In this quarter’s VinciWorks AML Core Group meeting, there was a perceptible shift in tone. The AML Core Group sessions bring together UK legal professionals and compliance experts to discuss the latest developments in financial crime regulation. The Core Group discussion that once largely focused on technical compliance issues became a conversation about how law firms operate, make decisions, and manage risk. This was largely due to the realisation that AML is increasingly seen as the foundation on which firms demonstrate their integrity and maintain effective control in a regulatory environment that is becoming ever less forgiving.
AML Core Group meetings are by invitation only. Interested in participating?
The questions on everyone’s minds
Led by Ruth Mittlemann Cohen, head of legal compliance at Vinciworks, the meeting opened with a best practices peer discussion forum based on participant’s most burning AML compliance questions and it offered practical and deeply informative insights from Compliance Office managing director Jen Dunlop.
Among the issues tackled was the move towards supervision by the FCA, how firms are preparing for regulatory developments in EU reforms and how it is prompting firms to rethink not just their systems, but their mindset.
While many firms are still adopting a “wait and see” approach, it’s clear that regulators are no longer satisfied with firms having policies in place. They want to see evidence that those policies are functioning in practice.
That shift means that AML must be embedded as a core business process. It is not something owned by compliance teams but a shared responsibility across the firm. It also means that documentation is becoming critical, not just recording what was done, but why decisions were made. And it means that firms are being pushed towards data-driven compliance, where the ability to gather, analyse, and report information will be essential under a more intrusive supervisory model.
And what about technology?
It was noted that technology is playing a central role in this transition. Smaller firms, in particular, are increasingly adopting KYC platforms, screening tools, and workflow systems as necessary infrastructure to meet rising expectations.
There was also discussion around the practical challenges of operating across jurisdictions. Many firms are choosing to apply the strictest applicable standard across all matters, avoiding the complexity and risk of tailoring compliance by jurisdiction. It is a pragmatic approach and reflects a growing preference for consistency over flexibility.
The session then turned to one of the most scrutinised areas of AML which is client due diligence. As noted in the discussion, much of the practice is well established. Firms apply risk-based approaches, with high-risk clients subject to annual reviews and others reviewed periodically or when circumstances change. Technology is helping to systematise this, ensuring that review deadlines are not missed.
But the real focus of the discussion was the quality of judgement. Participants were reminded that regulators expect firms to go beyond collecting documents. They must build a credible narrative around source of funds and wealth. That means recording the questions asked, the reasoning applied, and the conclusions reached. It also means challenging assumptions, particularly where clients are long-standing.
The danger of familiarity
It was pointed out that familiarity is a risk in itself. Long-term relationships can lead to reduced scrutiny, even as client circumstances evolve. Firms were encouraged to actively compare current transactions with historical patterns and to investigate anything that does not align. The point is that compliance is not about proving that checks were done. It is about demonstrating that they were done with consideration.
The discussion then moved into the practical realities of AML operations. What does an effective AML structure look like? The answer, unsurprisingly, depends on the size and nature of the firm. Some rely heavily on fee earners, others have large, centralised compliance teams. But regardless of structure, certain principles hold true.
Consistency is key and technology is increasingly used to enforce it. Systems that prevent progression without completed onboarding, automated escalation triggers, and integrated risk assessments are all helping to reduce variability in practice. At the same time, firms were reminded that systems alone are not enough. Clear policies, regular training, and strong leadership are essential. Fee earners must understand that they ultimately own the risks on their matters. Their name is on the file, and regulators will expect them to stand behind their decisions.
Governance also plays a crucial role. Regular reporting, file audits, and clear escalation pathways are necessary to ensure that compliance is not just designed well, but operating effectively.
Is culture the hardest challenge?
If systems define how compliance works, culture seems to determine whether it works at all. This part of the discussion focused on the difference between understanding AML requirements and actually applying them in practice.
