Alexander Christian | London
Law Firm | Business Consultancy

AML FILE REVIEWS · SMALL LAW FIRMS · LONDON

Your AML policy says the right things. Do your files?

The SRA consistently finds that the most common AML failures in law firms are not in the documentation. They are in the files. Written policies exist. Client and matter risk assessments are either missing, generic, or not matched to the actual risk. Client Due Diligence (CDD) is incomplete or inconsistently applied. We provide independent file reviews that examine what is actually happening in practice — and tell you what we find.

WHAT A FILE REVIEW EXAMINES

Client risk

Are client risk assessments being completed, documented, and applied to the level of CDD carried out — or are they generic, undated, or absent?

Matter risk

Is the risk of each matter being assessed separately from the client — and is the assessment reflecting the actual transaction rather than a default rating?

CDD in practice

Is customer due diligence complete, proportionate, and evidenced on file — or is it concentrated at the start of the relationship and not revisited?

WHERE AML FAILURES ACTUALLY LIVE 

The gap between written policy and file practice

Most firms have AML documentation. Many firms' files tell a different story. Understanding that gap — honestly and systematically — is where independent review adds the most value.

The SRA's AML Annual Report 2024-25 (dated 30 October 2025), the most recent and most detailed supervisory data available, identifies client and matter risk assessments as the single largest cause of SRA referrals. Across the files reviewed, 16% had no assessment at all or incomplete documentation. A further 39% had an assessment that failed to effectively evaluate the money laundering risk. That is 55% of reviewed files with a client or matter risk assessment problem of one kind or another, under Regulation 28 of the Money Laundering Regulations 2017.


The same report records 151 AML outcomes in 2024-25 — up from 78 the previous year and 47 the year before that. The SRA carried out 935 proactive engagements including onsite inspections, desk-based reviews and thematic assessments. Almost a third of firms examined were assessed as non-compliant, with a further 54% only partially compliant. The direction of travel is unambiguous: supervisory activity is increasing, outcomes are increasing, and the expectation that all firms will face AML scrutiny in the near future has been stated explicitly by the SRA.


These documents provide vital insight and show how common these issues are across regulated law firms. That commonality should prompt proactive effort, not complacency.

Is there a gap between Policy and Practice?

The question an independent file review answers is not "do you have the right documents?" It is "are those documents being applied in practice — and is that practice consistent, documented, and proportionate to the risk on each file?"

01.

Risk assessments completed as a formality

Client and matter risk assessments exist on file — but they carry a default rating, are undated, or do not reflect the actual characteristics of the client or the transaction. They satisfy the requirement on paper but not in substance.

02.

CDD not matched to the risk level

Standard CDD is applied regardless of the risk assessment outcome. Higher-risk clients and matters are not receiving enhanced due diligence. Lower-risk matters are receiving disproportionate scrutiny. The risk-based approach exists in the policy but not in the file.

03.

Source of funds not adequately evidenced

Source of funds and source of wealth are not consistently sought, documented, or evaluated — particularly on higher-value property transactions where this is a specific area of SRA scrutiny.

04.

Ongoing monitoring absent in practice

CDD was collected at the start of the client relationship and has not been reviewed as the relationship developed, the client's circumstances changed, or new matters were opened that carry a different risk profile.

05.

Inconsistency between fee earners

Some fee earners apply the firm's CDD and risk assessment procedures rigorously. Others do not. The inconsistency reflects a training gap — fee earners have not been trained to the specific risks in their practice area or to the firm's own risk profile.

NOT KNOWING IS NO EXCUSE

"82% firms referred for lack of client and matter risk assessments – had a process in place but firms did not know it was not being followed"

This statement appears in the SRA's slides for its 'AML Controls' webinar (March 2026).

It concerns one of the most vital features of an AML framework, and the firms did not know it was not being implemented.

Not knowing speaks to training, oversight, and governance. 

UNDERSTANDING THE OBLIGATION

What client and matter risk assessments actually require

The LSAG guidance and the Money Laundering Regulations set out clear requirements. Here is what an adequate client and matter risk assessment involves in practice.

The risk-based approach — which underpins the entire AML regulatory framework — requires that the level of CDD applied to any client or matter is proportionate to the risk that client or matter presents. This means that risk must be genuinely assessed, not assumed. It cannot be adequately discharged by applying standard CDD to everything regardless of the actual risk profile.


The LSAG guidance distinguishes between three levels of risk assessment that must operate together: the Practice Wide Risk Assessment (PWRA or FWRA), which assesses the risk profile of the firm as a whole; the client risk assessment, which assesses the risk presented by each individual client; and the matter risk assessment, which assesses the risk of each specific transaction or matter separately from the client risk.


