Skip to main content

AML Regulation 21 Independent Auditing Service

By February 1, 2024July 5th, 2024No Comments

With the Solicitors Regulation Authority (SRA) making it clear that most firms should expect a Regulation 21 audit to be performed, it is essential to implement the requirements and decide who the best person (or organisation) is to perform the audit.

A Regulation 21 audit is not just an audit of a firm’s approach to compliance with the MLR 2017, but also evidence that the Money Laundering Compliance Officer (MLCO) and Money Laundering Reporting Officer (MLRO) have implemented an effective process to ensure and maintain compliance.

The audit itself is a ‘deep dive’ into:

  • The Firm’s Policies, Controls and Procedures and their adequacy.
  • Staff’s ability to actively demonstrate compliance.
  • Monitoring processes to ensure application at all levels.
  • An overall assessment and understanding of the risks associated with the Firm, its clients and matters directly relating to Money Laundering and Terrorist Financing.

The audit must be documented and make clear what is working and what needs improving.  It must also be presented to the wider Senior Management in the Firm.

Self-auditing will always spark a debate about whether autonomy and cost-effectiveness offset the potential pitfalls that might compromise the efficacy of the audit process. A component of the evaluation will be the level of importance ascribed to the subject of the audit, but when it comes to your Anti-Money Laundering (AML) controls and procedures, are the benefits of self-auditing practical and, moreover, worth it?

As stated above, most firms have a regulatory requirement to perform an “Independent Audit of AML Policies, Controls and Procedures” in accordance with Regulation 21 of the AML Regulations, and it’s the firm’s responsibility to the SRA to ensure it performs the audit effectively. The AML Regulations require the firm to:

21 (c)establish an independent audit function with the responsibility – 

(i)to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;

(ii)to make recommendations in relation to those policies, controls and procedures; and

(iii)to monitor the relevant person’s compliance with those recommendations.

The obvious challenge is to ensure you comply with the independence requirement of the regulations. Any internally performed auditing process will have to tackle the challenges of objectivity, confirmation bias and conflict of interest to ensure the integrity and credibility of the audit. However, overcoming these challenges and achieving “independence” is made all the more difficult as the personnel with the appropriate knowledge and skills within your organisation might well be ineligible to perform the audit. Typically, in-house employees with the right expertise and the capability to undertake an audit of this type are those responsible for designing, implementing and monitoring the application of the firm’s AML policies and procedures. The audit should not be performed by the MLRO, MLCO or anyone else responsible for maintaining the AML function within the firm.

Paragon has developed a close working relationship with The Strategic Partner (TSP), a leading risk, regulation and compliance consultancy for the legal profession. As a result of this collaboration, Paragon’s existing and prospective clients have discounted access to TSP’s “Regulation 21 Independent Audit” service, saving 10% on the usual fees. David Green, co-founder of The Strategic Partner, said: “We recognise this issue, and our service provides firms with a truly independent audit and report which meets regulatory requirements and is specifically designed to comply with the requirement of the MLR 2017. It is recommended that a law firm performs such a review every two years, although large firms might consider that annually is more appropriate.”

TSP’s Regulation 21 Independent Audit includes: –

  • Discovery meeting to scope out and agree on the approach and focus of the review.
  • Policies have been written to document how the firm complies with the MLRO 2017.
  • A review and analysis of the firm’s High Risk and Suspicious Activity Register
  • Interviews with staff to consider the practical application of a firm’s AML PCPs and to establish understanding and knowledge.
  • Optional file reviews to consider the application of a firm’s AML PCP requirements at case/matter level.
  • A formal report detailing the information obtained in the review, the current approach adopted by the firm and identifying any gaps with a series of recommendations and solutions.
  • Presentation of the findings to the partners.
  • A Directors/Partners Report to evidence the requirement of Regulation 21 of the MLR 2017:-
  1. PCP Analysis
  2. Application
  3. Analysis of trends
  4. Recommendations

The Regulation 21 independent audit extension will further include a review of the approach adopted by the firm for compliance with AML regulations.

For more information about our AML independent auditing offer, please contact:


Ryan Senior


T +44 (0)20 7280 8254

M +44 (0)7827 575 652


This article is published without responsibility on the part of the author or publishers for any loss occasioned by any person acting or refraining from action as a result of any views expressed in the article. Specific risk management advice requires detailed knowledge and analysis of each firm and practice area facts relating to the risk. The information included in this article cannot and does not attempt to satisfy this requirement for any of its readers.