
Why your AML programme isn't working (and what you should do about it)

Most law firms have an AML programme. Policies, procedures, annual training, and a nominated MLRO. The paperwork exists. But when you audit the files, something is off. Checks are missed, risk ratings are inconsistent, and policies that nobody reads are sitting in a folder nobody visits.

The programme looks complete on paper, but it isn’t working in practice.

This is not a niche problem. It is the dominant complaint from compliance professionals across the legal sector. At a recent event in Manchester, co-hosted with Amy Bell, founder of Teal Compliance and an AML expert with over 21 years in the field, we asked a room full of MLROs and compliance officers to name their biggest challenges. The answers fell into the same categories every time.

Here is what we heard, and what you can do about it.

The real problem is not a lack of policy

When asked about their biggest pain points, the word that dominated the MLRO feedback was "lack". Lack of staff, lack of resources, lack of support and lack of time.

But when we dug deeper, three problems sat underneath it all.

  1. People still don't do what you ask them to do, despite the time and money spent asking. This was the top answer by a wide margin.
  2. There is never enough time to manage the compliance role properly.
  3. It is hard to get a straight answer from the regulators on what you are actually required to do.

The third problem gets a lot of attention. Compliance officers spend significant energy trying to interpret 200-plus pages of Legal Sector Affinity Group (LSAG) guidance, cross-reference the regulations and make judgment calls without a clear playbook. That is genuinely hard. But it is not the core issue.

The core issue is that even where firms have clarity on what is required, and have designed a programme to meet it, the programme is not being followed. That is where compliance fails. 

Six cogs. All of them need to turn.

Amy frames the problem as a machine with six components. If any one of them stops working, the whole programme breaks down. 

As she put it, the gears interlock: you can invest heavily in five of them, but if the culture is not working, the programme will still fail.

Cog 1

Clarity 

Does your compliance team actually understand what is required? Not just the technical rules, but what good practice looks like, how to exercise judgment, and how to deploy risk appetite in real cases? The fundamentals of how to build and run a compliance programme are a separate body of knowledge, and most MLROs come into the role without formal training in it.

Cog 2

Capacity

How much does your compliance function actually cost, and is it resourced correctly? Not just headcount, but whether the right people are doing the right jobs. A simple calculation of file volumes multiplied by average handling time will almost always underestimate what is needed. It does not account for seasonal variation, remediation work, or the time cost of escalating and resolving edge cases.

Cog 3

Communication

Are your policies actually communicating what you want people to do, when to do it and how? Training that does not change behaviour is not training. It is a tick-box exercise that gives people another reason to resent the compliance function.

Cog 4

Commitment

Have people actually agreed to comply? There is a difference between distributing a policy and extracting a commitment. Lawyers, specifically, are much more likely to honour an explicit promise than to follow a general instruction. Following up training with a clear statement of expectations is not bureaucratic. It is effective.

Cog 5

Consistency

Are there controls in place to check whether compliance is actually happening? Most firms do file reviews. Fewer firms do root cause analysis when the reviews surface problems. Even fewer firms have the capacity set aside to fix what the reviews find. Identifying a problem and fixing it are two different things. Both need to be resourced. 

Cog 6

Culture

This is the biggest gear and the one most often treated as optional. Culture is not a values exercise. It is the sum of what leadership tolerates, rewards and ignores. If partners treat compliance as an administrative inconvenience, that view will spread. If the biggest biller is routinely excluded from disciplinary conversations about non-compliance, the programme will not hold.


The approach

Groundwork: start by finding out what is actually happening

Before you redesign anything, you need an honest picture of where you are.

That means good quality training for the people running the programme, not just technical updates on new regulations, but training on how to do the job from first principles. It means understanding your firm's actual risk appetite and making sure that is documented, communicated and matched to the people being asked to implement it. And it means an audit that identifies genuine gaps rather than one that catalogues options and leaves the firm to choose.

A well-run audit tells you what the law requires and whether your firm's approach meets that requirement. It does not list every possible way you could do something differently. That distinction matters. An audit that adds "nice to haves" creates risk. If a regulator asks why you have not implemented one of them, you have a problem that the audit itself created.

Design: the plan you made three MLROs ago may not fit the firm you have now

Most firms drew up their AML processes at some point in the past, with the staff, software and caseload they had at the time. The firm has changed. The processes may not have kept up.

It is worth doing a proper time-and-motion study of what is actually happening, particularly if there are bottlenecks, frustrations, or patterns of non-compliance. Root cause analysis is not a luxury. When something goes wrong, "human error" is not a root cause. It is a category.

The actual cause is almost always one of three things:

  • lack of supervision
  • lack of time and resources, or
  • lack of expertise.

Identifying which one means you can fix it.

Delivery: policies that tell people what to do + training that changes how they do it

Policies

Policies need to be long enough to cover every decision point. They do not need to reproduce the legislation. Most people reading a policy already know the regulatory context. 

What people need is a clear process: 

  • what to do
  • in what order
  • when to escalate and
  • who to ask if they are not sure.

Training

A "key facts front sheet", covering the 20% of information that applies to 80% of situations, is more useful than expecting busy lawyers to read 70 pages before opening a file.

Training that does not stick is worse than no training. It creates the illusion of coverage while leaving behaviour unchanged. The most effective training is targeted: fed by file review outputs, focused on what specific people are actually getting wrong, and followed up with a clear statement of what is expected. Asking someone to confirm they understand what is required of them is not onerous. It is the step most firms skip.

Monitoring: data is not optional

You cannot hold a conversation about non-compliance without data. You cannot challenge a pattern of behaviour on the basis of a feeling. Three documented instances of the same issue are much harder to dismiss than a general concern.

The monitoring loop matters: 

  1. take steps
  2. detect breaches 
  3. record and report them 
  4. analyse the pattern
  5. take steps again

Most firms do the first two. The analysis step, which is where the learning happens, often gets dropped because there is no capacity allocated to it.

This is where the sector is heading. The FCA, which supervises financial services firms and is likely to take on oversight of the legal sector, expects regulated firms to demonstrate not just that controls exist but that they are working. The SRA currently looks at whether things were done. The FCA asks whether they were effective. That is a higher bar and it requires data.

Technology: from static to systematic

Jonny Coleman, First AML's UK Country Manager, framed the technology opportunity directly:

"Most compliance failures aren't caused by firms not knowing what to do. The knowledge exists in policies, in experienced staff, in the risk frameworks already written down. The problem is that it doesn't reliably reach the right person at the right moment. Technology's role is to close that gap."

Three problems come up repeatedly.

  1. Wrong risk ratings being applied.
  2. Screening hits being evaluated in isolation.
  3. PCPs not being followed.

Wrong risk ratings being applied

When risk assessment relies on individual judgment, you get inconsistency. Digitising your firm's risk matrix, with jurisdiction scores, entity type weightings and automated thresholds, removes that variability. The system applies your risk appetite the same way every time, so MLROs review exceptions rather than processing every case from scratch.
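To make the digitised-matrix idea concrete, here is an added example of the mechanism, written for this article and not taken from First AML's platform or any firm's actual matrix. Every jurisdiction score, entity weighting, uplift and threshold is a constructed placeholder; a firm would derive its own from its documented risk appetite. It goes one step beyond the paragraph by showing the exception path: a jurisdiction or entity type the matrix does not know is never guessed at by the fee earner but lands in the MLRO's queue alongside the high-risk matters.

```python
from dataclasses import dataclass
from typing import List, Tuple

# All tables and thresholds below are constructed for illustration (hypothetical).
# A firm would derive its own from its documented risk appetite.
JURISDICTION_SCORE = {"GB": 1, "IE": 1, "AE": 3}   # ISO country code -> risk points
ENTITY_WEIGHT = {"individual": 1.0, "private_company": 1.5, "trust": 2.0, "nominee": 3.0}
UNKNOWN_SCORE = 5          # used when a jurisdiction is not in the matrix
PEP_UPLIFT = 10            # large enough that a PEP always lands in the enhanced band
INDICATOR_UPLIFT = 2       # per additional red flag recorded during CDD
LOW_MAX = 3.0              # score <  LOW_MAX  -> low risk, simplified CDD
HIGH_MIN = 6.0             # score >= HIGH_MIN -> high risk, enhanced CDD


@dataclass(frozen=True)
class Matter:
    client_ref: str
    jurisdiction: str
    entity_type: str
    pep: bool = False
    red_flags: int = 0     # e.g. unclear source of funds, third-party funding


@dataclass(frozen=True)
class Assessment:
    client_ref: str
    score: float
    rating: str            # "low" | "medium" | "high"
    cdd_level: str         # "simplified" | "standard" | "enhanced"
    mlro_review: bool      # True only for exceptions the MLRO must look at
    reasons: Tuple[str, ...]


def assess(m: Matter) -> Assessment:
    """Apply the matrix deterministically: the same inputs always give the same rating."""
    reasons: List[str] = []
    exception = False

    j = JURISDICTION_SCORE.get(m.jurisdiction.upper())
    if j is None:
        # Not in the matrix: do not let the fee earner guess; route it to the MLRO.
        j, exception = UNKNOWN_SCORE, True
        reasons.append(f"jurisdiction {m.jurisdiction!r} not in matrix")

    w = ENTITY_WEIGHT.get(m.entity_type)
    if w is None:
        # Unknown entity type: assume the heaviest weighting and flag it for review.
        w, exception = max(ENTITY_WEIGHT.values()), True
        reasons.append(f"entity type {m.entity_type!r} not in matrix")

    score = j * w
    if m.pep:
        score += PEP_UPLIFT
        reasons.append("politically exposed person")
    if m.red_flags:
        score += m.red_flags * INDICATOR_UPLIFT
        reasons.append(f"{m.red_flags} red flag(s) recorded")

    if score < LOW_MAX:
        rating, cdd = "low", "simplified"
    elif score < HIGH_MIN:
        rating, cdd = "medium", "standard"
    else:
        rating, cdd = "high", "enhanced"

    # The MLRO sees high-risk matters and anything the matrix could not rate,
    # rather than every file that opens.
    return Assessment(m.client_ref, score, rating, cdd, rating == "high" or exception, tuple(reasons))


def mlro_queue(matters: List[Matter]) -> List[str]:
    """Client refs that need MLRO attention, in the order they were received."""
    return [a.client_ref for a in map(assess, matters) if a.mlro_review]


if __name__ == "__main__":
    sample = [  # constructed sample matters, not real clients
        Matter("C001", "GB", "individual"),
        Matter("C002", "AE", "private_company"),
        Matter("C003", "GB", "trust", pep=True),
        Matter("C004", "ZZ", "individual"),
        Matter("C005", "IE", "nominee", red_flags=2),
    ]
    for a in map(assess, sample):
        print(a)
    print("MLRO queue:", mlro_queue(sample))
```

The point of the design is the last function: of five matters, only three reach the MLRO, and two of those are there because the matrix has a rule for them (PEP, red flags), not because someone had to form a view. The unknown-jurisdiction case is the one a purely manual process most often gets wrong, so it is treated as an exception rather than silently scored.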

Screening hits being evaluated in isolation

Many firms do not have visibility across how screening checks are being handled by matter teams. A technology platform that surfaces hits before they are marked as true matches or false positives gives the compliance function oversight without requiring them to review every case personally. Engaging compliance-aware fee earners as a second pair of eyes is one approach that works in practice.

PCPs not being followed

Policies, controls and procedures sitting in a file somewhere and a hope that they get read is not a compliance framework. It is optimism. Technology that surfaces the relevant procedure at the point of need, based on the specific situation (entity type, jurisdiction, CDD level), changes the dynamic. One client described it as “having a compliance expert on their shoulder”. The process becomes part of the workflow rather than an obstacle to it.

The shift is from static to systematic. Risk scoring applied automatically. Full visibility across how screening hits are managed. Policies, controls and procedures surfaced situationally, in real time.

The conversation nobody is having

The hardest part of all of this is culture. Not because it is conceptually difficult, but because it requires people to have honest conversations that many firms would prefer to avoid.

If the management team does not visibly prioritise compliance, the compliance team cannot hold the line on their own. If non-compliance has no consequences, the policies are aspirational at best. If support staff do not feel they can raise concerns, the people closest to the day-to-day process are silenced.

Building a compliance culture means being honest about what is actually happening, even when it is uncomfortable. Asking for an audit, reviewing the results without defensiveness and treating the findings as a starting point rather than a threat.

The legal sector has had over 23 years with the AML regime. Firms know the regime exists. Many have invested in meeting it. The ones where it is genuinely working have made culture the foundation, not the footnote.


About First AML

First AML brings the perspective of both a technology provider and a team of compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face today as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. First AML stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.

Keen to find out more? Book a demo today!
