The SRA’s AML Questionnaire Is About to Get Much Harder to Bluff

For the last few years, the SRA’s annual AML data collection has been treated by many firms as a compliance formality. Fill in the numbers, hit the deadline, move on. That approach is now genuinely risky.

Here’s why 2026 is different.


The AI Cross-Check

The SRA is deploying AI analytics this year to cross-reference AML declarations across all regulated firms. It will benchmark your data against sector norms, flag anomalies, and spot internal inconsistencies automatically, at scale, across every firm’s submission.

Unusually low SAR numbers. Minimal PEPs. EDD rates that don’t match your practice areas. The algorithm will notice. And with unlimited fining powers now in play under the Economic Crime and Corporate Transparency Act, the consequences of being flagged have never been higher.

Self-reporting as a strategy is over.


The Questionnaire Is Changing Too

Expect deeper questions in 2026, particularly around:

  • Source of funds: the SRA has launched a dedicated thematic review here
  • High-risk practice areas: conveyancing, immigration, and consultant-led models face more scrutiny
  • Digital ID verification: how firms use and govern certified verification services is now on the radar
  • Sanctions: mandatory for every firm, and not getting shorter

Independent Audits: The Question That’s Coming

The Law Society of Scotland’s latest AML Certificate already asks firms about their independent audit position: when it was last conducted, by whom, and what it found. That is a reliable signal of where the SRA questionnaire is heading.

Under Regulation 21, firms of appropriate size are already required to have an independent audit function. Yet compliance advisers consistently flag that a large proportion of SRA-regulated firms have either never done one or haven’t done one recently. The SRA is well aware of this gap, and an AI cross-checking your questionnaire will be looking for it too.

If your firm cannot answer basic questions about its last independent AML audit, that’s both a compliance weakness and an imminent questionnaire problem. Most experts encourage a two-year audit cycle as a minimum, adjusted for risk profile. High-risk firms should be doing them more frequently.


And the FCA Is Coming

In October 2025, the government confirmed the FCA will replace the SRA as the single AML supervisor for professional services. Legislation is expected this year, with the transition completing in 2027 or 2028.

The FCA supervises banks. Its reporting expectations reflect that. The SRA questionnaire you know today is likely the last in its current form.


What To Do Now

  • Capture AML data continuously. Do not reconstruct figures at submission time.
  • Commission an independent AML audit if you haven’t recently. It is a regulatory requirement for most firms, and may become a questionnaire question.
  • Tailor your firmwide risk assessment. Generic templates will be flagged.
  • Explain low SAR and EDD rates in writing before you’re asked to.
  • Watch for the sample questionnaire published before July. It is your earliest warning of new questions.

The firms that treat AML as genuine risk management rather than a filing exercise are well placed. The rest have a shrinking window to close the gap.