In 2025, the Government decided that the FCA would assume anti-money laundering (AML) and counter terrorist financing (CTF) supervision for the accountancy and legal sectors. Thistle Initiatives Consultant, Oxana Pisier-Caillet, delves into the supervisory and expectations from firms.
The Government’s decision to appoint the FCA as the single AML supervisor for legal, accountancy, trust and company service providers represents a significant structural change in the UK’s supervisory landscape. Although legislation and transition arrangements still need to be followed, the overall policy direction is now clear. For firms that have historically operated under professional body supervision, the reform is unlikely to be perceived as purely administrative. In practice, it signals a shift in supervisory style, expectations and accountability.
The roots of this reform lie in the UK’s 2018 FATF Mutual Evaluation. FATF did not primarily criticise the UK’s legislative framework for combating money laundering. Instead, its concerns focused on the structure of supervision. At the time, AML supervision across sectors was divided between 25 different bodies, whose levels of resourcing, capability and enforcement activity varied significantly.
Among these supervisors, only three were identified as having the scale and consistency typically associated with effective AML oversight: the FCA, HMRC and the Gambling Commission. The legal and accountancy sectors themselves were not categorised as inherently high risk. Indeed, successive National Risk Assessments have generally assessed them as presenting lower inherent money laundering risk than the banking sector. FATF’s concern was therefore structural rather than sectoral. Fragmented supervision was seen as undermining consistency and weakening the overall deterrent effect of the regime.
The creation of OPBAS was intended to address these concerns. Its role was to oversee the professional body supervisors and encourage improvements in risk assessment methodologies, monitoring approaches and enforcement standards. While OPBAS has contributed to raising supervisory standards, the underlying structure remained indirect. Firms continued to be supervised by professional bodies, which were themselves overseen by OPBAS within the FCA.
The Government’s latest reform removes this intermediary layer. Direct FCA supervision effectively collapses the two-tier system into a single line of accountability. From a regulatory perspective, this alters the dynamic between firms and their supervisor. Issues will no longer pass through professional bodies before reaching the conduct regulator, and the FCA will engage with firms directly on supervisory matters.
The significance of the reform lies not only in the identity of the supervisor but also in the FCA’s supervisory methodology. Conduct regulators typically approach supervision through a combination of evidence, data and comparative analysis. They assess firms not only individually but also in relation to their peers, conduct thematic reviews across sectors and examine whether risk frameworks and controls function effectively in practice.
For firms previously supervised by professional bodies, the transition is likely to bring several practical changes.
Firms should expect:·
Greater scrutiny of governance and senior management accountability
Closer testing of whether risk-based frameworks operate in practice
Structured file sampling and control effectiveness reviews
Increased expectations around management information and data quality
Clearer delineation of responsibilities between the first and second lines of defence
These expectations reflect a broader shift in supervisory philosophy.
Under professional body supervision, responsibility for AML compliance frequently sits operationally within the MLRO function and the broader compliance team. Senior leadership may receive periodic updates on policy developments, training programmes or regulatory changes, but day-to-day oversight of financial crime risk is often delegated.
Under a conduct regulator model, expectations around governance are typically more explicit. Boards and senior partners are increasingly expected to demonstrate a clear understanding of the firm’s exposure to financial crime risk and to take an active role in overseeing the effectiveness of mitigation measures. This includes articulating the firm’s risk appetite, understanding the composition of higher-risk client relationships and reviewing management information that highlights emerging risks or control weaknesses.
In practical terms, supervisors will often expect to see evidence that these issues are discussed meaningfully at the senior level. Board minutes and governance papers should demonstrate that management information is reviewed and challenged, and that remediation actions are monitored through to completion. Where senior leadership is unable to explain the firm’s financial crime risk profile or justify its tolerance for particular types of exposure, this can itself become a supervisory concern. The shift is subtle but important: AML oversight becomes a central governance responsibility rather than a function largely managed within compliance.
Most firms in the legal and accountancy sectors have invested significant effort in developing firm-wide risk assessments. These documents typically identify the types of clients, services and jurisdictions that may present elevated exposure to money laundering risk and set out the broad framework through which that risk should be managed.
Under FCA supervision, however, the focus is likely to move beyond the quality of the document itself to the way in which it influences operational behaviour. A genuinely risk-based framework should be visible in how clients are classified, how due diligence requirements vary across risk categories and how monitoring or review cycles are determined.
Where large portions of a client base fall within broadly defined “medium-risk” categories, or where review cycles remain largely uniform regardless of exposure, supervisors may question whether the framework is sufficiently risk-sensitive. The question will therefore not simply be whether a comprehensive risk assessment exists, but whether the risks identified in that document are clearly reflected in the firm’s day-to-day control activities.
Conduct regulators often rely on structured file sampling and thematic reviews to assess whether AML controls operate as intended. When files are reviewed systematically, recurring patterns can emerge relatively quickly. These may include inconsistencies in documentation, limited analysis of the source of funds or decisions to downgrade risk classifications without a clear rationale.
