FCA AML Transition for Law Firms, Accountants and TCSPs

The FCA is replacing 23 professional body supervisors as the single AML supervisor for around 60,000 UK law firms, accountancy practices and trust and company service providers. The transition runs through 2027 and 2028. Most small firms are not yet ready.

What is changing

In October 2025, HM Treasury confirmed that the Financial Conduct Authority (FCA) will become the Single Professional Services Supervisor (SPSS) for anti-money laundering and counter-terrorist financing. This consolidates AML supervision currently carried out by 23 separate professional body supervisors - including the SRA, ICAEW, ACCA, ICAS, Law Society, IPA, CILEx, and CIOT - into a single, statutory supervisor.

Around 60,000 firms are in scope: UK legal service providers, accountancy service providers, and trust and company service providers (TCSPs). Firms already supervised by the FCA under FSMA remain so. HMRC will continue to supervise estate and letting agents, high-value dealers, and money service businesses.

Timeline

  • October 2025 - Government decision announced

  • December 2025 - HM Treasury consultation on FCA powers closed

  • Summer 2026 - King's Speech expected to announce the AML Supervision Bill

  • Autumn 2026 - Draft legislation setting out the FCA's expanded remit

  • Mid-2027 - Bill expected to receive Royal Assent

  • 2027–2028 - Transition phase: firms register with the FCA, fit-and-proper assessments commence, new AML Handbook published

  • 2029 - Full implementation across all in-scope firms

Why this matters now

HM Treasury's 2024–25 supervision report confirms that only 24% of accountancy firms and 29% of legal firms are fully compliant with the existing Money Laundering Regulations. 17% of accountancy firms and 26% of legal firms are explicitly non-compliant. Among the highest-risk legal firms, 28% are non-compliant.

The FCA's supervisory approach is materially different from the professional body supervisors that have historically overseen these sectors:

  • Data-intensive. Firms should expect periodic returns similar to the FCA's existing REP-CRIM filing, with regular reporting of risk, control, and incident data.

  • Effectiveness-focused. The FCA looks at whether controls operate in practice, not whether they are documented in a manual. Expect staff interviews, sample file reviews, and questions about how the MLRO actually signed off.

  • Greater senior management accountability. Personal responsibility for AML failings will be sharper under FCA supervision than under most current PBSs.

  • Higher penalty framework. FCA fines for AML failings have averaged £15 million per case in recent years across the wider supervised population - many multiples of the heaviest PBS-imposed penalties.

  • Professional enabler focus. The SPSS reforms sit alongside the Cross-System Professional Enablers Strategy. TCSP services, nominee director arrangements, and company formation work that have been treated as routine administration will be looked at much harder.

Where small firms are most exposed

From visits and inspection reports across the existing PBS regime, the most commonly identified compliance gaps in small firms are:

Business-Wide Risk Assessment (BWRA)

Regulation 18 of the Money Laundering Regulations 2017 requires every firm to maintain a written risk assessment covering five required factors: customers, geographic areas, products and services, transactions, and delivery channels. The assessment must be approved by senior management, reviewed regularly, and reference the UK National Risk Assessment and the firm's supervisor risk outlook. Most small firms have a templated BWRA that has never been meaningfully customised.

Proliferation Financing Risk Assessment

Regulation 18A, in force since 1 September 2022, requires every supervised firm to assess proliferation financing risk independently of money laundering and terrorist financing risk. The assessment may be a standalone document or a clearly identified section within the BWRA, but it must reference HM Treasury's national risk assessment on proliferation financing. This is one of the most commonly missed obligations in small firms - many have done nothing about it since the regulation came into force.

Regulation 21 Independent AML Audit

Reg 21 requires firms (where appropriate to size and nature) to establish an independent audit function that examines and evaluates the adequacy and effectiveness of AML policies, controls and procedures. The audit must be independent of the people who run compliance day-to-day. LSAG guidance expects this audit in all but micro-firms, typically every two years. A current Reg 21 audit is becoming the standard evidence piece firms will present to demonstrate FCA-readiness.

Material discrepancy reporting (Reg 30A)

Since 2017, firms have been required to report material discrepancies between their own beneficial ownership findings and the Companies House public register. Most small firms have never filed one despite holding hundreds of corporate clients with imperfect Companies House data. The FCA, coming in fresh, will look at filing rates per firm and find firms with zero filings against substantial corporate client bases.

Source of funds evidence

For high-risk relationships and property transactions, MLR 2017 requires source of funds evidence sufficient to demonstrate the legitimacy of client funds. A bank statement alone is generally not sufficient. The FCA standard is documentary evidence of the underlying source - sale proceeds, salary, inheritance, business income - corroborated by the bank trail. Conveyancing firms in particular are exposed here, as property transactions are the most acute ML pathway in the UK economy.

