Anti-Money Laundering Annual Report 2024-25

Money laundering is when criminals 'clean' the proceeds (the financial gains) of crime. Criminals transform proceeds into assets, such as houses or businesses, or other seemingly legitimate funds, for example, money in a bank account.

Money laundering makes these proceeds look like genuine sources of income, which criminals can then spend freely and without raising suspicion. Such criminals often make their money from serious crimes like fraud, trafficking people, wildlife or drugs. Often, these funds are used to finance further criminal endeavours. In some cases, laundered money is used to fund terrorism. It is estimated that more than £100bn is laundered every year through the UK or through UK corporate structures. The National Crime Agency (NCA) believes there are approximately 4,500 organised crime groups operating in the UK.

The prevention of money laundering remains a critical priority both in the UK and internationally. This urgency is driven by a range of factors, including:

• the rise in terrorist activity financed through criminal proceeds
• the expansion of global sanctions regimes
• an increasingly complex and volatile geopolitical landscape.

This report outlines our anti-money laundering activity during the 2024/25 fiscal year (6 April 2024 to 5 April 2025), providing key insights into our regulatory approach and highlighting specific areas of focus in our ongoing efforts to combat financial crime.

This report is produced as part of our responsibilities as an AML supervisor and our duty to provide information to the Office for Professional Body Anti-Money Laundering Supervision (OPBAS). This is under regulation 46A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017(as amended) (MLR 2017). Where throughout this document we refer to 'the regulations,' this refers to the MLR 2017.

We supervise 5,569 firms for the purpose of AML requirements. The money laundering regulations we enforce originate in international standards set by the Financial Action Taskforce (FATF). The EU's Fourth Money Laundering Directive and the Fifth Money Laundering Directive (5MLD) were integrated into UK legislation through amendments to the MLR 2017 in January 2020. Since leaving the European Union, new UK legislation came from recommendations made by the FATF and the UK Government.

We also work closely with other stakeholders to improve the UK's financial crime regime. For example, in June 2024, we responded to HM Treasury's consultation to help improve the effectiveness of the MLR 2017. We also responded to the Legal Service Board's (LSB) Economic Crime Consultation in February 2025 and the Home Office's National Risk Assessment (NRA) consultation in spring 2025.

The regulations set out the categories of businesses whose services may be vulnerable to exploitation by money launderers. They include banks, estate agents and some legal services.

Laundering money through the legal sector

Solicitors and law firms can be targeted by criminals due to their trusted status, their role in handling substantial financial transactions, and their ability to lend legitimacy to the movement of money or assets. Most law firms work hard to prevent and to spot money laundering and take necessary action, but some get involved unknowingly. A very small number may even knowingly cooperate or work with criminals to launder money.

The legal sector also plays a key role in supporting the enforcement of financial sanctions, helping to limit the activities of individuals and businesses subject to those restrictions.

Firms and solicitors may become involved in money laundering, whether intentionally or inadvertently, because of the nature of the legal services they provide.

• The sale and purchase of property allows large amounts of money to be moved and converted in a single transaction. It also involves assets which are attractive because they can produce income through rental payments or serve as residential property.
• Setting up trusts and companies can create structures which allow the true ownership and control of assets to be obscured.
• Money transfers made through client accounts enable funds to be moved, divided, or redirected, often with an added appearance of legitimacy.

Other factors relate to weaknesses in the internal processes and controls firms use, such as:

• failing to carry out appropriate due diligence on a client's source of funds reduces the likelihood of money laundering being detected
• failing to train staff also reduces the likelihood of money laundering being detected and reduces the effectiveness of AML policies, controls and procedures (PCPs)
• failure to carry out the appropriate client due diligence checks (CDD) on conveyancing matters, an area we consider to be high risk for money laundering.

Our work as an AML supervisor

The regulations name professional bodies with responsibilities for AML supervision. The Law Society is the named supervisor for solicitors in England and Wales and delegates regulatory activities to the SRA. This means we must effectively monitor the firms we supervise and take necessary measures, including:

• Making sure the firms we supervise comply with the regulations, and we approve the relevant beneficial owners, officers, and managers to work in those firms.
• Adopting a risk-based approach and basing the frequency and intensity of supervision on our risk assessments of firms.
• Encouraging firms we supervise to report actual or potential breaches of the regulations. We do this by:
  • making it a requirement to report in paragraph 3.9 of the SRA Code of Conduct for Firms
  • providing a secure communication channel for reporting, Red Alert line.

We must take appropriate measures to review:

• the risk assessments carried out by firms (under regulation 18 MLR 2017)
• the adequacy of firms' PCPs (under regulation 19 to 21 and 24 MLR 2017), and the way in which they have been implemented.

We enforce the money laundering regulations mentioned above and carry out our work as an AML supervisor through:

• sharing and receiving information to prevent money laundering with other supervisors and law enforcement agencies
• publishing guidance on the regulations
• proactive supervision – we do this through desk-based reviews and onsite inspections
• investigating potential breaches of the regulations
• taking enforcement action where we identify regulatory breaches
• annual data collection exercises. Last year (2023) we contacted all SRA regulated firms and asked them to provide us with information on their approach to managing financial sanctions risk (this might for example include firms which exclusively carry out litigation work)
• carrying out thematic reviews.

Our proactive supervision

AML

We have increased our supervisory oversight this year. In total, we carried out 935 proactive AML engagements with firms (including thematic engagements) during the reporting period. This represents an increase from the 545 proactive engagements in the last reporting year.

These were broken down as follows:

Of these engagements, 864 involved an assessment of a firm's AML controls through either an inspection, a desk-based review, or an evaluation of the firm's independent audit. The remainder were centred on our thematic review activity.

The six firms we engaged with as part of an onsite investigation did not have an AML compliance outcome. This is because the firms were already under investigation for other breaches of the Standards and Regulations.

Our thematic review on AML training was published in October 2024. The purpose of the thematic review was to assess how firms are complying with the requirement to provide AML training under regulation 24 of the MLR 2017. We liaised with over 70 firms, to better understand how training is delivered and to identify examples of good and poor practice.

We have increased our AML supervisory oversight work year by year. The below table reflects our proactive AML engagement with the profession over the last five years:

Onsite AML inspections and desk-based reviews

For inspections and desk-based reviews by the proactive team, we typically review between ten and twelve files for each firm, depending on the size and nature of the firm. For larger firms, or those doing a high volume of regulated work, we are likely to review twelve files. We reviewed 5,873 files in total in this reporting period.

Our desk-based reviews involve examining:

• firm-wide risk assessments
• a firm's PCPs
• client and matter risk assessments
• a sample of a firm's files to assess compliance with their PCPs and the regulations.

Onsite inspections also include document reviews and typically involve interviews with the firm's Money Laundering Compliance Officer (MLCO) and Money Laundering Reporting Officer (MLRO). In some cases, we also spoke with fee earners. Additionally, we examined firms' independent audit reports, training records, and Suspicious Activity Reports (SARs) logs.

Compliance levels

Of the 935 firms we engaged with, 833 received an AML proactive inspection or a desk-based review. The 833 figure does not include firms where an inspection was carried out as part of an investigation, independent audit or our thematic work - as these firms are not given a compliance rating.

We found the following levels of compliance, showing that almost a third (32.4%) of firms were not compliant.

Supervision actions

Below are the types of steps we take and an explanation, including how we define the compliance level at a firm. These are used throughout the report. We also set out the number of times we have taken these steps during the reporting period.

The figures below do not include the outcomes where we have identified AML issues as part of an onsite investigation. This is because the firms are already under investigation for other breaches of our Standards and Regulations. We have guidance on why we carry out onsite inspections.

In this report, we have set out some findings from our supervisory work by theme, such as firm controls, and the steps we have taken. We often identify more than one issue at a firm, so some firms are included in the figures for several themes throughout the report. This is particularly relevant for matters referred for disciplinary investigations where firms are often referred due to multiple breaches.

When making the decision on an outcome, we consider several factors, such as:

• The extent of the breaches and how widespread the issues are.
• The length of the breach.
• The impact of the breach, for example, if a failure to risk assess files has led to insufficient due diligence being undertaken, or a failure to identify a politically exposed person (PEP).
• Whether there is a systemic lack of compliance, for example, a firm that does not have adequate PCPs and is failing to comply with a significant number of the regulations.

