AML Compliance Failures in Law Firms (& How to Avoid Them)
Anti-Money Laundering (AML) compliance isn’t optional for law firms – it’s a legal obligation under the Money Laundering Regulations 2017 (MLR 2017). Legal practices must implement robust systems and controls to identify, assess, and mitigate money-laundering risks in every client relationship and transaction they handle. Regulators have made it clear that “not knowing” your obligations holds no legal weight, and firms can face significant repercussions when compliance standards are not met.
By October 2025, the Solicitors Regulation Authority (SRA) alone issued 35 fines totalling more than £565,000, with penalties exceeding £300,000 for serious breaches of AML obligations. In this environment, every law firm must recognise that weak AML compliance is a business risk with tangible legal and commercial consequences.
Contents
- What Is AML Compliance for Law Firms?
- 8 Common AML Compliance Failures UK Law Firms Must Avoid
- Real Penalties: The Cost of AML Non-Compliance
- How Law Firms Can Avoid AML Compliance Failures
- The Role of Technology in Strengthening AML Compliance
- When to Seek External AML Support
- FAQs
Key Takeaways
- UK firms subject to the MLR 2017 must operate demonstrable, risk-based controls or face real enforcement from bodies such as the SRA, CLC, or FCA.
- Common breaches include weak CDD, generic firm-wide risk assessments, inadequate source-of-funds checks, missed PEPs, insufficient training, and poor record-keeping.
- Fixes are practical and achievable, but you must be proactive. Engaging support from AML experts like PDA Legal can help improve your approach to compliance.
What Is AML Compliance for Law Firms?
AML compliance for law firms is the set of legal and governance measures a firm puts in place to prevent, detect, and report money laundering and terrorist financing risks arising from client relationships and transactions. For UK firms, this means meeting the requirements of the MLR 2017 and the Proceeds of Crime Act 2002 (POCA) by embedding risk-based policies and controls across the practice.
8 Common AML Compliance Failures UK Law Firms Must Avoid
In its latest AML Annual Report, the SRA identified recurrent breaches, including failures in firm-wide risk assessments, inadequate AML policies and procedures, poor client verification, and insufficient ongoing monitoring of transactions, all of which have driven enforcement action and referrals.
Let’s take a closer look at the common compliance failures UK firms make:
1. Inadequate Customer Due Diligence (CDD)
Inadequate customer due diligence (CDD) means a firm fails to reliably identify and verify who its clients and beneficial owners actually are. This can occur when identity documents are not properly checked, when verification relies on weak manual processes, or when firms rely on assumptions instead of evidence.
Not refreshing CDD for long-standing clients is another common trap, since circumstances, ownership, and risk profiles can change over time, leaving a firm exposed. This is something we commonly hear about, and an essential area that the SRA inspects during an AML audit.
2. Poor Firm-Wide Risk Assessments (FWRAs)
A weak firm-wide risk assessment (FWRA) treats AML risk as generic across the practice. Unfortunately, where assessments are generic, they fail to capture how risk differs by practice area; for example, conveyancing and private client work carry different exposure from large-value corporate transactions. Not tailoring assessment criteria to matters or failing to document how risks were identified and mitigated makes the assessment effectively meaningless.
Failure to review and update FWRAs, especially when the firm takes on new services or clients, only compounds the problem.
3. Not Keeping Policies Up-To-Date With Latest Regulator Guidance
Failing to keep AML policies current with the latest SRA, FCA, CLC, and government guidance leaves firms operating to outdated standards and increases regulatory risk. When guidance on matters such as client due diligence and beneficial ownership checks changes and policies are not updated to match, gaps in controls and inconsistent staff practice follow.
Regulators expect to see versioned policies and evidence that staff have been briefed on changes; lacking this can lead to adverse findings and mandatory remediation.
4. Weak Source of Funds / Source of Wealth Checks
Weaknesses in source of funds (SoF) and source of wealth (SoW) checks occur when explanations are accepted at face value without compiling evidence, or when unusual or complex money movements aren’t challenged. Examples include allowing large deposits with only a verbal explanation or failing to obtain documentary proof for third-party payments.
