“The strength of the United Kingdom’s legal and financial institutions has made it a centre of world commerce,” opens the Solicitors Regulation Authority’s (SRA) review, Preventing Money Laundering and Financing of Terrorism. Of course, that also makes it a centre of money laundering and terrorist financing. The National Crime Agency (NCA) has said that money laundering is likely to cost the United Kingdom more than £24 billion (U.S.$33bn) a year and is a major source of financing for criminal activity. 

In addition, law firms that help clients with large financial transactions, and that are seen as inherently “respectable,” are a major target of money launderers.

For example, in the last three years, in cases linked to potential improper money movements, the SRA closed down eight firms, with another 14 firms closing down voluntarily. It has also referred 49 individual solicitors and two other firms to the Solicitors Disciplinary Tribunal. These referrals resulted in 12 strike-offs, 13 suspensions, and fines of more than £800,000 (U.S.$1M).

It’s not simple to comply with the legal framework. Solicitors must comply with their legal obligations under the Proceeds of Crime Act (POCA) 2002, the Terrorism Act (TACT) 2000 and, where applicable, the Money Laundering, Terrorist Financial and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). MLR 2017 transposed the EU’s Fourth Anti-Money Laundering Directive into U.K. law in June last year. Complying with it means not facilitating money laundering, and it applies to high risk services, such as conveyancing and offering trust and company services.

We are encouraged that most firms seem to be on top of the issues, but all firms in scope must now comply with the new regulations. It is not enough to want to do the right thing. Weak processes or undertrained staff leave the door open for criminals. If firms do not step up and treat this issue with the seriousness it deserves, we will take action.
Paul Philip, SRA Chief Executive

The Law Society is the named supervisor for solicitors for MLR 2017, but it delegates supervision of AML to the SRA. As one of its periodic reviews of the industry’s compliance (especially with the new regulations), the SRA, during July and August 2017, visited 50 firms across the profession, both small and large, to examine their AML and Countering the Financing of Terrorism (CFT) policies. The review brought up serious concerns about the processes and practices in six of those firms. These firms are now in “ongoing disciplinary processes.” In addition to the SRA review, later this year, the Financial Action Task Force (FATF) will conduct a peer review of the United Kingdom will assess the effectiveness MLR 2017 and of solicitors’ firms in preventing financial crime.

The most substantial changes in MLR 2017

Some of the more substantial changes that have been introduced as a result of MLR 2017 include:
a requirement for a practice-wide risk assessment
the obligation to appoint an individual at the level of 'senior management' as the officer responsible for compliance with the MLR 2017. This individual will be the Money Laundering Compliance Officer (MLCO) and is required by a firm where it is appropriate “with regard to the size and nature of its business”
amendments to the way in which simplified due diligence may be applied.


One of the requirements of MLR 2017 is that, from this year, many firms will be required to appoint a Money Laundering Compliance Officer (MLCO). The review showed that close to have the firms have already identified an individual to occupy this role. MLR 2017 also requires firms to register MLCOs with the SRA. It is a new role and will supplement the duties of the existing Money Laundering Reporting Officer (MLRO). But, the MLCO will be a board-level or equivalent status position and will be responsible for AML and CFT compliance, not just reporting activities.

Among the firms, the SRA reviewed 100 files for compliance with MLR 2017. “There was evidence that the level of risk [of AML] was assessed on only 69 of these files,” said the review, “which was less than we would have liked to have seen.” The SRA recommends that all firms should keep “written records of decisions, risk assessment processes, and what due diligence was undertaken for each client/matter.”

In general, processes surrounding complying with the new customer due diligence (CDD) requirements are going well. Likewise, progress on identifying the source of funds and source of wealth shows signs of high compliance, though some firms are lax in this area. Training for the new regulations and in basic AML and CDD practices appears to be universally good. In addition, almost all firms had an AML/CFT policy, and many had reviewed this policy recently; only 11, however, had conducted a firm-wide risk assessment. Given that such a firm-wide risk assessment is a requirement under MLR 2017, the SRA was very disappointed with progress on this issue. While there was only a couple of months between the implementation of the law and the review, firms had known about the contents of the law much earlier and should, said the Authority, have made an attempt to be in compliance immediately. A firm-wide risk assessment should include “consideration of their geographic areas of operation, customers, the types of services and products, and the nature of transactions.”

FATF definitions of source of funds and source of wealth

These terms are not defined in the MLR 2017, but the FATF gives the following definitions23:
The source of funds refers to the origin of the particular funds or other assets…Normally it will be easier to obtain this information but it should not simply be limited to knowing from which financial institution it may have been transferred. The information obtained should be substantive and establish a provenance or reason for having been acquired.
The source of wealth refers to the origin of the…entire body of wealth (i.e., total assets). This information will usually give an indication as to the volume of wealth the customer would be expected to have, and a picture of how the PEP acquired such wealth. Although [firms] may not have specific information about assets not deposited or processed by them, it may be possible to gather general information from commercial databases or other open sources.


MLR 2017 places a specific requirement on firms where they seek to act for a politically exposed person (PEP) or their family or known associate. The “fee earner must have approval from senior management, establish the source of wealth, and conduct ongoing EDD [enhanced due diligence].”

Using a variety of CDD and EDD methods, recommends the SRA, “means that firms can verify information between documents.” This appears to be the case. Most firms used documentary IDs, an ID checking service—which also checked clients against the HM Treasury sanctions list—and Companies House documents among a range of other information sources. As the review says: “EDD is a live issue for many firms. Of the 50 we visited, 24 had clients who were PEPs.”

From 25 May 2018, because firms will not only be subject to MLR 2017 but also to the General Data Protection Regulation (GDPR), they will have to balance the competing compliance requirements of these two sets of regulations. GDPR, says the review, “will have an impact on the data which firms must retain for AML/CFT purposes. The rights to erasure and objection will have a bearing on what information firms can hold about their clients.”

Monitoring AML/CFT compliance

Thirty-five firms had a designated audit function that monitored AML/CFT compliance:
twenty-three firms said that the audit function was internal
four said that it was external
eight firms had both an internal and external audit function
Thirty-three firms said they took other steps to test compliance with the firm's AML/CFT policies and procedures. That included:
regular AML meetings with fee earners
training and testing
reviewing client opening forms
undertaking an annual firm risk assessment
technical file reviews
monitoring by the finance/internal compliance teams
weekly exceptions reporting

The review also looked at not just reporting processes, but actual reporting of suspected money laundering at the firms. In the United Kingdom, it is the United Kingdom Financial Intelligence Unit (UKFIU) that is responsible for gathering reports about potential AML activities. To submit a report, an MLRO must make a suspicious activity report (SAR). There are two kinds of SARs, a defence against a money laundering (DAML) SAR (which provides the firm with a defence in case an activity is consequently identified as criminal) or an intelligence SAR (which provides intelligence to the UKFIU and the NCA about possible AML activities).

There are two parts to the process:

internal reports by staff to their MLRO

reports by the MLRO to the UKFIU

In the review, the SRA found that almost three-fifths of MLROs had submitted a DAML SAR, including more than three-quarters of MLROs at large firms and almost half of MLROs at other firms. Almost two-fifths of MLROs had submitted an intelligence SAR, half of the large firms and just under a third of the other firms. A total of 337 DAML SARs and 91 intelligence SARs had been made, though the review does not say over what period. We are clearly not talking about just potential risk, however, but about actual, ongoing criminal activities.