Beyond the fine - Should AML penalties trigger professional conduct investigations of MLROs and COLPs

The Solicitors Regulation Authority (SRA) has been issuing a steady stream of anti-money laundering (AML) fines against law firms that cannot evidence baseline compliance with the Money Laundering Regulations 2017 (MLRs 2017). In a single three-month period reported on 1 December 2025, the SRA levied £550,000 in fines across 46 firms, with the proceeds payable to HM Treasury.

That enforcement activity raises a more difficult question for the profession. When a firm is fined for AML breaches, should that routinely (or automatically) trigger a professional conduct investigation, particularly of the MLRO and COLP? In my view, the answer should be “often, yes—but not automatically”. The right model is a structured escalation framework that links type, duration, and governance context of AML failures to individual accountability decisions.

The pattern: fines for “basic rules” and the structural cap problem

The recent fine data is notable not merely for the volume of enforcement but for the recurring themes. The common failures include:

• no (or inadequate) firm-wide risk assessment;
• no (or inadequate) policies, controls and procedures to manage ML/TF risk; and
• failure to complete client and matter risk assessments (CMRAs).

The SRA also described how it reduced some calculated fines to £25,000, the maximum it could impose on traditional law firms at the time, so it did not need to refer matters to the Solicitors Disciplinary Tribunal (SDT). 

This is not a technicality; it shapes behaviour. If the regulator’s most practical lever is a firm-level financial penalty (often capped), the system risks drifting toward “pay the fine and move on” outcomes, especially where root causes sit in leadership, governance, and compliance ownership.

The contrast with alternative business structures (ABSs) is instructive.  For example, CGM Hampshire (an ABS) was fined £31,045 and criticised for failing to have a firm-wide risk assessment in place for seven years. Where failures persist over multi-year periods, it becomes difficult to characterise them as isolated operational mistakes.

Why this is not just “AML compliance”, it is governance

In practice, the “basic rules” failures the SRA has been fining are not primarily fee-earner errors. They are typically control failures. No risk assessment, no workable control framework, inconsistent file-level risk assessment, and inadequate monitoring.

That is precisely the terrain where COLP and MLRO responsibilities become central.

• The COLP function is designed to provide assurance that the firm has effective systems and controls to comply with its regulatory obligations and to remediate issues when they arise.

• The MLRO role is not merely a reporting postbox; it is (in competent operating models) a key node in oversight, risk appetite, escalation, training, and quality assurance, particularly in high-risk areas such as conveyancing.

Where a firm is fined because it cannot evidence foundational MLR 2017 controls, a serious question follows. How did governance allow that gap to exist, persist, and remain undetected (or unremedied)? At that point, it becomes legitimate to assess whether the failure reflects individual conduct issues (competence, neglect, willful blindness, or failure to act) rather than solely a corporate shortcoming.

The SDT decisions that exposed an accountability gap

The debate about whether breaches of anti-money laundering obligations should result in professional conduct consequences is not an abstract or academic one. It has played out in very real terms before the Solicitors Disciplinary Tribunal and the courts, with outcomes that expose a growing disconnect between breaches of AML law and findings of professional misconduct. Two recent enforcement pathways in particular, Dentons and Sa’id, illustrate how that misalignment arises and why reliance on firm-level fines alone may be insufficient to ensure accountability, particularly for those charged with governance and oversight.

Dentons: an established AML breach, but no immediate route to sanction

In SRA v Dentons UK and Middle East LLP, the Solicitors Disciplinary Tribunal heard the matter over several days in March 2024. The Tribunal accepted, as a matter of fact, that Dentons had breached Regulation 14 of the Money Laundering Regulations 2007 by failing to carry out adequate source-of-funds and source-of-wealth checks in a high-risk context. The factual shortcomings in the firm’s AML due diligence were not seriously in dispute.

However, the case ultimately turned not on whether the Money Laundering Regulations had been breached, but on whether that breach had been properly framed as a breach of the SRA’s Principles or Code of Conduct. The Tribunal concluded that, as pleaded, the failures did not meet the threshold for professional misconduct. As a result, it held that it had no jurisdiction to impose a sanction, notwithstanding the fact that an AML breach had been established. In other words, the Tribunal accepted that unlawful conduct had occurred, but considered itself unable to act because the regulatory gateway to sanction, a breach of professional rules, had not been crossed.

