In October 2025, the UK Government announced a landmark reform that will reshape the nation’s professional services sector.^[1]Reform of the Anti-Money Laundering and Counter-Terrorism Financing Supervision Regime: Consultation Response – GOV.UK The Financial Conduct Authority (FCA) is set to become the Single Professional Services Supervisor (SPSS) for anti-money laundering (AML) and counter-terrorist financing (CTF) consolidating supervisory oversight from 22 professional body supervisors to a single independent public body, the FCA.

The announcement responds to longstanding concerns raised by the Financial Action Task Force (FATF)^[2]FATF is the international standard setting body for tackling money laundering (ML), terrorist financing (TF), and proliferation financing (PF)., which in 2018 called out significant weaknesses in the UK’s AML supervision, particularly across the legal and accountancy sectors.^[3]The United Kingdom’s measures to combat money laundering and terrorist financing With the next FATF mutual evaluation scheduled for August 2027, the timing of this shift is no coincidence.

On 6 November 2025 HM Treasury (HMT) launched a consultation, which runs until 24 December 2025, to define the duties, powers and accountability mechanisms the FCA will need to be an effective SPSS.^[4]AML-Supervision_Reform_Powers_Consultation.pdf The devil is always in the detail and in this case, the detail is still to be worked out. Legislative amendments, funding structures and transitional arrangements must all follow.

HMT reiterated that under the Money Laundering Regulations (MLR) supervisors must assess not only AML controls, but also the systems and controls in place to mitigate the risks of breaching relevant sanctions relating to CTF/CPF, as part of their compliance checks.^[5]HMT 2023-24 AML/CTF supervision report published in March 2025: (((AML_Annual__Report.pdf For the purposes of this paper the term AML is used as an umbrella term encompassing AML, CTF, CPF and Sanctions.

From guidance to governance: a new supervisory landscape

For legal professionals, this marks a significant change in how AML compliance will be assessed and enforced. Solicitors will now be supervised for AML compliance by the FCA, replacing the nine legal sector professional body supervisors, most notably the Solicitors Regulatory Authority (SRA). Whilst the headline is clear, the operational details remain under active consultation.

While no formal timeline has been set for changing guards, the urgency is there for the UK to present a credible, consistent, and effective supervisory system to FATF by August 2027.

This paper explores the implications of this transition, comparing the supervisory approaches of the FCA and the SRA, outlining practical steps legal firms should take now to prepare for increased scrutiny and evolving expectations, and shares strategic insights on how legal firms can align with FCA standards to avoid common pitfalls. This paper is designed to help legal professionals understand the regulatory shift, assess their readiness, and take proactive steps to strengthen their AML compliance in anticipation of FCA oversight.

Same battlefield, different uniforms: shared AML weaknesses across sectors

The FCA and legal sector supervisors have identified recurring weaknesses in firms’ AML compliance frameworks irrespective of sector boundaries and regulatory culture. These shared findings point to systemic vulnerabilities and emphasise the importance of robust, risk-based controls that can transcend sectors.

---

• Firm- or Business-Wide Risk Assessments (FWRA / BWRA)
  Regulations 18 and 18A of the MLRs mandate firms to identify and assess money laundering, terrorist financing, and proliferation financing risks across their operations. These risk assessments should be the foundation of any risk-based AML programme, however both sector regulators report persistent shortcomings. The SRA reports that some firms still lack a FWRA despite the requirement being in place for over seven years. The FCA, which these days focuses more on effectiveness of controls, has been reporting ineffective BWRAs over a number of years.
  
• Customer and Matter Risk Assessments
  Regulation 28 of the MLRs mandates the requirement to assess the level of risk arising in any particular case. For financial services, this typically means at a customer level; the legal sector typically considers the risk posed by each client and matter. Regardless of the scope, firms in both sectors regularly fall short in conducting meaningful client and matter level risk assessments. Where assessments do exist, they are often superficial, lack granularity or fail to reflect the firm’s actual risk exposure.
  