Enforcement tools

Following evidence of a serious breach of our rules by a firm or solicitor, we can issue a sanction or refer the matter to the Solicitors Disciplinary Tribunal (SDT). There are caps on the financial penalties the SRA can impose in different circumstances, and we have no power to strike off a solicitor. We will therefore refer the matter to the SDT where we think the seriousness of the matter indicates that an appropriate sanction would exceed the SRA's power to fine or justify a decision to strike off a solicitor.

In line with our fining guidance, we can impose financial penalties up to certain levels depending on the circumstances. We can impose a fine of up to £250m on an Alternative Business Structure (ABS), also known as a licensed body, and up to £50m on managers and employees of an ABS. After this date, the limit increased to £25,000.

Where appropriate, we can also resolve a matter through a regulatory settlement agreement (RSA). Under an RSA, the facts and outcome are agreed by both parties. These allow us to protect both consumers and the public interest by reaching appropriate outcomes swiftly, efficiently and at a proportionate cost.

For less serious matters, we have internal outcome options which include closure with guidance, a letter of advice or a letter of warning where breaches have been identified. We can also rebuke or fine a firm or individual, or put conditions on their practising certificate or firm authorisation, limiting what they can do in their role or firm.

We publish the details of our decisions, including RSAs, on our website. To meet our duty to act in the public interest, we seek to redact or anonymise any information that cannot be published. This might be where information is confidential, legally privileged, or might prejudice other investigations or legal proceedings. For example, information about an individual's health will often be confidential.

Thematic work

Regulation 24 MLR 2017 requires training to be provided to all relevant employees, as well as any third parties firms use to deliver their services. In this reporting period, we undertook a thematic review on AML training to better understand how firms were complying with the requirements.

We have always reviewed AML training as part of our inspection process. As part of this thematic, we also engaged with the profession outside of our onsite inspections. This included:

• hosting roundtable events with 65 of the largest firms we supervise, alongside a small group of sole practitioners where training was discussed in detail
• meeting with firms who have an international presence to see if there were differences in terms of training practices
• meeting with a group of sole practitioners to better understand the way in which they receive training
• meeting with other regulators to understand training expectations within their profession
• meeting AML training providers from across the industry to understand how they develop their training packages.

Anti-money laundering (AML) training is one of the most effective controls to prevent fee earners and firms becoming inadvertently involved in money laundering. Staff awareness has long been recognised as a key AML and counter terrorist funding (CTF) control.

Staff are the first line of defence against money laundering, so training is vital. It is important staff are equipped with the relevant knowledge and skills to identify money laundering and terrorist financing risks.

In response to our findings from the thematic review, we published:

• A thematic report setting out our findings. The report includes a good practice guide, as well as outlining different training methods.
• An 'AML training checklist' to help firms with what to look out for when developing a training package.

Work with larger firms

We also engaged with some of the largest firms in England and Wales as part of our supervision process. These engagements are part of our wider AML programme and informed by the OPBAS source book.

Review of independent audits

Regulation 21 MLR 2017 sets out the requirement to establish an independent audit function. The purpose of an independent audit is to examine the adequacy and effectiveness of a firms AML controls and procedures.

We expect large firms to regularly carry out independent audits, given the size and nature of their practices. An effective audit will make recommendations as to how PCPs can be improved and how well a firms controls are working.

In this reporting period, we started a three-year cyclical programme to review the outcomes of large firms' last independent audits.

We reviewed the independent audits of 25 firms.

The purpose of our review is to:

• assess if a firm's independent audit process is compliant with the MLR 2017
• query any concerns that had been identified by the auditor and
• assess if the recommendations in the audit have been met.

Depending on the outcome of our review, a more in-depth review may be carried out by the Proactive Supervision Team or the AML Investigation Team to look at the firm's wider controls.

Where no issues are identified, no further action is taken.

We found that:

• All 25 firms had an independent audit process.
• Some 22 out of 25 firms had carried out an independent audit within the last two years.
• Most audits we reviewed (24 out of 25) involved a review of both AML policies, controls and procedures and a sample of files. Our opinion is that it is difficult to evidence the effectiveness of AML controls without a review of files.
• All 25 firms had met the recommendations from their most recent independent audits, indicating an overall improvement in compliance. However, six firms were referred for a desk-based review or inspection by the AML Proactive Supervision Team. This is because the audits had identified issues with the firms' AML controls, for example, missing client due diligence (CDD) on files.
• None of the firms were referred to the AML Investigations Team because we did not identify any breaches or serious concerns.

AML data collection exercise

In August 2024, we carried out a data collection exercise aimed at all SRA-regulated firms. This exercise enabled us to ensure the accuracy of our supervisory data, gain a clearer understanding of future resourcing needs, and build a more detailed picture of the size, scale, and nature of the supervised population and the precise nature of the work each firm or sole practitioner undertakes. The data collection exercise covered:

• areas within AML scope
• trusts and company services
• sanctions
• suspicious activity reports.

Under the regulations, we must risk profile firms and monitor risks as discussed in this report. We look at a range of factors to determine risk, including regulatory history and size. Where appropriate, our risk model also considers mitigation, such as AML controls.

Firms and individuals we regulate that fall in scope of the regulations

As of 5 April 2025, 5,569 firms fall within the scope of the money laundering regulations. This represents around two-thirds of the total firms we authorise (9,149).

As an AML supervisor, we have a duty to make sure that the firms we supervise comply with the regulations and have appropriate controls in place to prevent money laundering.

The table below details the number of firms we supervise which fall within scope of the regulations. This includes the number of firms we supervise for AML purposes, where there is just one solicitor or registered European lawyer (REL) practising at the firm. This is the figure we report to HM Treasury and our oversight supervisor, OPBAS. The definitions are different to our definition of a sole practitioner, who may employ staff or work in conjunction with others.

Number of beneficial owners, officers and managers

Under the regulations, beneficial owners, officers and managers (BOOMs) must be approved by us. They must obtain a Disclosure and Barring Service check and submit it to us when they first become a BOOM or take on a new role. The table below shows the total number of BOOMs we regulate as of 5 April 2024.

Number of money laundering related reports received

We receive reports about potential breaches of the regulations and money laundering activity from the profession and consumers. We monitor media and other reports for potential breaches, and receive intelligence from the NCA, other law enforcement bodies and government agencies. The number of reports also include where we have identified a potential breach of the regulations ourselves, for example, through an AML onsite inspection at a firm, or a desk-based review of the firm's AML controls.

We investigate suspected breaches of the money laundering regulations, the sanctions regimes, cases of suspected money laundering and breaches of the Solicitors Accounts Rules. The table below shows the number of reports we have received year on year.

The number of reports received in 2024/25 has increased compared to the previous year. While referrals from external sources have remained consistent, there has been a notable rise in cases originating from our AML Proactive Supervision team—driven by a higher volume of onsite inspections and desk-based reviews.

Types of reports received

We record the reasons why a report has been made. Often, reports have more than one suspected breach requiring investigation, and these can change during the life of a matter as we receive and assess more information.

These were the most common reasons for the AML reports we received:

Number of money laundering related matters resulting in an internal outcome

Where we see that firms or individuals have failed to comply with the money laundering regulations, we can take enforcement action. We refer more serious matters, or where the recommended fine is above £25,000 for recognised bodies and sole practitioners, to the independent Solicitors Disciplinary Tribunal (SDT).

For less serious matters, our internal outcome options include closure with guidance, a letter of advice or a letter of warning where breaches have been identified, where we remind the individual or firm of their responsibilities, both regulatory and legislative. We can also rebuke or fine a firm or individual, or put conditions on their practising certificate or firm authorisation, limiting what they can do in their role or firm.

The table below shows the number of money laundering matters resulting in an internal outcome.

The increase observed between April 2024 and April 2025 corresponds with a rise in money laundering-related reports received during the same period, which nearly doubled to a total of 426. This, in part, is owed to the increased number of inspections and desk-based reviews we have carried out over the last five years.

Below is a breakdown of the type of outcomes in the year 2024/25:

More information on the type of decisions we can make, and their purpose, can be found in our enforcement strategy.

Since our fining powers have been increased from £2,000 to £25,000 (in July 2022) for recognised sole practices and recognised bodies (firms where all the managers are lawyers), we have seen more fines being dealt with in-house. We are anticipating that this trend will continue. Please see our fining guidance.

In 2024/25 we issued 15 fines through SRA adjudicators totalling £292,133. These can be broken down as follows:

In addition, we agreed 58 Regulatory Settlement Agreements totalling £661,200. These are as follows:

Number of money laundering-related cases brought to the SDT

In more serious matters, we prosecute a firm or an individual at the SDT. The SDT has powers that we do not, including imposing unlimited fines, and suspending or striking solicitors off the roll. We also refer firms and individuals to the SDT, where the recommended fine is above £25,000 (this is usually the case for firms with large turnovers, or high earning individuals).

