“...The challenge today is implementation, implementation, implementation – in short, effective and efficient action by the public and private sectors acting in partnership to stop money laundering; to reduce the harm caused by crime and terrorism.” –
David Lewis, former Executive Secretary of the Financial Action Task Force (FATF)
This keynote speech by David Lewis, former FATF Executive Secretary, was delivered at the 7th International Anti-Money Laundering and Compliance Conference:
'Fighting Financial Crime'
Bratislava, 10-11 December 2019
Tailored AML Solutions for Regulated Law Firms
Overview: Regulation 21(1)(c) Audits
Regulation 21(1)(c) of the Money Laundering Regulations 2017 requires many law firms to conduct an independent internal audit of their AML systems. On this page, we explain what the regulation means, who it applies to, how often audits should be conducted, and how Alexander Christian can support your firm with tailored, proportionate audit services.
What do the MLRs say?
Under Regulation 21(1)(c) of the Money Laundering Regulations 2017, firms are required—where appropriate to their size and nature—to establish an independent audit function. But this isn't just a box-ticking exercise.
It's a vital safeguard—designed to ensure your AML framework is more than just policy on paper. An effective independent audit brings transparency, identifies gaps, and strengthens governance.
What does LSAG say?
The Legal Sector Affinity Group (LSAG) 2025 guidance sets out 36 high-level principles for a robust AML framework. Regulation 21(1)(c) is covered under Principle 34, which states:
'The practice must conduct an independent audit of the adequacy and effectiveness of its AML policies, controls and procedures'
Chapter 9.1 provides an overview of internal controls:
'Regulation 21(1) sets out three internal controls which practices are required to adopt where it is appropriate “with regard to the size and nature of its business”. These controls are designed to help businesses that may be larger or more complex than others, by ensuring that there are ways to ensure risks introduced by a practice’s size and/or complexity can be recognised and mitigated. It also will apply to practices engaged in higher risk services as assessed in their PWRA.
'Not all practices are expected to adopt these measures, though if you consider that you do not need to adopt these, you should record your reasoning as to why. You may have to justify to your supervisor how and why you do not meet this requirement, considering how your firm will not benefit from the extra protections that these measures might provide.
'You do not need to implement these internal controls if you do not employ or act in association with any other person (R21(6)) e.g., if you are a sole practitioner who does not employ any staff nor use any agents.
'Factors you may consider when determining whether it is appropriate to apply the controls include:
• The risks documented within, and the outcomes of, your PWRA – including client base, geographic factors, services provided and distribution channels (please see Section 5 for further information);
• The number of partners or staff your practice has;
• The number of offices your practice has and where they are located (including whether your practice has overseas offices);
• Your client demographic, including where they are based, and services provided to them;
• The risk-profile, nature and complexity of work your practice undertakes;
• The volume and value of the work the practice undertakes; or
• The level of visibility and control that senior management has over operational client matters – this may be considered in light of layers of management hierarchy.'
Enforcement:
The failure to conduct a Regulation 21(1)(c) audit came into sharp focus in July 2025. The legal press highlighted two law firms' failures to carry out an independent internal AML audit.
Regulated firms are required to comply with the Money Laundering Regulations. However, the failure to obtain a Regulation 21(1)(c) audit has not previously been highlighted.
This isn’t a theoretical risk. It’s a regulatory requirement — and failure to comply may result in:
🔍 Increased regulatory scrutiny, including inspections and follow-ups
💰 Fines and other enforcement action, which can damage your firm’s reputation
⏳ Time-bound remediation, often at significant cost and operational disruption
❌ Missed risks, including vulnerabilities to financial crime
📉 Lost opportunity to strengthen your compliance framework before issues arise
The SRA frequently asks for evidence of a Regulation 21 audit early in the inspection process.
If you cannot provide one — or justify its absence — you’re likely to attract further scrutiny and questions about the robustness of your AML controls.
Why does this matter?
A Regulation 21(1)(c) audit may be mandatory depending on your firm’s size and risk profile — but even when not strictly required, it is increasingly seen as best practice.
