Tailor your AML Programme to your unique firm
Seek out a perfect fit - protect your firm from financial crime
Listen to an AI conversation about why one size does not fit all.
Disclaimer: this is not legal or regulatory advice, but a lighthearted look at a fairy tale in the context of AML.
This post is written for: MLROs, MLCOs, and principals of small law firms in London — typically one to ten fee earners — who are responsible for their firm's AML compliance under the Money Laundering Regulations 2017. If you are using a downloaded template as your firmwide risk assessment, or if your AML policies have not been reviewed in the last twelve months, this post is for you specifically.
𓂇 One Size Does Not Fit All
We all know the story. The Prince, searching for the woman whose foot fit the glass slipper, went from door to door across the kingdom. The stepsisters, desperate to claim what was not theirs, tried to force the slipper to fit. It did not. It could not. The slipper was made for one person, with precise dimensions, and no amount of effort or wishful thinking was going to change that.
It is a detail that gets lost in the romance of the fairy tale, but it is the most important one. The slipper was not a generic shoe. It was a perfect, specific fit. And the only person for whom it worked was the person it was made for.
Your AML programme is the same. Not in a poetic sense. In a regulatory, legal, and now increasingly financial sense. A generic template downloaded from a legal publisher and adapted with a few superficial changes is not an AML programme. It is a slipper that fits nobody, and the SRA, which has made its position on this very clear in its enforcement decisions, will find that out when it visits.

👗 The Illusion of the Off-the-Shelf Slipper
There is a persistent belief that a template AML programme — provided by a reputable legal publisher, perhaps including a firmwide risk assessment, a set of policies, controls and procedures, and a client risk assessment checklist — constitutes compliance. It is understandable. The documents are professionally produced. They cover the right topics. They reference the correct regulations. They look like what compliance looks like.
They are not what compliance looks like. They are what compliance looks like before it is applied to your actual firm — your specific client base, your particular services, your geographic exposure, your practice areas, your size, your staffing structure, and the specific money laundering and terrorist financing risks that those characteristics generate. Until that application has happened — specifically, thoroughly, and with documented evidence of the thinking behind it — the template is a starting point, not a destination.
"A generic template is like a shoe made for no foot in particular. It may look like the right thing. It will not feel like the right thing when the inspector examines it."

The Money Laundering Regulations 2017 are explicit about this. The risk-based approach that runs through the entire regulatory framework — from the firmwide risk assessment under Regulation 18 to the client and matter risk assessments under Regulation 28 — requires genuine, firm-specific analysis. Not a standard checklist. Not a generic document with the firm's name at the top. A real examination of real risks, documented in a way that demonstrates the firm has actually thought about its specific situation.
👠 The Stepsisters — What the Enforcement Data Actually Shows
The ugly stepsisters did not fail because they were malicious. They failed because they tried to make something fit that was not made for them. The AML failures are the same: not deliberate wrongdoing, but frameworks that were not built for the specific firm using them, applied without the genuine thought and tailoring the regulations require.
The numbers — current SRA enforcement data
The pattern across enforcement decisions is remarkably consistent. Nine out of ten AML cases in Q1 2024 related to deficiencies in establishing proper AML frameworks. Firms were either unable to produce compliant AML documentation on request or failed during on-site inspections and file reviews. The issues were not exotic. They were fundamental: absent client and matter risk assessments, inadequate staff training, policies that existed on paper but were not followed in practice.
Critically, and this is the point that surprises many, a finding of financial crime is not required for a referral for investigation that could lead to enforcement action. It is enough for the SRA's inspector to find that the safeguards were not in place. The firm that has never been anywhere near a money laundering transaction can still receive a substantial fine if its framework is inadequate. The slipper does not have to have been stolen to cause a problem. It simply has to not fit.
Recent enforcement decisions include: a firm fined £23,035 for failing to undertake client and matter risk assessments on five files; a firm fined £19,383 for failing to complete due diligence in a conveyancing transaction that resulted in a vendor fraud of over £100,000; and — most recently — a firm fined for failing to record client risk assessments over an eight-year period from 2017 to 2025, with investigators finding that 83% of files reviewed lacked the mandatory documentation.
The firms avoiding fines in 2025 are not necessarily larger or better resourced. They are the ones that can prove how AML decisions are made, recorded, and reviewed. That is a capability that comes from a genuinely tailored, genuinely implemented framework — not from a template that has been filed and forgotten.