All three must be in place, must be current, must be documented, and must demonstrably inform the level of CDD applied. An adequate FWRA does not substitute for a client risk assessment. An adequate client risk assessment does not substitute for a matter risk assessment. They operate at different levels and serve different purposes.

The three levels of Risk Assessment

Level 1

Firm-Wide Risk Assessment (FWRA)

Assesses the risk profile of the firm as a whole — the types of clients the firm serves, the work it does, the geographies it operates in, and the inherent money laundering and terrorist financing risks those factors present. Must be documented, current, and reviewed periodically or when the firm's circumstances change. Every client and matter risk assessment should be consistent with this foundation.

Level 2

Client Risk Assessment

Assesses the risk presented by each individual client — their nature, background, geographic connections, PEP or sanctions status, and the circumstances in which they are instructing the firm. Must be completed at the start of the relationship and reviewed as the relationship develops. Determines the baseline level of CDD to be applied to that client across all their matters.

Level 3

Matter Risk Assessment

Assesses the risk presented by each specific transaction or matter — separately from the client risk assessment. A client assessed as standard risk may instruct on a matter that carries higher inherent risk. The matter risk assessment must be completed for each matter and must reflect the specific characteristics of that transaction — not just the client's overall risk profile.

Application

CDD proportionate to the combined assessment

The outcome of the client and matter risk assessments together determines the level of CDD to be applied. Standard CDD for standard risk. Enhanced due diligence — including source of funds, source of wealth, and additional verification — for higher-risk clients or matters. Simplified due diligence only where permitted and demonstrably justified. The risk assessment and the CDD applied must be consistent and evidenced on the file.

What inadequate looks like — and what supervisors find

✗ A risk assessment form completed with a default rating and no explanation

✗ Client risk assessed as standard without considering geographic risk, PEP status, or business type

✗ Matter risk not assessed separately from client risk — or not assessed at all

✗ Source of funds noted as "confirmed" without any supporting evidence on file

✗ Source of funds on file, but not reviewed, not documented, and no explanation or reasoning

✗ CDD collected at client onboarding and not revisited on subsequent matters

✗ EDD not applied to clients or matters that the firm's own FWRA identifies as higher risk

A depiction of an inadequate client and matter risk assessment (CMRA)

What an adequate client and matter risk assessment looks like


✓ It is specific to the client or matter — not a generic template applied without thought

✓ It identifies the relevant risk factors — client type, geographic risk, product or service risk, delivery channel risk, transaction risk

✓ It reaches a documented conclusion — high, medium, or standard risk — with reasoning

✓ It determines the level of CDD to be applied — and that level is actually applied

✓ It is reviewed and updated when circumstances change — new matters, changes in client profile, changes in the transaction

✓ It is consistent with the firm's FWRA — the risk factors identified at firm level are reflected in the assessment of individual clients and matters

✓ It is evidenced and accessible to relevant persons

Good Practice - Client Matter Risk Assessment

THE MOST IMPORTANT POINT ON THIS PAGE

A template is a starting point. It is not a risk assessment.

The SRA has now published a client and matter risk assessment template. This is genuinely useful — but the SRA has been explicit that it must be adapted to suit the firm. Understanding what that means in practice is the difference between adequate compliance and a tick-box exercise that satisfies the form but not the substance.

The SRA has consistently found — and explicitly criticised — risk assessments that are very basic or tick-box in nature, where fee earners only mark a file as high, medium, or low risk without documenting what they considered to arrive at that rating. An assessment that does not capture the reasoning is, in the SRA's view, inadequate — and it creates a particular danger: it encourages complacency when dealing with similar or apparently straightforward matters.


A genuine, adequate risk assessment must connect to the firm's own FWRA (firm-wide risk assessment). The FWRA is the foundation. It tells fee earners what the firm's specific risk profile looks like — not in generic terms, but in terms of the actual work the firm does and the actual clients it serves.


The SRA's AML Controls Webinar illustrated this precisely through a fictional case study: a fee earner was directed not just to a generic policy, but to specific information in the firm's FWRA — the types of conveyancing work that practice typically undertook, the typical range of purchase prices in their area, whether the firm regularly received funds from outside the jurisdiction, and the fact that the firm's probate department had relationships with French and Spanish law firms who could undertake CDD checks in those jurisdictions. That level of granularity in the FWRA is what enables a genuine, firm-specific risk assessment rather than a generic one.

