Our recent half-day “AML building blocks” workshop with FirstAML was all about turning a messy pile of AML obligations into a coherent, working system. Over the morning, 170 delegates followed the fortunes of fictional firm Harbour Gate Legal LLP and its newly appointed MLRO, Amelia Price – a character who felt uncomfortably familiar to many of the people on the call.
Meet Amelia and Harbour Gate
Amelia has just taken over as MLRO and MLCO at Harbour Gate Legal, a traditional practice with offices in Cardiff and Bristol. They are heavily involved in property (residential and commercial) and private client, and they have a corporate department. Like many firms, they also act for some offshore high-net-worth clients and rely heavily on professional introducers such as accountants, tax advisers and mortgage brokers.
She has inherited a system that “sort of” works, but only just. From a little dip test, she has seen that the client and matter risk assessments are inconsistent. Sometimes they are just tick-boxed, sometimes there’s not much information in them, sometimes they’re not done at all. Annual training is patchy, and no-one can quite articulate how all the different AML “blocks” fit together. Amelia’s brief is simple and brutal: sort it out before the SRA comes knocking.
Firm-wide risk assessment: the bedrock
Sophie opened with the firm-wide risk assessment (FWRA), stressing that this is not just another document to file away. “We refer to this in the compliance world as the bedrock of your AML compliance programme”, she commented.
The session contrasted fluffy, generic risk assessments with firm-specific ones that actually drive decisions. Using Harbour Gate as an example, delegates were asked to score different client groups by risk. The poll results were telling: run-of-the-mill residential property came out at around eight out of ten, while repeat instructions for Dubai property investors, offshore HNWs and a BVI trust all scored ten.
The point was not the exact numbers, but the discipline of ranking real risks and then asking: does our FWRA reflect this? Do our controls? If your FWRA still reads like a generic template, you are unlikely to be answering “yes”.
Policies, controls and procedures: matching words and reality
From FWRA, we moved to policies, controls and procedures (PCPs) – the bit most firms think they have sorted because there is a big manual on the shared drive. The presenters were clear that the SRA is less interested in how glossy your documentation looks than whether it bears any resemblance to reality.
When we later came to independent audit, the test was summarised neatly: “basically, what you are doing is checking, or you’re getting someone else to check that what you say you do, is what you actually do, and whether that’s effective”. That three-part question (say/do/effective) runs through the whole building-blocks model.
Client and matter risk assessments: beyond “annoying” forms
Ed’s session on client and matter risk assessments (CMRAs) picked up Amelia’s early discovery that things were all over the place. He admitted that if he had run a poll asking whether people’s CMRAs were inconsistent, “the answer would have probably been yes.”
The room recognised the sentiment: “Risk assessments are difficult. They are sometimes annoying, and [we get] pushback”. But the SRA’s message is that CMRAs are a core control, not a nice-to-have. Done properly, they are where you join the dots between FWRA, CDD, source of funds/wealth and matter strategy. Done badly (or not at all), they are a ready-made finding for an inspector.
For Harbour Gate, that means moving from multiple forms and inconsistent narratives to a single, firm-wide approach that forces fee-earners to answer the “does this make sense?” question on every matter.
CDD, source of funds and source of wealth: making the story hang together
In the CDD and SoF/SoW segment, the focus was on proportionality and narrative. The presenters noted the level of specificity the SRA now expects in high-risk work.
Rather than treating source of funds as a list of documents to collect, the workshop framed it as a plausibility test: does the matter make sense in light of what we know about the client’s business, income and background? Where it doesn’t, have we pressed for a better explanation and recorded the rationale?
The message for Amelia was clear: she cannot fix Harbour Gate’s AML simply by tightening up ID checks. She needs to embed a culture of asking and answering awkward questions about money – especially in those 10/10 risk areas the poll surfaced.
Independent AML audit: not a “one and done”
A big chunk of time was spent on Regulation 21 AML audits, reflecting their growing prominence in both SRA and LSAG guidance. Unsurprisingly, when Amelia asked whether Harbour Gate had ever had an independent AML audit, the answer was no.
A quick poll of attendees on barriers to commissioning an audit drew a range of responses, split between cost, time commitments and “no barriers – everyone loves it.” The presenter joked, “I’m delighted by the people who can’t think of anything better than having an AML audit” – but the point was serious.
Too many firms still see audit as a tick-box for the regulator rather than a tool for the MLRO. As one speaker put it, “you instruct it, it gets done, you get the report, you have a quick look at it, done and done. I don’t need to do that until next time. But that is not realistic.” For Amelia, the challenge is to use her first audit as a roadmap, prioritising findings, agreeing actions with management and feeding them back into FWRA, PCPs, CMRAs and training.
Training and culture: the new sheriff in town
The final “block” was training and culture, where the human side of Harbour Gate’s problems really shows. The workshop pushed delegates to think beyond the annual all-staff PowerPoint.
Nor can training be treated as a compliance chore. Sean summarised the standard nicely: “It cannot be a tick box exercise…Everyone needs to understand why HGL’s controls matter, and how they can apply them.”
For Amelia, now very much “the new sheriff in town”, that means designing training that is role-specific, risk-based and practical, using real Harbour Gate scenarios, file reviews and audit findings to make the lessons stick. “Ultimately, it’s about culture…we talk about culture quite a lot.” The workshop broke this down into concrete components: leadership tone, consequences for non-compliance, feedback loops from audit and supervision, and day-to-day conversations about risk.
Putting the blocks together
The morning ended where it began: with Amelia looking at a slightly overwhelming to-do list and asking for a plan. The presenters walked through how her FWRA will shape her PCPs, how those PCPs must show up clearly in CMRAs and CDD, how independent audit will test the whole system, and how training and culture glue it together.
Crucially, the “building blocks” metaphor was revisited. AML is often experienced as a mess of overlapping requirements. By stepping back and viewing it from a bit of distance, the workshop showed how those blocks can actually support each other – if someone like Amelia is empowered to line them up.
For firms who joined us on the day, the challenge now is to do the same exercise with their own data, risks and people. If you missed the session – or want your partners and fee-earners to see what Amelia is up against – you can watch the recording here. The passcode is XS1z+g8W and the recording will be available until 28 December 2025.