🪡 Crafting the Bespoke Slipper — What Tailoring Actually Means
A genuinely tailored AML programme is not significantly more complicated to produce than a generic one. What it requires is genuine thinking — about your actual firm, your actual clients, your actual risks — rather than a find-and-replace on a downloaded document. Here is what that thinking looks like across the key elements of a compliant programme.
01 The Firmwide Risk Assessment — Regulation 18
The FWRA is the foundation of the entire framework.
Every other element of your AML programme — your policies, your CDD procedures, your training, your monitoring — should flow from what your FWRA says about the specific risks your firm faces. A FWRA that could have been written for any firm in your sector is not a FWRA. It is a template.
A genuinely tailored FWRA identifies your specific client types and the money laundering risks each presents; your specific services and the vulnerabilities each carries; your geographic exposure — including any cross-border client relationships or transactions; and your delivery channels, including whether clients are met in person or onboarded remotely. It is updated when your practice changes. It is the document your fee earners have actually read and can use to inform their matter-level decisions.
→ Does your FWRA reflect your actual client base — or a theoretical one?
→ Has it been reviewed in the last six to twelve months?
→ Does it address your sanctions exposure — UK, US, UN, and others?
→ Could a regulator read it and understand your firm's specific risk profile?

02 Policies, Controls and Procedures — Regulation 19
Your PCPs must be proportionate to the risks identified in your FWRA — which means they must be specific to your firm, not general to the sector. PCPs that describe what a law firm should do in theory, without reference to what your firm does in practice, fail to meet the requirement. The SRA consistently finds that template PCPs do not address the nuanced governance requirements that arise from a firm's specific operational context.
The practical test is simple: could a new fee earner at your firm read your PCPs and understand exactly what they are required to do, at what point in a matter, in relation to the specific types of client and transaction your firm handles? If the answer is uncertain, the PCPs need work.
→ Do your PCPs define who performs CDD, at what level, and at what point in a matter?
→ Do they describe the specific escalation route to your MLRO — not a generic one?
→ Are they communicated to all relevant staff — and can you evidence that communication?
→ Do they address the technology your firm actually uses for AML screening?

03 Client and Matter Risk Assessments — Regulation 28
The FWRA sets the firm's overall risk profile. For each individual client and each individual matter, a separate, documented risk assessment must be carried out before the business relationship begins — considering the specific risk factors of that client, that matter, and that transaction.
Generic tick-box checklists with limited recording space are a structural problem. They encourage summary rather than analysis. They record conclusions without the reasoning behind them. They look like a risk assessment until a sophisticated examiner looks at them — at which point it becomes apparent that the decision-making process they were supposed to document has not actually happened.
The SRA found that 83% of files at one recently fined firm lacked any documented risk assessment prior to the commencement of legal work. This is not an isolated finding. It is one of the most consistent themes across enforcement decisions. The client risk assessment must exist, must be completed before work starts, and must document the specific reasoning — not just a tick in a box.
→ Does your risk assessment form have sufficient space to record the actual reasoning?
→ Are risk assessments completed before work commences on every in-scope matter?
→ Do your fee earners understand what constitutes high risk for your specific practice areas?
→ Are risk assessments updated when the matter or client circumstances change?

