Key takeaways: An Ex Regulator's AML Insights

A fascinating insight from a former regulator

Get ready for more data collection, more nuanced inspections and a call to get the basics right


Illustrative Reference - Low Hanging Fruit

On 10th April 2025, Graham Mackenzie, Director of AML & Economic Crime Risk at Amiqus Resolution, presented a webinar on his AML insights as an ex-regulator.


He provided a brief history of Amiqus.


Founded in 2015 by CEO Callum Murray, Amiqus are a rapidly growing Scottish tech business dedicated to forging trusted partnerships and simplifying complex compliance for the legal sector. Certified by government and trusted by regulators, they treat trust, privacy, and accessibility as core. They empower nine out of ten of Scotland's largest law firms, and a growing number in England and Wales, with cutting-edge biometric verification, electronic IDNV, source of funds and wealth checks, and AML screening – all powered by gold-standard data partners like Onfido and Comply Advantage. As strategic partners to the Law Society of Scotland and other key legal bodies, they have facilitated over 3 million checks, enabling greater access to legal help.

Graham Mackenzie's expertise in compliance is rooted in decades of experience within the financial banking sector, including roles at Royal Bank of Scotland and Lloyds Bank. He then spent eight and a half years at the Law Society of Scotland, serving as Head of Anti-Money Laundering for six and a half of those years, before joining Amiqus Resolution as Director of AML & Economic Crime Risk in December 2024.


At the Law Society of Scotland, he established the supervisory inspection function and its associated processes. As a member of the Legal Sector Affinity Group (LSAG), he chaired the guidance revision group and co-authored significant sections of the revised guidance.


He chaired the UK AML Supervisors Forum, fostering collaboration among 22 professional body supervisors and key government agencies, including HM Treasury, HMRC, and law enforcement.


He has a strong working relationship with the SRA and possesses extensive knowledge of the supervisory environment throughout the UK.


He then addressed the drivers behind regulatory functions and provided insights on inspection preparedness. 

Throughout the presentation, he engaged attendees with live polls, comparing their concerns with their perceived readiness.


He used a visual analogy of a fruit tree, referring to 'low-hanging fruit' to highlight that easily identifiable vulnerabilities are often the first points of inspection. He advised firms on how to avoid becoming 'low-hanging fruit' for regulatory inspections by getting the basics right, focusing on risk assessments, training, and source of funds/wealth checks, all while emphasising the growing importance of data collection.


[NB: the picture in this blog is not the slide used for the presentation.]


