Preventing Money Laundering and Financing of Terrorism

Download the full thematic review (PDF 40 pages 1.2MB)

Download the summary report (PDF 10 pages 1.3MB) or read below.

Read our risk assessment: Anti-money laundering and terrorist financing

Summary report


The legal profession plays a vital role in tackling money laundering which is considered to be one of the greatest risks both society and the profession faces.

The newly implemented Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) requires firms within scope to adopt a greater risk based approach to Anti Money Laundering (AML) and Countering the Financing of Terrorism (CFT) compliance.

In July 2017, following the introduction of the MLR 2017, we began visiting 50 firms. During the visits we met with the management at each firm, interviewed 50 fee earners and reviewed 100 client matters. The firms were made up of 25 large firms and 25 medium and smaller firms (including two sole practitioners)

Headline summary

  • Overall, most firms we visited are taking appropriate steps to understand and reduce the risk of money laundering, and to comply with the new regulations.
  • We were also encouraged that some firms are going beyond the minimum requirements, for example to test training and compliance.
  • We found examples of good practice, including having a variety of ways to establish the source of a client’s funds and wealth.
  • Yet we did find areas of concern. Not all firms were keeping records of their decisions, and many had not made progress with putting a firm-wide risk assessment in place. We recognise that they had been given limited opportunity to implement the new regulations, but we expect firms to move towards compliance as a matter of urgency.
  • Firms are generally carrying out appropriate customer due diligence (CDD).
  • There were also a small number of firms who have a significant amount of work to do to improve both processes and practice. This is a serious issue. If firms fail to comply we will take regulatory action, and following our review have referred six firms into our disciplinary processes.

Summary of findings by area


  • Most firms we visited had appropriate systems in place to reduce the risk of money laundering and terrorist financing.
  • From 2018, many firms will be required to register a Money Laundering Compliance Officer (MLCO) with us. Encouragingly, many firms had already considered and identified their likely nominees.
  • Forty-eight firms had an AML/CFT compliance policy. We were encouraged that 45 firms had reviewed their AML/CFT policies in the last 12 months and 34 firms had reviewed the policy within the last month.
  • It was disappointing to note that only 11 firms said they had a firm-wide risk assessment in place and just a further six firms were in the process of implementing one. This is a requirement under the MLR 2017 and firms must take urgent steps to comply.

Develop and improve – Self assessment questions for firms

  • Have you appointed a MLCO?
  • Who is your deputy Money Laundering Reporting Officer (MLRO)? How would others know?
  • What support do you provide to the MLRO and the deputy?
  • Have you updated your AML and CFT policies following the MLR 2017?
  • Have you created a written firm risk assessment? Does it highlight the risks your firm faces and the mitigation you have taken?
  • Is it easy for all staff to access and understand these policies?
Monitoring & Enforcement
  • Could you prove staff understand and follow your policies?
  • What do you do if staff fail to follow your policies?

Risk based approach

  • Most firms had an appropriate understanding about the risks their firms faced. We encourage firms to consider the risks at a firm and department level.
  • Although some firms must still make changes to meet the new obligations, we were generally satisfied by the plans and timescales we saw. It is important that firms prioritise these changes and in particular the newly required written risk assessment for the firm.
  • Forty-six firms performed risk assessments on new matters and 21 firms said they recorded those assessments in writing. Of the 100 files we reviewed, there was evidence that the level of risk was assessed on only 69 of these files which was less than we would have liked to have seen. All firms should consider keeping written records of decisions, risk assessment processes and what due diligence was undertaken for each client/matter.

