Anti-Money Laundering Annual Report 2023-24

Money laundering is when criminals 'clean' the proceeds (the financial gains) of crime. Criminals transform proceeds into assets, such as houses or businesses, or other seemingly legitimate funds, for example, money in a bank account. In some cases, laundered money is used to fund terrorism.

Money laundering makes these proceeds look like genuine sources of income, which criminals can then spend freely and without raising suspicion. Such criminals often make their money from serious crimes like fraud, or trafficking people, wildlife or drugs.

It is estimated that more than £100bn is laundered every year through the UK or through UK corporate structures. The National Crime Agency (NCA) believes there are approximately 4,500 organised crime groups operating in the UK.

Tackling money laundering remains an international and UK priority, among other reasons due to:

• a rise in terrorist attacks in recent years, funded by proceeds of crime
• the expansion of the sanctions regime which may provide an additional motive to conceal the origins of money
• an increasingly complex and uncertain global situation which may lead to a higher risk of all types of financial crime including money laundering.

The information in this report details our work in this area and highlights key information on specific areas of our AML work for the 2023/24 fiscal year.

We produce this report as part of our responsibility as an AML supervisor and our duty to report information to the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) under regulation 46A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017(as amended) (MLR 2017). Where we refer to 'the regulations' in this document, this refers to the MLR 2017.

For this purpose, we are reporting on the fiscal year (6 April 2023 to 5 April 2024).

The Solicitors Regulation Authority (SRA) is the regulator of solicitors and law firms in England and Wales. We work to protect members of the public and support the rule of law and the administration of justice. We do this by overseeing all education and training requirements necessary to practise as a solicitor, licensing individuals and firms to practise, setting the standards of the profession and regulating and enforcing compliance against these standards.

We are the largest regulator of legal services in England and Wales, covering around 90% of the regulated market. We oversee over 200,000 practising solicitors and around 9,300 law firms. We supervise 5,683 firms for the purpose of AML requirements.

The money laundering regulations we enforce come from the international standard-setting body, the Financial Action Taskforce (FATF). This includes the Fourth Money Laundering Directive and the Fifth Money Laundering Directive (5MLD). These directives were integrated into UK legislation through amendments to the MLR 2017 in January 2020. Following our exit from the EU, new UK legislation has come from recommendations made by the FATF and the UK Government.

The regulations set out the business types which offer services that could, potentially, be targeted by money launderers. They include banks, estate agents and some legal services.

Laundering money through the legal sector

Solicitors and law firms are attractive to criminals because they are trusted, process large amounts of money, and can make the transfer of money or assets appear legitimate. Most law firms work hard to prevent and to spot money laundering and take necessary action, but some get involved unknowingly. A very small number may even knowingly cooperate or work with criminals to launder money.

The legal sector also plays a key role in upholding the financial sanctions regime, restricting what individuals and businesses that are subject to sanctions can do.

Firms and solicitors may become involved in money laundering for several reasons, either knowingly or unknowingly. Some of these are due to the work solicitors carry out:

• Buying and selling property allows large amounts of money to be moved and converted in a single transaction. It also involves assets which are attractive as they can generate income of their own through rentals, or be lived in.
• Setting up trusts and companies that create structures which allow the true ownership and control of assets to be obscured.
• Linked to both of these, transfers through a client account allowing monies to be moved, split, or rerouted. It also gives them a veneer of legitimacy.

Other reasons are due to shortcomings in the processes which firms use, for example:

• Failing to carry out appropriate due diligence on a client's source of funds reduces the likelihood of money laundering being detected.
• Failing to train staff also reduces the likelihood of money laundering being detected and reduces the effectiveness of AML policies, controls and procedures (PCPs).

Our work as an AML supervisor

The regulations name professional bodies with responsibilities for AML supervision. The Law Society is the named supervisor for solicitors in England and Wales and delegates regulatory activities to us. This means we must effectively monitor the firms we supervise and take necessary measures, including:

• Making sure the firms we supervise comply with the regulations, and we approve the relevant beneficial owners, officers, and managers to work in those firms.
• Adopting a risk-based approach and basing the frequency and intensity of supervision on our risk assessments of firms.
• Encouraging firms we supervise to report actual or potential breaches of the regulations. We do this by:
  • making reporting it a requirement in paragraph 3.9 of the SRA Code of Conduct for Firms
  • providing a secure communication channel for reporting through the Red Alert line.

We must take appropriate measures to review:

• the risk assessments carried out by firms (under regulation 18 MLR 2017)
• the adequacy of firms' PCPs (under regulation 19 to 21 and 24 MLR 2017), and the way in which they have been implemented.

We enforce the money laundering regulations mentioned above and carry out our work as an AML supervisor through:

• sharing and receiving information to prevent money laundering with other supervisors and law enforcement agencies
• publishing guidance on the regulations
• proactive supervision – we do this through desk-based reviews and onsite inspections
• investigating potential breaches of the regulations
• taking enforcement action where breaches of the regulations are proved
• annual data collection exercises – last year we contacted all firms not within the MLR 2017 and asked them to provide us with information on their approach to managing financial sanctions risk.

Our proactive supervision

AML

We have increased the resource in the AML Proactive Supervision Team. In total, we had 545 proactive AML engagements with firms during the reporting period, compared to 273 proactive engagements in the last reporting year.

*In this context, an onsite investigation is one carried out by a non-AML team. This follows a different process to AML supervision.

These were broken down as follows:

Rolling programme of inspections	As part of an onsite investigation*	Desk-based review	Thematic work	AML Audit review
237	17	258	13	20

We carried out a thematic review, to assess how firms are complying with the requirement to risk assess clients and matters under regulation 28 (12) and (13) of the MLR 2017. We liaised with 13 firms as part of this thematic review to test and provide us with feedback on the client and matter risk assessment template we created. These engagements did not assess the firms' compliance with the MLR 2017.

Onsite AML inspections and desk-based reviews

For inspections and desk-based reviews, we typically reviewed between four and eight files for each firm, depending on the size and nature of the firm. For larger firms, or those doing a high volume of regulated work, we are likely to review eight files. We reviewed 3,035 files in total in this reporting period.

On occasions, we may also ask to see further files, if we have not been able to complete our assessment on the ones selected. For example, if there are files that show a client or matter closed quickly after being opened, or where we may have identified a trend but need to see more files to check our initial findings.

Our desk-based reviews involve examining:

• firm-wide risk assessments
• a firm's PCPs
• client and matter risk assessments
• a sample of a firm's files to assess compliance with their PCPs and the regulations.

This, to a large extent, mirrors what we do onsite.

The onsite inspections involved interviewing the firm's Money Laundering Compliance Officer (MLCO), Money Laundering Reporting Officer (MLRO) and two fee earners, using our AML questionnaire.

Compliance levels

Of the 545 firms we engaged with, 512 received an inspection, a desk-based review or an inspection carried out as part of an investigation.

We found the following levels of compliance:

	Compliant	Partially compliant	Not compliant
Desk-based reviews	29	160	69
Inspections	81	124	49
Total	110	284	118

Supervision actions

Below are the types of steps we take and an explanation, including how we define the compliance level at a firm. These are used throughout the report. We also set out the number of times we have taken these steps during the reporting period.

The figures below do not include the outcomes where we have identified AML issues as part of an onsite investigation. This is because the engagement, substance and outcome of an investigation is different to that of a desk-based review or an onsite inspection.

Actions taken	Compliance level at firm	What this involves	Step taken with number of firms
Guidance issued	Compliant	Standard required in the regulations has been met. This includes cases where no changes or minor changes are necessary, and we issue guidance or share best practice.	63 firms inspected 25 desk-based reviews
Letter of engagement	Partially compliant – where there are some elements of a firm's controls that need improving, but there is some good practice, and the firm is generally doing well at preventing money laundering.	We engage with some firms to help them refine their processes and bring them into full compliance. When we talk about our process of engagement with a firm, this is where corrective action is required in one or more areas but is not so widespread that it requires a compliance plan. Depending on the extent of action, we need evidence or confirmation from the firm that this has been rectified before we conclude our contact. We can, and do, refer firms for a disciplinary investigation if they fail to act on our letter of engagement.	111 firms inspected 122 desk-based reviews
Compliance plan	Partially compliant – not fully compliant in a number of areas or where the level of non- compliance in one area is significant.	A compliance plan sets out a series of actions that firms need to take, and by when, to bring them back into compliance with the regulations. We monitor the firm to make sure it has carried out all the actions. We require evidence that action has been taken. We can, and do, refer firms for an investigation if they fail to follow the plan.	12 firms inspected 30 desk-based reviews
Referred for investigation	Non-compliant – examples include failure to carry out CDD, no firm-wide risk assessment in place, out-of-date policies or a failure to train staff on the regulations.	We open an investigation into the firm, which may result in a sanction. Where necessary, we will also set up a compliance plan.	51 firms inspected 81 desk-based reviews

In this report, we have set out some findings from our supervisory work by theme, such as assessing risk, and the steps we have taken. We often identify more than one issue at a firm, so some firms are included in the figures for several themes throughout the report. This is particularly relevant for matters referred for disciplinary investigations where firms are often referred due to multiple breaches.

When making the decision we consider several factors, such as:

• The extent of the breaches and how widespread the issues are.
• The impact of the breach, for example, if a failure to risk assess files has led to insufficient due diligence being undertaken, or a failure to identify a politically exposed person (PEP).
• Whether there is a systemic lack of compliance, for example, a firm that does not have adequate PCPs and is failing to comply with a significant number of the regulations.

Sanctions we can apply

Following evidence of a serious breach of our rules by a firm or solicitor, we can issue a sanction.

The range we can impose is limited. For example, up until July 2022 we could only issue a fine of £2,000 to regulated firms or individuals. After this date, the limit increased to £25,000. However, we can impose a fine of up to £250m on an Alternative Business Structure (ABS), also known as a licensed body, and up to £50m on managers and employees of an ABS.

Since June 2023, we have also been able to issue fixed financial penalties of up to £1,500 for firms. These apply to a small number of lower-level breaches of our rules to enable compliance with our more administrative requirements to be dealt with more effectively and in a timely way. An example of misconduct which may result in a fixed penalty could include failing to comply with a regulatory request for information. For example, failing to respond to a declaration of how your firm complies with AML requirements or the financial sanctions regime.