In 2024/25 the number of outcomes at the SDT totalled fourteen, returning to the average numbers between 2018 and 2021.

Below is a breakdown of the outcomes at the SDT for 2024/25:

Fines at the SDT amounted to £545,650 and are broken down as follows:

All fines received are paid to HM Treasury.

Themes from enforcement action

In the year 2024/25, there were 137 internal outcomes and 14 outcomes at the SDT, a total of 151. This is an increase from 78 in 2023/24 and 47 in 2022/23.

An increase in resource and the number of proactive reviews and inspections has led to a higher number of referrals to investigations. There were nine regulatory settlement agreements in 2023/24 and 58 in this reporting year.

We continue to see breaches where firms have inadequate AML controls. The most common are where firms fail to:

• carry out risk assessments on clients and/or their matters (pursuant to Regulation 28 of the MLRs 2017)
• have a compliant firm-wide risk assessment (pursuant to Regulation 18 of the MLRs 2017)
• have adequate AML policies, controls and procedures (pursuant to Regulation 19 of the MLRs 2017)

We have also seen an increase in the number of file related breaches where firms fail to:

• carry out source of funds checks (pursuant to Regulation 28(11)(a) and Regulation 35 of the MLRs 2017)
• carry out or record ID and/ or verification checks of clients (pursuant to Regulation 28(2) of the MLRs 2017)

Understanding the source of funds to be used in a transaction is a fundamental part of the risk-based approach. Being clear around the legitimacy of the source of funds greatly reduces the risk of money laundering. Firms need to do more in this area and check source of funds more often, especially when higher risk elements are present in the transaction or where monies are coming from a third party.

Reoccurring issues we have identified include a failure to:

• apply enhanced customer due diligence and enhanced ongoing monitoring
• recognise work that brings the firm into scope of the regulations, which then carries all the legislative requirements of being 'in-scope' and the necessity to have in place mandatory AML controls
• have sufficient regard for our issued warning notices, red flag indicators (as highlighted by FATF) in transactions and sector wide guidance (such as LSAG)

We have identified three key themes that we believe contributed to these breaches:

• Inadequate importance, at senior levels within firms, placed on having robust and compliant AML controls in place. For example, adequately risk assessing the firm's exposure to money laundering and terrorist financing or putting adequate PCPs in place.
• Inadequate supervision or training of fee earners on the regulations and thereafter the firm's PCPs.
• Having systems and processes that allow events to happen unchecked, such as receipt of funds or moving to the next stage in the transaction (rather than an automated 'stop' being put to a transaction when an element of customer due diligence has not been performed).

Enforcement action case studies

Case study one

We conducted a desk-based review on a firm in April 2024. We identified that the firm:

• did not have in place a documented firm-wide risk assessment (FWRA), pursuant to Regulations 18(1) and 18(4) of the MLRs 2017
• failed to establish and maintain appropriate policies and procedures, pursuant to Regulation 20 of the MLRs 2007
• failed to establish and maintain policies, controls and procedures, pursuant to Regulation 19(1)(a) of the MLRs 2017.

During the investigation the firm brought itself into AML compliance, and the firm was issued with a financial penalty of £12,194 in line with our fining guidance.

Case study two

A firm submitted a self-report to the SRA. We identified that a fee earner had:

• made payments from the client account to a third party which was not in relation to the delivery of regulated services. This resulted in the client account being used to provide banking facilities, breaching Rule 3.3 of the SRA Accounts Rules 2019 and Principle 2 of the SRA Principles 2019
• received a significant sum of money from a third-party firm of solicitors and failed to obtain adequate information relating to the source of funds as required by Regulation 28 of the MLRs 2017.

It was found that the conduct was unlikely to be repeated and that there was no ongoing risk. A letter of advice was issued

Case study three

We carried out an inspection which resulted in a referral to the AML Investigation team. It was found that the firm failed to:

• have in place a documented firm-wide risk assessment between 2017 and 2023, pursuant to Regulations 18(1) and 18(4) of the MLRs 2017
• have fully compliant policies, controls and procedures (PCPs) between 2017 and 2024, pursuant to Regulation 19(1)(a) of the MLRs 2017. They also failed to regularly review and update their PCPs pursuant to Regulation 19(1)(b)
• conduct client and matter risk assessments between 2017 and 2023 pursuance to Regulations 28(12) and 28(13) MLRs 2017.
• ensure all relevant employees revived AML training and maintain records in writing, pursuance to Regulation 24 of the MLRs 2017.

The firm brought itself into compliance and agreed to a Regulatory Settlement Agreement for £22,345.

Suspicious Activity Reports (SARs) play a vital role in supporting law enforcement to tackle financial crime as well as help trace illicit funds and assets.

We have a legal obligation to submit SARs to the NCA if we have knowledge or form a suspicion of money laundering or terrorist financing through our work.

This reporting period we have submitted 19 SARs to the NCA concerning suspicions of money laundering involving more than £148 million in suspected criminal proceeds. The number of SARs made during this reporting period shows a small decrease compared with the previous reporting period (23 in 2023/24). The value of the suspected criminal property involved has almost doubled over the same period, up from £75 million.

SARs detail suspect transactions, arrangements, and behaviours spanning 2017 to 2025 and were identified through our investigation and pro-active work.

From those 19 SARs submitted by us in this reporting year, the main money laundering red flags and risk areas are:

• failing to conduct appropriate due diligence and source of funds checks on clients and third parties
• property conveyancing transactions (both residential and commercial)
• funds from countries and or clients which pose a higher risk for money laundering including Politically Exposed Persons (PEP’s)
• funds linked to fraud – for example vendor fraud and dubious investments
• transactions with no underlying legal work or legitimate explanation
• conducting work outside of the firm’s usual business activities
• office accounts being used to facilitate suspect money movements
• overly complex and opaque transactions
• clients or third-party funding not in keeping with income or documents produced
• use of documents which appear false or altered.

SARs continued to highlight property conveyancing as the most prominent area of money laundering risk within the legal profession, with 73% of all SARs involving a conveyancing-related instruction. Our reports outlined instances of suspicions linked to completed transactions as well as aborted or abandoned instructions. In some cases, funds were not exchanged or partially exchanged; however, the surrounding circumstances nonetheless raised concerns indicative of potential facilitation or attempted laundering of criminal proceeds.

In some instances, we identified and reported suspect transactions and behaviours involving fraud, as well as laundering the proceeds of fraud. For example, certain cases involved vendor fraud, where properties were sold without the knowledge or consent of the legitimate owners, resulting in fraudsters or their associates unlawfully receiving the proceeds of sale.

In a small number of cases suspicious transactions were conducted through law firm’s office bank accounts, involving substantial sums The office bank account is generally used for the day to day running and expenditure of a firm, therefore may be perceived as a less obvious place for suspected illicit money transfers.

Some of the suspicious activity involved firms operating outside the scope of the MLR 2017 such as those specialising in litigation and claims firms.

Additionally, we have seen what appears to be infiltration type activity at two firms, which has featured in our SARs. This involves groups or individuals acquiring, operating, or assuming a level of control at firms after which suspicious transactions were identified.

Suspicious Activity Reports and firms’ risk tolerance

Firms are obliged to report suspicious activity to the NCA under the Proceeds of Crime Act 2002 (POCA) or Terrorism Act 2000 (TACT). The report is made where information of concern has come to the firm during the course of its business.

Where we conducted an inspection in the reporting year, we reviewed a sample of SARs firms have submitted to the NCA.

We reviewed a total of 111 Defence Against Money Laundering (DAML) SARs and 66 information SARs submitted by 89 firms.

A DAML can be sought from the NCA when a reporter suspects that the property they plan to handle may be linked to criminal activity. Proceeding without clearance could result in committing one of the main money laundering offences under POCA. A person does not commit one of those offences if they have received ‘appropriate consent’ (a DAML) from the NCA. Information SARs are submitted simply to notify law enforcement to potential instances of money laundering or terrorist financing.

We found that most of the SARs we reviewed were written in a clear manner and contained sufficient levels of detail.

However, we did feedback to firms where we found the following issues with the quality:

• Seven SARs we reviewed did not contain a description of the suspected criminal property.
• Seven SARs did not contain any information around the future intentions for the client relationship.
• Three of the SARs we reviewed did not include details of the reason for suspicion in the narrative.
• Three SARs did not contain any information about the services the firm were providing to the client.

