SRA AML Data Collection 2026: What law firms need to do before the deadline

As we reported last month, the SRA’s AML and sanctions data collection form opens on 29 June 2026 – only two weeks away – and returns are required during July.

Key takeaways:

  • Completion is a regulatory requirement for all SRA-regulated firms, including those that do no AML-scope work
  • The sanctions section is mandatory for every firm, regardless of practice area
  • The SRA has published a specimen questionnaire and is urging firms to review it now
  • Gaps identified through the return may trigger closer SRA scrutiny – make sure your framework is in order before you submit

What is the SRA AML data collection exercise?

Every year, the SRA requires all regulated law firms in England and Wales to complete an AML and sanctions data collection questionnaire. The exercise gives the SRA the information it needs to take a risk-based approach to supervising the legal sector – identifying which firms and practice areas present the highest risk, and where to focus its resources.

The 2026 exercise opens on 29 June and returns must be submitted during July. The SRA will contact compliance officers directly with access details. You will need a mySRA login and a six-digit two-factor authentication code, so if your COLP or MLCO hasn’t used mySRA with two-factor authentication before, set that up now – don’t leave it until the form opens.

Does every law firm have to complete the SRA AML return?

Yes.

Completion is a regulatory requirement for all SRA-regulated firms, regardless of whether your work falls within the scope of the Money Laundering Regulations 2017 or involves the UK sanctions regime. If neither applies to your practice, you submit a nil return. Failure to complete the form may result in enforcement action.

This catches some firms off guard. I’ve spoken to partners at smaller practices who assumed the return wasn’t relevant to them because they don’t handle the types of transactions typically associated with money laundering risk. The obligation to respond applies universally – what differs is how much of the questionnaire you are required to complete.

What does the SRA AML questionnaire cover?

The questionnaire is structured around three opening questions that determine which subsequent sections apply to your firm. The main areas are:

AML compliance:  if your firm carries out work within the scope of the MLR 2017 (including buying and selling property or businesses, managing client money, and related activities), you will be asked about your firm-wide risk assessment, AML policies, controls and procedures, client matter risk assessments, due diligence processes, and suspicious activity reports submitted to the National Crime Agency in the last 12 months.

Trust and company service provision: firms that provide trust or company services face additional questions on their controls in this area.

Sanctions:  this section is mandatory for all firms, regardless of how you answer the opening questions. The SRA has made sanctions compliance a regulatory priority, and the questions are designed to test whether your firm has properly assessed its exposure to the sanctions regime and documented its approach.

The SRA has published a specimen questionnaire on its website in both PDF and Word document formats – both downloadable directly from the SRA’s AML and sanctions data requirements page. We strongly recommend that you review it now – before the form opens..

What should law firms do to prepare for the AML data return?

The SRA has explicitly encouraged firms to begin reviewing the specimen questionnaire now, and to consider four specific questions:

  1. Does the firm capture the required data?
    The return asks for figures – numbers of SARs submitted, proportions of work in different risk categories, details of your client and matter risk assessment process. If your practice management system doesn’t record this information in a way that’s easy to retrieve, now is the time to work out how you will pull it together. This will also be useful preparation for the transition to FCA oversight as they are likely to require a lot more data from law firms.

  2. Are AML records sufficiently accessible and accurate?
    This isn’t just about having records – it’s about being able to find them quickly and being confident they are complete. Firms that have been carrying out client and matter risk assessments inconsistently, or whose file records are patchy, may find this question uncomfortable.

  3. Has sanctions exposure been appropriately assessed and documented?
    Sanctions compliance remains an area of significant regulatory focus. If your firm hasn’t fully integrated sanctions screening into its AML procedures, or if your documentation of sanctions checks is incomplete, this is the area that most urgently needs attention before you submit.

  4. Does the firm’s AML framework remain fit for purpose?
    This is the question that should prompt the deepest reflection. It isn’t asking whether you have a framework – it’s asking whether it still works in your operating environment and your risk exposure. In my experience of carrying out Regulation 21 audits across firms of all sizes, the most common finding isn’t an absence of documents. It’s documents that were put in place several years ago and haven’t been meaningfully reviewed since. The risk landscape changes. Your framework needs to change with it.

What happens if a law firm’s AML return reveals gaps?

The data return feeds directly into the SRA’s risk-based supervision model. Firms whose returns indicate weaknesses – gaps in their AML framework, inconsistent client matter risk assessment processes, or inadequate sanctions procedures – are more likely to attract closer attention, whether through a targeted visit, a desk-based inspection, or a follow-up request for information.

The return, in other words, is both a compliance obligation and a signal to the regulator about how well-run your firm is. Submitting an honest return that reveals gaps, without having taken steps to address them, is a risk. The better approach is to understand where your gaps are now, address them where you can before 29 June (when the form opens), and submit a return that accurately reflects a firm that takes its obligations seriously.

How can Enderley help law firms prepare for the SRA AML return?

We often work with firms at exactly this point in the compliance cycle – when a deadline is approaching and there is a genuine need to understand where the gaps are and close them quickly.  It’s a busy time for us, as well as for our clients.

AML framework review:  if you’re not confident that your firm-wide risk assessment, AML policy, and client matter risk assessment process are up to date and adequate, we can review them and help you make the changes needed before you submit.

AML file spot checks:  if you’re not sure how consistently your team is applying your procedures at file level, we can carry out targeted spot checks and give you an honest picture of where things stand, so you can address any issues before they show up in the return.

Regulation 21 AML audits:  an independent audit under Regulation 21 of the Money Laundering Regulations is the most thorough way to understand the real state of your firm’s AML compliance. We review your FWRA, AML policy, CMRAs and training records, audit a sample of files, and interview staff to test their practical understanding of your procedures. Our findings are presented in a written report with a traffic light summary of mandatory actions, recommendations and advisories – and we stay involved to support your MLCO and MLRO in acting on them.

AML training: if your team hasn’t completed AML training in the last year, or needs more targeted support in specific areas, we offer bespoke training sessions tailored to your firm’s risk profile and procedures, as well as a full suite of role-specific webinars through the Enderley Infohub, the licences for which start at £950 plus VAT for five.

Frequently Asked Questions

Do I need to complete the SRA AML return if my firm doesn’t do any AML-scope work?

Yes. All SRA-regulated firms must respond. If your firm carries out no work within the scope of the Money Laundering Regulations and has no involvement with the sanctions regime, you submit a nil return – but you must still submit.

What is a nil return?

A nil return is your firm’s confirmation that it carries out no work in scope of the MLR 2017 and has no sanctions-related activity to report. It is submitted through the same online form as a full return.

Where can I find the SRA’s specimen questionnaire?

The SRA has published both PDF and Word versions of the specimen questionnaire on its AML and sanctions data requirements page here.  It is for preparation purposes only – you cannot submit it in place of the online form.

What if I need my mySRA login details?

The SRA will contact compliance officers directly before the form opens. If you are unsure of your login details or have not set up two-factor authentication, visit the mySRA login page and follow the step-by-step guide.

What happens if my firm misses the deadline?

Failure to complete the form is a regulatory breach and may result in enforcement action. If you are concerned about meeting the deadline, contact the SRA and seek support – don’t simply leave the return incomplete.

The form opens on 29 June. If you’d like to talk through where your firm stands ahead of the deadline, please get in touch – I’d  be very happy to help.