AML compliance has moved firmly to the front of the agenda for UK law firms. With the Solicitors Regulation Authority taking a more assertive stance and the courts broadening the scope of what constitutes money laundering an independent AML audit is the most important step they can take right now.
The Regulatory Mood Has Changed
Regardless of whether it is the SRA or the FCA (in the future), regulators do not limit their investigation as to whether your firm has an AML policy, they want to know whether that policy actually works. The SRA’s shift toward outcomes-focused enforcement is partly driven by pressure from the Financial Action Task Force, as the UK looks to demonstrate its effectiveness ahead of future international reviews.
Case law has sharpened the picture. The Court of Appeal’s decision in R v Anwoir made clear that prosecutors don’t need to pinpoint a specific predicate offence. Circumstantial evidence can be sufficient. And R v Da Silva set a notably low bar for what counts as “suspicion,” meaning solicitors face a broader obligation to consider whether a transaction warrants a suspicious activity report.
The uncomfortable truth is that many firms believe their systems are adequate until an external reviewer looks closely and finds otherwise.
What the SRA Is Actually Looking For
The SRA has shown it’s prepared to scrutinise AML systems even in sophisticated, high-value transactions. The investigation into Dentons UK and Middle East LLP being a notable example. Whether or not misconduct is found, the process itself signals that no firm is above scrutiny.
Standard client identity checks are no longer enough. The Money Laundering Regulations 2017 require firms to dig into the source of funds and, in higher-risk situations, the source of wealth and to keep monitoring the relationship throughout, not just at onboarding.
This is precisely where an independent AML audit adds value. Internal teams are often too close to their own processes to spot gaps. An external reviewer brings objectivity, benchmarks your firm against current regulatory expectations, and identifies weaknesses before the SRA does.
The Case for Independent AML Audits
An independent audit isn’t just a defensive measure it’s one of the clearest signals a firm can send that it takes AML obligations seriously. Here’s what a well-structured audit should cover:
- Policy and procedure review: Are your AML policies up to date, proportionate to your risk profile, and actually followed in practice?
- Client due diligence testing: Are onboarding processes consistently applied? Are source of funds and source of wealth enquiries being made where required?
- Ongoing monitoring: Is the firm reviewing client relationships over time, or treating onboarding as a one-off exercise?
- Firmwide risk assessment: Is it a living document that shapes decisions, or a template filed away and forgotten?
- Training and awareness: Can fee earners and support staff identify red flags? Do they know how to escalate concerns?
- MLRO effectiveness: Is the nominated officer resourced, empowered, and genuinely independent in their function?
Firms that commission independent AML audits proactively are far better placed when the SRA comes knocking. Regulators look more favourably on firms that can demonstrate they identified and addressed their own weaknesses rather than waiting to be told.
Which Areas Face the Most Exposure
Property, corporate, and trust work remain the highest-risk practice areas. Complex funding structures and layered ownership arrangements make these natural targets for misuse and therefore natural targets for regulatory attention. An independent AML audit of these specific practice areas, even if conducted separately from a firmwide review, can be a highly effective way to manage concentrated risk.
Leadership, Not Just Compliance Teams, Must Own This
One of the clearest trends in recent enforcement is the upward shift in accountability. MLROs can’t carry this alone — senior leadership is expected to set the tone and take real ownership of AML risk. When things go wrong, regulators increasingly treat failures as institutional rather than individual, and the reputational fallout can be as damaging as any financial penalty.
Commissioning an independent AML audit is also a leadership decision. It demonstrates that the firm’s partners and senior management are engaged with AML risk, not delegating it entirely to a compliance function.
Practical Steps Firms Should Take
- Commission an independent AML audit — ideally by a specialist with experience of SRA enforcement and current MLR 2017 expectations
- Act on audit findings promptly and document the steps taken
- Revisit AML policies and benchmark them against current SRA guidance
- Strengthen due diligence at onboarding — and make sure it doesn’t stop there
- Build genuine ongoing monitoring into client relationship management
- Review historic files in high-risk areas where earlier work may not meet today’s standards
The Takeaway
AML compliance has become a core operational risk for law firms, not a peripheral concern. An independent AML audit is one of the most effective tools available to understand where your firm truly stands, demonstrate good faith to regulators, and get ahead of enforcement before it finds you. Firms that treat this as a genuine priority, rather than a reaction to pressure, will be far better positioned in an environment where scrutiny is only increasing.