Dentons has won part of its appeal in its long-running AML dispute with the SRA, but the case is not over.
The Court of Appeal’s decision in Dentons UK and Middle East LLP v Solicitors Regulation Authority Ltd [2026] EWCA Civ 508 deals with a difficult question for law firms: when does a breach of the Money Laundering Regulations become serious enough to amount to professional misconduct?
That question matters because the judgment does not give either side a complete answer. The court rejected the idea that every AML breach automatically becomes a disciplinary matter. But it also left open the possibility that Dentons’ breach may still be serious enough to amount to professional misconduct.
That puts the focus on seriousness, context and evidence. For firms, the issue is not simply whether an AML process exists on paper. It is whether the firm can show that it properly assessed the risk, took proportionate steps, escalated concerns where needed, and documented its decisions at the time.
In Dentons, that question was particularly significant because the client was high risk and politically exposed, and the issue concerned source of wealth and source of funds checks. Those are not peripheral AML controls. They go to the heart of whether a firm understands who it is acting for and where the money behind the matter may have come from.
The case has now been sent back to the Solicitors Disciplinary Tribunal to decide whether the AML breach crossed the professional misconduct threshold. So the final disciplinary outcome is still unresolved. But for compliance teams, MLROs, COLPs, and senior management, the compliance lesson is already clear: AML breaches are not automatically misconduct, but firms should not assume that failures involving high-risk clients will be treated as minor. It is not enough to identify risks, record that a client is high risk, or rely on inherited knowledge. Firms need to evidence how they assessed risk, what enquiries they made, why those enquiries were adequate, and how decisions were escalated when warning signs emerged.
What was the Dentons case about?
Dentons’ dispute with the SRA arose from work Dentons carried out between 2013 and 2017 for “Client A”, a politically exposed person who had previously been a client of Salans, whose London office Dentons acquired in 2013.
Client A was identified as high risk for money laundering. The SRA alleged that Dentons failed to take adequate measures to establish the client’s source of wealth and/or source of funds, in breach of regulation 14 of the Money Laundering Regulations 2007. The client was later convicted abroad of crimes including embezzlement, and his wife was later the subject of an unexplained wealth order.
The Solicitors Disciplinary Tribunal found that Dentons had breached the Money Laundering Regulations, but only as a finding of fact. It concluded that the breach was not serious, culpable or reprehensible enough to amount to professional misconduct. Because there was no finding of breach of the SRA Principles, Code or professional rules, the Tribunal said it had no jurisdiction to impose a sanction.
The SRA appealed. The High Court allowed the appeal and quashed the Tribunal’s decision. Dentons then appealed to the Court of Appeal.
What did the Court of Appeal decide?
The Court of Appeal rejected the idea that every breach of a legal or regulatory obligation automatically amounts to professional misconduct.
This is an important distinction. If every technical breach of the law were automatically a disciplinary breach, the professional conduct regime would become close to strict liability. The Court of Appeal was not prepared to go that far.
Instead, the court held that there is an inherent seriousness requirement. The question is whether the conduct would be considered sufficiently serious by competent and reputable solicitors to be categorised as professional misconduct.
But that does not mean Dentons won the case outright. The Court of Appeal upheld the quashing of the SDT’s original decision on a narrower basis and sent the matter back to a freshly constituted Tribunal. That new panel will now decide whether, applying the correct seriousness test, the AML breach also amounted to a breach of the relevant SRA standards.
The point is not that Dentons was cleared. Nor is it that any AML breach will automatically amount to misconduct. The judgment sits somewhere in the middle: an AML breach still has to be serious enough to cross the professional misconduct threshold, but where the breach involves a high-risk client, firms should be very cautious about assuming it will be treated as merely technical.
Why high-risk EDD failures are hard to treat as technical
The underlying issue in Dentons was not a minor administrative failing. It concerned source of wealth and source of funds checks for a high-risk politically exposed client.
A missing document on a low-risk matter is one thing. Failing to properly establish source of wealth for a high-risk PEP is another. In the legal sector, source of wealth and source of funds checks are central AML controls. They help firms understand who they are acting for, where the money behind the matter may have come from, and whether legal services could be used to move, protect or legitimise the proceeds of crime.
That is why the seriousness question is so important. In the abstract, it makes sense to say that not every breach of a legal obligation should automatically become professional misconduct. But high-risk client due diligence is different. If a firm has identified a client as high risk, particularly where the client is politically exposed, it will be difficult to treat failures around enhanced due diligence as purely technical.
For firms, the key issue is evidence. A policy, file note or risk certificate may not be enough if the firm cannot show what risk was identified, what questions were asked, what evidence was obtained, whether inherited assumptions were challenged, and why the firm was comfortable continuing to act.
Dentons also shows why “we knew the client” or “the relationship came from another firm” is not a complete answer. Inherited clients can carry inherited risk. A merger, lateral hire or long-standing relationship does not remove the need for current, evidence-based due diligence.
The escalation question for law firms
Dentons also raises a wider issue: how do firms decide when an AML failure needs to be escalated?
It is not always enough to identify that something has gone wrong. Firms also need to assess how serious the issue is, who needs to know about it, what remediation is required, and whether it should be reported to the SRA.
That concern fits with the SRA’s own thematic review of compliance officers, published in December 2025. The SRA found that 36 compliance officers across 25 firms had received 1,377 internal reports over three years, but only nine were subsequently referred to the SRA. The review also found that only half of compliance officers had read the SRA’s reporting and notification guidance, and only 19% had read the enforcement strategy.
That data is relevant in the context of Dentons. If the key question is whether a breach is serious enough to amount to professional misconduct, firms need a reliable way to make that assessment. It cannot be based on instinct, optimism, or a general preference to keep matters internal.
A seriousness assessment should be documented. It should take account of the client’s risk profile, the nature of the breach, the potential harm, whether there is a pattern of similar issues, whether remediation has happened, and whether the regulator should be notified.
What firms should take from Dentons
The practical lesson from Dentons is not that firms should panic about every AML error. The Court of Appeal has made clear that not every breach will amount to professional misconduct. But the judgment should not be treated as a comfort blanket either.
For law firms, the case should prompt a review of how AML seriousness is assessed. That includes how high-risk clients are reviewed, what evidence is required for source of wealth and source of funds, when inherited knowledge can be relied on, how concerns are escalated, how decisions to continue acting are recorded, and when internal breaches become reportable.
The most important point is that firms need to be able to evidence their judgement at the time. Regulators, tribunals and courts are unlikely to be persuaded by vague assurances that “the risk was considered”. They will want to see what was considered, by whom, on what evidence, and why the firm decided its response was adequate.
Dentons highlights the gap between technical AML compliance and defensible AML compliance. A firm may be able to show that some process existed. The harder question is whether that process worked when it was tested by a high-risk client, incomplete evidence, internal disagreement or uncomfortable facts.