The SRA has no power to strike off a solicitor, such a sanction can only be imposed by the courts, most commonly the Solicitors Disciplinary Tribunal (SDT).

Under section 207 of the Economic Crime and Transparency Act 2023, we can issue unlimited fines for breaches connected to certain economic crime offences. We have recently concluded a consultation on our fining powers, which included consideration of how this power should be used. These powers will not be used until the new framework has been introduced post consultation.

Where appropriate, we can also resolve a matter through a regulatory settlement agreement (RSA). Under an RSA, the facts and outcome are agreed by both parties. These allow us to protect both consumers and the public interest by reaching appropriate outcomes swiftly, efficiently and at a proportionate cost.

We publish the details of our findings and sanctions, including RSAs, on our website. We withhold confidential matters from publication, where this outweighs the public interest in publication (for example, details of an individual's health condition).

Thematic work

In this reporting period, we undertook a thematic review on client and matter risk assessments (CMRAs) to better understand how firms were complying with the requirements of the MLR 2017. This was the focus of our review because we observed that there was a persistent level of non-compliance in this area from our desk-based review work and inspections over a number of years. We first identified that compliance with CMRAs was an area of concern in our 2019/20 report.

CMRAs are a control that can help prevent money laundering by making sure firms consider the risks posed by each client and matter. They also assist firms in determining the correct level of CDD to apply to mitigate those risks. It is a mandatory requirement to risk assess client and matters under regulation 28(12) and 28(13) MLR 2017.

We reviewed the CMRA processes of 30 firms. Our findings from the review confirmed that this is an area that some firms struggle to comply with.

In response to our findings from the thematic review, we published:

• A thematic report setting out our findings. The report also includes a good and bad practice guide.
• A warning notice setting out our expectations for complying with CMRAs.
• A client and matter risk assessment template along with guidance notes and two examples of the completed templates.

We also sought feedback on the template with 13 firms of differing sizes and four consultants to test how it would be used in practice and obtain guidance from firms on what it should include.

We also held a webinar in February 2024 which provided practical tips on how to properly complete and document a CMRA.

Work with larger firms

This reporting year we also engaged with some of the largest firms in England and Wales as part of our supervision process. These engagements are supplemental to the SRA's wider proactive AML programme and reflect our risk-based approach to proactive work with the largest firms.

Review of independent audits

Regulation 21 MLR 2017 sets out the requirement for firms to establish an independent audit function. The purpose of an independent audit is to examine the adequacy and effectiveness of a firm's AML controls and procedures.

We expect large firms to regularly carry out independent audits, given the size and nature of their practices. An effective audit will make recommendations as to how PCPs can be improved and how well a firm's controls are working.

In this reporting period, we started a three-year cyclical programme to review the outcomes of firms' last independent audits. We reviewed the independent audits of 20 firms.

The purpose of our review is to:

• assess if a firm's independent audit process is compliant with the MLR 2017
• establish any concerns that had been identified by the auditor and
• assess if the recommendations in the audit have been met.

Depending on the outcome of our review, a more in-depth review may be carried out by the Proactive Supervision Team or the AML Investigation Team to look at the firm's wider controls.

Where no issues are identified, no further action is taken.

We found that:

• All 20 firms had an independent audit process.
• 17 of the 20 firms met the recommendations from their independent audits. No further action was required in those instances.
• Three firms were referred for a desk-based review or inspection by the Proactive Supervision Team. This is because the audits had identified issues with some of the firms' AML controls and/or because the recommendations of the audit had not been met.
• None of the firms were referred to the AML Investigations Team because we did not identify any breaches or serious concerns.

Letters to managing partners and round table events

We wrote to 72 firms to get their views on the low levels of compliance we continue to see with the MLR 2017. The letters invited the firms to take part in an optional roundtable event, where we met with 69 Money Laundering Compliance Officers, Compliance Officers for Legal Practices and senior compliance professionals from 65 firms.

The sessions were used to reinforce the importance of compliance with the regulations and discuss the day-to-day challenges larger firms face.

The key themes from these meetings are:

• the challenges with creating a compliance culture
• the different approaches to training staff across firms
• clarity on the requirements of independent audits
• suggestions for updating the LSAG guidance
• practicalities of ongoing monitoring
• identifying ultimate beneficial owners in a transaction
• the importance of screening to comply with the UK's sanctions regime.

The firms that attended the roundtables reported that they found it useful to engage with us in this format.

This section relates to firms and individuals we regulate that fall in scope of the regulations.

As of 5 April 2024, 5,683 firms fall within the scope of the money laundering regulations. This represents almost two-thirds of the firms we authorise (9,308).

As a professional body supervisor, we have a duty to make sure that the firms we supervise comply with the regulations and have appropriate controls in place to prevent money laundering.

The table below shows the number of firms we supervise which fall within scope of the regulations. It gives a breakdown for the number of firms we supervise for AML purposes where there is just one solicitor or registered European lawyer (REL) practising at the firm. This is different to our definition of a sole practitioner, who may employ staff or work in conjunction with others. But these are the categories that we report to HM Treasury and our oversight supervisor, OPBAS.

Firms subject to the regulations	2021/22	2022/23	2023/24
Number of firms where there is more than one solicitor/REL practising at the firm.	5,124	4,816	4,634
Number of firms where there is just one solicitor/REL practising at the firm	1,284	1,191	1,049
Total number of firms we regulate that fall within scope of the regulations	6,408	6,007	5,683

Number of beneficial owners, officers and managers

Under the regulations, beneficial owners, officers and managers (BOOMs) must be approved by us. They must get a Disclosure and Barring Service check and submit it to us when they first become a BOOM or take on a new role. The table below shows the total number of BOOMs we regulate as of 5 April 2024, compared to previous years.

	2021/22	2022/23	2023/24
Number of BOOMs	23,349	23,275	22,639

Number of money laundering related reports received

We receive reports about potential breaches of the regulations and money laundering activity from the profession and consumers. We monitor media and other reports for potential breaches, and receive intelligence from the NCA, other law enforcement bodies and government agencies. The number of reports we receive, also includes where we have identified a potential breach of the regulations ourselves, for example, through an AML onsite inspection at a firm, or a desk-based review of the firm's AML controls.

We investigate suspected breaches of the money laundering regulations and cases of suspected money laundering. The table below shows the number of reports we have received year on year, for comparison. The variation in the number of reports is primarily due to a reduction in referrals from the NCA and other law enforcement bodies.

2017/18	2018/19	2019/20	2020/21	2021/22	2022/23	2023/24
235	197	196	273	252	249	227

Types of reports received

We record the reasons why a report has been made. Often, reports have more than one suspected breach requiring investigation, and these can change during the life of a matter as we receive and assess more information.

These were the most common reasons for the AML reports we received:

Specific matter reason	Count
Failure to have proper AML PCPs	61
Failure to carry out a source of funds check	46
Failure to carry out a risk assessment on client or matter	87
Failure to carry out a firm-wide risk assessment	41
Failure to carry out/complete initial CDD	26
Failure to comply with sanctions regime	22

Number of money laundering related matters determined by the SRA

Where we see that firms or individuals have failed to comply with the money laundering regulations, we can take enforcement action. We refer matters likely to require a penalty which we would be unable to impose to the independent Solicitors Disciplinary Tribunal (SDT). We have provided further details below. Other matters can be determined by the SRA. This includes letters of advice or rebuke, where we remind the individual or firm of their regulatory responsibilities.

We can also fine a firm or individual, or put conditions on their practising certificate, limiting what they can do in their role. The table below shows the number of money laundering matters determined by the SRA that involved further action.

2017/18	2018/19	2019/20	2020/21	2021/22	2022/23	2023/24
10	14	21	16	43	39	74

The increase in cases resulting in a determination by the SRA in April 2023/April 2024 is due to several factors. There has been an increase in the number of Investigation Officers working within the team. Furthermore, amendments in our case management processes have also created efficiencies in case progression and a more streamlined process, therefore driving productivity.

We made 74 decisions in total relating to money laundering concerns. Below is a breakdown of the type of outcomes:

SRA determined outcomes	Count
Fine (by SRA Adjudicator)	35
Letter of advice	27
Regulatory Settlement Agreements (fine by agreement)	9
Finding and warning	2
Condition on Firm's Authorisation	1

More information on the type of decisions we can make, and their purpose, can be found in our enforcement strategy.

Since our fining powers have been increased from £2,000 to £25,000 for recognised sole practices and recognised bodies (firms where all the managers are lawyers), we have seen more fines being dealt with in-house. We are anticipating that this trend will continue. Please see our fining guidance.

In 2023/24 we issued 44 fines totalling £556,832. These include fines agreed through the adjudication process or via regulatory settlement agreement. These can be broken down as follows:

Fine value	Number of fines in the bracket	Total amount of fines
0 - £2000	5	£8,731
£2,0001 - £5,000	9	£32,172
£5,001 - £10,000	7	£55,270
£10,001 - £20,000	18	£268,251
£20,001 - £24,999	4	£91,051
£25,000 - £50,000	0	0
£50,000 and above	1	£101,357

Of the total fines shown above, nine were Regulatory Settlement Agreements totalling £167,750. These are as follows:

Fine value	Number of fines in the bracket	Total amount
0 -£2000	2	£3,745
£2,0001-£5,000	2	£6,760
£5,001-£10,000	1	£7,900
£10,001-£20,000	2	£24,772
£20,001 - £24,999	1	£23,216
£25,000 - £50,000	0	0
£50,001 and above	1	£101,357

Number of money laundering-related cases referred to the SDT

In circumstances where the matter involves a firm or an employee of a firm that is a recognised body, our fining powers are limited to £25,000. We also do not have the power to suspend or strike off.

If a case is likely to result in a penalty higher than £25,000, or need outcomes that are not within our remit, we would have to refer the case to the SDT. The SDT's powers include imposing unlimited fines and suspending or striking solicitors off the roll.

2017/18	2018/19	2019/20	2020/21	2021/22	2022/23	2023/24
10	14	13	13	8	8	4

In 2023/24 the number of decisions made at the SDT totalled four. The reduction in the number is partly due to the increase in our internal fining powers.

