Confident compliance: A five-step guide to AML file review

Why the sudden focus on files?

During the webinar, risk and compliance expert Jonathon Bray observed a clear trend in the SRA's approach. There’s been a distinct shift away from focusing on firm-wide, systemic failures (like having an inadequate policy) to penalising firms for individual, file-level breaches.

With the SRA publishing fines that totalled more than £400,000 in June alone, the message is clear. As Jonathon warned, "You could have the most wonderful, beautiful AML policies and firm-wide risk assessment in the world, and if people aren't following it... it's for nought".

Having a great policy is no longer enough. The real test is how that policy is applied in practice, on every single file.

Your 5-step guide to a bulletproof AML file reviews

Regularly checking your own files is the single best way to spot any gaps before the regulator does. It helps you understand if your processes are working and where your team might need more support.

Here’s a simple 5-step process you can adopt:

Step 1: Select your sample

Start with a manageable, representative sample, such as a cross-section of files from different teams and fee-earners. Make sure to include a mix of risk levels, including a few high-risk cases, as this is where you’re most likely to find issues.

Step 2: Create your checklist

Decide exactly what you’re looking for. Your checklist should be a simple tool that reflects your firm's AML policy. Key questions to include are:

• Is there a completed Client Due Diligence (CDD) form on file?

• Has a risk assessment been carried out and recorded?

• Is the client’s identity and address properly verified and documented?

• Are Source of Funds and Source of Wealth checks complete and evidenced?

• Have Politically Exposed Person (PEP) and sanctions checks been performed and recorded?

Step 3: Review and document your findings

Work through your checklist for each file in your sample, focusing on whether the documentation is robust and complete. Make clear, objective notes. If a step has been missed or the evidence is unclear, record it.

Step 4: Identify themes and gaps

This is not about assigning blame; it's about honestly assessing your firm's current situation. It's about looking deeper and identifying the ultimate root cause of the failing or error. Often, it isn't deliberate - it stems from somewhere. Think of the 5 whys?

The "5 Whys" technique is a simple but powerful tool for root cause analysis. It involves asking "why" five times (or however many times needed) to dig beneath the surface problem to the underlying cause. For example, if a client matter was mishandled, don't stop at "someone made a mistake" - keep asking why until you reach the systemic issue.

Once you’ve completed your reviews, look at the findings as a whole. Are there any common themes? Perhaps one team consistently forgets to document the Source of Wealth check, or maybe junior solicitors are unsure how to conduct a risk assessment properly. Identifying these patterns is the most valuable part of the audit.

Step 5: Action, support, and retrain

The final step is to act on what you’ve found. This could mean:

• Providing specific feedback to individuals or teams.

• Updating your policies, controls or procedures to make them easier to use or interpret.

• Running a short, focused refresher training session on a common problem area.

Building confidence, not just compliance

Conducting your own AML file reviews doesn't have to be a daunting task. By making it a routine part of your compliance rhythm, you move from a place of reacting to problems to proactively building a stronger, more secure firm.

You’ll not only have peace of mind that you’re ready for a visit from the SRA, but you’ll also be giving your team the support and clarity they need to handle compliance with confidence.