Five Minutes On… Firm-Wide AML Obligations

AML compliance is not just about checking individual clients. Every firm in the regulated sector must also have a set of firm-level obligations in place that are documented, approved, and actively maintained.

Here is what the law actually requires, and what good governance looks like in practice, in just 5 minutes.

Why is AML compliance more than just client checks?

When people think about AML compliance in conveyancing, they tend to focus on client-facing checks such as verifying identity, understanding source of funds, and screening for PEPs and sanctions. These obligations are real and important, but they sit on top of a layer of firm-wide requirements that must be in place first.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose obligations on the firm as an entity, not just on individual fee-earners dealing with specific matters. Getting these foundations right is critical, as the SRA’s supervisory findings consistently show that weaknesses at firm level tend to flow directly into weaknesses at matter level.

What is a firm-wide AML risk assessment and why does it matter?

The starting point is Regulation 18, which requires every firm in the regulated sector to carry out and document a firm-wide risk assessment. This is a written analysis of the money laundering and terrorist financing risks the firm is exposed to, taking into account its size, client base, the services it offers, the geographic areas it operates in, and the types of transactions it handles.

The assessment must be approved by senior management and kept up to date. It is not a one-off exercise. It should be reviewed whenever the firm’s circumstances change materially, and at regular intervals regardless.

This matters because it sets the context for everything that follows. It defines what higher and lower risk look like for the firm, which in turn informs how individual client and matter risk assessments should be approached.

Who is responsible for AML compliance in a law firm?

Every firm in the regulated sector must appoint a Money Laundering Reporting Officer (MLRO). This is a named individual, typically a senior person within the firm, who is responsible for receiving internal reports of suspicious activity, deciding whether to submit a Suspicious Activity Report to the National Crime Agency, and overseeing the firm’s AML compliance more broadly.

The MLRO role carries real responsibility. The individual appointed needs sufficient seniority, authority, and access to information to carry out the role effectively. In smaller firms, this is often a principal or partner. In larger firms, it may be a dedicated compliance professional. In all cases, the appointment must be documented and properly supported, rather than treated as a formality.

What AML policies, controls and procedures are required?

Regulation 19 requires firms to establish and maintain written AML policies, controls and procedures. These should cover how the firm identifies and verifies clients, how it assesses risk, how it monitors ongoing matters, how suspicious activity is reported internally, how staff are trained, and how compliance is audited.

The policies do not need to be lengthy, but they do need to be meaningful. The SRA has identified cases where firms have adopted template policies without tailoring them to their actual practice, which fails the requirement. Policies should reflect how the firm operates in reality, and staff should understand and follow them in practice.

What AML training do staff need to receive?

All relevant staff must receive regular AML training. This includes not only fee-earners, but anyone involved in client onboarding, financial transactions, or file management. Training should cover what money laundering is, what the firm’s obligations are, how to identify suspicious activity, and how to report concerns internally.

Training also needs to be kept current. A one-off session delivered several years ago is not sufficient. Firms should be able to demonstrate when training was delivered, who received it, and what it covered.

When is an independent AML audit required?

Larger firms, or those with a higher-risk profile, are required under Regulation 21 to have their AML policies and controls independently audited. This does not necessarily mean appointing an external auditor. In some firms, it can be an internal function that sits outside the compliance team.

The key requirement is independence. The purpose of the audit is to assess whether the firm’s AML framework is actually working in practice, rather than simply existing on paper.
Taken together, firm-wide AML obligations form the foundation of effective compliance. A documented risk assessment, a clearly defined MLRO role, tailored policies, regular training, and independent oversight are not separate requirements but parts of a single system.

Where firms fall short is often not in having these elements in place, but in failing to connect them or keep them active. The regulatory expectation is clear: these controls should shape how the firm operates day to day, not exist as static documents created to satisfy a requirement.