If your firm is within the scope of the Money Laundering Regulations 2017 (MLR 2017), you will be well aware of the importance of AML compliance. The SRA has made it clear: get this wrong and you risk significant regulatory consequences, including harsh fines and naming-and-shaming.
Here’s a straightforward guide to help you build (or sanity-check) your AML compliance framework.
The essential AML framework
1. Appoint the right people
- MLRO (Money Laundering Reporting Officer) – responsible for internal reports and deciding on external reports to the NCA.
- MLCO (Money Laundering Compliance Officer) – oversees overall compliance with the MLRs.
Make sure they have time, training, and authority to do the job properly.
2. Register properly
If you provide:
- Independent legal advice in transactions,
- Tax advice,
- Trust or company services,
…your firm must be registered with the SRA for AML supervision. Don’t assume this has been done—check.
Bear in mind that the SRA interprets these categories widely. Just because you exclude tax advice from your retainers doesn’t mean you necessarily avoid being a tax adviser for the purposes of MLR 2017.
3. Firm-wide risk assessment (FWRA)
Your FWRA is the cornerstone of your AML framework. It must be:
- Up to date
- Specific to your firm
- Inclusive of sanctions and proliferation financing risk
The SRA is not keen on seeing off-the-shelf template FWRAs (they have seen them all). Make sure your document is appropriately tailored. Date it, and archive old versions to keep an audit trail.
This isn’t just a one-time exercise. Review it annually or when risks change.
4. Client and matter risk assessments
Each file within scope needs:
- A client-level risk assessment
- A matter-level risk assessment
These should drive the level of due diligence and ongoing monitoring. One-size-fits-all = red flag.
Use the SRA template as a starting point. After the initial shock, refine the template to reflect your firm’s practice. Ensure it is consistent with your FWRA.
5. Recognise high-risk work
There must be:
- A process to flag high-risk clients or matters (e.g., PEPs, complex structures, offshore elements)
- Enhanced due diligence (EDD) procedures that are actually used
This is almost certainly something that should be in the policy or handbook, with supporting training and file supervision to check people are following procedures.
6. AML policy
Your AML policy must:
- Reflect your actual procedures
- Be informed by your FWRA
- Be comprehensive
- Be reviewed regularly
If your policy is too long and complicated, unread, or doesn’t match how your firm operates, it’s worse than useless.
7. Customer due diligence (CDD)
You must go beyond ID checks:
- Identify and verify clients and beneficial owners
- Understand the transaction
- Understand client structure
- Obtain and assess source of funds and wealth
- Ongoing monitoring throughout the matter
Some firms still haven’t got the message that we need to do better than a passport and utility bill. Whilst those might help with identification and verification, what do they actually tell us about AML risk?
8. AML training
- All staff must receive AML training
- It should be tailored, not just generic e-learning
- Keep training records
See the SRA checklist on what “good” AML training looks like:
- Relatable – tailored to the firm’s specific risks and relevant to the roles of individual staff.
- Ongoing – regularly updated to reflect new threats and changes in legislation.
- Leadership – supported by senior figures actively championing its importance.
- Engaging – interactive, designed to hold people’s attention and encourage genuine understanding.
9. Independent audit
An AML audit is a legal requirement for most firms. It must be:
- Truly independent
- Focused on your firm’s AML systems and controls
- Rigorous enough to test the effectiveness of those controls
- Repeated periodically (ideally every 1–2 years)
You do not have to hire external auditors. Can you MLRO-swap with another firm?
10. Staff screening
You must:
- Screen relevant employees both at recruitment and on an ongoing basis
- Consider criminal records, qualifications, and competence
SRA findings often highlight screening processes that are lacking.
Employees can be your biggest AML risk.
11. Keep records
You must keep:
- CDD records
- Risk assessments
- AML decisions
- Training logs
…for at least 5 years.
Firms have been fined for being unable to lay their hands on previous versions of AML policies and other documents.
AML compliance checklist
| Area | Check |
| --- | --- |
| MLRO and MLCO appointed and competent | ☐ |
| Registered with SRA under correct AML headings | ☐ |
| Up-to-date firm-wide risk assessment (FWRA) | ☐ |
| Sanctions and proliferation financing risk covered | ☐ |
| Client/matter risk assessments on every file | ☐ |
| High-risk cases identified and treated properly | ☐ |
| AML policy is current and reflective of actual practice | ☐ |
| Effective, risk-based CDD procedures used | ☐ |
| Source of funds and wealth obtained and assessed | ☐ |
| Ongoing monitoring procedures in place | ☐ |
| AML training delivered and tailored to roles | ☐ |
| Independent audit completed recently | ☐ |
| Staff screening documented | ☐ |
| Records kept for at least 5 years | ☐ |
If any of these building blocks are missing, it’s time to act. Many SRA enforcement actions come down to firms failing on the basics.
Need support putting this into action? Don’t wait until it’s too late.