On appeal, the High Court allowed the SRA’s challenge and remitted the matter to a differently constituted Tribunal. The court’s decision underscored the seriousness of the issues at stake and confirmed that the relationship between AML obligations and professional standards is not merely procedural but goes to the heart of effective enforcement.

From the perspective of MLRO and COLP accountability, the Dentons case is significant because it exposes the risk of an “enforcement gap”. Where AML breaches are treated as legally distinct from professional standards unless very carefully pleaded and proved, firms and the individuals responsible for oversight – may avoid meaningful consequences even when serious compliance failures are established on the facts. That gap weakens deterrence and blurs responsibility for governance failures that sit squarely within the MLRO and COLP remit.

Sa’id: acknowledged failures, but characterised as professional judgment

A similar tension is evident in the case concerning George Fahim Sa’id (George Fahim Sa’id (SDT Case No. 12461-2023), a sole practitioner. In that matter, the Tribunal accepted that there had been failures in the firm’s AML processes, including a failure to identify politically exposed person (PEP) status and to apply enhanced due diligence in circumstances that were plainly high risk. The practitioner accepted that the system had not operated as it should.

Nevertheless, the Tribunal dismissed the allegations of professional misconduct. It treated the failings as falling within the scope of professional judgment in a risk-based AML regime, rather than as conduct sufficiently serious or culpable to justify disciplinary sanction. The existence of an AML system, albeit one that failed in the particular cases under scrutiny, weighed heavily in the Tribunal’s reasoning.

The importance of Sa’id lies in the signal it sends about how tribunals may approach AML shortcomings. Where failures are framed as errors of judgment within an otherwise functioning system, they may be insulated from professional consequences unless the regulator can demonstrate a high degree of seriousness, recklessness or culpability. This approach risks normalising significant AML lapses as unfortunate but tolerable outcomes of a risk-based framework.

The wider implication: AML law without professional consequence

Taken together, Dentons and Sa’id demonstrate how law firms and individual lawyers can breach AML obligations, sometimes in high-risk contexts, without necessarily facing professional discipline. For MLROs and COLPs, this creates an uncomfortable reality. These roles are expressly designed to ensure that AML systems are effective, that risks are properly identified and escalated, and that failures are addressed before they become systemic. Yet tribunal reasoning that focuses narrowly on professional misconduct thresholds can leave governance failures largely untouched.

This misalignment matters because AML compliance in legal practice is not simply a technical regulatory requirement. It is integral to public trust, professional integrity and the ethical standing of the profession. If breaches of AML law do not reliably translate into professional accountability, particularly where oversight and governance have failed, the deterrent effect of enforcement is weakened and the risk of repeat failures increases.

The Dentons and Sa’id pathways therefore reinforce the case for a more explicit and structured link between AML breaches and professional conduct scrutiny. Without that link, firm-level fines risk becoming the outer limit of accountability, leaving unanswered questions about individual responsibility in precisely the roles designed to prevent such failures.

The case for escalating to professional conduct investigations (especially MLRO/COLP)

A professional conduct investigation should not be viewed as “double punishment.” It serves different objectives from a firm-level fine:

Deterrence and personal accountability

If foundational AML controls are missing or ineffective over long periods, a firm-level fine can become a cost of doing business. Individual accountability changes incentives, particularly for governance roles.

Public trust and the ethics dimension

The profession’s licence to operate relies on more than technical compliance. High-risk work, especially property, has repeatedly been identified as vulnerable to illicit finance. The tribunal narratives show how reputational comfort and familiarity can blunt vigilance; regulators must be able to demonstrate credible consequences when that occurs.

Role clarity and operational discipline

Where the SRA identifies failures like “no FWRA, no PCP framework, no CMRAs,” it is inherently relevant to ask whether the COLP/MLRO discharged their oversight duties with appropriate competence and urgency.

System learning

Conduct investigations can produce granular findings about how risk decisions were made, how escalations were handled, and how governance failed, learning that is often lost when outcomes are limited to a financial settlement.

The case against automatic escalation

There are also compelling reasons not to make conduct investigations automatic whenever an AML fine is issued:

• Fairness and causation: a newly appointed MLRO/COLP may inherit a poor framework and be actively remediating it.

