Had the call? What to expect from an AML audit by the SRA


The Solicitors Regulation Authority visited an average of seven law firms a month in 2020/21. Here’s what happened next.

Anti-money laundering (AML) has long been high on the priority list of the Solicitors Regulation Authority (SRA). In 2020/21, the regulator visited 85 firms and carried out 168 desk-based reviews to check AML compliance. Those numbers are only expected to rise in the future. 

According to the SRA’s annual report, potential breaches most commonly involved no risk assessment, or a failure to carry out source of funds checks, customer due diligence or identity checks. The main causes were inadequate policies, controls or procedures, a lack of supervision or training, and/or staff not following set procedures. 

But what actually happens when the SRA comes to call? Rebecca Atkinson, Director of Risk and Compliance at Howard Kennedy LLP, recently shared her experience on The Law Society podcast.

It starts with a phone call 

Howard Kennedy LLP was visited by the SRA in early December 2019. Three weeks beforehand, Atkinson received a call from a regulatory manager informing her of the impending audit, which was followed by a letter with three dates to choose from. Needless to say, she chose the latest date possible to give her the most time to prepare. The SRA also indicated that they would need a list of all of the firm’s fee earners who worked in the regulated space, and who would be available for interview on the day of the visit. This list would then be whittled down to a group of 10 two days beforehand, with two fee earners chosen at random for interview on the day. 

Documents to organise

The letter also listed the documentation the SRA wanted to see during those interviews. Atkinson had to pull together physical files for each fee earner that would be interviewed (or the 10-strong shortlist, because they didn’t yet know who that would be). 

“We don’t run physical files and that was quite difficult,” she told the Law Society’s Head of Risk and Compliance, Pearl Moses. “I had to arrange a laptop with our IT team and get them access to all of our systems … of course if the SRA says they need it, then that’s what they need.” 

This was on top of all of the policies or documentation that demonstrated the firm’s approach to AML compliance. These included training records, reports of any suspicions of money laundering (including those made to the National Crime Agency (NCA)), details of any independent audits (and associated recommendations), and client risk assessments. Atkinson also wrote to the firm’s partners to let them know what was happening and compiled a list of all of the AML communications sent out internally over the past two years (which was the time period the SRA indicated it was interested in). 

On the day

The SRA visit was conducted by two regulatory managers and took around three hours, including a 90-minute interview with Atkinson, and 40 minutes for each of the firm’s randomly selected fee earners. Atkinson is the firm’s Money Laundering Reporting Officer (MLRO) as well as the Money Laundering Compliance Officer. In the interview, she was asked questions such as:

  • How policies and procedures were communicated across the firm

  • How employees were screened coming into the firm and during their employment

  • Whether the firm had turned any work away before because of an AML concern

  • If and when the firm uses simplified due diligence

  • How the firm checks for sanctions and politically exposed people (PEPs)

  • How many suspicious activity reports have been made in the past two years

  • Whether consent had ever been refused by the NCA and the circumstances around that 

The questions weren’t unexpected or overly technical, which was a relief, Atkinson added. She was also asked for the conversion rate between internal and external suspicious reports. Howard Kennedy’s rate was 68%, which she was told was within the normal range. 

The fee earners

The other interviews were also straightforward, although Atkinson wasn’t allowed to sit in. The fee earners were asked whether they knew who the MLRO is, how they would identify suspicious activities, and what action they would take once such a concern was identified. They were also asked if they understood their AML responsibilities. 

“The SRA was focused on the issue with centralised due diligence teams, which can create an environment where fee earners don’t think it’s their job to do due diligence anymore,” Atkinson says. “They were very keen to make sure that wasn’t the case.” The fee earners took the regulatory managers through their files, pointing out where the source of funds and risk assessment were for each client, and discussing what they knew about the client and if they were suspicious of anything.

The debrief

After the visit, the regulatory managers indicated they would take their findings back to discuss with the SRA’s central AML team and would then write to Atkinson with their recommendations. There were a number of small changes that they mentioned on the day that she has since implemented. But at the time of the podcast, she was still waiting for the letter. Looking back, she says the visit wasn’t as scary as it could have been. 

“It seemed to be a set programme, I don’t think it was tailored in any way to Howard Kennedy,” she says, adding that preparation was key. “When the SRA comes to visit you, the natural reaction is a bit of fright … [but] I gave them a lot of information to show that we were as compliant as we could be … [and they seemed] to want to be as helpful as possible.”

It’s understandable that a call from the SRA would cause compliance officers some anxiety. But Thirdfort helps its partners prepare for whatever the regulators may bring. It’s the only platform to combine digital ID verification, automated AML and source of funds checks to help partners streamline their compliance strategy. Plus its intelligent technology platform is constantly evolving to stay up to date with any adjustments to the rules.


Forward-thinking legal firms are embracing change and their businesses are benefiting greatly.

By bringing in simple, user-friendly solutions like Thirdfort for compliance management, these firms are successfully navigating the evolving regulatory landscape with the tech they now need to stay compliant and speed up client onboarding times.

If you’d like to learn more about how your firm can automate AML and ID verification using Thirdfort, book a demo with one of our team here
