Anti-Money Laundering annual report 2022-23

Published 13 October 2023

Foreword by Paul Philip

Over the past year, we have been reminded time and again of the importance of preventing economic crime. This ranges from ensuring compliance with financial sanctions against Russia following its illegal invasion of Ukraine to stopping local drug dealers from laundering their profits by buying houses.

The victims of economic crime are all around us, and we cannot allow criminals to enjoy the proceeds of their crimes. We recognise the valuable role legal services have to play in preventing these being transformed into assets or hidden from authorities.

We continue to prioritise our role as an anti-money laundering supervisor. In the past year, we have increased the resources we dedicate to preventing and detecting financial crime. This means we have been able to perform proactive inspections of 177 firms and performed 73 desk-based reviews.

Through our proactive work, we generally seek to provide advice and ensure firms are complying with their obligations. That said, where we find serious or widespread issues, we will take robust enforcement action.

In the last year, we have brought enforcement action against a combined total of 47 firms and individuals. This includes £137,402 in fines (either levied by us or the Solicitors Disciplinary Tribunal), one individual suspended, and one individual subject to controls being placed on their employment. In the most serious cases, where we suspect money laundering has taken place, we make reports to the National Crime Agency. In the last year, we submitted 24 suspicious activity reports relating to assets totalling more than £75m.

We have also increased our work to ensure that all solicitors understand and meet the obligations of the financial sanction regime. We have undertaken a programme of work to understand the risk that firms both within and outside the scope of the money laundering regulations are exposed to.

We also undertook a thematic review of law firm compliance with the financial sanctions regime. As a result of this, we issued guidance explaining the requirements of the financial sanctions legislation, setting out risks and red flags, and outlining what we think a good control framework looks like. We additionally carried out spot checks on 23 firms to gather information about how they complied with the sanctions regime.

Over the coming year, we will increase our work in this area, including undertaking proactive sanctions inspections and desk-based reviews to check how well firms are managing their risk and whether they are complying with licences issued by the Office of Financial Sanctions Implementation. Where we find sanctions breaches, we won’t hesitate to take enforcement action.

I would like to thank those firms that engaged with us in a constructive manner as part of proactive supervision and thematic reviews. As well as all those firms that take preventing economic crime seriously and have robust procedures and controls in place. Despite most firms taking their responsibilities seriously, we continue to see a significant minority of firms that don’t give preventing money laundering sufficient care, attention or resources. As set out in the report, there remains a number of firms that are still not getting the basics of their firm-wide risk assessment, policies, controls and procedures, and customer due diligence right. The main requirements of the 2017 money laundering regulations have been in place for six years and there is no excuse for firms to be no longer getting the fundamentals right.

I would urge all firms to ensure that they are dedicating appropriate resources to preventing money laundering and fostering a culture in which everyone takes this important risk seriously. Preventing money laundering is a responsibility shared by everyone working in a firm, irrespective of whether you are a senior leader, a fee earner, or a member of the accounts team.

SRA CEO, Paul Philip
October 2023

Open all

Money laundering is when criminals 'clean' the proceeds (the financial gains) of crime. Criminals transform proceeds into assets, such as houses or businesses, or other seemingly legitimate funds, for example, money in a bank account. In some cases, laundered money is used to fund terrorism.

Money laundering makes these proceeds look like genuine sources of income, which criminals can then spend freely and without raising suspicion. Such criminals often make their money from serious crimes like fraud, or trafficking people, wildlife or drugs.

Organised crime costs the UK economy more than £100bn every year, and the National Crime Agency (NCA) believes there are 4,500 organised crime groups operating in the UK. This, along with a rise in terror attacks in the last 10 years and an increasingly complex and uncertain global backdrop, is why combatting money laundering is an international and UK priority, with UK legislation in place.

The information in this report details our work in this area and highlights key information on specific areas of our AML work for the 2022/23 fiscal year.

We produce this report as part of our responsibility as an AML supervisor and our duty to report information to the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) under regulation 46A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017(as amended) (MLR 2017). Where throughout this document we refer to 'the regulations', this refers to the MLR 2017.

For this purpose, we are reporting on the fiscal year (6 April 2022 to 5 April 2023). From 2018 to 2020, we have reported in line with our previous corporate reporting fiscal year, which runs from 1 November to 31 October.

The Solicitors Regulation Authority (SRA) is the regulator of solicitors and law firms in England and Wales. We work to protect members of the public and support the rule of law and the administration of justice. We do this by overseeing all education and training requirements necessary to practise as a solicitor, licensing individuals and firms to practise, setting the standards of the profession and regulating and enforcing compliance against these standards.

We are the largest regulator of legal services in England and Wales, covering around 90% of the regulated market. We oversee some 160,000 practising solicitors and around 9,500 law firms. We supervise 6,007 firms for the purpose of AML requirements.

The money laundering regulations we enforce come from the international standard-setting body, the Financial Action Taskforce (FATF), and EU directives. This includes the Fourth Money Laundering Directive and the Fifth Money Laundering Directive. These directives were brought into UK legislation through the MLR 2017. In the future, following our exit from the EU, new UK legislation is more likely to come from recommendations made by the FATF and the UK Government.

The regulations set out the business types which offer services that could, potentially, be targeted by money launderers. They include banks, estate agents and some legal services.

Laundering money through the legal sector

Solicitors and law firms are attractive to criminals because they process large amounts of money, are trusted, and can make the transfer of money or assets appear legitimate. Most law firms work hard to prevent and to spot money laundering and take necessary action, but some get involved unknowingly. A very small number may even knowingly cooperate or work with criminals to launder money.

The legal sector also plays a key role in upholding the financial sanctions regime, restricting what individuals and businesses that are subject to sanctions can do.

Here are some ways in which firms and solicitors become involved with money laundering, either knowingly or unknowingly:

  • Conveyancing – criminals use the proceeds of crime to buy houses to live in, rent or sell.
  • Setting up shell companies or trusts – solicitors and law firms are integral to such transactions.
  • Misusing client accounts – criminals will seek to misuse law firm client accounts to ‘clean' laundered money.
  • Failing to carry out proper due diligence – money laundering can take place if firms and solicitors do not carry out sufficient checks on a client's source of funds.
  • Failing to train staff – so that they know how to spot potential money laundering and who to report it to.

Our work as an AML supervisor

The regulations name professional bodies with responsibilities for AML supervision. The Law Society is the named supervisor for solicitors in England and Wales and delegates regulatory activities to us. This means we must effectively monitor the firms we supervise and take necessary measures, including:

  • making sure the firms we supervise comply with the regulations, and we approve the relevant beneficial owners, officers, and managers to work in those firms
  • adopting a risk-based approach and basing the frequency and intensity of our supervision on our risk assessments of firms
  • encouraging firms we supervise to report actual or potential breaches of the regulations. We do this through:

We must take appropriate measures to review:

  • the risk assessments carried out by firms (under regulation 18 MLR 2017)
  • the adequacy of firms' policies, controls and procedures (under regulation 19 to 21 and 24 MLR 2017), and the way in which they have been implemented.

We enforce the money laundering regulations mentioned above and carry out our work as an AML supervisor through:

  • sharing and receiving information to prevent money laundering with other supervisors and law enforcement agencies
  • publishing guidance on the regulations
  • proactive supervision – we do this through desk-based reviews and onsite inspections
  • annual data collection exercises – last year we wrote to all firms within scope of the MLRs 2017 to provide us information about the work their firm did to help us assess the risk posed by those we supervise. This year we contacted all firms not within the MLRs 2017 and asked them to provide us with information on their approach to managing financial sanctions risk
  • investigating potential breaches of the regulations
  • taking enforcement action where breaches of the regulations are proved.

