Dentons and the future of AML misconduct

In April 2026, the Court of Appeal handed down a ruling that will be studied with particular care in compliance departments, risk committees and regulatory defence practices across the profession. The case, Dentons UK and Middle East LLP v Solicitors Regulation Authority Ltd [2026] EWCA Civ 508, had been through two lower courts already. It had produced conflicting outcomes at each stage. What the Court of Appeal delivered was not a clean victory for either side, but a carefully calibrated statement of principle: a breach of the Money Laundering Regulations does not automatically constitute professional misconduct. Seriousness, context and culpability still matter. And the SDT must assess them properly.

Dentons secured an important doctrinal win on the law, with the Court of Appeal rejecting automatic misconduct findings and allowing its appeal on Principles 6 and 8. However, the central allegation under Principle 7 has been remitted to a fresh SDT panel for reconsideration under the correct test.

For many practitioners, that might sound like welcome relief. It should also sound like a prompt to act.

A case ten years in the making

The facts are striking enough to matter beyond the legal principles they generated. Client A, identified in reporting as Jahangir Hajiyev, former chair of the International Bank of Azerbaijan, had been a client of Salans LLP's London office before Dentons acquired that office as part of an international merger in 2013. At the point of acquisition, a former Salans partner raised concerns about the client. Dentons nonetheless went on to act for Client A across 38 matters over the following four years, including the purchase of an £8 million UK property.

In 2016, Client A was convicted abroad and sentenced to fifteen years' imprisonment for embezzlement and related offences. Two years later, the High Court made an unexplained wealth order against his wife, one of the earliest such orders made under the Criminal Finances Act 2007 and a case that attracted considerable public attention at the time.

The SRA brought charges against Dentons alleging that between 2013 and 2017 the firm had failed to take adequate measures to establish the client's source of wealth and source of funds, in breach of regulation 14 of the Money Laundering Regulations 2007. After a six-day hearing, the Solicitors Disciplinary Tribunal in 2024 found as a matter of fact that Dentons had breached the MLRs, but concluded that the breach was not sufficiently serious, culpable or reprehensible to amount to professional misconduct. It dismissed all allegations and ordered the SRA to pay its own costs, later revealed to be £189,000.

The SRA appealed. In March 2025, Mrs Justice Lang in the High Court allowed that appeal. She found that the SDT had applied the wrong test: for breaches of this kind, she held, there was no universal requirement of seriousness before a finding of misconduct could be made. The only question, she said, was whether the firm had complied with the regulations.

Dentons appealed again. The Court of Appeal heard the case over two days in March 2026 and handed down judgment on 27 April.

What the Court of Appeal decided

The panel, Lord Justice Bean, Lord Justice Jeremy Baker and Lord Justice Zacaroli, rejected both extremes. They declined to accept the SRA's position that an MLR breach automatically produces a disciplinary finding. But they also declined to restore the SDT's original decision in full.

On the core question of principle, the court held that there is an inherent seriousness requirement built into the SRA's conduct rules. The applicable test, confirmed in language that compliance teams should retain, is whether the conduct in question "would be considered sufficiently serious by competent and reputable solicitors that it be categorised as professional misconduct." This is an evaluative judgment, not a mechanical one. Legal breach and regulatory breach are not co-extensive.

'Not every breach of a compliance obligation will amount to regulatory misconduct. Disciplinary liability remains contingent on an assessment of the seriousness and context of the alleged breach.'

However, the Court of Appeal upheld the High Court's quashing of the SDT's original dismissal in relation to Principle 7, the obligation to comply with legal and regulatory obligations and to uphold the rule of law. The matter is remitted to a freshly constituted SDT panel, which will apply the correct seriousness test to decide whether, on the facts of this case, Dentons' AML breach crossed the professional misconduct threshold. That question is still unresolved.

The court allowed Dentons' appeal in relation to the allegations under Principles 6 and 8, which are not being remitted. So Dentons has achieved a partial but significant procedural and doctrinal win, the wrong test has been corrected, and the SRA's overreach on automaticity has been rejected. Whether the firm ultimately escapes a misconduct finding is another matter entirely.

Why the facts make this harder than the headlines suggest

Coverage of this judgment has in some quarters framed Dentons as having been cleared. That is inaccurate, and the distinction matters practically. The case has been sent back precisely because the seriousness question was not properly decided at first instance. And the underlying facts, a high-risk PEP client inherited via acquisition, ongoing concerns raised internally, 38 matters conducted over four years, a subsequent conviction and unexplained wealth order, are not obviously the raw material of a technical or trivial breach.

Source of wealth and source of funds checks for politically exposed persons are not peripheral due diligence requirements. They are central to the anti-money laundering framework's purpose: establishing who a firm is acting for and whether legal services might be used to move, shelter or legitimise the proceeds of crime. When a firm has identified a client as high risk and PEP-status, the case for treating failures in that specific area as merely technical is a difficult one to make.