Not challenging unusual transactions, such as complex layering or payments from unrelated third parties, creates blind spots. Inadequate evidence collection (e.g. no bank statements or employer letters) undermines the firm’s ability to justify why funds were accepted.
5. Failure to Identify Politically Exposed Persons (PEPs)
Failing to identify politically exposed persons (PEPs) and their close associates exposes firms to greater risk without the extra protections that enhanced due diligence (EDD) should provide. Common failures include not screening against PEP lists at onboarding, confusing PEP definitions, or assuming UK-based clients can’t be PEPs. A lack of ongoing screening means a client who becomes a PEP during a long matter is missed.
Where PEPs are missed, firms often fail to apply EDD – such as senior-level approval, more in-depth source of wealth checks, and more frequent monitoring.
6. Insufficient Ongoing Monitoring
Insufficient monitoring treats AML as a one-time onboarding matter rather than an ongoing duty. Problems surface when there is no transaction monitoring during the lifecycle of a matter, or when staff assume that once a client has been verified, there is no need for further checks. This can lead to missed red flags mid-transaction, such as the use of shell companies or unusual third-party payments.
Effective ongoing monitoring means risk-based reviews, alerting on material changes, and rules to trigger re-CDD or escalation.
7. Inadequate AML Training
Inadequate training is often a “tick-box” annual course that doesn’t equip fee earners with role-specific skills. When training is generic or infrequent, staff may not recognise red flags or may be unsure how and when to escalate concerns to the MLRO. This increases the chance that suspicious matters are mishandled or ignored.
Good training, such as that offered by PDA Legal, is practical, role-targeted, scenario-based, and refreshed regularly. It should cover how to identify common red flags in the firm’s main practice areas, the internal escalation process, and real-world examples relevant to the firm’s work.
8. Poor Record Keeping
Poor record keeping shows up as missing or incomplete audit trails and inconsistent storage (e.g. some files held locally, others in shared drives). When records are incomplete, firms cannot demonstrate compliance during SRA inspections or justify decisions (for example, why EDD checks were not applied). This only increases a firm’s exposure to fines and remedial action, as explained next.
Real Penalties: The Cost of AML Non-Compliance
The SRA’s enforcement activity repeatedly exposes the same weak spots, such as the failure to submit timely Suspicious Activity Reports (SARs). These themes aren’t theoretical – they shape the regulator’s investigations and are the basis for disciplinary measures.
Here are just a few of the most notable examples of the cost of AML non-compliance:
Financial Penalties
Fines are the “headline” cost, but they are only part of the financial hit. Enforcement might entail civil penalties and regulatory fines, as well as large legal and advisory bills to respond to investigations. For many firms, the biggest short-term burden is the urgent remedial work, which can divert resources away from business development.
In 2025, the Financial Conduct Authority (FCA) issued staggering fines for serious AML breaches and insufficient risk management. Examples include:
- Barclays PLC was fined £42,000,000
- Monzo Bank was fined £21,091,300
- Simpson Thacher & Bartlett LLP was fined £300,000
Reputational Damage
AML failures damage the firm’s reputation in ways that are hard to repair. Clients are cautious about working with firms that have been publicly criticised or sanctioned. Losing client instructions or being excluded from referral networks can cut revenue for months or even years. Equally damaging is the internal impact; staff and partners may find it harder to recruit or retain top talent if the firm is perceived as weak on governance and risk.
Stress & Disruption Caused By SRA Investigations
An SRA investigation can be intensely disruptive. It consumes staff time, forces changes to workflows, pauses or delays live matters, and can trigger internal disciplinary processes. The uncertainty and reputational spotlight also create pressure on senior management and may cause client exits. Even if enforcement doesn’t result in the harshest of sanctions, the operational drag – lost hours and the emotional toll on staff – is real and measurable.