Key Points

  • Increased SRA Scrutiny on AML: The presentation emphasises the significant increase in AML supervisory activity by the SRA in England and Wales. This includes a rise in: 
      • file reviews
      • proactive engagements
      • enforcement actions resulting in substantial fines
    • Drivers Behind SRA Activity: Graham stated several factors driving increased scrutiny: 
      • Perception of lawyers as 'key professional enablers' of money laundering
      • The Office of Professional Body AML Supervisors (OPBAS) 
      • The Legal Services Board (LSB), and 
      • OPBAS is part of the Financial Conduct Authority and there is pressure to take a more FCA-style approach: a potential shift towards a 'more stick, less carrot' approach.
      • The upcoming UK government consultation on the future of AML supervision for the legal profession
      • View of (Baroness) Margaret Hodge, the Corruption Champion - 'long-term advocate of the professional enabler tag'
    • The SRA has highlighted two priorities:
      • First Priority: deliver a high professional standard
      • Second Priority: strengthen our risk-based and proactive regulation
    • The SRA's strengthened resolve: 'I think that the recent High Court case, the SDT decision with respect to Dentons would have strengthened their resolve internally too...increased SRA referrals and adverse disciplinary findings at the SDT.'
    • SRA Focus Areas (The "Low-Hanging Fruit"): Graham highlights key areas where the SRA is likely to focus its attention during inspections, drawing a metaphor of "low-hanging fruit" to emphasize the importance of getting the basics right.
      • Policy, Controls, and Procedures (PCPs): Ensuring PCPs cover all key requirements and are clear and easy to follow is paramount.
      • The 36 LSAG key compliance principles are a good starting point, 'They are the building blocks to a good AML compliance regime.'
      • SRA Team: 'We are there to do a job just like everyone else and what they can't avoid or unsee is firms just not getting the basics and the fundamentals right. As a former supervisor myself, there is no leeway here. Or judgment call to be made, unfortunately, particularly many years down the line from the 2017 regulations and with so much focus and guidance now out there.'
      • Conveyancing: Identified by OPBAS as high risk, the SRA will likely focus on both high-value/high-margin and high-volume/lower-margin conveyancing transactions, as well as conveyancing with additional risk factors (high-risk business sectors, PEPs, jurisdictional risks).
      • Referencing the open OPBAS letter to the regulators: high value, high margin property transactions, but also high volume, lower margin operations. Low margin operations because 'there may be pressure to cut costs, spend less time...on checking'.
      • Data Collection: The SRA will increasingly engage in more granular data collection to understand the types of clients and matters firms handle, informing their risk-based supervisory approach.
      • This could look like: more granular questions in relation to the types of clients, the types of matters you work with and the volume of those. 'Focusing on inherently higher risk areas of practice and inherently higher risk clients and markers as per the SRA Sectoral Risk Assessment. And this is what they will base decisions on regarding their risk-based approach to supervision and therefore who to go and inspect next. Who does more of this type of work? And therefore, which firms are inherently higher risk? I spent quite a bit of time with the SRA going through the LSS's (Law Society of Scotland's) AML certificate, which is a compulsory annual data collection exercise which asks firms detailed questions...their types of clients, the matters they're involved in, the jurisdictions in which they operate, or receive funds from etc that is where the SRA ultimately wants to go to.'
      • Signal to firms: 'Speaking from a supervisory perspective, data collection is a form of supervision in itself. It allows the SRA to signal what they want firms to focus on and also as a mechanism whereby they can ensure firms are understanding, capturing and thinking about key AML risks in their day-to-day business so they can then report figures to the SRA.'
      • Pre-audit Questionnaires: 'I'm aware this approach is already happening in the SRA's pre-audit questionnaires. New questions are being included such as regarding whether the firm undertakes independent audit and file reviews and how it does so. They will expect you to have this type of information to hand in line with your responsibilities under Regulation 18.'
      • If you can't answer their questions: 'I would imagine that if you can't answer their questions, well, that might put you higher up the list for an inspection and expect a knock at the door.'
      • Graham's Tips: 'It's all in their thematic reviews and their warning notices. A risk assessment, the SRA are expecting firms to do better on risk assessments with further granularity in them across firm level risk assessment, but also client and matter level. The risks outlined in the UK National Risk Assessment, and the SRA Sector Risk Assessment should be incorporated into your own Firm Level Risk Assessment and then flow down into your Client Matter ones.'
      • Risk Assessments: To repeat, firms need to improve the granularity of their firm-wide risk assessment and their client and matter risk assessments, incorporating risks outlined in the UK National Risk Assessment and the SRA Sectoral Risk Assessment.
      • Regulatory expectation could look like: Graham referred to last year's SRA webinar with Mandeep Sandhu, Head of Proactive Supervision at the SRA, and said that this webinar followed their Thematic Review and Warning Notices. 'The SRA would say then that practitioners have had fair warning. They even issued a new risk assessment template which, please forgive a wee bit of a plug here, is now embedded within the Amiqus platform for firms to use.'
      • Training: The SRA has recently undertaken a Thematic Review on Training and has issued guidance. AML training is considered a 'first line of defence,' and the SRA's recent thematic review indicates it will be a focus of scrutiny. Training should be relevant to the firm's specific work.
      • Reason: Quoting the SRA, Graham says: 'AML training is one of the most effective controls against fee earners and firms becoming inadvertently involved in money laundering.'
      • Graham's tip: 'Again then, the SRA would say practitioners have had fair warning. And going forward then, it is likely to be a focus of regulatory scrutiny.'
      • Source of Funds and Wealth: Hot topic. Source of funds and source of wealth are a significant area of focus for the SRA. Graham stated that the SRA is currently working on a thematic review in this area, which is likely to be followed by more guidance and potentially a warning notice.
      • Scrutiny for the SRA: The SRA have noted a significant percentage of files reviewed lacked information or evidence of source of funds.
      • Referencing: The SRA stated last year that 25% of files they reviewed did not contain information or evidence of source of funds. Furthermore, even when firms had made inquiries, several lacked an audit trail to demonstrate these inquiries. This was particularly noted in high-risk work such as property purchases and cash transactions, which are already identified as high-risk for money laundering in the SRA's Sectoral Risk Assessment.
      • Graham's tip: He emphasises key elements: information and evidence record keeping in higher risk matters. 'We're starting to get the picture. Again, then the SRA would say practitioners have had fair warning. Going forward again, source of funds, source of wealth is likely, I would suggest nailed on, to be a focus of regulatory scrutiny and therefore it's something that you practitioners...should have a look at in terms of your policies, controls and procedures.'
      • Sanctions: With the new regulatory objective of preventing economic crime, the SRA will increasingly focus on sanctions compliance, although this might be more concentrated on larger, city firms with higher risk exposure.
      • Graham's tip: 'Sanctions, another area of focus for the SRA, having been thrust to the forefront of government minds following Russia's illegal invasion of Ukraine. The SRA had been given a new regulatory objective of promoting the prevention and detection of economic crime under the Economic Crime and Transparency Act 2023. The definition of economic crime is far wider in scope than money laundering and the LSB is very keen on testing the SRA's adherence to this new objective. As a result, the SRA are increasingly focused on firms' compliance with sanctions legislation. That said, I wouldn't have thought so much across the majority of firms. The SRA's and...sanctions work will more likely be concentrated on the bigger London or city firms given their risk exposure to sanctions is likely to be higher.'
    • Practical Advice for Firms: Graham provides actionable advice to help firms avoid being the "low-hanging fruit" and prepare for potential SRA scrutiny.
      • Start capturing detailed data on client and matter types using case management systems, so that you have this information should the SRA ask questions.
      • Ensure this data informs the Firm-Wide Risk Assessment.
      • Closely monitor the SRA's outputs: Sectoral Risk Assessments, SRA thematic reviews, webinars, and publications.
      • The SRA are making a series of AML webinars; check the SRA website and LinkedIn page.
      • Prioritise getting the basics right, especially risk assessments, source of funds/wealth checks, PCPs, and related training.

