AML REGULATION 21 AUDITS · LONDON LAW FIRMS · LONDON
Know where your AML framework stands - before your regulatory audit
"Is the gap between your AML obligations and your actual compliance something you are carrying quietly?"
We provide small London law firms with independent, objective Regulation 21 audits and confidential mock audits. Not to alarm you. Not judgemental.
Independent
Findings
Practical
WHY IS AML CHALLENGING
AML compliance in a small firm is carried by people — not systems
The regulations do not fall on the firm as an abstract entity. They fall on the individuals responsible for implementing and maintaining the framework. This page is written for those people directly.
If you are the MLRO
You may be doing the compliance work and the fee-earning work simultaneously.
You are responsible for the AML framework, for training, for supervising SARs, for keeping the FWRA current — whilst also carrying a caseload and serving clients.
If you are a Sole Principal or Senior Partner
You are ultimately responsible and you know it - but the day-to-day falls elsewhere.
You might feel that your oversight is lighter than it should be, and you feel your personal regulatory exposure. An adverse finding would land on you just as much as the firm - but commissioning an audit feels like opening a door you are not sure you want to open.
If you are a Compliance Officer
You know the framework - and you know where it is weakest.
You know the areas where practice does not match policy, where fee earners take shortcuts under time pressure, where the FWRA has not been updated to reflect changes in the firm's work - and you are worried about what an audit will say.
REGULATION
What Regulation 21 actually requires — in plain language
Many firms are uncertain about whether Regulation 21 applies to them, what it covers, and what the genuine consequences of non-compliance are. Here is a clear, straightforward explanation.
Regulation 21(1)(c) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires relevant persons, where appropriate with regard to the size and nature of their business, to establish an independent audit function. It is important to understand what the legislation actually says — because most commentary on this topic simplifies it in a way that is not quite accurate.
The regulation does not require you to commission an external independent auditor. It requires you to establish an independent audit function that does three specific things: examine and evaluate the adequacy and effectiveness of your AML policies, controls, and procedures; make recommendations in relation to those policies, controls, and procedures; and monitor your compliance with those recommendations. All three obligations must be met — not just the first two.
The function must be independent. Technically, this could be fulfilled by an internal person — provided they are genuinely independent of the framework being assessed. But genuine independence within a small firm is structurally very difficult to achieve, for reasons that matter and that most AML advisers do not address clearly.

Why internal independence is rarely achievable in a small firm
If you designed, drafted, or implemented your firm's AML framework — the FWRA, the PCPs, the internal escalation procedures — you cannot independently assess whether that framework is adequate and effective. You are marking your own homework. This is not a question of integrity. It is a structural impossibility. Independence requires absence of prior involvement.
Even a colleague who had no involvement in drafting the framework faces other structural obstacles: the employment relationship creates hierarchy and internal politics that can constrain honest findings about senior colleagues' work; access to files — including random sampling or pursuit of files where problems are suspected — may be informally constrained in ways that would never apply to an external assessor; and independence from the firm's governance structure may be impossible where the MLCO is a senior partner whose conduct is being assessed.
The third limb of the obligation — monitoring compliance with recommendations — is the most difficult of all for an internal person. Producing findings critical of senior partners' conduct, and then monitoring whether those partners have acted on the criticism, is not a realistic position for an employee to occupy.
An Alternative Solution - an external assessor
An external independent assessor resolves all three structural problems simultaneously: no prior involvement in the framework; no employment relationship creating hierarchy or conflict; unrestricted access to files and information; and genuine independence from the governance structure. For most small firms, external review is not a luxury or a formality — it is the only realistic way to fulfil the statutory obligation with genuine independence rather than the appearance of it.
The obligation is also qualified by size and nature — but these are two separate questions, and being a small firm does not automatically mean a lower obligation. The nature of your work matters equally and may determine the obligation more than your size.
See the FAQ below for a fuller explanation of when the proportionality argument applies — and when it does not.

82%
of firms reviewed by the SRA were referred
The SRA's most recent AML controls review found that around 82% of firms had some form of AML control failing. This is not an outlier figure — it is the norm across the profession.