Below is a breakdown of SDT decisions for 2023/24:

SDT decision	Count
Fine	2 in the same matter for the firm and the individual (totalling £511,900)
Suspended for a period / Control of employment	1
Case dismissed or findings not upheld	2

All fines received are paid to His Majesty's Treasury.

Themes from enforcement action

In total, there were 78 enforcement outcomes in relation to money laundering, an increase from 47 in the previous year. In over half of the cases, the most common area for breaches related to firms having inadequate AML controls. Specifically, firms failing to:

• carry out risk assessments on clients and/or their matters (pursuant to regulation 28 MLR 2017)
• have a compliant firm-wide risk assessment (pursuant to regulation 18 MLR 2017)
• have adequate AML policies, controls and procedures (pursuant to regulation 19 MLR 2017)
• undertake staff training (pursuant to regulation 24 MLR 2017).

Of the remaining outcomes, the majority related to the buying and selling of property and poor customer due diligence. These concerned:

• inadequate identification and verification of clients (both individual and corporate) at the outset
• failings in assessing and identifying the risks pertaining to the client or matter
• ongoing monitoring of transactions and source of funds checks (where monies were transacted).

Understanding the source of funds to be used in a transaction is a fundamental part of the risk-based approach. Being clear around the legitimacy of the source of funds greatly reduces the risk of money laundering. While we have seen a slight improvement, firms need to do more in this area and check source of funds more often than we are seeing them do, especially when higher risk elements are prevalent in the transaction.

Other issues we identified, seen in previous years and repeated again, were failure to:

• apply enhanced customer due diligence and enhanced ongoing monitoring.
• recognise work that brings the firm into scope of the regulations, which then carries all the legislative requirements of being 'in-scope' and the necessity to have in place mandatory AML controls.
• have sufficient regard for our issued warning notices, red flag indicators (as highlighted in a FATF report) in transactions and sector wide guidance.

We have identified three key themes that we believe contributed to these breaches:

• At a senior level in firms, there is not enough importance on having robust and compliant AML controls in place. These controls include risk assessing the firm's exposure to money laundering and terrorist financing or putting having good PCPs.
• Inadequate supervision or training of fee earners, particularly on the regulations and the firm's PCPs.
• Having systems and processes that allow events to happen unchecked, such as receipt of funds or moving to the next stage in the transaction (rather than an automated 'stop' being put to a transaction when an element of customer due diligence has not been performed).

Emerging themes

We are investigating some cases relating to breaches of the sanctions' regime, specifically sanctions placed on Russians and Russian entities. We are developing an approach to these cases with the Office of Financial Sanctions Implementation (OFSI) and expect investigations to conclude and decisions to be taken whether enforcement action is required in the coming year on these matters.

Submitting a suspicious activity report (SAR) provides law enforcement with valuable information about potential criminality.

We submit a SAR to the NCA if we identify a suspicion of money laundering through our work.

We submitted 23 SARs to the NCA involving money laundering, relating to funds amounting to over £75 million. The number of SARs made during the last reporting period remained largely the same compared with the previous reporting period (24 in 2022/23).

We also submitted two financial sanctions reports to OFSI under the Russia Sanctions Regime relating to funds totalling over £369,000.

2018/19 (SRA financial year)	2019/20 (SRA financial year)	2020/2021	2021/2022	2022/2023	2023/2024
19	26	39	20	24	23

Based on the 23 SARs submitted by us the main red flags and risk areas were:

• property conveyancing transactions (both residential and commercial)
• funds linked to fraud – for example vendor fraud, dubious investment schemes and insurance fraud (motor vehicle and personal injury)
• transactions with no underlying legal work or legitimate purpose for the involvement of a solicitor (misuse of the client account)
• clients and or funds from countries which pose a higher risk for money laundering
• aborted or unexplained / unclear transactions
• pressure to complete a transaction very quickly
• funds being broken down and remitted or received in multiple transactions
• involvement of third parties (individuals and companies)   
• carrying out work not in line with a firm's usual business activities.

Of the SARs submitted by us 73% involved property conveyancing work, the majority of which were residential properties. Most of the transactions completed with funds being exchanged, but in some instances the transaction was aborted and did not proceed. Therefore, based on what we have seen during the period, property conveyancing remains by far the highest risk area for illicit finance and money laundering in our reports.

Other aspects which featured in our reports concerned transactions where no underlying legal work was carried out, leaving firms vulnerable to facilitating suspected money laundering through misuse of the client account. Also, firms transacting proceeds from insurance frauds, such as motor vehicle and personal injury were seen. Additionally, this year also saw us make our first SAR linked to proliferation financing involving the trading of large quantities of high value dual-use goods.

Firms not conducting any or sufficient due diligence and source of funding checks on their clients, or third parties, was a key contributor in many of the cases we reported. Also, in some instances firms not properly scrutinising the information they were in receipt of which should have triggered concerns about the legitimacy of the funds or instructions they were involved with. In a small number of cases the firms did identify money laundering red flags and formed a suspicion but failed to make a SAR.

The SARs we submitted during the reporting period involved all sizes and types of firms. However, 64% related to activities carried out at small firms (2-10 fee earners) and sole practitioners.

Suspicious Activity Reports and firms' risk tolerance

Firms are obliged to report suspicious activity to the NCA under the Proceeds of Crime Act 2002 (POCA) or Terrorism Act 2000 (TACT) where the information of concern has come to the firm during the course of its business.

Where we conducted an inspection in the reporting year we reviewed a sample of SARs firms have submitted to the NCA.

We reviewed a total of 40 Defence Against Money Laundering SARs (DAML) and 55 information SARs submitted by 42 firms.

A DAML can be requested from the NCA where a reporter has a suspicion that property they intend to deal with is in some way criminal. By dealing with it, they risk committing one of the principal money laundering offences under the POCA. A person does not commit one of those offences if they have received 'appropriate consent' (a DAML) from the NCA. Conversely, information SARs are submitted simply to notify law enforcement to potential instances of money laundering or terrorist financing.

We found that most of the SARs we reviewed were written in a clear manner and contained sufficient levels of detail.

However we found the following quality issues:

• Three firms did not include their reason for suspicion in their SAR narrative. In one case, the firm was unclear on the origin of funds (not formed a suspicion) when a DAML was submitted.
• Four of the DAMLs we reviewed did not describe the criminal act the firm was seeking a defence for.
• Seventeen firms did not include the glossary codes in their SAR as recommended by the NCA.
• Nineteen firms did not include the company number for entities mentioned in the SAR narrative.
• Thirty-one firms did not include the phone number of the person or entity the SAR related to.

Firms should include as much information as possible in SAR reports. For example, phone numbers, email addresses and company numbers should be included if available. This information is useful to law enforcement when investigating crime. Poor quality SARs can lead to unnecessary delays, particularly where a DAML has been sought. This can also cause problems for the firm in explaining the delay to a client.

In one instance, the DAML was submitted before the firm had completed necessary due diligence and source of funds checks. The matter involved multiple parties contributing funds to a transaction. The firm was concerned about the source of funds and asked the NCA for 'consent' to proceed with the transaction. At the point of submitting the DAML, the firm had not formed a suspicion. Upon completing the source of funds checks the firm were satisfied that they were able to proceed with the matter.

A DAML must not be used as a substitute for a firm's obligation to conduct adequate due diligence and source of funds checks. To do so is a misuse of the SARs regime. A DAML must only be submitted if the reporter 'knows' or 'suspects' or has reason to 'know' or 'suspect' that a person/entity is engaged in money laundering or terrorist financing. It is important that firms fully understand the purpose of submitting DAML SARs.

The inclusion of glossary codes helps the NCA triage SARs to the correct area of law enforcement. We are pleased to note that the number of SARs submitted without glossary codes has decreased. We do not expect the lack of glossary codes in SAR reports to be an issue in the future. This is because the new SAR reporting portal introduced in September 2023 makes it mandatory for glossary codes to be included for every SAR submitted.

The NCA has previously reported that some SARs received from the legal sector are poor quality due to firms providing inadequate information. Our warning notice on SARs makes it clear that we expect all firms and individuals regulated by us to comply with the NCA guidance.

We encourage firms to watch our joint webinar with the NCA to understand when they should report concerns to us and how to submit a good quality SAR.

This section of our report concentrates on the measures taken by firms to assess the level of risk, both at firm level (as required under regulation 18) and client and matter level (as required under regulations 28(12) and 28(13)).

Firm-wide risk assessments

The purpose of a firm-wide risk assessment (FWRA) is to identify the risks a firm is or could be exposed to. Then, appropriate policies, controls and procedures (PCPs) should be put in place to mitigate the risks. It is a crucial document for preventing money laundering and forms the backbone of firms' AML controls.

Over the last few years, we have seen an improvement in the quality of FWRAs which reflects the thought, effort, and time that many firms put into these documents. Nonetheless, there is still a very significant proportion of firms with FWRAs that are not compliant. We would urge firms to review and update this key document. We have provided information below that should help firms to do that.

When undertaking an AML inspection or desk-based review, firms must provide us with a copy of their FWRA. During the reporting period, we called in a total of 495 FWRAs for review. Despite the requirement to have a FWRA having been in place for over seven years now, 12 firms did not have a FWRA. They were referred for investigation.

Of the remaining 483 FWRAs we reviewed; we found the following levels of compliance:

	Compliant	Partially compliant	Non-compliant
Desk-based reviews	109	109	33
Inspections	140	76	16
Total	249	185	49

• During the reporting period, 52% of the FWRAs we looked at were compliant, which has increased slightly when compared to 49% in 2022/2023.
• However, 10% were non-compliant. In the previous reporting period this was 7%.

We provided feedback to firms where their FWRAs were partially or not compliant. The main areas of feedback we provided are shown below. At times, we found some of these risk areas were not addressed in the FWRA. Often feedback will have been provided on several areas, which is why these figures do not total 483.