Our proactive supervision

In total, we had 273 proactive engagements with firms during the reporting period, which were broken down as follows:

Rolling programme of inspections As part of an onsite investigation Desk-based review Thematic work Sanctions screening exercise
136 15 73 26 23

The purpose of the thematic work and sanctions screening exercise was to gather information around how firms complied with the sanctions regime. Therefore, in those engagements we didn't assess overall compliance with the money laundering regulations.

Onsite inspections and desk-based reviews

For both types of inspections, we typically review between four to eight files for each firm, depending on the size and nature of the firm. For larger firms, or those doing a high volume of regulated work, we are likely to review eight files. We reviewed 1,245 files in total.

On occasion, we may also ask to see further files, if we have not been able to complete our assessment on the ones selected. For example, if there are files that show a client matter closed quickly after being opened, or where we may have identified a trend but need to see more files to check our initial findings.

Our desk-based reviews involve examining:

  • firm-wide risk assessments
  • a firm's AML policies, controls and procedures
  • client and matter risk assessments
  • a sample of a firm's files to assess compliance with their AML policies, controls and procedures and the regulations.

This, to a large extent, mirror what we do onsite.

The onsite inspections also involve interviewing the firm's Money Laundering Compliance Officer (MLCO), Money Laundering Reporting Officer (MLRO) and two fee earners (if applicable to the size and nature of the practice) using our AML questionnaire.

Compliance levels

Of the 224 inspections and desk-based reviews we carried out, we found the following levels of compliance:

Compliant Partially compliant Not compliant
Desk-based reviews 8 39 26
Inspections 35 76 40
Total 41 115 68

Supervision actions

Below are the types of steps we take and an explanation, including how we define the compliance level at a firm. These are used throughout the report. We also set out the number of times we have taken these steps during the reporting period.

Actions taken Compliance level at firm What this involves Step taken with number of firms
Guidance issued Compliant Standard required in the regulations has been met. This includes cases where no changes or minor changes are necessary and we issue guidance or share best practice. 41
Letter of engagement Partially compliant – where there are some elements of a firm's controls that need improving, but there is some good practice and the firm is generally doing well at preventing money laundering. We engage with some firms to help them refine their processes and bring them into full compliance. When we talk about our process of engagement with a firm, this is where corrective action is required in one or more areas but is not so widespread that it requires a compliance plan. Depending on the extent of action, we need evidence or confirmation from the firm that this has been rectified before we conclude our contact. We can, and do, refer firms for a disciplinary investigation if they fail to act on our letter of engagement. 94
Compliance plan Partially compliant – in a number of areas or where the level of non- compliance is significant. A compliance plan sets out a series of actions that firms need to take, and by when, to bring them back into compliance with the regulations. We monitor the firm to make sure it has carried out all the actions. We require evidence that action has been taken. We can, and do, refer firms for an investigation if they fail to follow the plan. 21
Referred for investigation Non-compliant – examples include failure to carry out customer due diligence (CDD), no firm-wide risk assessment in place, out-of-date policies or a failure to train staff on the regulations. We open an investigation into the firm, which may result in a sanction. Where necessary, we will also set up a compliance plan. 68

In this report, we have set out some findings from our supervisory work by theme, such as assessing risk, and the steps we have taken. We often identify more than one issue at a firm, so some firms are included in the figures for several themes throughout the report. This is particularly relevant for matters referred for disciplinary investigations where firms are often referred due to multiple breaches.

When making the decision on engagement or a referral, we consider a number of factors, such as:

  • The extent of the breaches and how widespread the issues are.
  • The impact of the breach, for example, a failure to risk assess files has led to insufficient due diligence being undertaken, or a failure to identify a politically exposed person (PEP).
  • Whether there is a systemic lack of compliance, for example, a firm that does not have adequate policies, controls, and procedures and is failing to comply with a significant number of the regulations.

Sanctions we can apply

If there has been a serious breach of our rules by a firm or solicitor, we can issue a sanction.

The range we can impose is limited. For example, up until July 2022 we could only issue a fine of £2,000 to regulated firms or individuals. After this date, the limit increased to £25,000. However, we can impose a fine of up to £250m on an Alternative Business Structure (ABS), also known as a licensed body, and up to £50m on managers and employees of an ABS.

We are also not able to strike off a solicitor, such a sanction can only be imposed by the courts, most commonly the Solicitors Disciplinary Tribunal (SDT).

Since June 2023, we have also been able to issue fixed financial penalties of up to £1,500 for firms. These apply to a small number of lower-level breaches of our rules to enable compliance with our more administrative requirements to be dealt with more effectively and in a timely way. An example of misconduct which may result in a fixed penalty could include failing to comply with a regulatory request for information. For example, failing to respond to a declaration of how your firm complies with AML requirements or the financial sanctions regime.

Where appropriate, we can also resolve a matter through a regulatory settlement agreement (RSA). Under an RSA, the facts and outcome are agreed by both parties. These allow us to protect both consumers and the public interest by reaching appropriate outcomes swiftly, efficiently and at a proportionate cost.

We publish the details of our findings and sanctions, including RSAs, on our website. We withhold any confidential matters from publication, where this outweighs the public interest in publication (for example, details of an individual's health condition).

Firms and individuals we regulate that fall in scope of the regulations

Around 6,000 firms (6,007 as of 5 April 2023) fall within the scope of the money laundering regulations. This represents around two-thirds of the total firms we authorise (9,518).

As a professional body supervisor, we have a duty to make sure that the firms we supervise comply with the regulations and have appropriate controls in place to prevent money laundering.

The below table details the number of firms we supervise which fall within scope of the regulations. This includes the number of firms we supervise for AML purposes, where there is just one solicitor or registered European lawyer (REL) practising at the firm. This is the figure we report to HM Treasury and our oversight supervisor, OPBAS. This is different to our definition of a sole practitioner, who may employ staff or work in conjunction with others.

Firms subject to the regulations 2021/22 2022/23
Number of firms where there is more than one solicitor/REL practising at the firm. 5,124 4,816
Number of firms were there is just one solicitor/REL practising at the firm 1,284 1,191
Total number of firms we regulate that fall within scope of the regulations 6,408 6,007

Number of beneficial owners, officers and managers

Under the regulations, beneficial owners, officers and managers (BOOMs) must be approved by us. They must get a Disclosure and Barring Service check and submit it to us when they first become a BOOM or take on a new role. The table below shows the total number of BOOMs we regulate as of 5 April 2022

2021/22 2022/23
Number of BOOMs 23,349 23,275

Number of money laundering-related reports received

We receive reports about potential breaches of the regulations and money laundering activity from a number of sources, including the profession and consumers. We monitor the media and other reports for potential breaches, and we also receive intelligence from the NCA, other law enforcement bodies and government agencies.

The number of reports also includes where we have identified a potential breach of the regulations ourselves. This could be, for example, through an AML onsite inspection at a firm or a desk-based review of the firm’s AML control environment.

We investigate suspected breaches of the money laundering regulations and cases of suspected money laundering.

The table below shows the number of money laundering-related reports received each year:

2018/19 (SRA financial year) 2019/20 (SRA financial year) 2020/21 2021/22 2022/23
197 196 273 252 249

Types of reports received

We record the reasons why a report has been made. In 2022/23, there were 249 money laundering-related reports, with 522 reasons attached – compared to the previous year where there were a similar number of reports (252) but only 393 reasons. This shows we are investigating more potential breaches of different sections of the regulations than before and recording the same better.