In 2019, the NCA reported that some SARs received from the legal sector were of poor quality due to firms providing inadequate information. We have seen improvements in this area, but we encourage firms to continue referring back to the NCA guidance when submitting SARs, to ensure they contain all relevant information.

Firms should include as much information as possible, such as phone numbers, email addresses and company numbers, if available. This information is useful to law enforcement in investigating crime.

Poor quality SARs can lead to unnecessary delays, particularly where a DAML has been sought. This can make it difficult for firms to explain delays to clients.

Failure to make a disclosure to the NCA in appropriate circumstances can be a criminal offence and proceeding with a transaction in the absence of consent may result in the commission of a principal money laundering offence.

Our warning notice on SARs sets out that we expect all firms and individuals regulated by us to comply with the NCA guidance in relation to submitting consent SARs.

We also encourage firms to watch our joint webinar with the NCA to understand when they should report concerns to us and how to submit a good quality SAR.

This section of our report concentrates on the measures taken by firms to assess the level of risk, both at firm level (as required under regulation 18) and client and matter level (as required under regulations 28(12) and 28(13)).

Firm-wide risk assessments

The Firm-Wide Risk Assessment (FWRA) serves to identify the money laundering risks to which a firm is currently exposed or may become exposed. Based on this assessment, firms are expected to implement proportionate policies, controls, and procedures (PCPs) to effectively mitigate those risks. The FWRA is a fundamental component of a firm's anti-money laundering framework and plays a critical role in safeguarding against financial crime.

Over the last few years, we have seen an improvement in the quality of FWRAs which reflects the thought, effort, and time that many firms put into these documents. Nonetheless, there are still a proportion of firms with FWRAs that are not compliant. We would urge firms to review and update this key document. We have provided information below that should help firms to do that.

When we undertake an AML inspection or desk-based review, we require firms to provide us with a copy of their FWRA. During the reporting period, we called in a total of 833 FWRAs for review. Despite the requirement to have a FWRA being in place for over seven years now, 19 firms did not have a FWRA. They were referred for investigation.

Of the remaining 814 FWRAs we reviewed, we found the following levels of compliance:

During the reporting period, 47% of the Firm-Wide Risk Assessments (FWRAs) reviewed were assessed as compliant an improvement from 43% in the 2023/2024 period. A further 9% were found to be non-compliant, broadly consistent with the 8% recorded in the previous cycle.

Feedback was issued to firms where FWRAs were either partially compliant or non-compliant. The key areas of feedback are outlined below. In some cases, specific risk areas were not adequately addressed within the FWRA. It is common for firms to receive feedback across multiple areas even if they are deemed compliant, which accounts for the total number of feedback points exceeding 814.

There were several themes which featured within the non-compliant FWRAs. These include:

• Some firms only putting in place a FWRA after we asked to see it. This is despite some of these firms having previously confirmed to us in January 2020 that they did have a FWRA in place.
• Using a template but not completing it correctly (for example, using a checklist or not including enough detail) or failing to tailor it to the firm.
• Failing to cover the five key risk areas required under regulation 18 MLR 2017 in sufficient detail.
• Failing to have a FWRA which is suitable to the size and nature of their practice.
• Many firms failed to expand on the risks identified, for example, we saw firms stating they often operated in high-risk jurisdictions but not setting out and assessing the applicable jurisdictions.
• Many documents focused on what the firm does not do (for example, setting out that the firm does not offer trust formation services or act for politically exposed persons). The focus should be on the AML risks the firm is exposed to in its day-to-day business.

It is important that the FWRA is reviewed regularly and updated, where necessary. We found that some firms had not done this. A FWRA is a living document and should be regularly updated, for example:

• when AML legislation changes or we update our sectoral risk assessment
• where firms provide a new service or act in a new area of law
• where firms make changes to the way they work, for example if they introduce a new client verification system.

Good practice

We identified a lot of good practice through our reviews of FWRAs during the reporting period.

We continue to see an improvement in the use of templates where firms had adapted and tailored the templates to cover the risks in detail and in a way specific to the firm. We have highlighted poor practice in previous reports, where firms had used templates but had not edited the standard text to make it relevant to their firm.

In some examples we saw, it was clear the person undertaking the FWRA had worked closely with various teams and partners across the business to assess the risks. The advantage of this was that all areas of the business were feeding into the FWRA. It also helped to demonstrate a risk-based approach, as something which would be low risk in one business area may be considered high risk elsewhere.

Some firms also made use of quantitative data and statistics to help analyse their AML risks. For example, using information gathered from internal SARs or the percentage value of work in specific areas of work and how this equates to potential risk for the firm. We consider this to be good practice as it forms part of a risk assessment framework.

We expect firms to be compliant in this area. Over the years we have provided a variety of resources to help firms draft an effective firm risk assessment if they don't already have one.

• Our sectoral risk assessment setting out common risks.
• A checklist to help firms prepare for a firm risk assessment.
• An updated FWRA template.
• Two webinars on FWRA – link to most recent webinar.

Proliferation financing risk assessment

From 1 April 2023, firms must risk assess and document their exposure to proliferation financing (PF). This is a requirement under regulation 18A of the MLR 2017. This assessment can be done as part of the FWRA or as a standalone assessment. We found that 646 of 833 (78%) firms had a proliferation financing risk assessment.

We have previously highlighted the need for firms to conduct a PF risk assessment.

We review client and matter risk assessments (CMRA) on files as part of a desk-based review and onsite inspection.

CMRAs help prevent money laundering by making sure firms consider the risks posed by each client and matter. They inform the correct level of client due diligence (CDD) required to mitigate those risks. CMRAs are required under regulation 28(12) and 28(13) of the MLR 2017.

During the reporting period we reviewed 5,873 files. We found:

• Some 950 files (16%) did not contain a CMRA, as required under the regulations, or the CMRA was incomplete.
• That 39% of CMRAs we reviewed were ineffective. For example, these forms did not assess AML risks, instead focusing on operational risks.
• Where the CMRA was deemed to be effective, we found that the firms files were far more likely to be compliant.
• On a small number of files (5%) we disagreed with the risk rating on the CMRA. We felt the risk rating on these files should have been higher than what was recorded.

A lack of a CMRA on file was the most common reason firms were referred for investigation in this reporting period. Of the 270 firms who were deemed to be non-compliant following an onsite inspection or desk-based review, 135 firms (50%) were referred for a lack of CMRAs on files. We found 111 of those firms had a process in place but it was not being followed (44 on inspections and 67 on DBRs) showing a disconnect between the policies, controls and procedures and what is happening at matter level.

We expect files in scope of the MLR 2017 to contain a CMRA. Where a CMRA is missing, these files were be assessed as being non-compliant.

Our thematic review (report with good practice guide, warning notice and client and matter risk assessment template) has highlighted these issues to the profession. However, we feel that there is still room for improvement for some firms in this area.

We continue to see firms using overly simplistic, template-based Client Matter Risk Assessment (CMRA) forms, where fee earners merely indicate whether a matter is high, medium, or low risk. In many instances, these forms lack explanatory notes or justification explaining how the risk rating was reached. It is important that the rationale for the risk level and level of due diligence is clearly recorded, along with what actions the fee earner will take to mitigate those risks.

Many matter risk assessment forms we looked at did not reflect their FWRA. For example, one firm considered receiving funds from abroad to be high risk in the FWRA. When we reviewed the matter risk assessment, the file was assessed to be low risk by the fee earner. The reason for this discrepancy was not recorded.

We also found that on occasions, firms did not have a uniform approach to the way in which they risk assessed clients or matters. This manifested itself in different ways, the most common being that CMRAs were available for certain matters but unavailable on others.

This section concentrates on the customer due diligence measures (CDD) firms must apply to mitigate against any money laundering risks under regulations 27 and 28 of the MLR 2017. Overall, we are observing good practice in this area.

CDD is a key requirement of the MLR 2017 and one of the most effective controls firms can put in place to protect against money laundering. CDD requires firms to take a holistic approach to have a comprehensive view of the risks associated with a particular client or parties to a matter or client. This section of the report focuses on the obligation to identify and verify clients and conduct source of funds checks.

Firms must have processes in place to identify and verify their client's identities. Identification of a client or a beneficial owner is simply being told or otherwise coming to know a client's identifying details, such as their name and address. Verification is obtaining evidence which supports this claim of identity.

