In the legal sector, an SRA AML Audit isn’t just a possibility; it’s a regulatory reality. With the Solicitors Regulation Authority sharpening its focus on the disconnect (the gap between a firm’s written policies and what staff actually do on the ground), having a robust SRA AML Audit checklist is no longer optional.
As of January 2026, the stakes have risen. The SRA plans to use AI-based data validation, following the FCA approach, to spot inconsistencies. The move toward a single supervisory regime under the FCA by 2027 means firms must prove their AML compliance systems are mature and data-driven.
Here is your essential checklist to navigate an SRA desk-based review or onsite inspection.
Governance and Regulation 21 Independence
The SRA will start penalising firms that fail to separate their operational work from their oversight. A thematic review of this area will be underway soon.
- Independent AML Audit: Under Regulation 21, does your firm have an independent audit function? If you are a mid to large firm, this must be an objective review of your AML systems.
- Officer Appointments: Ensure you have formally appointed a Money Laundering Reporting Officer and a Money Laundering Compliance Officer.
- Screening: Are you screening relevant employees for integrity? This must now be an ongoing process, not just a one-time check at the point of hire.
The Firm Wide Risk Assessment
This is the first document an SRA AML auditor will demand. If it looks like a generic template, it will be flagged.
- Tailoring: Does the FWRA reflect your actual client base, geographic reach, and specific service lines?
- Proliferation Financing: Since 2023, firms are required to include a specific assessment for proliferation financing risk. Ensure this is updated for 2026.
- National Priorities: Does your firm-wide risk assessment mention current high-risk factors like professional enablers or the misuse of corporate structures?
Client and Matter Risk Assessments
The most common point of failure in SRA AML audits is the missing or incomplete file level risk assessment.
- The Every File Rule: A CMRA must be completed for every matter in scope.
- Narrative Evidence: Avoid simple Yes/No tick boxes. The SRA wants to see a brief written rationale explaining why a matter is rated Low, Medium, or High risk.
- Ongoing Monitoring: If a transaction changes, is there evidence that the risk assessment was updated?
Source of Funds and Wealth
In 2026, taking the client’s word for it is the fastest way to fail an AML audit.
- Evidence vs Explanation: You must have physical evidence like bank statements or payslips that proves where the money came from.
- SoW for High Risk: For high-risk matters, you must also understand the client’s total wealth, not just the funds for that specific transaction.
Sanctions Compliance
As of January 28, 2026, the UK has moved to a single consolidated sanctions list.
- Updated Screening: Ensure your software or manual checks are pointing to the new consolidated list.
- Ownership and Control: Are you looking beyond the named client to the beneficial owners? Auditors will check if you’ve screened the individuals who actually control a corporate entity.
Staff Training and Awareness
If an SRA AML auditor interviews your junior fee earners, will they know who the MLRO is?
- AML Training Records: You need logs showing what was taught, when, and, importantly, evidence of a knowledge test.
- Red Flag Recognition: Staff should be able to articulate Red Flags specific to their department.
Next Steps
Don’t wait for a 10-day notice letter from the SRA to start your preparation. A mock audit or a gap analysis of your current files is the best way to identify weaknesses before the regulator does.
