CLOSE

close

CLOSE

EN

From policy to practice: Insights from the AML Core Group

  • Rising scrutiny, tougher enforcement and the compliance gaps law firms can no longer ignore. We discussed it all

In this quarter’s VinciWorks AML Core Group meeting, the discussion kept returning to the same point: AML compliance is no longer business as usual for law firms. It’s now at the top of the regulatory agenda.

The AML Core Group sessions bring together UK legal professionals and compliance experts to discuss the latest developments in financial crime regulation. This time, one thing was clear. The regulatory horizon may look uncertain but expectations on law firms are not. SRA scrutiny is intensifying, enforcement activity is increasing and the much-discussed FCA transition is still looming in the background. Now is not the time to ease off AML compliance.

AML Core Group meetings are by invitation only. Reach out here if you are interested in participating.

Led by Ruth Mittleman Cohen, head of legal compliance at Vinciworks, and drawing on a lively best practices peer discussion forum and practical and deeply informative insights from Compliance Office managing director Jen Dunlop, the session offered a grounded, experience-based view of what AML compliance really looks like heading into 2026. It was rounded out with regulatory updates from Vinciworks compliance manager Naomi Grossman, a session from Jen on the top things firms should be focusing on around AML now and a discussion group that focused on participants’ poll results on how they view AML issues as we go into 2026. 

The questions everyone is asking

The session opened with a facilitated discussion built around the questions that law firms are grappling with right now. These were the questions submitted by participants and cover the AML issues on law firm’s’ compliance officer’s minds. They’re not abstract regulatory queries, but the kinds of questions MLROs and compliance teams are dealing with daily. These are questions like: 

  • How confident are we that our AML policies actually drive behaviour on files?
  • Where are the biggest gaps between what our procedures say and what fee-earners do?
  • Are staff escalating concerns or working around them under time and fee pressure?
  • How do we evidence judgement, not just process, to a regulator?
  • What does “good” really look like in source of funds and ongoing monitoring?

The tone was open and honest. Many firms acknowledged that while frameworks are in place, consistency and confidence in application remain a challenge, particularly in higher-risk or fast-moving matters.

Policies on paper vs. reality on files

One of the strongest recurring themes was the growing gap between AML policies and what actually happens day-to-day. The SRA’s upcoming focus in 2026 will be on how policies, controls and procedures (PCPs) are applied in practice, not whether they technically exist. Thematic reviews have consistently highlighted:

  • Weak or undocumented client and matter risk assessments
  • Poor source of funds analysis
  • Policies that are approved, filed away, and rarely used
  • Little evidence of monitoring, testing, or consequences for non-compliance

Jen noted that a 100-page policy that no one reads is worse than a shorter, practical document staff actually use. Effective AML policies should reflect how the firm genuinely operates, be written in clear, usable language, be embedded into workflows, training and onboarding and, significantly, be tested against real files and real decisions.

Firms were also encouraged to think seriously about how they monitor compliance and what happens when staff don’t follow the rules. Increasingly, best practice includes linking AML behaviour to appraisals, pay reviews and performance management.

Regulatory update: A tough AML climate

Despite persistent speculation about the transfer of AML supervision from the SRA to the FCA, and the strong, unified opposition from across the legal sector, firms were strongly advised not to adopt a “wait and see” mindset. Any transition remains some way off (potentially around 2027), and in the meantime the SRA remains firmly in charge and firmly active.

The SRA’s latest AML annual report paints a sobering picture:

  • Almost one-third of firms were found non-compliant
  • A further 54% were only partially compliant
  • Only a small minority met expectations in full

This is translating into more proactive engagement, desk-based reviews, and inspections and increasingly, enforcement action rather than guidance alone. Over a three-month period, the SRA issued £550K in fines across 46 firms, including penalties for historic breaches that firms had self-reported.

It was noted that cooperation helps, but it doesn’t erase regulatory consequences. Firms are expected to identify, fix, and evidence compliance issues before the regulator does.

COLP and COFA realities

AML governance remains uneven across the sector, and the SRA’s thematic review of COLP and COFA roles exposed some uncomfortable truths:

  • 50% of compliance officers cited time pressure
  • Only 44% felt valued by their firms
  • Many juggle compliance with fee-earning and management roles
  • Succession planning is rare, and training is inconsistent

The SRA’s current consultation proposes separating ownership and compliance roles to improve independence. Even if not all firms are caught by the proposals, it’s clear that compliance can no longer sit with one overstretched individual.

The top 5 AML issues facing firms right now

Jen highlighted the five AML pressure points that law firms are facing now.

1. Policies that exist but aren’t lived

Firms widely agreed that having AML policies is no longer enough. The real risk lies in policies that are technically compliant but not embedded into daily decision-making.

