In October 2025 the government confirmed a decision that had been circling the profession for two years: the Financial Conduct Authority will become the single supervisor for anti-money laundering across professional services. For law firms, that means AML supervision moves away from the Solicitors Regulation Authority and into the hands of a regulator whose reputation was built supervising banks, insurers and investment firms.
It is worth being precise about what has and has not happened, because the commentary has not always been careful about the distinction.
What has actually been decided
The government has chosen its model. The FCA will act as the Single Professional Services Supervisor, replacing a fragmented landscape of 22 professional body supervisors and HMRC. HM Treasury ran a consultation on the FCA's powers between November and December 2025, and the enabling provisions now sit within the Financial Services and Markets Bill making its way through Parliament.
What has not happened is implementation. The transfer requires primary legislation, and the timeline is governed by the availability of parliamentary time rather than a fixed date. The most considered analysis across the profession points to the transfer being unlikely to begin before 2028, with the SRA expected to retain its AML supervisory function through 2026 and into the transition period. Firms should treat the changes as real and coming, but not imminent, and certainly not a reason to pause current compliance work.
The point that matters most: your obligations have not changed
This is the part that gets lost. The Money Laundering Regulations 2017 and the Proceeds of Crime Act 2002 remain fully in force, unchanged. A firm that is genuinely compliant today, with a current firm-wide risk assessment, properly implemented policies, controls and procedures, sound client and matter risk assessments, and well-evidenced due diligence, does not need to rebuild anything because its supervisor is changing.
What changes is not the rulebook. It is who reads your file, how closely they read it, and what happens when they find a gap.
What is genuinely different under the FCA
Three things should focus a managing partner's attention.
The first is supervisory intensity. The FCA's model is built on granular, evidence-based, data-driven oversight. It is comfortable asking for documentation, testing the effectiveness of controls rather than their mere existence, and concentrating its attention on the firms and sectors it judges highest-risk. Annual reviews and a tidy policy folder will not be enough; the FCA expects to see that controls work in practice.
The second is the penalty framework. The FCA's enforcement powers and fine levels are materially more severe than those of the professional body supervisors firms are used to. The gap between an SRA outcome and an FCA outcome for the same failing is significant, and it is one of the clearest reasons not to wait.
The third is fit and proper assessment. The proposals extend fit and proper testing to professional services firms and the individuals who run them, potentially including partners, beneficial owners, compliance officers and MLROs. For some firms this introduces a layer of individual accountability and pre-appointment scrutiny that has no real equivalent under the current regime.
There is also the unresolved question of dual regulation. The SRA will continue to regulate solicitors for conduct, accounts and professional standards, while the FCA supervises AML. Where a single set of facts engages both regulators, firms face the prospect of overlapping oversight and, at worst, double jeopardy. The mechanics of information-sharing between the two have not been settled.
What a firm should do now
The honest answer is that the most effective preparation for FCA supervision is to be properly compliant with the rules that already apply. There is no separate FCA checklist to work from yet, and any consultant selling one is selling speculation. What there is, is a standard the FCA will expect to see met, and it is the same standard the MLRs already set, applied more rigorously.
In practice that means a firm-wide risk assessment that is current, specific to the firm's actual client base and work, and not a generic template. It means policies, controls and procedures that are implemented and demonstrably followed, with the records to prove it. It means client and matter risk assessments and due diligence that would survive someone testing them, not just confirming they exist. It means SAR decision-making, including decisions not to report, that is documented and defensible. And it means governance and escalation routes that a regulator can see working.
The single most useful step a firm can take is an independent AML audit, of the kind contemplated by Regulation 21 for firms above the relevant size. A proper audit reviews the documentation, tests the controls through file reviews and interviews, and tells you where the gaps are while you still have time and a friendlier supervisor to address them. Finding a weakness in your own firm-wide risk assessment now, on your own terms, is a very different experience from the FCA finding it later.
The way to think about this
The transition is significant, but it is not a reason to panic and not a reason to wait. The firms that struggle will be the ones that treated AML as a box-ticking exercise under a supervisor they considered lenient, and then met a regulator that does not. The firms that come through well will be the ones that used the window between now and transition to make their compliance genuinely effective, so that the change of supervisor is a change of letterhead rather than a crisis.
That window is open now. It will not stay open indefinitely.