04 Client Due Diligence — Regulation 28
Know your client — not just their name and address, but who they are, what they do, the nature of the business relationship, and the source of the funds involved. Standard CDD applies to most clients. Simplified due diligence is available only in limited, specifically documented circumstances. Enhanced due diligence is required for higher-risk clients — including politically exposed persons (PEPs), clients from high-risk third countries, and complex or unusually large transactions.
The SRA's enforcement decisions show consistent failures in source of funds and source of wealth checks — particularly in property transactions, where the origin of purchase funds is not always traced back to the ultimate source. CDD is not a one-off exercise at the start of a retainer. It is an ongoing obligation that must be updated as the matter develops and as the risk profile changes.
→ Does your CDD process require source of funds checks on every in-scope transaction?
→ Are your procedures for PEPs documented specifically — not addressed generically?
→ Do your fee earners know when to apply EDD — and what EDD looks like in practice?
→ Is ongoing monitoring built into your matter management — not just the onboarding stage?

05 Sanctions Exposure
Sanctions compliance is an area that many small London law firms treat as a minor footnote in their AML programme. It is not. The sanctions regimes applicable to UK law firms include the UK's own autonomous sanctions legislation, UN Security Council resolutions, and in relevant circumstances US Treasury OFAC designations. The obligation to screen clients against applicable sanctions lists applies regardless of the size of the firm and regardless of whether the firm has had any previous encounter with a sanctioned individual.
The question of how often screening is performed — and against which lists — must be answered in your PCPs. Performing a one-off check at onboarding is not sufficient. Sanctions designations can change. A client who was not designated when they instructed you may become designated during the course of the retainer. Your procedures must address this.
→ Do your PCPs state how often sanctions screening is performed, and against which lists (UK, UN and, where relevant, US OFAC)?
→ Is screening repeated during the retainer, not only at onboarding, so that a client designated mid-matter is caught?
→ Is screening applied to every client, regardless of how low-risk the firm's past experience suggests they are?
→ Does your FWRA record the firm's sanctions exposure, and can you evidence each screening result?

06 Training — Regulation 24
All relevant employees must receive regular AML training — appropriate to their role, their level of responsibility, and the specific risks the firm faces.
The SRA has been increasing its scrutiny of training in recent reviews, and the common finding is that training exists in form but not in substance: it covers the regulatory requirements in general terms but does not address the firm's specific policies, the specific red flags relevant to the firm's practice areas, or the specific escalation procedures that apply.
A fee earner who has completed an annual online AML module but cannot explain what the firm's FWRA says about its primary risk areas, or who does not know the name of the MLRO and the internal reporting procedure, has received training that does not meet the requirement. Training must be documented, role-specific, and evidenced.
→ Does your training address your firm's specific policies — not just the regulations in general?
→ Can all relevant staff identify the red flags specific to your practice areas?
→ Do all staff know the internal reporting procedure and the identity of the MLRO?
→ Is training documented and dated — so it can be produced to the SRA on request?

07 The Independent Audit — Regulation 21(1)(c)
Regulation 21(1)(c) requires firms to examine the adequacy and effectiveness of their AML framework through independent audit — and to act on the recommendations that audit produces. The regulation frames this as applying where appropriate to the size and nature of the business, so a firm that decides an audit is not appropriate for it should record that decision and the reasoning behind it, because the regulator will ask for it. The independence requirement is significant: an audit conducted by the person responsible for the framework being audited does not meet the standard. For small firms where internal independence is structurally impossible, external audit is not an option — it is the answer.
The independent audit is the mechanism by which the firm tests whether its framework works in practice, not just on paper. It assesses whether the FWRA is adequate for the firm's actual risk profile; whether the PCPs are being followed; whether the training is effective; whether the matter risk assessments are being completed correctly and at the right point; and whether previous audit recommendations have been implemented.
A firm that has never had an independent audit — or whose last audit did not examine file-level compliance — is operating on the assumption that its framework is working. That assumption may be correct. Without the audit, it cannot be evidenced.
→ When was the last independent audit of your AML framework?
→ Did it include file-level review — or only documentation review?
→ Were recommendations made — and were they implemented and evidenced?
→ Is the audit conducted by someone genuinely independent of the framework being audited?

