5 Immediate Actions for Law Firms Following a Reg 21 Independent AML Audit
You’ve just crossed the finish line of your Regulation 21 Independent AML Audit. The report is in your inbox, and the temptation to file it away and return to “business as usual” is strong.
However, the stakes for law firms have changed. With the FCA now taking on oversight of the legal sector under the Single Professional Services Supervisor (SPSS) model, the independent AML audit is no longer just a check-up; it is your primary defence against a much more interventionist regulator.
Here are the five non-negotiable steps your firm must take immediately to remain compliant and “FCA-ready.”
1. Formal Board Review: Documenting the “Why”
Under the new regime, the FCA expects to see evidence of Senior Management Responsibility. It is no longer enough for the MLCO to handle the audit findings in isolation.
- The Action: Schedule a formal Board meeting to review the report.
- The FCA Angle: The FCA’s “Fit and Proper” expectations for Beneficial Owners, Officers, and Managers (BOOMs) mean that if you choose not to implement an auditor’s recommendation, you must document a clear, risk-based justification. A “dissenting note” is a valid compliance tool, but a lack of documentation is seen by the FCA as a governance failure.
2. Launch a “Live” Remediation Tracker
The FCA’s supervisory style is data-driven. It moves away from the SRA’s traditional “periodic review” toward continuous effectiveness.
- The Action: Move beyond a static PDF. Create a Remediation Tracker that lists every deficiency, the assigned “Owner,” and the specific evidence of the fix (e.g., “Updated FWRA approved by Board on 14/05/26”).
- The Goal: If you face an SRA AML Audit or FCA AML Audit tomorrow, your tracker proves that you are proactive rather than reactive.
3. Align with the FCA’s “Effectiveness” Standard
Historically, firms focused on having the right AML policies. The FCA focuses on outcomes.
- The Action: If your audit found that your Firmwide Risk Assessment (FWRA) was technically correct but didn’t prevent a “client matter risk assessment level” failure, you must bridge that gap.
- The Nuance: Review your audit findings against the FCA’s Financial Crime Guide. If your “ongoing monitoring” was flagged as weak, don’t just rewrite the paragraph in your policies; implement a spot-check system that proves the monitoring is actually happening.
4. Move from General to “Surgical” Training
The FCA has little patience for “tick-box” annual training videos. They look for evidence that staff actually understand the risks specific to their department.
- The Action: If your Reg 21 independent audit identified gaps in Source of Wealth (SoW) evidence within your conveyancing team, run a targeted workshop for that specific group.
- The Evidence: Retain the signed attendance logs and the specific case studies used. This demonstrates to the supervisor that your training is Regulation 24 compliant and risk-responsive.
5. Remediate “Symptomatic” File Failures
If the auditor’s random sampling found missing Customer Due Diligence (CDD) on three files, it’s a symptom of a larger system risk.
- The Action: The MLRO must oversee the immediate “clean-up” of those specific files.
- The Strategy: The FCA often uses “Skilled Person” reviews (Section 166) where they force firms to pay for external consultants to fix files. By remediating these files now, you prove that your internal controls are capable of self-correction, reducing the likelihood of a forced (and expensive) intervention.
Comparison: What has changed with FCA Oversight?
| Feature | SRA (Traditional) | FCA (The 2026 Reality) |
| --- | --- | --- |
| Philosophy | Guidance and Principles | Data-led and Interventionist |
| Fining Power | Historically capped (now rising) | Unlimited and revenue-based |
| Focus | “Do you have an AML policy and FWRA?” | “Can you prove they work?” |
| Sanction Tool | Fines and Warnings | Prohibition notices and Personal Liability |
The Bottom Line
The window between receiving your Reg 21 Independent AML Audit report and your next regulatory touchpoint is your only chance to modernise. The transition to the SPSS model means that “good enough” is no longer the standard.