Legal Compliance Update

This month we focused primarily on anti-money laundering (AML) due to the recent publication of the UK’s National Risk Assessment of Money Laundering and Terrorist Financing, jointly developed by HM Treasury and the Home Office; the last assessment was published in 2020.

One of the key observations from the assessment is that ‘the volume of cases of suspected money laundering that involve lawyers has remained high, relative to the small number of regulated professionals’; ‘suspected money laundering’ isn’t a criminal offence under the Money Laundering Regulations, so when are we going to see this “volume” of suspected cases turn into prosecutions for ‘actual’ money laundering!

Following on from the above assessment, the Solicitors Regulation Authority (SRA) has published its own sectoral assessment, identifying the following emerging risks:

• Capital flight from high-risk countries
• Client account issues (using it as a banking facility)
• Poor client due diligence
• Changing firm business models (including decentralized checks undertaken by consultant fee-share firms)
• Technology

Law firm client accounts have also been addressed by the national assessment, with it saying, “client accounts continue to be assessed as high risk as they can be misused by criminals to both move illicit funds and to provide a veil of legitimacy to the proceeds of crime”; the report goes on to say that the emergence of third party management accounts (TPMA) “may, in time, reduce the client account risk”. Many argue that moving from client accounts to TPMAs would just be moving the problem from one place to another and that fraud would not reduce; they also say that putting funds in one or two places increases the risk of cyber crime!

The government wants to improve the anti-money laundering regime by making a number of changes to it, but firms shouldn’t get too excited that it will reduce the day-to-day burdens around firm-wide, client and matter risk assessments, client due diligence, policies, controls and procedures, etc.; the proposed changes will include:

• Clarifying thresholds for Simplified Due Diligence (SDD)
• Refining triggers for Enhanced Due Diligence (EDD)
• Improving guidance on ongoing monitoring

On 31 July 2025, the threshold for submitting a Defence Against Money Laundering Suspicious Activity Report rose to £3,000 from £1,000 in line with the Proceeds of Crime (Money Laundering) (Threshold Amount) Order 2025; this means firms will not commit money laundering offences if the value of the criminal property in the proposed transaction is less than £3,000. One aspect of this is that firms can return money to a client to end the business relationship without committing a criminal offence if the value of the suspected criminal property is below £3,000.

A solicitor has been jailed for his part in helping to run two bogus investment schemes and for money laundering; one of these involved 150 clients and £6m.

Another solicitor has agreed to be struck off for various AML breaches with the Solicitors Disciplinary Tribunal saying it represented ‘widespread and fundamental non-compliance with critical regulations’ amounting to systemic failures. This potentially shows the SRA could be taking a far more robust approach to such breaches as more recent similar cases where only fines were imposed; the breaches were:

·       Inaccurately confirmed to the SRA that his firm had a firm wide risk assessment (FWRA) when it did not.

·       Failed to ensure that the firm had the FWRA or the required policies, controls and procedures (PCPs).

·       Failed to ensure the necessary scrutiny regarding the source of funds of 63 conveyancing clients.

·       Failed to ensure the firm had an adequate system for the application of customer due diligence (CDD) measures.

·       Failed to ensure residual client balances were returned to 54 clients.

·       Failed to obtain an accountant’s report for several accounting periods during which the firm held client money.

It is clear that the solicitor was not in proper control of his firm and it may be the culmination of the different breaches that led to the strike off.

It has become apparent that many firms are not carrying out counter-party due diligence, with some saying they don’t feel it is a matter for them as the firm acting for the counter-party will have undertaken their own due diligence. However, the Legal Sector Affinity Group guidance (5.16.3) says that in the sale/purchase of real property “firms must seek to understand all aspects of the matter, including undertaking appropriate due diligence on the parties involved in line with regulatory requirements, and understanding the source of funds/source of wealth used.”

Another area of concern that the SRA has identified is solicitors’ misunderstandings around sources of funds; the SRA has provided this question with a view to clarifying matters:

Is a source of funds check always required?

a) Yes, you must always carry out a source of funds check, or

b) It is required where necessary, based on a risk-based assessment and specific regulatory triggers (such as PEPs and high-risk third countries), or

c) It is only required if client money passes through your client account.

Correct answer: b

Why: If the client is a politically exposed person, you must apply a source of funds check under regulation 35. If the client or counterparty are established in a high-risk third country, you will need to check source of funds also.

