Does the AI train on our client data?

No. Client data is never used to train any AI model. Inference runs via AWS Bedrock (eu-west-2, London) with zero data retention (ZDR): Bedrock does not retain prompts or outputs after the API call completes. Files are processed in memory and discarded. A data processing agreement (DPA) is provided before any client data is processed.

Is this SRA compliant?

The product is designed to be consistent with the SRA's AI Risk Outlook guidance. Every AI output is a clearly-labelled draft requiring review and explicit sign-off by a named MLRO or COLP (with their SRA reference logged); no AI output is auto-filed; the firm remains the regulated entity and responsible party; and an append-only audit log of all AI outputs and human decisions is maintained. This does not constitute legal advice about a specific firm's obligations.

What happens when AML supervision transfers from the SRA to the FCA?

The FCA will inherit the files and procedures firms create today. The underlying MLR 2017 obligations remain unchanged — only who supervises changes. The FCA is expected to adopt a more data-driven, forensic inspection approach. Evidence packs are designed to be legible to both the current SRA inspection format and the FCA's anticipated forensic style.

Where is client data stored, and can it leave the UK?

All data is stored in AWS eu-west-2 (London). No data transits to US or non-UK/EU infrastructure. AI inference runs via Bedrock EU endpoints. ISO 27001 certification is planned before general availability (currently in design phase). Cyber Essentials Plus is planned (after initial pilots). The certification timeline is published transparently — no certifications are claimed that are not yet held.

Which practice management systems do you integrate with?

The product is PMS-agnostic and designed to sit above the existing stack, not replace it. Integration roadmap: Clio, LEAP, Actionstep, and Osprey. Reads from Thirdfort, Amiqus, and ComplyAdvantage for ID verification and sanctions data. Integration does not require replacing the existing PMS.

Does the AI file SARs (Suspicious Activity Reports) automatically?

No. Filing a SAR is a legal act with serious consequences. The AI can identify indicators that a matter may warrant SAR consideration and draft supporting analysis, but the MLRO must review the analysis, make the decision independently, and file via the NCA's SARS Online portal. The system logs that the consideration occurred and who made the decision — it never acts on it.

How do you handle the tipping off prohibition?

SAR-consideration workflows are partitioned from fee-earner views. Once a SAR consideration is open, the matter is flagged internally to the MLRO only — fee earners see a general hold instruction without the reason. This is enforced at the access-control layer, not just the UI layer.

What is the cost of the service?

Currently in pre-launch, conducting paid-intent discovery calls. Intended model: free 30-minute compliance health-check with no commitment, then a one-month free pilot with written success criteria and an end date, then a minimum 6-month subscription. Pricing is a transparent subscription, calibrated to be a fraction of the cost of a single avoided AML fine. Accessible to firms of any size — not enterprise-gated.

Will you sign a data processing agreement (DPA)?

Yes. A DPA is required before any client data is processed. The DPA covers: lawful basis for processing, sub-processor chain (AWS, Bedrock), data residency guarantees, retention and deletion schedule, and breach notification obligations. Client data will not be processed without a signed DPA.

Is the AI output protected by legal professional privilege?

This is a live area of law. AI-assisted outputs directed by a qualified lawyer, used in preparation for legal proceedings, and subject to MLRO review and adoption, may be capable of attracting privilege — but this has not been authoritatively decided. Firms should treat AI compliance outputs as records that assist the fee earner's own work product, not as privileged communications in their own right. This is not legal advice.

Learn — SRA AML Compliance

SRA AML compliance AI for UK law firms: what it can do, what it cannot.

151 SRA enforcement outcomes in 2024/25. 32% of inspected firms non-compliant. The failures are concentrated in the reasoning and documentation layer above the ID check — the exact layer where AI can help most.

Source: SRA AML Annual Report 2024/25 · Published June 2025 · HIGH confidence

Updated: June 2026Regulatory basis: MLR 2017, LSAG 2025, SRA AML Annual Report 2024/25By the Retibo team — built by qualified solicitors

What the SRA actually fails firms on

The SRA AML Annual Report 2024/25 inspected 833 firms and found 32.4% non-compliant. The most common specific failures were: (1) missing or inadequate client and matter risk assessments (CMRAs) under MLR 2017 Reg 28(12)–(13) — present in 50% of non-compliant firms; (2) missing firm-wide risk assessments (FWRAs) under MLR 2017 Reg 18; (3) weak ongoing monitoring under Reg 28(11); and (4) inadequate source-of-funds documentation. Critically, 90% of inspected firms already used electronic ID tools — the gap was in the reasoning and documentation layer above the data.

These failures are not caused by lack of effort or expertise. They are caused by the volume of documentation required per matter, the difficulty of consistently applying the regulatory framework across dozens of fee earners, and the absence of an automated system to flag when a matter falls short. These are tractable problems for AI-assisted tooling — if the tooling is designed correctly.

What AI can and cannot do in this context

AI can draft CMRAs citing the specific MLR 2017 regulation and LSAG paragraph; identify gaps in existing documentation; monitor active matters for the triggers the SRA specifically tests for (transaction value changes, counterparty changes, re-screen expiries); and assemble inspection-ready evidence packs on demand. These are appropriate uses where AI functions as a highly efficient drafting assistant, not as a decision-maker.

AI cannot and should not: make the final compliance decision; auto-file SARs or trigger any legal act; assert privilege on behalf of the firm; or substitute for a qualified MLRO's professional judgment. The SRA is explicit in its AI Risk Outlook guidance that firms must not over-rely on AI and must retain human accountability for every compliance record. Any product that does not enforce this — via a mandatory human sign-off step before any output is finalised — is not fit for SRA-regulated use.

Internal links — related guides

This article is informational only and does not constitute legal advice. Regulatory positions should be verified against current SRA guidance and primary legislation. Last updated June 2026.

Book a free compliance health-check