The Solicitors Regulation Authority is sharpening its focus on financial crime compliance with the annual AML data collection exercise. The new questionnaire goes far beyond checking whether firms have policies in place. It demands hard data: when risk assessments were last updated, how many politically exposed persons (PEPs) your firm acted for, the size of client account transactions, the proportion of matters requiring enhanced due diligence, and much more.
For many law firms, pulling together this level of granular information is no small task. That’s why VinciWorks’ compliance software, Omnitrack, has become an essential tool. By automating AML data collection and mapping internal controls directly to SRA reporting requirements, Omnitrack makes it possible to submit accurate responses efficiently, with minimal manual effort and full audit traceability.
The shift from passive to proactive AML oversight
This year’s questionnaire makes clear that the SRA is no longer content with superficial compliance. The exercise is designed to give the regulator a comprehensive picture of how firms are identifying, managing, and mitigating money laundering and sanctions risks in real time. It reflects a broader trend: regulators are moving away from vague self-certification towards evidence-based oversight.
The form begins with a short set of scoping questions. Firms must confirm whether they carry out work in scope of the Money Laundering Regulations 2017. This includes undertaking work such as conveyancing, tax advice, or managing client money. They must also indicate whether they offer trust or company services, and how many Suspicious Activity Reports (SARs) they’ve filed in the past year.
These initial responses determine which sections of the form the firm must then complete. And depending on the scope of the firm’s work, the follow-up questions can run deep.
A closer look at what’s required
Firms that confirm they are within scope of the regulations are asked to provide detailed information about their approach to anti-money laundering. The SRA wants to know whether a firm-wide risk assessment is in place, when it was last updated, and whether it covers the specific risks posed by trust and company service provision. If the firm has AML policies, it must report how recently those were reviewed and whether AML training has been rolled out to relevant staff—defined broadly to include not just fee earners, but also support staff like receptionists and finance teams.
Other questions probe deeper into operational detail. The SRA asks what proportion of the firm’s open matters are within the scope of the MLRs, and what percentage of fee earners engage in that work. The form also seeks data on the highest-value client account deposit the firm has handled in the last year, how often enhanced due diligence has been applied, and how many clients were classified as PEPs. There are also questions about client refunds, specifically those over £5,000, which is a potential red flag for suspicious transactions.
For firms that handle trust or company work, the questionnaire drills down into how that work contributes to firm turnover. It also queries whether high-risk clients, such as PEPs or those based in high-risk jurisdictions, are using the firm’s TCSP services. If so, the SRA wants to know what mitigating measures the firm has taken. This could include senior management approval, scrutiny of the source of funds, or increased transaction monitoring.
Reporting SARs? Expect more scrutiny
Filing even a single SAR means you’ll need to answer a new series of questions. The SRA is not just interested in how many reports were made, but the context: were they information-only or requests for a defence against money laundering? Did they relate to property work, company formation, or tax advice? And what portion of the firm’s SARs involved work that was outside the scope of the money laundering regulations altogether?
The level of detail being requested here reflects the SRA’s increasing alignment with law enforcement priorities, including intelligence gathering and risk-based supervision. Firms are expected not only to report suspicious activity but to understand the patterns and typologies behind that reporting.
Sanctions: now everyone’s problem
The final section of the questionnaire—focused on financial sanctions—must be completed by every firm, regardless of whether they do AML-regulated work. That’s a reflection of how rapidly sanctions compliance has become a top-tier regulatory risk, particularly since the UK expanded its powers post-Brexit and in response to Russia’s invasion of Ukraine.
The SRA wants to know whether firms have assessed their sanctions exposure in writing and whether they have clients with connections to high-risk jurisdictions such as Iran, Russia, North Korea, or Venezuela. It also asks whether firms operate in sectors likely to involve sanctions risks. In particular these high risk sectors include shipping, aviation, trade, or immigration. The SRA is also interested to know how firms check whether new or existing clients are subject to UK sanctions.
Firms must also disclose whether they have acted for any designated persons, with or without a licence from the Office of Financial Sanctions Implementation (OFSI), and whether they are holding frozen assets on behalf of such clients. Firms that have dealt with designated persons are expected to report how many licence applications they’ve made, how much frozen money is held, and how many related reports they’ve submitted to government bodies.
Preparing to respond, and the risk of getting it wrong
During July 2025, the SRA will be asking firms to take part in the data collection exercise, but firms should be preparing now. The breadth and depth of the questions mean this is not something to be left to the last minute. Pulling together all this information manually will be challenging for many firms, particularly those with multiple departments, various systems, or unclear record-keeping responsibilities.
Moreover, the consequences of inaccurate reporting could be severe. The SRA has made clear that it will use the data collected in this exercise to target future supervision and enforcement. Inconsistent answers, missing data, or implausible responses may result in your firm being flagged for audit or follow-up.
How Omnitrack simplifies the entire process
This is where Omnitrack comes in. VinciWorks developed the Omnitrack AML and sanctions suite specifically to help law firms track and report on the very metrics the SRA is now demanding. With Omnitrack, firms can build live registers for client onboarding, risk scoring, due diligence, training, suspicious activity reports, and PEP exposure. The system standardises data input across the firm, ensuring that the information captured is complete, comparable, and easily retrievable when it comes time to report.
Omnitrack also allows for automated workflows, reminders for risk review deadlines, and built-in version control, so you can prove that your policies and assessments are current and compliant. And because the platform aligns with the structure of the SRA questionnaire, your compliance team can generate most of the required answers with a few clicks.
This kind of systemised approach not only reduces the administrative burden, but lowers regulatory risk. While the SRA is scrutinising firm-level data like never before, Omnitrack gives you confidence that you’re not just answering the right questions, but asking the right ones of your own systems.
