As always, nobody has time for summaries, let’s just get into it.

Here’s the link to the full report on SRA’s website.

Policy, Strategy, and Oversight

• The United Kingdom continues to be a major global centre for financial services, and consequently, a high-risk jurisdiction for money laundering.
• An estimated £100 billion or more is laundered through the UK or through UK-linked corporate structures each year.
• More than 4,500 organised crime groups are known to operate within or through the UK.
• The SRA supervises 5,569 law firms for compliance with the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.
• The SRA’s remit covers approximately two-thirds of all authorised law firms in England and Wales.
• The SRA’s authority derives from delegation by the Law Society, which remains the statutory supervisor under the regulations.
• Oversight of the SRA’s supervisory performance is provided by the Office for Professional Body Anti-Money Laundering Supervision (OPBAS).
• The Financial Action Task Force (FATF) provides the international standards underpinning the UK’s regulatory framework.
• The Economic Crime and Corporate Transparency Act 2023 introduced a new regulatory objective for legal regulators to actively prevent and detect economic crime.
• The Act also strengthens Companies House powers, beneficial ownership transparency, and information-sharing mechanisms across regulators.
• The SRA contributed to national consultations led by HM Treasury, the Home Office, and the Legal Services Board regarding anti-money laundering supervision reform.
• The UK government intends to consolidate anti-money laundering supervision under the Financial Conduct Authority (FCA).
• The transition to the FCA, if implemented, will represent a structural change from a multi-supervisor model to a single-supervisor model.
• The SRA has aligned its supervisory focus with the nine National Economic Crime Priorities, including misuse of corporate structures, high-risk jurisdictions, politically exposed persons, professional enablers, and sanctions evasion.
• The SRA has committed to using artificial intelligence and data analytics to strengthen supervisory targeting by 2026.

Supervision, Inspections, and Data-Led Regulation

• In 2024–25, the SRA conducted 935 anti-money laundering supervisory engagements.
• Engagement types included 317 onsite inspections, 516 desk-based reviews, 71 thematic reviews, and 25 independent audits.
• The number of engagements increased by 72% compared to the previous year (from 545 to 935).
• A total of 5,873 client files were examined during these supervisory activities.
• Onsite inspections generally produced higher compliance levels than desk-based reviews.
• The SRA applies a risk-based approach to select firms for inspection, prioritising those handling higher-risk transactions such as conveyancing and trust management.
• The average inspection reviewed 10 to 12 client files per firm.
• The SRA also carried out 71 thematic reviews focusing on specific issues such as source-of-funds procedures, proliferation financing, and sanctions compliance.
• Independent AML audits were performed at 25 large firms, with 24 of these audits including file sampling.
• Engagements assess firms’ compliance with key Money Laundering Regulations, including Regulations 18 (Firm-Wide Risk Assessment), 19 (Policies, Controls, and Procedures), and 28 (Customer Due Diligence).
• 270 firms (32.4%) were found to be non-compliant.
• The majority of non-compliance was due to inadequate risk assessments, missing or ineffective client and matter risk assessments, and weaknesses in source-of-funds checks.
• The SRA uses a graduated regulatory response model that ranges from informal feedback to formal investigation and sanction.
• Firms are typically first given written feedback or guidance before formal enforcement unless the breach is serious or repeated.
• The SRA continues to move toward “data-led supervision,” using analytics derived from thousands of inspection files to predict risk.
• Supervisory intelligence is increasingly shared with OPBAS, the National Crime Agency (NCA), and other professional regulators.

Firm-Wide Risk Assessments

• A firm-wide risk assessment (FWRA) is required under Regulation 18 of the Money Laundering Regulations.
• Only 47% of firm-wide risk assessments reviewed were rated as compliant.
• 9% were fully non-compliant, and 44% were only partially compliant.
• The compliance rate declined from 60% in the previous year to 47%.
• 19 firms had no firm-wide risk assessment at all and were immediately referred for investigation.
• Common weaknesses in risk assessments included:
  • Failure to tailor assessments to the firm’s specific services or client base.
  • Over-reliance on generic or template risk assessments.
  • Inadequate analysis of transaction risk, client risk, and geographic risk.
  • Lack of documented rationale for assigning risk ratings.
• The SRA provided quantitative feedback in the following areas:
  • 387 instances of missing transaction-risk analysis.
  • 365 instances of inadequate product or service risk evaluation.
  • 343 instances of weak geographic risk consideration.
  • 340 instances of insufficient client-risk analysis.
  • 151 instances of poorly tailored assessments.
  • 118 instances of failure to incorporate sectoral guidance.
• Firms with higher compliance typically linked their firm-wide risk assessments to data from internal suspicious activity reports and client-matter records.
• 78% of firms had completed risk assessments covering proliferation financing, which refers to the financing of weapons of mass destruction.