Participants highlighted:

  • Policies that are too long or legalistic to be practical
  • Limited linkage between policies, training and workflows
  • Little evidence of monitoring or testing against real files

There was strong consensus that regulators are now far more interested in how policies are used, not how well they are drafted.

Source of funds checks were repeatedly identified as the most fragile area of compliance.

Common challenges included:

  • Collecting evidence but failing to analyse it
  • Accepting explanations without challenge
  • Inconsistent documentation of judgement and rationale
  • Fee-earners lacking confidence to probe further

Professional scepticism and documentation of decision-making are now critical, particularly where matters appear low risk on the surface.

3. Ongoing monitoring is still being missed

While initial CDD is generally well understood, ongoing monitoring continues to fall through the cracks.

It was noted that:

  • Risk profiles change during matters, but reviews don’t always follow
  • Monitoring is often treated as a concept rather than a process
  • There is uncertainty over when and how to revisit risk assessments

Those with stronger controls build review checkpoints into matter workflows, rather than relying on ad hoc reminders or individual judgement.

4. Governance pressure on compliance roles

Governance challenges featured heavily, particularly around the sustainability of COLP, COFA and MLRO roles.

Issues raised included:

  • Compliance officers juggling multiple roles
  • Limited time, authority or visibility
  • Over-reliance on one individual to “own” AML risk
  • Lack of succession planning or resilience

It was noted that AML governance cannot sit in isolation and must be supported by senior leadership, clear reporting lines, and shared responsibility across the firm.

5. Sanctions risk is growing and less forgiving

Sanctions risk surfaced repeatedly as an area where firms feel exposed.

Concerns included:

  • Complex ownership and control structures
  • Under-confidence in escalation routes
  • Over-reliance on screening tools
  • Uncertainty around when to stop acting or self-report

It was agreed that sanctions decisions require human judgement, clear documentation, and firm-wide understanding, not just system alerts.

What the polls revealed

Live polling during the session reinforced much of the discussion and revealed telling patterns across firms:

  • Confidence in AML policies drops sharply when firms assess file-level application
  • Source of funds and ongoing monitoring are consistently rated as highest-risk areas
  • Many firms acknowledge limited formal monitoring or testing of AML controls
  • Few firms currently link AML behaviour to performance, pay or KPIs

The polls confirmed that the gap between framework and practice is widely recognised but not yet consistently addressed.

Breakout sessions: from shared frustration to practical ideas

The breakout discussions gave firms space to talk candidly about what they are trying, what’s failing, and what’s helping.

Practical ideas shared included:

  • Centralising AML queries to improve consistency
  • Enhancing matter risk assessment forms to support ongoing monitoring
  • Closer collaboration between compliance and finance teams
  • Using system controls (such as billing pauses) to enforce CDD completion
  • Refocusing training on judgement and escalation, not just rules

A recurring theme was the importance of curiosity, asking better questions of clients, of files, and of internal processes, rather than defaulting to checklists.

Less theory, more evidence

The AML Core Group discussion reinforced the simple truth that regulators are no longer interested in what firms say they do, only in what they can evidence.

Strong AML compliance now depends on:

  • Practical, usable policies
  • Confident, well-trained staff
  • Clear governance and senior engagement
  • Documented judgement, not just completed forms
  • A culture where raising concerns is supported, not penalised

AML compliance is no longer about having the right answers. It’s about asking the right questions. Perhaps the most important message of the day was cultural rather than technical. A sustainable AML framework depends on senior leaders visibly championing compliance, staff feeling confident and safe to raise concerns, training that is tailored by role, department and risk, not generic, balancing commercial pressure with regulatory obligations and rewarding good compliance behaviour, not just fee generation.

As Jen noted, firms are often quick to measure billing targets, but slow to reward sound compliance judgement. That imbalance is increasingly hard to justify and increasingly risky.

Speculation about FCA supervision will continue but it’s important not to let uncertainty become a distraction. The SRA is active, enforcement-focused, and increasingly data-driven. Firms that embed AML into day-to-day decision-making, invest in governance, and evidence how their controls work in practice will be best placed, whatever regulatory changes come next.

In this volatile regulatory environment, the need for firms to adopt agile systems that can keep pace. This is why we developed Omnitrack, our workflow optimisation platform. It includes our AML Client Onboarding and Legal Compliance Suite solutions, all customisable to client process. Learn more here. 

Recommended
AML compliance in 2026: What UK law firms are asking now

AML compliance in 2026: What UK law firms are asking now
From policy to practice: Insights from the AML Core Group

From policy to practice: Insights from the AML Core Group
£160,000 OFSI penalty: how a spelling variant slipped through Bank of Scotland’s Russia sanctions controls

£160,000 OFSI penalty: how a spelling variant slipped through Bank of Scotland’s Russia sanctions controls