The SRA’s most current AML report marks a clear shift in enforcement. More inspections, more failures, and far less tolerance for underperforming compliance.
Here’s what the findings actually show, and what firms should be doing about it.
The numbers are difficult to snub. In the year to April 2025, the SRA carried out 935 proactive AML engagements, up from 545 the year before. Of the 833 firms reviewed, nearly one in three were non-compliant, and a further 54% were only partially compliant.
That leaves fewer than one in seven firms fully compliant with their AML obligations.
This is not incremental improvement. It’s systemic underperformance in an area where the regulatory, financial, and reputational stakes are only increasing.
What the SRA found
The report identifies several areas of consistent weakness across the firms it reviewed. None of them are new. What’s changed is the SRA’s tone, the specificity of its findings, and its willingness to act.
Risk assessments are still failing in practice
Up to 39% of reviewed files did not effectively assess AML risk. Firm-wide risk assessments exist on paper but aren’t being applied at client level. High-risk matters are progressing without the senior oversight they require. Defective AML policies, controls and procedures contributed to a significant proportion of enforcement outcomes.
The SRA has been explicit: it expects risk assessments to inform decisions, not just document them.
Identity verification is inconsistently applied
Documents are missing from files. Checks are relaxed for familiar clients. Enhanced due diligence is not being triggered when risk indicators are present.
Emerging threats, including deepfake ID fraud and remote onboarding risks, are exposing gaps in already inconsistent processes.
Source of funds checks are being treated as a formality
The SRA’s thematic review found that, across more than 5,800 client files reviewed, 11% lacked source of funds checks entirely and 18% showed inadequate scrutiny.
Firms are collecting documents but not reviewing them. The distinction between source of funds and source of wealth is still not being applied consistently, even in higher-risk matters.
Ongoing monitoring remains the most overlooked obligation
For many firms, AML compliance still ends at onboarding. There is no structured mechanism to revisit matters, reassess risk, or refresh PEP and sanctions checks as circumstances change.
The SRA has identified ongoing monitoring as one of the most effective controls available, and one of the most consistently absent.
Training and governance weaknesses underpin the gaps
Template policies are not aligned to real-world practice. Training is not consistently refreshed or embedded. Governance structures, including MLRO oversight, do not always translate into effective day-to-day compliance.
An intensifying direction
The scale of supervisory activity tells its own story. Scrutiny is increasing, and it’s not slowing down. The SRA engaged with nearly twice as many firms in 2024-25 as the year before, and it has signalled clearly that all firms should expect attention.
At the same time, enforcement is intensifying. Combined AML penalties exceeded £1.5 million in 2024-25, the highest total yet based on SRA enforcement outcomes. The number of cases referred to the Solicitors Disciplinary Tribunal rose sharply, and criminal enforcement is no longer theoretical.
The message is clearly that AML compliance is no longer a paper exercise.
The more significant shift however, is structural. The government has confirmed that the Financial Conduct Authority will become the single professional services supervisor for AML, replacing the SRA and other supervisory bodies. The SRA will continue supervising AML through 2026 while legislation is prepared, but the direction of travel is already clear.
The FCA’s approach is more data-driven, and backed by broader enforcement powers. Firms that treat 2026 as a year to prepare for FCA-level scrutiny will be far better positioned than those that wait.
What firms should be doing now
The SRA’s findings point to a clear set of priorities for firms that want to stay on the right side of compliance.
- Fix your risk assessment framework first
The firm-wide risk assessment should reflect how the firm actually operates: its client base, transaction types, and geographic exposure. It should be actively used, not filed and forgotten.
Matter-level risk assessments should be completed before work progresses, include clear reasoning, and link back to the firm-wide view.
- Stress-test your identity verification process
Are all relevant parties being verified? Are enhanced checks triggered at the right time? Is there a clear and auditable record?
As fraud risks evolve, reliance on manual document checks is becoming increasingly difficult to defend.
- Move beyond “box-ticking” on source of funds
Receiving documentation is not the same as assessing it. Firms must actively review what is provided, question inconsistencies, and document their conclusions.
Source of funds should be standard on every file; source of wealth should be assessed in higher-risk matters.
- Build ongoing monitoring into your workflow, properly
This requires a defined process, not good intentions. Whether through scheduled file reviews, case management prompts, or automated re-screening, firms need to ensure monitoring actually happens and that changes trigger reassessment.
- Strengthen training and governance from the top down
AML training should be current, relevant, and regularly refreshed. Policies should reflect how the firm actually operates, not generic templates.
Governance structures must support consistent application of AML controls across the firm.
Our 2026 AML guide
If this raises questions about where your firm stands, Mastering AML Compliance in 2026 provides a practical starting point.
It covers everything from risk assessments and identity verification to source of funds, Safe Harbour, the DVS Trust Framework, and the role of technology, written specifically for conveyancers who need practical guidance, not regulatory theory.
OneSearch AML is a digital AML and KYC platform built specifically for conveyancers. To find out more, visit onesearch.direct/products/onesearch-aml.
