In Industry Insights

By Jonathon Bray and Jonathan Coleman (FirstAML)

In the current climate, no law firm can afford complacency about AML compliance. Yet certain myths persist – misconceptions that can lull firms into a false sense of security. These myths often stem from outdated assumptions or a misunderstanding of SRA requirements.

Unfortunately, reliance on such misinformation can have serious consequences. The SRA has ramped up its enforcement of the rules in recent years. Firms that once flew under the radar are now finding themselves subject to audits, fines, and disciplinary action.

COLPs, COFAs, law firm partners, and risk managers should take note: even well-intentioned myths can land a firm in trouble. By dispelling these myths, your firm can shift from a reactive stance to a proactive compliance culture that anticipates regulators’ expectations.

1. “We’re too small to need all these formal AML documents.”

The Myth: Small firms sometimes believe that comprehensive anti-money laundering controls – like a firm-wide AML policy or risk assessment – only apply to higher risk firms or those handling large financial transactions. A two-partner high-street practice might think, “Money laundering won’t happen here – we know our clients, and regulators only focus on large firms.” This myth implies that limited size or simple client bases exempt a firm from formal AML compliance.

The Reality: All solicitors’ firms in scope of the money laundering regulations must comply, regardless of size. The Money Laundering Regulations 2017 (MLR 2017) and SRA rules make no “small firm” exception for having an AML policy and a practice-wide risk assessment. In fact, the SRA has explicitly fined small firms for failing to put basic AML controls in place. Fines are regularly around 2-3% of turnover.

Recent statistics show small firms are disproportionately subject to AML scrutiny. Firms with 20 or fewer fee earners accounted for 86% of SRA enforcement actions in 2023/24. In other words, smaller practices are very much on the SRA’s radar – perhaps because they often lack dedicated compliance staff and thus run a higher risk of breaches. The SRA takes a risk-based approach, meaning it will visit or review firms of any size if they engage in high-risk work or if they are selected in a random sample.

Regulatory basis: For firms in scope of the MLR 2017, failing to have a firm-wide risk assessment and AML policies, controls and procedures contravenes Regulations 18 and 19 respectively. SRA rules are also relevant, such as the duty to uphold the rule of law, maintain public trust, and have “effective governance structures, arrangements, systems and controls in place” to meet regulatory obligations.

Even the smallest firm can implement an effective AML policy with a methodical approach:

  1. Perform a Firm-Wide Risk Assessment: Map out the types of legal services you offer, your client demographics, jurisdictions involved, transaction values, etc. Identify which areas are high risk (e.g. cash-intensive clients, complex corporate structures, property deals) and document the assessment. Tip: Use the SRA’s templates as a starting point, or take specialist advice.
  2. Create a written AML policy and procedures: Based on your risk assessment, draft a clear policy that outlines procedures for client due diligence, source-of-funds inquiries, record-keeping, ongoing monitoring, reporting suspicious activity, and sanctions screening. Even a short policy is better than none – it should reflect the risks you identified and set out how you manage them.
  3. Assign responsibilities: Even a sole practitioner should formally designate an MLRO (Money Laundering Reporting Officer) to receive internal suspicious activity reports, and an MLCO (Money Laundering Compliance Officer) responsible for overall AML systems. In a very small firm these may be the same person (often the principal), but document the appointment. 
  4. Train all staff (including Principals): Ensure that everyone in the firm, from partners to support staff, understands the AML policy and their role in it. Training should cover how to spot red flags, how to conduct due diligence, and the legal obligations. Regular tailored staff briefings coupled with online courses can fulfil this. Tip: Ensure your training addresses the real risks faced by your firm. 
  5. Implement Client and Matter Risk Assessments: Beyond the firm-wide view, for each new client or matter, perform a tailored risk evaluation (more on this under Myth 6). This ensures even a small firm applies a risk-based approach case-by-case. Tip: Start with the SRA’s client and matter risk assessment template, editing it down according to the firm-wide risk assessment.
  6. Monitor and Update: Treat AML compliance as an ongoing process. Periodically (at least annually) revisit your firm-wide risk assessment and policy. If you open a new practice area or notice an emerging risk (e.g. a new typology of fraud in your region), update your documents. Keep minutes or records of these reviews – they demonstrate proactive compliance if the SRA ever inspects. Tip: Regulation 21 requires firms to establish an independent audit function to check the effectiveness of the AML controls in place, where appropriate having regard to the size and nature of the business. In practice this will apply to most law firms in scope of MLR 2017, and a firm that decides it does not apply should record why.

2. “As long as we do really thorough ID checks, we’re covered for AML.”

The Myth: Many solicitors equate “AML compliance” with performing ID checks on clients at onboarding – copying passports, driving licences, utility bills, etc. This myth is the belief that identity verification alone satisfies anti-money laundering due diligence. Once you’ve verified your client is who they say they are, the thinking goes, your anti-money laundering obligations are done. In reality, this is a dangerous oversimplification, based on outdated AML rules.

The Reality: Client Due Diligence (CDD) is much more than just ID verification. Verifying identity is only one step. MLR 2017 requires a risk-based assessment of the client and matter, understanding the source of the client’s funds, the purpose of the transaction, and whether any additional checks are warranted. Simply collecting a copy of a passport does not evaluate whether the funds involved might be illicit or whether the client’s profile poses a higher risk of money laundering. 

The SRA has repeatedly found that firms get into trouble by treating CDD as a checkbox exercise limited to ID documents, while failing to probe deeper. In fact, one of the most common compliance failures reported by the SRA is firms’ failure to carry out source-of-funds checks, verify where client money was coming from or the economic rationale of transactions – even though these checks are “fundamental to understanding the risk of every transaction”.

A simplistic “ID-only” approach has led to multiple enforcement actions. For example, a legal executive in a conveyancing department was personally fined £3,500 for not adequately establishing the source of funds in property transactions. She had verified the clients’ identities but did not follow up on red flags about the large sums involved, thereby wilfully disregarding the firm’s AML policies. The SRA concluded that merely confirming identity, without asking “Where is this money coming from and is it legitimate?”, was not sufficient and had the potential to facilitate money laundering. 

To ensure you’re fully covered on this point, firms should adopt risk-based client due diligence beyond simple identification:

  • Verify identity and authenticity of documents: Yes, start with the basics – obtain reliable, independent source documents (passport, photo ID, etc.) and verify that they are genuine and the person before you matches the ID. Also identify beneficial owners behind corporate clients and verify their identities where required. Use electronic verification tools to streamline or replace manual ID checks.
  • Assess the client’s risk profile: As you onboard the client, determine if they present higher risk. Using the client and matter risk assessment, consider factors like: Are they a PEP or linked to one? Are they connected to a high-risk third country (as listed by the UK or the FATF) or a sanctioned jurisdiction? In an industry known for cash usage? Any adverse media results when you research their background? A simple internet search can reveal red flags (e.g. news of past fraud allegations). If high-risk, apply enhanced due diligence (EDD), including getting senior management approval to take on the client, obtaining additional verification, and closely examining source of wealth.
  • Understand the purpose of the retainer: Document why the client is seeking your services and the nature of the transaction. Is the transaction rationale clear and legitimate? Understanding this context will help spot if something doesn’t add up. For instance, a client’s claim that funds are from an inheritance should be consistent with their background and documents. If a client is based outside your usual territory, is there a good reason for them to be using your firm? If a rationale is unclear or overly complex for no good reason, that’s a red flag.
  • Enquire into source of funds: For any transactional matter (e.g. handling client money, M&A, property purchases, large settlements), always ask: “Where is this money coming from?” and, if high-risk, ask for evidence. Source of funds checks might include bank statements, proof of earnings, sale agreements for assets, etc., to support the client’s explanation. Regulators expect this, especially when the sums are large or the client is not well-known to you. The SRA has called understanding source of funds “a fundamental part of the risk-based approach”, noting that firms need to do this far more often than they currently do. If a client is unwilling or unable to provide a plausible source of funds, that is a strong warning sign.
  • Document and risk-rate the matter: Keep a record of all CDD steps. Note the client’s risk level (e.g. low/medium/high) in a risk assessment form. A higher risk rating should trigger senior review and possibly more frequent monitoring. For example, a high-risk file might be checked every few months to ensure no new issues have arisen, and any incoming funds on that file should be scrutinised each time.
  • Ongoing monitoring: Don’t consider CDD a one-off task. Especially for longer matters or client relationships, continue to be alert. If new information emerges (the client engages in an unexpected transaction, or there is news of a sanctions designation, etc.), update your due diligence. Ensure that funds received align with the profile – if a low-income client suddenly transfers a significant sum, pause and re-verify. Keep CDD information updated if the matter goes on for years (IDs can expire, circumstances can change).

Remember: a firm that had all the passports on file but didn’t look for the warning signs of a money laundering scheme is not compliant in the SRA’s eyes. Make sure ID checks are the beginning of your AML controls – not the end.

3. “We can’t possibly have to check the other side’s client for sanctions.”

The Myth: Lawyers often focus AML and sanctions checks on their own client, under the assumption that you are only responsible for vetting those you directly represent. This myth holds that due diligence on opposing parties or the other side’s client is not necessary, since “they’re not our client.” For example, in a transaction between A (your client) and B (opposing party), a solicitor might screen A against sanctions lists but not consider B. The misconception is that sanctions compliance is satisfied as long as you aren’t directly advising a sanctioned individual.

The Reality: Sanctions liability can arise even if you indirectly deal with a sanctioned party. The UK’s Office of Financial Sanctions Implementation (OFSI) operates a strict liability regime for sanctions breaches. This means that if your firm facilitates a transaction involving a designated (sanctioned) person – even unknowingly – you could be in breach of the law and subject to penalties. It is no defence to say, “but they weren’t our client.” 

For instance, if you are acting for a seller and the buyer (represented by another firm) is a sanctioned individual or entity, proceeding with the deal could amount to making funds or assets available to a designated person, which is prohibited. Law firms have been sternly warned about “unwittingly facilitating” sanctioned transactions. 

This means you must consider all parties involved in a matter for sanctions risk, especially when transactions or flows of funds are involved. The SRA’s latest AML report noted that the regulator is actively investigating cases relating to breaches of the sanctions regime, particularly in matters linked to Russian clients or counterparties. We should expect enforcement in this area. 

However, in reality, most firms take a common sense approach to sanctions and do not routinely check every single counterparty. The SRA has endorsed this “proportionate but risk based approach”. Unlike CDD under the MLR 2017, there is no free-standing legal duty to run a sanctions check; the legal duty is not to breach the sanctions regime, and checking is simply how you avoid doing so. You either breach a sanction or you do not, and if you do, there are consequences. But in the vast majority of domestic legal work there is little to no sanctions risk. 

The SRA does, however, expect all firms to have considered their sanctions exposure in a formal risk assessment document.

You are not expected to carry out due diligence on every opposing party in every matter to the same degree as on your own client. However, when a matter involves a higher-risk exchange of funds or assets, or the other side is in effect benefiting from your services (directly or indirectly), you should consider sanctions exposure. 

Here’s how to approach it:

  • Identify key third parties: At matter inception, identify all parties involved in the transaction or case who will be relevant to payments or asset transfers. In litigation, this might be a creditor or someone receiving settlement funds; in a property deal, the buyer, seller, and any intermediaries; in corporate deals, shareholders or beneficial owners of the entities. Pay special attention if the other side is from a high-risk jurisdiction (e.g. a country under sanctions or with a high corruption risk).
  • Screen names against sanctions lists: Check those names against the UK Sanctions List (published by the FCDO) and OFSI’s consolidated list of financial sanctions targets, ideally using a screening tool that re-runs the checks for you. This can often be done quickly and at low cost. Remember to check spelling variations, transliterations and associated entities. If the name is common, gather enough information (date of birth, nationality) to confirm a match or discount a false positive, and record the rationale either way. Strict liability means even partial matches warrant further inquiry – you might need to ask the other side’s solicitors for assurance if a name is similar to a sanctioned person.
  • Assess your exposure: If you discover a party is sanctioned or high-risk, stop and escalate. Engage your COLP/COFA or MLRO. You may need to seek a licence from OFSI to proceed (for example, there are licences for legal fees or certain transactions involving designated persons, but you must apply). It may be that you have to exit the matter if a licence isn’t feasible. 
  • Perform reasonable due diligence on source of funds from third parties: Even when no formal business relationship exists with the other side, if your client will be receiving funds from or sending funds to the other side, ensure those funds are not coming from a sanctioned bank or person. For instance, if the money to purchase a property is coming from the buyer’s offshore account in a jurisdiction known for sanctions evasion, query it. Sometimes requesting that the funds come through a UK bank (which will have its own sanctions filters) can add a layer of safety.
  • Contractual clauses and assurances: In transactions, consider inserting clauses where appropriate that all parties confirm they are not sanctioned and will inform if that status changes. While this won’t absolve you of liability, it creates awareness and a paper trail. Some firms ask the other side’s lawyers for confirmation that their client is not on any sanctions list – again, not foolproof, but it shows diligence.
  • Stay updated during the matter: Sanctions lists change frequently (especially during fast-moving geopolitical events). If your matter is long-running, periodically re-check the key parties. For example, many Russian individuals were added to sanctions lists in 2022; a party who was clear at the outset of a deal might become designated midway. Strict liability means you need to catch that change; otherwise you could unknowingly commit a breach.
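To make the screening step concrete, here is an added example (not the authors’ code, and not an OFSI tool) of how a name-screening routine handles the points in the list above: normalising spelling, punctuation and accents, tolerating re-ordered names and aliases, and using date of birth to confirm a match or discount a false positive rather than waving a partial match through. The list entries, names, dates and nationality codes in it are constructed and fictional, and the similarity thresholds are assumptions that would need tuning against a real list.

```python
"""Added example: a minimal sanctions-name screening routine.

Not the authors' code and not an OFSI tool. The list entries below are
constructed, fictional records in the rough shape of a consolidated-list
record (name, aliases, date of birth, nationality).
"""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

# Constructed sample list. A real deployment must load the current published
# list; the version string exists so that a re-check during a long-running
# matter can be evidenced on the file.
LIST_VERSION = "constructed-sample-v1"
SAMPLE_LIST = [
    {"name": "Ivan Petrovich Sokolov", "aliases": ["Ivan Sokolov", "Sokolov, Ivan P."],
     "dob": "1965-03-12", "nationality": "XX"},
    {"name": "John Smith", "aliases": [], "dob": "1970-01-01", "nationality": "GB"},
    {"name": "Aurora Trading Limited", "aliases": ["Aurora Trading Ltd"],
     "dob": None, "nationality": None},
]

STRONG = 0.90   # assumed threshold: treat as the same name
WEAK = 0.75     # assumed threshold: close enough that a human must look


def normalise(name: str) -> str:
    """Lower-case, strip accents and punctuation, collapse whitespace.

    'Sokolóv, Ivan P.' -> 'sokolov ivan p'
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_accents.lower())
    return " ".join(cleaned.split())


def name_similarity(a: str, b: str) -> float:
    """Order-independent similarity in [0, 1].

    Character-level similarity catches spelling variants; token overlap
    catches re-ordered names such as 'Sokolov Ivan'. The overlap denominator
    is the longer name, so a lone given name does not score as a strong
    match against a full list entry.
    """
    na, nb = normalise(a), normalise(b)
    seq = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    overlap = len(ta & tb) / max(1, len(ta), len(tb))
    return max(seq, overlap)


@dataclass
class ScreeningResult:
    status: str                 # "match", "review" or "clear"
    score: float
    entry: Optional[dict]
    reasons: list = field(default_factory=list)
    list_version: str = LIST_VERSION


def screen(name: str, dob: Optional[str] = None, nationality: Optional[str] = None,
           entries=SAMPLE_LIST) -> ScreeningResult:
    """Screen one party: return the closest list entry and what to do about it."""
    best_score, best_entry = 0.0, None
    for entry in entries:
        candidates = [entry["name"], *entry["aliases"]]
        score = max(name_similarity(name, c) for c in candidates)
        if score > best_score:
            best_score, best_entry = score, entry

    if best_score < WEAK:
        return ScreeningResult("clear", best_score, None, ["no list name within tolerance"])

    reasons = [f"name similarity {best_score:.2f} to '{best_entry['name']}'"]

    # Secondary identifiers decide between a confirmed match, a discounted
    # false positive, and a partial match that needs further inquiry.
    if best_entry["dob"] and dob:
        if best_entry["dob"] == dob:
            reasons.append("date of birth matches")
            if best_score >= STRONG:
                return ScreeningResult("match", best_score, best_entry, reasons)
        else:
            reasons.append("date of birth differs; discounted, keep this record on file")
            return ScreeningResult("clear", best_score, best_entry, reasons)
    elif best_entry["dob"] and not dob:
        reasons.append("no date of birth supplied; obtain one to confirm or discount")
    elif best_entry["dob"] is None and best_score >= STRONG:
        # Entities carry no date of birth; a strong name match stands on its own.
        return ScreeningResult("match", best_score, best_entry, reasons)

    if nationality and best_entry["nationality"] and nationality != best_entry["nationality"]:
        reasons.append("nationality differs; weak discount only, still review")

    return ScreeningResult("review", best_score, best_entry, reasons)


if __name__ == "__main__":
    for party in [("Ivan Sokolov", "1965-03-12"), ("Sokolov Ivan", None),
                  ("John Smith", "1982-05-05"), ("Aurora Trading Ltd.", None)]:
        result = screen(party[0], dob=party[1])
        print(party[0], "->", result.status, result.reasons)
```

Every result records the list version it was checked against, so the periodic re-check on a long matter leaves an audit trail rather than a bare “checked” note. Anything returned as “review” should be closed by a person, not by lowering the threshold; that is the point of the strict liability regime.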

By extending your horizon beyond just your own client, you protect your firm and uphold the wider legal obligation not to enable sanctioned parties. It’s about having a “whole transaction” view. The SRA and OFSI expect solicitors to be gatekeepers in the financial system. If there’s any reasonable chance that the “other side’s client” could pose a sanctions issue, it is far better to check early than to plead ignorance later. The cost of a quick sanctions search is nothing compared to potential penalties or reputational damage.

In summary: know who all the players are – not just the one paying your bill.

4. “The SRA doesn’t really expect us to see our own employees as an AML risk.”

The Myth: This misconception assumes that anti-money laundering compliance is solely outward-facing – focused on clients and external parties – and that a law firm’s staff are implicitly trusted. Some firms might think employee due diligence isn’t a regulatory requirement, perhaps reasoning that “we hired qualified solicitors, we don’t need to screen or monitor them for AML issues.” Similarly, there might be an assumption that as long as staff are hired in good faith, the firm won’t be held responsible for a “rogue employee” engaging in misconduct.

The Reality: The SRA absolutely expects firms to vet and monitor their own people as part of a robust compliance programme. Law firm employees and even partners can themselves pose AML risks – for example, someone with an undisclosed criminal background, financial difficulties, or simply a careless approach to procedures can become the weak link that criminals exploit. There have been cases of staff in law firms who themselves facilitated money laundering or fraud, leading to severe consequences for the firm and the individual. 

The SRA has made it clear that firms must have internal controls, including employee screening and training, to prevent internal risks. In fact, the Money Laundering Regulations explicitly require appropriate employee screening (Regulation 21(1)(b) MLR 2017) and training (Regulation 24 MLR 2017). This means checking a person’s background and qualifications before and during employment. The Law Society advises that screening includes verifying references and qualifications and even considering a criminal record (DBS) check for relevant staff. 

Enforcement examples illustrate why. In one case, the SRA fined an individual conveyancing caseworker £3,500 for deliberately bypassing the firm’s AML procedures – she ignored the requirement to verify source of funds, contrary to her training. 

The SRA’s message is twofold: firms must train and supervise their staff, and if an employee wilfully breaches AML rules, the SRA can (and will) hold that individual accountable, not just the firm. In the conveyancer’s case, the SRA noted that her “wilful disregard” of AML obligations had the potential to cause harm even if no actual money laundering was proven. 

On a broader scale, the SRA frequently lists “failure to train staff” as a common breach in AML enforcement outcomes. This indicates that some firms still haven’t ensured their team knows and follows the required controls.

Regulatory basis: Regulation 21(1)(b) of MLR 2017 requires relevant firms to screen employees both before hiring and during employment, “as appropriate to their role.” 

Screening, as defined in Regulation 21(2), means an assessment of the employee’s skills, knowledge and expertise, and of their conduct and integrity, in the context of the AML role they perform. 

Additionally, Regulation 24 mandates regular AML training for all relevant employees. The SRA’s Code of Conduct for Firms also obliges firms to ensure compliance by employees with regulatory requirements (for example, Code for Firms 4.3 requires you to train staff on compliance where applicable). 

A firm that doesn’t vet who it employs, fails to educate them on AML duties, or neglects supervision is essentially leaving the door ajar for internal misconduct. 

Protecting against employee-related compliance risks involves both preventative screening and ongoing oversight:

  1. Pre-employment screening: Before hiring, especially for roles with access to client money or responsibility for CDD (e.g. accounts staff, fee earners in high-risk work, MLRO deputies), conduct thorough checks. Verify the person’s qualifications (e.g. if they claim to be a certified accountant or compliance officer, confirm it). Take up references and speak directly to referees when possible. If feasible and relevant, obtain a basic Disclosure and Barring Service (DBS) check for criminal records. Many firms now also search a candidate’s name against enforcement registers (like previous SDT findings or financial regulator bans) – a quick way to ensure you’re not hiring someone with a hidden disciplinary history. Document this screening process.
  2. Onboarding and training: From day one, new hires should receive training on the firm’s AML policies and their personal obligations. Make it clear that everyone has a role in compliance. For example, a secretary handling client onboarding documents must know how to perform ID checks properly, and a new solicitor should understand how to escalate a suspicious matter. Training isn’t one-off; require all staff to attend annual AML training updates (cover changes in law, sanctions updates, etc.). Keep a log of who has completed training – regulators may ask for evidence. Remember, in one enforcement case, a firm was cited for failing to provide AML training to a partner, showing that even senior lawyers need refreshers. No one is exempt from training due to seniority or role.
  3. Employee declarations and monitoring: It can be wise to have staff periodically confirm compliance and disclose any potential issues. Some firms use annual compliance declarations where employees affirm they are not aware of any breaches, have no new criminal convictions, and have followed all procedures. While this relies on honesty, it underscores the culture of accountability. Additionally, monitor staff behaviour in relation to compliance: e.g., check if CDD files are consistently complete for each fee earner, or if any employee is routinely ignoring risk assessment processes. Spot checks or internal file audits can reveal if a particular individual is cutting corners.
  4. Segregation of duties: Implement checks and balances in processes. For example, require that no single employee can authorise large payments from the client account alone – involve a second person or partner approval. If one fee earner onboards a higher risk client, perhaps a compliance officer or second partner must review the CDD. These measures help catch mistakes or misconduct.
  5. Cultivate a speak-up culture: Encourage employees to report internally if they see a colleague doing something against AML rules. This can be sensitive, but an anonymous reporting channel or clear policy can help. Often, coworkers notice red flags (e.g. someone not following ID procedures, or living beyond their means) before management does. Ensure there’s no retaliation for raising concerns.
  6. Regular review of staff in sensitive roles: For employees in particularly sensitive positions (MLRO, accounts cashier, senior managers), consider periodic re-screening. This might involve checking if their status has changed (e.g., financial difficulties that appear in credit reports, new directorships that pose conflicts, etc.). Also, confirm they are keeping up with continuing training. The goal is to ensure your trusted gatekeepers remain trustworthy and competent.

This is about creating a first line of defence from within. The idea is not to treat your people with undue suspicion, but to recognise that human factor risks are real. Whether it’s deliberate wrongdoing or accidental non-compliance, an employee’s actions can jeopardise the firm. 

In summary: Know Your Employee (KYE) is as important as KYC. A firm with robust internal vetting and supervision is far less likely to be “caught out” by an employee’s misconduct – and even if something happens, you’ll be better positioned to show the SRA that you took reasonable steps to prevent and detect it.

5. “If we report an AML breach, we’ll face harsh consequences.”

The Myth: Law firm leaders sometimes believe that reporting AML compliance breaches – whether to the National Crime Agency (NCA) or the SRA – is like inviting trouble. The assumption is that disclosing AML issues will inevitably lead to severe penalties or regulatory action, and therefore it’s better to quietly fix any problems internally, turn a blind eye to red flags, and hope regulators don’t notice.

The Reality: Acting on this myth is dangerous and, where it means failing to make a required disclosure, can itself be a criminal offence. Regulators, including both the NCA and the SRA, expect and actively encourage self-reporting. Far from inviting harsh punishment, voluntary reporting can significantly mitigate the consequences faced by a firm. 

Dual AML reporting obligations can arise:

  • NCA: Firms have a statutory duty under the Proceeds of Crime Act 2002 (POCA) and Terrorism Act 2000 to submit a Suspicious Activity Report (SAR) promptly whenever money laundering or terrorist financing is suspected. “Failure to disclose” (subject to legal professional privilege) is an offence in its own right.

  • SRA: Under the SRA Code of Conduct, significant or persistent AML breaches must be reported to the SRA, particularly if they reflect systemic weaknesses or have potentially facilitated money laundering.

Firms often misunderstand these distinct obligations. They must submit SARs to the NCA to discharge their legal duties related to suspicious transactions, while simultaneously notifying the SRA of any significant regulatory breaches.

Given how seriously the SRA treats AML deficiencies, as the raft of enforcement actions shows, it is hard to argue that such failures fall below the “serious breach” threshold that triggers self-reporting under the Code of Conduct.

Let’s say you are a new COLP. You are not the MLRO but, when assessing the firm’s current compliance with its AML policy, you become concerned that the firm-wide risk assessment has not been updated since 2017, the corporate team’s approach to source of funds checks is lacking, and the conveyancing department does not have client and matter risk assessments on its files. Any one of these could result in a fine if discovered during an SRA inspection. Logic therefore dictates that you must report the matter to the SRA – ideally at the same time as presenting your plan for putting things right.

Some practical steps for effective AML reporting:

  1. Clearly understand your reporting duties: Ensure all staff, especially compliance officers (COLPs, MLCOs and MLROs), know when and how to submit SARs to the NCA and report regulatory breaches to the SRA.

  2. Immediate internal escalation: Create a culture where staff promptly escalate potential AML concerns internally, allowing quick assessment and appropriate external reporting.

  3. Rapid response and mitigation: Upon discovering a systemic AML breach, take immediate steps to contain, investigate, and rectify the issue. Document these steps thoroughly.

  4. Prompt reporting to NCA: If suspicion or knowledge of money laundering or terrorist financing arises, file a SAR as soon as possible. Ensure your MLRO is trained and confident in this reporting process.

  5. Transparent and early SRA notification: If the breach reflects systemic weaknesses or significant compliance failures, notify the SRA early, clearly outlining the breach, remedial actions taken, and measures implemented to prevent recurrence.

  6. Cooperate fully with regulators: Maintain openness, respond promptly to follow-up questions from regulators, and provide all requested documentation. Demonstrating proactive remediation and cooperation can significantly influence the regulator’s response.

6. “The regulators are only really interested in the risk assessment for our firm. Individual matter risk assessments aren’t as important.”

The Myth: Some firms mistakenly believe that doing a one-time Practice-Wide Risk Assessment (also known as a Firm-Wide Risk Assessment) is sufficient, and that they do not need to conduct risk assessments for each client or matter. They might have a generic firm AML risk assessment document and assume that covers everything. The myth essentially ignores the requirement for matter-specific risk evaluation, perhaps due to misunderstanding the regulations or viewing it as unnecessary form-filling. 

The Reality: Both the law and the SRA are unequivocal: each client and matter within scope of the MLR 2017 must be risk-assessed as part of the AML process. It is a mandatory requirement under Regulation 28 of MLR 2017 that you assess the particular risks of every client relationship and matter. 

The Firm-Wide Risk Assessment is a high-level look at your business’s inherent risks and controls (required by Reg 18). But on the ground level, whenever you take on a new client or piece of work, you must consider that specific scenario’s risk factors (client identity, service type, geographic risk, transaction value, etc.) and document a risk assessment for it. Failing to do so is one of the most common and cited failures in SRA AML audits. 

In fact, the SRA’s 2023/24 AML report found that inadequate client/matter risk assessments were persistently an area of non-compliance. They even issued a template for matter risk assessment to help firms comply.

Enforcement cases underscore the point. A Hertfordshire firm, for example, was fined £25,000 by the SRA for failing to conduct client risk assessments on multiple files. Even though the firm claimed it had considered risks informally, the lack of documentation and procedure was a breach. The SRA treats absence of a matter-specific risk assessment as a serious compliance gap because it implies the firm isn’t genuinely applying a risk-based approach. 

Regulatory basis: Regulation 28 of MLR 2017 explicitly requires firms to conduct a risk assessment of the client and the purpose of the transaction, taking into account information obtained from CDD. 

In practice, this means once you’ve gathered your client’s details and the matter details, you assess the risk level of that client/matter before proceeding with or during the CDD process. 

The law also requires ongoing monitoring (Reg 28(11)), which includes updating risk assessments if new risks emerge. 

This is backed up by the SRA’s Warning Notice on Client and Matter Risk Assessments, which says that each client and each matter needs a documented risk assessment. 

Adopting a systematic approach to client and matter risk assessments will ensure you meet this requirement:

  • Use a standard template or checklist: Develop a simple risk assessment form to be completed at client inception (and updated as needed). The form should capture key risk factors: client identity/type (individual vs. company, PEP status, etc.), client’s geographic connections, nature of the retainer, value of transactions, complexity of payment arrangements, any third parties, etc. The SRA has provided a sample template which can be adapted. The form should allow fee earners to rate the risk (e.g. Low/Medium/High) and state why. For example: “Client is a UK resident teacher buying a house with mortgage – Low risk; no red flags” or “Client is an offshore company owned by PEP investing in property – High risk, will apply EDD.”
  • Integrate it into client onboarding: Make it a mandatory part of opening a new matter. Many firms build a risk assessment into their client inception workflow or software – you can’t proceed to full client sign-up until the assessment is done and approved. If you have an MLRO or compliance team, consider requiring sign-off on high-risk matters. The point is to force the conscious evaluation of risk at the start.
  • Consider both client and matter factors: Sometimes a low-risk client might be doing a high-risk transaction or vice versa. Your assessment should weigh both. For example, an existing long-term client might suddenly engage your firm in setting up an offshore trust – the matter itself elevates risk. Conversely, a high-risk client (say a PEP) might be seeking a service that is routine and low value – still likely high overall risk, but the nature of the matter could mitigate some concerns if, for instance, no client money is handled. Document these nuances.
  • Determine due diligence measures based on risk: The outcome of the risk assessment isn’t just a label – it should drive your actions. If a matter is rated high risk, ensure you apply enhanced due diligence (EDD): obtain additional verification documents, dig into source of wealth, increase monitoring, and involve senior management in approvals. If it’s low risk, you might do the standard required checks and no more. The key is the rationale is on file. If the SRA asks “why didn’t you do X for this client?”, you can point to the risk assessment that justified the approach.
  • Include ongoing risk review: Risk is not static. Build in triggers for re-assessment. For instance, add a reminder in long matters (perhaps every 6 or 12 months) to review if the risk has changed. Or if something significant changes – e.g. the client’s circumstances change, a new party gets involved, or a payment comes from an unexpected source – update the risk assessment. Some firms time their ongoing monitoring to take place just before the point of no return (e.g. completion, transfer of funds).
  • Ensure compliance across the team: Train fee earners on how to do these assessments meaningfully. Often, templates get rote answers if people don’t understand their importance. Use case studies in training: show an example of a good risk assessment versus a poor one. Emphasise that these forms are there to protect them and the firm – not just paperwork. Some firms have implemented quality control where a compliance officer samples matter risk assessments to ensure they make sense and are properly filled in. Feedback is given if, say, someone marked a clearly high-risk case as “low” without basis. Consider adopting that oversight until the culture of risk assessment is solid.
  • Leverage technology: If you have many matters, an electronic workflow can help track that every file has a risk rating. Some practice management systems allow you to generate risk reports (e.g. list of all high-risk matters for the MLRO to review). This can be useful for management information and ensuring nothing slips through the cracks.

Implementing matter-specific risk assessments might seem burdensome initially, but it quickly becomes second nature. It can be as brief or detailed as needed. For a straightforward will for a longstanding local client, a few ticked boxes and one sentence may suffice (“Known local client, no red flags, low risk”). For a complex deal, the assessment will be longer. The key is that you have thought about it and recorded it. Remember, the absence of a documented risk assessment is a glaring violation in the eyes of the regulator – one that is easily avoidable. 

7. “We’ve never had a regulatory inspection, so we must be a low AML risk.”

The Myth: This is a complacency-driven myth – the notion that silence implies everything is fine. Many firms have not yet been subject to an SRA AML inspection or any kind of in-depth compliance audit, but the SRA is thought to be planning around 800 per year. It’s easy to assume that since the regulator hasn’t knocked on the door, your policies and procedures must be acceptable. Some might even think the SRA only audits firms it suspects of issues, so being un-audited means you’re low-risk or off their radar.

The Reality: Not being audited proves nothing about your compliance status. The SRA uses a mix of risk-based targeting and random sampling in its supervisory approach. Many firms that thought they were compliant have been found wanting when eventually inspected. The absence of prior scrutiny could simply be due to the SRA’s scheduling and focus areas, not because your firm is perfectly compliant.

The SRA’s recent proactive supervision stats are telling: in 2023-24 they carried out 545 AML compliance engagements (inspections or desk-based reviews) – double the number from the previous year. Of those firms reviewed, only 110 (about 22%) were found fully compliant; 284 (52%) were only partially compliant, and 118 (over 20%) were not compliant at all.

These included firms who, prior to the audit, might have assumed everything was fine. The point is that a clean history (no audits, no complaints) is not a guarantee of actual compliance – it may simply mean non-compliance hasn’t been detected yet.

Regulatory basis: Under the Money Laundering Regulations, the SRA (as a professional body supervisor) is obligated to supervise and monitor firms’ compliance (Reg 46 and Sch.4). No news from the SRA is not an endorsement. Additionally, the SRA Code for Firms 2.1 requires firms to maintain effective governance – an implicit requirement is that you should self-audit and ensure you are compliant, rather than waiting for SRA validation.

Don’t wait for the regulator to tell you what’s wrong. Implement an internal compliance audit program to regularly test your own firm’s adherence to key requirements:

  • Periodic file reviews: Sample a selection of client files (especially in high-risk areas like conveyancing or international matters) on a regular basis – say, quarterly. Check each file for all the AML essentials: Is there a client risk assessment on file? Was CDD completed before the transaction? Is there source of funds evidence for relevant transactions? Was ongoing monitoring documented? Essentially, perform the same kind of review an SRA inspector would. If you find missing pieces, address them immediately and consider if it’s an isolated slip or a systemic issue requiring retraining or process change.
  • Policy and document review: At least annually, review your firm’s AML policy, firm-wide risk assessment, and related documents (sanctions policy, training log, etc.). Regulations, risks, and best practices evolve – ensure your documentation is up to date. For example, the National Risk Assessment might identify new threats; your Firm-Wide Risk Assessment should be updated to reflect any new services or changes in your client base. Document that you performed this review (even a short memo of updates made). 
  • Simulate an SRA visit: This can be a useful exercise. Imagine the SRA gives you 2 weeks’ notice of an audit. What documents and evidence would they request? Typically, it will include your Firm-Wide Risk Assessment, a list of clients/matters and their risk ratings, sample CDD files, training records, your AML policy, and maybe an organisation chart. Gather those as if you were responding. This often highlights if something is missing or hard to find. If you struggle to compile the evidence, that indicates an area to improve record-keeping. Being audit-ready at all times is the goal – not in a paranoid way, but as a natural outcome of consistent compliance work.
  • Address findings and learn: Treat internal audits as constructive. If you discover non-compliance issues internally, don’t just patch the single instance – ask why it happened and how to prevent it. For example, if you find a file without a risk assessment, maybe the process for opening files needs adjustment or that fee earner needs retraining. If several files from one department have issues, maybe that department head needs to enforce procedures more stringently. Use the findings to refine your systems. And of course, if the issue is serious (e.g., you find an entire segment of clients with no CDD due to a process flaw), consider whether this triggers a self-report to the SRA (tying back to Myth 5). It’s better they hear it from you with a solution in hand than discover it on their own.
  • Commission an independent audit: Regulation 21 MLR 2017 requires firms to consider having an independent audit function. Most firms within scope are expected by the SRA to conduct an independent AML audit (by an external consultant or your internal audit function if one exists). Doing this exercise every couple of years can be invaluable. The auditor can provide an unbiased check of your compliance and suggest improvements. This pre-empts what the SRA might find, allowing you to fix issues in a less pressured environment.

In summary, the fact that the SRA hasn’t come knocking yet should not lull you into thinking “we must be fine.” It should instead motivate you to ensure that when they do, you can be confident. The SRA’s proactive supervision model means your number could come up simply as part of their routine risk-based scheduling. And as enforcement data shows, when they do look, they often find something – not because firms are maliciously non-compliant, but because AML compliance has many moving parts and SRA inspectors know where to look. 

8. “We’ve known the client for years – they’re not a risk.”

The Myth: A common assumption in legal practices is that long-term or well-known clients pose little to no money laundering risk. Firms often think, “We’ve acted for this client for over a decade, we know their business inside out,” or “They’re a local business owner we’ve seen grow from day one – surely there’s no risk here.” 

This belief can lead to complacency: skipping due diligence updates, not probing the source of funds, or treating ongoing monitoring as unnecessary. The underlying myth is that familiarity equals low risk, or even no risk.

The Reality: Longevity of a client relationship is not a risk exemption under the Money Laundering Regulations 2017 (MLR 2017). Regulation 28(11) specifically requires ongoing monitoring, which includes scrutinising transactions and keeping documents, data, or information obtained for due diligence up to date. 

Familiarity can in fact be a risk blind spot. Criminals often exploit professional relationships of trust to introduce illicit funds into the system. A client once low-risk may shift into higher-risk activity over time – e.g. expanding into high-risk jurisdictions, engaging in complex corporate structures, or suddenly conducting unusually large transactions.

The SRA has raised repeated concerns about firms failing to refresh due diligence on long-term clients. In its 2023 AML Thematic Review, the SRA noted that “a significant number of firms were unable to demonstrate how they ensured that long-standing clients remained within their assessed risk category.” In several enforcement cases, firms were sanctioned not for failing to verify identity, but for failing to notice red flags because of assumed trust.

Case study: In 2022, a small firm was fined £16,500 by the SRA for failing to question a long-standing client who began instructing the firm on large property deals with complex offshore structures. The firm had completed CDD over ten years earlier and failed to conduct ongoing monitoring or update risk assessments. The client was later linked to international fraud investigations.

Regulatory basis: Under Regulation 28(11) of the MLR 2017, firms must conduct ongoing monitoring of the business relationship. This includes scrutiny of transactions, ensuring that they are consistent with the firm’s knowledge of the customer and their risk profile, and keeping CDD information up to date. The SRA Code of Conduct also requires solicitors to act with integrity and uphold public trust – which includes not turning a blind eye to risk indicators, regardless of personal familiarity.

Here are some suggestions for taking familiarity bias out of the equation:

  • Reassess long-standing clients periodically: Set a regular cycle (e.g. annually or every two years depending on risk level) to review client due diligence, particularly for those engaging in high-value or high-complexity work. Don’t rely on “we know them” – re-check ownership structures, source of funds, and identify any new jurisdictions or business activities. Tip: Use a simple CDD refresh form that includes updated identity checks, beneficial ownership, and recent transactional behaviour.
  • Apply transactional scrutiny: Even for familiar clients, scrutinise individual transactions. Ask: Is this consistent with what we know of their legitimate business activities? Are there red flags (e.g. last-minute changes to payment details, third-party payers, unusual urgency)? Tip: Keep a transaction checklist aligned with the risk profile of the matter and the client.
  • Don’t skip risk assessments: Perform a client and matter risk assessment every time – regardless of the length of the relationship. A low-risk client in an employment law matter might still pose risk in a new corporate transaction. Tip: Refer to the SRA’s Client and Matter Risk Assessment template and ensure longevity is not used as a justification to downgrade risk scores without objective justification.
  • Train staff against familiarity bias: Include specific scenarios in AML training where staff must challenge assumptions based on long-standing relationships. Make it clear that personal trust or prior experience is not a substitute for proper documentation and scrutiny. Tip: Use anonymised real-life examples in training to reinforce how well-known clients can be high-risk.
  • Document everything: If you decide a client remains low risk, document how you reached that conclusion – including evidence of updated CDD and why no new red flags were identified. Tip: Maintain an audit trail showing dates of last reviews, rationale for ongoing relationship monitoring frequency, and evidence of staff escalation procedures.
  • Update Firm-Wide Risk Assessment accordingly: If your firm regularly relies on long-standing client relationships, consider whether that cultural tendency increases your risk. You may need stronger internal policies on refresh cycles or supervisory checks. Tip: Amend your Firm-Wide Risk Assessment to include the risk of “familiarity bias” and plan mitigating controls.

9. “We onboarded this client in a low-risk area, so we don’t need to do AML checks again.”

The Myth: A frequent assumption is that if a client initially instructs the firm in a low-risk area like employment law, they pose minimal or no money laundering risk across the board. The reasoning often goes: “We onboarded them for straightforward redundancy advice,” or “They’ve only needed us for staff contracts – there’s no complexity here.” This myth creates a “passporting” effect – where a client is allowed to access other, potentially riskier services without updated checks, just because they originally entered through a low-risk door.

The Reality: Client risk is dynamic – not static. A matter in employment law may be low risk, but that same client could later instruct on a merger involving overseas buyers, complex structures, or high-value transactions. If the firm hasn’t updated due diligence or re-assessed the client at that point, they’re effectively “passporting” them into a high-risk area under a low-risk label. This is a breach of both the Money Laundering Regulations 2017 and SRA expectations.

Passporting creates a major vulnerability. A client who was perfectly legitimate for a minor employment issue may now be acting for a new company, have new beneficial owners, or be operating in a high-risk jurisdiction – all without the firm realising it. Regulation 28(11) requires ongoing monitoring and risk-based reassessment, not a one-time gateway check.

In its 2023 AML Thematic Review, the SRA warned that firms were failing to re-evaluate clients who moved into different legal services. In several disciplinary cases, firms were fined not for onboarding failures, but for failing to reassess risk when the client’s instruction type changed significantly.

Case study: In 2023, a mid-sized regional firm acted for a long-standing employment law client who later asked the firm to assist in a share purchase involving offshore entities. The client had undergone no updated due diligence. The firm failed to flag that the purchasing company was based in a high-risk jurisdiction and used a nominee structure. The SRA fined the firm £21,000 for failing to conduct updated risk assessments and treating the client’s original employment law CDD as sufficient across all matters.

Regulatory basis: Under Regulation 28(11) of the MLR 2017, firms must monitor business relationships and ensure due diligence information remains accurate and appropriate to the client’s evolving risk profile. This includes applying a risk-based approach at the matter level – meaning that different legal instructions from the same client can and often do warrant separate assessments.

Passporting is a recognised blind spot, so put in place controls:

  • Treat new instructions as new risk events: When a client moves from one legal service area to another, particularly from low-risk to potentially high-risk (e.g., employment to corporate/commercial), reinitiate your client and matter risk assessments. Tip: Flag “instruction type change” as a mandatory reassessment trigger in your AML policy.
  • Update due diligence with every material change: Moving from advising on a staff grievance to handling a business acquisition is a material change. Update your CDD accordingly – verify new ownership, funding sources, and check for high-risk jurisdictions or PEPs. Tip: Use a “change of matter scope” checklist to ensure all red flags are reassessed.
  • Assign different risk scores by matter: Don’t assign a single risk level to a client for their entire relationship. Each matter should carry its own risk profile. Tip: Use your practice management system to log separate matter-based risk assessments.
  • Train against “passporting bias”: Include training modules that highlight the risks of allowing a low-risk matter to serve as a free pass for high-risk instructions. Tip: Use anonymised real-world examples from disciplinary cases to reinforce the point.
  • Build in system safeguards: If your firm handles multi-discipline instructions, consider workflow checks that block matter opening without updated risk reviews when client instructions significantly shift. Tip: Create automated alerts when an existing client opens a new matter in a flagged high-risk area.
  • Document rationale at each transition point: When you conclude that a new instruction does not raise new risks, make sure this is recorded and justified – with clear references to updated client profiles. Tip: Maintain a “matter transition log” to track client movement across service lines and your response.

A client’s initial contact point should never define their entire risk profile. What begins as a minor transaction can evolve into something with significant financial crime exposure. By assuming past simplicity guarantees future safety, firms risk violating core AML principles.

Conclusion – Reframing the AML myths

In summary, these nine AML myths continue to circulate in practice – and they are not harmless. Tackling them head-on is not only a matter of regulatory compliance and doing your bit to combat financial crime, but of protecting your firm from potentially unlimited fines.

By rethinking the myths, firms can shift toward best practice. Here’s how each of those flawed beliefs can be flipped into a robust compliance mindset:

  1. Every firm, regardless of size, must have formal AML documents and controls. Even the smallest practice needs a written firm-wide risk assessment, policy, and procedures that are tailored to its specific services and risks.

  2. AML compliance goes beyond ID checks – it requires a full, risk-based approach. Verifying identity is just the start. Understanding the client’s risk profile, source of funds, and transaction rationale is essential.

  3. Firms should assess sanctions risk across the whole transaction, not just their own client. Where there’s a chance that a third party could be subject to sanctions, appropriate checks must be carried out.

  4. Law firms must vet, train, and monitor their own people as part of their AML controls. Staff at all levels can pose a risk, and compliance systems must include employee screening, oversight, and a culture of accountability.

  5. Self-reporting AML breaches to regulators is not only expected – it can mitigate outcomes. Proactively disclosing issues to the SRA or NCA demonstrates professional awareness and integrity, and helps reduce potential sanctions.

  6. Matter-level risk assessments are a core requirement and must be done for every relevant instruction. Each client and each new matter must be risk assessed individually – this is not optional under the MLR 2017.

  7. A lack of past inspections is no proof of compliance – internal review is essential. Being prepared for regulatory scrutiny at all times is part of good governance, and internal audits are the best way to stay ahead.

  8. Longstanding client relationships must still be risk assessed and monitored. Familiarity should never be a substitute for documented due diligence and updated CDD. Risk can evolve over time.

  9. Each new instruction should trigger a fresh assessment of client risk – even for existing clients. Client risk is contextual. A low-risk employment matter today doesn’t mean a high-value corporate deal tomorrow is also low-risk.

About the authors:

Jonathon Bray is director of Jonathon Bray Limited, a compliance consultancy for UK law firms.

Jonathan Coleman is Head of Global Sales at FirstAML, a digital platform helping professional services firms streamline AML compliance.
