Could this lead to a fine?
It is a regulatory consideration!
Are You Overlooking This Quiet Risk in Your AML Compliance?
If you’re a law firm in scope of the Money Laundering Regulations 2017 (as amended) and supervised by the Solicitors Regulation Authority (SRA), you’re likely already juggling risk assessments, client due diligence, and ongoing monitoring. But there’s one requirement that many firms—often unintentionally—overlook:
Regulation 21(1)(c): The requirement to undertake an independent audit function of your AML policies, controls and procedures.
Let’s unpack why this quiet obligation matters—and why ignoring it might be more risky than you realise.
🧾 What Is Regulation 21(1)(c)?
Put simply, subject to the size and nature of the business, it requires in-scope firms to establish an independent audit function to:
- Examine the adequacy and effectiveness of your AML systems,
- Make recommendations, and
- Assess how well those recommendations are being implemented.
This isn’t just a box-ticking exercise—
- If it is applicable, it is a legal and regulatory requirement, and non-compliance with a legal and regulatory requirement may have consequences.
- It is an opportunity to review your AML framework and undertake remedial action where necessary.
What is 'size and nature'?
The Law Society of Scotland, the AML regulator for Scottish lawyers, provides some enlightenment:
"When determining whether to apply the controls, you should consider the risks and outcomes of your Practice Wide Risk Assessment (PWRA), including:
- Your client base, geographic factors, services provided, and distribution channels
- The number of partners, staff, and offices, including overseas
- Client demographics and services provided
- The risk profile, nature, and complexity of work
- The volume and value of work
- The level of visibility and control senior management has over operational client matters, considering management hierarchy layers.
- Any guidance by your supervisory authority (r.21(10))"
They also state:
"It is important to note that your practice does not necessarily need to be both of the size AND nature. Considering the nature of the work you complete, regardless of the size of your practice, is encouraged."
🎛️ Internal Controls - Chapter 9.1 - LSAG 25
"9.1 General Overview
Regulation 21(1) sets out three internal controls which practices are required to adopt where it is appropriate “with regard to the size and nature of its business”. These controls are designed to help businesses that may be larger or more complex than others, by ensuring that there are ways to ensure risks introduced by a practice’s size and/or complexity can be recognised and mitigated. It also will apply to practices engaged in higher risk services as assessed in their PWRA.
Not all practices are expected to adopt these measures, though if you consider that you do not need to adopt these, you should record your reasoning as to why. You may have to justify to your supervisor how and why you do not meet this requirement, considering how your firm will not benefit from the extra protections that these measures might provide.
You do not need to implement these internal controls if you do not employ or act in association with any other person (R21(6)) e.g., if you are a sole practitioner who does not employ any staff nor use any agents.
Factors you may consider when determining whether it is appropriate to apply the controls include:
• The risks documented within, and the outcomes of, your PWRA – including client base, geographic factors, services provided and distribution channels (Please see Section 5 for further information);
• The number of partners or staff your practice has;
• The number of offices your practice has and where they are located (including whether your practice has overseas offices);
• Your client demographic, including where they are based, and services provided to them;
• The risk-profile, nature and complexity of work your practice undertakes;
• The volume and value of the work the practice undertakes; or
• The level of visibility and control that senior management has over operational client matters – this may be considered in light of layers of management hierarchy"
🎛️ Establishing an Audit Function - Chapter 9.3 - LSAG 25
9.3 Establishing an independent audit function
The purpose of an independent audit function is to examine, evaluate and make recommendations regarding the adequacy and effectiveness of the practice’s anti-money laundering and counter-terrorist financing policies, controls, and procedures (PCPs).
Independent audit should not be confused with requirements under R19(3)(e) – the ongoing monitoring and management of compliance with policies, controls and procedures.
9.3.1 Internal or external auditor?
The person/s conducting the audit may not necessarily be external to the practice but must be independent of the function being reviewed.
They should:
• Be independent of the work areas being audited e.g. not the MLRO/MLCO, members of the compliance team or the team that did the original work;
• Have the requisite skills and knowledge in audit and AML/TF in order to be able to adequately carry out their duties.
• Have the authority to access all relevant material (including file materials) to be able to evaluate and report on the adequacy and effectiveness of the PCPs.
• Make recommendations about the PCPs and file remediation if required (in applying these changes, file remediation should retain records of the file pre- and post-the remediation work);
• Monitor the practice's implementation of those recommendations.
