Anti-money laundering (AML) compliance for small firms

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) pose a challenge for firms of all sizes.

This guide looks at the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 from the perspective of small firms and shares tips on effective compliance.

This legislation has been amended significantly by:

The other main pieces of legislation to be aware of are the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000 (TACT), which set out the main requirements to report suspicious activity to the National Crime Agency and related offences.

It covers:

Carrying out an AML risk assessment

What type of work is 'regulated'?

The MLR 2017 apply to firms that:

  • buy and sell real property or business entities
  • manage client money, securities or other assets
  • open or manage bank, savings or securities accounts
  • organise contributions necessary for creating, operating or managing companies
  • create, operate or manage trusts, companies, foundations or similar structures

Activities that have a lower risk of exposure to money laundering are not covered, for example:

  • paying costs to lawyers
  • providing legal advice
  • litigation
  • will writing

If your firm does a mixture of regulated and unregulated work, the MLR 2017 will apply to the regulated aspects only.

Your internal AML risk assessment should state that only some of your work is regulated. But the type and frequency of this work may still lead you to conclude your firm has a high risk of being targeted by criminals.

Doing an AML risk assessment

A key feature of the MLR 2017 is the ‘risk-based approach’ to preventing and detecting money laundering, and the specific requirement to undertake and maintain a documented practice-wide AML risk assessment.

There are no black-and-white rules that tell you your firm is at high risk of exposure to money laundering activity.

The conclusions of your practice-wide risk assessment are a matter of judgement.

Factors that will play a part in setting your risk rating include:

  • the type of work you do
  • the countries in which your work takes place
  • the types of clients you have
  • how often you engage in regulated activities

You should also consider, as a minimum:

Keep a record

Regardless of the size of your practice or the amount of regulated work you do, you need to make sure your practice-wide AML risk assessment is written down.

It’s important to be self-critical when you do your risk assessment.

Regulators can ask to see your risk assessment, especially if something goes wrong with compliance at your practice.

You should also keep a record of the sources you use to complete your AML risk assessment.

Reviewing your risk assessment

Review your risk assessment regularly, to reflect changes in your circumstances or the sector-wide risk assessments.

You should also keep note of when you carry out these reviews.

Client and matter level risk assessments

In addition to the practice-wide risk assessment, you need to carry out a risk assessment at client level and matter level. This will inform the way in which you conduct your customer due diligence and ongoing monitoring.

Your processes for carrying out the client- and matter-level risk assessment should be set out in your practice-wide risk assessment.

Policies, controls and procedures

Your AML risk assessment should list the steps you take to mitigate the money laundering risk in your work.

You should reference your policies, controls and procedures, and state clearly what you do when you identify a high-risk client or matter.

The conclusions of your risk assessment should feature in your policies, controls and procedures.

The policies, controls and procedures that firms must adopt are set out in regulations 19 to 21.

These are designed to mitigate your exposure to money laundering risk and should reflect the risks identified in your practice-wide, client and matter risk assessments.

AML controls

You only need to apply three of the "internal controls" listed in regulations 19 to 21 if they’re "appropriate with regard to the size and nature" of your firm’s business:

Regulation 21(1)(a) appointing a member of senior management – or a member of the board of directors or equivalent body – as the officer responsible for the firm’s compliance with MLR 2017

This is separate from the requirements to appoint a nominated officer – often referred to as a money laundering reporting officer (MLRO) – and a compliance officer for legal practice (COLP). But the same person may hold both roles where appropriate.

Regulation 21(1)(b) screening employees before and during their appointment

This means checking a person’s qualifications and references, which is good practice regardless of the size of your firm or the nature of your business.

You may wish to consider a DBS (criminal record) check with the employee’s consent.

Regulation 21(1)(c) establishing an independent audit function to review and make recommendations about your firm’s AML policies, controls and procedures, and its compliance with them

The auditor does not need to be independent of the firm, but they must be independent of the function being reviewed.

If you’re an experienced small practice, where senior people have a good understanding of all the firm’s clients and matters, you may decide that this internal control is not necessary.

An independent audit is more likely to be needed if junior staff undertake a high volume of work.

If you already have a system of external file reviews because of the Conveyancing Quality Scheme or Lexcel, you can factor these in when deciding whether to establish an independent audit function.

