AML Through the Emerald Lens: Follow the Yellow Brick Risk Road

🎭 Setting the Stage — The Land of AML

This is a journey every firm is on. The question is whether they are walking it with their eyes open.

👧🏻 Dorothy — The Compliance Officer or MLCO

Dorothy arrives in a strange land with limited preparation, a set of rules she is still learning, and an urgent need to find her way home. She is not the villain. She is not incompetent. She is simply in a situation she did not entirely expect, trying to navigate it with the tools she has.

The compliance officer or MLCO in a small London law firm often finds themselves in exactly this position. The role exists. The obligation to have a nominated officer exists. But the support, training, and structured framework that would make that role genuinely effective? That is what the journey is for.

Under the MLRs, the MLCO is responsible for the firm's compliance with the regulations — including the firmwide risk assessment (FWRA) under Regulation 18, the policies, controls and procedures (PCPs) under Regulation 19, ongoing monitoring, staff training, and the escalation of suspicious activity to the Money Laundering Reporting Officer (MLRO). These are statutory requirements, not guidance notes.

🦁 The Cowardly Lion — The Nervous MLRO

The MLRO is the person to whom all internal suspicious activity reports (SARs) are escalated — and the person who decides whether to submit an external SAR to the National Crime Agency (NCA). It is a role that carries significant personal responsibility, and with that responsibility can come significant anxiety.

The Cowardly Lion knows what courage is required. He feels the weight of the decision. He worries about getting it wrong — about submitting a SAR when he should not, or failing to submit when he should. He worries about what happens if he challenges a partner, or declines a client, or raises a concern that makes him unpopular.

That anxiety is understandable. The MLRO's role sits at the intersection of legal obligation, professional relationship, and personal liability. Under Regulation 21, the firm is required to ensure that its MLRO has the necessary skills, experience and resources to discharge their responsibilities effectively. That is not a box-ticking exercise — it means genuine, documented competence, not just a job title.

A SAR not submitted when it should have been is not a minor oversight. It is a potential breach of section 330 of the Proceeds of Crime Act 2002 — the failure to disclose. That is a criminal offence.

AML Lesson

True courage is not the absence of anxiety. It is the ability to act responsibly in the presence of it. The MLRO who has the right training, the right support, and a clearly documented decision-making framework can make difficult calls with confidence — not because the calls are easy, but because the framework makes the right answer clearer. If the MLRO in your firm is working without that framework, that is a compliance gap.

🤖 The Tinman — The Firm That Ticks Boxes Without Thinking

The Tinman has all the right components. He moves. He functions. He follows the sequence. What he lacks is the heart that makes the process meaningful — the genuine understanding of why each step matters, the culture of compliance that makes the right thing the natural thing.

The SRA has been clear, and its annual reports make this explicit: the most common AML failing in small law firms is not the absence of documentation. It is the absence of genuine implementation. The firmwide risk assessment exists but has not been reviewed since it was produced. The client risk assessment template is in the system but the fee earners do not know how to use it. The training has been completed but the learning has not been applied.

This is the compliance that looks right on paper and fails in practice. It is precisely what a Regulation 21 audit is designed to detect — not just whether the policies exist, but whether they are working. Whether the controls are effective. Whether the recommendations from previous reviews have been actioned.

AML Lesson

Compliance needs more than forms. It needs a culture — a genuine understanding across the firm, from the principal to the newest fee earner, of what the requirements are and why they exist. The LSAG guidance is explicit on this: AML must be embedded in the way the firm operates, not appended to it. Tick-box compliance is not compliance. It is the illusion of compliance — which, as any visitor to the Emerald City eventually discovers, is not the same thing at all.

🧠 The Scarecrow — The Overwhelmed Fee Earner

The Scarecrow is not lazy. He is not indifferent. He wants to help. He simply does not have the knowledge and framework that would allow him to do so effectively. He is standing in a field of regulatory complexity, aware that something is required of him, uncertain what it is.

This is the most common experience for fee earners in small law firms when it comes to AML. They are aware of the requirements in general terms. They know they need to carry out client due diligence (CDD). They know they need to identify and verify clients. They are less certain about what enhanced due diligence (EDD) looks like in practice, when simplified due diligence (SDD) is appropriate, what a client risk assessment should contain for their particular type of matter, and when they need to escalate something to the MLRO.

The SRA's AML Controls Webinar from March 2026 reinforced this consistently: the common failures are not in the existence of procedures but in the application of them — fee earners who do not know what the firmwide risk assessment says, who are applying standard CDD to high-risk matters, who have never been shown what an adequate matter-level risk assessment looks like for the work they are doing.

AML Lesson

With the right training — specific, practical, and tailored to the firm's own policies and the type of work it does — even the most uncertain fee earner can become a genuinely effective participant in the firm's AML framework. The Scarecrow did not lack a brain. He lacked the confidence that came from knowing he had one. Good AML training does the same thing: it does not give fee earners knowledge they did not have. It gives them confidence in applying what they already know, and clarity about where to turn when they are unsure.

The Emerald City gleams from a distance. It looks exactly as it should. It is only when Dorothy and her companions arrive — and pull back the curtain — that the reality becomes visible. Behind the spectacle is something considerably more modest than the promise.

In AML compliance, the Emerald City is the firm that has the documentation without the implementation. The FWRA that was produced in 2019 and has not been reviewed since. The client risk assessment template that was purchased from a legal publisher and applied uniformly regardless of the actual risk of the matter. The training certificates in the file and the fee earner who cannot explain what the firm's CDD procedures require.

The SRA has been increasingly explicit about this distinction. In its AML Annual Report 2024-25, it recorded that while most firms had documentation in place, the proportion whose documentation was effectively implemented and regularly reviewed was considerably smaller. The gap between having a policy and running a compliant practice is where most enforcement action lives.

The Regulation 21 independent audit exists precisely to close that gap — to provide an objective, external assessment of whether the framework is not only adequate in design but effective in operation.

FCA to become single AML supervisor for law firms

The UK Government announced in October 2025 that the Financial Conduct Authority (FCA) will take over AML/CTF supervision of law firms from the SRA and other professional body supervisors. This is not a minor adjustment to an existing system. It is a fundamental restructuring of how legal sector AML compliance is supervised in the UK.

The driver is the FATF mutual evaluation scheduled for August 2027 — at which the UK must demonstrate a credible, consistent, and effective supervisory system. The existing fragmented model, with 22 supervisors across the legal and accountancy sectors, has been assessed as inadequate for that purpose. The FCA's single-supervisor model is the government's response.

For small law firms currently supervised by the SRA, this means a transition from a sector-specific, guidance-led regulator to a supervisor whose enforcement culture is considerably more intensive. 

The FCA has issued penalties running to tens of millions of pounds. The expectations around governance, risk assessment, monitoring, and controls are higher — and the consequences of falling short are more significant.

"Ease on down, ease on down the road." 

The spirit of The Wiz is right: AML compliance does not have to be approached with dread. It can be approached with purpose, with structure, and with the genuine confidence that comes from knowing your framework is sound.

But easing on down is not the same as easing off. The firms that navigate the compliance journey well are not the ones who treat it as a burden to be minimised. They are the ones who treat it as a professional obligation — one that, done properly, protects their clients, protects their practice, and protects the individuals within it who carry personal responsibility for the firm's compliance.

The yellow brick road has a destination. In AML compliance, that destination is not a wizard who can give you what you already have. It is the clear, documented, genuinely effective framework that the regulations require — and the confidence that comes from knowing, when the inspector calls, that your house is in order.