FCA AML Audit Readiness: Essential Document Checklist for Solicitors
Key Regulatory Frameworks and Expectations
Solicitors must primarily focus on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The FCA’s supervisory approach implements and enforces these regulations.
1. Independent Audit Function (MLR Regulation 21)
This is the most direct requirement concerning audits.
- Requirement: Regulation 21(1)(d) requires a “relevant person” (including a solicitor’s firm) to establish an independent audit function where appropriate regarding the size and nature of its business.
- FCA/SRA Expectation: Regulators, including the SRA (and soon the FCA), have found that most medium to large firms require an independent audit function. The audit must:
  - Be Independent: Conducted by a person or team independent of the individuals responsible for setting and carrying out the AML policies and procedures. Internal staff may be used, but they must be structurally separate and sufficiently senior.
  - Be Comprehensive: Examine and evaluate the adequacy and effectiveness of the firm’s AML policies, controls, and procedures. It must check not just whether the documents exist, but whether they are working in practice.
  - Include Testing: This goes beyond document review, involving:
    - File reviews across different risk levels, fee-earners, and offices.
    - Interviews with the MLRO, senior management, and fee-earners to test their understanding and application of policies.
  - Lead to Action: The audit must result in a written report with actionable recommendations. Firms are expected to keep a clear audit trail demonstrating that these recommendations were implemented in a timely manner.
2. Risk Assessment (MLR Regulation 18)
The Firmwide Risk Assessment (FWRA) is the foundation of all compliance and the starting point for any FCA AML audit.
- Expectation: The FWRA must be tailored to the firm’s specific risks (customers, geographical areas, products/services, delivery channels) and written down.
- FCA Focus: The FCA looks for evidence that the firm is actively managing its risks, not just listing them. Expect scrutiny on:
  - Whether the risk assessment is regularly reviewed and kept current.
  - How the FWRA directly informs the Client/Matter Risk Assessments (CMRAs) and the level of Customer Due Diligence (CDD) applied.
  - A common failure is over-reliance on generic or geographic risk without assessing the specific risks posed by the firm’s clients and work types.
3. Senior Management Oversight and Accountability (MLR Regulation 21)
The FCA places significant emphasis on the tone from the top.
- Expectation: Senior management (board or equivalent) must take responsibility for the firm’s AML measures, including knowing the risks and ensuring effective mitigation.
- FCA Scrutiny: FCA AML auditors will look for evidence that senior management:
  - Receive informative and objective reports from the MLRO (at least annually) and that the reports are acted upon.
  - Are involved in approving relationships with high-risk clients (e.g., PEPs).
  - Ensure the MLRO is adequately resourced and not overstretched.
- The expansion of the FCA’s remit raises the likelihood that MLROs and senior compliance staff in law firms may become subject to the FCA’s Senior Managers and Certification Regime (SMCR)-style fit and proper assessments.
4. Customer Due Diligence (CDD) and Ongoing Monitoring (MLR Regulations 28, 30 and 33)
- Expectation: Robust CDD (identification, verification, beneficial ownership) and Enhanced Due Diligence (EDD) for high-risk clients (PEPs, complex structures, high-risk jurisdictions).
- FCA Focus:
  - Source of Wealth/Funds: Ensuring sufficient evidence is gathered and verified for high-risk clients. The FCA is critical of over-reliance on “staff knowledge” without independent evidence.
  - Ongoing Monitoring: Firms must continuously monitor customer activity and review risk profiles throughout the relationship, not just at onboarding.
  - Documentation: Clear, auditable records for all CDD measures, risk assessments, and the rationale for accepting or declining a client.
| FCA Supervisory Trait | Implication for Solicitors |
|---|---|
| Data-Driven Approach | Be prepared to provide accurate, reliable AML data on your client base, high-risk transactions, and SAR volumes. This could involve new regulatory reporting templates. |
| Focus on Effectiveness | The FCA is not satisfied with just having AML policies. You must demonstrate that your controls are working and mitigating the identified risks in practice. |
| Skilled Person (s166) Reviews | If an initial FCA AML audit identifies serious deficiencies, the FCA may impose a costly and intrusive Skilled Person Review, which is a formal, in-depth investigation by an independent third party chosen by the FCA. This could be financially crippling for a firm. |
| FCA Enforcement | Expect a move towards more immediate and substantial enforcement action (fines, public censures, business restrictions) for failures, rather than only remedial supervision. |
Preparing for an FCA AML audit requires meticulous organisation and evidence that your firm’s Anti-Money Laundering (AML) system is not just documented, but is demonstrably effective in practice. The FCA’s supervisory approach is data-driven and outcomes-focused.
