New year, new you? If you’re thinking about your AML compliance, assessing your track record of assessing and submitting Suspicious Activity Reports (SARs) is a good place to start.
We do a lot of independent AML audits under Regulation 21. A common theme that runs through them is a generalised lack of submitting SARs. We see a few but these are often outliers, with the firm citing a particularly obvious red flag (allusions to underground banking, clearly dodgy deposits in a bank statement).
We’ve been hearing for years that law firms don’t submit enough SARs. In its 2024-2025 AML report, the SRA reported that they themselves had submitted 19 SARs from the files they had reviewed within their 833 firm inspections. Normally, the SRA review about eight files per inspection, so that totals 6,664 file reviews. On 19, they found enough of a suspicion of money laundering to submit a SAR – so in every 350 files they reviewed.
350 files could well represent just a (small) proportion of your firm’s caseload. So you may have potential SARs hiding in plain sight.
Why don’t people submit SARs? In the spirit of the teenage magazines of the 90s and early 2000s, I invite you to choose your “SAR sign” and learn why it stops you submitting SARs:
The Suspicion Shilly-Shallier
“What counts as a reasonable suspicion of money-laundering?” It’s a question we hear all the time. The answer is that it is not defined in the Proceeds of Crime Act. As such, it is given its everyday meaning: a possibility that is more than fanciful.
What’s more than fanciful? Something that is not purely speculative or imaginative. You do not need to have clear evidence to back something up, but you should be able to explain to the NCA why you think this is suspicious. In many cases, falling back on the fact that something is a known red flag for money laundering will help – for example, high values of cash without a clearly evidenced legitimate source, an unjustified sense of urgency about the transaction, layers of obscurity in terms of the parties or the funding.
You know what red flags are, so lean on them to assess whether something is more than fanciful. Remember, you are only required to report a suspicion: it’s not your job to present a fully investigated and adjudicated case to the NCA.
The Portal Pauser
The “new” NCA portal has been around for almost two years now, but many firms still aren’t signed up to it. Ok, so your reporting may be limited but not having access is going to be yet another obstacle put in your way, particularly if you are pressed for time.
If you haven’t signed up yet, make it your New Year’s resolution to do so. It’s relatively painless and there is some useful guidance listed on the main page here. This portal is more user-friendly than the old one (and certainly more so than the paper-route, which still exists, if you want to try to type your report on pages that look like they’ve been torn out of your Year 9 Maths exercise book).
One tip: think carefully about who will have access to the portal. You should have the main contact (the MLRO) but you should also include other users. It is vital that at least one other trusted individual can access the portal, so they can pick up any messages in case of the MLRO’s absence.
And, if the main contact leaves, ensure you transfer over their access in good time.
Closely linked to the Portal Pauser is the Glossary-Code Can-Kicker. You’ve painstakingly entered all the reporting information, but the last thing you have to do is confirm which glossary codes the suspicion falls under. Don’t overthink it – if you think a code might be relevant, whack it in.
The Firm-Profile Phobic
“We’re low risk for AML” say most firms, most of the time. Just like every buyer and seller will tell you that the transaction is pretty straightforward, or every executor asserts that the estate is a simple one, we’ll take that with a grain of salt.
In our free AML building blocks workshop, we noted that many Firm-Wide Risk Assessments fall all over themselves trying to show they are low risk for AML. But the SRA can spot when this isn’t genuine. For example, they always remind us that conveyancing is inherently high-risk for money laundering, so a firm that does conveyancing work is unlikely to be able to conclude that this is low risk.
If you truly think you are low risk for AML, you might think that coming across a reasonable suspicion that needs reporting to the NCA sits uncomfortably with your risk profile. But don’t worry: coming across a suspicion just means you’ve spotted something (which you are meant to be able to do). It doesn’t necessarily mean that you are engaged in higher risk work, or attracting higher risk clients.
Of course, even if you do undertake higher risk work, that’s no bad thing. Someone needs to buy and sell high value properties, undertake complex corporate transactions and represent clients who are PEPs or from high-risk jurisdictions: that’s why we value access to justice. The point is that your policies, controls and procedures need to reflect this risk and mitigate them appropriately – so a FWRA that claims you are low risk, and systems that are light-touch, aren’t going to cut it.
Indeed, shouting (in appropriately anonymised terms) about SARs you have submitted is a good thing to evidence your risk profile. We saw it, we said something, we sorted it – as the British Transport Police might say, if they reported suspicions of money laundering. Mentioning your SAR experience in your FWRA shows you can spot suspicions and that you do what needs to be done.
The Management Board Malingerer
There is one person who is responsible for making SARs to the NCA: the Money Laundering Reporting Officer (MLRO). If that is you, you must understand your liability. Under sections 331 and 332 Proceeds of Crime Act 2002, the MLRO (Nominated Officer) can commit a specific offence by failing to disclose suspicions of money laundering in both the regulated and unregulated sectors.
Of course, all individuals in the regulated sector can commit an offence by failing to disclose under section 330. The person to whom they need to disclose is the MLRO. Once they’ve done so, however, they can rest easy: it is the MLRO who needs to consider and make the ultimate decision as to whether or not to report.