Area of feedback	Number of times feedback provided (desk-based review)	Number of times feedback provided (inspections)	Total number of times feedback provided
Transaction risk Firms did not sufficiently explore transactional risk, such as how many high-value transactions the firms deal with, the typical size and value of a transaction, whether transactions are large or complex, and the type of payments accepted, for example, cash payments or payments from third parties.	40	97	137
Product/service risk Many firms were failing to list all the services they provide that are within scope of the regulations. A cross check against the firm's website and information we gather during our practising certificate renewal exercise shows a disconnect between the FWRA and the products and services listed. We would also often see firms focusing on the services they do not provide, as opposed to the risks attached to the services they do provide.	27	74	101
Delivery channel risk Firms did not risk assess how they are delivering their services. The risk assessments didn't show if firms meet their clients face-to-face. If they offer services that are not face-to-face, how do they deliver them?   Are they using email or video meetings for example.	41	69	110
Geographic risk There was a lack of detail on where the firm's clients and transactions are based and if any of the firm's clients have overseas connections. Most risk assessments focused only on setting out the likelihood of dealing with a client from a high-risk jurisdiction and failed to address the geographical locations the firm does deal with and if these are local, national or international.	32	86	118
Client risk Firms failed to set out the type of clients they deal with. For example, whether these clients are individual or companies, if any of the companies have complex structures, whether the clients are predominantly new or longstanding clients, and if any clients pose a higher risk, such as politically exposed persons (PEPs).	30	69	99
Further tailoring to firm's size and nature In some cases, firms provided an FWRA that was not suitable, given the size and nature of their practice. These documents were often completed on templates that were predominately specimen text, which had not been tailored to the firm. While there is nothing inherently wrong in using a template but firms must make sure that the information is tailored to their firm.	35	57	92

There were several themes which featured within the non-compliant FWRAs. These include:

• Some firms only putting in place a FWRA after we asked to see it. This is despite some of these firms having previously confirmed to us in January 2020 that they did have a FWRA in place.
• Not providing a FWRA but instead providing an alternative document, such as an AML Policy.
• Providing an operational risk assessment, which looks at business risks rather than AML risks.
• Using a template but not completing it correctly (for example, using a checklist or not including enough detail) or failing to tailor the content to the firm.
• Failing to consider all services the firm provides.
• Many firms failed to expand on the risks identified, for example, we saw firms stating they often operated in high-risk jurisdictions but not setting out and assessing the applicable jurisdictions.
• Many documents focused on what the firm does not do (for example, setting out that the firm does not offer trust formation services or act for politically exposed persons). The focus should be on the AML risks the firm is exposed to in its day-to-day business.

It is important that the FWRA is reviewed regularly and updated, where necessary. We found that some firms had not done this. A FWRA is a living document and should be regularly updated, for example:

• when AML legislation changes, or we update our sectoral risk assessment
• where firms provide a new service or act in a new area of law
• where firms make changes to the way they work, for example if they introduce a new client verification system.

Good practice

We identified a lot of good practice through our reviews of FWRAs during the reporting period.

We continue to see an improvement in the use of templates. This is where firms had adapted and tailored the templates to cover the risks in detail and in a way specific to the firm. We have highlighted poor practice in previous reports, where firms had used templates but had not edited the standard text to make it relevant to their firm.

In some examples we saw, it was clear the person undertaking the FWRA had worked closely with various teams and partners across the business to assess the risks. The advantage of this was that all areas of the business were feeding into the FWRA. It also helped to demonstrate a risk-based approach, as something which would be low risk in one business area may be considered high risk elsewhere.

Some firms also made use of quantitative data and statistics to help analyse their AML risks. For example, using information gathered from internal SARs or the percentage value of work in specific areas of work and how this equates to potential risk for the firm. We consider this to be good practice as it forms part of a risk assessment framework.

We expect firms to be compliant in this area. Over the years we have provided a variety of resources to help firms draft an effective firm risk assessment if they don't already have one.

• Our sectoral risk assessment setting out common risks
• A checklist to help firms prepare for a firm risk assessment (DOC 8 pages, 44KB)
• An updated FWRA template (DOC 5 pages, 42KB) 
• Two webinars on FWRA – link to most recent webinar.

Proliferation financing risk assessment

From 1 April 2023, firms must risk assess and document their exposure to proliferation financing (PF). This is a requirement under regulation 18A of the MLR 2017. This assessment can be done as part of the FWRA or as a standalone assessment. We found that 330 of 483 firms that provided us with a FWRA had a proliferation financing risk assessment.

We highlighted the need for firms to conduct a PF risk assessment on 4 April 2023. Firms without a PF risk assessment must put one in place immediately.

Client and matter risk assessments

We review client and matter risk assessments (CMRA) on files as part of a desk-based review and onsite inspection.

CMRAs prevent money laundering by making sure firms consider the risks posed by each client and matter and inform the correct level of client due diligence (CDD) required to mitigate those risks. CMRA are required under regulation 28(12) and 28(13) of the MLR 2017.

During the reporting period we reviewed 3,048 files. We found:

• that 585 files (19%) did not contain a CMRA as required under the regulations. Of the 585 files, 314 concerned a new client to the firm and 295 of those files were opened in relation to matters which we highlighted as high risk in our sectoral risk assessment.
• that 12% of CMRA we reviewed were ineffective. For example, the rationale for allocating a particular risk rating to a client or matter was not clear. Or there was no clear process for when a fee earner should apply enhanced due diligence (EDD), which risks EDD not being carried out when it should be.

In the previous year, we reported that 51% of CMRA we reviewed were ineffective. We are pleased to note the improvement in this area. This suggests that our publications following our thematic review (report with good and bad practice guide, warning notice and client and matter risk assessment template) have been effective in highlighting this issue to the profession.

While we note a clear improvement, we feel that there is still room for improvement for some firms in this area. The lack of CMRAs on files was the most common reason firms were referred for investigations in this reporting period.

Poor practice

We continue to see firms using very basic and tick box CMRA template forms where fee earners only mark whether a file is high risk, medium risk, or low risk.

Often, these forms did not feature any commentary or justification for the fee earner to explain how they had arrived at the risk level. It is important that the rationale for the risk level and level of due diligence is clearly recorded, along with what actions the fee earner will take to mitigate those risks.

Some CMRA forms we reviewed addressed business risk (creditworthiness and reputational risk), rather than AML risk factors. These forms would not constitute a client or matter risk assessment under the regulations.

In addition, many forms we looked at did not consider when a client or matter requires EDD. This is concerning, as matters subject to EDD are typically the highest risk.

Many matter risk assessment forms we looked at did not reflect their FWRA. For example, one firm considered receiving funds from abroad to be high risk in the FWRA. When we reviewed the matter risk assessment, the file was assessed to be low risk by the fee earner. The reason for this was not recorded.

Good practice

Some of the best examples were when the matter risk assessment form set out the factors that fee earners must consider when assessing client or matter risk. These forms often required the person completing them to make an active decision on the level of due diligence required, based on the level of risk the client or matter presented.

We saw examples of CMRA forms that were tailored to the firm's risk exposure. For example, questions were added to the CMRA template to help fee-earners identify additional risks specific to the firm's clients.

Some CMRA forms reflected the risks identified in the firm's FWRA. We noted at one firm that where fee-earners felt the level of risk was different from that identified in the FWRA, they documented their rationale for this. For example, if a FWRA states that conveyancing is high risk, the matter risk assessment is then completed in line with that. The firm mentioned above also added commentary to explain why a particular matter was not considered high risk. For example, due to length of relationship with a client, value of a transaction or source of funds checks completed.

We were pleased to see that some CMRAs were reviewed reactively when additional information about the client or matter was received. For example, when funds were received on a matter, to ensure the source of funds is consistent with the information the firm held. The purpose of this is to ensure that the information presented does not change the level of risk present in relation to the client or matter.

We continued to see a collaborative effort by fee earners and risk teams to assess risk. We saw examples where a fee earner would initially complete the risk assessment before passing it on to the risk team. The risk team would then go back to the fee earner with any risks they identified and highlight any further information the fee earner would need to obtain to mitigate the risks.

Customer due diligence

This section concentrates on the customer due diligence measures (CDD) firms must apply to mitigate against any money laundering risks under regulations 27 and 28 of the MLR 2017.

CDD is a key requirement of the MLR 2017 and one of the most effective controls firms can put in place to protect against money laundering. CDD requires firms to take a holistic approach to have a comprehensive view of the risks associated with a particular client or parties to a matter or client. This section of the report focuses on the obligation to identify and verify clients and conduct source of funds checks.

Firms must have processes in place to identify and verify their clients' identities. Identification of a client or a beneficial owner is simply being told or otherwise coming to know a client's identifying details, such as their name and address. Verification is obtaining evidence which supports this claim of identity.

Conducting CDD goes beyond identifying and verifying the client's identity using a reliable independent source. It also includes:

• Identifying an ultimate beneficial owner (where applicable) who may not be the client and taking reasonable measures to verify their identity.
• Understanding the purpose and intended nature of the business relationship or transaction.
• Taking a risk-based approach to determine the level of checks that is required for a client or matter. For example, a high-risk client or matter will require additional checks to a low-risk client or matter.
• Scrutinising transactions including the source of funds, where necessary, to ensure that the transaction is consistent with the firm's knowledge of the customer, the customer's business and risk profile.

We assess firms' CDD processes when we review files as part of an onsite inspection or desk-based review.

Findings from file reviews

We found that:

• out of 3,048 files, 152 files (5%) did not contain evidence that the client had been identified and verified.
• these documents were missing in 97 files for desk-based reviews and 55 files for onsite inspections.

The high level of compliance shows that firms are taking their CDD obligations seriously. We saw some good examples of ways firms were conducting CDD. These include:

• Explaining to clients at the early stages why CDD is required to set expectations and foster cooperation.
• System led controls preventing matters being worked on until CDD is in place.
• Making use of open-source information to search for adverse media on clients. For example, a secretary at a high street firm was able to obtain adverse media on a prospective client by conducting a google search. This discovery led the firm to declining to act on instructions from the client.
• We also saw examples of firms doing wider internet searches to verify ultimate beneficial owner's positions.

This is important because an ultimate beneficial owner has ultimate control over a business or asset, (although they may not be directly named as such in some instances).

