Legal professional privilege and SAR reporting: when the exemption applies
When legal professional privilege exempts solicitors from suspicious activity reporting obligations and when it does not. Covers the …
How to meet anti-money laundering obligations as a solicitor or law firm in England and Wales. Covers the firm-wide risk assessment, client due diligence in conveyancing and trust work, source of funds verification, legal professional privilege, suspicious activity reporting, and what the SRA expects as your AML supervisor.
When legal professional privilege exempts solicitors from suspicious activity reporting obligations and when it does not. Covers the …
Essential guide to AML compliance for UK businesses under the Money Laundering Regulations 2017.
How to comply with UK financial sanctions. Includes OFSI enforcement powers, asset freeze requirements, screening obligations, breach reporting, …
UK Bribery Act compliance, due diligence on overseas buyers, political risk assessment, and IP protection abroad.
Current Aggregates Levy rate, registration requirements, exemptions for recycled and secondary aggregates, returns and payment deadlines, and the …
Law firms in England and Wales that carry out work within the scope of the Money Laundering Regulations 2017 (MLR 2017) must comply with anti-money laundering (AML) requirements. The legal sector is classified as high-risk in the UK National Risk Assessment because solicitors handle large transactions, manage client accounts, create legal structures, and facilitate property purchases — all of which can be exploited to launder the proceeds of crime.
This guide covers what is specific to solicitors and law firms. It does not repeat the general AML obligations that apply to all regulated businesses. If you are new to AML compliance, start with the generic AML guidance before reading this sector-specific guide.
Your firm falls within the scope of the MLR 2017 if it provides any of the following services as an independent legal professional:
Practice areas that typically do not fall within scope include family law (unless involving financial settlements channelled through the firm), criminal defence, personal injury, and employment law. However, if any in-scope work is carried out by any part of the firm, the entire firm must have AML policies and procedures in place.
Before undertaking any work within the scope of the MLR 2017, your firm must complete a written firm-wide risk assessment. This is not a box-ticking exercise. The SRA expects the assessment to reflect your firm's actual practice, client base, and geographic exposure — not a generic template downloaded from the internet.
The firm-wide risk assessment is distinct from the client and matter risk assessments you carry out on individual instructions. It looks at your firm as a whole and determines where the greatest AML risks lie so you can direct your controls accordingly.
Certain types of legal work carry higher inherent money laundering risk. Your firm-wide risk assessment and your client and matter risk assessments must reflect these elevated risks, and you must apply enhanced controls where they are present.
Client due diligence (CDD) must be completed before you establish a business relationship or carry out an occasional transaction within the scope of the MLR 2017. For law firms, this means before you begin substantive work on an instruction, not at the point of completion.
For every property purchase, you must verify the source of the funds being used. This goes beyond simply identifying where the money is being transferred from. You must understand how the client acquired the funds. Common sources include:
A client stating "savings" or "from my account" is not sufficient verification. You must obtain documentary evidence that supports the explanation. Where funds come from multiple sources, verify each one separately.
If your firm creates companies, establishes trusts, provides nominee shareholders or directors, or provides a registered office address, you are acting as a trust and company service provider. Regulation 12 of the MLR 2017 brings these activities within scope of the regulations; the customer due diligence obligations under Regulations 27–28 then apply, including identification and verification of all beneficial owners of the structures created. Given the opacity risk of complex structures, the SRA pays particular attention to TCSP work during supervisory reviews.
You must apply enhanced due diligence (EDD) in higher-risk situations. For law firms, the most common EDD triggers are:
EDD requires senior management approval to establish or continue the business relationship, enhanced ongoing monitoring, and establishment of the source of wealth (the overall origin of the client's financial resources, not just the funds for the specific transaction). Since 10 January 2024, the starting point under Regulation 35(3A) is that a domestic PEP presents a lower level of risk than a non-domestic PEP, and the extent of enhanced measures may be adjusted accordingly.
Solicitors occupy a unique position in the AML regime because of legal professional privilege (LPP). Understanding the boundary of this privilege is critical to complying with your reporting obligations without inadvertently breaching client confidentiality or, conversely, failing to report when required.
Under section 330 of the Proceeds of Crime Act 2002 (POCA), a person in the regulated sector who knows, suspects, or has reasonable grounds for knowing or suspecting that another person is engaged in money laundering must submit a suspicious activity report (SAR) to the National Crime Agency (NCA) through the firm's Money Laundering Reporting Officer (MLRO). Failure to report is a criminal offence carrying up to 5 years' imprisonment.