Whichever of those three roles describes you, there is likely something you feel but have not said aloud: "I am not certain we are fully compliant. And I am not entirely sure I want to know the full picture." That feeling is more common than you know. You are in exactly the right place — and taking the first step to understand your position is already the most important thing you can do.
The formal independent audit
A formal, documented assessment of your AML framework conducted by an independent external assessor — fulfilling the Regulation 21 requirement and producing a written report with findings and recommendations.
✓ Helps you to fulfil your statutory independent audit requirement
✓ Conducted by an external, independent assessor
✓ Covers policies, procedures, files, and staff practice
✓ Written report with recommendations
✓ Supports your regulatory compliance record
✓ Documents your proactive approach (where applicable)
✓ Follow-up can be agreed separately.
How the two work in combination
You may wish to begin with a mock audit to understand your position, address identified gaps, and build team confidence — then commission a formal Regulation 21 audit from a stronger foundation. We are happy to discuss this with you during the scoping meeting, before work is commenced.
OUR PRIMARY AML SERVICE
Regulation 21 Independent Audit
A formal, independent, documented assessment of your firm's AML framework — fulfilling your statutory obligation and giving you a clear picture of your compliance position.
The Regulation 21 independent audit function has three statutory obligations under regulation 21(1)(c): to examine and evaluate the adequacy and effectiveness of your framework; to make specific recommendations; and to monitor your compliance with those recommendations. Most external auditors fulfil the first two and disappear. Our service is designed to fulfil all three — including follow-up review of whether recommendations have been acted on, which is the limb most commonly overlooked and least commonly delivered.
The output is a written report that sets out our findings clearly — what is working, what is not, and what specific steps we recommend. The report is drafted in plain language that your whole team can use, not regulatory jargon that sits in a drawer.
Before any work begins, we agree the scope with you in writing and confirm the fixed fee. We do not expand the engagement without your approval. We discuss draft findings with you before the report is finalised. You will not be surprised by what the report says.
The first step is a confidential scoping session — no obligation to proceed, fixed fee, clear cost from the outset.
01. Scoping session
A confidential conversation to understand your firm's size, structure, risk profile, and existing framework. Scope agreed and cost confirmed in writing before any work begins.
02. Document review
Examination of your FWRA, policies, controls, procedures, and risk assessments against the current regulatory standard — identifying gaps in your documentation before we look at practice.
03. File sampling and interviews
Review of a representative sample of client and matter files, and structured interviews with relevant staff — assessing how the framework operates in practice, not just on paper.
04. Draft findings discussion
We discuss our findings with you before the report is finalised — so there are no surprises in the written document and any factual points can be addressed.
05. Final report and recommendations
A clear, prioritised written report in plain language — with specific, actionable recommendations and optional follow-up support to implement them.
OTHER SERVICES
Other ways we support your AML compliance
Depending on where your firm is, a full Regulation 21 audit may not be the most appropriate starting point. Here are the other ways we can help.
We will always advise you on the most proportionate starting point for your situation — even if that means recommending something less than a full audit.
Mock Audit
A confidential preparatory review in the format of a Regulation 21 audit — identifying gaps and building team confidence before a formal audit. No regulatory reporting obligation. Ideal for firms that have never had an independent review.
AML Framework Document Review
An independent review of your key AML documents — FWRA, policies, procedures, risk assessments — against the current regulatory standard. A focused, lower-cost starting point where documentation gaps are the primary concern.
Client & Matter Risk Assessment Review
A targeted review of client and matter risk assessments across a sample of files — testing whether CDD, EDD, and ongoing monitoring are being applied consistently with your documented procedures.
AML Workshops & Training
Structured AML training for fee earners, support staff, and compliance officers — covering the regulations, your firm's obligations, and practical application. Available post-audit or as a standalone engagement.
Remediation & Follow-Up Support
Providing further independent support.
MLR 2026 Gap Analysis
The proposed 2026 amendments to the Money Laundering Regulations will introduce new requirements around EDD, currency thresholds, and information sharing. A focused gap analysis to identify where your existing framework needs to be updated.