This checklist outlines the core documents and records that your firm’s Money Laundering Reporting Officer (MLRO) and senior management must have readily available and fully up-to-date to withstand FCA scrutiny.
| Document/Record | Description & FCA Expectation |
|---|---|
| Firm-Wide Risk Assessment (FWRA) | The cornerstone document (MLR Reg 18). Must be in writing, current, approved by senior management, and genuinely tailored to the firm’s specific clients, services, jurisdictions, and delivery channels. Include sanctions and proliferation financing risk. |
| AML Policies, Controls & Procedures (PCPs) Manual | The comprehensive manual (MLR Reg 19). Must clearly define all internal processes (CDD, EDD, ongoing monitoring, SAR reporting, record-keeping) and be consistent with the FWRA. Archive all previous versions with dates. |
| Senior Management Approval Minutes | Minutes from Board/Partner meetings showing formal discussion, approval, and adoption of the FWRA and AML PCPs. This proves senior management ownership. |
| MLRO/MLCO Appointment & Documentation | Formal record of the appointment of the MLRO and Money Laundering Compliance Officer (MLCO), detailing their reporting lines, seniority, authority, and adequate resourcing. |
| Regulatory Registration Documentation | Proof of current registration with the relevant supervisory body (currently SRA, soon FCA) for AML purposes, including any correspondence relating to the firm’s registration status. |
| Regulation 21 Independent Audit Reports | All reports from the independent AML audit function (MLR Reg 21), including the most recent one. The FCA will scrutinise the independence, scope, and rigour of the audit. |
| Remedial Action Plan and Follow-up | A log detailing all recommendations made in the audit report, the assigned owner, the deadline for completion, and documented evidence that the action was successfully implemented. |
| Internal Monitoring Logs | Records of any internal compliance testing, file reviews, or quality assurance checks conducted by the MLRO or compliance team between formal independent audits. |
| Client/Matter Risk Assessment (CMRA) Templates | The standard templates used to assess the risk of every new client and matter. These must clearly flow from the FWRA and justify the level of CDD applied. |
| High-Risk Client Register | A list of all clients classified as high-risk (e.g., PEPs, complex corporate structures, high-risk jurisdictions) and the rationale for their classification. |
| Sample Client Files (FCA AML Audit Selection) | Files selected by the FCA auditor (including high-risk, international, and non-face-to-face cases) containing complete, auditable records of: |
| Ongoing Monitoring Logs | Records demonstrating that clients and matters are reviewed periodically throughout the relationship, including triggers for re-screening or updated CDD. |
| Discrepancy Reporting Records | Log of any discrepancies identified between the firm’s beneficial ownership data and the data held at Companies House, and the report submitted to the Registrar (MLR Reg 30A). |
| MLRO Annual Report to Senior Management | The most recent annual report from the MLRO to the Board/Partners, detailing AML performance, identified risks, resource adequacy, and future priorities. |
| Suspicious Activity Report (SAR) Logs | A confidential log maintained by the MLRO of all internal reports received, the MLRO’s decision on whether to submit an external SAR, and the rationale for that decision (both for submission and non-submission). |
| External SAR Submission Records | Copies of all SARs submitted to the National Crime Agency (NCA) and any Defence Against Money Laundering (DAML) requests, including the NCA reference number. |
| AML Training Records | Detailed records for all relevant staff (fee-earners, compliance, administrative) for the last three years, showing: |
| Staff Screening Records | Records demonstrating that relevant staff have been screened at the point of recruitment and on an ongoing basis (where applicable and risk-based). |
Firms should treat an Independent Audit (Regulation 21) as a dry run for the eventual FCA AML audit. By doing so, and by ensuring these documents are in place, solicitors can demonstrate the institutional memory and accountability the FCA demands.