MLR 2017 compliance for solicitors: 2026 guide

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, known as MLR 2017, defines the anti-money laundering standards every UK solicitor must meet to practise lawfully. MLR 2017 compliance for solicitors rests on six core obligations: firm-wide risk assessment, written policies, Customer Due Diligence, MLRO appointment, staff training, and record-keeping. The Financial Conduct Authority and the Law Society both enforce these requirements, and failure to meet them can result in regulatory fines, reputational damage, and loss of authorisation to practise. Understanding each obligation in full is the foundation of a defensible compliance framework.
What are the core MLR 2017 compliance obligations for solicitors?
Six mandatory obligations form the backbone of every law firm’s anti-money laundering framework under MLR 2017. Each one carries distinct procedural requirements, and weakness in any single area can expose the firm to enforcement action.
-
Firm-wide risk assessment. Your firm must identify and document the specific money laundering risks it faces, based on its client base, services, geographic exposure, and transaction types. Generic templates fail regulatory scrutiny; regulators require bespoke assessments that address your actual risk profile.
-
Written policies, controls, and procedures. Policies must be documented, approved at senior level, and kept current. They should cover how the firm identifies risk, applies due diligence, and escalates concerns.
-
Customer Due Diligence (CDD). CDD applies at the start of every new client relationship and whenever risk indicators change. Standard CDD covers identity verification. Enhanced Due Diligence applies to higher-risk clients, including politically exposed persons and complex structures. Simplified Due Diligence is permitted only where risk is demonstrably low.
-
MLRO appointment. Every regulated firm must appoint a Money Laundering Reporting Officer. The MLRO is the senior individual responsible for the firm’s AML framework and acts as the primary contact for Suspicious Activity Reports submitted to the National Crime Agency. This is not a nominal title. The MLRO carries personal accountability under SMF17 of the Senior Managers and Certification Regime, and the FCA has pursued individuals for failures in this role.
-
Staff training. All relevant staff must receive AML training at induction and on an ongoing basis. Training records must be maintained and available for inspection.
-
Record-keeping. Records must be kept for at least five years after the business relationship ends. They must be easily retrievable for audits. Record-keeping failures are a frequent cause of enforcement actions, often more so than gaps in initial due diligence.
Pro Tip: Document not just what checks you carried out, but why. Regulators assess the quality of your reasoning, not only the existence of a procedure.

How have the June 2026 amendments affected solicitors’ compliance duties?
The most significant recent changes to MLR 2017 came into force on 30 june 2026. These amendments cover two principal areas: pooled client accounts and the Trust Registration Service.
Key changes solicitors need to act on:
- Pooled client accounts. The amendments retain provisions that allow banks to apply simplified due diligence controls to solicitors’ pooled client accounts. This means banks can treat the law firm as the regulated entity rather than conducting full CDD on every underlying client. Firms must understand this does not reduce their own CDD obligations toward their clients.
- Trust Registration Service exemptions. Changes to the Trusts Registration Service affect which trusts must be registered and which qualify for exemption. Solicitors advising on trust structures must review whether existing arrangements still meet the amended de minimis thresholds.
- Client confidentiality and data disclosure. The amendments clarify the circumstances under which firms may disclose client information to comply with AML requirements without breaching confidentiality obligations. This is a nuanced area requiring careful policy review.
- Operational updates. Firms must update their written policies to reflect the new statutory instrument provisions. Policies drafted before june 2026 that have not been reviewed are likely to be out of date.
The practical implication is clear: compliance is not a static state. Firms that reviewed their AML policies in 2023 or 2024 and have not returned to them since are operating on outdated frameworks.

