Alexander Christian
Anti-Money Laundering Audit Services to Regulated Firms and Family Law
  • Regulation 21 Internal Independent Audits  

    Regulation 21(1)(c) Audits

    Ignore them at your peril | Non-Compliance | Fines | Remedial Action

“...The challenge today is implementation, implementation, implementation – in short, effective and efficient action by the public and private sectors acting in partnership to stop money laundering; to reduce the harm caused by crime and terrorism.” – David Lewis, former Executive Secretary of the Financial Action Task Force (FATF)

This keynote speech by David Lewis, former FATF Executive Secretary, was delivered at the 7th International Anti-Money Laundering and Compliance Conference, 'Fighting Financial Crime', Bratislava, 10-11 December 2019.

Tailored AML Solutions for Regulated Law Firms

Overview: Regulation 21(1)(c) Audits

Regulation 21(1)(c) of the Money Laundering Regulations 2017 requires many law firms to conduct an independent internal audit of their AML systems. On this page, we explain what the regulation means, who it applies to, how often audits should be conducted, and how Alexander Christian can support your firm with tailored, proportionate audit services.

What do the MLRs say?

Under Regulation 21(1)(c) of the Money Laundering Regulations 2017, firms are required—where appropriate to their size and nature—to establish an independent audit function. But this isn't just a box-ticking exercise.

It's a vital safeguard—designed to ensure your AML framework is more than just policy on paper. An effective independent audit brings transparency, identifies gaps, and strengthens governance.

What does LSAG say?

The Legal Sector Affinity Group (LSAG) 2025 guidance sets out 36 high-level principles for a robust AML framework. Regulation 21(1)(c) is covered under Principle 34, which states:


'The practice must conduct an independent audit of the adequacy and effectiveness of its AML policies, controls and procedures'


Chapter 9.1 provides an overview of internal controls:


'Regulation 21(1) sets out three internal controls which practices are required to adopt where it is appropriate “with regard to the size and nature of its business”. These controls are designed to help businesses that may be larger or more complex than others, by ensuring that there are ways to ensure risks introduced by a practice’s size and/or complexity can be recognised and mitigated. It also will apply to practices engaged in higher risk services as assessed in their PWRA. 


'Not all practices are expected to adopt these measures, though if you consider that you do not need to adopt these, you should record your reasoning as to why. You may have to justify to your supervisor how and why you do not meet this requirement, considering how your firm will not benefit from the extra protections that these measures might provide. 


'You do not need to implement these internal controls if you do not employ or act in association with any other person (R21(6)) e.g., if you are a sole practitioner who does not employ any staff nor use any agents. 


'Factors you may consider when determining whether it is appropriate to apply the controls include: 


• The risks documented within, and the outcomes of, your PWRA – including client base, geographic factors, services provided and distribution channels. (Please see Section 5 for further information);

• The number of partners or staff your practice has; 

• The number of offices your practice has and where they are located (including whether your practice has overseas offices); 

• Your client demographic, including where they are based, and services provided to them; 

• The risk-profile, nature and complexity of work your practice undertakes; 

• The volume and value of the work the practice undertakes; or 

• The level of visibility and control that senior management has over operational client matters – this may be considered in light of layers of management hierarchy.'

Enforcement:

The failure to conduct a Regulation 21(1)(c) audit came into sharp focus in July 2025. The legal press highlighted two law firms' failures to carry out an independent internal AML audit.


Regulated firms are required to comply with the Money Laundering Regulations. However, the failure to obtain a Regulation 21(1)(c) audit has not previously been highlighted.


This isn’t a theoretical risk. It’s a regulatory requirement — and failure to comply may result in:

  • 🔍 Increased regulatory scrutiny, including inspections and follow-ups

  • 💰 Fines and other enforcement action, which can damage your firm’s reputation

  • Time-bound remediation, often at significant cost and operational disruption

  • Missed risks, including vulnerabilities to financial crime

  • 📉 Lost opportunity to strengthen your compliance framework before issues arise


The SRA frequently asks for evidence of a Regulation 21 audit early in the inspection process. 


If you cannot provide one — or justify its absence — you’re likely to attract further scrutiny and questions about the robustness of your AML controls.

Why does this matter?

A Regulation 21(1)(c) audit may be mandatory depending on your firm’s size and risk profile — but even when not strictly required, it is increasingly seen as best practice.

