Over the past six months, the SRA has fined 59 law firms a combined £600,000 for failing to comply with some of the most basic AML obligations required under the Money Laundering Regulations 2017.
The enforcement action reveals a pattern of compliance neglect across the legal sector, with many firms failing to implement even the most fundamental safeguards designed to prevent money laundering and terrorist financing.
AML compliance is no longer a box-ticking exercise for law firms. It is a core business risk that regulators are scrutinising with growing intensity.
The same failures, repeated again and again
A review of the SRA’s findings reveals similar shortcomings across the 59 firms.
The most common breaches included the absence of firm-wide risk assessments, inadequate AML policies and procedures, failures to conduct Client and Matter Risk Assessments, and insufficient controls for identifying and managing money laundering risks. In several cases, firms were unable to demonstrate that they had properly assessed the source of client funds or scrutinised transactions appropriately.
Three firms received the maximum £25,000 fine the SRA can impose without referring a case to the Solicitors Disciplinary Tribunal. The details of the breaches are pretty revealing.
An inspection of files at William Heath & Co found that none contained a Client and Matter Risk Assessment. In several matters, the firm had also failed to properly examine client transactions or establish the source of funds.
Meanwhile, BRR Law had failed to conduct CMRAs for eight years. According to the SRA, this resulted in a poor understanding of client and matter risks and inadequate scrutiny being applied throughout that period.
HMG Law was found to have failed to maintain up-to-date records of money laundering and terrorist financing risks, neglected to review and update its AML controls, and did not conduct the required matter-level risk assessments.
These are not technical breaches hidden deep within complex regulations. They represent failures to carry out the foundational elements of an effective AML programme.
A compliance culture problem
Perhaps the most concerning aspect of the SRA’s findings is that many of these failings appear to reflect broader cultural issues rather than isolated administrative oversights.
Risk assessments, policy reviews, source of funds checks and matter-level risk evaluations are not new regulatory requirements. They have been central components of AML compliance for years.
Yet the enforcement outcomes suggest that some firms continue to view compliance as a static obligation rather than an ongoing process requiring continuous attention, investment and oversight.
This approach creates significant vulnerabilities because policies become outdated, risk assessments fail to reflect evolving threats and staff become uncertain about their responsibilities. And then critical warning signs are missed.
When compliance becomes disconnected from day-to-day practice, firms expose themselves to both regulatory action and the very financial crime risks the regulations are designed to prevent.
Will future enforcement be even more painful?
While £600,000 in fines is significant, some commentators believe the legal sector has yet to experience the full force of AML enforcement.
Compliance experts have warned that if supervision of legal sector AML compliance were to move towards the FCA, firms could face a dramatically different regulatory landscape.
The SRA’s current approach has generally focused on transparency, remediation and proportionate penalties. An FCA regime, by contrast, is often characterised by larger financial sanctions, stronger deterrence measures and a greater willingness to make examples of firms that fall short.
Some experts have even suggested that quality accreditations could become aggravating factors in future enforcement actions, particularly where firms have presented themselves as operating to enhanced compliance standards while failing to meet basic AML requirements.
In other words, the badges intended to demonstrate excellence could potentially increase regulatory scrutiny if underlying controls are found wanting.
What should law firms do now?
The latest wave of fines demonstrate that AML compliance failures rarely emerge overnight. They develop gradually through neglected processes, outdated documentation, insufficient training and weak oversight.
Law firms should use these enforcement outcomes as an opportunity to reassess their own compliance frameworks.
Firm-wide risk assessments should be reviewed regularly and updated whenever risk profiles change. AML policies, controls and procedures must be living documents rather than files sitting untouched on a shared drive. Every matter should be subject to an appropriate, documented risk assessment before work begins. Source of funds and source of wealth checks should be proportionate, evidence-based and consistently applied.
Just as importantly, compliance responsibilities should not sit solely within the risk team. Fee earners, partners and management all play a role in identifying and managing financial crime risks. Ongoing training and clear accountability remain essential components of an effective compliance culture.
The real cost of non-compliance
For the firms involved, the true cost of the fines extend beyond the financial penalties.
Regulatory findings can damage reputation, erode client trust, increase insurance costs and consume significant management time. In severe cases, compliance failures can trigger investigations, disciplinary proceedings and lasting commercial consequences.
The latest enforcement action demonstrates that regulators continue to focus on AML compliance as a priority area. While the number of fines may have fallen compared with previous periods, the underlying message has not changed.
The legal sector remains a gateway through which criminals seek to move illicit funds. Regulators expect firms to act as a critical line of defence.
