The SRA AML inspection checklist: what your firm needs before the letter arrives.
A category-by-category checklist for SRA AML inspection readiness, covering the FWRA, CMRA, source of funds, ongoing monitoring, ID checks, audit and training, with exact figures from the SRA's own 2024/25 report.
Arvind Manimaran · 14 July 2026 · 9 min read
An SRA AML inspection checklist, at its core, comes down to seven documents: a firm-wide risk assessment, a client and matter risk assessment for every open file, evidenced source-of-funds checks, a record of ongoing monitoring, identity verification for every client, an independent audit, and training records. Firms that can produce all seven, on demand, for a sample file, tend to have a straightforward inspection. Firms that cannot are, on the SRA's own 2024/25 figures, the norm rather than the exception: 86.6% of the 833 firms it assessed that year were not fully compliant.
This checklist works through those seven core areas, plus two related duties firms often overlook or conflate with them, nine categories in total, each with the exact figures the SRA published against it, so a COLP or MLRO can see precisely where their own firm is most likely to be tested, and how common each specific gap actually is nationally.
What the SRA actually inspects.
The SRA's AML inspections and desk-based reviews test whether a firm's documentation shows real risk-based decision-making, not just whether the right forms exist on file. In 2024/25 it reviewed 5,873 individual client files across 833 firms (SRA AML Annual Report 2024/25). The categories below map directly onto the regulatory duties those reviews test against.
1. The firm-wide risk assessment.
Regulation 18, MLR 2017. Also called a practice-wide risk assessment (PWRA) outside the legal sector; see what a PWRA is if you have seen the other term used.
- A written risk assessment exists covering: the types of customers the firm services, the countries or geographic areas it operates in, its products or services, its transactions, and its delivery channels (Reg 18(2)).
- It has been reviewed within the last year, or sooner if a material change has occurred (new fee-earner, new practice area, new client base).
- It is dated and there is a written record of the steps taken to produce it (Reg 18(4)).
The stakes: 19 firms in 2024/25 had no firm-wide risk assessment at all, despite the duty having existed for over seven years, and were referred for investigation on that basis. Of the 814 firm-wide risk assessments the SRA did review, 47% were rated compliant (up from 43% the year before) and 9% were rated non-compliant (SRA AML Annual Report 2024/25).
2. The client and matter risk assessment.
Regulation 28(12)-(13), MLR 2017. Full explainer: MLR 2017 Reg 28, explained.
- Every active matter has a CMRA recording the client risk factors, the matter risk factors, and a resulting risk rating.
- The CMRA is dated and signed by the responsible fee-earner or the MLRO.
- Where the rating is medium or high, the file shows enhanced measures that actually match that rating.
The stakes: 950 files (16%) reviewed in 2024/25 had no CMRA at all, or only an incomplete one. A further 39% of the CMRAs that did exist failed to effectively evaluate the money-laundering risk. Of the 270 firms rated non-compliant, 135 (50%) were referred specifically for a lack of CMRAs on file, though 111 of those 135 had a process in place that simply was not being followed (SRA AML Annual Report 2024/25).
3. Source of funds and source of wealth.
Regulation 28(2)(c) and Regulation 33, MLR 2017. Full explainer: source of funds versus source of wealth.
- For every matter where a source-of-funds check is required, the origin of the specific money used is documented, not just the client's identity.
- Documents gathered (bank statements, completion statements, probate grants) have a written note showing someone actually checked them against the client's account of events.
- Enhanced due diligence, including source of wealth, is applied where the matter involves a politically exposed person or a high-risk third country.
The stakes: of the 5,026 files that required a source-of-funds check in 2024/25, 10% had none at all. Where documents had been gathered, 18% were never scrutinised. 8% contained source-of-funds information that did not match the ledger. Firms received source-of-funds feedback in 41% of onsite inspections and desk-based reviews (SRA AML Annual Report 2024/25).
4. Ongoing monitoring.
Regulation 28(11), MLR 2017. Full explainer: ongoing monitoring under Reg 28(11).
- Transactions on live matters are scrutinised for consistency with what the firm knows about the client, not processed on autopilot.
- CDD records are refreshed when they age or when a trigger event occurs.
- There is a dated log entry for each review: what was checked, what triggered it, and the outcome.
The stakes: the SRA does not publish a single national ongoing-monitoring compliance rate, so treat any specific percentage you see quoted for this category with caution unless it cites the report directly. What the SRA's data does show is the downstream effect: money-laundering-related reports it received rose to 426 in 2024/25, nearly double the 227 received the year before (SRA AML Annual Report 2024/25).
5. Identity verification and client due diligence.
Regulation 28(2), MLR 2017.