This is why the independence of the MLRO must be honoured. Do not be swayed by anyone else into not reporting. Seek guidance, but be clear that the ultimate decision – and liability – is yours.
Pressure can come from management boards: they are often Firm-Profile Phobics, not least if they think that reporting SARs might show a higher risk profile which, in turn, may affect the next insurance premium. Guard against this. Reporting SARs shows you take a proactive approach to risk management and that you have strong systems in place. This is music to the ears of any professional indemnity insurer, and should be to your board as well.
The DAML Ditherer
Spotting and assessing the suspicion is one thing, but deciding whether or not you want to continue with the instruction is another. If you do, you will need to ask for a defence against money laundering (DAML) as part of the SAR you make.
Ask the fee-earner if they want to continue with the matter and the answer is likely to be yes. It’s their client, they want to do a good job – and, of course, they want it reflected in their end-of-the-month figures.
However, it is not the fee-earner’s decision. Together with the COLP (and others), the MLRO should consider carefully if continuing with the matter is within the firm’s risk appetite and capabilities. If so, the DAML must be carefully drafted. Break down exactly what actions you need to take to conclude the matter and ask for permission for every single one. If facts or circumstances change, don’t rely on a DAML that has already been issued: you will need to go back to the NCA and update the actions to ensure you are fully protected.
The NCA has also reminded us that the person at their end who is reviewing your DAML may well not be a legal specialist. Explain fully, in layperson terms, what you are planning to do and avoid even basic legal jargon, such as “we wish to complete the purchase of the property”. Instead, explain that completion means transferring the ownership of the property, and receiving the specific funds to be transferred onto whatever party.
You are not necessarily obliged to continue with an instruction. If you can and do decide to disinstruct, remember that this does not absolve you from needing to make a SAR. The SRA has noted that the legal profession is particularly limited in their use of “information-only SARs”. If you disinstruct because the suspicion meant that the matter doesn’t sit well with you, you should make a SAR (privilege considerations aside). If your experience with SARs is limited, this isn’t a bad way to get to grips with the portal and the glossary codes.
The Privilege Procrastinator
This is a tricky one. On the one hand, breaching privilege to make a SAR is not permitted; on the other hand, the narrative about privilege has possibly been over-emphasised. We even see firms’ AML manuals stating “we are highly unlikely to ever be able to make a Suspicious Activity Report, due to privilege”.
This is wrong. Privilege is vital but the majority of bread-and-butter suspicion cases (those relating to transactional matters) are unlikely to fall under legal advice privilege, litigation privilege or privileged circumstances.
Official guidance on privilege and SARs is limited, with the oft-repeated statement that you should seek legal advice. Practically though, you first need to establish yourself whether or not privilege may be a consideration – both whether it hypothetically would come into play, and second whether it actually does (remember it doesn’t if the communication between you and your client is to further criminal activity, the “crime fraud” exception). If you are not someone with much experience of privilege generally, seek advice from a colleague in the first instance before racking up Counsel’s fees.
The Criticism Cold Feet
We’re not just criticised for not submitting SARs; the ones we do submit just aren’t good enough. Over the years, we’ve heard both from the NCA and the SRA that the quality of SARs in the legal profession are often poor. It might be:
- how they are written (too brief, inarticulate, all capitals)
- anonymising information (you are permitted to breach confidentiality when reporting SARs)
- not clearly documenting the suspicion, the criminal property or what consent you want.
The SRA published a Warning Notice on poor-quality SARs, first in 2014 and most recently updated in 2025, with the comforting reminder that “failure to comply with this warning notice may lead to disciplinary action, criminal prosecution or both”. Given the paucity of SAR reporting in the legal profession, you might think that coming in heavy-handed to those who are trying to report, albeit not very well, could be counter-productive.
Don’t let it put you off, though. The NCA do have some good guidance and, as with DAML Ditherers, aim to make your report clear, comprehensive and ultimately simple.
The Colleague Captive
Arguably the most dangerous of the SAR signs. Is it your colleagues who are stopping you from making SARs – because they are not reporting to you?
If so, your message must be: you want these suspicions to come to you. Yes, you don’t want to be bothered by trivial things but you must ram home “what are red flags”.
A good AML policy lists out red flags, broken down by practice area. A really valuable training session is red-flag focused – what they are, and why they could be indications of money laundering. That will enhance day-to-day practice and means that even unusual suspicions can be caught. Link it to a reminder of how your internal reporting procedure works, with a clear reminder of the criminal liability for failing to disclose, plus the professional obligations we have to spot and stop money laundering.
This is a message that feeds into people’s client and matter risk assessments too. There are no prizes for designating every matter low risk. Staff must genuinely recognise when a matter is higher risk, and know what they need to do – report it and work with the MLRO and others to consider if and how the risks can be mitigated.
Convinced to make a change? Tick off this simple checklist and make sure your SAR sign doesn’t hold back your SAR success:
- Portal access to make life that bit easier;
- Perception change – reporting shows you are on top of the risks;
- Suspicion and privilege refresher so you are confident in your assessments;
- Red flag and internal reporting training; and
- Practice, practice, practice – get those SARs in!
