For years, many UK law firms viewed Anti-Money Laundering compliance as a “lawyer-led” exercise, principled, interpretive, and often collaborative with supervisors like the SRA or CLC. However, the ground has shifted.
With the recent announcement that the Financial Conduct Authority (FCA) is set to become the single AML supervisor for the legal services sector, the era of “assisted compliance” is ending. The move signals a transition to a more rigorous, data-driven, and enforcement-heavy regime.
1. Guidance toEnforcement: The New Supervisory Reality
Historically, a CLC or SRA AML Audit focused on helping firms remediate errors hence the post audit outcomes letter referencing ‘corrective actions’. The FCA’s approach is fundamentally different. They look for evidence of effectiveness.
A Regulation 21 Independent AML Audit provides exactly that. The right auditor will not just review your written AML Policies, Controls, and Procedures (PCPs); they will stress test how those policies perform in the “real world” of high-value conveyancing, trust formation, and corporate tax advice.
In 2026, baseline compliance is the minimum. The FCA expects “audit-ready” processes that can withstand a deep-dive thematic review or audit at a moment’s notice.
2. The Power of “Independent” Eyes
Regulation 21 requires that an AML audit be conducted by someone independent of the AML function itself. While some firms attempt this internally, the “marking your own homework” trap is a significant red flag for regulators.
Why an independent AML audit is a strategic asset for Partners:
- Neutralising Bias: An external auditor identifies systemic “blind spots” in client onboarding that fee-earners, under pressure to meet targets, might overlook.
- Validating the Firm-Wide Risk Assessment (FWRA): Your FWRA is the “north star” of your compliance. An audit ensures your controls actually align with the risks you’ve identified—preventing the “paper shield” problem where policies exist but aren’t followed.
- Testing Technology: As firms adopt AI-driven ID verification and automated screening, an independent audit validates that these tools are configured correctly and aren’t producing “false negatives.” The auditor should even review your Technology Impact Assessments.
3. What the “FCA-Ready” Audit Looks Like
Under the new regime, a standard file review isn’t enough. A robust Regulation 21 audit should now cover:
- Source of Wealth (SoW) Deep Dives: Testing whether fee-earners are truly corroborating the origin of funds, or simply accepting a bank statement.
- Client Matter Risk Assessment -Level Risk Consistency: Ensuring that the risk rating on the CMRA matches the reality of the transaction.
- Board-Level Accountability: Providing a “root cause” report that allows the MLCO (Money Laundering Compliance Officer) to demand the necessary resources and budget from the partnership.
| Focus Area | What the Auditor Looks For | Why it Matters |
| PCPs | Full alignment with latest LSAG Guidance, including new “Reasonable Measures” tests for Beneficial Ownership and updated High-Risk Third Country lists. | Ensures legal compliance with the latest, approved standards and protects the firm from “strict liability” regulatory breaches. |
| File Reviews | Documented evidence of “Mindfulness” in Due Diligence within the CMRAs. AML Auditors look for the narrative—why a specific Source of Wealth check was deemed sufficient or how a complex structure was “unpacked.” | Proves the firm isn’t just “ticking boxes.” The FCA and SRA now prioritise demonstrable judgment over the mere collection of ID documents. |
| Staff Interviews | A genuine, localised understanding of “Red Flags” specific to the fee-earner’s practice area (e.g., conveyancing vs. trust litigation). | Validates the effectiveness of training. If staff can’t articulate risk in their own words, the firm’s training program is legally “inadequate.” |
| SARs | The quality, logic, and timeliness of internal reports. Auditors check if the MLRO has sufficient autonomy and if “no-reports” on high-risk matters are justified. | Demonstrates a culture of disclosure. A lack of SARs in high-risk departments is often viewed by the FCA as a sign of “wilful blindness.” |
| Technology & Data | Validation of digital ID (eIDV) and screening tools. The auditor tests for “False Negatives” and ensures data is kept in an “audit-ready” state for potential FCA inspections. | As the FCA moves toward data-led oversight, firms must prove their tech tools are correctly configured and that the data feeding them is accurate. |
4. Avoiding the “Cost of Failure”
The stakes for the legal sector have never been higher. With the FCA’s power to impose substantial civil penalties,and even initiate criminal proceedings for systemic MLR breaches, the cost of a Regulation 21 Independent AML Audit is a mere fraction of the potential fines. Beyond the direct penalties, we must consider the ‘domino effect’ of an adverse regulatory finding: the immediate risk to the firm’s Lender Panel status and the inevitable, sharp escalation in Professional Indemnity Insurance (PII) premiums. In the new regulatory era, a failed audit isn’t just a legal headache; it’s a threat to the firm’s ability to trade
5. Next Steps for Your Firm
To prepare for the “changing of the guard” between your current PBS and the FCA:
- Commission a “Gap Analysis” Audit: Use your next Regulation 21 Independent AML audit to specifically look for “FCA-style” failings (data integrity and evidence-based assurance).
- Review your MLRO/MLCO Resources: Ensure these roles have the seniority and time required—independent of their fee-earning duties.
- Formalise the Audit Trail: Ensure all audit recommendations are tracked, remediated, and reported to the Board.
Conclusion
The transition to FCA oversight is a “wake-up call” for the UK legal sector. By embracing the Regulation 21 independent AML audit as a tool for continuous improvement rather than a chore, your firm can turn compliance into a competitive advantage and a mark of professional integrity.