Client and Matter Risk Assessments

• Regulation 28 requires firms to conduct individual client and matter risk assessments for every relevant transaction.
• 16% of reviewed client files lacked any client or matter risk assessment.
• 39% of client and matter risk assessments were found to be ineffective or incomplete.
• 5% of client and matter risk assessments contained incorrect risk ratings.
• 135 firms, representing approximately 50% of all non-compliant firms, were referred for further investigation due to failures in client and matter risk assessment.
• Common deficiencies included:
  • Failure to connect the client or matter risk assessment to the firm-wide risk assessment.
  • Overuse of standard templates without meaningful analysis.
  • Lack of documentation explaining risk rating decisions.
  • Failure to update assessments when new risk information arose.
• The SRA emphasised that a client and matter risk assessment must demonstrate how a firm determines the level of due diligence required, rather than simply stating a rating.

Customer Due Diligence and Source of Funds

• Customer due diligence (CDD) is governed by Regulation 28 and includes verifying client identity, beneficial ownership, and source of funds.
• 6% of reviewed files lacked complete identity or verification evidence for clients.
• 18% of files lacked proper documentation of the source of funds.
• 8% of files showed discrepancies between source-of-funds information and financial ledgers.
• 90% of firms use electronic identity verification systems.
• 35% of those firms formally test their electronic systems for accuracy or data reliability.
• 41% of firms received supervisory feedback regarding weaknesses in their source-of-funds controls.
• 20% of non-compliant files exhibited issues relating to source-of-funds checks.
• The SRA observed an increase in the use of digital onboarding and e-verification, but also an increase in over-reliance on automated systems without human scrutiny.
• Firms are required to identify and verify the beneficial owners, officers, and managers (BOOMs) of client entities; 22,585 BOOMs were registered under SRA supervision.
• The SRA reminded firms that simplified due diligence (SDD) can only be applied after assessing and documenting low risk, not as a default.

Policies, Controls, Procedures, and Audits

• Regulation 19 requires each firm to establish internal policies, controls, and procedures to manage money-laundering risk.
• 823 firms’ policies, controls, and procedures were reviewed.
• 311 were compliant, 382 were partially compliant, and 130 were non-compliant.
• Common deficiencies in policies included:
  • Failure to address new products and technology risk (239 cases).
  • Weak discrepancy reporting (329 cases).
  • Incomplete reliance procedures (176 cases).
  • Deficient simplified due diligence provisions (165 cases).
  • Poorly defined enhanced due diligence procedures (155 cases).
  • Missing or outdated sanctions controls (144 cases).
• 77% of firms conducted internal AML file reviews, but 33% of these reviews omitted checks on source of funds.
• 48% of firms carried out independent AML audits.
• 32% of those audits were non-compliant, mainly due to inadequate sampling or failure to include client files.
• The SRA encourages firms to complete independent audits on a three-year cycle, adjusted for risk profile.

Financial Sanctions Compliance

• The SRA conducted 432 sanctions-related supervisory engagements, an increase of 8% year on year.
• 47 of these were targeted sanctions inspections.
• Of the 47 inspections, 38 firms were compliant, 2 were partially compliant, and 6 were non-compliant.
• 309 sanctions checks were carried out as part of wider AML inspections.
• 77 additional sanctions reviews were conducted on firms not subject to the Money Laundering Regulations.
• 82% of AML policies reviewed included sanctions provisions.
• 86% of firms assessed sanctions risk in writing.
• 79% of firms maintained written sanctions procedures.
• 74% of firms provided sanctions-specific training to staff.
• 92% of firms screened new clients against sanctions lists, while 79% regularly re-checked existing clients.
• 14% of firms had clients linked to sanctioned countries.
• 28% of firms provided legal services in sectors considered to be high risk for sanctions exposure.
• Less than 1% of firms acted for sanctioned individuals or entities or held frozen assets.
• Approximately £3.2 million in frozen assets were held across 27 designated persons.
• 43 specific sanctions licences were applied for by regulated firms.
• Six firms were referred for investigation due to sanctions-related breaches.
• Common sanctions compliance failures included:
  • Delayed or incomplete reporting to the Office of Financial Sanctions Implementation (OFSI).
  • Absence of documented procedures for applying for or managing sanctions licences.
  • Failure to perform full beneficial ownership screening.

Enforcement and Disciplinary Outcomes

• The SRA recorded 137 internal enforcement outcomes, nearly double the 74 from the previous year.
• In addition, 14 disciplinary outcomes were issued by the Solicitors Disciplinary Tribunal (SDT).
• Total fines from internal and tribunal actions amounted to £953,000.
• £292,000 of fines were issued by adjudicators.
• £661,000 were imposed through regulatory settlement agreements.
• SDT fines totalled £545,000, up significantly from £80,000 the previous year.
• The number of regulatory settlement agreements increased from 9 to 58.
• Fines were distributed across tiers: four in the £10,000–£20,000 range, four in the £20,000–£30,000 range, two in the £30,000–£50,000 range, and one exceeding £300,000.
• Common regulatory breaches included:
  • Regulation 28 (client and matter risk assessments).
  • Regulation 18 (firm-wide risk assessments).
  • Regulation 19 (policies, controls, and procedures).
• Case studies published in the report demonstrate recurring patterns such as lack of risk assessments, misuse of client accounts, and insufficient staff training.
• 426 money-laundering-related reports were received, an 88% increase year on year.
• Fining powers for the SRA have increased twelvefold since 2022, enabling more in-house enforcement rather than referral to the SDT.
• The SRA’s approach emphasises proportionality but signals zero tolerance for repeat breaches.