An independent internal AML audit can help your firm:


✅ Uncover blind spots
✅ Strengthen internal systems and controls
✅ Demonstrate sound governance to regulators
✅ Proactively address risks before they escalate


Don’t wait for the regulator to come knocking. A well-timed audit is your opportunity to strengthen your defences, demonstrate compliance, and reduce long-term risk.

Alexander Christian - Tailored AML Solutions

Reasons why regulated law firms consider independent audits


✅ Regulatory requirement 

Under Regulation 21(1)(c) of the Money Laundering Regulations 2017, firms must — where appropriate — establish an independent audit function to review the adequacy and effectiveness of their AML policies, controls, and procedures.

✅ Demonstrating commitment to AML Compliance
An independent audit sends a strong signal to stakeholders that your firm takes AML responsibilities seriously and is committed to operating with integrity and transparency.

✅ Continuous Improvement
Beyond compliance, audits provide an opportunity to identify inefficiencies, close gaps, and refine AML processes, supporting an agile and evolving compliance framework.

✅ Alignment with robust internal controls
An audit may help strengthen your firm's internal controls.

Unbiased - second sight
An external, independent audit offers fresh perspective — helping uncover blind spots that internal teams may overlook due to familiarity, assumptions, or resource pressures.

Typical Triggers for an Independent AML Audit:


There may be many reasons for a regulated firm to decide on an Internal Regulation 21 Audit; the following are some examples:

  1. Preparing for a regulatory inspection
  2. Addressing internal concerns around AML controls
  3. Seeking assurance before onboarding a new MLRO or senior management
  4. Reassessing risk exposure after changes in firm structure or services
  5. Aligning with the 36 LSAG High-Level Compliance Principles



Who Should Have an AML Regulation 21 Audit?

Under Regulation 21(1)(c) of the Money Laundering Regulations 2017, firms are required to conduct an independent internal audit of their AML policies, controls, and procedures “where appropriate with regard to the size and nature of the business.” While this requirement is technically risk-based, the Solicitors Regulation Authority (SRA) has repeatedly indicated that such an audit is strongly recommended for most regulated firms — not just large ones. 


Even smaller firms may be expected to commission an audit if they are engaged in high-risk work, such as conveyancing, trust and company services, or international transactions. The key test is not size alone, but whether the firm’s activities expose it to a heightened risk of money laundering or terrorist financing. Failing to carry out an internal audit in these circumstances could be interpreted by the SRA as a compliance failure — particularly if the firm cannot justify its decision.

Frequency of a Regulation 21(1)(c) Audit

The Money Laundering Regulations 2017 (MLR 2017) do not set a mandatory frequency for Regulation 21 audits. Instead, firms are expected to take a risk-based approach.

When deciding how often to conduct an independent AML audit, consider:

  • Your firm’s overall AML risk profile

  • Results of previous internal or external audits

  • Significant changes in legislation, guidance, or your firm’s services

  • Internal changes such as mergers, onboarding new staff, or expansion into higher-risk work


The Legal Sector Affinity Group (LSAG) 2025 guidance states:

“You should take a risk-based approach to determining the frequency of an independent audit. It may be appropriate to undertake audits at regular intervals, e.g., annually. You should consider whether an audit is required based on the time elapsed and the changes to the practice’s risk profile, structure and services provided since the last audit.”

“This is particularly relevant should a practice take over or merge with another business.”

“For those areas/clients or matters which pose the highest risks (as per your risk assessments) you should consider undertaking a targeted audit of these areas, on a more frequent basis than the wider practice.”


Firms should also keep clear records of their audits and responses:

“Practices should keep a record of all audits and make this available to their supervisors as requested – this should include:

- The scope of the audit and sampling basis used
- The records audited, what was checked and by whom
- The findings and recommended actions of the audit
- Records of senior management/Board discussions regarding the findings of the audit
- The practice’s response and implementation of actions (and any reasoning for not implementing those recommendations).”


Regulation 21 audits are not a one-off task. They should be repeated in line with your firm’s changing risk profile, structure, and service offerings. 

Most importantly, your firm should document its rationale for the chosen audit frequency — especially if challenged by your regulator.