Ongoing monitoring

Reg 28(11) requires ongoing scrutiny of transactions and periodic refresh of client information throughout the business relationship. Most small firms perform CDD at onboarding and never refresh it. This is consistently the most common inspection finding across all PBSs.

Why Fundsure

  • Genuine FCA-side experience. Steve Middleton, founder of Fundsure, was Chief Administrative Officer of BNP Paribas Global Markets and is a current Non-Executive Director and Audit Committee Chair at a listed FCA-regulated stockbroker. The FCA's supervisory approach to professional services will draw heavily on its existing playbook for financial services firms - we know that playbook from the inside.

  • Existing professional services AML supervision. Fundsure is already HMRC AML supervised under XKML00000206994 and operates as an Authorised Corporate Service Provider. We have lived professional services AML supervision end to end.

  • Right-sized for small firms. The major compliance consultancies (Bovill, Mazars, FTI) serve enterprise clients. We are deliberately built for sole-practitioner and small-firm work - the segment most exposed to the supervisory transition and least served by the existing market.

  • APCC member. Fundsure is a member of the Association of Professional Compliance Consultants.

  • Consultancy approach. We provide expert review and drafting; the firm's MLRO retains the regulatory obligation.

Which firms are in scope

The Single Professional Services Supervisor regime will cover:

  • Legal Service Providers - solicitors, barristers, notaries, licensed conveyancers, and other legal practitioners providing services within scope of the MLRs (currently supervised by the SRA, Law Society, Council for Licensed Conveyancers, and others)

  • Accountancy Service Providers - accountants, tax advisers, bookkeepers, and insolvency practitioners (currently supervised by ICAEW, ACCA, ICAS, ATT, CIOT, CIMA, AAT, IPA, IFA, and others)

  • Trust or Company Service Providers (TCSPs) - company formation agents, registered office providers, nominee directors, and trust administrators (currently supervised by HMRC where not within a professional body supervisor)

Firms already supervised by the FCA under FSMA - including banks, investment firms, payment institutions, e-money institutions, and crypto-asset businesses - are not affected by this transition.

Frequently Asked Questions

When does the FCA actually take over AML supervision for my firm?

The legislation transferring AML supervision to the FCA is expected to be announced in the King's Speech in Summer 2026, with draft legislation in Autumn 2026 and Royal Assent expected mid-2027. The transition phase, during which firms will register with the FCA and undergo fit-and-proper assessments, runs through 2027 and 2028. Full implementation is expected in 2029. Your existing professional body supervisor (SRA, ICAEW, etc.) continues to supervise you in the interim.

Will my AML obligations under the Money Laundering Regulations change?

The underlying obligations under the Money Laundering Regulations 2017 remain in force throughout the transition. What changes is the supervisor, the supervisory approach, the data reporting requirements, and the penalty framework. The FCA is expected to take a more data-intensive, effectiveness-focused approach than most existing PBSs and to apply substantially higher penalties for breaches.

Does my firm still need to comply with its current professional body in other respects?

Yes. Professional body supervisors will continue to regulate your firm in all other respects - professional standards, accounts rules, conduct, education, and so on. Only AML/CTF supervision transfers to the FCA. You will be dual-regulated: your professional body for everything else, the FCA for AML.

My firm is small and we feel we are not at meaningful money laundering risk. Does this still apply?

Yes. Every firm within scope of the MLRs must have a written firm-wide risk assessment, written policies and procedures, training, customer due diligence, and ongoing monitoring — regardless of perceived risk level. The most common finding on inspection is that firms self-assessing as low risk have not done the underlying compliance work to evidence that conclusion. The FCA will not accept "we feel low risk" as a substitute for a properly written and reviewed risk assessment.

What is a Business-Wide Risk Assessment (BWRA)?

The Business-Wide Risk Assessment is the foundational AML document required under Regulation 18 of the Money Laundering Regulations 2017. It must be written, approved by senior management, and reviewed regularly. It assesses your firm's exposure to money laundering and terrorist financing risk across five required factors: your customers, the geographic areas you operate in, your products and services, your transactions, and your delivery channels. It must reference the UK National Risk Assessment and your supervisor's published risk outlook.

What is a proliferation financing risk assessment?

Regulation 18A of the MLRs, in force since 1 September 2022, requires every supervised firm to assess proliferation financing risk independently of money laundering and terrorist financing risk. Proliferation financing is the provision of funds or financial services in connection with the development, production, or transfer of chemical, biological, radiological or nuclear weapons in contravention of UK financial sanctions. The assessment can be a standalone document or a clearly identified section within the BWRA, but it must consider PF risk as an independent risk factor and reference HM Treasury's national risk assessment on proliferation financing.