Deciding if the three controls are needed

When you’re deciding whether you need to apply the three controls, you should consider both:

  • the types of clients you act for
  • the nature and complexity of your work

You should document your thinking, even if you only have a single office and a small number of staff.

For example, if your small firm practises in a high-risk area (such as conveyancing or company formation) you may still feel that it should adopt these controls.

If you decide not to adopt these, you should keep a brief record of the factors you considered and the reasons for your decision.

If you’re a sole practitioner who does not employ other lawyers or paralegals, you do not need to apply the three controls set out above or appoint an MLRO or a COLP.


Regulation 24 of MLR 2017 requires firms to take appropriate measures to ensure that relevant employees and agents the business uses for AML-related work are:

  • made aware of the law relating to money laundering, terrorist financing and data protection (insofar as the law on data protection relates to money laundering and terrorist financing)
  • regularly given training on how to recognise and deal with transactions and situations that may be related to money laundering or terrorist financing

Relevant employees are staff who are "capable of contributing to the identification or mitigation of the risk of money laundering… or the prevention or detection of money laundering" in relation to the business. This should include accounts and reception staff.

Agents the firm uses for AML compliance or for the matters identified in regulation 24(2)(b) now also fall within the training requirements.

Make sure that staff know and understand your firm’s policies, controls and procedures.

For data protection, training should cover record keeping requirements (regulation 40) and the obligation under MLR 2017 to inform clients about the purpose for which their personal data is being collected when you carry out customer due diligence (CDD) checks (regulation 41).

How and when to train your staff

As a smaller firm, you may prefer to do training face to face rather than online. You may also consider hiring an external consultant to provide the training.

Additional training can be in the form of bulletins or information emails.

The level of training you provide, and how often you run it, depends on:

  • the size and nature of your business
  • the nature and extent of the risks you face

As best practice, you should consider training all relevant employees at least once every two years.

You should keep a record of which staff have been trained and how.

Keeping clients’ personal data

MLR 2017 impose a limit of five years on keeping personal data contained in CDD documents and records, unless:

  • you need to retain the CDD documents and records about the transaction under an enactment or for legal proceedings
  • you have the client’s consent

You can obtain the client’s consent to keep their personal data for a longer period through your engagement letters.

If you do not have the client’s consent and if the other exceptions do not apply, you’ll need to destroy personal data contained in paper and electronic CDD records when the five-year period following the end of your professional relationship has expired.

Customer due diligence (CDD)

Your process for carrying out CDD needs to be informed by your risk assessment of the client and the matter.

Unlike many larger firms, you may not have the resources to:

  • employ a centralised compliance team
  • use an electronic verification or business intake software
  • operate a database to record CDD information

Where this is the case, you can meet the requirements set out in the MLR 2017 by creating a CDD form.

This form should be completed for each new client and matter according to whether it’s categorised as:

  • low risk – simplified due diligence measures can be applied taking account of the risk factors in regulation 37, for example, when the client is a bank, publicly listed company or public body
  • standard risk – for example, when the client is a private company or an individual
  • high risk – usually enhanced due diligence (EDD) measures will need to be applied. There’s an obligation to apply EDD in certain circumstances, for example when the client is in a high-risk third country, is a politically exposed person (PEP) or the transaction is complex or unusually large and has no apparent economic or legal purpose. Other high-risk factors can be found in regulation 33

Your form should:

  • include a risk assessment for the client and for the matter
  • record the reasons for your risk assessment
  • list what identity information and documentation you’ll require from the client and relevant parties. Record details of beneficial owners (BO) and verification of BO if appropriate, for example, if the client or matter is high risk
  • record source of funds and supporting documentation – this includes documentation relating to third party payers if appropriate
  • where necessary, confirm that the individual is authorised to instruct you on behalf of the client in accordance with regulation 28. Taking a risk-based approach, it should not be necessary to verify the individual’s identity unless they claim to act on behalf of the client, such as an individual from outside the client organisation, an agent or an intermediary
  • consider whether the level of ongoing monitoring should be standard or high
  • record the client’s PEP status
  • record the sanctions check

Politically exposed persons (PEPs)

When recording the client’s PEP status:

  • consider the likelihood that the client is a PEP, and the level of risk associated with the matter
  • check both the client’s and beneficial owner’s status and confirm whether the client is a family member or known associate of a PEP

You can do a PEP check by accessing publicly available information online.