An independent internal AML audit can help your firm:
✅ Uncover blind spots
✅ Strengthen internal systems and controls
✅ Demonstrate sound governance to regulators
✅ Proactively address risks before they escalate
Don’t wait for the regulator to come knocking. A well-timed audit is your opportunity to strengthen your defences, demonstrate compliance, and reduce long-term risk.
Reasons why regulated law firms consider independent audits

✅ Regulatory requirement
Under Regulation 21(1)(c) of the Money Laundering Regulations 2017, firms must — where appropriate — establish an independent audit function to review the adequacy and effectiveness of their AML policies, controls, and procedures.
✅ Demonstrating commitment to AML Compliance
An independent audit sends a strong signal to stakeholders that your firm takes AML responsibilities seriously and is committed to operating with integrity and transparency.
✅ Continuous Improvement
Beyond compliance, audits provide an opportunity to identify inefficiencies, close gaps, and refine AML processes, supporting an agile and evolving compliance framework.
✅ Alignment with robust internal controls
An audit may help strengthen your firm's internal controls.
An external, independent audit offers fresh perspective — helping uncover blind spots that internal teams may overlook due to familiarity, assumptions, or resource pressures.
Typical Triggers for an Independent AML Audit:

- Preparing for a regulatory inspection
- Addressing internal concerns around AML controls
- Seeking assurance before onboarding a new MLRO or senior management
- Reassessing risk exposure after changes in firm structure or services
- Aligning with the 36 LSAG High-Level Compliance Principles
Who Should Have an AML Regulation 21 Audit?
Under Regulation 21(1)(c) of the Money Laundering Regulations 2017, firms are required to conduct an independent internal audit of their AML policies, controls, and procedures “where appropriate with regard to the size and nature of the business.” While this requirement is technically risk-based, the Solicitors Regulation Authority (SRA) has repeatedly indicated that such an audit is strongly recommended for most regulated firms — not just large ones.
Even smaller firms may be expected to commission an audit if they are engaged in high-risk work, such as conveyancing, trust and company services, or international transactions. The key test is not size alone, but whether the firm’s activities expose it to a heightened risk of money laundering or terrorist financing. Failing to carry out an internal audit in these circumstances could be interpreted by the SRA as a compliance failure — particularly if the firm cannot justify its decision.
Frequency of a Regulation 21(1)(c) Audit
The Money Laundering Regulations 2017 (MLR 2017) do not set a mandatory frequency for Regulation 21 audits. Instead, firms are expected to take a risk-based approach.
When deciding how often to conduct an independent AML audit, consider:
Your firm’s overall AML risk profile
Results of previous internal or external audits
Significant changes in legislation, guidance, or your firm’s services
Internal changes such as mergers, onboarding new staff, or expansion into higher-risk work
The Legal Sector Affinity Group (LSAG) 2025 guidance states:
“You should take a risk-based approach to determining the frequency of an independent audit. It may be appropriate to undertake audits at regular intervals, e.g., annually. You should consider whether an audit is required based on the time elapsed and the changes to the practice’s risk profile, structure and services provided since the last audit.”
“This is particularly relevant should a practice take over or merge with another business.”
“For those areas/clients or matters which pose the highest risks (as per your risk assessments) you should consider undertaking a targeted audit of these areas, on a more frequent basis than the wider practice.”
Firms should also keep clear records of their audits and responses:
“Practices should keep a record of all audits and make this available to their supervisors as requested – this should include:
- The scope of the audit and sampling basis used
- The records audited, what was checked and by whom
- The findings and recommended actions of the audit
- Records of senior management/Board discussions regarding the findings of the audit
- The practice’s response and implementation of actions (and any reasoning for not implementing those recommendations).”
Potential Benefits
Benefit | Description |
---|---|
✅ Compliance | Satisfies MLR 2017 Regulation 21(1)(c) |
✅ Governance | Demonstrates sound internal control |
✅ Risk Management | Identifies weaknesses and blind spots |
✅ SRA Preparedness | Avoids surprises during inspections |
✅ Continuous Improvement | Supports refinement of your AML framework |
Our Process

A brief illustration of the process:
- Discovery & Scoping
- Document Review
- Interviews & Testing
- Report & Recommendations
- Optional Follow-Up Support
We have set out an illustration of our process here, but as our services are bespoke
Considering a Regulation 21 Audit?