    Q & A

    There was a general question and answer session. 


    Disclaimer:  See our disclaimer below.

    Question: What is a PCP?

    Answer: It is an AML policy, control and procedure. It's the holistic term for all your firm's policies in the AML space, your risk assessments, your Suspicious Activity Report templates, and could even include training.

    Question: Is it satisfactory to use the SRA template for client and matter risk assessments?

    Answer: Yes, the SRA has a client matter risk assessment template available on their website and it is also embedded within the Amiqus platform.

    Question: What can you do if your firm-wide assessment has not been in place since 2017 and this was only implemented a few years ago?

    Answer: If you've now implemented the firm-wide risk assessment and it is relevant and up to date, that is a positive step.

    While the SRA may inquire about the delay if they find it wasn't in place earlier, self-identifying and rectifying the issue and ensuring the assessment influences your firm's policies is a stronger position to be in.

    Question: When adopting technology to support your onboarding processes, what factors do you need to consider?

    Answer: Many factors, including the client experience and ease of use, privacy and data protection elements, and the underlying data feeds used by the provider. It's important to vet the providers and ensure the quality of their data.

    Question: How likely are you to be fined for past breaches where you didn't have a sufficient client and matter level risk assessment until recently but now the SRA templates are in place?

    Answer: Unfortunately, Graham stated there is no guarantee the SRA would overlook past breaches, as fines have been levied for historic issues.

    However, self-identifying the issue and taking corrective action may lessen the severity of any consequences. 

    If there were systemic breaches, there's an obligation to report them to the SRA.

    Question: What kind of questions will the MLRO be asked at an investigation visit?

    Answer: Fundamentally, questions about the suspicious activity reporting regime, such as describing an information SAR or the circumstances for a defence against money laundering. 

    More broadly, they might ask about inherent risks to the profession (awareness of LSAG guidance and the SRA sector risk assessment), risks specific to your practice, and the mitigating policies and procedures you have in place. 

    They will also likely ask about staff training and the MLRO's qualifications.

    Question: Can you give an example of bad or insufficient training?

    Answer: Examples include off-the-shelf training that isn't relevant to your firm's specific circumstances and client matters. Also training that is basic and not interactive, preventing discussion and deeper understanding. Training should be relevant to your firm.

    Question: If you have an existing client who's financing a purchase totalling cash from savings, how far back do you have to go to obtain bank statements? Or what other period, as there is a lack of guidance in this fundamental point.

    Answer: It is not about a specific timeframe but more about what you can ascertain from the bank statements. You need to come to a reasonable conclusion and document it as to why you believe the client (or third party) legitimately accumulated those funds. Look at the holistic picture presented by the statements, including transactional activity, to see if it aligns with their claimed savings.

    It's about reasonable judgement and documenting your rationale, not necessarily a fixed number of months.

    Question: From your experience, are firms always insisting on wet ink certified copies of trust documents and/or company constitutional documents?

