Every law firm knows they need robust anti-money laundering controls in place. What is less clear for many firms is whether the controls they have are genuinely working in practice.
The SRA expects firms to be able to demonstrate that compliance forms part of daily operations, not simply something recorded in written procedures. That is where a Regulation 21 audit comes in.
Regulation 21 of the MLR 2017 requires firms, where appropriate, to establish an independent audit function to test their anti-money laundering framework. It is not simply a compliance formality but a structured, risk-based review and objective assessment of a firm’s systems, controls and procedures to ensure that they are effective, properly embedded and consistently applied. It is not enough to have carefully drafted policies sitting on a shelf; firms need to be able to prove their policies can stand up to scrutiny in real client matters.
Audit Process
An effective Regulation 21 audit examines the firm’s:
· AML policies, controls and procedures
· firm-wide risk assessment
· client and matter risk assessments
· due diligence checks
· source of funds and source of wealth checks
· ongoing monitoring
· record keeping
· operational compliance
· training and competence
· incident handling and reporting
· governance arrangements and MLRO oversight
In our experience, regulators focus on whether controls are embedded in practice, leadership demonstrates accountability, there is a culture of compliance, issues are self-identified and remediated promptly and there is evidence of continuous improvement. Therefore, a well-run Regulation 21 audit should test both the design and operational effectiveness of controls and their sustainability.
Does Every Firm Need One?
The MLR 2017 indicates that an independent audit is required “where appropriate with regard to the size and nature” of the business, but no specific criteria are provided. In practice, any firm undertaking regulated work should carefully assess whether the requirement applies to them.
The SRA enforcement team has provided guidance on this and recommended that all firms conducting conveyancing or property work, advising on corporate structures, operating across multiple offices or in higher-risk jurisdictions implement an AML independent audit. Firms that have had an SRA AML desk-based review or inspection, where AML weaknesses have been identified, must prioritise implementing such a control. Therefore, for many firms, the real question is not “do we need one?” but “how could we justify not having one?”
The SRA has made it clear that failing to properly assess or implement Regulation 21 can lead to enforcement action.
Why Regulation 21 Audits Matter
As a starting point, they demonstrate proactive compliance. During inspections or thematic reviews, firms are routinely asked when their last independent audit took place, what it identified and what corrective action followed. A properly documented audit provides clear evidence of oversight.
In addition, they protect the firm. Anti-money laundering failings can lead to regulatory penalties, disciplinary action and serious reputational damage. An independent audit acts as an early warning mechanism, identifying weaknesses before they escalate into reportable breaches or inadvertently facilitate money laundering.
They also reflect culture and governance. The SRA increasingly assesses whether senior management takes active responsibility for compliance. An independent review reinforces accountability, tests the effectiveness of the MLRO function and demonstrates meaningful management control.
Beyond regulatory protection, there are also operational benefits. Audits frequently identify inconsistent risk scoring, gaps in source of funds analysis, training deficiencies or weaknesses in file documentation. Addressing these issues strengthens compliance and often improves efficiency and consistency across the firm.
Who Can Carry Out the Audit?
The key requirement is independence. The auditor must be independent of the anti-money laundering functions they are auditing, meaning they cannot be involved in setting, writing or applying the policies and procedures being reviewed.
While an internal staff member can conduct the audit, they must have deep knowledge of the Money Laundering Regulations, best practices and the firm’s AML controls without being directly involved in their development or implementation.
In some larger firms, suitably independent internal personnel may fulfil the role. However, for most firms, outsourcing to an external third party with the required expertise is the most reliable way to achieve the necessary level of independence and knowledge.
How DG Legal Can Help
DG Legal provide independent, risk-based Regulation 21 audits that focus on real-world implementation, not just paperwork. Our approach is practical and proportionate, aligned with regulatory expectations and designed to give firms defensible assurance.
We deliver detailed written reports, clearly graded findings, prioritised action plans and commercially realistic recommendations. Where required, we also provide ongoing compliance support and preparation for SRA engagement.
To discuss your AML support requirements, please get in touch with DG Legal by emailing: consultants@dglegal.co.uk or by phoning: 01509 214 999.
