At our latest AML Core Group session, we invited participants to submit their most pressing questions in advance. The result was a candid, practical, engaging discussion covering everything from regulatory change and onboarding challenges to culture, systems, and emerging threats.
The AML Core Group sessions bring together UK legal professionals and compliance experts to discuss the latest developments in financial crime regulation.
We brought together those key questions, our responses and the real-world approaches firms are putting into action.
How are firms preparing for the EU AML package, HMRC registration, and a potential move to FCA supervision?
Firms are grappling with overlapping regulatory change, and many are finding it difficult to keep pace. Despite this, a number of clear priorities are emerging.
First, firms are focusing on embedding AML as a core business process. Compliance is no longer the responsibility of a single team. It needs to be owned across the firm, with real cultural buy-in.
Second, there is a strong emphasis on evidencing compliance. It’s a familiar message, but it bears repeating: if it isn’t documented, it didn’t happen. Regulators increasingly expect firms to show how policies, controls, and procedures are being applied in practice.
Firms are also preparing for more data-driven supervision. With expected changes from the FCA, there is growing focus on how to capture, analyse, and report on AML metrics.
This is driving increased investment in technology. Case management systems, KYC platforms, screening tools, and workflow solutions are becoming essential for recording and demonstrating compliance.
Finally, firms are working to standardise compliance across teams and jurisdictions, which is especially important for those operating across the EU.
In parallel, the FCA’s recent findings on CDD make it clear that firms are expected to independently test and audit their controls, and to actively monitor and evidence compliance with their PCPs.
From an HMRC perspective, any organisation interacting with HMRC on behalf of clients may now be treated as a “tax adviser.” Firms should be identifying those interactions, defining relevant individuals responsible for tax-related work, and appointing a senior responsible owner to oversee registration and reporting while keeping an eye on key deadlines.
What practical differences do you expect between SRA and FCA AML regulation?
A move toward FCA supervision would bring a noticeable shift in approach. The FCA operates with more detailed and prescriptive rules, compared to the SRA’s more principles-based framework. Supervision is also more proactive and data-driven, with regular reporting and thematic reviews.
There is a higher enforcement risk, with less tolerance for technical breaches and a greater likelihood of significant fines.
Firms can also expect a stronger focus on systems, controls, and governance, particularly around documentation and senior management accountability.
Overall, the regulatory burden is likely to increase, with more reporting, monitoring, and ongoing oversight required.
How are firms managing overlapping EU and UK regimes, and what does this mean in practice?
Firms are generally taking one of two approaches.
Some apply the highest common standard across both regimes, using the stricter requirement to ensure consistency and reduce the risk of gaps.
Others segment their approach by jurisdiction, tailoring controls, risk assessments, and onboarding processes depending on where the client or matter sits.
In practice, both approaches introduce complexity. Firms are dealing with increased documentation, duplicated processes, and additional pressure on compliance teams to track and reconcile regulatory differences.
How far should KYC and monitoring go for long-standing clients?
Long-standing relationships do not remove AML risk.
Firms are expected to carry out ongoing monitoring and periodic reassessment, ensuring that their understanding of the client remains up to date. Familiarity should not replace scrutiny.
What does “good” look like for Source of Funds and Source of Wealth, especially in complex cases?
There was strong consensus on this topic, with several key principles emerging.
It’s critical to document the “why,” not just the “what.” Firms should evidence the enquiries made, the reasoning behind decisions, and the overall understanding of the transaction, including why matters may not have been escalated.
Assumptions should be avoided. Funds held in a UK bank account are not inherently clean. Firms need to understand how those funds were generated.
Where information doesn’t align, it should be challenged. Documentation needs to make sense in the context of the client and the transaction, and inconsistencies should prompt further enquiry.
Firms are also focusing on maintaining engagement throughout the lifecycle of a matter, rather than treating checks as a one-off exercise.
Working closely with finance teams is another important step, helping to ensure that incoming funds align with expectations and that any last-minute changes are identified.
Understanding source of wealth remains critical, even for long-standing clients. Firms are asking whether a client’s wealth profile is plausible and continuing to probe where necessary.
Finally, there is recognition that templates and checklists are not enough. Professional scepticism, judgement, and clear escalation processes are important.
How are firms handling risk assessments, onboarding discipline, and sanctions screening in practice?
