What happens during an SRA AML inspection?

The Solicitors Regulation Authority (SRA) is the AML supervisor for the majority of law firms in England and Wales in scope of the Money Laundering Regulations 2017 (as amended) (MLRs). If your firm carries out work within scope of those regulations, from conveyancing and corporate work to trust formation and client money handling, an SRA AML inspection is part of that supervisory landscape.

The scale of the SRA’s supervisory activity has increased sharply. In its Anti-Money Laundering Annual Report 2024 to 2025, the SRA revealed that it carried out 864 proactive AML engagements with firms, up from 545 the previous year. Of the 833 firms that received an onsite inspection or desk-based review, nearly a third were found to be non-compliant.

Enforcement outcomes, including fines agreed through regulatory settlement agreements and cases referred to the Solicitors Disciplinary Tribunal, rose to 151 in the same period, up from 78 the year before.

Understanding what an SRA AML inspection actually involves, and what the SRA consistently finds when things go wrong, puts your firm in a significantly stronger position.

How the SRA decides which firms to inspect

The SRA takes a risk-based approach to supervision. Firms are risk-profiled using a range of factors including regulatory history, the nature and volume of regulated work and data gathered through annual AML data collection exercises. 

Higher-risk firms are inspected more frequently but the SRA also regularly inspects low and medium-risk firms. Receiving a notification that an inspection has been scheduled does not mean the SRA believes something is wrong at your firm.

Inspections can also be triggered by intelligence from third parties, self-reports from firms or referrals from law enforcement. The SRA publishes its annual AML report setting out findings from its supervisory activity, which provides a useful picture of where the risks currently sit across the profession.

Two formats: onsite inspection and desk-based review

The SRA uses two main formats for AML compliance checks. 

• An onsite inspection involves SRA officers visiting your firm’s premises. 
• A desk-based review (DBR) is conducted remotely, with documents submitted and reviewed without a physical visit. 

Both formats carry the same weight. A desk-based review can and does result in referral for investigation, compliance plans and enforcement action.

In 2024 to 2025, the SRA conducted 317 onsite inspections and 516 desk-based reviews. The compliance outcomes across both formats were broadly similar. 

• An onsite inspection is more intensive in scope, involving file reviews, interviews with fee earners and direct assessment of how your policies operate in practice. 

• A desk-based review focuses primarily on documentation, though the SRA may follow up with an onsite visit if concerns arise.

If your firm is selected for an onsite inspection, the SRA will contact you to offer a selection of dates. 

What the SRA asks for before the inspection

Ahead of an onsite inspection, the SRA will ask your firm to submit a defined set of documents within 10 days. These are set out in the SRA’s published guidance on firm inspections and include:

• Your business-wide risk assessment (BWRA), required under Regulation 18 of the MLRs, identifying the money laundering, terrorist financing and proliferation financing risks your firm faces.

• Your proliferation financing risk assessment, required under Regulation 18A, which may be included within your BWRA or held as a standalone document.

• Your AML policies, controls and procedures (PCPs) under Regulations 19 to 21, which must be directly linked to what your risk assessment identifies and tailored to your firm.

• Your client AML risk assessment template, showing how you assess risk at client and matter level under Regulations 28(12) and 28(13).

• Copies of any independent audits of your policies and procedures carried out under Regulation 21, including any recommendations or follow-up action arising from them.

• AML training records required under Regulation 24, showing what training was delivered, when and to whom.

• A list of fee earners who carry out work in scope of the MLRs, along with matter lists so the SRA can select files to review. If your system allows, a list of open matters identified as high risk.

The SRA will also ask your firm to complete a short questionnaire describing the services you provide. This is used to understand the scope of regulated work at your firm before the inspection takes place.

What happens on the day

The onsite inspection is more forensic than many firms anticipate. The SRA will interview the firm’s Money Laundering Compliance Officer (MLCO) and Money Laundering Reporting Officer (MLRO). 

These are distinct roles:

• The MLCO is responsible for the firm’s overall AML compliance framework. 

• The MLRO is the nominated officer responsible for receiving internal reports and deciding whether to submit Suspicious Activity Reports (SARs) to the National Crime Agency. 

In smaller firms, one person may hold both roles but the SRA will assess whether the responsibilities are being properly discharged in either case.

Beyond the MLCO and MLRO interviews, the SRA will also select two fee earners to interview. This is to test whether the people doing the regulated work actually understand your AML policies and apply them consistently. 

A disconnect between what the PCPs say and what fee earners do in practice is one of the most common sources of referral for investigation.

The SRA will review a sample of open and closed files, together with client ledgers. In the 2024 to 2025 reporting period, SRA reviewers examined 5,873 files across all inspections and desk-based reviews, typically reviewing between 10 and 12 files per firm. 

On the day, SRA officers will also review any internal SARs and SARs or Defence Against Money Laundering (DAML) SARs the firm has submitted to the NCA. These are reviewed on-site only. The SRA will not ask you to send copies in advance due to their confidential nature.

What the SRA is assessing in your AML inspection

The SRA’s inspection centres on whether your AML framework functions in practice, not just whether the documents exist. Each element is tested against what actually happens at file level.

Your BWRA is reviewed for quality. The SRA looks at whether it genuinely addresses transaction risk, client type, delivery channels, geographic exposure and service-specific risks. 

