drawn the conclusion that the regulator did not want reports to the financial police on every possible small offence. The question to ask in their view was rather: 'what's the intent of the law' (Head of Risk Management, Large Firm B). Moreover, though the law concerned money-laundering as well as terrorism financing, possible financing of terrorism was not on par with money laundering in terms of what risks lawyers were looking for: 'It's the money laundering that's in focus' (Head of Risk Management, Large Firm B).
The result was that very few activities and transactions were deemed reportable by our informants; Most of our informants had not been involved in reporting anything to the Financial Police. None of them had reported a transaction with an existing client.
It's never happened. Now it's more about getting to know the new client, of understanding their structure and what kind of people they are. And after, when we've done that, it's rare for transactions to appear strange. Not the deals I'm engaged in (Partner 2, Large Firm B) Nevertheless, at least two reports had been filed by informants in our study. Both of these concerned cases that were not to do with actual clients, and did therefore not involve the principle clash of interests of the kind lawyers worried about. In effect, the two reports were likely outside the boundary of compulsory reporting. Said one informant with reporting experience: 'I have reported one casebut in that case we were probably not obliged to report' (Head of Risk Management, Large firm B).
To sum up, the obligation to report was not taken lightly. Many reflected on how finding a transaction that fulfilled the requirements to report would not be easy to handle due to the clash with professional norms and ethics, as discussed above under the heading of responsibility.

Discussion and conclusions
The FATF and FATF-style regulation have received an increasing amount of scholarly interest, and this special issue adds to that research. In this article, the aim was to shed more light on the private front-line actors of FATF. These actors have received comparatively less attention in empirical work, yet are central to how FATF-style regulation plays out in practice. It is the private front-line actors that enact the risk based approach by surveying, controlling, and ultimately reporting suspicious clients and transactions. Moreover, as we discussed in the introduction, the role of front-line worker for FATF-style regulation may clash with other interests of the actors concerned. Notably, crime prevention may clash with business interests, private actors may in fact have a dis-incentive to report [8], and private actors may themselves be at risk of being primary offenders (e.g. [21,22,24]).
Specifically, we have analysed how lawyers in Sweden understand and take on their purported role in the prevention of money laundering and terrorism financing. Here, a starting point was that though lawyers have an established role of being gatekeepers [28], the obligations of the role of 'front-line' actor in FATF-style regulation likely puts that societal role to the test, not least by challenging client confidence, and privileged information. While acknowledging the limitations on generalizability inherent to a case study, we do propose that the findings from our in-depth interview study contributes to theory development on the role of lawyers as 'front-line' actors for FATF style riskbased regulation on AML/CTF. First, we asked how lawyers reacted to the 'responsibilisation' implied by the risk-based approach (compare Fig. 1). We find that lawyers were reluctant to taking on the responsibility for AML/CTF. Our results show that public interest and the obligation to police clients conflicted with business interest and the demand to service clients for the lawyers. These findings resonate with the results of previous studies on how banks strive to balance multiple and conflicting demands when applying AML/CTF regulation (e.g. [10,11,47]). However, this is not to say that lawyers saw themselves as similar to other private actors enrolled in FATFstyle regulation. We also find that lawyers experienced a principle clash between being 'not banks', and being front-line workers for FATF. Their professional norms and ethics on client privilege, and what they saw as the proper role of lawyers, clashed with the responsibility to report in the regulation. This finding is in line with the critical reactions of e.g. CCBE [30], and provincial law societies in Canada [29], and serves to emphasise that the duty to report that comes with being a front-line actor of FATF is more of a dilemma for lawyers as compared to banks. Still, the observed clash between professional norms and ethics on client privilege and the proper role of lawyers on one hand, and reporting on the other did not play out in full in our study. Filing reports to the financial police is rare among lawyers in Sweden, and this general picture was reflected in our study. None of our informants told of having reported an existing client.
Our second question concerned whether and how lawyers perceived risk as knowable (compare Fig. 1.). Within a risk based approach, the presumption is that risks of AML/CTF are knowable, and the partnership approach promoted by FATF further emphasises that private actors already possess critical knowledge of clients that can be used to prevent crime. Irrespective of this, previous studies on banks and AML have underscored that banks are not so knowledgeable as the regulation purports, and that they may resort to outsourcing to handle regulatory demands for knowledge of risks of money laundering and terrorism financing (e.g. [19]). By contrast, we find that the lawyers by and large position themselves as knowledgeable actors, and that, in consequence, they view risks of money laundering as knowable. In assessing risks, the lawyers to a large extent drew on their own professional knowledge and experience as lawyers. They also made use of devises like databases and relied on specialised AML knowledge. This further meant that what clients or transactions were deemed a known 'risk' or 'high risk' were not fully predefined, by for instance regulatory alert categories like PEPs. Rather, among the front-line actors we study, risk was negotiated and adapted from case to case, and 'gut' to 'gut'.
