Andrea Cohen previews what’s on the regulatory horizon and sets out 10 things that should be on your risk radar in the coming year

As many compliance officers will know, it is always a worthwhile risk management task to plan, prepare and budget for the year ahead and to try and anticipate changes on the horizon. Being proactive, rather than reactive, is key. Here are our top 10 things to watch for 2025.

1. Money laundering and terrorist financing

For firms within the scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR), compliance with anti-money laundering (AML) requirements will continue to be one of the key risks for 2025. The recently published Solicitors Regulation Authority (SRA) Anti-Money Laundering Annual Report 2023–24 and Anti-Money Laundering Training – Thematic Review reported that proactive supervision doubled, with only 22% of firms being fully compliant. Enforcement increased by almost 50% as well, with over £1m in fines imposed by the SRA and Solicitors Disciplinary Tribunal in relation to AML breaches.

In its Business Plan and Budget (November 2024 – October 2025), the SRA confirmed that a corporate strategy key deliverable 2023–26 would be to enhance its money laundering risk assessment model, adapting its targeted AML inspections and desk-based reviews accordingly.

We are already seeing the next round of notifications from the SRA regarding inspections, including:

  • giving 14 days to provide documents and a response to the questionnaire
  • requests for copies of any audits with any recommendations or follow-up actions
  • AML-related training records and training material for the last three years, and
  • file review form template and a list of file reviews within the last six months.

There are also questions relating to when firm-wide risk assessments (FWRAs) and policies, controls and procedures (PCPs) were first drafted, and it is expected that those documents will be requested in due course. Now is the time to review your FWRA and PCPs and to carry out an independent AML audit.

In addition, 2025 will see an SRA thematic review considering how firms deal with source of funds and source of wealth checks.

2. AML controls in high-risk third countries

Changes to the high-risk third countries list continued to be a trend in 2024, with the latest changes made on 25 October 2024, when Algeria, Angola, Cote d’Ivoire and Lebanon were added to the Financial Action Task Force lists. Senegal was removed but remains on the EU list. It is worth keeping an eye out for updates as they occur fairly regularly.

As a reminder, enhanced due diligence and enhanced ongoing monitoring are required in any business relationship with a person established in a high-risk third country, and in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country.

3. Sanctions regime

The UK sanctions list continues to grow, with countries and individuals added on an almost daily basis. The SRA issued guidance in January 2024, Sanctions regime – firm-wide risk assessments, which, while not compulsory, is considered best practice by the SRA, particularly for firms at higher risk.

It also updated its sanctions guidance, Complying with the UK Sanctions Regime, in August 2024. Following on from its survey, the SRA identified several issues, including firms not having a written sanctions FWRA, identification / verification controls and failure to screen against designated persons lists. It confirmed that its data collection, risk profiling and proactive inspection will extend to compliance with financial sanctions.

4. Economic crime

The government published guidance on the new corporate criminal offence of failure to prevent fraud, providing advice on the requirement to develop and implement reasonable fraud prevention measures. Large organisations (those meeting two out of three criteria, namely over 250 staff members, £36m annual turnover, £18m held assets) have until 1 September 2025 to develop and implement these measures. After this time, any organisation that has not introduced reasonable anti-fraud procedures could face investigation and prosecution and an unlimited fine.

In November 2024, the Legal Services Board (LSB) launched its Consultation on Guidance for New Regulatory Objective on Economic Crime. This is a response to a new legal duty placed on the LSB and the legal services regulators to “promote the prevention and detection of economic crime”. The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced this as a new regulatory objective under the Legal Services Act 2007. This may lead to an increase in SRA inspections, investigations and enforcement. The consultation runs until 7 February 2025.

At the time of writing, we are still waiting for the SRA’s decision following its consultation on proposals on financial penalties in light of its new powers to issue unlimited fines for certain breaches of its rules under the ECCTA.

5. SRA consultation on consumer protection

The SRA consultation on consumer protection, covering a wide range of areas, including changes to the way firms hold client money, interest earned on client money, compensation fund changes, accounts rules changes and more, ends on 21 February 2025. The Law Society and local law societies are responding. We would encourage solicitors and firms to review and respond to the consultation.

6. Cybersecurity

Cyber-attacks against law firms increased dramatically in the 12 months to August 2024, with a 77% rise in successful attacks. Almost 75% of the top 100 law firms have, at some time, been affected by cyber-attacks. In its recently published annual Law Firms Survey, PwC notes that cyber threats are the main concern for law firms.

Firms are a target for cyber criminals because they regularly handle commercially sensitive and confidential information on behalf of clients and act on transactions involving the transfer of significant funds. The SRA AML annual report also recognised this as an emerging risk, not only as an immediate risk of an attack on a firm’s IT systems but also the risk of an attack within the law firm’s supply chain, which could have serious consequences for a firm’s operations. One SRA example was that: “A recent cyber-attack affected users of a particular case management system which affected many firms’ ability to provide a normal service to clients.”

This is the time to review your cyber security position to understand whether there are any actions to take to either prevent successful attacks on IT infrastructure or, in the event that you do suffer a successful attack, to be in the best position to respond effectively, minimise any damage, and avoid the emerging risks flagged by the SRA.

7. Use of technology

Firms need to be aware of the use of technology, particularly artificial intelligence, and the potential risks relating to data privacy, client confidentiality and so on. Firms should consider what systems and processes they have in place to meet changing standards and protect against reputational risk. To date, there is no regulatory guidance or legislation, but there undoubtedly will be in the future and this should be on your firm’s radar.

8. Axiom Ince report and other firm failures

This is a huge topic for solicitors, and firms need to be aware of the potential ramifications resulting from the findings. The failure of the SRA to heed warnings, adequately assess risks associated with acquisitions, and its oversight of client accounts could have consequences for the profession. It may lead to increased regulatory obligations, inspections and interventions, and, as raised in the SRA consultation referred to above, a move away from client account to third-party managed accounts.

9. Culture and wellbeing

Last year, the SRA introduced paragraph 1.5 of the Code for Solicitors and paragraph 1.6 of the Code for Firms, requiring solicitors and firms to treat colleagues fairly and with respect, and to not bully, harass or discriminate unfairly against colleagues. A senior partner was struck off and ordered to pay almost £42k costs for such conduct. With the introduction of the Worker Protection (Amendment of Equality Act 2010) Act 2023, which imposes a duty on all employers to take reasonable steps to protect workers from sexual harassment by other workers or third parties (including clients), there is a clear overlap with the Code. All firms must ensure a risk assessment is carried out, review existing policies / draft any new policies to fill in the gaps and provide training.

10. Continuing competence

In its annual assessment of continuing competence, the SRA indicated an increase in reports in several areas, including family, and landlord and tenant law, and will be looking into if and how solicitors in these areas are maintaining their competence. It updated the continuing competence resources and included a requirement at the 2024 renewal that solicitors confirm they have an up-to-date understanding of the legal, ethical and regulatory obligations relevant to their role; have reflected on and addressed any identified learning and development needs; and are competent to perform their role. The SRA has also begun to ask solicitors to submit continuing competence records during investigations.

How Compli can help

The Compli solicitor regulatory and professional discipline team can provide expertise and advice on risk and compliance, anti-money laundering, disciplinary assistance and other regulatory advice. If we can help in any way, please get in touch at compli@weightmans.com