We also identified some examples of firms not complying with their CDD obligations properly. For example:

• In a few cases, the client's identity was not independently verified because the fee earner or someone at the firm knew the client personally.
• Inadequate identification and verification of corporate clients. For example, on one file reviewed, the firm was instructed by an individual as a director of a limited company. The firm obtained identification and verification documents for the individual but not the limited company.
• On one file, the firm conducted an electronic verification check. The client's passport failed the authenticity check and the firm was not aware until we notified them following our review.

There is no provision in the MLR 2017 for waiving CDD requirements based on long-standing or personal relationships. Taking this approach will not satisfy the requirement to undertake independent verification.

It is important to understand who is instructing the firm and/or the ownership and control structure of any entities involved in a transaction. This is particularly important with entities involving ultimate beneficial owners. The better you know your client and understand your instructions, the better placed you will be to assess risks and spot suspicious activities. It is important to keep file records of CDD that is carried out. This will enable firms to spot any changes as part of ongoing monitoring obligations, as well as evidencing the enquires made to understand the company structure.

Failure to do so properly may lead to the firm breaching the requirements of the MLR 2017, the UK sanctions regime and/or open your firm to reputational risks.

In an increasingly digital age, many firms use electronic identification and verification tools at the onboarding stage to help fulfil their obligations under the regulations. Such firms must develop an in-depth understanding of the tools they choose to incorporate to fulfil their regulatory obligations. An electronic report is only as good as the understanding of the person reviewing the report.

Source of funds/wealth

Understanding the source of funds in a transaction is fundamental to understanding the risk of every transaction. Failing to identify where funds have come from or obtain evidence of the source of funds (where necessary), could put your firm at risk of committing an offence under the Proceeds of Crime Act 2002.

Firms must have processes in place to ensure that the funds used in a transaction are from a legitimate source. This will help identify and mitigate potential money laundering risks. If you are clear around the legitimacy of the source of funds, the risk of money laundering is greatly reduced.

Findings from file reviews

Of the 3,048 files we reviewed, 2,701 files required source of funds/wealth checks to be completed.

Sixty-one per cent of files we reviewed that required source of funds/wealth checks contained evidence of checks taking place. Having adequate source of funds controls in place can prevent the firm being used to launder money.

Our findings indicate that more could be done in this area.

We found that 678 (25%) of the 2,701 files we reviewed did not contain information or evidence of source of funds. While several firms were able to provide an explanation of the enquiries they made, the files contained no audit trail to confirm the information provided. In multiple cases, after our request, firms would provide us with a written summary of how the transaction was funded. This information had not previously been recorded (for example, on the matter risk assessment). If there is a time lapse, it would be difficult for firms to explain the enquires made at the time.

In several cases, the transactions involved high risk work such as property purchases and cash transactions. Both of which have been highlighted as inherently high risk for money laundering in our sectoral risk assessment. For example, one file concerned the cash purchase of a property for £700,000. The file did not contain information or evidence of checks undertaken to substantiate the origin of the funds.

In total, we provided feedback on source of funds/source of wealth to 167 firms where we identified inadequate evidence of source of funds/wealth checks on the files we reviewed.

These are concerning figures considering services provided by law firms, such as conveyancing, are attractive to criminals wishing to hide proceeds of crime by making their money or assets appear legitimate.

There were several themes we identified when reviewing the files. These included:

• Accepting funds into the client account before understanding the origin and legitimacy of the funds.
• Firms taking copies of bank statements from clients but making few enquiries to understand how the funds in these accounts have been accrued.
• Firms obtaining bank statements which show significantly less money than is required for a transaction without making further enquiries.
• Firms' policies suggesting source of funds checks are not required if funds come from a UK bank account.
• Firms making a written note of how the transaction will be funded but not obtaining any documents in support.
• Firms not conducting source of funds checks because the client is known personally to someone at the firm.
• Firms not checking source of funds to avoid offending clients, particularly long-standing clients.

Understanding and documenting source of funds/wealth should be approached as an opportunity to protect your firm from being used for money laundering.

The type of documentation you accept to verify source of funds/wealth should depend on the level of risk presented by the client and or matter. The higher the risk, the more comprehensive the documents you obtain should be.

Additional findings

This section of our report concentrates on controls, in particular the AML policies firms must put in place to mitigate against any money laundering risks.

AML policies controls and procedures

We reviewed the policies, controls and procedures (PCPs) put in place by 481 firms. Fourteen firms did not have PCPs in place when we carried out a desk-based review or an onsite inspection. They were referred for further investigation.

We found the following levels of compliance:

	Compliant	Partially compliant	Non-compliant
Desk-based reviews	88	111	49
Inspections	121	90	22
Total	209	201	71

The table below highlights some of the most common themes and missed areas within firm AML PCPs.

Area	Deficiency in percentage of PCPs we reviewed during desk-based reviews (approx.)	Deficiency in percentage of PCPs we reviewed during inspections (approx.)
Assessment and mitigation of the risks associated with new products and business practices	54%	60%
Reporting discrepancies to Companies House	48%	32%
How to identify and scrutinise unusually large or unusual patterns of transactions	27%	12%
How to identify and scrutinise transactions that have no apparent economic or legal purpose	31%	12%
How to identify and scrutinise complex transactions	28%	11%
Information on the firm's stance on reliance (on another person to carry out CDD).	37%	30%
Simplified due diligence	37%	22%
Taking additional measures, where appropriate, to prevent the use for money laundering or terrorist financing of products and transactions which might favour anonymity	36%	20%
High-risk third countries / high-risk jurisdictions	32%	15%
Checking the sanctions register/complying with the sanctions regime	28%	14%

The first five boxes in the table above indicate that many firms still have not updated their PCPs to reflect the 5MLD changes. Given that the 5MLD requirements were integrated into UK law in January 2020, over four years ago, we expect firms to have updated their policies. Some of these policies had been reviewed since 2020 and we are concerned that the update had not been reflected. We issued guidance on the 5MLD changes in January 2020.

Risks associated with new products and business practices

Under regulation 19(4)(c) MLR 2017, firms' PCPs must assess and mitigate against risks associated with new products and new business practices. In practice, this means that when new technology is adopted by a firm, it must take appropriate measures to assess and mitigate any money laundering or terrorist financing risks this adoption may cause. This also applies to any new products or business practices introduced at the firm.

Firms should also document it if there are no new products or business practices to assess.

Discrepancy reporting to Companies House

Under regulation 30A MLR 2017, firms must inform Companies House of any material discrepancies between the information it holds about a person with significant control or registrable beneficial owner of an overseas entity, and the information on the Companies House register. Any material discrepancies must be reported to Companies House as soon as reasonably possible.

Identifying and scrutinising patterns of transactions

Under regulation 19(4) MLR 2017, firms must have in place controls which identify and scrutinise:

• transactions that are unusually large or complex
• unusual patterns of transactions
• transactions which have no apparent legal or economic purpose.

We found that many firms mentioned these factors within their PCPs. However, very little explanation was given as to what a large or unusually complex transaction looks like for that firm. Each individual firm will have their own measure as to what constitutes unusually large or complex transactions.

Firms' PCPs should outline a list of potential red flags that fee earners must be aware of. These red flags should be tailored to the firm. We accept that it is impossible to list every possible red flag, given that criminals are constantly adapting their methods to launder money. However, the inclusion of a non-exhaustive list will help fee earners identify transactions that may be out of the ordinary.

Reliance

Reliance was another area we provided feedback on. Reliance has a specific meaning within the regulations and relates to the process under regulation 39 MLR 2017. In certain circumstances, firms may rely on another person to conduct CDD, subject to their agreement.

We found that the vast majority of firms (98%) did not use reliance or permit other firms to rely on CDD they had collected. The firm's stance on reliance, however, was missing from many of the policies we reviewed.

A firm's stance on reliance must be documented within their policies and procedures so fee earners know whether it is permitted by the firm.

Simplified due diligence

Simplified due diligence (SDD) is another area we often provided feedback to firms on. Many policies contained conflicting information around what SDD is, and some did not mention it at all.

Regulation 37 allows SDD to be carried out where a firm determines that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account the FWRA.

SDD is the lowest permissible form of due diligence and can only be used where the firm has actively determined that the client presents a low risk of money laundering or terrorist financing.

It is important to note that, while there is no obligation on firms to apply SDD, it is something they may wish to consider adopting, in the appropriate circumstances. However, a firm's approach to SDD must be set out in its policies and procedures. This is so fee earners know whether they can apply it or not.

If firms do permit SDD, they need to set out the circumstances and the checks they would expect to see, as CDD will still need to be applied albeit to a lesser extent, and fully documented.

Products or transactions favouring anonymity

The regulations are clear that firms must set out their position on whether they offer services that favour anonymity. If this is a service firms offer, they must make sure their AML policy contains a section which sets out mitigating actions for their fee earners. In many cases, we provided feedback on including a section within PCPs to take additional measures when dealing with products or transactions that may favour anonymity.

High-risk jurisdictions

We found that many firms failed to identify high-risk jurisdictions or comment on their approach to them.

While it may be unusual for some practices to come across overseas clients, firms must make sure their fee earners are aware of any high-risk jurisdictions so they can exercise caution. They must ultimately identify matters that need EDD.

Regulation 33(1)(b) of the regulations requires firms to apply EDD measures in circumstances where high-risk third countries are involved. It is therefore important firms identify where their clients, client entities or the transactions they are working on are linked to, and whether they are high risk jurisdictions.

Sanctions

Firms may be at risk of being used to evade sanctions. We were concerned to note that a proportion of the PCPs we reviewed failed to mention what steps a fee earner should take to make sure their client is not subject to financial sanctions. It is important that fee earners are aware of all parties involved within a transaction, including any beneficial owners, to ensure they are complying with the sanctions regime and regulation 33(6)(ii) of the MLR 2017.

Firms may choose to document their approach to complying with the sanctions regime within their AML policy document or as a separate sanctions policy.

We have undertaken a suite of work in this area in the reporting period, this is detailed in the sanctions section of this report.

Other findings

We noted there is still a tendency for firms to use 'off-the-shelf' AML Policy documents, which have not been tailored to the firm, and/or are not being applied in practice by fee earners. A firm's AML policy should be specific to the firm. It should be used to guide fee earners on what steps they need to take to mitigate risks. We will take further action where policies have not been followed and breaches of the regulations have been identified.