Often, reports have more than one suspected breach that need investigating and these can change during the life of an investigation as we get more information. These were the most significant reasons for the AML reports we received:

Specific matter reason Count
Failure to have proper AML policies and procedures 61
Failure to carry out a source of funds check 60
Failure to carry out a risk assessment on client/matter 58
Failure to carry out a firm-wide risk assessment 48
Failure to carry out/complete initial CDD 47

Number of money laundering-related matters resulting in a SRA outcome

Where we see that firms or individuals have failed to comply with the money laundering regulations, we can take action. We refer more serious matters to the SDT.

For less serious matters, SRA outcomes include a letter of advice or rebuke, where we remind the individual or firm of their regulatory responsibilities. We can also fine a firm or individual, or put conditions on their practising certificate, limiting what they can do in their role.

2018/19 2019/20 2020/21 2021/22 2022/23
14 21 16 43 39

In 2021/22, we had a large number of cases where firms had failed to respond to a data gathering exercise. In the last year there are no enforcement cases based purely on a failure to respond, and the larger number relates to increased enforcement of AML issues.

During 2022/23, we issued 23 fines, totalling £61,600. We made 43 decisions in total relating to money laundering concerns. Below is a breakdown of the type of outcomes:

SRA outcomes Count
Fine 23
Letter of advice 11
Rebuke or reprimand 3
Finding and warning 1
Condition on firm's authorisation 1

Read more about on the type of decisions we make, their purpose, and our Enforcement Strategy.

Going forwards we expect to see more fines being dealt with within the SRA as we use our new fining powers. This includes being able to fine individual solicitors up to £25,000.

Number of money laundering-related cases brought to the SDT

In more serious matters, we prosecute a firm or an individual at the SDT. It has powers that we do not, including imposing unlimited fines, and suspending or striking solicitors off the roll.

2018/19 2019/20 2020/21 2021/22 2022/23
14 13 13 8 8

Below is a breakdown of the outcomes at the SDT for 2022/23:

SDT decision Count
Fine 6 (totalling £75,802)
Suspended for a period / Control of employment 2

Themes from enforcement action

In total, there were 47 enforcement outcomes in relation to money laundering.

In over half of the cases, the most common area for breaches were firm-wide AML controls. Most frequently, we saw firms failing to have a compliant firm-wide risk assessment (FWRA) in place, with many of those enforcement cases where the firm had made an incorrect declaration to us in 2020 that they had a compliant FWRA. Some of these cases also included elements of inadequate policies, controls and procedures and staff training.

Of the remaining outcomes, the majority related to the buying and selling of property and poor customer due diligence. These generally involved inadequate identification and verification of clients (both individual and corporate) at the outset, followed by failings in assessing and identifying the risks at client/matter level. We also saw a failure to perform ongoing monitoring of the transactions and to undertake source of funds checks.

Understanding the source of funds to be used in a transaction is a fundamental part of the risk-based approach. If someone understands whether the source of funds are legitimate, the risk of money laundering is greatly reduced. While we have seen a slight improvement, firms need to do more in this area and check source of funds more often than we are seeing them do, especially in high-risk transactions.

Other issues we identified, seen in previous years and repeated again, were:

  • failures to apply enhanced customer due diligence and enhanced ongoing monitoring
  • failure to recognise work that brings the firm into scope of the regulations
  • failing to have sufficient regard for our issued warning notices, red flag indicators (as highlighted in a FATF report) and sector wide guidance.

We have identified three key themes that we believe contributed to these breaches:

  • Inadequate importance placed on having robust and compliant AML risk assessments, policies, controls and procedures. This is often because of a lack of attention to this at senior levels at firms.
  • Inadequate supervision or training of fee earners on the regulations and on the firm’s policies, controls and procedures.
  • Having systems and processes that allow events to happen unchecked, such as receipt of funds or moving to the next stage in the transaction (rather than an automated ‘stop’ being put to a transaction until customer due diligence has been completed).

Emerging themes

We are currently investigating a number of cases for failure assess risk at client or matter level. We are seeing that that this has either not been done at all or has been done poorly. For example, the risk was not correctly assessed, or a tick box approach was adopted without giving any real thought to the risks involved. We expect further enforcement outcomes in the coming year on these types of cases.

We are also seeing an increased number of cases relating to breaches of the sanctions regime, specifically sanctions placed on Russians and Russian entities. We are developing with Office of Financial Sanctions Implementation (OFSI) an approach to these cases where there is evidence of serious professional misconduct. We expect some enforcement outcomes in the coming year.

We submit a suspicious activity report (SAR) to the NCA if we identify a suspicion of money laundering through our work.

The number of SARs made during the last reporting period remained largely the same compared with the previous reporting period (24 in 2022/23 compared with 20 in 2021/22).

2018/19 (SRA financial year) 2019/20 (SRA financial year) 2020/2021 2021/2022 2022/2023
19 26 39 20 24

From what we have seen in our suspicious activity reporting during the period, there were no significant shifts either in terms of new trends or emerging threats. From the analysis we have done on the SARs submitted by us over the last 12 months, the main money laundering risk areas are:

  • property conveyancing (both residential and commercial)
  • misuse of the client account
  • transactions with no underlying legal purpose
  • sums of money being broken down and remitted or received in multiple transactions
  • involvement of funding and or clients from high-risk countries
  • tax evasion.

A lack of due diligence and source of funding checks are nearly always present. As well as instances of legal professionals not considering any money laundering risks when carrying out work for existing or longstanding clients.

Suspicious Activity Reports and firms’ risk tolerance

Where we conducted an inspection onsite during the reporting period, we have also reviewed a sample of SARs submitted by the firm to the NCA over the past two years.

Our findings have not been indicative of significant quality issues in SARs submitted by firms. Most of those we reviewed (from 26 firms) were written in a comprehensible manner.

Our most consistent finding is that 54% of firms did not include glossary codes in their SAR narratives as recommended by the NCA.. The inclusion of glossary codes helps triage of SARs to the correct area of law enforcement. We also found that 19% of firms did not include a description of the criminal property.

42% of firms also missed out phone number and email address detail in their submissions. This information is useful to law enforcement in investigating crime. Where available, firms should include this information when submitting SARs.

In autumn 2021, we held a free webinar with the NCA to help firms understand when they should report concerns to us and how to submit a good quality SAR.

We were encouraged to see firms were not afraid to turn away clients due to the money laundering risks they posed. We found firms would commonly turn away clients for the following reasons:

Clients attempting to provide forged documents (for both client due diligence (CDD) and as part of source of funds/source of wealth information).

  • Being unable to complete satisfactory CDD
  • Unclear source of funds/source of wealth
  • Evasive clients
  • Clients who were attempting to rush transactions for no good reason
  • Clients linked to cryptocurrency, where source of funds was unclear.
  • Adverse media articles which suggest the clients are linked to crime.
  • Money for transactions coming from high risk jurisdictions where it is difficult to identify the source of funds.
  • Clients linked to sanctions.

This section of our report concentrates on the measures we have seen taken by firms to assess the level of risk, both at firm level (as required under regulation 18) and client and matter level (as required under regulations 28(12) and 28(13)).

Firm-wide risk assessments

The purpose of a FWRA is to identify the risks a firm is or could be exposed to. Then, appropriate policies and procedures should be put in place to mitigate the risk. It is a crucial document for preventing money laundering and forms the backbone of firms’ AML controls.

