A conversation with Mike Ross, Head of Risk and Compliance at Anderson Strathern, and Luke Haddon, Money Laundering Reporting Officer at Keystone Law.
Compliance in the legal sector should be getting easier. The tools are better, the guidance is clearer, and awareness of financial crime has never been higher. And yet, for many firms, it feels like it’s getting harder. We sat down with two of the UK’s leading legal compliance experts to discuss why that is.
An evolving compliance landscape for law firms
The shift for anyone working with law firm has been dramatic. Since the Money Laundering Regulations changed in 2017, the legal profession has been navigating a significant expansion in what’s expected of them. Not just in anti-money laundering compliance, but across financial crime prevention more broadly.
Financial crime, fraud and money laundering, despite stricter regulation, greater technological assistance and increased public awareness is still increasing in veracity and velocity. Law firms are under increasing pressure to help solve this problem while also trying to keep up with client expectations on faster transactions, convenient onboarding and clearer communication.
Regulatory pressure has driven improvements in areas like firm-wide risk assessments and ID verification, but has it also reinforced a checkbox approach to compliance?
Beyond ID Checks: The Bigger KYC Picture
One of the most common misconceptions in the sector, according to Luke Haddon, MLRO at Keystone Law, is that compliance is primarily about identity verification. In reality, ID checks are just the starting point.
“IDV is the easy part in the wider aspect. Technology can help in this regard, no doubt, but it’s the wider KYC piece that matters,” he says. “That is reliant on asking the right questions, developing the right profile, and understanding: is this normal?”
For anyone going to purchase a house, setting up a new business or family trust, the onboarding process looks very different from what it did a decade ago. The volume of questions, the depth of verification, and the evidence required have all increased significantly and for good reason.
“You should expect to be asked quite a number of questions at the outset,” says Mike Ross, Head of Risk and Compliance at Anderson Strathern. “Around whom you are, what you do, where your money comes from. And it’s a case of ‘show me’, don’t ‘tell me’. You’re going to tell me these things, but after that, I’m going to ask for evidence to back up what you’re telling us.”
This is where culture becomes as important as process. MLROs can only build a complete picture of risk if fee earners are flagging concerns and sharing what they know. “We can only report and develop the wider anti-financial crime profile of a firm if we know what’s going on,” Haddon says. “And that’s culture driven. That’s people speaking to compliance when they should be speaking to compliance.”
Customers have come to expect that they will need to prove who they are and what they do. What they don’t expect is for that process to be slow and laborious.
The gap between policy and practice
A recurring theme in firms of all sizes is the disconnect between what’s written in compliance policies and what actually happens on the ground. Ross is direct about this: “Quite often I’ll see firms where they have very long, very protracted policies and procedures, but what they actually do is nothing like what they’ve got written down on paper.”
His advice is pragmatic: start with what you can actually achieve, not just what you think the regulator expects. “Even though you might not get to exactly that gold standard touted on LinkedIn, at least you’re having a better chance of getting to something that’s actually workable for you.”
The regulations, both experts point out, allow for more flexibility than many firms realise. Firms don’t have to push every client through a one-size-fits-all process. They can and should adapt their approach based on the risk profile in front of them.
Large firms vs small firms: A tale of two realities
That distinction is very important when it comes to the different challenges large and small firms face when it comes to compliance. The compliance challenge looks very different depending on the size of the firm. Larger organisations have the resources to build centralised compliance teams that act as a gatekeeper, ensuring consistency across dozens of fee earners and practice areas. Anderson Strathern, for example, has a team of seven dedicated to AML compliance, onboarding, and conflict checking.
“I would argue it’s easier for a much larger firm,” says Ross, “because you get to a size where the only way you can control this is by having a central hub.”
But for smaller firms, that luxury doesn’t exist. They’re balancing compliance obligations against the commercial reality of keeping the lights on. Haddon believes the answer lies in practical, targeted training not just covering the mandatory points, but equipping people to apply judgment in real situations and that start’s with your Firm Wide Risk Assessment.
“Most importantly, introduce the idea that the regulations allow for flexibility, he says. You can adapt what ID verification you get or what source of funds evidence you gather based on the client in front of you. By giving people that flexibility, you’re more likely to have them do it right.”
The “I’ve known them for 20 years” problem
One of the most persistent challenges in legal compliance is the long-standing client relationship where a senior partner has acted for someone for decades and sees formal verification as unnecessary, sometimes even insulting.
Both Ross and Haddon agree the sentiment is understandable, but the approach needs to evolve. “There is absolutely a place for ‘I’ve known this person for 20 years,'” says Ross, “but it needs to be formalised. Tell me what you’ve gathered over those 20 years about that person, because so much knowledge resides in solicitors’ heads from the relationships they have.”
The key principle: if it isn’t written down, it didn’t happen. That knowledge needs to be documented, formalised, and placed on file, not just held in someone’s memory.
Haddon adds that client expectations have largely shifted too. “Clients understand that we live in a compliance landscape today. Your client is probably going to say, ‘Okay, they have to do this.’ The bigger challenge is changing the mindset within the lawyer pool.”
Managing the pressure to complete
For most law firms, the commercial pressure; to keep the lights running, as Mike puts it, is real. Clients want deals done quickly, and fee earners feel that pressure acutely, especially within the conveyancing sector. So how do compliance professionals manage that tension?
Managing expectations early is essential, say both Ross and Haddon. Being transparent with clients and fee earners about what the process involves and why. Haddon references a psychological study from the 1980s called “the power of the cause” to make the point: “Whatever you ask someone to do; you have to tell them why. Bring your client on that journey with you.”
Ross is careful to distinguish between pressure and sacrifice: “People come to you at pressure points and say, ‘What can we do differently?’ But I don’t think in this day and age people are genuinely wanting to sacrifice compliance. The pressure pushes people to want to do it differently, not to not do it.”
Technology, both agree, is increasingly part of the answer. Helping to triage the more time-consuming aspects of onboarding and compliance, reviewing documents automatically, and reducing the burden on fee earners so they can focus on the work clients are actually paying for helps relieve this pressure, and speed up transactions.
So, how compliant is the UK Legal sector?
When asked to score the UK legal sector’s compliance on a scale of one to ten, the two experts give different but revealing answers.
Haddon puts it at around eight. “People genuinely want to do the right thing. If you get your culture right, people will speak up at the right time. Where it comes down a little is around smaller firms fighting commercial pressures — that’s where criminals are probably exploiting the sector hardest.” His concern is that regulators coming down hard on smaller firms may be doing more damage than supporting them to raise standards.
Ross is more cautious, settling on five and a half to six. “If ten out of ten is absolute perfection, then five and a half, six for me means most of the time we’re doing it right. It might be a bit scrappy, we might break some eggs but, on the whole, are we safe? Are we compliant? Yeah.” The sector, in his view, is still getting to grips with the new landscape, but is motivated and moving in the right direction.
Both assessments point to the same conclusion: the legal sector’s compliance story is one of genuine effort hampered by resource constraints, cultural inertia, and the inherent complexity of applying rules flexibly in a commercial environment. The firms doing it well aren’t necessarily the ones with the longest policies. They’re the ones that have built a culture where people understand why compliance matters and feel empowered to act on it.
As Haddon puts it: “Ostriches don’t work in compliance. Things only get worse when you stick your head in the sand. Speak early. Train your people to do that as well.”