Potential Benefits

Benefit | Description
✅ Compliance | Satisfies MLR 2017 Regulation 21(1)(c)
✅ Governance | Demonstrates sound internal control
✅ Risk Management | Identifies weaknesses and blind spots
✅ SRA Preparedness | Avoids surprises during inspections
✅ Continuous Improvement | Supports refinement of your AML framework

Our Process


A brief illustration of the process:

  1. Discovery & Scoping
  2. Document Review
  3. Interviews & Testing
  4. Report & Recommendations
  5. Optional Follow-Up Support


We have set out an illustration of our process here, but as our services are bespoke


Considering a Regulation 21 Audit? 
Let’s Talk — No Pressure

Book a free, no-obligation 15-minute call with Alexander Christian. We'll help you plan your next steps.


📞 Call us on 020 4578 4684
✉️ Or contact us online to get started


Frequently Asked Questions

"A journey of a thousand miles begins with a single step."

What is a Regulation 21(1)(c) AML audit?

It’s an independent internal audit of your firm’s anti-money laundering (AML) policies, controls, and procedures, required by Regulation 21(1)(c) of the Money Laundering Regulations 2017 “where appropriate to the size and nature of the business.”
It’s not just about ticking a box — the audit must critically assess how effective your AML framework is in practice.

Is a Regulation 21 audit mandatory for all law firms?

Not all firms are automatically required to carry out a Regulation 21 audit — but many are. The requirement applies where appropriate, based on your size, structure, and risk exposure.
For example, firms offering high-risk services (such as conveyancing or trust and company work) or handling complex international transactions are likely to fall within scope — even if they’re small.

How do I know if my firm is required to have a Regulation 21 audit?

You should review:

  • Your firm-wide risk assessment (FWRA)

  • Your service lines (e.g. conveyancing, trust & company services)

  • Your client base, including any international elements

  • Your staff numbers and management structure

Even if you're a small practice, if your risk profile is elevated, a Regulation 21 audit may be expected by the SRA.

What are the risks of not having a Regulation 21 audit?

Failure to comply can result in:

  • Regulatory scrutiny or enforcement action

  • 💰 Fines or public disciplinary action

  • 📉 Reputational damage

  • Time-sensitive remediation requirements

In July 2025, the legal press highlighted firms that failed to commission required audits — signalling this is a rising priority.


How often should we carry out a Regulation 21 audit?

There’s no set frequency in the regulations — you should take a risk-based approach.
Typically:

  • High-risk firms might audit annually

  • Lower-risk firms may audit every 18–24 months

  • You should reassess if there are material changes, such as:

    • A firm merger or acquisition

    • New service offerings

    • A new MLRO or compliance lead

The LSAG 2025 guidance advises that firms document their rationale and keep detailed records of all audits and follow-up actions.

What’s the difference between a Regulation 21 audit and a mock AML audit?

  • A Regulation 21 audit is a formal, regulatory requirement for certain firms and must be independent.

  • A mock audit is an optional, preparatory tool used to simulate the process, identify weaknesses early, and build readiness.

We offer both.







What does your Regulation 21 audit process involve?

Our typical audit process includes:

  1. Discovery & Scoping – understanding your firm’s risk profile and goals

  2. Document Review – examining AML policies, controls, and procedures

  3. Staff Interviews & File Testing – assessing how policies are applied in practice

  4. Audit Report – with findings, recommendations, and follow-up support if required

We also offer implementation reviews to help you act on our findings effectively.

Can I delay the audit or provide justification for not doing one?

Only in limited, justified cases. If your firm genuinely falls outside the requirement (e.g. sole practitioner, low-risk work), you must document your reasoning and be ready to justify it to your regulator.

However, delaying without clear reasoning can backfire — and absence of an audit often raises more red flags than it avoids.





A Glossary of Acronyms and Phrases


Acronym or phrase | Meaning
AML | Anti-Money Laundering
LSAG | Legal Sector Affinity Group Guidance
Money Laundering Regulations, MLRs, MLR 2017 | The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
Regulation 21(1)(c) | This refers to the requirement on relevant persons to have an independent internal audit process as set out in the Money Laundering Regulations

Disclaimer

The information contained in this post is not legal or regulatory advice and is not intended to be construed as such. 

No warranty is provided as to the completeness or accuracy of the contents of this website.

If you require individual legal or regulatory advice, seek it from a source qualified to provide it after considering your individual circumstances on a professional basis.

Book your appointment today!

Compliance Doesn’t Have to Be Complicated

Whether you're seeking an audit, or other AML service, we’re here to make compliance feel clear, manageable, and even empowering. 

No jargon. No pressure. Just support tailored to your business.