🧵Crafting Your Bespoke Slipper: A Tailored AML Programme
To illustrate the point of this post, here is a brief review of the firm-specific, nuanced nature of effective AML documentation and implementation, element by element:
- Ensuring Effective AML Implementation. AML governance requires strict adherence to mandatory requirements, including seeking supervisory authority approval, appointing an MLRO, and meeting specific reporting deadlines. However, the practical application of those governance requirements must be tailored to the size, nature, client demographics, and geographic scope of your law firm. For instance, the budget and allocation of resources will vary significantly between an international firm and a local practice. While templates may cover the mandatory regulatory elements, they often fail to address the nuanced governance requirements stemming from your firm's specific operational context, potentially leaving critical risks unmitigated.
- Bespoke Firm-Wide Risk Assessment: Ensuring Robust AML Compliance Through Tailored Analysis. A generic risk assessment is inadequate. Your firm must conduct a thorough, firm-specific, and up-to-date risk assessment to identify and assess the unique Money Laundering and Terrorist Financing risks it faces. This granular assessment will directly inform the development of tailored 'Policies, Controls and Procedures,' ensuring the implementation of a robust and effective AML program that reflects your firm's specific risk profile and operational context.
- Bespoke PCPs: Ensuring Robust Compliance Through Nuanced Policies and Controls. The requirement to establish and maintain "Policies, Controls, and Procedures" (PCPs) necessitates a tailored approach that directly reflects the specific Money Laundering and Terrorist Financing risks identified in your firm's firm-wide risk assessment. This underscores the fundamental importance of nuance: generic templates, devoid of firm-specific considerations, will fail to provide the robust compliance framework required to effectively mitigate your firm's unique risks.
- Beyond Generic Templates: Tailoring CDD to Your Firm's Unique Risk Profile. Your firm's risk assessment is the cornerstone of your CDD framework. Your "Policies, Controls, and Procedures" must define who CDD is performed on (individuals or entities), at what level, how, when, and with what frequency, all informed by your specific risk assessment. Your firm's stance on reliance, monitoring, complex transactions, anonymity, and Politically Exposed Persons should be explicitly detailed, reflecting your unique risk appetite. What constitutes high risk for one firm may be lower for another, demanding a bespoke solution.
- Practical Client & Matter Risk Assessments: Tailoring for Effective Risk Management. To manage risk effectively, each client and matter requires its own in-depth assessment. Be cautious of generic checklists and a tick-box mentality, which limit critical thinking and can obscure threats. Limited recording space has the same unintended consequence: it pushes fee earners to summarise, so the decision-making process that should have been recorded is not. Implement procedures that identify the risks specific to each engagement, so that they inform tailored mitigation and feed back into a comprehensive firm-wide risk overview.
- Effective Transaction Monitoring: Establish systems to monitor transactions for suspicious activity.
- Bespoke Reporting Framework: Ensuring Compliance Through Tailored Procedures. Effective escalation and external reporting demand a tailored approach that transcends standard templates. Your firm must develop procedures that are aligned with its specific operational workflows, communication protocols, and regulatory obligations. These procedures should clearly outline the specific steps for internal reporting to the Money Laundering Reporting Officer (MLRO), as well as external reporting to government agencies and the supervisory regulator, ensuring timely, accurate disclosures that are compliant with the law.
- Practical Technology Integration: Tailoring for Operational Relevance. Your firm's technology use in AML should be documented for practical application. Avoid generic descriptions. Instead, detail how the technology functions within your specific operational context, including its role, data sources, and the scenarios where it's employed.
- Comprehensive, Tailored AML Training: Meeting the Specific Needs of Your Staff and Practice. To ensure effective compliance, AML training must move beyond basic regulatory awareness. It should be tailored to the specific roles, responsibilities, and risks faced by your staff and your practice. Document the deployment of training, ensuring it covers core legislation, reporting requirements, legal professional privilege, data protection, and, crucially, red flags and risk indicators that are directly applicable to each staff member’s daily tasks. This tailored approach ensures practical application and enhances compliance awareness.
- Bespoke Internal Controls: Ensuring Relevance Through Tailored Audits and Screening. To ensure effectiveness, your firm's internal controls must be tailored to its unique size and nature. This means an independent AML audit that goes beyond a standard checklist to assess the adequacy and practical effectiveness of your firm-specific Policies, Controls, and Procedures (PCPs). Furthermore, employee screening, both pre-employment and ongoing, should be customised to mitigate the specific risks associated with your firm's operations and personnel. This tailored approach ensures that internal controls are not merely compliant, but truly effective.
- Risk-Informed Record Keeping: Customising for Compliance and Security. Effective record keeping goes beyond basic storage. It requires a tailored approach that addresses your firm's specific data protection and AML compliance obligations. Your procedures should be informed by your firm's risk assessment and operational realities, ensuring both security and regulatory adherence.