The supervisory focus, therefore, shifts from the existence of policies to the consistency with which those policies are applied in practice. Firms may be expected to demonstrate that control frameworks are periodically tested, that weaknesses are formally identified and that remediation programmes are tracked until issues are resolved.
In this context, a framework that appears robust at a policy level can sometimes appear less effective when subjected to systematic file review. The emphasis is placed on operational consistency and evidence that risk decisions are appropriately documented and justified.
The reform may also lead to closer examination of the balance between the first and second lines of defence. In some professional services firms, compliance teams have historically carried out substantial elements of operational due diligence or client verification work.
Under a conduct regulator model, there is typically greater emphasis on first-line ownership of risk. Fee earners and engagement partners are generally expected to demonstrate that they understand the risks inherent in their client relationships, and they can justify the assessments made regarding the source of funds or wealth.
The role of the second line is therefore more clearly defined as one of oversight, challenge and independent testing. Rather than compensating for gaps in operational processes, compliance functions are expected to monitor the effectiveness of those processes and to identify systemic weaknesses through thematic reviews and quality assurance exercises. Clear allocation of responsibilities and documented evidence of challenge between the first and second lines are therefore likely to become increasingly important.
Another characteristic of conduct-style supervision is the importance placed on management information and underlying data. Regulators frequently expect firms to be able to produce meaningful information on demand, including metrics relating to higher-risk client relationships, findings from quality assurance reviews, volumes of internal suspicious activity reports and the status of remediation programmes.
Firms that rely on automated screening tools or risk-scoring systems may also find that greater attention is paid to how those systems are governed. Supervisors are often interested not only in whether a particular tool has been implemented, but also in how thresholds are calibrated, how false positives are analysed and how the system is periodically reviewed or adjusted to reflect evolving risks.
The underlying principle is that systems and data should support informed oversight. Where management information cannot be generated easily or where data quality is inconsistent, this may indicate weaknesses in the firm’s control environment and its ability to monitor risk effectively.
The practical differences between professional body supervision and direct FCA oversight can be illustrated by comparing the two models across several dimensions.
| Area | Current PBS Model | FCA Supervision Model |
| Supervisory structure | Professional body oversight, supervised by OPBAS | Direct supervision by a conduct regulator |
| Supervisory method | Periodic inspections, often checklist-oriented | Risk-led, data-driven, thematic and comparative |
| Senior accountability | Engagement is typically centred on MLRO | Board and senior partner scrutiny |
| Control testing | Variable in depth | Structured file sampling and effectiveness testing |
| Data expectations | Limited MI standardisation | Detailed management information and benchmarking |
| Enforcement visibility | Limited public outcomes | Established public enforcement record and financial penalties |
| Remediation | Advisory letters common | Formal remediation programmes with follow-up |
The FCA’s institutional scale allows it to benchmark firms against one another and to conduct thematic analysis across sectors. Even where the inherent risk associated with a sector is assessed as lower than in banking, the transparency and intensity of supervision are likely to increase.
Legal and accountancy services can be misused for money laundering in several ways, including through corporate structuring, trust arrangements, property transactions and the handling of client funds. The regulatory focus will continue to centre on how firms identify these risks and how effectively they mitigate them in practice.
In this sense, the reform does not fundamentally alter the underlying AML obligations placed on firms. Most organisations already have risk frameworks, due diligence processes and compliance programmes in place. The more relevant question is whether those frameworks would withstand the type of scrutiny typically applied by a conduct regulator.
For firms that have previously experienced relatively light supervisory engagement, the shift may be felt primarily through the intensity and depth of oversight rather than through the introduction of entirely new requirements.
The transition period offers firms an opportunity to review their AML frameworks through a conduct-regulator lens before direct FCA supervision begins. Taking a structured approach at this stage can help identify areas where existing policies or processes may not fully align with supervisory expectations.
Thistle Initiatives supports firms preparing for heightened supervisory scrutiny. Our work includes:
Independent AML assurance reviews
Enhancement of firm-wide risk assessments
Structured file testing and control effectiveness assessments
Development of meaningful management information frameworks
Delivery interview practice for senior management and MLROs
Targeted AML training for leadership and operational teams
Fully outsourced KYC solutions
On-demand KYC support
KYC technology product selection and implementation support
Drawing on experience supporting FCA-regulated firms, the aim is to help organisations understand how supervisory expectations translate into operational practice and where potential gaps may emerge under closer examination. Early preparation can often reduce the need for more reactive remediation once direct supervision begins.
Oxana is a Financial Crime Consultant at Thistle Initiatives. She previously worked as a Corporate Risk & Due Diligence Specialist at Interfax in London, following an early career in Geneva. Oxana holds a Master’s degree in Countering Organised Crime and Terrorism and brings expertise in due diligence, corporate risk assessment and financial crime prevention.