We have found that most firms now have a FWRA in place. Over the last few years, we have also seen an improvement in the quality of FWRAs which reflects the thought, effort, and time that many firms put into these documents. Nonetheless, there are still a very significant proportion of firms with FWRAs that are not compliant, so we would urge firms to review and update this key document. We have provided information below that should help firms to do that.

During the reporting period, we called in a total of 224 FWRAs to review as part of AML inspections and desk-based reviews. The eight firms that failed to provide their FWRA were referred for investigation.

Of the remaining 216 documents we reviewed, we found the following levels of compliance:

Compliant Partially compliant Not compliant
Desk-based reviews 30 35 4
Inspections 75 61 11
Total 105 96 15

Just under half (49%) of the FWRAs we looked at during the reporting period were compliant, which was very similar to the previous reporting period.

Similarly, 7% of the FWRAs we looked at during the reporting period were non-compliant, the same as the previous reporting period.

We provided feedback to firms where their FWRA were partially or not compliant. The main areas of feedback we provided are shown below and include occasions where we have provided feedback where the risk area has been missed. Often, feedback will have to be provided on several areas, which is why these figures do not total 216.

Area of feedback Number of times feedback provided (desk-based review) Number of times feedback provided (inspections) Total number of times feedback provided

Assessment of transaction risk

Firms did not sufficiently explore transactional risk, such as how many high-value transactions the firms deal with, the typical size and value of a transaction, whether transactions are large or complex, and the type of payments accepted, for example, cash payments or payments from third parties.

32 44 76

Assessment of product/service risk

Many firms are failing to list all the services they provide that are within scope of the regulations. A cross check against the firm's website and information we gather during our practising certificate renewal exercise shows a disconnect between the FWRA and the products and services listed. We would also often see firms focusing on the services they do not provide, as opposed to the risks attached to the services they do provide.

23 41 64

Assessment of delivery channel risk

Firms did not assess how they deliver their services. It was difficult to determine from the risk assessments reviewed whether firms meet their clients, if they offer services that are not face-to-face, and, if they do, how they deliver those services, for example, by email or video meetings.

27 36 63

Geographic risk

There was a lack of detail on where the firm's clients and transactions are based and if any of the firm's clients have overseas connections. Most risk assessments focused only on setting out the likelihood of dealing with a client from a high-risk jurisdiction and failed to address the geographical locations the firm does deal with and if these are local or national.

29 47 76

Assessment of client risk

Firms failed to set out the type of clients they deal with. For example, whether these clients are individual or companies, if any of the companies have complex structures, whether the clients are predominantly new or longstanding clients, and if any clients pose a higher risk, such as politically exposed persons (PEPs).

32 40 72

Further tailoring to firm's size and nature

In some cases, firms provided an FWRA that was not suitable, given the size and nature for their practice. These documents were often completed on templates that were predominately specimen text, which had not been tailored to the firm. While there is nothing inherently wrong in using a template, firms must ensure this has been uniquely tailored to your practice.

23 38 61

There were several themes which featured within the non-compliant FWRAs. These include:

  • Several firms only put in place a FWRA after we asked to see it. This is despite some of these firms having previously confirmed to us in January 2021 that they did have a FWRA in place.
  • Not providing a FWRA but instead providing an alternative document, such as an AML policy.
  • Providing an operational risk assessment, which looks at business risks rather than AML risks.
  • Using a template but not completing it correctly (for example, using a checklist or not including enough detail) or failing to tailor it to the firm.
  • Failing to consider all services the firm provides.
  • Many firms failed to expand on the risks identified, for example, we saw firms stating they often operated in high-risk jurisdictions but not setting out and assessing the applicable jurisdictions.
  • Many documents focused on what the firm does not do (for example, setting out that the firm does not offer trust formation services or act for PEPs), instead of focusing on the AML risks present in its day-to-day business.

It is important that the FWRA is reviewed regularly and updated, where necessary. We found that some firms had not done this. A FWRA is a living document and should be regularly updated, for example:

  • when AML legislation changes or we update our sectoral risk assessment
  • where firms provide a new service or act in a new area of law
  • where firms make changes to the way they work, for example if they introduce a new client verification system.

Good practice

We identified a lot of good practice through our reviews of FWRAs during the reporting period.

In some of the best examples we saw, it was clear the person undertaking the FWRA had worked closely with various teams and partners across the business to assess the risks. On more than one occasion, we saw firms had undertaken separate AML risk assessments for separate business areas/offices within their practice. The advantage of this was that all areas of the business were feeding into the FWRA. It also helped to demonstrate a risk-based approach, as something which would be low risk in one business area may be considered high risk elsewhere.

Some firms had used templates to good effect. We have previously highlighted poor practice, where firms had used templates but had not edited the standard text to make it relevant to their firm. However, some of the best examples of FWRAs we saw during the reporting period were firms that had used a template as a starting point. These firms had adapted and tailored the templates to cover the risks in detail and in a way specific to the firm.

Some firms also made use of quantitative data and statistics to help them analyse their AML risks. For example, using information gathered from internal SARs. We consider this to be good practice.

Client/matter risk assessment findings

Flowing from FWRA, client/matter risk assessments prevent money laundering by making sure firms consider the risks posed by each client and matter, and whether firms can perform the correct level of CDD to mitigate those risks. Client and matter risk assessments are required under regulation 28(12) and 28(13).

We had concerns about whether firms were undertaking client/matter risk assessments, as well as the quality of those assessments and whether they then led to risk based CDD.

During the reporting period, we reviewed 1,245 files. Of these, 21% did not contain a client/matter risk assessment, as required under the regulations. Where firms failed to undertake client/matter risk assessments, they were referred for an investigation.

Other key findings were:

  • 27% client/matter risk assessments we reviewed did not reflect the firm’s FWRA.
  • 43% client/matter risk assessments did not clearly show when enhanced due diligence (EDD) was necessary.
  • 51% client/matter risk assessments reviewed during our file reviews were ineffective. We saw examples where this did not contain a risk rating, the rationale for selecting a particular risk rating was not clear, or the form did not assess AML risks. We also found some fee earners followed their own risk assessment process rather than the one set out by the firm, and we often found this to be ineffective.

This remains an area where improvement is needed. As well as setting out below some insight that should help firms take the necessary steps, we have also therefore undertaken a thematic review into client/matter risk assessments and have published a thematic report and example client/matter risk assessment to help firms in this area.

We also found some firms used a centralised team and/or support office to gather CDD before passing the matter on to fee earners. While there is nothing inherently wrong in this approach, fee earners should still make sure they satisfy themselves that the CDD conducted is adequate for any risks posed by the client and the matter. As well as reviewing the initial CDD conducted, fee earners should review this on an ongoing basis to assess any changes in risk.

Poor practice

We continue to see firms using a template matter risk assessment form but then not completing it correctly or not completing one on every matter. Some forms were very basic and tick box in nature, where fee earners only had to mark whether a file was high risk, medium risk, or low risk.

Often, these forms did not feature any commentary or justification where the fee earner could say how they had arrived at the risk level. It is important that the rationale for the risk level and level of due diligence is clearly recorded, along with what actions the fee earner will take to mitigate those risks.

Similarly, many forms we looked at failed to set out high risk factors, which fee earners need to consider when assessing the level of risk with the client or matter. These forms also failed to alert the fee earner to when EDD was required. This is concerning, as matters subject to EDD are typically the highest risk.

Many matter risk assessment forms we looked at did not reflect their FWRA. For example, one firm considered all cash purchases in property matters to be considered high risk in the FWRA. When we reviewed the matter risk assessment, this was assessed to be low risk by the fee earner.

