Independent AML Audits - What Law Firms Need to Know About Regulation 21

26 November 2025
More than £100 billion is laundered through or via UK structures every year, a staggering figure that underscores why the legal sector remains under intense regulatory scrutiny.

To combat this, Regulation 21 of the Money Laundering Regulations (MLR 2017) requires firms to establish an independent audit function to assess the adequacy and effectiveness of their anti-money laundering (AML) policies, controls, and procedures, including regular reviews of client files.

Yet the Solicitors Regulation Authority (SRA) reports that, as of April 2025, 5,569 firms fall within the scope of these regulations, and worryingly, around one in three AML audits reviewed by the SRA lacked the required file reviews.

An Independent AML Audit (IAA) isn’t just a regulatory requirement; it’s an opportunity to evaluate your firm’s AML framework, identify weaknesses, and demonstrate a culture of compliance. So if your firm is among those regulated, it’s worth asking: when was your last IAA conducted, and did it truly test the effectiveness of your AML processes?

In this article, we’ll explain what an Independent AML Audit involves, why it’s required under Regulation 21, and how to ensure your audit meets and exceeds SRA expectations.

To arrange a compliant independent audit that meets Regulation 21 requirements, contact PDA Legal today.

What Is Regulation 21 (MLR 2017)?

Regulation 21 of the Money Laundering Regulations requires firms to establish an independent audit function with responsibility “to examine and evaluate” the adequacy and effectiveness of the firm’s anti-money-laundering (AML) policies, controls and procedures, make recommendations for improvement and monitor implementation of those recommendations.

The requirement applies to firms that fall within the scope of the MLR 2017. While Regulation 21 is qualified by the phrase “where appropriate with regard to the size and nature of its business”, the SRA has made clear that most firms carrying out regulated work should have an independent audit function – in practice, the regulator expects audits (including file reviews) for firms whose business and risk profile mean the MLRs apply to their matters.

What Is a Regulation 21 Audit?

A Regulation 21 audit under MLR 2017 is an independent check of a firm’s anti-money laundering systems to ensure they comply with UK law and can effectively detect and prevent money laundering and terrorist financing.

The Regulation 21 audit is designed to:

  • Assess whether a business’s AML systems and controls are adequate and effective.
  • Ensure the firm is complying with the MLR 2017 obligations.
  • Identify weaknesses or gaps in risk assessment, customer due diligence (CDD), and monitoring procedures.

Who Can Perform the Audit?

The term “independent” in Regulation 21 is about remaining independent from the function being reviewed, not necessarily from the firm as a whole. An independent audit cannot, therefore, be conducted by the firm’s Money Laundering Reporting Officer (MLRO), any AML Officers or (usually) any compliance managers, but it could be conducted by someone who does not have a day-to-day responsibility for file handling within the firm.

There are two common approaches:

  • Internal Auditors: An experienced manager or a separate internal compliance team can perform the audit, so long as they are independent of the AML compliance function being tested and can demonstrate suitable expertise in auditing, and that they occupy a suitably high level of authority to be able to access information and cannot be ignored.
  • External Auditors: An independent third party (typically a specialist AML auditor or consultancy such as PDA Legal) provides stronger objective assurance and avoids any perception of conflict.

What Does the Audit Cover?

A compliant Regulation 21 independent audit should review both the firm’s written framework and how it operates in practice. This entails not only the perusal of documents, but also discussion with AML Officers, fee earners and support staff. At a minimum, this should include:

