At our recent VinciWorks AML Core Group meeting, a clear picture emerged of how the AML landscape is shifting for UK law firms. The discussion moved beyond technical compliance and focused on how firms are responding in practice to regulatory transition, increased supervisory scrutiny, and growing operational complexity.
The questions below reflect the real issues compliance teams are grappling with right now: preparing for the transition from SRA to FCA supervision, anticipating changes to the MLRs, managing EU and international developments, and embedding effective client due diligence and governance across increasingly complex firms.
They also highlight a shared concern around practical implementation, such as how policies, technology, data, and people actually work together under pressure, and how MLROs can demonstrate credible, defensible decision-making when challenged by regulators.
These questions reflect what effective AML compliance looks like in 2026, not just on paper, but in day-to-day practice.
- Regulatory transition / supervision
How are firms preparing for FCA AML supervision, and what practical impact do they expect it to have?
Firms are preparing for a more intensive, outcomes-focused supervisory model, with greater emphasis on evidence, governance, and senior accountability. Practically, firms expect more thematic reviews, deeper testing of controls, and less tolerance for informal or undocumented practices.
What are firms beginning to do by way of gap analysis pre-FCA?
Most are benchmarking current frameworks against FCA-style expectations, focusing on governance, escalation processes, risk ownership, and documentation. Particular attention is being paid to MLRO effectiveness, SAR decision-making, and firm-wide risk assessments.
How should law firms balance ‘wait and see’ against early AML readiness ahead of the move from SRA to FCA?
A full redesign is premature, but foundational readiness is essential. Firms should strengthen governance, clarify accountability, improve documentation, and test controls now, while leaving flexibility for final regulatory detail.
Has the SRA asked to review your MLRO annual report, and are you seeing increased focus on this ahead of the transition to FCA supervision?
Yes, there is increasing scrutiny of MLRO annual reports, particularly around whether issues are clearly articulated, escalated, and acted upon. Regulators are looking for evidence of challenge and follow-through, not just reporting.
When do you think we will see the updated MLR in early 2026?
Most expect publication in Q1 or early Q2 2026, with changes aligning UK rules more closely to international standards and addressing transparency, supervision, and enforcement powers rather than wholesale reform.
What strategies have worked for managing AML compliance across multiple jurisdictions with conflicting regulatory requirements?
A global baseline plus local overlays model works best. Firms apply the highest common standard firm-wide, with documented jurisdiction-specific deviations where required, supported by strong central oversight.
What further AML changes do you see coming on the horizon?
Greater focus on effectiveness over form, more individual accountability, enhanced scrutiny of professional enablers, expanded use of data and analytics by regulators, and closer alignment with EU and FATF expectations.
- EU AML
How is your firm preparing for the EU AML package?
Firms are mapping which entities and activities fall within scope, assessing data-sharing implications, and preparing for more centralised EU supervision via AMLA, particularly for cross-border work and higher-risk clients.
- Client due diligence and onboarding
Is anyone looking at AI providers to help with initial background checks on clients?
AI tools are being used for triage and efficiency, not decision-making. Firms remain clear that risk assessment and acceptance decisions must remain human-led and defensible.
What about refreshing an ID, when the passport is still valid and e-verification does ongoing monitoring?
Most firms are moving to a risk-based refresh, relying on ongoing monitoring unless there is a trigger event, risk change, or regulatory requirement to re-verify.
How do you politely cease acting for a client whom you have filed a SAR against?
Firms rely on neutral, non-specific disengagement language, citing professional or commercial reasons, and carefully avoiding any reference that could amount to tipping off.
How do you deal with aborted fees when the advice does not proceed and the CDD information has not been provided?
Best practice is to pause billing until minimum CDD is completed, or document clearly why limited work was permissible under the regulations before disengagement.
How do you convince your US partners of the necessity to complete AML checks to the level required by the SRA?
By framing AML as a regulatory and firm-wide risk, not a jurisdictional preference, and clearly explaining personal and firm-level consequences of non-compliance.
How do you deal with the rise of online utility bills when it comes to proof of addresses?
Most firms now accept online-only documents if sourced directly, verifiable, recent, and supported by secondary checks where risk is higher.
How far back do other firms go when requesting historic documents to verify source of funds or source of wealth?
Typically 3–6 months for SoF, and longer for SoW depending on the narrative. The focus is on plausibility and consistency, not arbitrary time limits.
What are the main processes firms follow to get comfort on source of wealth and source of funds?
A documented narrative supported by independent evidence, risk-based corroboration, and escalation where explanations are incomplete or inconsistent.
The LSAG guidance has shifted around verifying ultimate beneficial owners. Where have firms landed in practice?
Most firms now verify UBOs where risk justifies it, even if not strictly mandated, particularly for complex structures or higher-risk jurisdictions.
Do firms identify and verify discretionary beneficiaries who have received or may receive a payment, even where the firm is not advising on or involved in the payment?
Increasingly yes, where there is a realistic expectation of benefit and a material AML risk, applying a proportionate, risk-based approach.
Is early time recording allowed before CDD checks have been completed and, if so, what are the parameters?
Time recording is generally permitted, but chargeable work must not proceed beyond limited exceptions, and controls must ensure no substantive advice is delivered pre-CDD.
Is everyone obtaining the trust regulation document before completing client due diligence?
Yes, this is now widely treated as standard practice, particularly where the trust is UK-registrable or presents elevated risk.
- Policies, procedures and best practices
How have firms managed to keep policies and procedures updated with the constantly changing AML environment?
Through scheduled reviews, regulatory horizon scanning, and clear ownership rather than ad hoc rewrites.
How do you sanctions check all suppliers, both matter-related and firm-wide suppliers?
By applying tiered screening based on risk and materiality, with automated tools for core suppliers and enhanced checks for higher-risk relationships.
Do you have effective ways of embedding AML policies and procedures so they are consistently followed in practice?
Targeted training, practical guidance, senior role-modelling, and integrating AML checks into workflows rather than relying on standalone policies.
How are firms ensuring that the firm-wide risk assessment is a “living document”?
By linking it to onboarding decisions, incident reviews, and regular updates following regulatory or business changes.
- Technology, data and tools
How effective are current technologies, including AI, at reducing AML risk without increasing false positives or poor-quality alerts?
Effective when well-calibrated and governed, but over-reliance without tuning often leads to alert fatigue and reduced effectiveness.
Could you share insights on the strengths and limitations of existing onboarding and screening systems?
They are strong on scale and consistency, but weaker on context, judgment, and complex structures. Human oversight remains critical.
- MLRO role, governance and capability
Do you have any good networks, forums or resources you would recommend for newly appointed MLROs?
LSAG materials, sector-specific forums, peer networks, regulator publications, and structured MLRO training programmes remain essential for staying current and supported.
Taken together, these questions reflect a profession at a genuine inflection point. AML compliance for UK law firms is no longer just about technical adherence to the rules, but about demonstrating judgement, governance and credibility under increasing regulatory scrutiny. As supervision evolves, expectations rise, and technology reshapes how firms operate, the value of shared insight and practical experience becomes even more important. These questions are intended to prompt open discussion, challenge assumptions, and support firms in building AML frameworks that are not only compliant, but also robust, defensible and ready for what lies ahead.
In this volatile regulatory environment, firms need to adopt agile systems that can keep pace. This is why we developed Omnitrack, our workflow optimisation platform. It includes our AML Client Onboarding and Legal Compliance Suite solutions, all customisable to client process.