Our third question concerned to what extent risk was 'actionable' (again, compare Fig. 1.) Here, the answer from our study is multifaceted. First, we do find that risk can be seen as rather actionable in that activities or transactions that were identified as (high) risks, via lawyers' knowledge and experience, or by AML-vetting systems, were given extra attention of particular kinds. This seeming actionability is not without its caveats though. Notably, the different 'ways of seeing' [46] risk among lawyers affect both how risks becomes knowable and known, as discussed above, and how they are acted upon. Our study thus draws attention to the range of activities and interpretations that are involved in order for risks to be(come) actionable, and to the temporal fluidity of categories like 'transaction'. These findings illustrate that for an issue to become stabilised as (high) risk, several iterations of assessment are utilised, making risk appear less actionable per se.
Furthermore, we identify what we define as practices of separation. These practices serve as means for lawyers to mediate between the aims and interests of FATF-style regulation on one hand, and other, conflicting, aims and interests on the other. A first example of how these practices of separation play out is in relation to new cases, where 'clients' could be separated from 'true clients'. Lawyers, on occasion, initiate services before the outcome of the sometimes lengthy AML-vetting and risk assessment process. This is done to protect business interest as 'clients' are not to be kept waiting. By separating 'clients' from the 'true clients' entered into billing systems when AML-vetting and assessment is satisfactorily completed, the conflict between providing speedy professional services and being a front-line worker for FATF can be resolved. A second example of practices of separation rests on lawyers being careful to point out that law firms are 'not banks'. The categorization of law firms as 'not banks' allow lawyers to view AML-obligations as more malleable. The riskbased approach is tailored to fit banks and their business models, it was argued. It was not adapted to law firms and their particular circumstances and clients. In short, this practice of separation makes it seem reasonable for lawyers to, at times, adapt obligations as they see fit in order to accommodate their specific needs as 'not banks' while being compliant enough. Finally, the iterative process of risk assessment points to a third example of practices of separation. In line with extant research on regulatees aiming for making compliance defendable [16,20], we find that the lawyers document compliance with an eye to possible future audit. In order to exhibit compliance, lawyers provide an auditable trail that shows that risks are and have been handled properly, and that risk are being defined in accordance with standard AML/CTF knowledge as present in the regulation. These practices, we suggest, have implications for actionability: By separating actual risk assessment, and the bases thereof, from risk assessment as portrayed and filed for purposes of future audit, the complexity of actual risk assessment is hidden. In effect, the actionability of the risk-based regulation for lawyers, as presented to external audiences, is exacerbated.
To conclude, we have shown how lawyers understand and take on FATF-style AML/ CTF regulation in their role as front-line workers. The overall conclusion is that the lawyers in our case work to protect the business interest of good client relationships, and to uphold professional norms and ethics, while being compliant enough. In so doing, they make use of several practices of separation. A 'true' pro-active crime prevention appears secondary in their use of the risk-based approach, as illustrated by the low incidence of reporting. On the other hand, one needs to bear in mind that the small number of reports could be a consequence of the construction of the regulation; that risk-based regulation on AML/CTF simply is not an efficient means to the end of lawyers detecting the potentially rotten apples in their client stock. A remaining question is thus whether it would be possible for lawyers to better help prevent crime among their clients, and contribute to the quest for security in society, with recourse to other types of regulatory tools. To that end, further research could focus on the political willingness to give lawyers possibilities to combine activities of 'true' pro-active crime prevention with their strong professional norm of client confidentiality. So far, the FATF recommendations and EU directives do not appear to make enough of a distinction between the banking sector and the non-banking sector. Here, our case suggests that the reluctance among lawyers to become engaged in 'true' pro-active crime prevention, and not only in being compliant enough in order to avoid punishment and sanctions, is dependent on if and how the FATF can listen more closely to how the front-line workers perceive and handle the regulations on AML/CTF in practice.