In addition regulation 28(11)(a) requires firms to undertake a source of funds check 'where necessary', though this is not defined in the regulations. We interpret this as requiring a risk-based approach. This means your firm, client and matter risk assessments need to be considered when deciding if it is necessary.

The requirement to do source of funds checks might apply even if no money is coming through your client account.

This month has seen yet more comings and goings at the top of the legal regulators, with the announcement that the new Chief Executive of the Solicitors Regulation Authority (SRA) will be Sarah Rapson, who will take up her post towards the end of 2025.

In the last 12 months the SRA will have seen the departure of its CEO, Deputy CEO and GC, and Head of Legal, with its Chair looking to leave in the next 12-18 months; she had wanted to leave sooner had it not been for these other top-level departures, but agreed to stay for a further two years to help ‘steady the ship’!  

Out of the blue came the announcement that Craig Westwood, Chief Executive of the Legal Services Board (LSB) had resigned from 1 July; this follows on from the immediate resignation of Alan Kershaw, the Chair, in February. We are still waiting for the publication of the SSB scandal report, and to see what the SRA does in terms of the enforcement action taken by the LSB in the wake of the Axiom Ince scandal, so new incumbents coming into both organisations are likely to face a real baptism of fire, especially when the SRA’s reputation with those it regulates appears to be in tatters!

We have also seen the departure of Kathryn Stone, Chair of the Bar Standards Board, who fired a salvo of criticism on her way out, saying, ““Legal services are a great UK success story marked by high levels of professional and ethical competence. Those services are manifestly not for the most part poorly regulated and it is deeply unhelpful to the reputation of a successful industry to say that they are. So how has this come about? I think the answer lies in the difficulty which an oversight regulator necessarily has in exercising its functions at one remove from the front-line. The board and executive of the oversight regulator are no more experienced than the boards and executives they are overseeing. Oversight gives responsibility, but it does not, in itself, give sharper insight into, or greater care for, the public interest. Still less does it give a better understanding of the challenges of front-line regulation.”

Seeing so many senior executives leaving, even when some have said it was for ‘personal reasons’, leaves many wondering whether there is something seriously wrong with the current legal regulatory framework, but whatever it is, we now need to see some calm, not only for the regulated sector, but also for legal service users who rely on regulators to protect them!

To add to the crisis, the Chair of the Legal Services Consumer Panel has said that the Legal Services Act 2007 is no longer fit for purpose and should be replaced by a new Act that better reflects the needs of consumers today. Even though the current government has promised to reduce the regulatory burden on business, we are unlikely to see a new Legal Services Act for some years, if at all.

Legislative and regulatory changes

·   The Legal Ombudsman is working on a blueprint for all firms to provide a standard response to complaints from clients; it has announced the development and pilot of its Model Complaints Resolution Procedure in an effort to create consistency across all firms. It will be interesting to see if a ‘one size fits all’ approach will work!

·   The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. The Act amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). The requirements of the Act will be implemented over the next 12 months. Key changes include:

o   The Act introduces “recognised legitimate interests,” simplifying compliance for certain activities such as crime prevention and safeguarding, though its scope is limited.

o   The Act codifies the requirement for “reasonable and proportionate” searches when responding to data subject access requests, potentially reducing administrative burdens. There isn't anything specific about the cost of carrying out the request when considering your reasonable and proportionate efforts when completing a SAR. It's up to you to decide on whether you want to consider cost and what is reasonable for your organisation.

o   Restrictions on automated decisions are relaxed except for special category data, supporting innovation but requiring careful risk management.

o   New frameworks will enable more secure data sharing and digital identity verification, opening opportunities for innovation but demanding robust compliance.

o   The Information Commissioner’s Office (ICO) will be replaced by the Information Commission, with enhanced investigatory and enforcement powers.

·   Law firms that operate as a limited company or LLP will be required to reveal profit and loss figures from 2027 as part of the government’s drive to reduce fraud. Small companies (£1m - £10.2m annual turnover) will also have to file a director’s report. The option to file ‘abridged’ accounts will be removed.

·   From October 2025 all legal aid providers will be required to obtain Cyber Essentials certification to retain their Legal Aid Contracts with the Legal Aid Agency.

