Regulation 21 of the Money Laundering Regulations 2017 requires firms to take “appropriate measures” to ensure compliance with their AML obligations. Buried in that seemingly innocuous phrase is a requirement that catches many firms off guard – the independent audit.
After three decades working with law firms on anti-money laundering compliance, we can tell you that the independent audit requirement under Regulation 21 is one of the most misunderstood – and most frequently inadequate – aspects of AML compliance frameworks. Yet it’s also one of the most powerful tools you have to protect your firm.
Understanding the Regulation 21 Requirement
Regulation 21 isn’t a suggestion; it’s a legal requirement. It mandates that firms must have their AML policies, controls, and procedures (PCPs) independently audited. The key word here is “independent” – this cannot be a box-ticking exercise conducted by someone who designed the systems they’re auditing. The regulations require an objective, expert evaluation of whether your AML framework is not just documented, but actually adequate and effective.
The question isn’t whether you need this audit. The question is whether your current arrangements genuinely satisfy the regulatory requirement and provide meaningful assurance that your systems are working as intended.
What Makes a Regulation 21 Audit Effective
An effective Reg 21 audit goes far beyond reviewing your written policies. We’ve seen too many “audits” that simply check whether documents exist and whether they mention the right regulations. That’s not what Regulation 21 requires, and it’s certainly not what provides genuine protection for your firm.
A proper Regulation 21 audit examines three critical elements:
- First, adequacy: Are your PCPs comprehensive, up-to-date, and appropriate for your firm’s specific risk profile? Do they reflect your practice areas, client base, and the jurisdictions you work with?
- Second, effectiveness: Are your PCPs being followed in practice? This requires examining actual client files, interviewing staff, and testing whether the controls you’ve documented are actually being applied consistently.
- Third, alignment: Do your PCPs align with your firm-wide risk assessment? Are the controls you’ve implemented proportionate to the risks you’ve identified?
The Legal Eye Approach: Two Options, One Goal
Legal Eye offers two distinct approaches to Regulation 21 compliance, because we understand that different firms have different needs and different levels of AML maturity.
Option 1: The One-Off Audit
This comprehensive audit is ideal for firms who need to satisfy the Reg 21 requirement or who want a thorough independent assessment of their AML framework. We conduct a complete evaluation of your PCPs, including staff interviews and a representative sample of file reviews. You receive a detailed audit report highlighting any corrective actions needed.
The cost is spread over three consecutive monthly payments, making it manageable within your compliance budget. At the end of the process, you have complete clarity on where your AML compliance stands and what needs to be addressed.
Option 2: The Audit with Certification (Rolling Contract)
This is our gold standard approach for firms that want not just compliance, but demonstrable excellence in their AML arrangements. Here’s how it works:
Year 1: We conduct a full Regulation 21 audit. Once you’ve implemented the recommended correctives, we certify your compliance and issue your firm the Legal Eye AML Accreditation Logo.
Year 2: We conduct an audit recertification to verify that your compliance has been maintained and to identify any new areas for improvement.
This rolling two-year cycle ensures you have ongoing, demonstrable compliance with Regulation 21. The certification provides tangible evidence to clients, insurers, and regulators that your AML framework has been independently verified by recognised experts.
Why Independent Expertise Matters
The Legal Eye team includes former SRA case handlers who have investigated AML failures firsthand. We know what regulators look for, what constitutes best practice, and critically, what shortcuts and inadequate arrangements look like. Our auditors have seen AML compliance from every angle – as regulators, as practitioners, and as compliance specialists.
This matters because an effective Regulation 21 audit requires more than just knowledge of the regulations. It requires understanding how AML risks manifest in legal practice, how controls should operate in reality, and what effective supervision and oversight look like.
What the Audit Covers
Our Regulation 21 audit is comprehensive. We examine your:
- Firm-wide risk assessment and how it drives your AML approach
- Client due diligence procedures and their practical application
- Ongoing monitoring arrangements
- Staff training and awareness
- Suspicious activity reporting procedures and culture
- Record-keeping and documentation
- Management information and oversight
- PEP and sanctions screening processes
- Source of funds and source of wealth verification
We don’t just check whether these elements exist – we evaluate whether they’re adequate for your firm’s risk profile and whether they’re being applied effectively in practice.
The Cost of Getting It Wrong
The financial penalties for AML failures can be devastating. We’ve seen firms face six-figure fines, regulatory intervention, and reputational damage that takes years to recover from. But perhaps more concerning is the criminal liability that can attach to AML failures – both for firms and for individuals in key compliance roles.
An inadequate Regulation 21 audit doesn’t protect you. If your audit fails to identify deficiencies that later come to light, you haven’t satisfied the regulatory requirement. You’ve simply paid for false assurance.
Making the Right Choice
Whether you choose our one-off audit or our certification program, you’re investing in genuine independent assurance. You’re demonstrating to regulators, clients, and insurers that you take your AML obligations seriously. And you’re gaining peace of mind that your systems are not just documented, but actually working.
For MLROs, COLPs, and COFAs carrying the weight of AML compliance, this audit is more than a regulatory requirement – it’s professional protection.
Is your firm’s AML framework genuinely fit for purpose?
Let’s find out. Contact Legal Eye today to arrange your Regulation 21 independent audit. Email [email protected] or call 020 3051 2049.
Don’t wait for a regulatory intervention to discover your AML gaps. Be proactive, be protected, be compliant.