It is important to tailor your risk assessments whether FWRA or CMRA to actual risks

What adequate tailoring looks like in practice


The FWRA identifies the firm's specific practice areas and the typical risk profile of each — not "we do conveyancing" but "our conveyancing work is predominantly residential purchases in the £200,000-£500,000 range in North West London, with a small proportion of commercial transactions"

The FWRA addresses the specific risk factors relevant to the firm's client base — whether clients typically provide funds from within the UK, what proportion instruct remotely, what the firm's experience of PEP exposure has been

The risk assessment template is adapted to include fields specific to the firm's practice areas — a conveyancing firm's template should prompt for property-specific risk factors; a probate firm's should prompt for probate-specific considerations

The assessment includes a narrative field — not just a rating — so that the fee earner records what they considered and why they reached the risk rating they did

The assessment is treated as a live document — reviewed as the matter progresses and updated when the risk profile changes, not completed once at the start and filed away

OUR SERVICE

Independent AML File Review

A focused, independent assessment of your client and matter risk assessments and CDD processes across a representative sample of your files — telling you honestly where practice matches policy and where it does not.

An independent file review is a targeted assessment — distinct from a full Regulation 21 audit — that examines how AML obligations are being applied in practice on your files. It is the most direct way to understand the gap between your written policies and what your fee earners are actually doing.


The review examines a representative sample of files across your higher-risk practice areas — testing whether client risk assessments are completed, specific, and documented; whether matter risk assessments reflect the actual characteristics of each transaction; whether CDD is proportionate to the risk level; and whether source of funds is adequately evidenced where required.


The output is a clear written report — in plain language — setting out what the file sample shows, where practice is consistent with your policies, and where it is not. 

  • Representative file sample across higher-risk practice areas
  • Client risk assessments — completeness, specificity, and currency
  • Matter risk assessments — separate from client risk, transaction-specific
  • CDD proportionality — matched to the assessed risk level on each file
  • Source of funds and source of wealth — evidenced and evaluated where required
  • EDD application — applied where the risk assessment indicates it is required
  • PEP and sanctions screening — documented on file with dated results
  • Ongoing monitoring — evidence of review as client relationships develop
  • Consistency across fee earners — identifying training gaps from file evidence
  • Written report with actionable recommendations

01.

Scoping session

A confidential conversation to understand your firm's practice areas, risk profile, and existing CDD processes. We agree the file sample and scope in writing, with a fixed fee confirmed before any work begins.

02.

File selection

We work with you to select a representative sample across your higher-risk practice areas — including random selection and, where relevant, matters where risk level or CDD completeness is uncertain.

03.

File review

We examine each file against the regulatory standard — assessing whether the risk assessment, CDD, source of funds, and ongoing monitoring meet the requirements of the MLRs and the LSAG guidance for that matter type.

04.

Fee earner interviews

Brief structured conversations with fee earners — to understand how they approach risk assessment and CDD in practice, identify training gaps, and contextualise what the files show.

05.

Draft findings and report

We discuss our findings with you before the report is finalised — no surprises in the written document. The final report is in plain language with specific recommendations.

Fixed fee, scoped and agreed before any work begins. No obligation to proceed from the initial conversation.

THE CONNECTION WITH TRAINING

Inadequate training will inevitably lead to file-level failures

When a file review identifies inconsistency between fee earners — some applying the firm's CDD and risk assessment procedures rigorously, others not — it almost always reflects a training gap rather than a conduct issue. Fee earners have not been trained to the specific risks in their practice area, or to the specific requirements of the firm's own FWRA.


The Law Society of Scotland's AML guidance makes this explicit: training must be tailored to specific roles and responsibilities and to the specific circumstances of the practice. Generic AML training that does not connect to the work fee earners actually do — the client types they serve, the transactions they handle, the red flags relevant to their practice area — fails to change behaviour because it does not speak to the situation fee earners actually face.


Regulation 24 of the Money Laundering Regulations requires that relevant employees receive appropriate AML training — covering the risks of money laundering, the firm's procedures, how to recognise suspicious activity, and how to report internally. That training must be documented, current, and role-specific.

  • Fee earners working on conveyancing need specific training on property-related red flags, source of funds requirements, and the risk factors identified in the firm's FWRA for property work
  • Fee earners working on corporate and trust matters need training on beneficial ownership verification, PEP assessment, and the specific risks of complex structures
  • Support staff collecting client ID need specific training on document verification and the indicators of false or tampered documentation
  • The MLCO and MLRO need a deeper level of knowledge than other staff — and that knowledge should be current, not based on training received several years ago
  • Training records must be maintained and demonstrate that training has taken place — an undocumented training session is indistinguishable from no training at all

Specific training for their roles and work

ANSWERS

Questions about AML file reviews

If your question is not here, call us. We would rather you asked.