We also reviewed a number of risk assessment forms which assessed the wider risk to the business as a whole. For example, reputational risk and whether the client had the ability to pay fees, as opposed to the AML risk. These forms would not constitute a client or matter risk assessment as needed under the regulations.

Good practice

Some of the best examples where when the matter risk assessment form set out the factors that fee earners must consider when assessing client or matter risk.

We were also pleased to see examples of any risks identified being reviewed at appropriate intervals, for example before key dates in a matter or when additional information is received regarding a client or matter. The firm would then check that the information presented did not change the level of risk present in relation to the client or matter.

This included matter risk assessments completed in a way that reflects the firm’s FWRA. For example, if it states that conveyancing is high risk, the matter risk assessment is then completed in line with that. But commentary could be provided to explain why a particular matter was not considered high risk, eg due to length of relationship with a client, value of a transaction or source of funds checks completed.

We also saw some good examples where firms used different matter risk assessment templates, depending on the type of work being carried out. For example, whether the matter was transactional or non-transactional. These templates contained guidance for fee earners around the various risks that could be present.

One firm adopted a client or matter risk assessment form that set out various risk factors which must be considered by fee earners. Each of these factors provided a risk weighting. Where a certain risk threshold was met, the fee earners had to gain approval from the MLCO to proceed with the matter.

Similarly, at some firms, there was a genuine effort to collaboratively assess risk by fee earners and the risk team. The fee earner would initially complete the risk assessment before passing it on to the risk team. The risk team would then go back to the fee earner with any risks they identified and highlight any further information the fee earner would need to obtain in order to mitigate the risks.

Firms may be at risk of being used to evade sanctions. It is therefore important that fee earners are aware of all parties involved within a transaction, including any beneficial owners, to ensure they are complying with the sanctions regime.

Around a quarter (26%) of the AML policies we reviewed failed to mention what steps a fee earner should take to make sure their client is not subject to financial sanctions. While this does not necessarily need to be included in an AML policy, firms should record their approach to complying with sanctions somewhere in writing.

This finding is concerning, given the importance of the financial sanctions regime, and its prominence in the media over the reporting period. We have published sanctions guidance and undertook at thematic review into compliance during the reporting period.

We have undertaken a suite of work, including a series of urgent actions in response to the Russian invasion of Ukraine. These include:

  • We carried out desked based reviews on 23 high-risk firms, where we identified through open-source research that they have exposure to the Russian market, to assess compliance with the financial sanctions regime by screening their client list against the list of Russian designated persons.
  • We reviewed firms’ approach to sanction compliance, during our rolling programme of inspections and investigations to ensure firms’ compliance with the money laundering regulations. We introduced questions asking firms about their sanctions controls while carrying out an onsite AML inspection.
  • As a result of the inspections and investigations, we published guidance to help firms comply with the financial sanctions regime. This sets out details of the regime, red flag indicators and our expectations of what a good control regime looks like.
  • Between April and June 2023, we ran an exercise requiring more than 3,000 law firms to provide us with information on their approach to managing financial sanctions risk. This included direct emails communication with firms, supporting press releases, social media and online content. We will use the information to help assess the financial sanctions risk faced by all firms we regulate.
  • We wrote to several Members of Parliament who made allegations of law firms breaching the sanctions regime, asking for further information in order to investigate any misconduct.
  • We visited the firms named in Parliament in relation to money laundering or sanctions breaches to assess their anti-money laundering procedures and controls.

We undertook a significant awareness raising exercise around the sanctions regime. We have regularly used our SRA Update e-bulletin to provide information to the profession on the latest financial sanctions updates and highlight materials being published by the government, ourselves and others. We have had at least one story in every edition of the bulletin between November 2022 and June 2023.

Providing support and guidance to firms on financial sanctions has also been a key element of our events and webinar programme over the past 12 months. This has seen more than 1,000 people join our live webinars and events on sanction-related issues, and a further 1,500 viewers to-date watching recording of the sessions. We have also delivered keynote sessions on the subject at a number of virtual and face-to-face external events, including our annual Compliance Officer Conference and LegalEx 2022.

At our Compliance Officer Conference, we held a dedicated main hall session on how firms should comply with sanctions and financial crime regulations. This face-to-face event was also broadcast online and drew a combined audience of more than 1,200 people. Attendees heard from several speakers, including representatives from OFSI and individuals working within law firms who could offer practical insights.

We issued new guidance on complying with the UK’s financial sanctions regime in November 2022. And published press releases promoting OFSI’s latest updates on trust services and general licence arrangements in both December 2002 and June 2023.

We also proactively engaged with the media on a range of related issues over the past 12 months, resulting in more than 80 stories appearing across the news, financial and legal press which also mention the SRA.

Sanctions screening exercise

We spot checked 23 firms that we identified as having exposure to the Russian market – inclusive of those above – to assess compliance with the financial sanctions regime. During this exercise, we required these firms to provide a copy of their client list. Once provided, we screened their client list against OFSI consolidated list (Russian regime).

Where we identified positive matches, we asked firms to provide details on what steps they have taken. Only one firm was identified as acting on behalf of a designated person without following the appropriate steps. This came to light following an onsite AML inspection. We are currently investigating this matter.

Sanctions thematic

We expect all firms we regulate to have appropriate controls in place to comply with sanctions legislation, including undertaking regular and appropriate checks of the sanctions lists.

The requirements of the financial sanctions regime on the legal sector are not new, and we have always highlighted the requirements of reporting and freezing assets. Russia’s invasion of Ukraine has placed a greater importance on this area of work. As such we have, and continue to place, an increased focus on preventing and detecting sanctions breaches by our regulated population.

In light of this, we carried out a thematic review into this area, to produce guidance to help the legal industry comply with sanctions requirements. To produce this guidance, we used the input of subject matter experts from across the legal industry.

We visited 26 firms, including industry leaders who provide advice to both designated persons and to law firms on sanctions and compliance. The information we gathered from these visits fed into our sanctions guidance, published in November 2022.

Sanctions findings from onsite AML inspections During the reporting period, we introduced a number of questions to understand what controls firms had in place to help them comply with the UK sanctions regime. We found:

  • 10% of firms did not check whether new clients were designated persons.
  • 47% of firms did not check whether existing clients were designated persons.
  • Only 20% of firms checked whether counterparties involved in matters were designated persons.
  • Only 21% of firms were aware of the steps they must take should they encounter a designated person.

There is a strict liability on behalf of firms to comply with the sanctions regime. It is therefore important to check whether new and existing clients are subject to sanctions. Firms should also consider whether counter parties to transactions are designated persons.

The vast majority of firms used e-verification providers to carry out these checks. However, we also observed a small number of firms which screen clients manually and free of charge via the OFSI consolidated list on His Majesty’s Treasury website.

A report must made to OFSI when someone knows or suspect that:

  • a breach of the sanctions has occurred
  • that a person is a designated person
  • you hold frozen assets.

Sectoral risk assessment

Our updated sectoral risk assessment discusses sanctions in detail. In this, we have explained we expect the sanctions regime to continue to expand, so all firms should be familiar with the requirements. Sanctioned individuals and businesses are likely to seek to instruct firms with weaker controls.

This section concentrates on the on-going monitoring measures we have seen taken by firms as required under regulations 28(11) and, in some cases, regulation 33(4) and 33(5).

On-going monitoring is a key requirement of the MLRs 2017 and one of the most effective controls firms can put in place to protect against money laundering. Firms must continually monitor their clients, to ensure knowledge remains consistent with their customers' risk profile. This will help identify and mitigate potential money laundering risks.