In 2022 we undertook a thematic review of law firm compliance with the financial sanctions regime. As a result of this, we issued guidance explaining the requirements of the financial sanctions legislation, setting out risks and red flags, and outlining what we think a good control framework looks like.

Since issuing the guidance, we have increased our work in this area, including undertaking proactive sanctions inspections and assessing the controls firms have in place to mitigate sanctions risk.

As firms may be at risk of being used to evade sanctions, fee earners must continue to be aware of all parties involved within a transaction, including any beneficial owners, to be certain they are complying with the sanctions regime.

Last year we reported that 26% of the AML policies we reviewed failed to mention what steps a fee earner should take to make sure their client is not subject to financial sanctions. Our review of this years' AML inspections shows an improvement in controls with 84% of firms now including details on the steps to follow.

Given the continued importance of the financial sanctions regime, we have featured sanctions updates on our website throughout the year and recently updated our published sanctions guidance.

Our proactive supervision

We have increased our programme of proactive sanctions work this year. As sanctions apply to all law firms, the work we carried out included all the firms we regulate not just those we supervise under the money laundering regulations.

In total, we carried out 55 sanctions inspections in this reporting year. Overall, we had 1,485 proactive engagements with firms, which were broken down as follows:

Desk-based review - issued a letter of guidance	Sanctions Inspections	Sanctions controls checks during AML inspection	Sanctions controls checks – Forensic Investigation
1087	55	237	106

The purpose of the sanctions work was to gather information and assess how firms complied with the sanctions regime. Therefore, in those engagements we did not assess firms' overall compliance with the money laundering regulations.

Sanctions data collection

We carried out a data collection survey that was sent to more than 3,000 firms. The data we gathered was used to inform our proactive work in this reporting period.

We sent the data collection survey to firms not in scope of the money laundering regulations because sanctions legislation applies to all law firms. Unlike the firms we do supervise for money laundering, there is no prescribed set of controls or CDD requirement. The survey was designed to help us understand firms' exposure to sanctions risk as well as the controls they have in place to mitigate those risks. It was important that we had this data to understand how these firms were ensuring they did not breach the sanctions regime.

We also asked questions about whether firms had dealt with a designated person (an individual, entity, or ship subject to financial sanctions). Key findings from the exercise were:

• nearly 1,700 firms did not do or were unsure if they did one or more of the following:
  • identify their clients
  • verify their clients' identities
  • check source of funds
  • check if a client was subject to sanctions.
• Over 1,000 firms had a greater risk of encountering a designated person. This was because they or their clients had a connection to a sanctioned country, or the services the firm provided, had greater exposure to sanctions risk. For example, trade and shipping.
• Twenty-six firms had dealt with a matter involving a designated person.

Guidance letters on sanctions controls

During the reporting year we issued 1,087 letters of guidance to assist firms in improving their sanctions controls.

We wrote to 1,076 firms in January 2024 who responded to the sanctions data collection survey by saying they did not:

• have or were not aware of a written sanctions firm wide risk assessment (FWRA)
• have controls in place to identify or verify individuals or ultimate beneficial owner
• screen their clients to see if they were designated persons
• carry out source of funds checks.

We wrote to these firms because:

• conducting a sanctions FWRA can help a firm understand their exposure to the sanctions regime and determine what controls will mitigate those risks.
• failing to identify, verify or screen clients to check if they are a designated person increases the risk of inadvertently acting for a designated person and providing services that are not permissible.
• failing to carry out source of funds checks could mean a firm accepts payment from a designated person without a licence, which would breach the regime.

The letters sent included guidance on complying with the regime and how to improve controls. The letter also included guidance on completing a firm wide sanctions risk assessment along with a link to our newly published template for firms to use. We also included information on client screening, which firms can do for free using the online tool offered by the Office of Financial Sanctions Implementation (OFSI).

The support we have provided should help firms address risks and weaknesses in controls and remain compliant.

We also provided similar letters of guidance to 11 firms in scope of the MLR 2017 that we identified from the AML data collection exercise completed in May 2022 . We selected these firms because they confirmed that at the time they did not know if they had acted for a designated person or not.

Sanctions inspections

This year we also conducted a programme of proactive sanctions inspections. We selected a cohort of firms who declared that they had dealt with a designated person in either the 2022 AML survey or the 2023 sanctions survey.

We inspected 55 firms in total, this was made up of 37 firms who had declared they had acted for a designated person in the 2022 AML data collection survey and 18 from the 2023 sanctions survey. During the inspections we assessed:

• the controls firms had in place to mitigate their sanctions risks
• compliance with the sanctions regime and reporting and licensing requirements set out by the Office of Financial Sanctions Implementation (OFSI).

Of the 55 sanctions inspections we conducted, we found the following levels of compliance:

Outcome	Compliant	Partially Compliant	Not Compliant
Number	40	6	9
Action taken	Guidance/closed no further action	Engagement	Referred for investigation

As you can see from the table above, we engaged with six firms and had to refer nine firms for further investigation.

Overall, we found firms had good controls in place. If we gave guidance to or engaged with a firm we always signposted them to our published sanctions guidance. Where we engaged with firms, we asked them to complete follow up actions in one or more of the following areas:

• to amend their controls around client screening, discussed further below
• to make improvements to their FWRA and policies, controls and procedures (PCPs)
• provide training to their staff.

For the nine firms we referred for investigation, eight of the referrals related to a breach of a licence. We found that although these firms had PCPs in place, at times these policies were either not followed or were not strong enough to prevent the breach.

Where we referred a firm for investigation, it was because we identified:

• late reporting on the use of a general licence – three firms only identified this issue when they were preparing matters for us to review on site.
• a payment received from a designated person was not covered by a licence – again two firms only identified this issue when they were preparing matters for us to review on site.

Where we identified a breach of a licence, we ensured that all firms had made a report to OFSI.

Sanctions are a fast-changing area of practice and firms working in this area should ensure they have allocated sufficient resource to manage sanctions matters. To mitigate the risk of a licence breach, it is important that:

• Firms monitor sanction regimes for updates to identify changes to sanctions licences and expiry dates. Where firms identify changes, they should consider amending existing controls and procedures if required, such as adjusting diary alerts and signing up for notifications from OFSI.
• Firms make sure there is sufficient management and oversight of sanctions matters. This should include oversight of licence terms and conditions, reporting to OFSI, and monitoring all payments from or to the client.

Exposure to sanctions and designated persons

An analysis of our findings show that 25% (14 out of 55) firms did not actively provide sanctions advice to clients or work in this area, so their involvement with a designated person was incidental to their usual work. This shows why it is so important that all firms are screening clients for sanctions on an ongoing basis.

Overall, amongst the 55 firms we found firms had:

• acted for 197 designated persons in the last 24 months
• applied for 205 specific licences
• worked under a general licence 189 times
• reported encountering a designated person to OFSI 262 times
• reported a breach of the sanctions regime to OFSI 19 times
• frozen funds of £5,684,210.47 held for 58 designated persons.

Good practice

Overall, we found firms are working well in this area and we identified the following best practice during our inspections: 

• For firms actively providing sanctions advice these were:
  • Restricting advice to experts in the firm.
  • Increased central oversight and controls on all sanctions matters with cooperation and coordination between matter experts, compliance teams, and finance teams.
  • Specific procedures and controls in place to ensure they meet licence terms and conditions such as payment routes and reporting requirements.
• For all firms, including those not actively providing sanctions advice:
  • Having a written risk assessment in place.
  • Having a policy in place for fee earners to follow, on what to do if they encounter a designated person, this was regardless of whether the firm assessed its risk as low or did not ordinarily provide sanctions advice. We saw examples where firms not actively providing sanctions advice unexpectedly encountered a designated person during the course of a matter.
  • Screening, all clients (including ultimate beneficial owners) and counterparties for sanctions.
  • Devoting sufficient resource to keep up to date with sanction regime changes
  • Providing sanctions training to all staff at a level that was appropriate to their role.

On site inspection - file reviews

We carried out 152 file reviews and found:

• most matters contained evidence of client identification, with only four files with no evidence.
• twenty matters did not have sanctions screening results on file, on some of these matters the client had approached the firm for sanctions advice as a designated person.
• five matters had no source of funds evidence on file or details on when it was appropriate to carry out these checks.
• no matters resulted in funds or economic resources being made available to a designated person.

We also assessed firms' compliance with licence terms and conditions. We found

• forty-one firms complied in full
• nine firms did not comply in full
• five firms assisted individuals or entities with their licence applications and while they were providing sanctions advice, they were not acting for a designated person. For this reason, there was no licence for us to assess.

Overall, we found that even the firms that had not complied with the licences' conditions, did have good practices in place. However, they breached the licence terms in the following ways:

• Failing to report the use of a general licence within the set time limit. The reason for the failure s was often linked to timescales changing and the licence being renewed.
• Receiving a payment not covered by the licence.

This highlights the importance of:

• Keeping up to date with changes to the regime and licences and reviewing existing controls and procedures to ensure they remain fit for purpose.
• Increased oversight and more checks and controls in place for sanctions matters and specifically to ensure the firm is meeting any licence terms and conditions.
• Ensuring any payments, in or out, are covered in full by a licence – it is crucial for fee-earners, compliance and finance teams to work together to manage this risk.

Sanctions screening exercise

During the inspections we also asked firms to carry out a screening exercise to test their screening controls. We provided firms with six names to process using their normal screening methods and asked them to confirm if the individuals were or were not a designated person.

Of the 55 firms that completed this exercise:

• thirty-five firms matched our results for all six names
• fifteen matched our results for between three to five names.

Sanctions screening tools need to be fit for purpose and when you are reliant on a third-party provider you must have a clear understanding and oversight of the service they are providing. It is essential to ensure all potential sanctions matches are identified and investigated.

Most firms who conducted the screening exercise were using e-verification software to screen names. Where firms did not correctly identify all names, we asked firms to investigate their controls around screening. It is good practice to implement regular reviews of your screening systems and test them to ensure the results produced are accurate.

Sanctions Controls

We found all firms had considered the sanctions risks they faced, had implemented controls to manage those risks and demonstrated a commitment to prevent sanction breaches.

