A step-by-step guide for UK law firms facing SRA audits
The Solicitors Regulation Authority (SRA) is intensifying its efforts to ensure law firms meet strict AML requirements – often conducting audits with little or no warning. Failing to plan for an audit at a moment’s notice can result in a scramble to provide evidence of compliance. Worst-case scenario: a firm that lacks robust procedures may face severe penalties and damage to its reputation should it fail an SRA inspection.
In this article, we look at the key questions every UK law firm should be asking itself to ensure it can meet the SRA’s rigorous compliance requirements – at any time.
1. Have we conducted a thorough firm-wide risk assessment (FWRA)?
Law firms must have an FWRA to comply with the SRA Standards and Regulations. This means firms must conduct a detailed review of the potential risks they face – from AML to GDPR – taking into account the nature of their legal services, client base, and any firm-specific risk factors.
2. When was our last risk assessment carried out?
If your last assessment was done years ago, there’s a high likelihood it does not account for current risks. The risk assessment should be treated as a “living document”, updated at least every year and whenever there is a significant shift in client base, regulatory guidance, or the nature of your firm’s legal work.
An annual independent assessment from Legal Eye can help keep you compliant.
3. Have we conducted an independent AML audit?
Anti-Money Laundering Guidance for the legal sector states, ‘The practice must conduct an independent audit of the adequacy and effectiveness of its AML policies, controls and procedures’.
Go beyond templated checklists and adopt a risk-based approach tailored to your firm’s clientele and services. For example, use a model that considers factors like client industry, geographic exposure, transaction type, source of funds, and any complex ownership structures. Crucially, document the rationale behind each client’s risk rating and the due diligence measures applied. Many enforcement cases show firms actually performed checks informally, but got fined because they had no written record or risk rationale.
Our certified AML independent audit helps firms adhere to the latest guidance, while creating better and more effective anti-money laundering and counter-terrorist financing policies, controls and procedures (PCPs).
4. Are we familiar with our clients’ risk profiles?
To comply with AML regulations, you need to know who you are acting for. Things to consider when onboarding new clients include:
- Customer Due Diligence (CDD): Having a robust process for client onboarding is non-negotiable. The days of relying on “gut feel” to spot suspicious behaviour are long gone.
- Enhanced Due Diligence (EDD): Have you implemented procedures to identify high-risk clients, such as politically exposed persons (PEPs) or clients whose sources of funds are difficult to verify? Enhanced checks are mandatory for high-risk individuals or corporate structures.
- Beneficial owners: If your firm deals with corporate or trust structures, you must identify the individuals behind those entities. Lack of transparency in ownership should raise immediate red flags.
CDD and EDD are not one-time events – they are an ongoing obligation. The Law Society’s guidance emphasises regularly reviewing and updating client information, and monitoring transactions for anything suspicious throughout the client relationship. Along with scheduling periodic reviews of high-risk clients, ongoing monitoring means scrutinising client transactions in real time relative to the expected activity.
5. Are our policies, controls, and procedures (PCPs) compliant and current?
Generic PCPs don’t work because they aren’t tailored to the unique risks your business faces. If yours reads like a cut-and-paste job, it’s time to rewrite. Consider your client demographics, the matters you handle, and the nature of transactions you process. Tailor your policies to reflect these nuances.
Your policies aren’t static and are probably outdated if they were written once and then left to gather dust. Regularly review and update them, ensuring they reflect any changes in regulation, your business, or your client base.
6. Are our AML procedures adequately documented and understood?
Compliance is everyone’s responsibility – not just the MLRO or compliance team. This means regularly training staff to spot red flags and understand evolving regulations. Based on recent advice from the SRA, good compliance training should be:
- Accessible and relevant
- Not exclusive to senior staff or specific teams
- Relevant to individuals’ roles
- Regularly updated to include real-life examples
- Designed to engage staff via a variety of delivery methods
- Tested regularly through internal audits, spot checks, or file reviews.
You can learn more about good AML law firm training here.
7. How can we be sure we’re not handling the proceeds of crime?
Perhaps the most serious risk a law firm faces is the unwitting or negligent handling of criminally derived funds. Understanding where your client’s money comes from is pivotal. Basic identity checks alone won’t stop money laundering – elevate your checks on where the money comes from.
Source of Funds & Source of Wealth checks
Source of Funds (SoF) describes money used to fund a specific transaction, while Source of Wealth (SoW) is the source of a client’s total wealth/assets.
These checks should include verifying bank statements, salary slips, sale agreements, inheritance documents, or audited financial reports to substantiate the source and legitimacy of the funds. Different levels of due diligence apply depending on risk. Standard CDD may require a basic SoF check, while EDD requires a more thorough SoW investigation.
8. Do staff know how to make a suspicious activity report (SAR)?
All staff should know what to do if they suspect something isn’t right. SARs (Suspicious Activity Reports) are your first line of defence, and everyone in your firm needs to know how and when to submit one internally. Clear guidelines for escalating concerns to your MLRO (Money Laundering Reporting Officer) foster a compliance culture that protects the firm and its clients. If only your MLRO knows the process, it’s time for an update.
9. Do we have a clearly documented audit trail?
During a regulatory inspection, you must show how decisions were made and the rationale behind those decisions. As such, an audit trail is the backbone of your AML compliance. Things the SRA may ask to see include:
- Evidence of a compliant firm-wide risk assessment (FWRA)
- Copies of your policies, controls and procedures (PCPs), including your AML policy
- Details of your firm’s onboarding processes and checks
- A sample of client and matter risk assessments
- CDD & EDD records
- SoF & SoW records
- Suspicious activity reports (SARs)
- A sample of the firm’s open and closed files
- Other supporting documents
- Training records
- A list of all fee earners
- Minutes of board meetings to demonstrate a compliance culture
10. When did we last conduct a gap analysis?
A gap analysis helps you to measure your firm’s current AML procedures against best practices and regulatory expectations. Once vulnerabilities are identified, your next step is implementing specific measures to strengthen those areas. This might include additional training, new technologies, or revised procedures for client onboarding.
Carried out in just one day, Legal Eye’s gap analysis provides a comprehensive review of all aspects of risk and compliance, offering firms the insights needed to safeguard their operations and mitigate regulatory risks. Following the review, firms will be provided with a written report identifying any corrective actions recommended as a result of the audit.
The cost of non-compliance should not be ignored
If your firm is unprepared, regulatory fines are not the only loss you might suffer. Damaged client trust, negative media coverage, and potential liability for senior partners can spell disaster. Building and maintaining a robust compliance infrastructure is a significant undertaking, even for well-resourced law firms. But partnering with an external specialist like Legal Eye can provide the expertise, objectivity, and resources needed.
Don’t wait until it’s too late. Start reviewing – and, if necessary, revamping – your AML procedures with Legal Eye today. Contact us. Email: [email protected] or call: 020 3051 2049