FCA AML Audit: What Solicitors Need to Know and How to Prepare

The decision to make the Financial Conduct Authority the Single Professional Services Supervisor for anti-money laundering marks a fundamental shift in how the legal sector will be regulated. Although the FCA’s expanded powers are still subject to consultation, the practical expectations of an FCA AML audit are already clear from the FCA’s existing supervisory approach and the requirements of the Money Laundering Regulations 2017.

For solicitors in England and Wales, preparing for an FCA AML audit will require more than technical compliance. It will require demonstrating effective, outcomes-focused AML controls that operate in practice and can withstand detailed regulatory scrutiny.


FCA AML Audit Expectations for Solicitors

While sector-specific FCA guidance for solicitors is still forthcoming, the foundations of an FCA AML audit are already visible. The FCA enforces the Money Laundering Regulations through a structured, evidence-based supervisory model that prioritises effectiveness over formality.

An FCA AML audit for solicitors is therefore likely to focus on whether a firm’s AML framework genuinely identifies, mitigates and manages risk, rather than whether policies simply exist.


The Regulatory Framework Behind an FCA AML Audit

Any FCA AML audit will be grounded in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. However, the FCA’s interpretation and enforcement of these regulations is typically more rigorous than what many law firms have historically experienced.

Solicitors should expect an FCA AML audit to examine how the regulations are applied in real client and matter scenarios, with particular attention to evidence, consistency and decision-making.


Independent AML Audits and FCA Expectations

Regulation 21(1)(d) requires law firms to establish an independent AML audit where appropriate to the size and nature of the business. In practice, regulators already consider that most medium and large firms meet this threshold. The consensus amongst the cognoscenti is that all law firms should have an independent AML audit, but the frequency will depend on the size of the firm and the nature of its work.

In the context of an FCA AML audit, the independent audit function must be genuinely independent of those responsible for designing or operating AML controls. Internal staff may conduct the audit, but they must be structurally separate, sufficiently senior and free from conflicts. In practice it is clearly safer and more prudent to have an external and independent AML auditor who is an expert in this area.

An audit is expected to be comprehensive. An FCA AML audit will test whether AML policies and procedures are working in practice, not merely whether they are documented. This includes file reviews across different risk levels, interviews with fee-earners, MLROs and senior management, and testing how policies are applied in live matters.

Crucially, the audit must result in a written report containing clear, actionable recommendations. Firms should be able to evidence that findings were addressed promptly and effectively. The absence of a clear audit trail is likely to be criticised during an FCA AML audit.


Firmwide Risk Assessments in an FCA AML Audit

The Firmwide Risk Assessment under Regulation 18 will be the starting point for almost every FCA AML audit.

Firms should expect detailed scrutiny of whether the risk assessment is tailored to the firm’s actual client base, services, delivery channels and geographic exposure. Generic or template-driven assessments are unlikely to satisfy FCA expectations.

An FCA AML audit will also examine whether the business-wide risk assessment is kept under regular review and how it informs customer and matter risk assessments. A common regulatory failing is the disconnect between documented risks and the level of due diligence applied in practice.


Senior Management Accountability in an FCA AML Audit

The FCA places significant emphasis on senior management responsibility and tone from the top. This focus will carry through into FCA AML audits of law firms.

FCA auditors are likely to examine whether senior management understands the firm’s AML risks, receives meaningful reports from the MLRO and acts on issues identified. Evidence of senior involvement in approving high-risk clients, including politically exposed persons, will also be expected.

As the FCA’s remit expands, there is a growing possibility that MLROs and senior compliance staff within law firms could become subject to fit and proper assessments similar to those applied under the FCA’s Senior Managers and Certification Regime.


Customer Due Diligence and Ongoing Monitoring

Customer due diligence and enhanced due diligence will sit at the centre of any FCA AML audit.

Solicitors should expect particular focus on source of funds and source of wealth for higher-risk clients. The FCA has historically been critical of reliance on informal explanations or fee-earner knowledge without independent verification.

An FCA AML audit will also assess whether firms conduct ongoing monitoring throughout the client relationship. Risk must be reassessed as matters progress, not treated as a one-off onboarding exercise.

Clear documentation is essential. All risk assessments, due diligence decisions and rationales for accepting or declining clients must be recorded in a way that is auditable and defensible.


The FCA Supervisory Approach and Its Impact on Solicitors

An FCA AML audit is likely to reflect the FCA’s established supervisory characteristics. This includes a data-driven approach, requiring firms to provide accurate information on client risk, high-risk matters and suspicious activity reporting.

The FCA’s focus on effectiveness means that solicitors will need to demonstrate that their AML controls actively mitigate risk in practice. Policies that are not embedded into day-to-day behaviour are unlikely to satisfy an FCA AML audit.

Where serious deficiencies are identified, the FCA may impose a Skilled Person Review. These reviews are intrusive, costly and conducted by independent third parties appointed by the FCA, making early preparation essential.

Enforcement is also expected to be more immediate and robust, with greater use of fines, public censures and business restrictions where FCA AML audits identify material failures.


Preparing Now for an FCA AML Audit

Although the FCA’s expanded role is still under consultation, solicitors should assume that FCA AML audits will become a reality. Law firms should treat the Regulation 21 independent AML audit as the primary mechanism for preparing for FCA supervision.

A well-designed independent audit that mirrors the FCA’s expectations is the most effective way to identify weaknesses early and reduce regulatory risk.

Firms that prepare now will be far better positioned when FCA AML audits become part of the standard supervisory landscape for the legal sector.