Alexander Christian | London
Law Firm | Business Consultancy


AML Regulation 21 Audits · Mock Audits · London Law Firms

Know where your AML framework stands - before your regulatory audit

For MLROs, compliance officers, and principals of small London law firms who carry a question they have not yet answered out loud.

"I am not certain we are fully compliant. And I am not entirely sure I want to know the full picture."


That feeling is more common than you know. And acting on it, before it becomes urgent, is exactly the right instinct. This page is for you.

The compliance responsibility in a small firm is carried by people

Which of these is yours?

The regulations do not fall on the firm as an abstract entity. They fall on the individuals responsible for implementing and maintaining the framework.

MLRO

Doing the compliance work and the fee-earning work simultaneously


Responsible for the AML framework, for training, for supervising SARs, for keeping the FWRA current whilst also carrying a caseload and serving clients.


The compliance work does not stop because the billable work is busy. Neither does the awareness that the framework has not been independently examined.


You: "I know I should have had this looked at. I just have not found the time and I am not sure what finding the time would actually reveal."

How it feels on the ground

Sole Principal or Senior Partner

Ultimately responsible and carrying that personally


The day-to-day compliance falls elsewhere. But the regulatory exposure does not. An adverse finding lands on the principal just as much as on the firm.


Commissioning an audit feels like opening a door you are not entirely sure you want to open. But the risk of not opening it is greater than the risk of what might be behind it.

You: "I know we need to do this. What I am not sure about is whether I am ready for what it finds."


Personal responsibility

Compliance Officer

You know the framework and you know where it is weakest


The areas where practice does not match policy. Where fee earners take shortcuts under time pressure. Where the FWRA has not been updated to reflect changes in the firm's work.


You want an independent view that confirms what you already suspect and gives you the documented basis to act on it without having to make the case yourself.

You: "I know where the gaps are. What I need is someone outside to say it so something actually changes."

You know the system's weak spots and worry about an audit

Why this does not get done

The gap between knowing you need this and acting on it.

In most firms, AML weaknesses arise not from intent, but from the quiet drift of everyday operations or updates that were easy to miss. 

The obligation that gets deferred

Regulation 21 of the Money Laundering Regulations 2017 requires certain firms to commission an independent audit of their AML framework. 


Many small firms have never obtained one: some because they are uncertain whether it applies, others because they fear what it might find.


Both carry regulatory risk.

The gap you cannot see from the inside

Most AML weaknesses are not visible to the people inside the firm. You cannot find those gaps yourself because you are too close to them, and too busy to look systematically. 


Independence is not a luxury. For most small firms it is the only way the obligation can be genuinely fulfilled.

The fear that compounds the risk

Many compliance officers and principals put off an independent audit because they are worried about what it will reveal and what obligations that knowledge creates. 


This is understandable. It is also the reasoning that tends to make eventual findings more serious, not less. Acting before it is urgent is always the right instinct.

Why internal independence is rarely achievable

Marking your own homework is a structural problem, not an integrity one.

The fundamental problem

If you designed, drafted, or implemented your firm's AML framework (the FWRA, the PCPs, the internal escalation procedures), you cannot independently assess whether that framework is adequate and effective.


This is not a question of integrity. It is a structural impossibility. Independence requires absence of prior involvement.


Even a colleague who had no involvement in drafting the framework faces other structural obstacles that an external assessor does not.

  • The employment relationship creates hierarchy that can constrain findings about senior colleagues' work
  • Access to files, including random sampling or pursuit of files where problems are suspected, may be informally constrained
  • Independence from the firm's governance structure may be impossible where a senior partner's conduct is being assessed
  • The third limb of the obligation, monitoring compliance with recommendations, is particularly difficult for an employee whose findings may be critical of the people who determine their employment

What an external assessor provides

An external independent assessor resolves all three structural problems simultaneously. No prior involvement in the framework. No employment relationship creating hierarchy or conflict. Unrestricted access to files and information. Genuine independence from the governance structure.


For most small firms, external review is not a luxury or a formality. It is the only realistic way to fulfil the statutory obligation with genuine independence rather than the appearance of it.


The ICA and ACAMS accreditations held by this practice are not decorative. They represent the professional standard against which the audit is conducted and the report is produced. The findings are stated directly. The recommendations are practical. The report is yours to act on.

Two services, clearly distinguished

The right choice depends on where your firm is.

The initial consultation identifies which is the right starting point. The two services serve different purposes and produce different outputs. Understanding the distinction before you book saves time for both parties.