Some electronic verification providers also offer a pay-as-you-go charging system.

If your client is a PEP, as well as applying EDD, you should conduct and record a source of wealth check and get your money laundering reporting officer’s (MLRO) approval before continuing to engage the client.


Sanctions check

You should check the client against HM Treasury and the Office of Financial Sanctions Implementation’s consolidated list.

You should check the Office of Foreign Assets Control’s consolidated list and specially designated nationals and blocked persons list if:

  • a US citizen is involved in the transaction, for example as the lawyer or the client
  • the transaction involves payment in US dollars
  • the transaction is based in the US

All documents about your client and matter risk assessment can be kept with your standard form and stored in a central paper folder or electronic folder.

A spreadsheet can help ensure that files are reviewed on a regular basis and be used to record:

  • an overview of new and ongoing clients and matters
  • a client risk rating and the reason for the risk rating
  • CDD clearance status

Ongoing monitoring and refreshing CDD

Ongoing monitoring means scrutinising transactions to check they remain consistent with what is known about the client.

For smaller firms, ongoing monitoring will usually be done by the fee-earner.

You may consider implementing a system of file reviews or using a matter spreadsheet to track high-risk matters and send reminders to fee-earners, so they remember to undertake ongoing monitoring.

You must also refresh your CDD information when the client’s circumstances change. For example, when:

  • an individual changes their name
  • there’s a change in the beneficial ownership of a client
  • the client instructs you in relation to a transaction that is not consistent with your knowledge about them

It’s also good practice to refresh your CDD information if there has been a long gap in instructions.

You may find it convenient to check the CDD information each time you open a matter for the client and either note that no refresh is necessary or update the CDD information.

Under the EU's 5th Money Laundering Directive, you must refresh due diligence for an existing client where you are under any legal duty to contact a client in the course of a calendar year for the purpose of reviewing any information which:

  • is relevant to the risk assessment for that customer, and
  • relates to the beneficial ownership of the customer

Money laundering warning signs

Whether you’re a fee-earner or an MLRO, recognising signs of potential money laundering is an ongoing challenge.

An individual warning sign may not be enough to form a suspicion of money laundering, but it will be a basis for asking more questions.

We’ve listed some of the most common warning signs. This information is not intended to be exhaustive.

Clients and instructions

You will want to ask further questions if:

  • there's no obvious reason for the client instructing you and/or the transaction falls outside your usual practice
  • there's a sudden change of instructions without a reasonable explanation
  • the value of the transaction, or the private funding of it, is not consistent with the client’s profile or financial position
  • the client exhibits secretive behaviour, a reluctance to meet you or a lack of interest in the transaction
  • the client is reluctant or refuses to provide adequate identification, or relies on another professional
  • the transaction is unusually complex or does not make commercial sense
  • intermediaries claim to act on behalf of the client or group
  • the client has criminal convictions, activities or associations, or is subject to an existing confiscation or restraint order
  • the client has an unusually high level of knowledge about money laundering processes


You will want to ask further questions if:

  • money is transferred to your client account before it’s required
  • transactions are aborted with no clear reason and return of monies
  • there's a request that you act as a bank or escrow agent or pay bills unrelated to the matter
  • cash sums are paid in or there are requests to pay out
  • there's a request that funds are paid in by, or are paid out to, a third party
  • the funds are from an unexpected source, non-institutional lender and/or there are discrepancies in names or amounts
  • there's a request that funds are paid out at intervals
  • the funds are coming from multiple accounts
  • there’s an offer to pay large sums and/or a refund is requested
  • the funds are said to be the benefits of an offshore tax avoidance scheme


You will want to ask further questions if:

  • there have been back-to-back property transactions, less than six months apart
  • the deposit or part of purchase price is being paid direct to seller
  • the deposit is paid as a 'gift' by the seller, so distorting the value
  • there have been sales and purchases between associates or related companies
  • there are unusual differences in valuations
  • there's been unexpected early repayment of a mortgage
  • the transaction includes unusual language, for example “grand master collateral commitment”
  • there's a strong interest in completing quickly or taking shortcuts without good reason
  • there are bearer shares
  • the transaction involves diamonds, precious stones, gold, oil, carbon credits, hotel rooms, forestry, antique documents, luxury goods or paintings
  • there's mention of bogus law firms – check Find a Solicitor if in doubt