🔮 The Fairy Godmother Moment — Except it does not work like that
In the story, the Fairy Godmother transforms Cinderella. The gown appears. The carriage arrives. The glass slipper is produced, perfectly fitted, entirely ready. Cinderella does not do the work. The magic does it for her.
An independent AML audit does not work like that. And it is worth being precise about this — because the distinction matters both for what a firm should expect from an audit, and for what the regulations actually require.
The auditor examines. They assess the adequacy and effectiveness of the firm's AML framework against the requirements of the Money Laundering Regulations 2017. They identify gaps, weaknesses, and areas where implementation has fallen short of what the policies require. They produce a report. They make recommendations.
What they do not do is implement those recommendations. That is the firm's work. The transformation — if it happens — is produced by the MLRO, the principal, and the fee earners who take the audit's findings seriously and act on them specifically. The auditor provides the light. The firm walks towards it.
This matters because the SRA, when it reviews a firm's AML framework, will ask not only whether an independent audit has been carried out but whether the recommendations from that audit have been implemented. A firm that can produce an audit report from two years ago — but whose file reviews still show the same gaps that were identified at the time — has not met the requirement.

Consider this fictional situation:
A small London law firm — a general practice with a busy conveyancing and private client caseload — has an AML programme in place. It has a FWRA, a set of PCPs, and a client risk assessment form. The MLRO is the principal. Staff have completed annual online AML training. On paper, the framework looks adequate.
An independent file review tells a different story. The matter risk assessments on conveyancing files are completed after exchange rather than before commencement. The source of funds checks are recorded as "funds from savings" without further documentation. The PEP screening is performed once at onboarding and not updated during the matter. The training records confirm completion but do not document what was covered.
The audit produces specific recommendations. The firm receives them. If those recommendations are implemented — the risk assessment process revised, the source of funds procedure updated, the training documentation improved — the firm is in a substantially better position than it was. (The responsibility remains the firm's throughout: relevant persons cannot delegate their AML obligations to an auditor, and there is still no guarantee that past inadequacies will not lead to internal referrals and fines.)
If the report is filed and the practice continues as before, the audit has changed nothing of substance. The slipper still does not fit. The only difference is that the firm now has a document that proves it knew.
The Fairy Godmother moment in AML terms is not the audit itself. It is what the firm does with the audit. The glass slipper — the genuinely tailored, genuinely implemented, demonstrably effective framework — is the result of the firm's own work in response to what the audit found. The auditor provides the roadmap. The firm makes the journey. That is a more demanding version of the story than the fairy tale. But it is the accurate one — and it is the one that holds up when the SRA examiner arrives.