We assess firms' ongoing monitoring obligations when we review files as part of an onsite inspection or desk-based review. We also review AML policies, controls and procedures to ensure firms have a documented ongoing monitoring process.

On-going monitoring goes further than keeping CDD documents to up to date. It also includes:

  • Scrutinising transactions to ensure the source of funds remains consistent with a firm's knowledge of the client and the transaction.
  • Reviewing client/matter risk assessments to ensure the information recorded has not changed.
  • Screening clients for matches against sanctions lists, links to PEPs and adverse media.

We discuss firms' on-going monitoring procedures as part of our onsite inspections. Our findings during the reporting period show various ways in which firms meet their on-going monitoring obligations.

Some of the most effective controls we saw included:

  • Alerts built into firms' case management systems which notify users that CDD is due for review. In some cases, work cannot continue until updated CDD has been obtained.
  • Reviewing risk assessments at certain stages of a transaction, for example, prior to completion in a property matter, to ensure the source of funds has not changed. Regular file reviews for longstanding clients to ensure CDD has not expired. The nature of work is also reviewed to ensure the level of risk remains consistent. On-going alerts from e-verification systems where there are potential matches against PEPs, sanctions lists or adverse media.

Many firms explained that the fee earner is responsible for ongoing monitoring throughout the life of the matter. Any changes to client's circumstances or transactions should be flagged by fee earners.

Fee earners are the first line of defence. We would agree they are best placed to identify any unusual changes to client's circumstances or transactions. This should be part of a formal ongoing monitoring process, where checks are documented.

A small number of firms did not have a formal on-going monitoring process. There were also concerns identified on the client files we reviewed for these firms. These issues may have been identified by the firm if they had a process in place and these were subsequently referred for investigation.

This section of our report concentrates on the controls, in particular, the AML policies firms must put in place to mitigate against any money laundering risks.

AML policies controls and procedures (PCPs)

We reviewed the PCPs put in place by 217 firms and found the following:

Compliant Generally compliant Non-compliant
Desk-based reviews 16 43 13
Inspections 44 67 34
Total 60 110 47

We have highlighted below are some of the most significant themes and common missed areas within firms AML PCPs:

Area Deficiency in percentage of PCPs we reviewed during desk-based reviews (approx.) Deficiency in percentage of PCPs we reviewed during inspections (approx.)
Assessment and mitigation of the risks associated with new products and business practices (5MLD) 61% 70%
Reporting discrepancies to Companies House 57% 42%
Taking additional measures, where appropriate, to prevent the use for money laundering or terrorist financing of products and transactions which might favour anonymity 47% 39%
Information on the firm's stance on reliance (on another person to carry out CDD). 43% 33%
Checking the sanctions register/complying with the sanctions regime 43% 25%
High-risk third countries / high-risk jurisdictions 37% 37%
Simplified due diligence 32% 31%
How to identify and scrutinise complex, unusually large or unusual pattern transactions 22% 29%

Discrepancy reporting to Companies House

Under regulation 30A, firms must inform Companies House of any discrepancies in their information about beneficial ownership. We found that this information was not included in 48% of the AML policies we reviewed.

Any discrepancy must be reported to Companies House as soon as reasonably possible.

Simplified due diligence

Simplified due diligence (SDD) was one of the most significant areas we provided feedback on (32%). Many policies contained conflicting information around what SDD is, or not mentioning it at all.

Regulation 37 allows SDD to be carried out where a firm determines that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account the FWRA.

SDD is the lowest permissible form of due diligence and can only be used where the firm has determined that the client presents a low risk of money laundering or terrorist financing.

It is important to note that, while there is no obligation on firms to apply SDD, it is something they may wish to consider adopting, in the appropriate circumstances. However, a firm’s approach to SDD must be set out in its policies and procedures. This is so fee earners know whether they can apply it or not.

If firms do permit SDD, they will need to set out the circumstances and the checks they would expect to see, as CDD will still need to be applied albeit to a lesser extent, and fully documented.

Further guidance on SDD can be found in the Legal Sector Affinity Group (LSAG) AML Guidance 2023.

Reliance

Reliance was another common area we provided feedback on. Reliance has a specific meaning within the regulations and relates to the process under regulation 39 where, in certain circumstances, firms may rely on another person to conduct CDD, subject to their agreement.

We found that the vast majority of firms (96%) did not use reliance or permit other firms to rely on CDD they had collected. The firm’s stance on reliance, however, was missing from 38% of AML policies we reviewed.

A firm’s stance on reliance must be documented within their policies and procedures so fee earners know whether it permitted by the firm.

Identifying and scrutinising patterns of transactions

Under regulation 19(4), firms must have in place controls which identify and scrutinise:

  • transactions that are unusually large or complex
  • unusual patterns of transactions
  • transactions which have no apparent legal or economic purpose.

We found that many firms mentioned these factors within their AML policy. However, very little explanation was given as to what a large or unusually complex transaction looks like for that firm.

Each individual firm will have their own measure as to what constitutes unusually large or complex transactions.

Firms’ AML policies should outline a list of potential red flags that fee earners must be aware of. These red flags should be tailored to the firm. We accept that it is impossible to list every possible red flag, given that criminals are constantly adapting their methods to launder money. However, the inclusion of a non-exhaustive list will help fee earners identify transactions that may be out of the ordinary.

Products or transactions favouring anonymity

The regulations are clear that firms must set out their position on whether they offer services that favour anonymity. If this is a service firms offer, they must make sure their AML policy contains a section which sets out mitigating actions for their fee earners. In many cases, we provided feedback on including a section within their AML policy to take additional measures when dealing with products or transactions that may favour anonymity.

High-risk jurisdictions

We found that many firms failed to identify high-risk jurisdictions or comment on their approach to them.

While it may be unusual for some practices to come across overseas clients, firms must make sure their fee earners are aware of any high-risk jurisdictions so they can exercise caution. They must ultimately identify matters that need EDD.

Regulation 33(1)(b) of the regulations requires firms to apply EDD measures in circumstances where high-risk third countries are involved. It is therefore important firms identify where their clients, client entities or the transactions they are working on are linked to, and whether they are high risk jurisdictions.

Other themes

We were concerned to see almost half of firms did not update their AML policies annually. On occasions, these policies referred to outdated legislation or outdated government agencies. This is an area where there needs to be improvement.

Firms must review their AML policies regularly to ensure they comply with the current legislation. We will consider taking further action where policies have not been maintained or kept up to date. For example, 5% of firms we inspected had not updated their AML policy and were referred to our investigations team for this and other issues we identified.

We also found a tendency for firms to use ‘off-the-shelf’ AML policies, which had not been tailored to the firm, and/or were not being applied in practice by fee earners. A firm’s AML policy should be specific to the firm. It should be used to guide fee earners on what steps they need to take to mitigate risks. We will take further action where policies have not been followed and breaches of the regulations have been identified.

Findings from file reviews

To make sure policies have been followed and firms are carrying out CDD, we review client files. This includes reviewing several elements:

  • identification and verification: checking if the client is who they say they are, or in the case of a company, who controls it
  • client and matter risk assessments: understanding the transaction/matter and establishing the risk presented by the client and their transaction
  • source of funds checks: establishing where the money for the transaction comes from
  • ongoing monitoring: making sure the information is still correct, the level of risk is still within the firm’s tolerance, and whether further checks need to be undertaken.

To monitor compliance across the firm, we sample a mixture of open and closed files, and a variety of clients from individuals to trusts and companies. We also select files from the different practice areas that fall within scope of the regulations to give us a wider picture of compliance across different departments of the firm.

