Preparing for and surviving an SRA AML audit
By Dean Grindle, AML Specialist, JRS Consultants
8 May 2026
Introduction
When the Government announced in October 2025 that the Financial Conduct Authority (FCA) would take over supervision of AML compliance from the SRA, the general response of the profession was one of relief. The consensus seemed to be that "surely the FCA can't do a worse job". The SRA's approach to AML was (and still is) very unpopular, with a relentless focus on policies, procedures and forms rather than the detection of actual money laundering.
In fact, the SRA's Anti-Money Laundering Annual Report 2024-25 somewhat gives the game away with its laser focus on how many audits it has conducted, what sanctions were levied and the number of firms found procedurally non-compliant. Nowhere in the report will you find any reference to how much money laundering was detected or prevented. It's like Vauxhall publishing their annual report without mentioning the word 'car'.
Timeline
Those expecting a quick transition to the FCA will be disappointed, as we are talking years rather than months. It is likely to be 2029 before the new legislation is fully implemented with the FCA running the show. Before then, perhaps as early as 2027, we might see some dual SRA/FCA joint supervision as transitional arrangements. That should be fun. Let's hope that any firm found non-compliant doesn't receive a double whammy of regulator fines.
So how have the SRA reacted?
The SRA have been living and breathing money laundering for the past half-decade or so. The thought that having its AML baby taken away from it would lead to the SRA being a little less bullish on that front hasn't materialised. In fact, if anything it has increased. We have experienced an uptick in activity over the past few months. Fortunately, we know what we are doing, so the outcomes have been excellent.
The Desk-Based Review (DBR)
The vast majority of AML audits are DBRs. The first warning you will receive is a letter from the SRA. They will require you to complete a questionnaire and return it along with the documents requested in their letter. They give you 10 days to return this information. They will normally request:
- Your Practice-Wide AML Risk Assessment (PWRA)
- Your AML policies and procedures
- Your template client/matter AML risk assessment
- A list of fee earners undertaking regulated work (i.e. Probate and Conveyancing)
- A list of open matters identified as high AML risk (only if you are able)
They will select the files they want to see and let you know in a week or so. You will only need to extract certain elements of the files and email them to the SRA. That will include evidence of ID, your client/matter risk assessment, evidence of source of funds, client care information and the ledger card. Usually this is a sample of six or so files, and always conveyancing purchase files.
Following their review they will send you a long letter detailing their findings. Be warned, the SRA raise no positive findings so don't expect positive strokes from the feedback. The SRA only report things they didn't like regardless of how petty they are. The important thing at the end of the day is what corrective action they are requiring from you. They almost always want something doing. For example, they might ask you to ensure that your fee earners have been given training on some aspect of AML such as source of funds. Or this might require additions to your AML policy. In extremis, of course, they can order you to pay a fine.
The On-Site Audit
This is a much more stressful event. They start in a similar fashion to the DBR in that you receive a letter and you need to return documents and the questionnaire. However, they require much more information such as your training records and AML course material. They will agree an audit date with you - often this will be 2-3 months hence.
On the audit day you will provide the open and closed files they want to see. They will commence with an opening meeting to describe the conduct of the day. They will review the files in some detail. They will interview the MLRO - be warned, this interview will last 2-3 hours so the MLRO will need to carefully prepare. They will need to be particularly fluent with their AML Policy and PWRA. They will also usually interview 2-3 fee earners for, say, 20-30 minutes each.
At the end of the day they will summarise their initial findings. Their full report will follow in a few weeks.
How to succeed: your documentation
All firms should have a comprehensive AML policy in place covering AML and Sanctions. You can't cut corners on this as the SRA expect your policy to cover a wide range of requirements such as ID verification, risk assessment, PEPs, ongoing monitoring etc. It is important that you have had such a policy in place since the introduction of the MLR 2017. A lot of firms cannot demonstrate this so we recommend maintaining an amendment record showing the progressive updating of the policy.
A critical element is having a detailed Practice-Wide Risk Assessment (PWRA). One side of A4 won't cut it. Believe me, there are a lot of one-page risk assessments around! The SRA expect it to cover as a minimum:
- Client risks
- Jurisdiction risks
- Services risks
- Transaction risks
- Methods of delivery risk
You need to develop the above into a robust assessment of the AML/Sanctions risks that your firm faces. For example, do you see your clients or are they all remote? Do you deal with overseas transactions or clients? Are your services higher risk (e.g. conveyancing) or low risk (e.g. Probate)? Do you have a local client base or do you work with national referral fees? Again, a PWRA needs to have been in place since the introduction of the MLR 2017. You should keep copies of superseded PWRAs to demonstrate compliance.
Whatever the format, take the time to ensure that your PWRA is bespoke to your firm. The SRA will blanch at the sight of a Blue Peter "here's one that I prepared earlier" with 20 pages of AI-generated boilerplate.
Our experience is that far too many firms have been unaware of the need to have a robust AML Policy and PWRA and might only have drafted these documents in the past year, or less. The SRA will take a dim view of this so you will be running the risk of a significant fine.
How to succeed: your files
Having undergone large numbers of SRA audits, our top tips are as follows:
- Most firms have migrated to biometric ID verification tools such as Infotrack and Thirdfort. We recommend this as it is a much more effective and efficient method.
- Ensure that you are using a good client-matter AML risk assessment form. Our template version is being used by hundreds of firms and works very well. We would discourage you from using the SRA's version on their website - it is a terrible piece of design.
- Always provide a narrative on your client-matter AML risk assessment form. It doesn't need to be of epic proportions but should explain the rationale for your overall risk rating.
- Always seek to conduct an interim AML risk assessment, say at exchange and completion stages, and mark it on the file.
- With regard to source of funds, we recommend the use of a source of funds questionnaire that clients can complete and return. The SRA are very pedantic about source of funds so please ensure that there is evidence to show that you have traced the monies back to source.
The JRS Difference
With our huge experience of negotiating these audits with our clients, you can be confident that we know what we are doing. What we would say is that contacting us just after receiving an audit letter from the SRA is a little late in the day. Whilst we can help point you in a direction that is fully compliant, it is too late to do anything about the files that the SRA will be examining. Therefore, it is preferable to get us involved in advance of an audit. If you haven't yet had an SRA audit it is highly likely you will be selected in the next six months, so please contact us now if you are not fully confident about your AML compliance.