That is the tension at the heart of what the fresh SDT panel will have to resolve. And it is exactly the tension that compliance teams across the profession should be sitting with now.

The broader regulatory context

The judgment does not arrive in isolation. Three other regulatory developments in the first half of 2026 together create the environment within which it must be read.

In February 2026, the SRA published updated guidance on compliance with the UK sanctions regime. It is a substantial document, notable as much for its tone as its substance. It places firms on notice that failure to follow the guidance may be treated as an aggravating factor in enforcement proceedings, a signal that the guidance itself is now effectively a benchmark. It acknowledges that sanctions obligations apply to all firms regardless of AML scope, that due diligence mitigates risk but does not constitute a defence, and that firms engaging in higher-risk work will be held to a demanding standard if compliance is ever tested.

In April 2026, the Office of Financial Sanctions Implementation published its Strategy 2026–29, signalling a move towards more proactive, intelligence-led and co-ordinated enforcement across regulators and law enforcement bodies. The practical implication: AML and sanctions failures are more likely to be identified than they were before, not simply more likely to be penalised once identified.

And in December 2025, the SRA published a thematic review of compliance officers that carries direct relevance to the self-reporting question that Dentons raises obliquely. The review found that 36 compliance officers across 25 firms had received 1,377 internal reports over a three-year period, of which just nine were referred to the SRA. It also found that only half of compliance officers had read the SRA's reporting and notification guidance, and fewer than one in five had read the enforcement strategy. The gap between what is happening inside firms and what is reaching the regulator is not a comfortable one, particularly in a period of stated enforcement escalation.

The question compliance teams must now answer

The practical lesson from Dentons is not that AML failures are safely technical unless the regulator makes a sufficiently strong case. The Court of Appeal has preserved the seriousness threshold, but it has done so in a context where the regulatory framework is simultaneously becoming more exacting, more co-ordinated and more likely to identify problems in the first place.

For COLPs, COFAs and MLROs, the immediate questions are these. When an AML issue is identified, how is its seriousness assessed? Who makes that assessment? Is it documented? Is the firm's decision to continue acting, or not to self-report, capable of being explained and evidenced if it is later examined?

The judgment sits somewhere in the middle: an AML breach still has to be serious enough to cross the misconduct threshold, but firms should not assume that failures involving high-risk clients will be treated as minor.

The Dentons case also has a specific lesson about acquisitions and inherited clients that is easy to overlook. Client A came to Dentons via the Salans acquisition. Concerns were raised internally from the outset. The firm nonetheless proceeded. The Court of Appeal's judgment does not resolve whether that combination of facts, inherited client, internal objection, sustained conduct of retainer, satisfies the seriousness threshold. But it puts firms on notice that "we inherited the client" is not itself a compliance answer. Inherited clients carry inherited risk, and that risk requires current, evidence-based assessment, not reliance on assumptions formed under a different firm's due diligence regime.

The Doughty Street Chambers analysis of this judgment by Peter Caldwell KC and Natalie Lucas makes a related point about the emerging regulatory posture. The SRA's sanctions guidance and the OFSI strategy together signal a step change in expectations: more exacting standards, more proactive enforcement, and greater scrutiny of firms operating in higher-risk areas. Against that backdrop, the Court of Appeal's confirmation that professional discipline requires a seriousness assessment is a genuine and important safeguard. But it is not, as the same analysis notes, a safe harbour.

What should firms do now?

Several practical steps follow directly from the judgment and the surrounding regulatory picture.

First, review how AML seriousness is assessed within the firm. If an MLR breach is identified, is there a documented process for deciding whether it constitutes professional misconduct? Is that process informed by the correct legal test, whether competent and reputable solicitors would regard the conduct as serious enough, rather than a more instinctive or optimistic judgment?

Secondly, review how high-risk clients, and particularly PEPs, are handled on an ongoing basis. The Dentons facts involved not just initial onboarding but continued conduct of retainer across four years and 38 matters. The question is not only whether the CDD was adequate at inception but whether it was maintained, updated and documented throughout.

Thirdly, revisit your position on inherited clients. Mergers, lateral hires and portfolio acquisitions all create situations where a firm may be continuing to act for clients whose original due diligence was conducted by others, under different regulatory expectations, and at a different point in time. Where that client is high risk, the current firm cannot simply rely on historical work.

Fourthly, consider the escalation architecture. Who decides when a compliance failure becomes a reportable matter? On what basis is that decision made? Is it recorded? The thematic review's findings about the gap between internal reports and SRA notifications suggest that many firms are making these decisions in an ad hoc way that may not withstand scrutiny.

Finally, and most fundamentally, ensure that the firm can evidence its judgement at the time decisions were made. Regulators, tribunals and appellate courts are unlikely to be satisfied by assurances that risk was considered. They will ask what was considered, by whom, on what evidence, and why the firm was satisfied that its response was adequate. Defensible compliance is not the same as technical compliance. The Dentons case, while not yet concluded, is a demonstration of what the gap between the two can cost.