• Flaws Persist in Due Diligence Controls
  Due diligence remains one of the most effective controls (when designed and implemented properly) to mitigate financial crime risks. Yet both sector regulators regularly find issues with due diligence controls in their supervisory activities. Issues still exist in identification, verification, beneficial ownership checks and enhanced due diligence for higher-risk clients or matters.

These commonalities suggest that while the sectors’ regulators differ, the foundational challenges in AML compliance are strikingly similar. As the FCA assumes supervisory responsibility for the legal sector, these shared themes offer a baseline for understanding where firms need to begin strengthening their controls.

Changing uniforms: from SRA support to FCA scrutiny

While both the FCA and SRA aim to uphold AML standards, their supervisory models, enforcement powers, and regulatory cultures differ. These differences could have material implications for legal sector firms as they transition to FCA oversight.

A Wider Lens: What FCA Supervision means for AML Oversight

The FCA’s supervisory model is fundamentally different. It is data-driven, risk-based and increasingly focused on the effectiveness of controls. With decades of experience supervising financial services firms under both the MLRs and the Financial Services and Markets Act 2000 (FSMA), the FCA brings a level of regulatory maturity and enforcement capability that is likely to reshape expectations for legal firms. The FCA will expect firms to demonstrate not just compliance, but effectiveness,with clear evidence that controls are working in practice. In contrast, the SRA began AML supervision in 2007 and takes a more collaborative, guidance-led approach.

The FCA currently supervises around 17,200 firms for AML.^[6]AML_Annual__Report.pdf The expansion of its scope to include professional services organisations will more than triple the FCA’s remit with AML oversight for more than 60,000 firms. Of these 12% will comprise 7,500 legal sector firms currently supervised by the nine legal sector professional bodies, of which the SRA supervises over 5,600 (75%). It seems probable that the FCA will draw on talent from the SRA and the Office for Professional Body Anti‑Money Laundering Supervision (OPBAS) to provide it with sector knowledge and continuity as well as an additional capacity to supervise a significantly increased population. It would not be unreasonable to assume that, over time, there may be some convergence in supervision across the sectors.

Risk Reassessed: Legal Sector Under the FCA Lens

In 2024, only 5% of FCA-supervised firms received an inspection, compared to 12% under the SRA. Whilst this suggests that the chances of a supervisory visit may be reduced for the legal sector under its new regulator, the FCA’s data-driven and risk-based approach focusses on the highest risk sectors within its portfolios with lighter touch thematics across other sectors.

The UK’s National Risk Assessment classifies the legal sector as high-risk which is at odds with the SRA’s assessment that 92% of the firms it supervises (as the largest legal sector professional body regulator) are low risk. The following chart compares the risk profile of both regulators’ current populations^[7]AML_Annual__Report.pdf.

Source: Data from HMT AML and CTF Supervision Report 2023-24^[8]AML_Annual__Report.pdf

Given this disparity, the FCA is likely to re-assess the risk profile of the new firms it will take on as the SPSS and one of the ways it could do that is by getting firms to provide it with regular data not dissimilar to the REP-CRIM^[9]REP-CRIM was introduced by the FCA in 2016 and is a way to gather more information about a firm’s regulated activities and ML risks. used in financial services.

The FCA will not be satisfied with well-written procedures, it will expect proof that controls work in practice and mitigate risk effectively. In transitioning to FCA supervision, legal firms should:

• ensure they are able to extract accurate, reliable data about the risks their firms face and the effectiveness of their control environment
• prepare for a shift from procedural compliance to deeper scrutiny of control effectiveness
• be able to demonstrate controls are operating as designed and are effective

Section 166 of FSMA gives the FCA powers to appoint a Skilled Person. The current consultation is seeking views on extending these powers to the new population. A Skilled Person is an independent third party appointed to provide a deeper level of analysis to the FCA. Historically, the FCA has commissioned between 10-23 Skilled Person reviews annually^[10]Data across the last 8 years. Skilled person reviews | FCA. Such reviews are intrusive, costly, and disruptive to firms, and are often coupled with business restrictions which impact a firm’s revenue generation. A double whammy: increased costs and decreased revenue, which has been found to be extremely effective at driving the pace of compliance improvements.