Sanctions legislation does not prescribe how compliance must be achieved, only that it must be.

Firms in scope of the MLR 2017 have a prescribed set of controls they must follow. From our review, we noted that firms in scope of the MLR 2017 had better controls for mitigating sanctions risk, than those who were not in scope.

Firms we supervise under the MLR 2017 (37 firms)	Firms we do not supervise under the MLR 2017 (18 firms)
37 (100%) of firms were completing identification and verification checks	16 (89%) of firms were completing identification and verification checks
37 (100%) of firms were screening clients for sanctions	14 (78%) of firms were screening clients for sanctions
31 (84%) of firms were completing a client/matter risk assessment form (not all matters reviewed were regulated under the MLR 2017)	10 (56%) of firms were completing a client/matter risk assessment form

Challenges with sanctions

During our inspections we also reviewed the challenges the firms faced in dealing with the sanctions regimes and identified some common themes:

• Keeping up to date with sanction regimes that continue to broaden and change. As well as keeping on top of the interplay between the UK, UN, USA, and European regimes. This is important because 36 of the 55 firms we inspected confirmed they had a client who became subject to sanctions part way through the retainer.
• Understanding ownership and control within complicated corporate structures. The importance of checking ownership structures is shown by the fact that 29 firms we inspected confirmed they had a client where a designated person had a minority shareholding or interest.
• Although OFSI may grant a licence, firms may still need to engage with their bank or insurer to ensure the matter can progress.

Sanctions controls checks – AML Inspections

In the last reporting year we introduced a review of sanctions controls as part of all onsite AML inspections. We will continue to review sanctions controls on each AML inspection.

During this reporting year, we carried out 237 onsite AML Inspections. We reviewed the sanctions controls at each of these inspections.

Since issuing our sanctions guidance, we have noted the following improvements:

• Five per cent of firms did not check whether new clients were designated persons down from 10% reported in the previous year.
• Seventeen per cent did not check whether existing clients were designated persons down from 47% the previous year.

We provided feedback to 27 firms on either their sanctions screening processes, sanction controls or both. So, in total only 11% of firms needed advice on how to improve their controls.

Sanctions controls checks – Forensic Investigations

We also widened the scope of our activities by asking our Forensic Investigations (FI) team to conduct sanction controls checks on investigations they carry out. The FI Team assessed sanctions controls at 106 FI Investigations. Widening the scope of the sanctions controls checks beyond an AML Inspection allows us to check controls on our wider regulated population and not just those firms we supervise under the money laundering regulations.

We learnt that:

• Seventy-two per cent of firms had assessed their sanctions risk in writing
• Eighty-three per cent of firms had written procedures in place for if they discovered a client was a designated person
• Seventy-seven per cent of firms had provided sanctions training to their staff
• Seventy-nine per cent of firms did check if their clients were subject to sanctions.

These results will allow us to check for improving trends or areas of decline as we continue with this work.

We have continued to update our guidance to provide support for firms and raise awareness about sanctions risks across the legal profession. For example, we:

• Regularly use our SRA Update e-bulletin to provide information to the profession on the latest financial sanctions updates and highlight materials being published by the government, ourselves, and others.
• Promoted sanction articles in 11 of the 12 bulletins issued between July 2023 and June 2024.
• Provide support and guidance to firms on financial sanctions via our events page and webinar programme. More than 1,000 people have joined our live webinars and events on sanction-related issues, and a further 1,500 viewers to-date watching recordings of the sessions.
• Delivered a keynote session on the subject at our annual Compliance Officer Conference in 2023. 'Tackling financial crime – staying ahead of the criminals. This included a contribution from a leading KC on the practical challenges of sanctions compliance. This face-to-face event was also broadcast online.

Using the information gathered from the different strands of our proactive work we have:

• Issued guidance on how to complete a sanctions firm wide risk assessment and provided a template that firms can use to draft their own sanctions FWRA. Used together these can help a firm assess their exposure to risks associate with the UK's sanctions regime and create a record of this that can be reviewed and updated as appropriate over time.
• Updated our guidance to help firms comply with the financial sanctions regime. Setting out details of the various sanctions regimes, red flag indicators and our expectations of what a good control regime looks like.

These case studies provide an insight into when and why we take enforcement action and how our fining guidelines are implemented.

Case study one

We conducted a desk-based review on a firm in March 2023. We identified that five files did not contain CMRAs. The firm accepted that it had not completed any CMRAs on its files prior to March 2023.

The firm was issued with a financial penalty of £23,035 in line with our fining guidelines.

Case study two

We inspected a firm and identified that it did not have a compliant FWRA and PCPs. Our inspections also highlighted that relevant staff had not received AML training. In addition, source of funds checks had not been completed on files and we found that fee earners were not following processes relating to assessing client and matter risk assessments (CMRAs). The firm also did not have a process to monitor fee earner's compliance with its PCPs.

The firm was issued a fine of £15,202.00 in line with our fining guidelines.

Case study three

We inspected a firm and identified that it did not have a FWRA in place prior to April 2020 or compliant PCPs in place until December 2022. The inspection also highlighted that the firm were not risk assessing clients and matters prior to April 2022.

The firm received a fine of £9,993.40 in line with our fining guidelines.

Case study four

We carried out a desk-based review on a firm. The review identified that the firm did not have a firm wide risk assessment (FWRA) despite previously declaring to us that they had. The review also identified that the firm's AML policies, controls and procedures (PCPs) were not compliant with the MLR 2017.

The firm was issued a fine of £17,223.21 in line with our fining guidelines.

Emerging risks

We assess emerging risks through a range of sources, such as:

• through our investigative work
• reports from law enforcement agencies or other authorities
• the National Risk Assessment by the UK government
• our proactive inspections of firms.

On a quarterly basis we discuss emerging risks with our MLRO and Intelligence colleagues, also comparing notes on findings from proactive reviews and investigations. We also consider any risks which we may have encountered during our external engagements or which have been reported in the media.

Sanctions

The pace and complexity of the changes to the sanctions regime over the past years have presented challenges for some firms. This is an important regime and the consequences of non-compliance are high because of the strict liability regime in place. Sanctions evasion can undermine the credibility of international law and cooperation, crucial pillars for maintaining global peace and stability. Firms must, therefore, make sure they are fully compliant at all times.

For most firms, this will generally involve:

• taking measures to identify designated persons
• avoiding providing them with prohibited services without proper licensing from the Office of Financial Sanctions Implementation
• making sure all reporting obligations are fulfilled.

We have continued to provide guidance to firms and to alert them of significant changes to sanctions legislation and regulation. The pace of change and lack of forewarning is intended to be disruptive to designated persons but can cause challenges for firms.

We undertook a data collection exercise in late 2023 aimed at firms which are out of scope of the MLR 2017, requesting information on their sanctions' controls. Through this, we were able to further enhance our knowledge of the exposure of the profession to the risk of breaching the regime. We also provided tailored advice to 1,086 firms whose answers suggested weak sanctions controls.

We also published guidance and a template for firms to use in assessing their own sanctions risk. We understand that firms out of AML scope may be unfamiliar with the process of assessing their own risk and have drafted these documents accordingly to be relevant to all.

We have also revised our sanctions guidance note. Among other things, this now takes account of the Office of Trade Sanctions Implementation being formed, and sanctions on trust services to persons connected with Russia.

Conveyancing

The area where we continue to see the most risks relating to money laundering is conveyancing. 73% of the SARs we submitted to the National Crime Agency during the reporting period involved residential conveyancing.

Sales and purchases of property not only allow large amounts of money to be transferred in a single transaction, but also involve an asset which can generate its own income, will likely increase in value, and can be lived in. This makes conveyancing an attractive option for money launderers.

This has been a consistent pattern over multiple years and one that should cause firms to consider conveyancing as a high-risk activity. Firms should treat it as such when it comes to due diligence and ongoing monitoring.

We have also recently seen an increase in vendor fraud. This is where fraudsters try to sell a property, and receive the purchase price, without the consent or knowledge of the owner. A robust client due diligence regime is the best form of defence against a firm becoming involved in this form of fraud.

Technology

New technology presents risks on various fronts, for example:

• Cyber security. Firms should be aware not only of their own cyber security but also that of any third-party providers they may use. A recent cyber-attack affected users of a particular case management system which affected many firms' ability to provide a normal service to clients.
• New funding platforms will present new challenges in establishing the legitimacy of the funds in transactions.
• AI continues to develop in new ways and can be used to both combat and aid money laundering. The use of video and audio deepfakes presents new issues in dealing with remote clients, making identification and verification even more important.

Any use of new technologies must, under the MLR 2017, be preceded by an assessment of the risks they may introduce and effective mitigation of these risks where possible.

Supply chain risk

Firms may find themselves providing one aspect of advice or services in a wider chain or network. There may be other professionals and service providers also involved, advising on  separate aspects of the wider transaction or structure. This leads to a risk that firms may unwittingly contribute to a criminal enterprise by concentrating on a single aspect which, in isolation, appears legitimate.

Understanding the purpose of the services firms provide, and who is ultimately benefiting from them, is important in being able to identify and manage any supply chain risks. This could involve making preliminary enquiries of clients to help understand the purpose of the whole matter and how their instructions fit into the overall supply chain. If necessary, firms should also look beyond their own instructions to understand the totality of the transaction and identify any risks. This may include taking steps to understand the role of other professionals in the supply chain, for example, accountants or company formation agents, and ensuring that these services fit with the solicitor's understanding.

The MLR 2017 requires firms to assess the purpose of a transaction and effective use of client and matter risk assessments can help mitigate this risk.

Other risks

A broader related risk is the risk of a law firm being compromised by criminals who may use the services of the firm to clean illicit funds. We consider that the new controls imposed by Companies House, and the Trusts Registration Service, will contribute to reducing the use of corporate structures to do this. However, criminals will invent ever more sophisticated methods of circumventing these stronger controls.

We set out the areas where we think there is the greatest risk of money laundering in our sectoral risk assessment which also reflects the National Risk Assessment.