Conducting CDD goes beyond identifying and verifying the client's identity using a reliable independent source. It also includes:

• Identifying an ultimate beneficial owner (where applicable) who may not be the client and taking reasonable measures to verify their identity.
• Understanding the purpose and intended nature of the business relationship or transaction.
• Taking a risk-based approach to determine the level of checks that is required for a client or matter. For example, a high-risk client or matter will require additional checks to a low-risk client or matter.
• Scrutinising transactions including the source of funds, where necessary, to ensure that the transaction is consistent with the firm's knowledge of the customer, the customer's business and risk profile.

Firms must also carry out regular ongoing monitoring of a business relationship, paying particular attention to:

• any indication that the identity of the client, or beneficial owner has changed
• any transactions which are not reasonably consistent with your knowledge of the client
• any change in the purpose or nature of the relationship
• any other matter which may affect your assessment of the money laundering or terrorist financing risk in relation to the client.

We assess firms' CDD processes when we review files as part of an onsite inspection or desk-based review.

Findings from file reviews

We found that:

Out of 5,873 files, 368 files (6%) did not contain evidence that the client had been identified and verified. These documents were missing in 208 files for desk-based reviews and 160 files for onsite inspections.

The high level of compliance shows that firms are taking their CDD obligations seriously. We saw some good examples of ways firms were conducting CDD. These include:

• Explaining to clients at the early stages why CDD is required, to set expectations and foster cooperation.
• System led controls preventing matters being worked on until CDD is in place.
• File checklists to help ensure the appropriate CDD has been obtained before working on a file.
• Regular file reviews to ensure the CDD process is being followed across the firm.
• Making use of open-source information to search for adverse media on clients

We also identified some examples of firms not complying with their CDD obligations properly. For example:

• We continued to see occasions where the client's identity was not independently verified because the fee earner or someone at the firm knew the client personally.
• Inadequate identification and verification of corporate clients. On occasions, firms would only take copies of ultimate beneficial owners' identification and verification documents. Often, it was unclear whether this information had been verified against the company registry.
• Firms failing to investigate alerts which have appeared such as potential matches to politically exposed persons (PEPs) or designated individuals.

There is no provision in the MLR 2017 for waiving CDD requirements based on long-standing or personal relationships. Taking this approach will not satisfy the requirement to undertake independent verification.

It is essential to establish the identity of the instructing party and to understand the ownership and control structure of any entities involved in the transaction on which the firm is acting. This is particularly important with entities involving ultimate beneficial owners. The better you know your client and understand your instructions the better placed you will be to assess risks and spot suspicious activities. It is important to keep records of company due diligence that is carried out on file, this will enable you to spot any changes as part of your ongoing monitoring obligations, and evidence the enquires you made to understand the company structure.

Failure to do so properly may lead to the firm breaching the requirements of the MLR 2017, the UK sanctions regime and/or open your firm to reputational risks.

Nearly 90% of firms we met with carried out CDD on all clients, not just those in scope of the MLR 2017. This approach offers a practical advantage: by applying full AML checks universally, firms can transition clients from non-AML services to AML-regulated services—commonly referred to as passporting—without the need to conduct additional checks. However, this benefit is only realised where firms have a clear and robust process in place to ensure that the transition prompts appropriate AML considerations and that the checks already carried out remain valid and up to date.

We also found that 90% of firms we met with used technology, including electronic identification and verification (eIDVA), to help with their CDD checks.

The majority of firms said that they use eIDVA to help verify identity checks, as well as adverse media and sanctions screening. Several firms also used eIDVA to help contribute towards their ongoing monitoring obligations, as some providers will send updates where adverse media or sanctions are recorded against names.

Just over a third (35%) of firms we met with explained they often test the technology they use for accuracy. Often, this involved screening names which were added to different sanctions lists to see whether any results were returned.

Where firms are using technology, they must develop an in-depth understanding of the tools they choose to incorporate to fulfil their regulatory obligations. An electronic report is only as good as the understanding of the person reviewing the report. It should also be highlighted eIDVA checks are not a substitute for a client and matter risk assessment.

Further information on the use of technology can be found under section 7 of the LSAG AML Guidance.

Understanding the source of funds in a transaction is fundamental to understanding the risk of every transaction. Failing to identify where funds have come from or obtain evidence of the source of funds (where necessary), could put your firm at risk of committing an offence under the Proceeds of Crime Act 2002.

Firms must have processes in place to ensure that the funds used in a transaction are from a legitimate source. This will help identify and mitigate potential money laundering risks. If you are clear around the legitimacy of the source of funds, the risk of money laundering is greatly reduced.

Findings from our proactive work

We provided feedback on source of funds/wealth to 41% of firms who received an onsite inspection or desk-based review. As gatekeepers for the profession, having adequate source of funds controls in place can prevent the firm being used to launder money.

Of the 5,873 files we reviewed, 5,026 files required source of funds/wealth checks to be completed. We found 10% of these files did not contain any source of funds checks, despite being required.

Where we deemed files to be non-compliant, 20% of these contained source of funds/wealth issues.

Where documents had been gathered, the source of funds had not been scrutinised in 18% of files we looked at. For example, we occasionally found firms would take a copy of their client's savings account statement, which shows the availability of the funds for a residential property purchase. Often, these firms would have little understanding of how the funds in the account had accrued.

In 8% of files we reviewed, we found the information gathered as part of firms' source of funds checks did not match information contained on the ledger. Unexpected changes to the way a transaction is being funded is a potential red flag. Where identified, firms should consider whether there is a reasonable explanation for these changes.

Understanding and documenting source of funds/wealth should be approached as an opportunity to protect your firm from being used for money laundering.

The type of documentation you accept to verify source of funds/wealth should depend on the level of risk presented by the client and or matter. The higher the risk, the more comprehensive the documents you obtain should be.

This section of our report focuses on how firms ensure their staff are complying with AML policies, controls and procedures.

Monitoring compliance will help identify whether the policies and procedures the firm have implemented are effective in identifying and mitigating risks. It will also help identify whether staff are aware and understand the AML procedures the firm have put in place. The requirement to monitor compliance with policies is set out under regulation 19(3)(e) MLR.

There are various ways in which firms can monitor compliance with AML policies. These include:

• Undertaking regular file reviews.
• File checklists to be completed before opening or closing a file.
• Reports to be provided to senior management on AML compliance.
• Ongoing supervisor checks for open matters.

We assess how firms are complying with regulation 19(3)(e) when carrying out our onsite inspections. We observed a higher proportion of compliant files for firms who were carrying out regular file reviews. We also found:

• Some 77% of firms we inspected were carrying out internal file reviews. In some cases, the findings of these reviews informed training or development needs across the firm.
• Roughly a third of these (33%) did not consider source of funds as part of the firms ‘internal file review process, instead only focusing on whether the correct client due diligence (CDD) was undertaken. Where source of funds isn’t considered, we consider the review to be less effective.
• A small number of file reviews we looked at were ineffective. These reviews focused solely on operational factors, such as whether the correct legal advice had been provided. These reviews neglected to check whether AML processes had been followed correctly and therefore did not comply with regulation 19(3)(e).
• Some firms had developed file review forms which varied between departments. These forms were often tailored to department specific risks and stages. For example, conveyancing file review forms often contained a section to ensure appropriate source of funds information had been obtained.

Independent audits

Under regulation 21 MLR 2017, where appropriate to the size and nature of its business, firms must establish an independent audit function. The purpose of an independent audit is to examine the adequacy and effectiveness of a firm’s AML controls and procedures.

We ask firms to provide copies of any independent audits and review these as part of the onsite AML inspection process¹.

We found just under half (48%) of firms had carried out an independent audit. Many of these audits (79%) had been carried out within the last two years.

We found that nearly a third (32%) of these audits were not compliant with regulation 21 which means they did not include file reviews. A compliant audit should include a review of both the firm's AML policies and a sample of client files, as this provides a more reliable means of assessing whether the policies are being properly implemented and followed.

We observed that firms with a compliant independent audit had a higher rate of overall compliance than firms who had not conducted an audit at all.

'Independent' does not necessarily mean engaging a specialist agency or consultancy, though that is an option. Firms should make sure that, as a minimum, those with responsibility for maintaining their AML framework are not those auditing it. As well as an external entity, this could for example be:

• a senior member of the firm who does not carry out regulated work
• an MLRO from another firm
• an office manager with no regulatory or fee-earning role
• a reciprocal arrangement between small firms to review each other’s compliance

Notes

1. Please note this differs from the independent audit work we carry out with larger firms, as set out earlier in this report.