Business restrictions can totally shut down all revenue or restrict parts of a business with inadequate controls, typically in high-risk business areas. These restrictions are commonly applied to small and medium-sized firms with inadequate controls. Business restrictions are commonly disclosed in the FCA register. It remains to see whether legal firms, supervised by the FCA, will also be listed in a public register.

Sharper Swords

The FCA’s extensive enforcement powers include suspension, restrictions, prohibition of practice, public censure, disgorgement, and criminal prosecution. In 2023/24 the FCA cancelled five firm memberships, issued three fines totalling £26 million, and took 133 enforcement actions.^[11]AML_Annual__Report.pdf Operating under more limited powers and a £25,000 fine cap^[12]The fine cap increased from £2,000 to £25,000 in July 2022. The SRA is able to refer case to the Solicitors Disciplinary Tribunal (SDT) for more serious matters., the SRA issued less than £0.5 million fines across 34 firms and took 23 formal actions^[13]AML_Annual__Report.pdf. The SRA’s 2024/25 AML annual report shows an increase in enforcement actions resulting in 86 fines totalling £1.5 million.^[14]SRA | Anti-Money Laundering Annual Report 2024-25 | Solicitors Regulation Authority. £953,333 through regulatory settlement agreements and adjudication, with a further £545,650 through the SDT. The SRA fines ranged from £1,520 to £300,000; an average of £17,000. In the same period^[15]1 November 2024 to 30 October 2025, the FCA fined six firms £82 million ranging between £289,000 to £39.3 million for AML issues; averaging £13.7 million. The largest legal sector fine is broadly equivalent to the smallest financial services fine.

The following table compares two recent enforcement actions. Whilst there are many similarities in the compliance failures, their risk assessments, enforcement responses and penalty structures diverge significantly giving an indication as to how legal firms may be assessed under FCA supervision, and why early preparation will be key.

	Simpson Thacher & Bartlett LLP, London Office[16]12639.2024.Simpson-Thacher-Bartlett-LLP.pdf (STB)	ADM Investor Services International Limited[17]Final Notice 2023: ADM Investor Services International Limited (ADMISIL)
Regulator	SRA via SDT	FCA
Fine	£300,000	£6,470,600
Date	March 2025	September 2023
Additional Sanctions	None	No new high risk business restrictions.
Nature of Failings	No firm-wide risk assessmentFailed to have fully compliant policies, controls, or proceduresFailed to have in place compliant client and/or matter risk assessments in relation to four files and a requirement for written CMRAs was only introduced on 1 October 2022	No firm-wide risk assessmentFailed to have fully compliant policies, controls, or proceduresClient risk assessment was insufficiently detailed and not applied to customers onboarded before 2014Inadequate MLRO reportsInadequate training recordsFindings not identified by internal audit
Risk Crystallisation	Not apparent	Not apparent
Duration of Breaches	Over 5 years from June 2017 to January 2023	Circa 2 years from September 2014 to October 2016
Firm Revenue Estimate	£299 million[18]SRA-and-Simpson-Thacher-Bartlett-LLP-Agreed-Outcome-Redacted-12.3.25_36985775_1_Redacted.pdf discloses revenue of £299 million in the year to 1 November 2023. Thereafter, media reports a 23% … Continue reading discloses revenue of £299 million in the year to 1 November 2023. Thereafter, media reports a 23% increase in its London revenue, growing to $465m in 2023:)))	£49.8 million[19]Companies House – annual accounts year ended 31 December 2023
Estimated Staff Number	249[20]SRA-and-Simpson-Thacher-Bartlett-LLP-Agreed-Outcome-Redacted-12.3.25_36985775_1_Redacted.pdf	168[21]Companies House – annual accounts year ended 31 December 2023
Nature of Business	Provides legal advice related to corporate matters for FTSE100 sized public and private firms. Very rarely acts for individuals 92% of its work comes within the scope of the MLRs 2017 i.e. buying and selling of business entities, the creation, operation or management of trusts, companies, foundations or similar structures or tax advice. Does not conduct conveyancing or hold client money	Full-service investment multi-asset brokerage company based in London which facilitates over 180 million derivatives contracts a year Market coverage includes contracts relating to grains, energy, foreign exchange, cocoa, and base metals Clients include trade customers, asset managers, institutional clients, and high net worth individuals
ML risk assessed by the regulator	Low risk due to the nature of work in the private equity sector, long-standing clients well known to partners	High risk due to broker status, client risk (PEPs and extractive industries), and jurisdiction risk