In 2024 to 2025, 19 firms did not have a BWRA at all and were referred for investigation. Of the remaining 814 reviewed, nearly half had feedback on specific areas where the assessment was incomplete or untailored. Template documents that have not been adapted to reflect your firm’s actual practice are a consistent finding.

Client and matter risk assessments (CMRAs) are examined on individual files. This is the area where the SRA currently sees the most significant failures. 

In the 2024 to 2025 period, 16% of the 5,873 files reviewed did not contain a CMRA at all, and 39% of those that did contained a form that assessed operational rather than AML risks. A lack of CMRAs on file was the single most common reason for referral for investigation in that period, accounting for half of all non-compliant firms.

Source of funds checks are tested at file level. The SRA provided feedback on source of funds to 41% of firms inspected or desk-reviewed in 2024 to 2025. 

Of the files that required a source of funds check, 10% contained no check at all. Where documents had been gathered, they had not been properly scrutinised in 18% of files. Taking a bank statement and filing it is not the same as understanding and documenting the legitimacy of the funds.

Your AML PCPs are assessed for completeness and practical application. Common gaps in the 2024 to 2025 cycle included:

• failure to address new products and business practices under Regulation 19(4)(c);
• discrepancy reporting to Companies House under Regulation 30A;
• the firm’s approach to simplified due diligence;
• enhanced due diligence triggers;
• the handling of high-risk jurisdictions. 

The SRA consistently finds that off-the-shelf policy documents that have not been tailored to the firm do not satisfy the standard required.

Training records are checked for content and regularity. The SRA asks for copies of training materials as well as records, to assess whether the training itself is adequate. One-off induction training with no refresher is a common finding. The SRA’s 2024 thematic review on AML training found that firms where the MLCO had undertaken additional training were around 50% more likely to be compliant overall.

The MLCO and MLRO: a legal sector distinction

One difference between the SRA inspection process and other supervisors is the emphasis on both the MLCO and MLRO roles. 

Regulation 19 of the MLRs requires firms to appoint a nominated officer (the MLRO) to handle internal reports and decisions on external SAR reporting. For firms of appropriate size and complexity, a separate MLCO is also required under Regulation 21A to oversee the AML compliance function more broadly.

The SRA will interview both people separately during an onsite inspection and assess whether each person understands and can demonstrate the responsibilities their role requires. 

If one person holds both functions, the SRA will assess whether those responsibilities are genuinely being discharged rather than being held nominally. 

Senior management attention to AML compliance is something the SRA has identified as a recurring weakness across enforcement themes.

What happens at the end of the inspection

The SRA operates a tiered response framework depending on what the inspection finds. For compliant firms, guidance is issued and the matter closes. 

For partially compliant firms the SRA issues a letter of engagement setting out what needs to improve, with the expectation that the firm will evidence the remedial action taken. 

Where concerns are more widespread, the SRA implements a compliance plan with specific actions and timescales. Firms that fail to act on a letter of engagement or comply with a compliance plan can be referred for investigation.

For non-compliant firms, the matter is referred for investigation. This can result in:

• a regulatory settlement agreement (a fine agreed between the firm and the SRA);
• a fine imposed by an SRA adjudicator;
• conditions on the firm’s authorisation;
• in serious cases, referral to the Solicitors Disciplinary Tribunal. 

In 2024 to 2025 the SRA agreed 58 regulatory settlement agreements totalling £661,200 and imposed 15 fines through adjudicators totalling £292,133. A further 14 matters reached the SDT with fines totalling £545,650.

The SRA can also use more immediate powers where serious concerns arise, including placing conditions on a firm’s practising certificate authorisation to restrict the regulated work it can carry out pending compliance.

What the data tells us about where firms fail

The SRA’s annual report data for 2024 to 2025 is specific about failure patterns. The most common reasons for AML reports received by the SRA were:

• failure to perform risk assessments on clients and matters (162 cases);
• failure to carry out source of funds checks (101 cases);
• failure to have adequate or effective PCPs (99 cases). 

Failure to have any firm-wide risk assessment at all accounted for a further 65 cases.

The SRA has identified three systemic themes behind these failures across multiple reporting periods:

• The first is insufficient senior management engagement with AML compliance. 
• The second is inadequate supervision and training of fee earners. 
• The third is having systems that allow regulated transactions to proceed without an AML checkpoint, whether that is receipt of funds, file progression or matter opening, when the required CDD has not been completed.

Conveyancing remains the highest-risk area in the legal sector for AML purposes. Property transactions featured in 73% of all SARs submitted by the SRA to the NCA in 2024 to 2025. If your firm does conveyancing work, the SRA’s inspection focus on source of funds, client and matter risk assessments and ongoing monitoring will be particularly acute.

Final thoughts

An SRA AML inspection is a structured, evidence-based review of whether your firm’s AML framework genuinely works at the level of individual files and individual fee earners. 

The SRA publishes detailed guidance on exactly what it will examine and shares specific findings from its supervisory work each year, making it possible to understand precisely where the profession is falling short.

The firms that come through inspections well are those where the risk assessment, PCPs, training, client and matter risk assessments and source of funds processes connect into a coherent system that fee earners understand and apply consistently, and where senior management treats AML compliance as a live operational responsibility rather than a periodic documentation exercise.

AMLCC brings your firm-wide risk assessment, client risk assessments, AML policies, sanctions and PEP checks, training and internal reporting together in one structured platform, with a complete audit trail. When the SRA asks to see how your AML framework operates in practice, every element is documented, current and ready for review.