Why law firms are falling foul of the law


By Bobby Hussain, 3 November 2025

Taking stock of the legal landscape, and reflecting on the last twelve months or so, I came to a rather dispiriting conclusion. Reflecting on the number of law firms that had been on the receiving end of fines issued by the Solicitors Regulation Authority (SRA), I theorised that some law firms have quite simply forgotten about the existence of the UK’s Money Laundering Regulations (MLRs).

My conclusion was perhaps impetuous. But it was one arrived at based on an examination of the volume and nature of these fines; I was struck by quite how many fines were issued to firms, most of whom operated in a way that seemed to suggest that they were oblivious to the existence of the MLRs.

On further reflection, I wondered whether the SRA’s penalties might be attributed to a system risk emerging eight years after the MLRs came into force. In any case, I think it is worthwhile to look at some of these fines in more detail, as well as the MLRs themselves, to try and discover why so many law firms are falling short.

Law firm failures

The MLRs 2017 came into effect on 26 June 2017. They were implemented prior to Brexit as a way of transposing the EU’s Fourth Money Laundering Directive into British law.

The MLRs 2017 replaced their 2007 predecessor, but this was not a case of replacing like for like; the MLRs 2017 represented, in their expanded scope, a seismic shift. Below I set out some of the requirements of the MLRs 2017, and examine some recent cases where law firms have behaved contrary to their dictates.

Mandatory risk assessments: with the MLRs 2007, risk-based thinking, while encouraged, was not enforced. The MLRs 2017 made it clear that firms are legally required to conduct documented risk assessments on both a firm-wide basis and on a client/matter level.

Example: Duffield Harrison LLP failed to produce a documented, firm-wide risk assessment in accordance with Regulation 18 until December 2019, some two years after the MLRs 2017 were enacted. Similarly, Steinbergs operated without one until 2020, despite handling high-risk conveyancing matters.

Enhanced due diligence: the MLRs 2017 introduced mandatory enhanced due diligence for high-risk third countries, stricter verification of beneficial ownership and control, and a clearer obligation to apply enhanced due diligence to politically exposed persons (PEPs), family members and close associates.

Example: PCB Lawyers LLP was fined £25,000 in March 2025 for failing to apply enhanced due diligence pertaining to source of funds and source of wealth; it also failed to conduct enhanced ongoing monitoring.

Policies, controls and procedures: the MLRs 2017 state that a firm must establish and maintain policies, controls and procedures to mitigate and manage the risks of money laundering and terrorist financing, and must subject these policies to regular review.

Example: Burch Phillips & Co operated without compliant policies, controls and procedures for six years. Duffield Harrison LLP, meanwhile, had outdated policies and controls until 2023, and Steinbergs only formalised its policies after enforcement pressure.

Client risk assessment: these risk assessments would include customer, geographic, product/service and delivery channel risks. In addition, the risk record must be up to date and firms must be prepared to provide this record if requested. Overall, the relevant person must comply with the requirement to take customer due diligence (CDD) measures, and these measures must reflect the risk assessment, taking into account the level of risk.

Example: The Commercial Law Practice Ltd failed to conduct client-level risk assessments on five of six reviewed files. In addition, William Harris Solicitors was struck off after £8.8 million in unverified funds passed through the firm in the absence of any meaningful CDD being carried out.

Sector comparison

Let’s weigh up the reasons why fines are on the increase. One reason might be the sluggishness with which the Law Society helped shore up knowledge of the MLRs within its sector. Articles and guidance on the MLRs were only published in 2019, two years after the MLRs were enacted. One could argue that any guidance could have been disseminated sooner.

It is also useful to compare the legal sector to the financial. When one considers financial institutions, one instantly sees a more robust and mature industry, driven by FCA thematic reviews and the threat of punitive action. With the legal sector, though we have seen an increase in action from the SRA, this has only been from 2023 onwards. This tardy intensification might have been mistaken for a lack of priority.

It is also worth noting that four of the five firms subject to the SRA’s scrutiny were small practices; all, save PCB Lawyers LLP, were based outside of London. It has often been argued that smaller entities do not have the resource to continually meet regulations in respect of money laundering. A similar charge has been levelled at the financial sector.

Perhaps the uptick in fines by the SRA signals a change in approach by the regulator. Gone are the days of firms being able to rely on a stout defence to lower potential fines or wrangle out of scrutiny. The question now is whether law firms are sufficiently informed of this change, and are prepared to meet the gaze of the regulator as it settles on them.

About the author

Bobby Hussain

Bobby Hussain LL.B, LL.M, LPC, Adv. Paralegal (CILEX) is a strategic regulatory advisor with deep expertise in UK and international sanctions, AML/KYC frameworks, and PRA/FCA implementation. He has led high-impact compliance initiatives across Tier 1 banks and specialist consultancies, with a publishing portfolio that includes ICA inCOMPLIANCE and Trinity Law Review. As founder of BSAH Consultancy Ltd, Bobby is architecting phased legal, financial, and strategic advisory services designed for institutional resilience and legacy impact.