Diverging Assessments: A Case in Contrast

The SRA accepted STB was a low-risk business:

• Despite the absence of a FWRA demonstrating low risk across all five factors set out in the MLRs (client, jurisdiction, product, transaction, channel);
• Based on the fact that the “majority of its clients are very longstanding and well known to the partners” despite there being no written requirement to have client risk assessments until October 2022; and
• Without apparent reference to the product risk (e.g. tax structures and trusts) however from a transactional risk perspective it did note that the firm does not hold client money.

In contrast, the FCA concluded ADMISIL is high-risk business based on a number of factors including 32% of its gross profit was generated by high-risk clients (i.e. 68% was not) and 1.8% of its client base were politically exposed persons. Factoring the disparity in the firm sizes (revenue and staff) and the period the breaches continued, legal sector firms can expect significantly higher fines for basic system and control failures irrespective of whether risk has crystallised.

The FCA has also extended fines and prohibitions to individuals responsible for AML in firms aided by the Senior Managers and Certification Regime (SMCR). One of the considerations for the current consultation will be to assess whether a similar regime (although SMCR is currently under review for streamlining) can be extended to the FCA’s new population of legal firms. The current consultation is also seeking views that the FCA should be able to extend the same civil and criminal enforcement powers to the legal sector.

Guarding the Gate

Given the FCA’s extensive experience in AML supervision and enforcement, particularly with new entrants, it critically assesses applications from new firms. It has the powers to accept, deny, suspend, and cancel registrations. In 2023/24, the FCA rejected 44% of 275 applications in 2023/24 whereas the SRA did not reject any of its 218 applications^[22]AML_Annual__Report.pdf. This could indicate a higher threshold for new legal entrants in the future if the FCA’s powers extend to all in-scope firms.

Bridging the divide

As the legal sector prepares for transition to FCA supervision, several critical considerations emerge.

The legal industry is concerned about the FCA’s familiarity with the nuances of legal practice and how it will tailor its supervisory approach. Since January 2018, OPBAS has operated within the FCA, when the Oversight of Professional Body AML and CTF Supervision Regulations came into effect. OPBAS will have an important role in the transition, and it is likely that this team will be re-deployed into the FCA’s new supervisory function for the legal sector bringing nearly eight years of experience to the transition.

Whilst the legislation and regulations are the same for both sectors, the practical guidance is not and may lead to different outcomes. Consideration is required as to whether in the long term the FCA and Joint Money Laundering Steering Group (JMLSG) financial services guidance, and various legal sector guidance from the SRA, Legal Sector Affinity Group (LSAG) AML Guidance for the Legal Sector and other bodies will remain separate or converge. The current consultation is seeking views on the FCA assuming responsibility for publishing AML guidance and removing the requirement for HMT approval enabling new guidance to be issued swiftly.

Dual regulation will persist; the FCA will oversee AML compliance, while the SRA will retain jurisdiction over professional conduct, ethics, and broader regulatory standards. This overlap introduces potential for regulatory friction or duplication, for example with respect to assessing fitness and propriety, unless a coordinated model, akin to the FCA-PRA joint supervision in financial services, is adopted.

Individual accountability may evolve. The FCA’s use of the Senior Managers and Certification Regime (SMCR) in financial services has driven personal responsibility for firm failures. Whether a similar framework will apply to legal professionals remains to be seen, but firms should prepare for increased scrutiny of designated AML officers.

Marching ahead: preparing for FCA scrutiny

Firms should not wait for the changing of the guard. They should assess their current compliance frameworks now against FCA expectations which can be gathered through their ‘Dear CEO’ letters, Financial Crime Guide (of good and poor practices), and FCA final notices. Many of the failings identified by the FCA already align with the common failings identified by the SRA. However, firms should pay particular attention regarding maintaining an audit trail to demonstrate compliance effectiveness, data quality, and the quality of risk assessments.