• Chilling effect: if every firm-level systems failure triggers individual jeopardy, fewer capable people may accept MLRO/COLP roles, ironically weakening compliance.

• Scapegoating risk: poor AML outcomes are often driven by partner-led risk appetite, resourcing choices, and business pressure. A model that reflexively targets MLRO/COLP can misallocate responsibility.

• Regulatory efficiency: automatic dual-track investigations would be slow and resource-intensive, reducing overall enforcement coverage.

The better answer is a triaged escalation policy.

A proportionate escalation model: when should MLRO/COLP conduct be investigated?

A practical decision framework would treat the firm-level AML outcome as a trigger for review, not a presumption of misconduct. Escalation to conduct investigation should be strongly considered where one or more of the following applies:

• Missing FWRA/PCPs over extended periods (measured in years, not months), or repeated failures after prior remediation plans.

Governance red flags

• Evidence that risk concerns were raised internally but not acted upon.
• Inadequate resourcing, training, or supervision despite known risk profile (for example, heavy conveyancing exposure).

Risk intensity

• High-risk factors (PEPs, high-risk jurisdictions, complex ownership, unusual valuations, third-party funding) where EDD/SoW/SoF failures are present.

The Charles Douglas outcome is a useful example of risk intensity. The SRA’s regulatory settlement agreement (agreement date 12 November 2025) recorded that the firm acted for a non-domestic PEP across 194 matters (June 2021–February 2024) and could not evidence adequate SoF measures for remitters representing less than 1% of funds received, in a context where total receipts exceeded £10m. A scenario like this should routinely prompt a governance-focused review of MLRO/COLP oversight, even if the ultimate conclusion is “no individual misconduct.”

Competence and capability indicators

• Compliance documentation that is formulaic, inconsistent, or clearly not used in decision-making.
• CMRAs completed retrospectively or not at all.
• Policies that exist on paper but are not operationalised (no QA, no file testing, no metrics).

Integrity and candor issues

• Any misleading statements to the regulator, suppression of internal audit findings, or backfilling documents post-event should almost always lead to individual scrutiny.

The moving landscape: the SRA’s fining regime is changing, but the conduct question remains

The Economic Crime and Corporate Transparency Act 2023 received Royal Assent on 26 October 2023. The SRA has stated that, from March 2024, ECCTA removed the cap on its fining powers in relation to certain breaches involving economic crime.

Even with higher firm-level fines, the central issue persists, money alone does not allocate responsibility inside a firm. If the profession wants credible assurance that AML is a lived discipline rather than a compliance veneer, the framework must be capable of identifying when failures are governance and conduct problems—not merely “systems that need improving.”

Practical implications for MLROs and COLPs

If you hold (or support) these roles, the trend line is clear, expect more scrutiny of how your framework operates in practice, not merely whether it exists.

Priorities that repeatedly differentiate defensible governance from “paper compliance” include:

• demonstrable FWRA ownership, review cadence, and change control;
• file-level risk assessment discipline (CMRAs) with QA sampling and feedback loops;
• documented escalation criteria for PEPs, third-party funding, complex structures, unusual valuations, and adverse media;
• resourcing and training evidence aligned to the firm’s risk profile (especially conveyancing);
• clear audit trails showing MLRO/COLP challenge, decisions, and remediation tracking.

Fines should trigger a governance review—sometimes ending in conduct action

Firms fined for AML breaches should not automatically face professional conduct proceedings. However, it should be unusual for significant AML systems failures to result in no structured assessment of MLRO/COLP effectiveness and accountability, particularly where the failings are prolonged, repeated, or concentrated in high-risk work.

The Dentons and Sa’id litigation pathways show why this matters. Tribunal reasoning can, in some circumstances, leave AML breaches without professional consequences unless the regulatory case is framed and proved in the right way, and unless the regulator can link failures to the profession’s standards with sufficient clarity. 

The policy solution is straightforward. A formalised escalation framework that makes individual investigations probable in high-risk governance failures, while protecting against unfair automatic blame. That approach best serves the public interest, strengthens compliance culture, and supports competent MLROs and COLPs who want clarity about what “good” looks like when enforcement arrives.