For years, many newly established law firms felt they had a “grace period” before falling under the intense gaze of an SRA AML Audit. The logic was simple: without years of historical data or a track record of completed data questionnaires, these firms sat comfortably in a middle-of-the-road risk category.
However, the latest OPBAS (Office for Professional Body Anti-Money Laundering Supervision) Report for 2024/25 has just recommended that this honeymoon period is coming to an end.
If you are a new law firm, especially if you are focused on conveyancing, or planning a startup, here is why you are likely to hit the SRA’s radar much sooner than you expected.
1. The “Default Medium” Risk Trap is Being Fixed
The OPBAS report reveals a specific critique of a legal sector supervisor (widely understood to be the SRA) regarding its AI risk modeling.
The report notes that because the AI model lacked historical data on new firms, it defaulted them all to a “medium risk rating.” In practice, this meant new firms were unlikely to be prioritised for a review or audit within their first two years of operation.
The Shift: OPBAS has explicitly flagged this as a “concern about potentially unidentified or unmanaged risks.” They have advised of the need to find ways to “proportionately sample new firms” much earlier.
The Takeaway: You can no longer rely on being “too new” to be noticed. The SRA is being pushed to conduct “validation” reviews on startups to ensure that “medium risk” isn’t actually “high risk” in disguise.
2. From “Set and Forget” to “Check-In” Culture
OPBAS have encouraged the implementation of “proportionate regular supervisory follow-ups or check-ins.”
Historically, supervision may be reactive (triggered by a report) or cyclical (happening every few years). The new direction suggests a more “active” supervisory relationship from Day 1.
What this looks like: Expect more “light-touch” engagement earlier in your firm’s lifecycle, for example; requests for AML policy snippets, or introductory supervisory calls. The goal is to move away from a “two-year silence” to a “continuous monitoring” stance.
3. The End of AML Information Silos
One of the most striking sections of the report focuses on Intelligence Sharing. OPBAS is clearly frustrated that while supervisors understand the importance of sharing data, the “practical delivery remains challenging.”
To fix this, the report highlights a shift toward:
- Actionable Intelligence: They want data sharing that “demonstrably leads to interventions and disruptions.”
- Dedicated Intelligence Analysts: OPBAS praises bodies that employ specialist analysts to hunt for red flags across different data sets.
- Multi-Agency Gateways: There is a heavy emphasis on sharing information between law enforcement, other supervisors, and government departments.
Why this matters for new firms: If a partner in a new firm has a history with a previous entity that raised eyebrows, or if the firm’s bank flags suspicious activity, that information is now far more likely to be “proactively” funnelled to the SRA via these enhanced gateways. The “clean slate” of a new firm is no longer a shield if intelligence from your past, or your financial partners, being shared in real-time.
4. Preparation for the “FCA Era”
The report drops a significant hint about the future: PBSs (like the SRA) need to sharpen their intelligence sharing as industry moves towards “transition to FCA supervision.” As the FCA takes a central role. The FCA has a famously low tolerance for data gaps. Consequently, the SRA is under pressure to prove it has a handle on its entire “supervised population” and that includes the newcomers.
Summary: What should new firms do?
If you are in your first 24 months of practice, the “wait and see” approach to AML compliance is now high-risk.
- Front-load your AML compliance: Ensure your firm-wide risk assessment and AML policies and your digital client matter risk assessments are robust from Day 1, not Day 730.
- Expect a “Check-in”: Prepare for the possibility of an SRA touchpoint within your first year.
- Data Integrity: Ensure your internal records are SRA and even FCA AML audit-ready. If the SRA’s AI can’t find data on you, they are now being told to come and find it manually.
The “two-year gap” is closing. In the eyes of the SRA, being new is no longer an excuse to be invisible.