In the coming year we will continue to focus on: 

• Taking a risk-based approach to inspections and desk-based reviews, informed by a further data-gathering exercise, to gain a richer understanding of AML systems, processes and procedures in place.
• Helping firms put strong controls in place to prevent money laundering by way of our sectoral risk assessment, published guidance and bespoke advice following proactive reviews.
• Taking a risk-based approach to sanctions inspections and continuing to monitor external changes and develop or update our guidance as appropriate.
• Bringing enforcement action against firms that are not meeting their responsibilities under the regulations.
• Providing targeted and timely guidance for firms through a programme of lunchtime webinars focused on different AML and related topics.
• Monitoring the areas mentioned above, under emerging risks, and considering what next steps we might need to take.

In addition, we are considering how best to respond to our new regulatory objective of promoting the prevention and detection of economic crime under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Alongside our work relating to AML and sanctions, we will be recruiting to expand our proactive capability. This will make sure we have the right levels of oversight and coordination of the reactive and proactive ways of working that support our fraud prevention work.

ECCTA also gives us unlimited fining powers to sanction certain breaches that involve economic crime. Economic crime defined in ECCTA includes, by way of summary, theft, fraud, false accounting, bribery, tax evasion, money laundering and funding of terrorism, and breach of financial sanction arrangements. During the summer of 2024 we consulted on proposals to update our approach to financial penalties in light of our new powers. We will publish a response to this consultation and our final position, in 2025.

During August and September 2024, we began a major data collection exercise aimed at all firms we regulate. This covers:

• areas within AML scope
• trusts and company services
• sanctions
• suspicious activity reports.

Under the regulations, we must risk profile firms and monitor risks as discussed in this report. We look at a range of factors to determine risk, including regulatory history and size. Where appropriate, our risk model also considers mitigation, such as AML controls. The updated firm information we will gather in 2024 will be fed into this model to further enhance our view of firm risk.

AML Controls – Training

As a first line of defence, AML training is one of the most effective controls against fee earners and firms becoming inadvertently involved in money laundering. Staff training and awareness has long been recognised as a key AML and counter terrorist funding (CTF) control. We have published a thematic review into AML training, which has involved liaising with training providers and firms as to how best to use this valuable tool to improve and bolster their AML regimes.

Continuous improvements and widening the scope of our work

Where we identify themes or common areas of weaknesses to comply with the regulations, we take action to address this. We have included some examples of activities we have undertaken in the last reporting period that reflect our approach to AML supervision.

Firm wide risk assessment

We consistently have to provide feedback on firm wide risk assessments during inspections and desk-based reviews. This suggests to us that this is an area some firms do not fully understand. This has led us to take steps to provide a variety of resources to help firms produce effective firm risk assessments. These include:

• An updated firm wide risk assessment (FWRA) template and checklist which was originally produced in 2019. We identified that the template was not being used as we intended which has led us to update the template and checklist in October 2023. The update also reflects the updates we have made to our sectoral risk assessment which sets out common risks firms must be aware of when drafting their FWRA. The template is available for firms that may wish to use it.
• A webinar on how to complete a FWRA in February 2024 to support firms those firms that need help with complying in this area. This is the second webinar we have done on this topic in two years.

Client and matter risk assessments

We identified from our proactive supervision work in recent years that this is an area with low levels of compliance. For example, in the 2021/2022 reporting period, we reported that 42% of the CMRA we reviewed on files were ineffective. In the 2022/2023 reporting period, this figure was 51%.

In response to this, we:

• carried out a thematic review on CMRA in the summer of 2023
• published guidance and CMRA template
• published a warning notice, clearly setting out our expectations of firms in this area in October 2023
• produced a practical webinar on completing client and matter risk assessments in February 2024.

We trialled the new template with 13 firms of different sizes and four AML consultants to make sure it was as relevant and practical as possible for users.

In this reporting period (April 2023/April 2024), we have found that 12% of the CMRA we reviewed were ineffective, this is an improvement on previous years. This reflects improvements and better understanding in this area, since the publication of the suite of documents mentioned above.

Sanctions

The sanctions regime has expanded rapidly since February 2022, both in scope and scale which has presented challenges for many firms. Last year to support firms with understanding how to comply with the UK's sanctions regime we published financial sanctions guidance.

Sanctions has been a priority area for us and we have significantly widened the scope of our work this year.

 This reporting year we have:

• Updated the sanctions guidance.
• Published press releases on key changes such as the ban on legal services and updates to legal services general licences.
• Published a sanction risk assessment template to help firms assess their exposure to risks associated with the UK's sanctions regime.
• Produced a practical sanctions webinar on how to comply and what to do if you find yourself in breach.

We have also strengthened our proactive supervision in this area by:

• a series of data collection exercises, we identified over 1,000 firms that had weak or no sanctions controls and issued them with guidance
• carrying out sanctions inspections on firms that had informed us that they have acted for a designated person, and
• monitoring sanctions controls through AML inspections or forensic investigations.

We will continue to monitor this area and take a risk-based approach to proactive supervision of sanctions inspections.

Enforcement

Where we see that firms or individuals have failed to comply with the money laundering regulations, we can take enforcement action.

We are likely to impose a sanction where there are substantial breaches of the regulations which put the firm at a high risk of money laundering.

As a regulator we regularly review how we carry out our work and functions. We have made changes to our processes in the last year. This has led to increased levels of appropriate fines and swifter conclusion of cases.

We recognise that the firms we supervise, and other stakeholders, are interested in our AML enforcement approach. This is why we held a webinar in September 2023 where we shared the AML trends from cases where money laundering, terrorist financing and financial sanctions rules had been breached.

Increased proactive supervision

As a regulator and an AML supervisor, it is important to us that we carry out our supervision responsibilities in an effective manner. We regularly review our supervisory approach to ensure it is in line with the OPBAS sourcebook and take steps to monitor the efficiency of our processes.

We consider our supervisory approach to be effective. This is demonstrated in the increased number of engagements we have carried out this year.

• We reviewed 3,048 files in this reporting period, compared to 1,245 files in the previous year.
• We have almost doubled the number of AML reviews we have carried out in this reporting year.
• We, conducted 545 proactive engagements in this reporting period, compared to 273 the previous year.

We have increased our resources whilst also reviewing and streamlining our processes. As a result, we expect to see a further increase to these numbers in the next reporting year.

This reporting year we also introduced a cyclical programme of work targeted at reviewing the independent audits of our largest firms.

Further, we continue to evolve our inspection and desk-based review programme to take into account legislative changes. We are closely monitoring any trends we identify in non-compliance. We have expanded our inspection programme to look more closely at how well firms review their AML controls.

On sanctions compliance, we have carried out a significant amount of proactive work identifying weaknesses in controls and ensuring compliance. Overall firms are doing well in this area, and we have already seen an improvement in controls compared to last year. We will continue to monitor firms' controls throughout our engagement and will carry out inspections using a risk-based approach.

Success measures

Through our success measures work, we measure how well firms are doing in three areas. These are firm wide risk assessments, AML policies and due diligence. We have noted that there has generally been an improvement in the quality of AML documents firms have provided to us in the last couple of years.

We found that:

• Compliance levels on firm wide risk assessments increased from 53% last year to 60% this year.
• Compliance levels across AML policies increased from 35% last year to 51% this year.
• Compliance levels for adequacy or identification and verification checks increased from 88% to 96% this year.

These figures relate to the number of firms that we assessed as being fully compliant across two reporting periods. Given we have more than doubled our proactive supervision work and reviewed more firms, this is a positive shift in compliance.

Communications and engagement

As part of our proactive approach to AML compliance and guidance, we run awareness campaigns across the year. AML regulation can be complex, and the feedback we receive tells us that people appreciate proactive communications campaigns.

We speak to the profession in many ways, directly through our own social media channels, but also by attending sector events. AML sessions are always the most popular at our annual compliance conference, which is attended by more than 1,000 people and watched virtually by an additional 800, To support this we run dedicated webinars throughout the year to provide opportunities to ask questions of our AML experts. In this reporting year we held two webinars on firm wide risk assessments and client and matter risk assessments. We then hosted a live questions and answers webinar in May 2024.

In addition to webinars, we have also focussed on improving the way we communicate with the sector. We have:

• Developed an insight-driven AML basics campaign to help increase compliance with and understanding of AML regulation.
• Reviewed existing communications to understand what type of content gets greater engagement and response from the profession.
• Increased our video content, answering most common questions, responding to what the profession wants to know.
• Produced more first-person pieces from AML staff, lifting the lid on supervision and inspection.

We have already seen results, with increased engagement across social media, achieving an average engagement rate of 6%, against an industry-wide AML average of 2%.

Our AML resources

Money laundering regulations and who they apply to

What does my firm need to do?

How we regulate money laundering

Sectoral Risk Assessment - Anti-money laundering and terrorist financing

Anti Money Laundering annual report 2021-22

Anti Money Laundering annual report 2022-23

Make changes to your Anti-Money Laundering authorisation

Money Laundering Governance: Three Pillars of Success

Firm wide risk assessment guidance

Client and matter risk assessment warning notice

Client and matter risk assessment thematic report

Client and matter risk assessment template

AML Basics

AML and sanctions webinars

AML Questions and Answers webinar – May 2024

Client and matter risk assessment webinar – February 2024

AML: enforcement trends – September 2023

Government sanctions regime: how all firms can stay compliant – May 2023

Compliance Officers Virtual Conference 2022

AML: How to do a firm-wide risk assessment – June 2022

AML officers: what they need to know - February 2022

Our sanctions resources

Tell us about your firm's approach to financial sanctions

Financial sanctions and Russia

Financial sanctions and Russia

Government sanctions regime - how all firms can stay compliant

Sanctions regime guidance helps firms stay compliant

Complying with the UK sanctions regime

Other relevant sector guidance

Proceeds of crime guidance  

Published by the Legal Sector Affinity Group

Legal Sector Affinity Group Guidance – Part 1

Legal Sector Affinity Group – Part 2 (barristers, Trust or Service Company Providers and Notaries)

Barristers – to be read independently of Part 1

TCSPs – to be read in conjunction with Part 1

Notaries – to be read in conjunction with Part 1

Published by the National Crime Agency

Guide to submitting better quality SARs

SARs Online User Guidance

SARs FAQs

SARs Glossary Codes

Produced by HM Government

UK National Risk Assessment