• Have direct access/report findings directly to the practice’s Senior Management; and
• Where audit is conducted by an internal partner/member of staff, they must be prepared to make an internal report to the MLRO should they have knowledge/reasonable suspicion that a matter has involved the Proceeds of Crime.
Where a practice seeks the services of an external auditor/consultant – they should be satisfied regarding the specific AML/financial crime knowledge, skillset and experience of that person/organisation, to ensure the adequacy and effectiveness of the audit undertaken.
Sampling of client/matter files should be undertaken on a risk-based approach - in accordance with the risks identified, and the outcomes of, the PWRA. Sample sizes must be sufficient to demonstrate effective assurance of the practice’s PCPs, across all locations, client/matter types.
🎛️ Frequency - Chapter 9.3.2 - LSAG 25
"9.3.2
"How often should an independent audit be conducted? You should take a risk-based approach to determining the frequency of an independent audit. It may be appropriate to undertake audits at regular intervals, e.g., annually. You should consider whether an audit is required based on the time elapsed and the changes to the practice’s risk profile, structure and services provided since the last audit.
"This is particularly relevant should a practice take-over or merge with another business. For those areas/clients or matters which pose the highest risks (as per your risk assessments) you should consider undertaking a targeted audit of these areas, on a more frequent basis than the wider practice.
"Practices should keep a record of all audits and make this available to their supervisors as requested – this should include
• The scope of the audit and sampling basis used.
• The records audited, what was checked and by whom.
• The findings and recommended actions of the audit.
• Records of senior management/Board discussions regarding the findings of the audit; and
• The practice’s response and implementation of actions (and any reasoning for not implementing those recommendations)."
Justifying to your regulator
The Law Society of Scotland provides some helpful assistance:
"My practice is not the appropriate size and nature. What do I do?
Should you determine that your practice does not need to implement these controls, the rationale behind this decision should be clearly documented. You may need to justify to us, as your supervisor, why your practice does not meet this requirement and explain how it will not benefit from the additional protections these measures provide."
🚨 What’s the Risk of Doing Nothing?
Choosing not to undertake a Regulation 21 audit—or failing to document why you’re exempt—can leave your firm exposed in several ways:
Regulatory scrutiny: The SRA now actively checks for evidence of an independent audit.
Missed red flags: Without a fresh pair of eyes, issues may go unnoticed until they become serious.
Reputational harm: A poor AML inspection outcome can affect client trust and public image.
Financial penalties: In a recent disciplinary decision, the SRA mentioned that a firm failed to carry out an independent AML audit, reinforcing just how seriously this obligation is taken.
Guidance-backed expectations: Chapter 9 of the Legal Sector Affinity Group (LSAG) 2025 Guidance provides clear detail on when and how Regulation 21(1)(c) applies, including expectations around independence, frequency, and risk-based approach. It's essential reading for firms unsure of their obligations.
✍🏼 Take further advice and document, document
Some points you may wish to consider:
- Assess whether you meet the criteria for an independent audit. (If you’re unsure, seek specialist legal and regulatory advice.)
- If you don’t need an audit, document the rationale clearly—and review it regularly.
- If you do need one, schedule a review that is:
  - Truly independent,
  - Risk-based, and
  - Tailored to your firm’s size and structure.
Even if you think you're doing everything right, an outside perspective can provide reassurance—and help spot improvements you may have missed.
✉️ Contact Us
We may be able to help you; contact us for an informal chat.
Phrases and Acronyms
Helpful information
| Phrase or Acronym | Meaning |
| --- | --- |
| LSAG, LSAG 25 | The Legal Sector Affinity Group Guidance updated 23 April 2025 |
| MLR 2017 | Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 |
| MLCO | Money Laundering Compliance Officer |
| MLRO | Money Laundering Reporting Officer |
| PCPs | Policies, Controls and Procedures |
| PWRA (also known as FWRA) | Practice Wide Risk Assessment / Firm Wide Risk Assessment |
| Regulation 21(1)(c) | Regulation 21(1)(c) relates to the requirement upon regulated persons to have an internal audit function, subject to the size and nature of their business |
Disclaimer
This post is not legal or regulatory advice, nor is it to be interpreted as such. If you need legal and regulatory advice, you should seek it from a specialist legal or regulatory provider.
See our Disclaimer page