- Every client's identity has been identified and verified before, or as, the business relationship is established.
- Where technology (eIDVA) is used for identity checks, the firm can show it was used alongside, not instead of, a proper CMRA and source-of-funds process.
The stakes: 368 of the 5,873 files reviewed (6%) did not contain evidence the client had been identified and verified at all. Separately, 90% of the firms the SRA met with used electronic identification and verification technology to help with CDD checks (SRA AML Annual Report 2024/25); that figure describes firms generally, not specifically non-compliant ones, so treat any claim that ID tools alone predict compliance with caution.
6. Independent audit.
Regulation 21, MLR 2017.
- The firm has commissioned an independent audit of its AML policies, controls and procedures within the last two years.
- The audit itself included a file review, not just a policy-document check.
The stakes: 48% of firms had carried out an independent audit; of those, 79% had been done within the last two years. But 32% of the audits the SRA itself reviewed were themselves non-compliant with Reg 21, most commonly because they had not included a file review (SRA AML Annual Report 2024/25).
7. Training.
Regulation 24, MLR 2017.
- Every relevant employee, not just fee-earners, has received AML training appropriate to their role.
- Training records show who was trained, when, and on what.
8. Internal file reviews.
A firm's own periodic self-checks, distinct from the client-level ongoing monitoring in category 4 above.
- The firm runs its own internal file reviews on a regular schedule.
- Those internal reviews specifically consider source of funds, not just identity and documentation completeness.
The stakes: 77% of firms inspected in 2024/25 were carrying out internal file reviews. Of those, a third (33%) did not consider source of funds as part of that review (SRA AML Annual Report 2024/25).
9. Proliferation financing risk assessment.
Regulation 18A, MLR 2017, in force since 1 April 2023. A separate duty from the firm-wide risk assessment in category 1, though firms sometimes conflate the two.
- A written proliferation-financing risk assessment exists, separate from the general firm-wide risk assessment.
The stakes: 646 of the 833 firms the SRA assessed (78%) had completed one (SRA AML Annual Report 2024/25).
Assembling the evidence pack.
When an SRA inspection letter arrives, firms typically have limited time to produce the documents above for a sample of matters. The safest position is to have all nine categories current and centrally accessible before any letter arrives, not assembled retrospectively once one does.
Frequently asked questions.
How much notice does the SRA give before an AML inspection.
The SRA does not publish a fixed notice period, and firms report timelines ranging from a few days to a few weeks. Because the exact timeline is not guaranteed, the safer approach is to keep the evidence pack above current on an ongoing basis rather than assembling it only once a letter arrives.
Does the SRA inspect every firm every year.
No. In 2024/25 the SRA reviewed 833 firms out of the 5,569 firms that fall within the scope of the money laundering regulations (itself around two-thirds of the 9,149 total firms it authorises), which works out to roughly 14.9% of in-scope firms engaged with that year, by Retibo's own calculation from those two SRA-reported figures. The SRA does not publish its selection methodology, so this is a rough proportion for one year, not a guaranteed inspection cycle.
What is the difference between an SRA desk-based review and an onsite inspection.
Both form part of what the SRA calls its proactive AML engagements. Desk-based reviews are the larger category by volume (516 of the 935 proactive engagements in 2024/25); onsite inspections by the AML proactive team accounted for 317, with the remainder made up of engagements as part of onsite investigations, thematic reviews and audit reviews.
What happens if a firm cannot produce these documents when asked.
Based on the SRA's 2024/25 findings, missing or defective documentation in any of the categories above is treated as a compliance failing in its own right, independent of whether anything actually went wrong on the matter. Firms have been referred for investigation, and in the most serious cases fined, on documentation grounds alone.
Is a checklist like this a substitute for legal advice.
No. This is informational content to help a firm understand what an SRA AML inspection tests for. It is not a substitute for advice from your firm's own MLRO, COLP or external counsel on your specific obligations.
Sources
- SRA, Anti-Money Laundering Annual Report 2024-25, 30 October 2025: www.sra.org.uk/sra/research-publications/aml-annual-report-2024-25
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Reg 18, 18A, 21, 24, 28 and 33: www.legislation.gov.uk/uksi/2017/692/contents/made
- Legal Sector Affinity Group (LSAG), Anti-Money Laundering Guidance for the Legal Sector, effective 23 April 2025
- SRA, Further changes to the fining regime (ECCTA 2023), SRA Update 139: www.sra.org.uk/news/news/sra-update-139-financial-penalties
Written by Arvind Manimaran. This article is educational and does not constitute legal advice. Regulatory positions should be verified against current SRA guidance and primary legislation.
Book a call