This section of our report concentrates on controls, in particular, the AML policies firms must put in place to mitigate against any money laundering risks.

AML policies, controls and procedures

We reviewed the policies, controls and procedures (PCPs) put in place by 823 firms. 10 firms did not have PCPs in place when we carried out a desk-based review or an onsite inspection. They were referred for further investigation.

We found the following levels of compliance:

We have highlighted below are some of the most significant themes and common missed areas within firms AML PCPs:

Risks associated with new products and business practices

Under regulation 19(4)(c) MLR 2017, firms' PCPs must assess and mitigate against risks associated with new products and new business practices. In practice, this means that when a firm adopts new technology, it must take appropriate measures to address any money laundering or terrorist financing risks the adoption of this new technology may cause.

This also applies to any new products or business practices introduced at the firm. If there are no new products or business practices to assess this should still be documented to show that this requirement has been considered.

Discrepancy reporting to Companies House

Under regulation 30A MLR 2017, a firm must inform Companies House of any material discrepancies between the information it holds about a person with significant control or registrable beneficial owner of an overseas entity, and the information on the Companies House register. We found that this information was not included in 329 of the 823 AML policies we reviewed.

Any material discrepancies must be reported to Companies House as soon as reasonably possible.

Identifying and scrutinising patterns of transactions

Under regulation 19(4) MLR 2017, firms must have in place controls which identify and scrutinise:

• transactions that are unusually large or complex
• unusual patterns of transactions
• transactions which have no apparent legal or economic purpose.

We found that many firms mentioned these factors within their PCPs. However, very little explanation was given as to what a large or unusually complex transaction looks like for that firm. Each individual firm will have their own measure as to what constitutes unusually large or complex transactions.

Firms' PCPs should outline a list of potential red flags that fee earners must be aware of. These red flags should be tailored to the firm. We accept that it is impossible to list every possible red flag, given that criminals are constantly adapting their methods to launder money. However, the inclusion of a non-exhaustive list will help fee earners identify transactions that may be out of the ordinary.

Reliance

Reliance has a specific meaning within the regulations and relates to the process under regulation 39 MLR 2017. In certain circumstances, firms may rely on another person to conduct CDD, subject to their agreement. Reliance does not necessarily mean obtaining certified copies of documentation from other regulated professionals for due diligence purposes.

A firm's stance on reliance must be documented within their policies and procedures, so fee earners know whether it is permitted by the firm. If reliance is not permitted, this should still be included to make the position clear.

We found most firms had decided to not make use of this provision under the regulations. If firms chose to make use of regulation 39 reliance, the appropriate controls must be in place.

Simplified due diligence

Simplified due diligence (SDD) is a common area of feedback we provided to firms. Numerous policies either lacked any reference to SDD or included conflicting definitions and guidance.

Regulation 37 allows SDD to be carried out where a firm determines that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account the FWRA.

SDD is the lowest permissible form of due diligence and can only be used where the firm has actively determined that the client presents a low risk of money laundering or terrorist financing.

It is important to note that, while there is no obligation on firms to apply SDD, it is something they may wish to consider adopting, in the appropriate circumstances. However, a firm's approach to SDD must be set out in its policies and procedures. This is so fee earners know whether they can apply it or not.

If firms do permit SDD, they need to set out the circumstances and the checks they would expect to see, as CDD will still need to be applied albeit to a lesser extent, and fully documented.

Products or transactions favouring anonymity

The regulations are clear that firms must set out their position on whether they offer services that favour anonymity. If this is a service firms offer, they must make sure their AML policy contains a section which sets out mitigating actions for their fee earners. In many cases, we provided feedback on including a section within PCPs to take additional measures when dealing with products or transactions that may favour anonymity.

High-risk jurisdictions

We found that many firms failed to identify high-risk jurisdictions or comment on their approach to them.

While it may be unusual for some practices to come across overseas clients, firms must make sure their fee earners are aware of any high-risk jurisdictions so they can exercise caution. They must ultimately identify matters that need EDD.

Regulation 33(1)(b) of the regulations requires firms to apply EDD measures in circumstances where high-risk third countries are involved. It is therefore important firms identify where their clients, client entities or the transactions they are working on are linked to, and whether they are high risk jurisdictions.

Sanctions

Firms may be at risk of being used to evade sanctions. PCPs should mention what steps a fee earner should take to make sure their client is not subject to financial sanctions. It is important that fee earners are aware of all parties involved within a transaction, including any beneficial owners, to ensure they are complying with the sanctions regime and regulation 33(6)(ii) of the MLR 2017.

Firms may choose to document their approach to complying with the sanctions regime within their AML policy document or as a separate sanctions policy.

We have undertaken a suite of work in this area in the reporting period. Please see the sanctions section of this report for full details.

Other issues

We noted there is still a tendency for firms to use 'off-the-shelf' AML policy documents, which have not been tailored to the firm, and/or are not being applied in practice by fee earners.

A firm's AML policy should be specific to the firm. It should be used to guide fee earners on what steps they need to take to mitigate risks for their firm. We will take further action where policies have not been followed, and breaches of the regulations have been identified.

Introduction

We have continued to develop our sanctions work to keep firms up to date with latest developments and share best practice with them.

We have:

• Completed another data collection exercise with all firms to understand their exposure to sanctions risk and the controls they have in place.
• Continued to review controls during our AML inspections and FI investigations.
• Completed more on-site inspections to assess the sanctions controls firms have in place and review their compliance with any sanctions licence terms and conditions used when acting for a designated person.
• Published and routinely updated guidance clarifying legislative requirements, highlighting key risks and red flags, and providing insight into the characteristics of an effective control framework.

Law firms remain at risk of being used to evade sanctions, so fee earners must continue to be aware of all parties involved within a transaction, including any beneficial owners, to be certain they are complying with the sanctions regime.

Our AML inspections showed that 82% of the AML policies we reviewed in this reporting year, the steps a fee earner should take to make sure their client is not subject to financial sanctions. We view this as a key control that all firms would benefit from having in place, so sanctions control checks will remain an integral part of our proactive AML inspections.

Given the continued importance of the financial sanctions regime, we have once again featured sanctions updates on our website throughout the year including a revision of our published sanctions guidance, regular mentions in the SRA update and in March 2025 a sanctions webinar.

Our proactive supervision

As part of the 2024 data collection exercise, we asked all the firms we regulate a series of questions. This included a series of questions to help us understand how exposed the profession is to the risk of sanctions and how many firms carry out work in this area. We asked firms to confirm if they:

• Assessed their firm’s exposure to sanctions risk in writing – 86% of firms had done so.
• Had clients with links to a sanctioned country – 14% reported such connections.
• Provided advice or services in legal areas with heightened sanctions risk – 28% offered these services.
• Checked whether new clients are subject to UK sanctions – 83% confirmed they carry out these checks
• Had undertaken work for a designated person in the past 12 months – fewer than 1% had done so
• Held frozen assets belonging to a designated person – fewer than 1% reported holding such assets
• Reported a sanctions breach in the past 12 months – fewer than 1% had submitted a report

In total we had 432 proactive engagements with firms in relation to financial sanctions, an increase from 398 in the previous year. This activity spans all firms we regulate, not only those supervised under the money laundering regulations. The breakdown of these engagements is as follows:

Sanctions inspections

We carried out 47 financial sanctions inspections. Only those firms who did not have a financial sanctions inspection in the previous year were selected. During the inspections we assessed:

• the controls firms had in place to mitigate their sanctions risks
• compliance with the sanctions regime and reporting and licensing requirements set out by the Office of Financial Sanctions Implementation (OFSI).

Of the 47 sanctions inspections we conducted, we found the following levels of compliance:

As you can see from the table above, we engaged with two firms to improve their controls and had to refer six for further investigation. One inspection did not proceed as we clarified during the pre-inspection process that the firm had not acted for a designated person, did not hold any frozen assets and had not made any reports to OFSI.

Overall, we found most firms did have good controls in place. If we gave guidance to or engaged with a firm, we always signposted them to our published sanctions guidance. Two key areas we issued guidance or engaged with firms on were:

• screening clients
• improvements to their FWRA and policies, controls and procedures (PCPs).

In five of the six firms we referred for investigation, our referrals related to either a breach of a licence or a failure to report frozen funds correctly. We found that although these firms had PCPs in place, these policies were either not followed or were not strong enough to prevent the breach. One firm was referred for not reporting holding frozen assets.