    Answer: There's a move towards digital solutions, such as secure upload facilities. While the legal sector may still use wet ink copies, he thinks that the trend is towards electronic formats, especially given the rise in fraud with physical documents.

    Question: [This question related to probate] Where the family brings you the deceased's most recent bank statements, do we have to request earlier statements and if so, how far back?

    Answer: Graham indicated that he would be more interested in how the deceased accumulated the wealth being handed down. It's not about a specific timeframe, but whether you can come to a reasonable assessment that the wealth was accumulated legitimately and there's no indication of proceeds of crime.

    Bank statements can provide useful information to help form this assessment.

    Question: I'm still not clear if there are regular savings of say £500 a month with no suspicious circumstances, how many statements do I need to see showing these payments?

    Answer: It depends on the value of the deposit, but if you can see the individual earns a good wage and has been putting aside £500 a month, you don't necessarily need to account for every single payment up to a large deposit. Seeing a sequence over a few months along with an understanding of their employment history can be sufficient for a reasonable judgment. However, you must document your rationale and reasoning.

    Question: Do you have any insight into how the SRA choose firms to visit? We were visited last year.

    Answer: It's primarily a risk-based approach. The SRA uses data collection to understand where the risks lie in their supervised population, looking at factors like the types of clients and matters firms handle, particularly in higher-risk areas like conveyancing. This helps them identify firms that are inherently higher risk. However, there will likely be an element of randomness in their visits to ensure they are also monitoring firms they deem to be lower risk.

    Question: Will the SRA ask to see training records during an AML inspection?

    Answer: Yes. Graham surmised that they will, especially given the recent thematic review on training. They will likely want to see that all relevant staff have undertaken the required training, as this is a key regulatory requirement.

    Question: The concept of independent and reliable source. It's challenging and changing it is indeed. Our firm always in the past has insisted on...having certified documents, but this is not user friendly and sometimes challenging for clients. From your experience, are...always insisting on wet ink certified copies of trust documents and/or company constitutional documents?

    Answer: Graham agreed that the concept is challenging and changing. Regarding the insistence on wet certified copies, he felt there would be a move towards digital solutions and less reliance on hard copy documents.


    'The way of the world increasingly is...to become more electronic. But I think that inevitably the legal sector is still using wet ink...so if that's what you've got, that's what you've got to supply.'

    Tips On Not Being Low-Hanging Fruit: 

    Graham emphasises that AML regulations are a top priority for the SRA, who are actively increasing their scrutiny and enforcement. Law firms must ensure they have robust policies, procedures, training, and risk assessments in place, particularly in high-risk areas like conveyancing and concerning source of funds and wealth. Failing to get the basics right and being unable to demonstrate compliance will likely make a firm a target for SRA inspection and potential enforcement action. 

    Overall, Graham stresses the SRA's increasing scrutiny of source of funds and wealth verification. Firms must ensure they have adequate policies, procedures, and record-keeping to demonstrate this verification process, particularly in high-risk areas, and focus on making a reasonable, documented assessment based on the available information rather than adhering to arbitrary timeframes for obtaining financial records. Failing to properly address source of funds could make a firm a 'low-hanging fruit' for SRA investigation.

    Everything that Graham had to say had relevance and importance. 

    Further reading:

    SRA - Website

    SRA - Your AML Obligations

    SRA corporate strategy 2023-2026 - 4 Priorities

    OPBAS open letter to the Regulators - PDF of Letter

    Baroness Hodge - Government webpage

    LSAG - 2023: Chapter 3 houses the 36 Principles of a robust AML Programme

    LSAG - 2025: Chapter 3

    Amiqus - Website

    LinkedIn Contact for Graham Mackenzie - Presenter, Former Head of AML at the Law Society of Scotland, Director of AML & Economic Crime Risk at Amiqus Resolution

    Our Services

    At Alexander Christian we offer the following services: 

    • Mock AML Audits
    • Regulation 21 Audits
    • AML Staff Interviews
    • AML File Reviews
    • Focused Area Reviews

    Contact Us

    We are currently offering a free 15-minute conversation without obligation. 

    Contact us for a chat about your needs. 

    Disclaimer: 

    If you require legal or regulatory advice regarding your specific needs and circumstances you should seek legal and regulatory advice from a firm that specifically provides this. Our understanding of the Q&A could be wrong, or misunderstood. No guarantee or warranty is provided. Always seek advice from a professional who is competent to respond to your specific questions. We are not responsible for any reliance placed on this post; we are not responsible for your actions or inactions.