  • AML Policies: Review the firm’s written AML policy for completeness, legal alignment, clarity of roles, and escalation routes.
  • Customer Due Diligence (CDD) Processes: Test ID/verification procedures, risk-based client onboarding, enhanced due diligence where required, and ongoing CDD training.
  • Risk Assessments: Examine the client, matter, and firm-wide risk assessments to ensure they are meaningful, up to date, and drive controls.
  • Staff Training: Check the adequacy, frequency, and record-keeping of AML training, and whether training is targeted to role and risk.
  • Transaction Monitoring: Assess systems and practices for identifying unusual or suspicious transactions, including any automated monitoring and manual checks.
  • Suspicious Activity Reports (SARs): Review SAR-related policies, thresholds for escalation, and whether SARs are being made appropriately and in line with guidance.
  • Record Keeping: Verify that records are retained for required periods, are retrievable, and that log/audit trails exist for key decisions.
  • MLRO / MLCO Responsibilities: Test that the MLRO or Money Laundering Compliance Officer (MLCO) has a clear remit, sufficient seniority, receives appropriate reports, and acts on them.
  • Testing & Monitoring of Controls: Carry out sample file reviews and control testing to assess whether PCPs are operating effectively in practice – not just on paper – and include follow-up of previous audit recommendations.

Who Is Subject to a Regulation 21 Audit?

Under Regulation 21 of the MLR 2017, the audit is required for “relevant businesses”, which are broadly defined as businesses at risk of being used for money laundering or terrorist financing. For law firms and solicitors, this typically means:

  • Law firms and individual solicitors who carry out certain “regulated activities”, such as:
    • Conveyancing transactions (buying or selling property on behalf of clients)
    • Handling client money (receiving or transferring funds)
    • Establishing or managing companies or trusts
    • Providing investment advice or services
    • Providing tax advice or services
  • Other relevant professionals in legal services who may be exposed to financial crime risks, such as those advising on high-value transactions or handling complex corporate structures.
  • Financial institutions, including banks, insurers, and investment firms – these are included for completeness, but law firms will focus on their own sector-specific obligations.
  • Certain accountants and estate agents, who, like solicitors, are required to implement robust AML controls due to the nature of the transactions they handle.

Exemptions and Considerations

  • Smaller firms or sole practitioners may sometimes be exempt from a full Regulation 21 audit if their risk exposure is low. For example:
    • Firms that do not handle client money
    • Firms that do not engage in property transactions, company formations, or other high-risk activities
  • However, even if a firm is exempt from a full audit, it must still maintain adequate AML policies and procedures and carry out risk assessments in line with MLR 2017.

The requirement to undergo a Regulation 21 audit depends less on the size of the firm and more on the type of activities it carries out and the money laundering risk those activities present. Firms engaging in higher-risk services will almost always need an independent review of their AML systems.

What Are the Benefits of an Independent AML Audit?

AML audits conducted by an external independent auditor provide a number of significant benefits over those conducted by in-house teams. Let’s assess these benefits:

  • Increased Client Confidence: An independent audit shows you don’t “mark your own homework”, reassuring clients that their transactions and interests are protected.
  • More Efficient Resource Use: Outsourcing the audit frees your team to focus on fee-earning tasks, whilst the dedicated auditor delivers uninterrupted testing.
  • Expert Insights: Specialist auditors spot gaps and recommend practical improvements to policies, processes, and controls that inexperienced internal reviewers may miss.
  • Faster Completion: Experienced auditors work more quickly and with less disruption, delivering a timely, accurate assessment of compliance.
  • Reduced Internal Conflict: An external reviewer removes perceived bias and the discomfort that can come from peer reviews.
  • Regulatory Reassurance: A third-party audit gives added confidence that your AML procedures meet Regulation 21 and are defensible to regulators.

Does My Law Firm Need a Regulation 21 Audit?

SRA-regulated firms and CLC-regulated firms, along with any other firm whose work falls within the scope of the MLR, fall within the scope of requiring an audit.

The regulations, somewhat unhelpfully, state that law firms only need to perform an AML audit “where appropriate with regard to the size and nature of its business”.

This ambiguity has historically caught many firms out, whilst also enabling a small number of less scrupulous firms to use it as an excuse to intentionally avoid audits. As a result, the SRA are taking measures to both educate and clamp down on non-compliance.