Let’s Talk — No Pressure
Book a free, no-obligation 15-minute call with Alexander Christian. We'll help you plan your next steps.
📞 Call us on 020 4578 4684
✉️ Or contact us online to get started

What is a Regulation 21(1)(c) AML audit?
It’s an independent internal audit of your firm’s anti-money laundering (AML) policies, controls, and procedures, required by Regulation 21(1)(c) of the Money Laundering Regulations 2017 — “where appropriate to the size and nature of the business.”
It’s not just about ticking a box — the audit must critically assess how effective your AML framework is in practice.
Is a Regulation 21 audit mandatory for all law firms?
Not all firms are automatically required to carry out a Regulation 21 audit — but many are. The requirement applies where appropriate, based on your size, structure, and risk exposure.
For example, firms offering high-risk services (such as conveyancing or trust and company work) or handling complex international transactions are likely to fall within scope — even if they’re small.
How do I know if my firm is required to have a Regulation 21 audit?
You should review:
Your firm-wide risk assessment (FWRA)
Your service lines (e.g. conveyancing, trust & company services)
Your client base, including any international elements
Your staff numbers and management structure
Even if you're a small practice, if your risk profile is elevated, a Regulation 21 audit may be expected by the SRA.
What are the risks of not having a Regulation 21 audit?
Failure to comply can result in:
❌ Regulatory scrutiny or enforcement action
💰 Fines or public disciplinary action
📉 Reputational damage
⏳ Time-sensitive remediation requirements
In July 2025, the legal press highlighted firms that failed to commission required audits — signalling this is a rising priority.
How often should we carry out a Regulation 21 audit?
There’s no set frequency in the regulations — you should take a risk-based approach.
Typically:
High-risk firms might audit annually
Lower-risk firms may audit every 18–24 months
You should reassess if there are material changes, such as:
A firm merger or acquisition
New service offerings
A new MLRO or compliance lead
The LSAG 2025 guidance advises that firms document their rationale and keep detailed records of all audits and follow-up actions.
What’s the difference between a Regulation 21 audit and a mock AML audit?
A Regulation 21 audit is a formal, regulatory requirement for certain firms and must be independent.
A mock audit is an optional, preparatory tool used to simulate the process, identify weaknesses early, and build readiness.
We offer both.
What does your Regulation 21 audit process involve?
Our typical audit process includes:
Discovery & Scoping – understanding your firm’s risk profile and goals
Document Review – examining AML policies, controls, and procedures
Staff Interviews & File Testing – assessing how policies are applied in practice
Audit Report – with findings, recommendations, and follow-up support if required
We also offer implementation reviews to help you act on our findings effectively.
Can I delay the audit or provide justification for not doing one?
However, delaying without clear reasoning can backfire — and absence of an audit often raises more red flags than it avoids.
A Glossary of Acronyms and Phrases
Acronym or phrase | Meaning |
---|---|
AML | Anti-Money Laundering |
LSAG | Legal Sector Affinity Group Guidance |
Money Laundering Regulations / MLRs / MLR 2017 | The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 |
Regulation 21(1)(c) | This refers to the requirement on relevant persons to have an independent internal audit process, as set out in the Money Laundering Regulations |
Disclaimer
The information contained in this post is not legal or regulatory advice and is not intended to be construed as such.
No warranty is provided as to the completeness or accuracy of the contents of this website.
If you require individual legal or regulatory advice, seek it from a source qualified to provide it after considering your individual circumstances on a professional basis.
Compliance Doesn’t Have to Be Complicated
Whether you're seeking an audit, or other AML service, we’re here to make compliance feel clear, manageable, and even empowering.
No jargon. No pressure. Just support tailored to your business.
💬 Complete the form below, and we’ll help you take control of your AML responsibilities with confidence.