It’s a compliance horror story just waiting to happen. A firm receives notice of an inspection from the SRA. In response, they quickly pull together their AML policy or firm-wide risk assessment, convert it to a PDF, and send it off.
The PDF, of course, was created that morning.
And therein lies the problem.
The SRA’s question is simple: can you prove this policy existed before we contacted you?
For firms managing compliance policies in Word documents and manually converting them to PDF when needed, the answer is often no. And no proof means no defence.
Word documents, weak evidence
You might think, “But we’ve had this policy for ages!” And that’s likely true. But PDFs don’t care about your intentions—they care about timestamps. When you convert a Word doc to a PDF, it takes on a brand new creation date. That metadata is visible to anyone who checks. So if your PDF says it was created the day after the SRA contacted you, you’ve just created suspicion where there might have been none.
Even if the policy was drafted months ago, without proper version control or an audit trail, you can’t prove it.
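The check anyone can run on a submitted PDF, as an added example that is not part of the original article: it reads the creation date from the PDF's Info dictionary and compares it with the date of the regulator's notice. The sample bytes, the notice date and the function names are constructed for illustration, and the parser assumes the Info dictionary is stored uncompressed (PDFs that keep it in object streams or only in XMP need a full PDF library).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: Info dictionary of a PDF exported at 08:30 (+01:00) on 20 May 2025.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Title (AML Policy) /Producer (Constructed sample)\n"
    b"/CreationDate (D:20250520083000+01'00') /ModDate (D:20250520083000+01'00') >>\n"
    b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n"
)
# Constructed date on which the regulator's notice arrived.
NOTICE = datetime(2025, 5, 19, 9, 0, tzinfo=timezone.utc)

# PDF date string: D:YYYYMMDDHHmmSSOHH'mm' where every field after the year is optional.
_DATE_RE = re.compile(
    rb"/(CreationDate|ModDate)\s*\(D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    rb"(?:([+\-Z])(\d{2})?'?(\d{2})?'?)?\)"
)

def pdf_dates(data: bytes) -> dict:
    """Return the CreationDate/ModDate entries found in the raw PDF bytes."""
    found = {}
    for m in _DATE_RE.finditer(data):
        # Missing fields default to January, day 1, 00:00:00.
        y, mo, d, h, mi, s = (
            int(g) if g else dflt
            for g, dflt in zip(m.groups()[1:7], (0, 1, 1, 0, 0, 0))
        )
        sign, off_h, off_m = m.group(8), m.group(9), m.group(10)
        offset = timedelta(hours=int(off_h or 0), minutes=int(off_m or 0))
        if sign == b"-":
            offset = -offset
        # Assumption: a date with no offset is treated as UTC.
        found[m.group(1).decode()] = datetime(y, mo, d, h, mi, s, tzinfo=timezone(offset))
    return found

def review(data: bytes, notice: datetime) -> str:
    """Classify a PDF by whether its creation date falls after the notice date."""
    created = pdf_dates(data).get("CreationDate")
    if created is None:
        return "no-date"
    return "postdates-notice" if created > notice else "predates-notice"

if __name__ == "__main__":
    print(pdf_dates(SAMPLE_PDF)["CreationDate"].isoformat(), review(SAMPLE_PDF, NOTICE))
```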
What evidence does the SRA care about?
The SRA doesn’t expect firms to be perfect, but it does expect systems that are robust, documented, and demonstrably in place before a problem arises. Enforcement actions show that it’s not just the absence of policies that draws fines, but the inability to prove their existence or use.
Recent cases include:
- Hunters Solicitors LLP: Fined nearly £25,000 for failing to maintain compliant AML policies and firm-wide risk assessments over three years.
- A London firm (ABS): Hit with an £80,000 fine for lacking client/matter risk assessments, policies, and independent audit documentation.
- Multiple small firms: Collectively fined over £57,000 in 2024 alone for failure to demonstrate AML compliance, even where policies likely existed—but couldn’t be evidenced.
These aren’t isolated mistakes. They’re systemic failures in documentation, governance, and audit readiness.
Three ways to reduce metadata risk
If you’re sticking with Word and PDF workflows (for now), here’s how to mitigate the risk:
Use an internal version control table
Include a clear table in the document itself showing version number, date, editor, and summary of changes.
Keep tracked-change versions
Don’t just overwrite your policy. Save each version separately—“Policy_v1_Jan25.docx”, “Policy_v2_Mar25.docx”, and so on. These time-stamped Word files serve as evidence of updates.
Publish PDFs only at the point of publication
When finalising a new version, create a PDF, store it, and retain the Word doc as source. Don’t wait until inspection day to hit “Save As PDF”.
But there’s a better way.
The Omnitrack alternative: Audit trail included
Rather than trying to patch up legacy workflows, many firms are moving to VinciWorks’ Omnitrack platform. Omnitrack eliminates the metadata problem entirely. Instead of juggling Word versions and PDFs, you get:
- Live version control: Every update to a policy or risk assessment is logged, time-stamped, and stored.
- Proof of creation: Audit trails show who created, viewed, and acknowledged a policy, down to the minute.
- Automatic reporting: At the touch of a button, you can produce exportable logs proving compliance before the SRA ever knocked.
Suppose a firm updates its AML policy on 15 May 2025. Omnitrack logs the new version as created on 15 May 2025 and assigns it version 3, while the prior version remains on record as version 2, created on 10 Feb 2025.
If the SRA inspects on 20 May 2025, the firm exports the audit report showing version 3 existed on 15 May. That beats any debate over PDF timestamps.
Omnitrack v Word approach to compliance
| Risk area | Traditional Word/PDF workflow | Omnitrack audit‑trail approach |
| --- | --- | --- |
| Version validation | Depends on internal version tables and tracked versions; PDFs lose metadata | Full immutable audit trail; automatic version history |
| Timing proof | Manual retention of older Word docs; PDFs show conversion date | Systemwide timestamp; SRA‑grade verifiable logs |
| Efficiency | Manual processes, error‑prone | Instant reporting, minimal admin |
| Compliance evidence | Potential gaps; reliant on paper/electronic file management | Robust, consistent, tamper‑evident record |
Don’t let metadata undermine your compliance
In the legal world, details matter, and in compliance, evidence is everything. The simple act of converting a Word doc to PDF can cast doubt on your entire compliance framework if you can’t prove when a document was created.
Omnitrack was built for this exact challenge. In a world where regulators expect proof—not promises—it gives law firms the confidence to say: “Here’s the policy, and here’s when it was created, reviewed, and read.”
No grey areas. No metadata traps. Just compliance, done right.