⏰ The Clock Strikes — Why 2027 Changes the Stakes
In the fairy tale, the clock striking midnight is the moment when everything changes. The carriage becomes a pumpkin. The gown disappears. Cinderella must leave — or face the consequences of the illusion being revealed.
For small London law firms, 2027 is shaping up to be a similar moment — not because the compliance requirements will change at midnight, but because the supervisor who will be examining them will.
The FCA takes over from the SRA for AML supervision
The UK Government announced in October 2025 that the Financial Conduct Authority will take over AML supervision of law firms from the SRA, as part of a wider reform of the AML supervisory regime ahead of the FATF mutual evaluation scheduled for August 2027. The anticipated timeline runs from draft legislation in autumn 2026 through Royal Assent mid-2027, with full FCA supervision of all in-scope professional services firms expected by 2029.
The implications for small London law firms are significant and specific. The SRA, for all the increasing vigour of its recent enforcement, operates as a sector-specific, guidance-led regulator. The FCA does not. The SRA caps fines at £25,000. The FCA has issued penalties running to tens of millions of pounds. The FCA's expectations around documented effectiveness — its insistence on being able to see not just that a framework exists but that it works — are considerably higher than anything the SRA has applied to date.
A firm that arrives at FCA registration with an inadequate, out-of-date, or template-based AML framework is not beginning a new supervisory relationship from a neutral position. It is beginning it from a position of demonstrated non-compliance with requirements that have been in force since 2017. The time to address that is before the transition, not after it.

What this means right now for small London law firms
The current obligations under the MLRs 2017 do not pause during the transition period. Every requirement that applies today — firmwide risk assessment, client and matter risk assessments, CDD, ongoing monitoring, training, independent audit — continues to apply throughout the transition and beyond. The transition changes who is watching. It does not change what is required.
The most effective preparation for FCA supervision is not to research FCA expectations. It is to ensure that the current framework is fully compliant, genuinely tailored, and demonstrably implemented. A firm that meets the current SRA standard — properly and in substance, not in form — will be in the strongest possible position when the FCA takes over.
That is the bespoke slipper. Built correctly. Fitting perfectly. Ready for the next ball — whoever is judging the fit.

✨ The Happy Ending — What a Compliant Firm Looks Like
Cinderella's story ends well not because the slipper fits by chance — but because the slipper was made for her specifically, and the fit is exact. The same is true for AML compliance. The firms that fare best under regulatory scrutiny are not the ones who have the most elaborate documentation. They are the ones who can demonstrate, specifically and practically, that their framework was built for their firm — and is working in the way it was designed to.
A compliant small London law firm has a FWRA that was last reviewed within the past twelve months and reflects the actual risk profile of the actual practice. Its client and matter risk assessments are completed before work commences on every in-scope matter, with documented reasoning rather than ticks in boxes. Its PCPs describe what the firm's staff actually do — not what staff at a theoretical law firm might do. Its training records are specific, dated, and evidenced. Its MLRO has the skills, experience, and documented authority to discharge the role effectively. And its Regulation 21 independent audit has been completed recently, with the recommendations implemented and evidenced.
That firm, when the SRA or — in time — the FCA visits, can answer every question from a position of confidence. Not because nothing will ever be found, but because the framework is genuinely there — tailored, implemented, and documented. The slipper fits because it was made to fit.
Do not let your firm become a cautionary tale. The glass slipper was not generic. Neither should your AML programme be.

AML Compliance Services for Small London Law Firms
Alexander Christian provides independent AML compliance support for small law firms in London — typically practices of one to ten fee earners, dealing with conveyancing, private client, family, or general practice work.
Mock AML Audit
An informal audit that goes through the rigours of the formal process — giving your firm a clear picture of where attention is needed before the regulator asks the same questions. Includes file review and framework assessment.
Regulation 21 Independent Audit
A formal independent audit of your firm's AML framework — examining adequacy, effectiveness, and compliance with recommendations. Produced to the standard required for regulatory purposes under Regulation 21(1)(c).
AML File Reviews
A structured review of client files against your firm's policies, controls and procedures — identifying gaps in CDD, risk assessment, and ongoing monitoring at the matter level, where most enforcement action originates.
Staff Interviews
Assessment of how AML policies are understood and applied across the firm — examining training effectiveness, escalation pathways, SAR awareness, and whether the framework is genuinely embedded in practice.