Develop and improve – Self assessment questions for firms

  • Does each file have a written record of the AML/CFT risk?
  • Do you consider and review the client, the transaction and the funds in each matter?
  • How do you acknowledge and monitor the unique AML/CFT risks in different work areas?
  • How do you control and monitor high risk matters?
Customer due diligence
  • Firms are obliged to continually monitor CDD and most firms dealt with these requirements well. Overall, we were satisfied by the approach of firms to this area.
  • Although the MLR 2017 has introduced significant changes, firms largely appear to be dealing with this area soundly.
  • When we spoke to firms, the majority said they renewed CDD at regular intervals. For life events, such as change of name, change of gender, or change of address, only 34 firms said they would renew CDD - a lower proportion than we expected.
How do firms collect CDD about clients?
Document ID 39, AML checking agency 22, Companies House information 16, Online search engine 5, Sanctions check if seperate to AML checking agency 1

Develop and improve - Self assessment questions for firms

  • Does each file show how you have identified and verified the client?
  • How do you identify a Politically Exposed Person, a family member or close known associate?
  • Do your staff access the sanctions list?
  • Can you monitor how frequently CDD is undertaken on high risk clients?
  • Can you show how and when you undertake ongoing monitoring?
Source of funds and wealth
  • Most firms understood the distinction between funds and wealth and we were pleased to see the depth of the fee earner’s investigations.
  • Five firms had difficulties separating the concepts of source of funds and source of wealth, and did not distinguish them. Firms must understand and record where funds will be provided from and how those funds were obtained.
What evidence is gathered by firms?
What evidence is gathered by firms?

Develop and improve – Self Assessment questions for firms

  • What is the difference between source of funds and source of wealth?
  • Does each file record in writing where/who funds are from and how they were originally created?
  • Do the fee earners understand the client, the transaction and the funds? If not, how do they continue to monitor and assess this information during the lifetime of the transaction?
  • AML and CFT training was undertaken regularly and fee earners were universally positive about the firms’ approach. Firms must continue to update their training and consider whether specific individuals require enhanced training.
  • We expect firms to consider how relevant and useful their training is. We saw good examples of firms tailoring training to address the specific risks that their staff faced in different areas of practice.
  • Forty firms said that AML/CFT training was compulsory for all staff including accounts and secretarial staff. Some firms delivered training to individuals based on their level of exposure to AML/CFT.
  • Thirty-six firms said they undertook testing to make sure that staff members understood the training. Testing knowledge is significant. It encourages individuals to invest time and effort in to the training and provides firms with an overview of where further training may be necessary.
  • Forty-three firms kept records of staff attendance at AML/CFT training. Keeping a written record of attendance at AML/CFT training serves as a useful way of recording what AML/CFT training has been given to staff and will show the steps the firm has taken.

Develop and improve – Self Assessment questions for firms

  • Who is the vulnerable link at your firm and are they trained?
  • Does the training relate to the specific risks at your firm?
  • How long can a member of staff avoid AML/CFT training?
  • Do you record if people have completed training? If so, when do you review the record?
  • Does the MLRO review and contribute to the training?
Suspicious Activity Reports
  • Many firms had developed effective internal processes and demonstrated appropriate AML/CFT risk tolerances. Most MLROs took appropriate steps to safely record and store the decisions they took.
  • There was no typical number of Suspicious Activity Reports (SARs) and the nature of our visits did not allow us to make qualitative assessments about the number of reports made. However, firms should continue to challenge themselves and consider the implications of the volume of internal reports that are made. We consider the challenges and opportunities of the modern-day profession should inevitably lead to internal queries from fee earners.

Develop and improve – Self Assessment questions for firms

  • Are you registered with SAR online?
  • Do all staff understand tipping off?
  • Can you show which matters have not been referred to the National Crime Agency and why?
  • In the event of an emergency how would referrals be made and/or reviewed?

The future

This project only presents a snapshot of how law firms are doing, and is only part of our ongoing work in this area.

There is no substitute for reading and understanding the MLR 2017. The AML and CFT obligations are required by law for those firms in scope and they must be followed. We also encourage firms to go beyond the minimum requirements of the MLR 2017 and consider best practice.

We expect all relevant firms to prioritise complying with the new AML and CFT requirements. Firms must take steps to comply with the new obligations as soon as possible and in the meantime be in a position to show progress and future plans.

Inevitably, our review found a small number of firms that we consider not to have appropriate systems and practices. These issues ranged in scale. We will continue to work with these firms to address the areas of concern. In six of the most serious cases we have referred firms into our disciplinary process. We will take appropriate action against individuals and firms who fail to meet the minimum standards and fail to comply on an ongoing basis.