The two key issues we identified when referring a firm were:

• Late reporting on the use of a general licence
• Frozen funds held by a firm were not reported correctly to OFSI

Where a breach of a licence was identified, we confirmed that all relevant firms had submitted a report to OFSI. In one inspection, we referred a matter to our investigation team due to non-compliance with our Accounts Rules; however, no breach of financial sanctions was found in that case. Although the frequency of sanctions updates has stabilised the range of sanctions targets continue to broaden and change. It is important that firms working in this area should ensure they have allocated sufficient resource to manage sanctions matters. To mitigate the risk of a licence breach, it is important that firms continue to do the following.

• Monitor sanction regimes for updates to identify changes to sanctions licences and expiry dates.
• Where firms identify changes, they should consider amending existing controls and procedures if required, such as adjusting diary alerts and signing up for notifications from OFSI.
• Ensure there is sufficient management and oversight of sanctions matters. This should include oversight of licence terms and conditions, reporting to OFSI, and monitoring all payments from or to the client.
• Make sure that any search to identify funds held by a designated person is thorough and should have management oversight and control.

Exposure to sanctions and designated persons

During the reporting period, we inspected 47 firms. We found that 34% of these firms had represented a designated person but did not routinely offer sanctions advice or operate in this field. This means that their engagement with the designated person was incidental to their standard practice. This was an increase from 25% of the firms we inspected last year. This increase highlights the importance of firms making sure that they are screening clients for sanctions on an ongoing basis.

Overall, we found these firms had:

• acted for 93 designated persons in the last 24 months
• applied for 43 specific licences
• worked under a general licence 209 times
• helped a client apply for a licence 155 times
• helped a client challenge their designation person status nine times
• reported a firm's breach of the sanctions regime three times to OFSI
• reported a breach on behalf of a client 21 times
• held frozen funds in the sum of £3,207,334, for 27 designated persons over a total of 32 matters.

Best Practice

We observed the following best practice:

• Having a written risk assessment in place helps understand a firm’s exposure to financial sanctions risk.
• Having a policy in place for fee earners outlining the steps to take upon encountering a designated person—regardless of the firm's risk assessment or whether it typically provides sanctions advice—proved essential. We observed instances where firms not actively engaged in sanctions work unexpectedly came across a designated person while handling a matter.
• Screening all clients (including ultimate beneficial owners) and counterparties for sanctions.
• Devoting sufficient resource to keep up to date with sanction regime changes.
• Providing sanctions training to all staff at a level that was appropriate to their role.

For those firms actively providing sanctions advice:

• Due to the complexity of this area, advice was only being given by those who are experts within the firm
• Increased central oversight and controls on all sanctions matters with cooperation and coordination between matter experts, compliance teams, and finance teams.
• Specific procedures and controls in place to ensure they meet licence terms and conditions such as payment routes and reporting requirements.
• Through our work, we observed that not all firms have implemented these measures. We also found that attention to detail is vital in avoiding breaches related to licence reporting.

Onsite inspection - file reviews

We carried out 99 file reviews to assess how well due diligence controls work. We found:

• most matters contained evidence of client identification, with only three files with no evidence
• Five of the matters did not have sanctions screening results on file. However, the client had notified the firm that they were designated persons and seeking advice.
• All matters had source of funds evidence on file or details on when it was appropriate to carry out these checks.

We also assessed firms' compliance with licence terms and conditions. We found that:

• thirty-eight firms complied in full
• four firms did not comply in full
• four firms did not have any matters with a licence to assess. This was due to various reasons. For example, some firms ceased acting for a client upon their designation, while others provided sanctions advice to clients who were not designated persons.

Overall, we found that even the firms that had not complied with the licences' conditions, did have controls in place. However, they breached the sanctions regime rules in the following ways:

• By failing to report the use of a general licence within the set time limit. The reason for the failure was often linked to timescales changing and the licence being renewed or where a general and specific licence were being used for one client with different reporting requirements.
• By failing to identify the total amount of frozen funds held for a designated person when compiling the frozen asset return for OFSI.

This highlights the continued importance of:

• Keeping up to date with changes to the regime and licences and reviewing existing controls and procedures to ensure they remain fit for purpose.
• Increased oversight and more checks and controls in place for sanctions matters and specifically to ensure the firm is meeting any licence terms and conditions.
• Ensuring any payments, in or out, are covered in full by a licence – it is crucial for fee-earners, compliance and finance teams to work together to manage this risk.

Sanctions controls

We found that all firms had assessed the sanctions risks relevant to their operations, established controls to mitigate those risks, and showed a clear commitment to preventing breaches. Sanctions legislation does not dictate the specific methods of compliance—only that compliance is required. Firms in scope of the MLR 2017 have a prescribed set of controls they must follow. From our review, we noted that firms in scope of the MLR 2017 had better controls for mitigating sanctions risk than those who were not in scope.

Challenges with sanctions

In our discussions onsite, firms highlighted the following challenges:

• Staying informed about updates to sanctions regimes and understanding the interaction between UK, UN, US, and European frameworks. Some 16 of the firms we inspected reported having a client who became subject to sanctions during the course of their retainer.
• Understanding ownership and control within complicated corporate structures. Some 16 of the firms we inspected reported having a client in which a designated person held a minority shareholding or interest.
• If OFSI grant a licence, firms may still need to engage with their bank or insurer to ensure the matter can progress.

Sanctions controls check – AML Inspections

We continue to review sanctions controls on each AML inspection. During this reporting year we carried out sanctions controls checks on 309 AML inspections.

Since issuing our sanctions guidance in 2022, we note the following this year:

• Ninety-two percent of firms did check whether new clients were designated persons.
• Seventy-nine percent of firms did check whether existing clients were designated persons.

We provided feedback to 38 firms on either their sanctions screening processes, sanction controls or both. So, 12% of firms needed advice on how to improve their controls.

These results were broadly in line with the previous reporting year and illustrate the importance of continuing to share best practice and guidance with the profession.

Sanctions controls check – Forensic Investigations

Our Forensic Investigations (FI) team also conduct sanction controls checks on investigations they carry out. The FI Team assessed sanctions controls at 77 firms – 42 of which we do not supervise under the MLR 2017.

Widening the scope of the sanctions controls checks beyond an AML Inspection allows us to check controls on our wider regulated population and not just those firms we supervise under the money laundering regulations.

Overall, we found that:

• Seventy-nine percent of firms had assessed their sanctions risk in writing
• Eighty-three percent of firms had written procedures in place to follow if they discovered a client was a designated person
• Seventy-four percent had provided sanctions training to their staff
• Seventy-four percent of firms did check if their clients were subject to sanctions.

Guidance and Support

We have continued to update our guidance to provide support for firms and raise awareness about sanctions risks across the legal profession. For example, we:

• Regularly use our SRA Update e-bulletin to provide information to the profession on the latest financial sanctions updates and highlight materials being published by the government, ourselves, and others. Most recently we have promoted:
• OFSI's first-ever Legal Services Threat Assessment
• Updates to UK sanctions regime that were part of coordinated international efforts to restrict activities that undermine Ukraine's sovereignty and territorial integrity
• Promoted sanction articles in 10 of the 12 bulletins issued between July 2024 and June 2025.
• Held a 'Sanctions: Insights and updates' webinar in March 2025. This shared trends and findings from our proactive sanctions work and highlighted common challenges solicitors face as well as sanctions red flags. A total of 895 individuals registered for this event.

Using the information gathered from the different strands of our proactive work we have:

• Updated our guidance to help firms comply with the financial sanctions regime. Setting out details of the various sanctions regimes, red flag indicators and our expectations of what a good control regime looks like. Our most recent change in May 2025 was to update ownership percentages.

Emerging risks

We assess emerging risks through a range of sources, such as:

• through our investigative work
• reports from law enforcement agencies or other authorities
• the National Risk Assessment by the UK government
• our proactive inspections of firms.

At least twice a year we discuss emerging risks with our MLRO and Intelligence colleagues, comparing notes on findings from proactive reviews and investigations. We also consider any risks that we may have encountered during our external engagements, or that have been reported in the media.

In July 2025, we updated our sectoral risk assessment, highlighting emerging risks in the legal sector.

Sanctions

The pace of change in relation to sanctions has generally stabilised over the past year. We have, however, continued to take measures to make sure that firms understand the risks and, where applicable, the obligations posed by sanctions.

We also found that HM Treasury’s recent Legal Sector Threat Assessment reflected what we have seen when inspecting and reviewing firms. In particular, we noted that the majority of breaches of sanctions were for failures to comply with reporting under a licence.

