
51% OF RESPONDENTS SAY COMPLIANCE IS NOT RESPECTED WITHIN THEIR FIRM
18/08/2025
According to the report produced by Thirdfort, 150 senior compliance leaders highlighted that many still struggle to operationalise effective AML systems. This is in part due to:
- A lack of respect or understanding within the firm of the role and responsibilities of the compliance team, with 51% of respondents saying that compliance is not respected within their firm, and
- A lack of resourcing for the compliance function.
Thirdfort conducted an online survey of 150 compliance professionals, made up of:
- 50 working at law firms,
- 50 at an accountancy practice and
- 50 people who work at an estate agency in the UK.
The survey respondents included an equal split between compliance professionals who work in organisations with 1-25 employees, 26-150 employees and more than 150 employees.
All respondents identified themselves as a senior manager, director, or part of the C-suite.
WHAT SHOULD FIRMS DO NOW
- Firms should therefore act now to ensure they are avoiding the key pitfalls for law firms in AML compliance and take practical steps to prevent them.
THE KEY PITFALLS FOR LAW FIRMS IN AML COMPLIANCE AND PRACTICAL STEPS TO AVOID THEM
WHAT ARE THE PRIMARY AML DEFICIENCIES?
There are many detailed requirements set out in the AML/CTF/CPF RULES and, therefore, myriad ways in which a firm can fail. Still, several common themes are emerging from SRA enforcement action and matters encountered in practice:
- Inadequate firm-wide risk assessments (“FWRAs”) (or sometimes no risk assessment at all): A risk-based approach is inherent in the AML/CTF/CPF RULES, which recognise that it is not a matter of one size fits all. A firm’s FWRA must be tailored to its business and the nature of its clients and services, and regularly updated.
- Insufficient client due diligence (“CDD”): CDD requirements extend beyond simply verifying the ID of the client and/or its beneficial owners. Source of funds and source of wealth checks, which are a fundamental part of CDD, may sometimes be lacking, particularly where CDD is treated merely as a tick-box exercise that hinders the initiation of new work.
- Weak ongoing monitoring and record-keeping: The need to conduct ongoing monitoring of business relationships is a challenging obligation to discharge in practice. Many firms have not adequately considered the systems and controls which they can use to assist with meeting their obligations.
- Failure to remain up to date with changes to the AML/CTF/CPF RULES: This is a prevalent issue. The requirements of the AML/CTF/CPF RULES change frequently, and it is all too easy for these to be missed, particularly when client work is demanding. These changes include, for example, amendments to the list of High-Risk Third Countries, additional risk assessment requirements (new technologies, proliferation financing), verification of statutory registers, politically exposed persons (PEPs) and the duty to report discrepancies in information provided by the client.
- Failure to provide training to staff: The AML/CTF/CPF RULES require a firm to “take appropriate measures” to ensure that “relevant employees” (a poorly defined term which should be given a broad interpretation) are (a) made aware of the law on money laundering, terrorist financing and proliferation financing (along with applicable data protection requirements) and (b) regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to them. Training must therefore be given periodically, as is appropriate to the firm and its practice and aligned with updates and changes to the FWRA.
- Confusion over the scope of the AML/CTF/CPF RULES: Not all legal services will be within the scope of the AML/CTF/CPF RULES. A firm which does not engage in transactional work, such as an employment or litigation boutique, may be thought out of scope, but it is not only real estate, M&A or other financial transactions which are caught. Those giving tax advice or trust and company services will also be in scope. In any case, the Proceeds of Crime Act 2002 and other legislation apply to all businesses, whether caught by the AML/CTF/CPF RULES or not.
PRACTICAL STEPS
The AML/CTF/CPF RULES are wide-ranging and complex, and there are many ways in which a firm can fail to comply. However, there are several practical steps and principles which all firms should take on board to ensure they are compliant:
- Revisit your FWRA frequently: This should be done annually and, in any case, upon the arrival or departure of any partner (at least for small firms) or practice group, in case the change to the practice requires an update to the risk profile of the business and/or the split between in-scope work and that which is out of scope.
- Keep abreast of changes: It is essential to consider at an early stage whether, and to what extent, changes to the regulations will impact your firm and what needs to change as a result.
- Ensure that policies are tailored to the FWRA: Too often, these are not bespoke to the firm’s practice areas and other matters, which should be identified in the FWRA. One of the key things that SRA inspections focus on is to test whether the policies are tailored to the firm and whether they are reflected “on the ground” through file reviews and staff interviews.
- Appoint a Money Laundering Compliance Officer (MLCO): The AML/CTF/CPF RULES require the appointment of a board member or senior manager as the officer responsible for the firm’s compliance with the AML/CTF/CPF RULES, generally known as a Money Laundering Compliance Officer, where this is “appropriate to the size and nature of the business”. The SRA’s view is that appointing an MLCO is likely to be appropriate in the “vast majority” of cases, and may not be necessary only in limited circumstances, for example, sole practices or firms which only carry out in-scope work on a very occasional basis. The MLCO role is in addition to the Money Laundering Reporting Officer (MLRO). The MLRO is responsible for receiving internal suspicious activity reports, assessing them, and making external reports to the NCA when appropriate. The MLCO (Money Laundering Compliance Officer) is responsible for ensuring the firm’s overall compliance with AML/CTF/CPF RULES — overseeing policies, procedures, training, monitoring, and regulatory liaison.
- Document your decisions: The scope of many obligations under the AML/CTF/CPF RULES varies depending on the size and nature of the firm’s business. For example, it is unlikely to be appropriate for a small firm that does minimal in-scope work and low-value transactions to appoint external specialists to carry out detailed audits on an annual basis. As the LSAG guidance makes clear: “If in doubt, write it down”.
- Record your reviews: Firms should keep a log of all reviews conducted, including the FWRA, reviews of policies, controls and procedures, ongoing monitoring of client relationships and others.
- Scrutinise new products and technologies: This might include AI-based tools, ID verification measures, and any other technologies or practices which you introduce to your services. These must be risk-assessed, and measures must be taken to mitigate any money laundering or terrorist financing risks that may be posed.
- Consider whether a “one size fits all” approach to CDD is appropriate: A common approach to compliance with the CDD requirements set out in the AML/CTF/CPF RULES has been for a full-service law firm to treat all matters as falling within the scope of the regulated sector. However, we are increasingly seeing a shift which is more reflective of a risk-based approach, in which the firm adopts a lighter touch for matters outside of the scope of the AML/CTF/CPF RULES, to devote more resources to those which are within the regulated sector.
- Don’t neglect training: This is a particular focus of the SRA currently. Failure to train staff limits the firm’s ability to detect money laundering and can diminish the effectiveness of AML policies. Consider targeted sessions for partners and/or higher-risk practice areas such as real estate.
- Don’t “file it and forget it”: CDD is not a one-off process. AML is a matter-based regime, and CDD should be reviewed when new matters are opened. Where appropriate, a refresh of CDD should be diarised, and client behaviour should be monitored for unusual activity throughout the matter. Reviews and updates to the risk assessment for a client or matter should be fully recorded.
Contact us
If you have any questions about these issues in your organisation,
Mathew Beale - Chartered FCSI
Principal & Director - Comsure Compliance Limited, Comsure Technology Limited, Comsure Mauritius
(the "Comsure Group of Companies")
T (Jersey) +44 1534 733-588 /+44 7797 747-490
T (Mauritius) +230 214-6487 / +230 5717-690