How Law Firms Can Avoid AML Compliance Failures
The consequences of AML compliance failures are serious, but there are several practical ways to reduce the risk, such as:
Strengthen Risk-Based Approaches
Create a risk-based framework that’s both practical and demonstrable:
- Segment By Service Line: Map risk by practice area (conveyancing, private client, corporate, trusts, litigation) and by client type and transaction size.
- Matter-Level Scoring: Apply a simple risk score on every new matter (e.g. low / medium / high) with clear triggers for EDD or senior approval.
- Catalogue Controls: For each risk tier, list required controls (e.g. enhanced ID checks, SoF evidence, senior sign-off, ongoing monitoring frequency).
- Review Ownership: Assign a named owner (often the MLRO or AML Compliance Officer) to review the firm-wide risk assessment quarterly and after any new service or jurisdictional change.
- Safely Store Evidence: Keep dated, signed records showing how the assessment was reached and what mitigations were implemented.
Improve CDD & EDD Processes
Make verification consistent, proportionate, and easy for fee-earners to follow:
- Standardise Onboarding: Use matter processes and controls that require minimum CDD fields and a checklist for documents/evidence required by risk category.
- Define Thresholds for EDD: Ensure that staff are clear as to the risk triggers that automatically escalate to EDD.
- Use Reliable Verification Methods: Combine documentary checks with electronic ID/verification (explained later) and robust beneficial-ownership checks. Document the method used and the outcome.
- Third-Party Payments: Require contractual and documentary proof for third-party payments and introducers; mandate enhanced checks where necessary.
- Decision Rationale: Require narratives to be recorded on all matters that set out the fee earner’s consideration of risk and CDD levels, and their justification.
Implement Ongoing Monitoring
Treat AML as continuous, not a one-off onboarding tick-box:
- Periodic Reviews: For all clients, and especially those presenting medium/high-risk attributes, schedule periodic reviews and record the review outcome.
- Transaction Monitoring Rules: Define red flags and automated alerts for unusual payment patterns or instruction changes; route alerts to the MLRO for investigation.
- Event Triggers: Re-run PEP/sanctions screening and re-check beneficial ownership on material events, such as a change of ownership.
- Escalation Workflow: Create a documented escalation process for suspicious activity, addressing who investigates, timescales, SAR submissions, and records.
Invest in Staff Training
Make training relevant, frequent, and role-specific so staff can act confidently:
- Role-Specific Modules: Provide short, practical training for fee-earners and other relevant staff, and include practice-area examples.
- Scenario-Based Learning: Use real (anonymised) case studies and interactive scenarios that require a decision and an explanation.
- Regular Refreshers: Run short refreshers every 6 to 12 months and immediate briefings when rules or guidance change.
- Clear Escalation Rights: Train staff on exactly when to escalate and who can approve exceptions. Make it clear that they will be supported for raising genuine concerns.
Maintain Robust Documentation
If it’s not recorded, it didn’t happen – documentation is your evidence in an inspection or investigation:
- Centralised Storage: Store CDD, SoF/SoW evidence, risk assessments, and SAR decision notes in a single, searchable location with audit trails.
- Standard Record Keeping on Matter Files: Implement standardised forms for CDD checklists and SoF/SoW logs to ensure consistency.
- Retention & Version Control: Apply a retention schedule aligned with MLR 2017 and ensure versioned policies so you can show what was in force at any given date.
- Audit Readiness: Run quarterly internal spot checks and an annual independent review to validate record completeness and the quality of rationale for high-risk acceptances.
The Role of Technology in Strengthening AML Compliance
Digital AML tools augment manual controls and help to reduce the risks posed by human error. Well-established automation significantly cuts the administrative burden by accelerating onboarding, flagging risk changes in real time, and generating ready-made audit trails for inspections.
Crucially, technology supports consistent application of AML controls across teams and offices, promoting confidence that every matter is assessed to the same standard, regardless of who handles it or where it is processed. Popular examples of digital AML tools include:
- Electronic ID Verification (eID/V): Automated identity and address verification using trusted data sources, biometric checks, and document authentication.