Our 2024 data collection exercise gave us a valuable insight into the way firms are affected by the sanctions regime. It also allowed us to limit our sanctions checks to those firms who are directly affected, and to take a risk-based approach.

Conveyancing

Conveyancing, in particular residential conveyancing, remains the area of greatest risk. Over the past year, 73% of the Suspicious Activity Reports (SARs) we submitted were linked to residential property transactions.

Property sales and purchases enable the movement of substantial sums in a single transaction. They involve assets that can generate income, appreciate in value, and can serve as residences. These characteristics make conveyancing especially appealing to money launderers.

This trend has persisted over several years, reinforcing the need for firms to treat conveyancing as a high-risk activity.

Vendor fraud continues to rise compared to previous years, involving attempts by fraudsters to sell properties and collect the proceeds without the genuine owner's awareness or consent. Implementing strong client due diligence remains the most effective safeguard against a firm’s inadvertent involvement in such schemes.

Technology

New technology presents risks on various fronts, for example:

• Cyber security. Firms should be aware not only of their own cyber security but also that of any third-party providers they may use.
• New funding platforms will present new challenges in establishing the legitimacy of the funds in transactions.
• AI continues to develop in new ways and can be used to both combat and aid money laundering. The use of video and audio deepfakes presents new issues in dealing with remote clients, making identification and verification even more important.

Any use of new technologies must, under the MLR 2017, be preceded by an assessment of the risks they may introduce and effective mitigation of these risks where possible.

Re-emerging issues

We have seen an increase in basic, straightforward types of misconduct. Some issues we have seen include:

• failure to notice discrepancies between the client and their photo ID
• failure to notice that a client was established in a high-risk country because this had not been identified by e-verification
• failure to notice that the client's source of funds did not match the account they gave
• poor CDD having been signed off by multiple parties without proper scrutiny
• incorrect recording of client funds, such as cash misdescribed as mortgage monies.

This highlights that, to be effective, CDD must not only be collected but analysed to ensure the information presented remains consistent with your knowledge of the client. Merely collecting and retaining documentation without scrutinising the information will not help protect the firm.

Changing firm business models

We have seen an increasing number of firms adopting a decentralised business model. Typically, this might involve firms taking on individual solicitors as consultants, who then handle their own independent caseload while making use of the firm’s resources and insurance. Often the consultant works from home as well.

This model can be of benefit to both firms and solicitors, but there can be difficulties in ensuring that a good standard of AML practice is carried out firmwide. Consultants may enter the firm with different levels of AML knowledge and will certainly have different practices from their previous firms.

Firms adopting a decentralised model should make sure that a consistent level of AML knowledge is present at onboarding and on an ongoing basis, and that this is regularly checked. Regular AML training should be provided to these fee earners, to ensure processes are being followed consistently. Decentralised firms may need to adopt a more interventionist approach to file reviewing and auditing to achieve this.

Other risks

We set out the areas where we think there is the greatest risk of money laundering in our sectoral risk assessment which also reflects the National Risk Assessment.

Success measures

Through our success measures work, we measure how well firms are doing in three areas. These are firm-wide risk assessments, AML policies and due diligence.

We found that:

• Compliance levels on firm-wide risk assessments decreased from 60% last year to 47% this year.
• Compliance levels across AML policies have decreased from 51% last year to 37% this year.
• Compliance levels for adequacy or identification and verification checks slightly decreased from 96% to 95% this year.

We believe these decreases are likely due to the substantial increase in the number of firms we've reviewed and inspected, many of which were being assessed for the first time. Our AML proactive inspections are not cyclical, so comparisons over time are not like-for-like. Whenever we identify non-compliance, we ensure that appropriate corrective action is taken.

Communications and engagement

As part of our proactive approach to AML compliance and guidance, we run awareness campaigns across the year. AML regulation can be complex, and the feedback we receive tells us that people appreciate proactive communications.

We engage with the profession through various channels including our own social media platforms and participation in sector events. AML sessions consistently draw the highest interest at our annual compliance conference, which last year welcomed more than 1,200 in-person attendees. There were an additional 11,000 views of the virtual conference a week later.

Given the number of questions we receive through live webinars on varying topics we hosted a live questions and answers webinar in May 2024 to give firms the opportunity to put questions in real time to our panel of AML experts. We have received positive feedback on how useful and practical the webinar was from attendees.

In this reporting year, we also held dedicated webinars on:

• sanctions
• enforcement
• AML for sole practitioners.

In addition to webinars, we have also focused on improving the way we communicate with the sector. We have:

• Developed an insight-driven AML basics campaign to help increase compliance with, and understanding of, AML regulation.
• Reviewed existing communications and tested new approaches, to understand what type of content gets greater engagement and response from the profession.
• Increased our video content, answering most common questions, responding to what the profession wants to know.
• Produced more first-person pieces from AML staff, lifting the lid on supervision and inspection.

We have already seen results, with increased engagement across social media, achieving an average engagement rate of 6%, against an industry-wide AML average of 2%.

Following the completion of a thematic on source of funds, we will be producing additional communications and targeted campaigns in this area.

We have also responded to the following consultations:

• HM Treasury: Improving the Effectiveness of the Money Laundering Regulations
• Legal Services Board: Guidance for new Regulatory Objective on Economic Crime
• HM Treasury: National Risk Assessment 2025

Our publications last year included:

• Guidance on sham litigation
• Thematic Review of AML Training
• Updated sanctions guidance.

We also regularly update our AML Q&A page.

Data Collection

During July and August 2025, we continued our data collection exercise aimed at all firms we regulate. This covers:

• areas within AML scope
• trusts and company services
• sanctions
• suspicious activity reports.

Under the regulations, we must risk profile firms and monitor risks as discussed in this report. We look at a range of factors to determine risk, including regulatory history and size. Where appropriate, our risk model also considers mitigation, such as AML controls.

Areas of focus and the year ahead

In the coming year we will continue to focus on: 

• Taking a risk-based approach to inspections and desk-based reviews, informed by annual data-gathering exercises, to gain a richer understanding of AML systems, processes and procedures in place.
• Helping firms put strong controls in place to prevent money laundering by way of our sectoral risk assessment, published guidance and bespoke advice following proactive reviews.
• Taking a risk-based approach to sanctions inspections and continuing to monitor external changes and develop or update our guidance as appropriate.
• Bringing enforcement action against firms that are not meeting their responsibilities under the regulations.
• Providing targeted and timely guidance for firms through a programme of lunchtime webinars focused on different AML and related topics.
• Using AI technology to monitor firms’ self-declared AML status, checking what services are offered to the public and comparing them to our records.
• Monitoring the areas mentioned above, under emerging risks, and considering what next steps we might need to take.

Our AML resources

Money laundering regulations and who they apply to

What does my firm need to do?

Your AML obligations

How we regulate money laundering

Sectoral Risk Assessment - Anti-money laundering and terrorist financing

Anti Money Laundering annual report 2021-22

Anti Money Laundering annual report 2022-23

Make changes to your Anti-Money Laundering authorisation

Money Laundering Governance: Three Pillars of Success

Firm wide risk assessment guidance

Client and matter risk assessment warning notice

Client and matter risk assessment thematic report

Client and matter risk assessment template

AML and sanctions webinars

AML for sole practitioners - May 2025

AML enforcement - May 2025

Sanctions: Insights and updates - March 2025

AML Questions and Answers webinar – May 2024

Client and matter risk assessment webinar – February 2024

AML: enforcement trends – September 2023

Government sanctions regime: how all firms can stay compliant – May 2023

Compliance Officers Virtual Conference 2022

AML: How to do a firm-wide risk assessment – June 2022

AML officers: what they need to know - February 2022

Our sanctions resources

Tell us about your firm’s approach to financial sanctions

Financial sanctions and Russia

Guidance and support

Government sanctions regime - how all firms can stay compliant

Sanctions regime guidance helps firms stay compliant

Complying with the UK sanctions regime 

Other relevant sector guidance

Proceeds of crime guidance  

Published by the Legal Sector Affinity Group

Legal Sector Affinity Group Guidance – Part 1

Legal Sector Affinity Group – Part 2 (barristers, Trust or Service Company Providers and Notaries)

Barristers – to be read independently of Part 1

TCSPs – to be read in conjunction with Part 1

Notaries – to be read in conjunction with Part 1

Published by the National Crime Agency

Guide to submitting better quality SARs

SARs Online User Guidance

SARs FAQs

SARs Glossary Codes

Produced by HM Government

UK National Risk Assessment