Source of funds: still the most common AML failing, and why
Source of funds remains one of the most common AML failings for UK law firms. What MLR 2017 requires, where firms fall short, and why the gap persists.
Jacob Styles · 1 July 2026 · 6 min read
Year after year, the same failing appears at or near the top of the Solicitors Regulation Authority's list of AML shortcomings: source of funds. It is one of the most heavily scrutinised areas in file reviews, one of the most frequently criticised, and, for a duty so central to the regime, one of the most misunderstood. The persistence of the problem is worth examining, because it tells you something about where firms genuinely go wrong.
What the rules actually require
Source of funds sits within the customer due diligence obligations of the Money Laundering Regulations 2017 (MLR 2017). Regulation 28 sets out what CDD involves: identifying and verifying the client, identifying beneficial owners, and, critically, "obtaining information on the purpose and intended nature of the business relationship" (MLR 2017, Reg 28). Where the risk warrants it, that extends to understanding where a client's money has come from.
Two related concepts are often confused:
- Source of funds: where the specific money used in this transaction originated (for example, the proceeds of a named house sale, a documented inheritance, or a savings account with a traceable history).
- Source of wealth: how the client accumulated their overall wealth in the first place.
MLR 2017 does not demand a forensic audit on every matter. It demands a risk-based response: the higher the money-laundering risk of the client and matter, the deeper the enquiry and the stronger the evidence required (MLR 2017, Reg 28; LSAG guidance). Enhanced due diligence, including establishing source of funds, is mandatory in higher-risk situations such as dealings involving politically exposed persons or high-risk third countries.
Where firms fall short
The SRA's file reviews expose a consistent pattern. In its thematic review of source of funds and wealth compliance, and again in the 2024/25 annual report, a meaningful share of applicable files either contained no evidence of source-of-funds checks or showed checks that were carried out but not properly scrutinised (SRA, Thematic review of source of funds and wealth compliance; SRA AML Annual Report 2024/25). Reporting of the exact rates varies with how the sample is cut, but the direction is unambiguous: a large minority of files do not adequately evidence where the money came from.
A firm can ask where the money came from, accept the answer, and still fail, because it never tested or evidenced it.
The failings tend to cluster into a few recognisable types.
1. Asking but not evidencing
The most common gap is not a total absence of enquiry; it is enquiry that leaves no trace. A fee-earner asks the client where the deposit came from, receives a plausible answer, and moves on. Nothing is recorded, no supporting document is obtained, and the file cannot demonstrate that any check happened at all. Under the SRA's approach, an undocumented check is, for practical purposes, no check.
2. Collecting documents without interrogating them
A bank statement in the file is not the same as scrutiny of that statement. Inspectors look for evidence that the firm actually tested what it received: does the money trail make sense, are there unexplained large credits, does the stated origin match the documentary reality? Simply filing a statement, the "collect and forget" approach, does not satisfy the obligation.
3. Treating identity verification as source of funds
Electronic identity checks and AML screening tools confirm who the client is. They say nothing about where their money came from. The SRA has been explicit that electronic identity verification is not a substitute for source-of-funds work or for a proper client and matter risk assessment. Conflating the two is a recurring, and penalised, mistake.
4. Applying the wrong depth of enquiry
Because the duty is risk-based, some firms under-investigate genuinely high-risk matters while over-documenting low-risk ones, or apply a flat approach that ignores the risk rating entirely. Both miss the point: the level of scrutiny should track the assessed risk of the specific client and matter.
Why the failing persists
If the rule is well known, why does source of funds keep topping the list? Part of the answer is that it is genuinely effortful. Testing the origin of money is slower and more judgement-heavy than ticking an identity box, and it often surfaces at the point of a transaction when the client wants to complete quickly. Commercial pressure and compliance rigour pull in opposite directions.
There is also a stakes problem that firms underestimate. Failing to establish source of funds is not only a regulatory breach. Where funds turn out to be criminal property, a firm that failed to make proper enquiries can find itself exposed under the Proceeds of Crime Act 2002: the offences there do not require the firm to have known, only, in some circumstances, to have had grounds for suspicion it should have acted on. The source-of-funds check is, in effect, the firm's own defensive shield.
Why it matters
Source of funds is the point where AML compliance stops being about paperwork and starts being about the actual purpose of the regime: keeping dirty money out of the legitimate economy. That is precisely why the SRA scrutinises it so hard, and why it remains the failing most likely to appear in an enforcement summary.
For any firm, the uncomfortable truth is that the checks it believes it performs and the checks it can evidence are often two different things. Closing that gap, recording the enquiry, interrogating the documents, and matching the depth of scrutiny to the risk, is not box-ticking. It is the difference between a defensible file and a finding.
Sources
- SRA, Thematic review of source of funds and wealth compliance: www.sra.org.uk/sra/research-publications/thematic-review-source-funds-wealth-compliance
- SRA, Anti-Money Laundering Annual Report 2024-25: www.sra.org.uk/sra/research-publications/aml-annual-report-2024-25
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Reg 28: www.legislation.gov.uk/uksi/2017/692/regulation/28
- Legal Sector Affinity Group (LSAG), Anti-Money Laundering Guidance for the Legal Sector
- Proceeds of Crime Act 2002: www.legislation.gov.uk/ukpga/2002/29/contents
Written by Jacob Styles. This article is educational and does not constitute legal advice. Regulatory positions should be verified against current SRA guidance and primary legislation.
Book a free compliance health-check