- Electronic Know Your Customer Checks (eKYC): Automated KYC checks that examine a client’s identity to assess their potential for criminal connections.
- PEPs & Sanctions Screening: Real-time and ongoing screening against domestic and international PEP, sanctions and watchlists, with alerting for status changes.
- Beneficial Ownership Checks: Tools that identify and verify ultimate beneficial owners and complex ownership structures.
- Source of Funds/Wealth Checks: Digital collection and review of evidence, with risk-based prompts and escalation triggers.
- Ongoing Monitoring & Alerts: Automated monitoring of client and transaction risk throughout the lifecycle of a matter.
- Automated Audit Trails: Time-stamped records of checks performed, decisions made, approvals granted, and reviews completed.
When to Seek External AML Support
Even well-run firms reach points where impartial expertise and extra capacity make the difference between managing risk and being exposed. Below are practical circumstances when bringing in external AML support is advisable:
When Internal Resources Aren’t Enough
Short-term capacity gaps and complex or cross-border instructions often overwhelm internal teams. External advisers provide an immediate, experienced resource to ensure deadlines, CDD, and escalation duties are met without compromising compliance.
Independent AML Audits & Gap Analyses
An objective AML audit highlights gaps that internal staff can overlook. External reviews test policies, sample matters, assess record-keeping, and report prioritised actions with practical next steps. These independent reports are useful internally for planning and externally to reassure regulators that the firm is proactively addressing weaknesses.
Support During SRA Inspections
Inspections are high-pressure and document-intensive. External advisers can help organise evidence, support staff on regulator engagement, and assist with remedial action plans. Having an expert advisor’s support helps speed resolution, should any issues arise.
Ongoing Compliance Support for Growing Firms
As firms scale, simple checklists become inadequate. External partners can help design scalable frameworks, including matter-level risk scoring and role-specific training programmes, so growth doesn’t introduce new compliance gaps. They can also provide retainer arrangements tailored to the firm’s size and risk profile.
Turn AML Compliance Into a Strength, Not a Burden
Consulting outside expertise doesn’t mean relinquishing control – it can provide credible evidence of due diligence and build internal capability. PDA Legal offers pragmatic AML advisory, training, and audit support with an emphasis on fixing the most pressing issues first.
To discuss more about what we offer and how we can support your firm, simply get in touch with our AML experts today.
FAQs
What are AML obligations for solicitors?
Solicitors must take a risk-based approach to preventing money laundering and terrorist financing by putting in place and operating policies, controls, and procedures required by the MLR 2017. This includes:
- Conducting firm-wide and matter-level risk assessments
- Undertaking proportionate CDD and EDD where appropriate
- Verifying beneficial ownership
- Carrying out ongoing monitoring
- Appointing nominated officers (e.g. MLRO)
- Maintaining records
- Reporting suspicions to the National Crime Agency
These duties are set out in the MLRs and explained in SRA guidance for firms.
What happens if you fail AML compliance?
Regulatory failure can lead to serious consequences, including financial penalties issued by the FCA or SRA, conditions placed on a firm’s practising rights, legal exposure under POCA, and increased supervisory scrutiny.
How often should AML training be completed?
At a minimum, all relevant staff should receive high-level AML refresher training annually, with new starters trained at induction before they handle regulated work.
In addition, firms must provide role-specific, practical training for fee-earners, MLROs, and front-line staff, and refresh training more frequently where risk or role requires it. The Legal Sector Affinity Group (LSAG) guidance and recent SRA thematic work make annual refreshers the baseline while stressing that training must be role-appropriate and demonstrably effective.
Neil Partridge is Operations Director and a risk and compliance specialist with nearly two decades of experience in the legal sector. He is a senior trainer, AML lead auditor, and Lexcel assessor, delivering consultancy, assessment, and training to law firms across the UK on compliance, risk, and best practice.