What is the difference between a File Review and a Regulation 21 Audit?

A file review is a targeted, focused assessment of how AML obligations are being applied in practice on your files — specifically examining client and matter risk assessments, CDD, source of funds, and ongoing monitoring. It is faster, more focused, and typically less expensive than a full Regulation 21 audit.

A Regulation 21 audit is a comprehensive independent assessment of your entire AML framework — covering your documentation, your processes, your governance, your training, and your file practice. It fulfils the statutory independent audit function requirement under regulation 21(1)(c) of the Money Laundering Regulations 2017.

A file review does not fulfil the Regulation 21 obligation on its own. But it is often the most useful and proportionate starting point — either as a standalone exercise to understand where file practice currently stands, or as a precursor to a full Regulation 21 audit where you want to address file-level gaps before a comprehensive assessment. We will advise you on which approach makes most sense for your specific situation.

How many files does a File Review typically cover?

The number of files depends on the size of the firm, the range of practice areas in scope, and the purpose of the review. For a small firm with one or two higher-risk practice areas, a meaningful review typically covers between ten and twenty files — selected to represent the range of client types, transaction types, and risk levels the firm handles.

We include both random selection and targeted selection — random files give a genuine picture of standard practice; targeted files (for example, higher-value transactions, overseas clients, or matters flagged by the MLRO) test how the firm handles higher-risk situations.

We will agree the selection approach with you at the scoping session and explain the rationale for it. The goal is a sample that gives an indication of file practice across the firm.

What happens if you observe failures?

We will tell you clearly what we find. You will need to address the findings, carry out any remediation, and document your actions and approach. You may need to obtain specific independent training. You may need to report breaches to your regulator and take independent legal advice regarding your obligations. Failing to have a Regulation 21(1)(c) audit where one is appropriate may itself be a breach, so avoiding an audit may worsen your position.

We already have a Regulation 21 Audit - Do we need to undertake a further File Review?

Not necessarily. A well-scoped Regulation 21 audit should include file sampling as part of its assessment of whether your AML policies are being effectively applied in practice. If your last audit included a meaningful file sample across your higher-risk practice areas, a separate file review may not be the most urgent priority.

A separate file review is most useful where: your last audit did not include thorough file sampling; your practice areas have changed significantly since the last audit; you have had a change of fee earner or MLRO and want to understand current practice before commissioning a full audit; or a specific supervisory concern has been raised about file-level CDD quality.

We will discuss your specific situation at the scoping session and tell you honestly whether a standalone file review or a full audit is the more appropriate starting point.

How long does a File Review take?

For a small firm, a focused file review covering ten to twenty files typically takes between one and two days on site — plus time for the scoping session, report preparation, and the pre-finalisation discussion. The total elapsed time from instruction to final report is usually two to three weeks, depending on scheduling.

We design the process to minimise disruption to your fee-earning work. We request access to files in advance rather than on the day where possible, and we conduct fee earner interviews at times that suit your team. We will give you a clear picture of the time commitment at the scoping stage so you can plan around it.

RELATED SERVICES

Other ways we support your AML compliance

Formal audit

Regulation 21 Independent Audit

The formal, comprehensive independent assessment of your entire AML framework — fulfilling the statutory independent audit function obligation under regulation 21(1)(c). Covers documentation, governance, file practice, training, and produces a written report.

Learn more →

Documentation

AML Framework Document Review

An independent review of your FWRA, policies, controls, and procedures against the current regulatory standard — identifying gaps in your documentation before they become audit findings or supervisory concerns.

Learn more →

TAKE THE NEXT STEP

Helping you narrow the gap between policy and practice. 

A confidential scoping session — fixed fee, no obligation to proceed — gives you a clear picture of what a file review would involve for your firm and what it is likely to show.

Book your Scoping Meeting.


Get in Touch at Any Time

Do not hesitate to contact us with any queries.

Alexander Christian

Harrow Business Centre

429-433 Pinner Road

North Harrow

Middlesex

Greater London

HA1 4HN

Phone : 020 4578 4684 or

complete the contact form

Book an Initial Consultation

We offer initial consultations by pre-arranged appointment only on:

Mondays and Tuesdays

  • Pre-booked in advance
  • In-person at Harrow Business Centre


Office Hours

10am–4pm, Monday to Friday


Contact Form: To help us respond efficiently, please complete the contact form. We may be with a client or have limited availability, and the form ensures we can follow up promptly and with the right information.