Pressure is a major factor. Fee earners are often reluctant to slow down transactions or raise concerns, particularly where commercial considerations are at play. As a result, compliance can slip not due to negligence, but through competing priorities.
The proposed solutions were both practical and cultural. Policies must be usable, embedded into workflows, and supported by training that reflects real scenarios. Firms should remove unnecessary discretion, build in safeguards, and reinforce expectations through both incentives and accountability.
But perhaps most importantly, there needs to be a shift in mindset. Compliance should not be seen as an obstacle, but as a safeguard for the firm and for the individuals within it.
The discussion briefly touched on emerging threats, particularly the rise of AI-enabled fraud. As identity manipulation becomes more sophisticated, firms are responding by adopting multi-layered verification processes and increasing human oversight. Technology can assist, but it cannot replace judgement. In many cases, intuition, the sense that something does not quite add up, remains a critical line of defence.
AML news round-up: rising expectations
Vinciworks compliance manager Naomi Grossman followed with key AML updates which noted that AML enforcement is entering a tougher, more proactive phase. Under the Money Laundering Regulations 2017, regulators like the SRA are now focused on how controls operate in practice, not just whether they exist. Firms must evidence judgement, particularly around source of funds, risk assessments, and ongoing monitoring.
With a likely shift to supervision by the FCA, firms should expect more intrusive, data-driven oversight, higher penalties, and increased compliance costs. At the same time, desk-based reviews and intelligence-led supervision mean firms can be scrutinised without any trigger event. Essentially, expectations are rising, and firms need to be ready to demonstrate AML compliance in action.
A new feature: Case studies
One of the most powerful moments in the session came from the case studies. Not because they involved dramatic failures, but because they didn’t. No scandals. No suspicious transactions. No obvious red flags. And yet, enforcement still followed.
In both examples, firms had allowed their AML frameworks to drift. Policies were not updated. Risk assessments became outdated or in one case, did not exist at all. Responsibility was unclear, oversight was weak, and compliance quietly slipped down the priority list.
What triggered regulatory action was not an event, but a review. A routine, desk-based assessment that uncovered gaps which had gone unnoticed internally for years.
It was a sobering reminder that in today’s environment, firms do not need to fail spectacularly to face consequences. They just need to fall behind.
A conversation about culture
The session concluded with a fireside chat featuring Pearl Moses, from Setfords Law and the author of “Owning Up to Mistakes”, a book on ethics- and culture-focused compliance. The session brought the discussion back to the most fundamental point, AML is about people.
Pearl noted that the regulatory focus has shifted decisively towards behaviour. It is no longer enough to have policies. Firms must show that those policies influence how people act.
That requires trust. Staff must feel able to raise concerns without fear. Compliance teams must be seen as partners, not obstacles. And leaders must model the behaviours they expect to see. Cultural change is not quick or easy. But without it, even the best-designed systems will fail.
The value of the core group
Despite some hesitation to speak openly, a challenge acknowledged during the session, engagement remained high. Participants were clearly absorbing the discussion, reflecting on their own practices, and identifying areas for improvement.
That is, ultimately, the value of the AML Core Group. It provides a space not just to learn, but to think. To step outside the pressure of day-to-day work and consider whether current approaches are sustainable in a rapidly changing environment.
AML Core Group meetings are by invitation only. Interested in participating?
If there was one key message to take from the session, it is that AML is no longer a background function. It is a central pillar of how law firms operate, and regulators are treating it accordingly. The firms that adapt and embed compliance into their culture, invest in systems, and take ownership of risk will be well placed for what comes next.
For those that do not, the risk is not just regulatory action. It is falling behind without realising it. And as the case studies made clear, that is exactly how problems begin.
In this volatile regulatory environment, the need for firms to adopt agile systems that can keep pace. This is why we developed Omnitrack, our workflow optimisation platform. It includes our AML Client Onboarding and Legal Compliance Suite solutions, all customisable to client process.