What practical steps build an effective MLR 2017 compliance framework?
Building a defensible compliance framework requires deliberate, documented action across every obligation. The following steps reflect current regulatory expectations for UK law firms.
Step-by-step compliance framework
-
Conduct a bespoke firm-wide risk assessment. Map your client types, services, transaction values, and geographic exposure. Regulators require detailed assessments that address specific risk factors, not sector-wide generalisations. Review the assessment at least annually and after any significant change to the firm’s work.
-
Develop and maintain written AML policies. Policies must be approved by senior management and reviewed regularly. Incorporating LSAG AML guidance transforms compliance from a static exercise into a living risk management process. The Legal Sector Affinity Group publishes sector-specific guidance that regulators treat as the benchmark for the legal profession.
-
Establish CDD procedures with clear escalation paths. Define the triggers for standard, enhanced, and simplified CDD. Document the criteria for each level. Ensure fee earners know when to escalate to the MLRO rather than making independent judgements.
-
Appoint a qualified MLRO and define the role formally. The MLRO must have sufficient seniority, resource, and authority to fulfil the role. Under SMF17, the MLRO holds personal accountability for AML compliance. Document the appointment, the scope of responsibilities, and the reporting lines clearly.
-
Implement a structured training programme. Training must cover the firm’s specific risk profile, not just generic AML principles. Keep attendance records and test comprehension. Refresher training should follow any regulatory update or policy change.
-
Maintain secure, retrievable records for five years. Record-keeping failures are a common cause of enforcement action. Use a system that timestamps documents, preserves audit trails, and allows rapid retrieval during an inspection.
Pro Tip: Review your engagement letter practices as part of your compliance audit. Poorly drafted engagement letters can undermine your CDD documentation and create gaps in your audit trail.
Common pitfalls to avoid
| Pitfall | Why it fails regulatory scrutiny |
|---|---|
| Generic risk assessment templates | Fail to reflect the firm’s actual client and transaction profile |
| Undated or unsigned policies | Cannot demonstrate senior approval or currency |
| CDD completed but not documented | No audit trail to evidence the decision-making process |
| MLRO appointed in name only | Regulators assess whether the individual has real authority and resource |
| Training records not retained | Cannot demonstrate ongoing compliance during inspection |
How should solicitors conduct source of funds and source of wealth checks?
Source of funds and source of wealth are distinct concepts, and conflating them is a common compliance error. Source of funds refers to the origin of the specific money used in a transaction, for example, the proceeds of a property sale or a business loan. Source of wealth refers to the broader origin of a client’s overall financial position, for example, accumulated business income or an inheritance.
Solicitors must apply both checks on a risk-based basis. The threshold for enhanced scrutiny rises with transaction value, client risk profile, and jurisdictional exposure. The check is not optional simply because a client appears credible or well-established.
Regulatory expectations on documentation are precise:
- Record the source of funds and source of wealth identified for each client.
- Document the evidence reviewed, such as bank statements, sale contracts, or accountant letters.
- Record the rationale for the risk level assigned, including why you considered the source legitimate.
- Where you decide a full check is not required, document that decision and the reasoning behind it.
Regulatory commentary is unambiguous: merely not performing a check is insufficient. Firms must have a documented rationale justifying all risk-based decisions. An undocumented decision to waive a check carries the same regulatory exposure as failing to conduct one.
One point that catches firms out: funds originating from regulated UK financial institutions are not automatically low risk. Solicitors must understand and record the source rationale regardless of where the funds are held. Assuming legitimacy because money sits in a UK high street bank account does not satisfy the regulatory standard.
Key takeaways
MLR 2017 compliance for solicitors requires six documented obligations, a bespoke risk assessment, and a clear audit trail for every due diligence decision, including decisions not to act.
| Point | Details |
|---|---|
| Six core obligations | Risk assessment, written policies, CDD, MLRO, training, and record-keeping are all mandatory. |
| Bespoke risk assessments | Generic templates fail scrutiny; assessments must reflect your firm’s specific clients and services. |
| MLRO personal accountability | The MLRO holds individual liability under SMF17 and must have real authority, not just a title. |
| Document every decision | Regulators require a written rationale for checks carried out and for decisions not to check. |
| June 2026 amendments | Pooled client account rules and Trust Registration Service changes require immediate policy review. |
Why checkbox compliance puts your firm at greater risk than you think
After working closely with solicitors navigating AML obligations, the pattern I see most often is not outright non-compliance. It is compliance that looks complete on paper but collapses under scrutiny. A firm has a risk assessment, an MLRO, a training log. But the risk assessment was written three years ago by a consultant and has never been touched since. The MLRO was appointed because someone had to be, not because they had the authority or resource to act. The training log records attendance but not comprehension.
Regulators are not impressed by the existence of documents. They assess whether those documents reflect how the firm actually operates. The firms that fare worst in inspections are those that treated compliance as a project to complete rather than a process to maintain. The firms that fare best have embedded AML thinking into how they take on clients, how they assess transactions, and how they escalate concerns.
The June 2026 amendments are a useful forcing function. If your policies have not been reviewed since before june 2026, you have a concrete reason to act now. Use the LSAG AML guidance as your benchmark. It is the document regulators reference, and aligning your policies to it is the clearest signal of good faith you can give. Technology tools, including those that automate CDD and create timestamped audit trails, support this process materially. But they do not replace the judgement, training, and culture that genuine compliance requires.
— SignFlow Now
How SignFlow Now supports law firms with MLR 2017 compliance
Solicitors need more than good intentions to satisfy regulatory inspections. They need documented, timestamped evidence that every compliance step was completed correctly.
SignFlow Now is built for exactly this. The platform combines legally binding e-signatures with built-in AML screening, HMRC Agent Authorisation, and client onboarding packs, all within a single workflow. Every signature, identity check, and document exchange is logged with a full audit trail, giving your firm the retrievable records that regulators require. For law firms managing high volumes of client onboarding, SignFlow Now’s team-based compliance workflows reduce manual handling and the risk of documentation gaps. Visit signflownow.com to see how the platform supports MLR 2017 compliance in practice.
FAQ
What is MLR 2017 and who does it apply to?
MLR 2017 is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It applies to all UK solicitors and law firms carrying out relevant legal activities, including conveyancing, trust and company formation, and financial transactions.
What are the six core obligations under MLR 2017?
The six obligations are: firm-wide risk assessment, written policies and procedures, Customer Due Diligence, MLRO appointment, staff training, and record-keeping. All six are mandatory for regulated legal firms.
How long must solicitors keep AML records?
Records must be retained for at least five years after the business relationship ends and must be easily retrievable for regulatory inspection.
What changed in the June 2026 MLR 2017 amendments?
The june 2026 amendments updated provisions for pooled client accounts and Trust Registration Service exemptions. Firms must review and update their written policies to reflect these changes.
What happens if a solicitor fails to comply with MLR 2017?
Non-compliance can result in regulatory fines, reputational damage, and loss of authorisation to practise. The MLRO may also face personal liability under the Senior Managers and Certification Regime.