For the firm that needs to evidence compliance

Regulation 21(1)(c) Independent Audit


The firm that needs a documented, defensible record of having fulfilled its statutory obligation properly.

A formal independent audit of the firm's AML framework examining adequacy, effectiveness, and compliance against the Money Laundering Regulations 2017 and LSAG 2025. 


The audit report states findings directly, including those that are uncomfortable. Recommendations are practical and prioritised. The report is a regulatory document: it demonstrates that the obligation was taken seriously and fulfilled properly.


This is not a pass or fail exercise. It is an independent professional assessment of where the framework stands, and it sets out recommendations.


It is your choice whether you comply with the recommendations.

For the firm that wants to know before it has to

Confidential Mock Audit


The firm that wants to understand its position, confidentially, before committing to the formal process.

A mock audit conducted to the same rigour as the formal engagement. The difference is the status of the output. 


A mock audit finding is not a regulatory document. It is intelligence: a clear picture of where the framework stands, used by the firm to strengthen its position before the formal process begins.


The mock audit is particularly valuable for the firm that suspects weaknesses but does not yet know their nature or severity. It removes the uncertainty and replaces it with a specific, actionable picture. The firm then decides whether to address findings before commissioning the formal audit.


Many firms use the mock audit and the formal audit together. The mock audit prepares. The Regulation 21 audit evidences.

Together

The mock audit and the Regulation 21 audit are most powerful when used in sequence. The mock audit gives the firm the intelligence it needs to prepare. The Regulation 21 audit gives the firm the documented evidence it needs to demonstrate compliance. Many firms that commission a mock audit proceed to a formal audit within the same year. The initial consultation will identify whether the sequence is right for your firm's current position.

The audit process

What happens from initial consultation to final report.

Initial Fixed Fee Consultation

A paid, in-person conversation about the firm's current position, the most proportionate starting point, and the scope of the engagement. The fee is not offset against any subsequent engagement.

Document review

Examination of the FWRA, PCPs, training records, risk assessments, and key compliance documents. The firm provides documentation in advance.

File review

A sample of client files is reviewed. The sample is determined by risk profile and agreed in advance.

Interviews

Conversations with relevant members of the firm, including the MLRO, fee earners, and support staff where appropriate, to assess how AML requirements are understood and applied in practice.

Report and recommendations

A written report stating findings. A draft is shared for factual accuracy before the final report is issued.

Other Services

Other ways we support your AML compliance

Depending on where your firm is, a full Regulation 21 audit may not be the most appropriate starting point. Here are the other ways we can help.

We will always advise you on the most proportionate starting point for your situation — even if that means recommending something less than a full audit.

Preparation

Mock Audit


A confidential preparatory review in the format of a Regulation 21 audit — identifying gaps and building team confidence before a formal audit. No regulatory reporting obligation. Ideal for firms that have never had an independent review.

Documentation

AML Framework Document Review


An independent review of your key AML documents — FWRA, policies, procedures, risk assessments — against the current regulatory standard. A focused, lower-cost starting point where documentation gaps are the primary concern.

File review

Client & Matter Risk Assessment Review


A targeted review of client and matter risk assessments across a sample of files — testing whether CDD, EDD, and ongoing monitoring are being applied consistently with your documented procedures.


Training

AML Workshops & Training


Structured AML training for fee earners, support staff, and compliance officers — covering the regulations, your firm's obligations, and practical application. Available post audit or as a standalone engagement.


Post-inspection

Remediation & Follow-Up Support


Providing further independent support. 





Regulatory change

MLR 2026 Gap Analysis


The proposed 2026 amendments to the Money Laundering Regulations will introduce new requirements around EDD, currency thresholds, and information sharing. A focused gap analysis to identify where your existing framework needs to be updated.

We help you know

Know where your AML framework stands.

Before your regulator does.

A paid initial consultation about your firm's current position and the most proportionate starting point. No advice given until the retainer is signed. No obligation to proceed.


Important note: The purpose of an independent AML audit is to assess how the firm measures against the Money Laundering Regulations 2017 and LSAG 2025 guidance and to provide practical recommendations for improvement. It is not the role of the audit to provide legal or regulatory advice. Responsibility for the design and maintenance of the AML framework remains with the firm at all times. AML compliance services do not constitute a guarantee of regulatory compliance or protection from enforcement action.

Topics and search terms

Independent Regulation 21(1)(c) AML audits and confidential mock audits for small law firms in London. ICA and ACAMS accredited. 