What is a Regulation 21 independent AML audit?

Regulation 21 of the MLRs requires firms (where appropriate to size and nature) to establish an independent audit function that examines and evaluates the adequacy and effectiveness of AML policies, controls and procedures. The audit must be independent of the people who run compliance day-to-day. LSAG (Legal Sector Affinity Group) guidance expects this in all but micro-firms, typically every two years. A current Reg 21 audit is becoming the standard piece of evidence firms will present to demonstrate FCA-readiness.

What is Reg 30A discrepancy reporting?

Regulation 30A requires firms to report material discrepancies between the beneficial ownership information they identify during customer due diligence and the public Companies House register. This obligation has been in force since 2017 but has been very poorly observed across the regulated sector. We expect the FCA to scrutinise discrepancy filing rates per firm as a quick proxy for genuine engagement with beneficial ownership verification.

How is the FCA different from my current AML supervisor?

The FCA is a statutory regulator with substantially greater enforcement powers and resources than the professional body supervisors. Expect: data-intensive supervision with periodic returns; staff interviews and file sample testing at inspection; substantially larger fines for AML failings; greater personal accountability at senior manager level; and a focus on whether controls actually operate, not whether they are documented. The FCA's existing supervisory approach for FSMA-regulated firms is the best guide to what is coming.

Will my supervisory fees change?

Yes, almost certainly. The FCA operates a fee-based supervisory model. The exact fee structure for SPSS firms will be confirmed during the consultation phase, but you should plan for a different (likely higher) cost profile than your current professional body supervision fee.

What is the most useful thing my firm can do right now?

Two things: Firstly your BWRA and ensure it covers Regulation 18A proliferation financing. Secondly, commission an independent Reg 21 audit (where appropriate to size) so you have a current evidence piece on the shelf when the FCA arrives. The legislation isn't yet final, but the underlying MLR obligations have been in force since 2017 and will not change - investing in compliance now is investing in compliance you would have needed regardless.

My firm is a sole practitioner. Does this affect me?

Yes. Sole practitioners within scope of the MLRs are equally subject to the supervisory transition. The Regulation 21 internal controls exemption for sole practitioners with no employees remains, but the underlying obligations to maintain a BWRA, written policies and procedures, customer due diligence, ongoing monitoring, and source of funds evidence apply to sole practitioners on the same basis as larger firms.

My firm is a TCSP. What should I be paying particular attention to?

Trust and Company Service Providers are at the centre of the Government's "professional enablers" focus. Expect particular scrutiny of: who you accept instructions from, the underlying purpose of company formations and nominee arrangements, the geographic origin and beneficial ownership of corporate clients, and your documented risk procedures for each new instruction. Treating TCSP work as routine administration is the position the FCA will challenge hardest.

My firm is a conveyancing solicitor. What should I be paying particular attention to?

Conveyancing files are where the FCA will look hardest at source of funds evidence and ongoing monitoring. The SRA has been raising the bar publicly for years and the FCA will continue that trajectory. The evidence standard expected is documentary proof of the underlying source of funds - not just a bank statement - and a defensible audit trail showing how the partner reviewed and accepted the evidence. Pace of work is a structural risk: firms processing 50 to 100 transactions a month with one MLRO and no file sampling are particularly exposed.

Will the FCA inspect my firm in person?

The FCA's typical supervisory approach combines remote data analysis with onsite inspections of higher-risk firms. For smaller firms, expect more remote review and data-driven supervision than physical visits, particularly in the early years of the regime. Higher-risk firms (by sector, geography, or risk indicators) should expect more direct scrutiny, including onsite inspections, staff interviews, and file sampling.

What does an engagement with Fundsure look like in practice?

Most engagements begin with a free 30-minute conversation to understand your firm's position. If we proceed, the typical first engagement is an FCA-Readiness Review, which involves a structured questionnaire, a document review, and a written report with prioritised remediation actions. From there, firms commonly engage us to refresh the BWRA, rewrite policies and procedures, conduct a Reg 21 audit, and deliver bespoke training. Some firms then move onto an ongoing outsourced MLRO retainer. All work is delivered remotely unless an onsite review or audit specifically requires attendance.

Are you regulated yourselves?

Fundsure Limited is HMRC AML supervised under registration number XKML00000206994 and an Authorised Corporate Service Provider under Companies House registration AP003554. We are a member of the Association of Professional Compliance Consultants (APCC), Cyber Essentials certified, ICO registered (ZB012773), and a CPD UK accredited training provider. Our founder is a Senior Manager Function holder (MLRO) at a FCA-regulated firm.

Start the conversation

Email:support@fundsure.co.uk
Phone: +44 20 7898 8522
Address: 3rd Floor, 45 Albemarle Street, Mayfair, London W1S 4JL