In relation to size, the SRA states that Regulation 21 should be interpreted as follows:

“Only at the very smallest practices will a Regulation 21 audit not be appropriate to the firm’s size. All other practices who carry out regulated work must establish an audit function.”

Other indicators of requiring an audit can include:

  • You handle high volumes or high-value transactions
  • You’ve had regulatory scrutiny, inspection findings, or “near misses”
  • Your AML controls are mainly template-based or out of date
  • Record-keeping, SAR quality, or transaction monitoring is inconsistent
  • The MLRO/MLCO function lacks seniority, capacity, or a clear remit

How Long Does a Regulation 21 Audit Take?

Law firms should not prepare for an independent audit, since the audit is meant to test how controls operate in practice. This means that the lead-time, from deciding to instruct an audit to it being conducted, can be very short; it does not need to be something that has a large ‘build-up’.

The time needed to conduct a valid independent audit generally depends on the size of the legal practice being audited, how organised the firm is, and how many issues are found. However, as a rough guide based on the audits we conduct at PDA Legal, the desktop portion (‘Stage 1’) and the visit portion (‘Stage 2’) of AML audits usually take around 3 to 4 days, conducted over 3 to 6 weeks, depending upon the scheduling agreed with the firm. This can be broken down as follows:

  • Stage 1, Remote Desktop Review: We conduct a remote desktop audit, typically completed in one day off-site, and issue an initial report.
  • Initial (Stage 1) Report & Pause: After the initial report, we allow at least two weeks before the on-site stage so the firm can review findings, and we tailor the scheduling of the on-site portion (Stage 2) of the audit.
  • Stage 2, Site Visit: We normally spend one to two days on-site, or remotely, examining documents, perusing matter files and speaking with staff and managers, including an early feedback meeting, then move straight to collating our findings.
  • Report Creation: We typically spend one day finalising the written report.
  • Post-Visit Meeting: We follow up with a meeting, a week or two later, to discuss findings and answer any questions following the firm’s reading of the report.
  • Stage 3, Follow-up review: A documented review of the firm’s progress in taking action on the guidance provided following the audit, usually 3 to 6 months after Stage 2.

How Often Is a Regulation 21 Audit Needed?

In the UK, the money laundering regulations do not state how often an audit should take place. Instead, it depends on the size of the firm, the areas of law practised, the risk profile of the firm, any SRA concerns, and so on. However, as a rule of thumb, any firm that handles conveyancing matters should typically aim for an independent audit every 12 to 24 months.

By requesting to join our free legal best practice group, you will receive our monthly regulation and risk compliance news summaries. This helps you stay informed of updates from regulatory bodies such as the CLC and how they might impact your law firm.

What Common Failings Should Your Firm Be Aware Of?

According to the SRA 24/25 AML Annual Report, some of the top failings identified included:

  • Failure to perform risk assessment on client/matter – 162 reports
  • Failure to carry out a Source of Funds (SoF) check – 101 reports
  • Failure to have adequate/effective PCPs (Reg 19) – 99 reports
  • Failure to have any firm-wide risk assessment (Reg 18) – 65 reports
  • Failure to have adequate firm-wide risk assessment (Reg 18) – 57 reports

Other notable issues identified included:

Whilst you can access document templates online, we would recommend against using them ‘off the shelf’. Every law firm or practice is unique, so generic checklists or templates will not only leave gaps and fail to take account of the firm’s own risk profile, but can also increase the likelihood of missing something important, which can ultimately lead to non-compliance and risk.

Book Your Independent AML Audit With PDA Legal Today

Although opting for an external auditor for your Regulation 21 audit is often the wisest choice for firms of all sizes, it is still important to find the right auditor – one which is highly trained and knows exactly what to target.

With over 25 years of experience, PDA Legal is one of the UK’s leading providers of independent AML audits, helping firms strengthen their posture in the fight against financial crime. To get started, simply contact us today for a free consultation.
