Firm-wide risk assessment
Expect this to be central. The SRA wants a risk assessment specific to your firm — reflecting your actual clients, services, jurisdictions, and delivery methods — and kept up to date as those change. Generic, template-based assessments that don't reflect the firm's real risk profile are one of the most common findings.
AML policies, controls, and procedures
Your policies should be current and approved, and should reflect how the firm actually operates. A frequent issue is documented procedures that fee earners don't follow in practice, or are unsure how to apply.
Training records
The SRA looks for evidence of ongoing and role-specific AML training, not just a single annual session. Poor training records — with no evidence of who was trained, on what, or whether they understood it — recur in findings.
A sample of files
Files are selected on a risk basis to test how AML requirements were applied in real matters. The SRA looks for clear evidence of client due diligence, source of funds and source of wealth, and the rationale behind risk decisions and escalations.
Make each document credible
Beyond having the documents, make sure they are version-controlled, consistent with each other, and aligned with practice. The package should tell a coherent and credible story — which is far easier when evidence is captured as work happens rather than assembled at the last minute.
Reglo helps firms keep this evidence organised and audit-ready — humans approve every change. AI drafts and organises; your compliance team decides.
This guide is general information for compliance teams, not legal or regulatory advice. Always refer to the SRA's current guidance and take your own professional advice where needed.