Identification and verification

In general, firms were doing this aspect of CDD well. However, from 1,245 files reviewed, we found 14% were missing identification and verification documents – 177 in total. These documents were missing in 51 files for desk-based reviews and 126 files for onsite inspections. We also found:

  • there were no CDD documents contained on the file, or it was missing certain CDD documents
  • ID was only obtained for one individual out of several individuals involved in the transaction
  • the firm had not obtained information on the ultimate beneficial owner of a company or recorded whether they had checked the appropriate company registry to verify this information
  • in some cases, we found that fee earners had waived CDD on the basis of longstanding or personal relationships. Taking this approach will not satisfy the requirement to undertake independent verification, though these factors may inform a risk-based approach and the level of checks needed.

Source of funds and source of wealth checks

This is another area we have seen an improvement from firms, although we still feel more could be done. We provided feedback on source of funds/source of wealth issues identified on files to almost 30% of firms that had undergone either an AML inspection or desk-based review.

Thirty-three firms were referred to our investigations team for further action after source of funds/source of wealth issues identified, amongst other AML failures. There were several reoccurring themes we identified when reviewing the files. These include:

  • Firms taking copies of bank statements from clients but making few enquiries to understand how the funds in these accounts have been accrued.
  • Firms making a written note of how the transaction will be funded but not obtaining any documents in support.
  • In some cases, after our request to view the files, firms would provide us with written confirmation of how the transaction was to be funded. This information had not previously been recorded (for example, on the matter risk assessment).

Overall, we found there is a lack of source of funds information and evidence available on files. Understanding the source of funds is crucial to understanding the risk of the transaction. While several firms were able to provide an explanation of the enquiries they made, on a large proportion of files there was no audit trail.

The Legal Sector Affinity Group (LSAG) guidance has been updated and now provides further detail on source of funds information and evidence. We will continue to signpost firms to this guidance. We will also continue to remind firms of their ongoing obligations to monitor transactions and scrutinise source of funds where necessary.

Enforcement action case studies

Case study one

We investigated a firm through an onsite forensic inspection to review the firm’s overall AML compliance. The investigation identified areas of concern in relation to the firm’s compliance with the MLRs 2017 and the MLRs 2007, among other SRA standards and requirements.

Our investigation highlighted the firm did not have in place a compliant firm-wide risk assessment. And the firm had previously made an incorrect declaration to us (January 2020) that its risk assessment was compliant when it was not.

At the time of inspection, the firm did not have in place compliant AML policies, controls, and procedures. It subsequently put in place compliant policies, controls and procedures following the inspection.

An onsite file review revealed the firm failed to scrutinise two transactions effectively, including, where necessary, the source of funds, and had failed to perform ongoing monitoring.

The file reviews also identified a firm had failed to keep copies of any documents obtained to satisfy the CDD requirements. Records must be kept for five years, up to a maximum of 10 years.

The firm failed to take appropriate steps to ensure that all relevant employees at the firm received appropriate training. Our investigation established that it didn’t keep training records and that it failed to deliver effective training to its employees and the MLRO.

The firm also breached the requirement to have an independent audit, which may have picked up the other failings that we discovered.

The firm admitted all breaches and accepted that its conduct showed a disregard for statutory and regulatory obligations placed upon it and that such had the potential to cause harm, by facilitating dubious transactions that could have led to money laundering (and/or terrorist financing).

The matter was resolved by way of an RSA and the firm accepted a fine of £20,000 and payment of £1,350 costs.

Case study two

On 13 February 2023, the SDT approved an Agreed Outcome in relation to two solicitors.

One of the solicitors, a sole practitioner, was fined £5,000 and ordered to pay costs of £9,722.50. The other solicitor, employed by the firm, was fined £7,501 and ordered to pay costs of £12,500. He also admitted recklessness.

Our investigation found the solicitor failed to act upon a series of red flags for money laundering on two property transactions. In the first transaction, he missed several red flags during the transaction:

  • the property’s price increasing from £25,000 to £625,000 in only two years without an adequate explanation
  • the proceeds of sale were retained in client account for three months and distributed piecemeal to third parties
  • the client gave three different spellings of his own name in two emails
  • £76,000 of the deposit was moved around in a circle with no obvious or legitimate explanation.

In the second transaction he failed to spot further red flags:

  • the sale proceeds were retained and distributed in piecemeal fashion over several months to third parties
  • one of two clients spelled their name differently in different contexts.

Additionally, the client changed his instructions just prior to exchange and asked for the proceeds of the sale to be paid to a company. This bore a name of a restaurant, whereas the client had previously advised he worked in construction.

Had he conducted due diligence correctly on the third parties, the solicitor would have discovered that this company was owned by the purported purchaser. The inference from this is that the purported purchaser and purported seller conspired to defraud the lender of the loan payment of £433,200.

Post completion, HM Land Registry highlighted to the firm that one of its two clients had provided documents with two different dates of birth and mobile numbers, and that both had significantly different signatures. The explanation given was that they had ‘consciously changed their signatures just prior to obtaining new passports’ which was unlikely.

Such red flags ought to have prompted the firm and both solicitors to carry out further checks, but they failed to do so. The Land Registry ultimately cancelled the registration owing to its concerns.

In an agreed outcome, we accepted that there was an attempt to apply customer due diligence measures in the first transaction. This included meeting the clients in person and obtaining identification documentation. However, the solicitor didn’t scrutinise or verify the information that he had been provided with.

The solicitor apologised for his incompetent conduct and breaching the SRA Accounts Rules. He admitted acting recklessly in both transactions by failing to adequately conduct ongoing monitoring, carrying out client and matter risk assessments, and failing to conduct CDD. He had also shown disregard of our warning notices

The solicitor admitted all the allegations against him. This included:

  • failing to run his business in accordance with proper governance and sound financial and risk management principles
  • retaining client funds for longer than was necessary
  • authorising the movement and payment of the proceeds of property sales to third parties in circumstances. This amounts to the provision of a banking facility and with disregard for our warning notices.

Case study three

An individual was a manager in a conveyancing department and an employee of a regulated firm. She was fined £3,500 for failing to follow the firm’s internal AML policies on two conveyancing matters. The firm referred the individual to us after completing its own investigation following rumours of a former client being arrested.

Our investigation revealed that she failed to follow the firm’s internal AML policies, controls and procedures which required her to investigate source of funds as part of the firm’s ongoing monitoring obligations.

We found that between June and July 2021, she had acted for clients personally known to her in two separate residential conveyancing matters where she failed to adequately investigate the clients’ source of funds. The client was operating as an unregulated Foreign Exchange (FOREX) business, without FCA approval.

We imposed a fine of £3500, and she was found to have direct responsibility for the breaches, and that her conduct had the potential to cause harm to others.

Case study four

We investigated because of a self-report from the firm relating to a commercial property sale for client Mr H.

Mr H provided bank details to the firm, not in his own name but that of a third-party company. The solicitor who was the fee earner for the transaction made no enquiries into the identity of the third-party company.

The sale contract stated the deposit monies were held by the seller as agent. The firm received the deposit money from the buyer’s solicitors, and the solicitor requested one of the firm’s directors, also its MLCO and MLRO, to transfer the deposit to the seller.

On the same day, the firm transferred the deposit of £67,857 from its client account to the third-party company’s bank account. Soon after, it transpired that the person who instructed the firm was a fraudster, impersonating the real Mr H. It notified the relevant authorities, and the property transaction did not complete.

As a result of this, the solicitor admitted that he failed to conduct ongoing monitoring and sufficient scrutiny into the third-party company’s bank account details. And that he authorised the payment from the firm’s client account to the third-party bank account. He admitted the breach was serious and caused harm to the seller, who lost their deposit at the time, although they were subsequently refunded by the bank.