Suspicious Activity Reporting

• The SRA filed 19 Suspicious Activity Reports (SARs) with the National Crime Agency in 2024–25.
• Although the number of SARs fell from 23 to 19, the total value of suspected criminal funds rose from £75 million to £148 million.
• 73% of the SARs submitted by the SRA related to property conveyancing.
• 111 Defence Against Money Laundering (DAML) SARs were reviewed, and 7 were found to lack critical information.
• Firms are expected to maintain internal SAR registers, document decision-making, and train staff in the statutory reporting process.
• The SRA uses intelligence from SARs to identify high-risk practice areas and inform inspection priorities.

Sectoral and Thematic Finding

• Property conveyancing remains the most exploited legal service for money laundering.
• Trust and company service provision also presents elevated risk.
• The SRA identified a continuing trend of criminal exploitation of client accounts to obscure transaction origins.
• Thematic reviews indicated that smaller firms were more likely to have incomplete risk assessments and weaker governance structures.
• Larger firms generally demonstrated stronger policies and training but sometimes weaker application at file level.
• Decentralised business models, such as consultant-based firms, pose heightened AML oversight challenges due to dispersed supervision.
• Firms offering services in high-risk jurisdictions are expected to apply enhanced due diligence and document their assessment process.

Technology, Data, and Emerging Risks

• Increased adoption of digital onboarding and remote verification has created both efficiencies and vulnerabilities.
• Artificial intelligence and deepfake technology are being used by criminals to falsify identification documents.
• Firms must verify that electronic verification systems are secure, accurate, and sourced from reputable providers.
• The SRA plans to deploy AI analytics in 2026 to cross-check AML compliance declarations across firms.
• Reliance on third-party technology vendors introduces additional cybersecurity and data protection risks.
• Vendor fraud, including interception of client funds during property transactions, remains prevalent.
• Firms are reminded that technology is a tool to support, not replace, professional judgment in risk assessment and client due diligence.

Education, Training, and Culture

• The SRA reported that firms with structured, ongoing AML training had significantly higher compliance levels.
• 74% of firms provided sanctions training, and most provided AML refresher training annually.
• Common weaknesses included failure to record attendance, lack of tailored content for different staff roles, and minimal testing of knowledge retention.
• The SRA emphasised the importance of a strong “tone from the top,” meaning that firm leadership must actively promote compliance culture.
• Firms should integrate AML compliance into broader ethical governance and professional standards frameworks.

Communications, Engagement, and Guidance

• The SRA’s annual AML conference attracted over 1,200 in-person attendees and more than 11,000 online viewers.
• The Authority hosted four dedicated AML webinars in 2024–25, covering AML fundamentals, sanctions compliance, enforcement trends, and issues for sole practitioners.
• The average engagement rate across digital channels was 6%, three times the industry average.
• Public feedback described SRA Q&A sessions as highly practical and relevant.
• The SRA launched thematic campaigns titled “AML Basics” and “Source of Funds.”
• Guidance materials were updated to include new firm-wide risk assessment templates and sanctions checklists.
• These outreach initiatives support the SRA’s shift toward an “educative regulation” approach, combining enforcement with professional development.

Forward Outlook and Future Priorities

• The SRA will continue to apply a risk-based supervisory strategy.
• Planned priorities for 2025–26 include:
  • Targeted inspections of conveyancing and trust service providers.
  • Expanded monitoring of sanctions compliance.
  • Continued thematic reviews of source-of-funds procedures.
  • Integration of AI-based data validation for AML declarations.
  • Development of a single data reporting framework for AML supervision.
  • Collaboration with the FCA to support potential supervision transition.
  • Further outreach through brief “lunch-and-learn” AML sessions.
• The SRA intends to publish updated sectoral risk assessments to reflect geopolitical and economic changes.
• The overall strategic objective is to ensure that firms can evidence compliance in real time, not only through documentation but through data integrity and behavioural indicators.

Overarching Lessons for Law Firms

• Anti-money laundering compliance is now central to maintaining professional credibility and public trust.
• Regulators expect demonstrable understanding of risk, not procedural formality alone.
• Data accuracy, audit trails, and documented rationale for decisions are as important as policy documents.
• Human oversight remains critical even as digital tools expand.
• Senior leadership must take ownership of compliance strategy, not delegate it entirely to compliance staff.
• Regular training, active monitoring, and proactive remediation are indicators of a healthy compliance culture.
• Firms that integrate AML, sanctions, and cybersecurity risk frameworks perform better in inspections.
• The SRA’s enhanced data-driven supervision model will increase detection of weaknesses across the sector.
• The direction of regulation is toward continuous, measurable, technology-assisted compliance.