The SRA’s 2025 AML and governance crackdown: fines top £565k across 35 firms
Back in February this year we analysed the SRA’s enforcement activity over the first two months. At that point, 16 firms had been fined for AML non-compliance, with total penalties of £61,715.
Skip to today and the picture has grown far more serious. The SRA has now issued 35 fines worth more than £565,000, covering everything from missing firm-wide risk assessments to inadequate AML policies, poor client risk assessments and repeated governance lapses.
While the individual fine amounts vary - from just £658 for smaller high-street firms to over £114,000 for systemic failings - the underlying causes remain remarkably consistent. The regulator’s message is clear: it is no longer enough to have policies and templates on file; firms must be able to evidence how those controls work in practice.
Why are firms being fined?
Recent decisions show a clear pattern: firms continue to fall short in the same core areas despite repeated warnings.
Missing or inadequate firm-wide risk assessments (70%)
Many firms still lack a meaningful firm-wide AML risk assessment (FWRA). The SRA expects every firm to have a documented and regularly reviewed FWRA that accurately reflects its size, services, clients and geography. Where none exists, or where it’s generic or outdated, the regulator views it as a major breach.
Defective AML policies, controls and procedures (67%)
Two-thirds of firms were fined for failing to establish or maintain compliant AML policies, controls and procedures (PCPs). In several cases, the SRA found template policies with no evidence they had ever been applied in practice.
Poor client and matter-level risk assessments (67%)
Client/matter risk assessments (CMRAs) remain a widespread weak spot. Many firms either didn’t complete them at all or used tick-box forms detached from actual client risk. Even firms with a strong FWRA often failed to cascade that framework down to individual files.
Training and governance weaknesses (20%)
A fifth of firms had inadequate AML training or unclear compliance oversight. The SRA expects firms to document all AML training and ensure that compliance officers, particularly Money Laundering Compliance Officers (MLCOs), maintain active oversight and reporting lines.
Source-of-funds and due-diligence gaps (17%)
CDD and source-of-funds (SoF) checks were missing or poorly evidenced on several conveyancing and private-client files. In some cases, firms had obtained ID but never verified where the money came from.
Notification and reporting breaches (11%)
A handful of fines stemmed from governance failures rather than direct AML breaches, particularly firms that failed to maintain COLP/COFA appointments or didn’t notify the SRA when compliance officers changed. While administrative, these breaches signal a weak compliance culture.
What this means for firms
The regulator’s expectations have shifted from existence to effectiveness. Policies and risk assessments are no longer enough unless they are embedded and evidenced in daily practice.
Firms should:
- Refresh and document FWRAs and CMRAs: Show clear linkage between firm-level and file-level risk.
- Review PCPs annually: Update controls to reflect current services and jurisdictions.
- Maintain AML training logs: Keep attendance and topic records for all staff.
- Record MLCO and COLP/COFA oversight: Demonstrate governance continuity.
- Remediate quickly: Address any audit or inspection findings within defined timeframes.
The SRA’s expectations have matured, not shifted
The 2025 enforcement data confirms that the SRA isn’t moving the goalposts - it’s holding firms to standards that have existed for years but are now being tested in full.
Every one of the 35 fines ties back to the same fundamentals: risk assessments that aren’t reviewed, policies that aren’t followed and training that isn’t evidenced.
Firms that treat AML as a one-off compliance exercise rather than a living, documented process are being caught out. The SRA’s inspection teams now expect to see a joined-up framework; one where risk assessment, policies, training and oversight all reinforce each other and can be demonstrated on demand.
The takeaway for firms isn’t that expectations have changed, but that enforcement has caught up. The Rules have always required substance; now the regulator is testing whether it exists in practice.
The firms avoiding fines in 2025 aren’t necessarily larger or better resourced - they’re the ones that can prove how AML decisions are made, recorded and reviewed.
AML audit prep playbook: How to spot and fix the 7 most common failures
For firms preparing for upcoming SRA inspections or independent audits, it’s worth going deeper than the numbers. Our partner series with Teal Compliance and Smale Consulting - AML audit prep playbook: How to spot and fix the 7 most common failures - breaks down the behavioural markers auditors focus on, from decision-making evidence to firm-wide risk alignment.
About First AML
First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.