Technology is playing a central role. Many firms are using case management systems integrated with electronic ID and verification tools. These systems help improve efficiency while also ensuring consistency in onboarding and risk assessment processes.
Workflows are increasingly being used to enforce discipline. For example, preventing matters from progressing until KYC, sanctions checks, and risk assessments are complete.
Automation is also helping to ensure that high-risk matters are flagged and referred appropriately, reducing the risk of steps being missed.
What does an effective AML team structure look like today, especially post-M&A or during growth?
There is no single model that works for every firm.
Smaller firms often rely on fee earners to carry out much of the AML work, while larger firms may have dedicated AML teams with multiple specialists.
The right structure depends on the size, complexity, and risk profile of the firm but clarity around roles and responsibilities is critical in all cases.
What tools or automation have truly improved AML processes and what hasn’t?
While specific tools vary, there is clear agreement that well-implemented technology can be transformative.
The biggest gains are seen where systems are integrated into day-to-day workflows, supporting consistency, reducing manual error, and creating clear audit trails.
However, technology alone is not a solution. Its effectiveness depends on how well it is implemented and adopted within the firm.
How do you ensure strong escalation, ownership, and consistency across AML processes?
Firms are focusing on a combination of structure, culture, and oversight.
Clear, practical policies and procedures are essential, supported by regular training to ensure staff understand both what they need to do and why it matters.
Ownership remains important. Even in firms with centralised onboarding teams, fee earners must take responsibility for their matters as they know the client and the context best.
Technology is helping to drive consistency by embedding controls into workflows, while regular file audits are being used to test whether procedures are actually being followed.
Strong leadership also plays a key role. Firms that embed a top-down culture of compliance and encourage openness around raising concerns are better positioned to manage risk.
Clear escalation routes are essential, along with proper documentation of decisions, triggers, and outcomes.
An important and often overlooked factor is incentives. Many firms still do not reward good compliance behaviour, which can undermine its perceived importance.
Finally, governance remains key, with regular reporting to boards or risk committees to identify trends and address inconsistencies.
How do you drive real engagement from fee earners on CDD and risk assessments?
Engagement remains a challenge across many firms, particularly where commercial pressures are high.
The most effective approaches involve making compliance part of everyday workflows, rather than an additional burden, and ensuring that processes are practical and easy to follow.
How do you close the gap between understanding AML requirements and actually following them?
This gap is rarely about a lack of policies. It’s all about implementation.
Time pressure and billing demands can discourage staff from asking questions or escalating concerns.
Firms are addressing this by making procedures more user-friendly, embedding them into workflows, and involving staff in refining what works in practice.
Training is becoming more scenario-based, focusing on real examples rather than theory.
There is also a move toward reducing discretion, with mandatory escalation triggers and system controls that prevent processes from being bypassed.
Regular file audits, both internal and independent, help reinforce expectations and accountability.
Ultimately, firms are recognising the need for both incentives and consequences by rewarding good practice while addressing poor compliance.
How are compliance teams managing growing workloads?
While there is no single solution, firms are increasingly relying on a combination of technology, process optimisation, and clearer allocation of responsibilities to manage rising demands.
How are firms handling cross-border AML challenges and diverging high-risk country lists?
Cross-border work continues to introduce complexity, especially where regulatory expectations differ.
Firms need to remain agile, keeping track of evolving risk indicators and ensuring their frameworks can adapt to changing requirements across jurisdictions.
How are firms responding to emerging threats like AI-enabled identity fraud?
Firms are taking this threat seriously.
The starting point is understanding how AI is changing the risk landscape by making fraud more convincing and harder to detect.
In response, firms are strengthening identity verification processes through multi-layered checks, cross-referencing data sources, and assessing whether information aligns with a client’s broader profile.
Importantly, the human element remains critical. AI-driven fraud often exploits gaps in judgement, so oversight and professional scepticism are essential.
Some larger firms are also developing specialist teams to handle complex or high-risk identity cases.
What does this all mean in practice?
Across all of these discussions, one theme stands out: AML compliance is becoming more operational, more data-driven, and more embedded in day-to-day business activity.
Firms that are succeeding are those that move beyond simply having policies in place and focus instead on how those policies are applied, evidenced, and continuously improved in practice.