As expected the Solicitors Regulation Authority (SRA) has been very busy focusing on the conduct of those it regulates, however, it has itself been sanctioned by the Legal Services Board (LSB) over its conduct in the Axiom Ince scandal, with binding directions being placed on it in the following terms:

• Improve how it identifies risks to consumers and be more proactive in responding to them. This includes risks arising from the corporate structure of law firms and from sales, mergers and acquisitions. 
  
  
• Strengthen the regulation of client money and ensuring firms have effective safeguards in place. 
  
  
• Strengthen controls to protect the public interest and consumer interest where there is a concentration of ownership, compliance and management roles in one person. 

This is the first time that the LSB has issued such directions to a front-line regulator under the Legal Services Act, which clearly shows how serious the issue is being taken.

Annual SRA AML/sanctions audit

The SRA has been sending emails to all firms telling them they must complete the annual questionnaire, which will provide insights into their levels of compliance with the relevant legislation; the questionnaire has 44 questions and will require COLPs and money laundering compliance officers to take time out to answer them.

The data collection exercise will run from 7 July to 15 August 2025

It will be interesting to see how many, if any, firms are subject to enforcement action after this exercise, and whether the SRA will start using its new unlimited fining powers against any firms that may be found to be non-compliant!

SRA fines

May saw the largest ever fine of £4m imposed by the SRA, however, the solicitor involved had already been declared bankrupt so it was never going to be paid; it appears the SRA wanted to grab the headlines and use the case as a deterrent for other solicitors who may want to step out of line in the future!

We also recently saw one of the largest fines (£120,000) being imposed for AML breaches, with the level of fine being largely determined by the fact that non-compliance had occurred over a 15 year period; the fine was nearly five times more than the average AML fine imposed to date.

In recent weeks the SRA has imposed fines on 12 firms for AML breaches, and has said that it will be clamping down on firms even harder as it says past fines have not acted as enough of a deterrent!

The most recent fines for AML non-compliance suggest that risk assessments and policies were still not in place at the end of 2024;. this was after a series of fines for AML breaches and came in the wake of several warnings about the importance of meeting AML requirements.

Some solicitors may balk at the level of scrutiny and sanctions they are being placed under, but the SRA says it under pressure from the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) to act where firms are in breach.

Client due diligence and ‘Reliance’

It has become apparent that some firms are still being pressured by third parties and clients into accepting the client due diligence (CDD) undertaken by the third parties on their clients, in order to reduce costs and inconvenience, however, to do this the requirements of R39 must be complied with; to assist, here is an extract from the Legal Sector Affinity Group (LSAG) guidance:

Reliance has a specific meaning within the Regulations and relates to the process under R39 where, in certain circumstances, you may rely on another person to conduct CDD for you, subject to their agreement.

Reliance does not necessarily mean obtaining certified copies of documentation from other regulated professionals for due diligence purposes.

You should note that you remain liable for any non-compliance with CDD requirements when you rely on another person. For this reason, you should view reliance as a risk as, if things go wrong, it is you that will be held responsible. It may not always be appropriate to rely on another person, especially where there is a higher risk of money laundering, requiring enhanced due diligence measures.

In order to rely on another regulated person to apply CDD measures you must as a precondition, obtain from them all the information (though it should be noted not the underlying documentation) needed to satisfy the requirement to apply CDD measures in accordance with R28(2) to (6) and (10).

Subsequently you must:

• • enter into arrangements with the other person, which:
    • enable you to obtain from the other person immediately on request copies of any identification and verification data and any other relevant documentation on the identity of the client and/or its beneficial owner; and
      
      
    • require the other person to retain copies of the data and documents in accordance with R40; and
      
      
  • Obtain evidence to establish that the person relied upon, falls into the category of persons who may be relied upon as per R39(3) (regulated party).

New complaint rule

The SRA has proposed a new rule requiring firms to provide clients with a copy of their complaint procedures at the end of the matter (it should already be provided at the start); a further rule change would require solicitors to make sure complaints information was “clear, accessible and in a prominent place” on their websites.

Apparently only 68% of law firms published their complaints procedure on their websites, despite it being a regulatory requirement, and even where they were, they could be hard to find; the SRA will develop guidance on this, such as “not requiring multiple clicks to access or that it should be linked from a home page”. These changes need to be approved by the Legal Services Board.

SRA Diversity Data Collection

The SRA requires firms to send in their diversity data from 9 June to 4 July 2025; Access Legal is, as usual, providing its Diversity Survey Tool to enable firms to anonymously collect data from their employees. Click here if you would like further details - https://survey.riliance.co.uk/