Key takeaways

  • The Solicitors Regulation Authority (SRA) fined 59 law firms a total of £600,000 in six months for Anti-Money Laundering (AML) compliance failures, primarily involving missing risk assessments and inadequate AML controls.
  • Client and Matter Risk Assessments (CMRAs) remain a major enforcement focus, with several firms unable to demonstrate that assessments had been completed or documented correctly.
  • A compliant CMRA should assess client risk, source of funds, transaction purpose, geographic exposure, service risk, ownership structures and any indicators requiring enhanced due diligence.
  • The latest enforcement actions show that AML penalties are often triggered by poor documentation and inconsistent processes rather than deliberate financial crime.
  • For legal compliance teams, the fines highlight the need for stronger oversight, audit trails and automated AML workflows that support consistent risk assessment and regulatory reporting.

Introduction

The SRA has fined 59 law firms a combined £600,000 over the past six months for AML failings. While the total value of penalties is significant, the real story lies in the nature of the breaches themselves.  

These were not sophisticated criminal schemes or deliberate attempts to circumvent regulations. In many cases, firms were sanctioned for failing to put in place some of the most fundamental AML controls required under the Money Laundering Regulations.  

The message from the regulator remains consistent: basic AML compliance failures continue to attract enforcement action, regardless of a firm’s size, location or intentions. 

The same AML problems keep arising 

Across all 59 firms, the SRA identified recurring weaknesses that compliance professionals will recognise immediately.  

Many firms either did not have a firm-wide risk assessment in place, had failed to maintain suitable AML policies and procedures, or were unable to demonstrate that client and matter risk assessments had been completed. 

These are not new requirements; law firms have been expected to comply with the Money Laundering Regulations 2017 for years. Yet SRA investigations continue to uncover gaps in documentation, inconsistent processes and poor record-keeping.  

Three firms received the maximum £25,000 fine that the SRA can impose without referring the matter to the Solicitors Disciplinary Tribunal. Those firms were BRR Law, William Heath & Co and HMG Law.

In each case, the regulator found shortcomings that went directly to the heart of risk assessment and customer due diligence processes. 

For BRR Law, the SRA identified an eight-year failure to carry out client and matter risk assessments. William Heath & Co was unable to produce client matter risk assessments on files reviewed during an inspection, while HMG Law failed to maintain up-to-date risk assessments and AML procedures. 

The underlying theme is difficult to ignore. Firms are still falling short on requirements that regulators consider foundational. 

Why client and matter risk assessments matter 

A client and matter risk assessment (CMRA) sits at the centre of a firm’s AML framework. It is the mechanism that helps fee earners and compliance teams understand the money laundering and terrorist financing risks associated with a particular client and a specific instruction.

The SRA expects firms to carry out and document these assessments at the beginning of a client relationship and, where appropriate, throughout the life of the matter. The assessment should not be treated as a formality or a box-ticking exercise. It should actively inform the level of due diligence applied to the client.  

Importantly, the risk assessment must align with the firm’s wider risk profile. If a firm identifies particular services, client types or jurisdictions as presenting higher risks in its firm-wide risk assessment, those factors should feed into matter-level assessments. 

What should a CMRA include? 

The SRA’s guidance and template provide a practical framework for assessing risk. A compliant client matter risk assessment should consider several factors before determining the overall risk rating.  

The assessment should examine the purpose of the transaction or business relationship, the size and nature of funds involved, the expected duration of the relationship and any indicators that could suggest elevated money laundering risk.  

Fee earners should also consider the client’s background, ownership structure, source of funds, source of wealth where relevant, geographic connections and the nature of the legal service being provided.  

The regulations require firms to take account of high-risk factors, including politically exposed persons (PEPs), connections to high-risk jurisdictions, unusual transaction patterns and circumstances that may warrant enhanced due diligence.  

Perhaps most importantly, firms must record the rationale behind their conclusions. The SRA has repeatedly criticised generic tick-box assessments that fail to explain why a particular risk rating was assigned. Templates can be helpful, but they must be tailored to the firm’s own services, clients and risk exposure. 

Why compliance teams should pay attention 

Although the latest figures show a reduction in the number of firms fined compared with late 2025, enforcement activity remains steady.  

For AML compliance teams, the fines highlight a common challenge. Many firms have policies, templates and procedures on paper. The problem arises when those controls are not consistently followed across the business. 

The SRA has repeatedly stated that having a process is not enough. Firms must be able to demonstrate that fee earners are completing risk assessments correctly, documenting their decisions and applying appropriate levels of due diligence based on the risks identified. This is often where manual processes begin to break down.  

Risk assessments are missed. Reviews become overdue. Source of funds checks are inconsistently recorded. Documentation sits in different systems. When an SRA inspection arrives, firms can struggle to evidence compliance even when work has been undertaken.  

The growing case for AML automation 

As enforcement action continues, many legal practices are reassessing how they manage AML obligations across the client lifecycle. Technology cannot replace professional judgement, but it can help firms build consistency into processes that are otherwise vulnerable to human error.  

Automated workflows can prompt fee earners to complete mandatory risk assessments, flag high-risk matters requiring enhanced due diligence, maintain audit trails and support ongoing monitoring obligations. They can also provide compliance teams with oversight that is difficult to achieve through spreadsheets and disconnected systems.  

When regulators ask for evidence, firms need to be able to demonstrate not only that assessments were completed, but also why decisions were made and how risks were managed throughout the matter.