Section 330(6) of POCA provides that the reporting obligation does not apply to information received in privileged circumstances. Information is received in privileged circumstances if it is communicated:
However, this exemption does not apply if the information is communicated with the intention of furthering a criminal purpose. This is known as the "crime/fraud exception" — if the client is seeking legal advice to facilitate money laundering, the privilege does not attach, and you must report.
If you form a genuine suspicion that your client is engaged in money laundering based on information received outside the scope of privileged communications (for example, through your own due diligence, source of funds checks, or observations about the transaction), you must submit a SAR. Where you are uncertain whether privilege applies, seek guidance from the firm's MLRO and, if necessary, from the SRA or the Law Society's practice advice service. Do not allow uncertainty about privilege to prevent you from reporting where you should.
Once a SAR has been submitted (or you know one has been submitted), it is a criminal offence under section 333A of POCA to disclose to the client or any third party that a report has been made, if that disclosure is likely to prejudice any investigation. The maximum penalty is 2 years' imprisonment. POCA does provide limited statutory gateways: section 333C permits disclosure between professional legal advisers who share a client or a transaction, for the purpose of preventing a money laundering offence (and only where both advisers are subject to equivalent duties of confidentiality and data protection), and section 333D permits disclosure to your client for the purpose of dissuading them from engaging in criminal conduct.
Designate a Money Laundering Reporting Officer who has the seniority and authority to make decisions about reporting suspicious activity. In smaller firms this is often a partner or the COLP. Notify the SRA of the appointment. Ensure a deputy MLRO is appointed to cover absences.
Produce a written assessment of your firm's money laundering and terrorist financing risks covering all practice areas within MLR 2017 scope. Follow the LSAG guidance methodology. Ensure the assessment reflects your firm's actual work, not a generic template. Have it approved by the COLP or senior management.
Create documented procedures for client identification and verification, beneficial ownership identification, source of funds verification, source of wealth checks for high-risk clients, PEP screening, and ongoing monitoring. Procedures must cover both standard and enhanced due diligence and set out clear escalation routes.
Require a documented risk assessment for every client and matter within the scope of the MLR 2017. Use the risk assessment to determine the level of CDD required (simplified, standard, or enhanced). The SRA provides a template, but adapt it to your firm's practice areas.
Establish a clear internal process for staff to report suspicions to the MLRO. Provide initial AML training to all staff on joining and at least annually thereafter. Training must cover recognition of suspicious activity, the firm's reporting procedures, legal professional privilege boundaries, and the tipping off offence.
Set up systems to retain all CDD records, risk assessments, SARs, and training records for at least 5 years. Conduct regular compliance monitoring through file reviews and sample testing. Document your monitoring findings and any corrective actions.
Ensure your firm-wide risk assessment, policies, procedures, training records, and compliance monitoring evidence are readily accessible. The SRA may conduct desk-based reviews, request specific documentation, or carry out on-site visits. Higher-risk firms should expect more frequent supervisory contact.
AML compliance is not a one-off exercise. After implementing these measures, you must:
If your firm's UK revenue exceeds £10.2 million, you must also pay the annual Economic Crime Levy: £10,000 for revenue between £10.2 million and £36 million, £36,000 between £36 million and £1 billion, and £500,000 above £1 billion. HMRC collects the levy from firms supervised by professional body supervisors such as the SRA. Firms with UK revenue below £10.2 million are exempt.
If you suspect the funds in a property transaction are the proceeds of crime, you must submit a SAR with a defence against money laundering (DAML) request — formerly known as a consent SAR — before proceeding to completion. The NCA has 7 working days to respond. If the DAML is refused, a further 31-day moratorium applies. Proceeding without a defence risks committing a principal money laundering offence under sections 327-329 of POCA 2002. Build this timeline into your completion schedule.
SRA guidance on AML compliance for solicitors' firms
sra.org.ukSRA guidance articles on money laundering including LSAG sector guidance
sra.org.ukGOV.UK overview of AML obligations including suspicious activity reporting
gov.ukFull text of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
legislation.gov.ukPOCA 2002 including money laundering offences and reporting obligations
legislation.gov.ukOffice for Professional Body Anti-Money Laundering Supervision
fca.org.uk