An outcome was reached by an RSA. The solicitor agreed to pay a fine of £3,000 and costs of £1,350. He cooperated fully throughout the course of the investigation and had shown insight into what went wrong and expressed remorse. We expect that this will make the solicitor more alert to potential markers of fraud in the future.

Emerging risks

We assess emerging risks through a range of sources, such as:

  • our investigative work
  • reports from law enforcement agencies or other authorities
  • our proactive inspections of firms
  • data collection exercises.

The last 12 months have seen a continuation of existing risks. The changed legal landscape post-Covid-19, which normalised remote clients to a far greater degree, has continued to bed in. The war in Ukraine continues with little sign of an end, leading to heightened risks of sanctions breaches.

The legislative landscape has also continued to evolve in ways which directly affect the profession and its AML compliance. During the reporting period Schedule 3ZA of the MLR 2017, which sets out high risk third countries, has been updated three times. A Register of Overseas Entities has been established, resulting in further requirements for many firms, but also a potentially useful source of CDD.

The Russian and Belarussian sanctions regime has been extended to legal advisory services, and two general licences have been issued in this regard. We expect this trend of rapid change to continue with the upcoming passage of the Economic Crime and Corporate Transparency Bill through Parliament.

A fast-moving legal and regulatory landscape naturally requires firms to be proactive to remain compliant by updating their systems and practices regularly.

Sanctions

This area continues to develop rapidly. In the past year, we have seen several changes which directly impact the legal sector:

  • a general licence allowing firms to receive legal fees from sanctioned clients, subject to reporting obligations
  • an extension to the sanctions regime, prohibiting trust services for persons connected with Russia
  • a further restriction on providing legal services relating to prohibited activities
  • a general licence allowing firms to give legal advice on divestment from Russian clients and investments.

We continue to provide advice and support to the profession in compliance with the sanctions regime, as well as liaising with the government about developments in this area.

For most firms, this comes down to:

  • correctly identifying designated persons
  • avoiding providing them with prohibited services without proper licensing from the Office of Financial Sanctions Implementation
  • making sure all reporting obligations are fulfilled.

Firms in scope of the MLR 2017 are likely to be in a better position to achieve this, as they will already be familiar with the process of identifying clients and assessing risk. Many will have systems and software which will automatically scan sanctions lists.

Firms not in scope of the money laundering regulations aren't required to have the same levels of customer due diligence controls in place. We have carried out an exercise targeting the c.3,500 firms which are out of scope of the MLR 2017. We contacted all of these firms requesting information about their awareness and procedures relating to sanctions. Those which have given answers which cause concern about their understanding of the regime have been sent letters setting out their obligations and our expectations. We will also be undertaking inspections to some of these firms over the next year.

Conveyancing and dubious investment schemes

The two areas where we continue to see the most risks relating to money laundering are conveyancing, including vendor fraud (where fraudsters try to sell a property without the consent or knowledge of the owner) and dubious investment schemes.

This has been a consistent pattern over multiple years and one that should cause firms to consider conveyancing as a high-risk activity and apply due diligence and ongoing monitoring. This is reflected in our sectoral risk assessment that we publish for firms.

Risk assessment

A recurring theme throughout our thematic work has been that firms have not been risk assessing individual clients and matters, as required by regulations 28(12), 28(13) and 33(1). We have addressed this on an individual basis where we have seen it, and also highlighted it regularly in our publications. Despite this, we have consistently seen firms failing to undertake good client and matter risk assessments in our proactive work.

This year, we have taken the following action to tackle this issue:

  • undertaking a thematic review focusing on client and matter risk assessments and reporting on the outcome
  • producing a template client risk assessment for firms to use and adapt as they see fit, refreshing our previous firm-wide risk assessment template
  • producing a warning notice on client risk assessments. This makes clear that failure to comply can be used as grounds for disciplinary action.

We will continue to monitor this issue to determine whether these measures have been effective.

Work out of scope of the MLRs

We have also considered the risk of money laundering posed to those firms and solicitors whose work lies out of scope of the MLR 2017. For example, this includes firms specialising in litigation, family law, employment law or landlord and tenant law. These firms may handle large sums of money in the course of their work, and as a result could be vulnerable to exploitation. Our guidance outlines the provisions of the Proceeds of Crime Act 2002 and how they apply to firms. It sets out best practice and reporting obligations.

We set out the areas where we think there is the greatest risk of money laundering in our sectoral risk assessment.

Areas of focus and the year ahead

We will continue to be a robust and proactive anti-money laundering supervisor and will deal with instances of non-compliance using the most appropriate supervisory tool.

We know however that there is more to do. During the next reporting period, we will continue to gather data to inform our proactive approach to sanctions alongside our anti-money laundering work. With that in mind, we have already begun work to increase the AML directorate's resources so we can deal with investigations more swiftly and expand our proactive programme of work.

We are also strengthening our quality assurance work, both in our investigations team and proactive team. This will make sure we adopt a consistent approach to issues of non-compliance and continually build our own knowledge of issues encountered.

In the coming year, we will continue to focus on:

  • taking a risk-based approach to firms and desk-based reviews, to gain a richer understanding of AML systems, processes and procedures in place
  • helping firms put strong controls in place to prevent money laundering and bringing enforcement action against firms that are not meeting their responsibilities under the regulations
  • providing targeted and timely guidance for firms, both through publications and direct engagement such as webinars
  • monitoring the areas mentioned above, under emerging risks, and considering what next steps we might need to take.

Under the regulations, we must risk profile firms and monitor risks as discussed in this report. We look at a range of factors to determine risk, including regulatory history and size. Where appropriate, our risk model also considers mitigation, such as AML controls.

We continue to use our AI-based risk model. This considers additional information provided to us by firms in the past year, among other insights. This will help refine our risk assessment and future approach to supervision. We will also feed the results of data collection exercises into this model. This will enable us to draw data from as wide a range as possible which will help us maintain the effectiveness and success of the AI-based risk model.

Our AML resources

Money laundering regulations and who they apply to

What does my firm need to do?

How we regulate money laundering

Sectoral Risk Assessment - Anti-money laundering and terrorist financing

Anti Money Laundering annual report 2021-22

Make changes to your Anti-Money Laundering authorisation

Money Laundering Governance: Three Pillars of Success

AML and sanctions webinars

AML: enforcement trends – September 2023

Government sanctions regime: how all firms can stay compliant – May 2023

Compliance Officers Virtual Conference 2022

AML: How to do a firm-wide risk assessment – June 2022

AML officers: what they need to know - February 2022

Our sanctions resources

Tell us about your firm’s approach to financial sanctions

Financial sanctions and Russia

Guidance and support

Government sanctions regime - how all firms can stay compliant

Sanctions regime guidance helps firms stay compliant

Complying with the UK sanctions regime

Other relevant sector guidance

Proceeds of crime guidance

Published by the Legal Sector Affinity Group

Legal Sector Affinity Group Guidance – Part 1

Legal Sector Affinity Group – Part 2 (barristers, Trust or Service Company Providers and Notaries)

Barristers – to be read independently of Part 1

TCSPs – to be read in conjunction with Part 1

Notaries – to be read in conjunction with Part 1

Published by the National Crime Agency

Guide to submitting better quality SARs

SARs Online User Guidance

SARs FAQs

SARs Glossary Codes

Produced by HM Government

UK National Risk Assessment

Use www.sra.org.uk/aml-annual-report-2022-23 to link to this page.