You may not like it, but your FWRA can be your strongest ally, and it is the time to get it into shape. A well-documented FWRA, grounded in a robust methodology, forms the cornerstone of an effective risk-based AML programme. It should:

• Identify all relevant AML risks using both internal firm data and external sources such as the National Risk Assessment.
• Resist the temptation to downgrade high-risk areas as effective controls mitigate risk, not mask it.
• Include a clear, actionable FWRA plan to enhance controls, with defined ownership, budgets, and timelines.
• Be subject to senior management oversight.

A strong FWRA not only supports internal governance but also strengthens your position in future discussions with the FCA or any third-party assessment. It is the document that articulates why your firm’s approach is proportionate and defensible.

Regulation 21 of the MLRs mandates that, where appropriate given the size and nature of the business, firms must establish an independent audit function responsible for:

• Examining and evaluating the adequacy and effectiveness of their AML-related policies, controls, and procedures;
• Making recommendations to strengthen those frameworks; and
• Monitoring the implementation of those recommendations.

Regardless of firm size, it may be beneficial to conduct such a review to obtain assurance that FCA regulatory expectations are being met. Ensure that any findings from past internal or external reviews (including MLRO/MLCO reports) have been dealt with appropriately, and consider external assurance over those areas.

If your firm outsources any part of its AML programme, it is imperative to ensure you understand how the outsourced provider is managing your risk. Whilst you may be able to outsource the process, you cannot outsource the risk. Ensure you have conducted appropriate testing of your outsourced provider’s processes and outcomes to satisfy yourselves that the risk is being managed adequately. Document your findings and follow up on any issues on a timely basis.

Ensure there is a clear governance framework in place with accountability at the board (or equivalent) level as required by MLR 21(1)(a) which specifically considers AML risks and controls. Good governance arrangements should include appropriate management information incorporating early warning indicators so that senior management are able to sufficiently consider risk mitigation actions.

The guard is changing and the spotlight is shifting

The FCA brings sharper scrutiny, broader powers, and a data-driven lens. Legal firms must be ready for the shift in supervision. Compliance frameworks must evolve from written frameworks to demonstrable control effectiveness.

How can HKA help

At HKA, many of our experts have spent decades supporting firms of all sizes under FCA supervision, from startup firms to global institutions. We have a clear understanding of what the FCA expects from firms, and we know how to get you there. Whether it’s strengthening your FWRA, preparing for FCA scrutiny, or building governance that stands up to third-party review, our experts bring deep regulatory insight and practical experience. The spotlight is shifting. HKA can help your firm anticipate challenges, close compliance gaps, and position itself for success under the new supervisory regime.

About the Author:

Priya Giuliani is a specialist in financial crime investigations & compliance with nearly 30 years’ experience, including a decade as a Partner. She specialises in helping clients on a proactive basis to assess and manage the risk of financial crime including assessing governance, oversight, conduct, and training Senior Managers and Boards. Her investigative experience provides insight in to how various financial crime types (e.g. money laundering, terrorist and proliferation financing, sanctions and tax evasion, bribery, corruption and fraud) can occur, including through the use of professional enablers, and the controls required to manage these risks effectively. Priya has been appointed on many Skilled Person engagements. Widely regarded as a well-qualified and highly experienced expert in financial crime risk management and investigations. She understands risk well and works with clients to assess and develop proportionate and effective control frameworks.

This article presents the views, thoughts, or opinions only of the author and not those of any HKA entity. The information in this article is provided for general informational purposes only. While we take reasonable care at the time of publication to confirm the accuracy of the information presented, the content is not intended to deal with all aspects of the referenced subject matter, should not be relied upon as the basis for business decisions, and does not constitute legal or professional advice of any kind. HKA Global, LLC is not responsible for any errors, omissions, or results obtained from the use of the information within this article. This article is protected by copyright © 2025 HKA Global, LLC. All rights reserved.