Law and Legal services

AML and KYC vulnerabilities

Where Law firms and Legal Services may be vulnerable to AML risk

The sector has long faced criticism for not taking AML and CFT regulation seriously – and has even been accused of aiding and abetting criminal activity. But recent scandals, including the Panama Papers affair and suggestions that law firms are helping Russian oligarchs to evade sanctions following the invasion of Ukraine, have caught the attention of authorities across multiple jurisdictions.

Nevertheless, law firms continue to struggle with their AML and know your customer (KYC) responsibilities. A review carried out by the Solicitors Regulation Authority in 2021 found many firms were experiencing problems ranging from lack of resources to push-back from clients. Furthermore, data from the SRA published in the summer of 2022 revealed a sharp increase in the number and value of enforcement fines issued to law firms, with the trend largely driven by cases of AML failings.

Man at desk

In one of the most high-profile cases, the London law firm Mishcon de Reya was fined £232,500 over a string of breaches of AML rules. The fine, imposed in January 2022, was leviedas a percentage of the firm’s turnover.

And it’s not only the firm itself that can face penalties, with individuals also potentially at risk of disciplinary action. In another recent case, a partner at London-based Karam, Missick and Traube was fined £25,000 by the Solicitors Disciplinary Tribunal for failures such as not making adequate identity checks.

With regulators and policymakers stepping up their scrutiny of the legal services sector, the risks for firms not taking AML seriously are increasing – and there is potential for further jeopardy.

In the UK, MPs have recently called for tighter supervision of the sector and harsher penalties for wrongdoing. Other jurisdictions, including the European Union and the United States, are taking a similar approach.

Against this backdrop, it is now essential that legal professionals take their AML responsibilities more seriously, by putting clear structures and practices into place to fulfil their duties.


Many are regulated businesses under AML legislation and therefore face serious penalties for falling foul of legislation. This includes the risk of prison sentences as well as punitive fines, while the reputational damage caused by a failure that becomes public is likely to be substantial.

KYC and AML are powerful complements to each other and important elements for legal firms looking to protect themselves against fraud and financial crime. Both involve verifying the identity and legitimacy of individuals and organisations through rigorous checks. In itself, that makes it harder for criminals to operate. In addition, AML checks help to uncover the money trail, understanding where money comes from and how it’s spent so that legal firms can ensure it’s managed in the correct way.

Where the legal services may be vulnerable to AML risk

Law firms and solicitors are attractive to money launderers because of the services they provide and the position of trust they hold and regulators have long recognised this.

The Financial Action Task Force (FATF), the inter-governmental body that is responsible for setting worldwide AML standards, published guidance for the legal sector as early as 2008, updating this work most recently in 2019.

However, anti-corruption campaigners argue that such interventions have not galvanised sufficiently robust action.

Transparency International has accused the legal profession of turning a blind eye to money laundering. While Spotlight on Corruption has described law firms as “witting or unwitting enablers” of money laundering.

The bottom line is that criminals see the potential to use legitimate legal services to make their illicit financial, corporate, or real estate transactions look legitimate.

Potential danger areas include:

Resources Financial_Services Data_Providers

Conveyancing and real estate work

Both residential and commercial property provide a real and tangible asset into which criminals can channel illicit funds in order to create the appearance of legitimacy. They use legal services firms to manage such transactions, effectively moving dirty money into a clean asset.

Handling of client money

Where law firms have responsibilities that encompass handling client cash, even through designated client accounts, there is an opportunity for criminals to move the proceeds of crime into apparently legitimate funds.


Setting up trusts and company structures

Where law firms are engaged to create structures, such as trusts and shell companies, there is potential for criminals to funnel illegitimate cash through these vehicles. By concealing the connection between perpetrators and the proceeds from their crimes, this facilitates money laundering.



In the UK, the Proceeds of Crime Act 2002 is the overarching legislation that sets out the UK’s AML and CFT regulatory regimes. The law defines the various primary money laundering offences, but also imposes a duty on anyone encountering suspicious activity, including law firms and individual lawyers, to report it. Failing to do so is a criminal offence in itself, with a maximum penalty of five years’ imprisonment.

In addition, the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 introduced specific AML responsibilities for a number of key business sectors regarded as posing the greatest risk for criminal activity. Not every law firm will be within the scope of this regulation – for example, those concerned solely with criminal litigation may be outside the regime – but very large numbers of firms will be covered.

These primarily include:


Law firms and legal professionals that provide legal or notarial services on behalf of clients engaging in financial or property transactions concerning:

  • The buying and selling of real estate property or business entities
  • Management of client money, securities, or other assets
  • The opening or management of bank, savings, or securities accounts,
  • The organisation of contributions necessary for the creation, operation, or management of companies
The creation, operation, or management of trusts, companies, foundations, or similar structures


Trust and company service providers (TCSPs) that provide services including:

  • Forming companies or other legal structures
  • Acting, or arranging for another person to act, as a director or secretary of a company, as a partner in a partnership, or as the host of a registered office, business address, correspondence, or administrative address
  • Acting, or arranging for another person to act, as a trustee, or as a nominee shareholder for a person other than a company whose securities are listed on a regulated market


Tax advisers that provide material aid, assistance, or advice in connection with the tax affairs of others, whether provided directly or through a third party.

For those law firms that do fall within the scope of the regulation, the Legal Sector Affinity Group (LSAG), which comprises the legal sector’s various AML supervisors, publishes detailed guidance on their duties and responsibilities under the 2017 legislation.

The guidance makes clear that the law firm’s senior managers are responsible for oversight of activities to meet the regulation – and that they can be held personally liable if they fail to protect their business from money laundering and terrorist risk.


As a result, senior managers are required to:

  • Identify, assess, and effectively manage the risks of their business being exploited to launder money or finance terrorism – there should be an up-to-date practice-wide risk assessment in place
  • Take a risk-based approach to managing these risks with more attention devoted to high-risk areas
  • Appoint a nominated officer with responsibility for reporting suspicious activity to the National Crime Agency
  • Devote sufficient resources to properly address the risk of money laundering and terrorist financing

It’s also worth noting that two amendments to the 2017 money laundering regulations have come into force.

These require supervised firms, including in-scope law firms, to provide data on the scale and potential risks of their work; firms must also be prepared for regulators to inspect the quality of the suspicious activity reports they submit.

In addition, the sector faces the possibility of more fundamental reforms. Bodies including the FATF have criticised the way in which the UK’s AML regulatory system is fragmented in regard to the legal and accountancy professions. While a single authority, the Office for Professional Body Anti-Money Laundering Supervision, oversees all legal and accountancy AML supervisors in the UK, these include 22 bodies across both sectors, including nine bodies in the legal sector.



The international perspective

Most international jurisdictions regard legal services as a high-risk sector from an AML and CFT perspective and have introduced specific regulation that covers large numbers of law firms.

This typically mirrors the principles set out by the FATF, but the precise detail of frameworks and standards varies from one jurisdiction to another. Even so, one commonality is that many jurisdictions are considering further regulation.

In the European Union, the relevant regulation is set out in the 5th Anti-Money Laundering Directive, though this is due to be superseded by the 6th Anti-Money Laundering Directive in 2024. The EU is also working on plans to harmonise its AML rule books and to establish an EU-wide AML supervisory authority; this has met with some push back from the legal profession, including the Council of Bars and Law Societies of Europe. The EU’s proposals would extend the scope of coverage of legal firms from an AML perspective – and take powers away from supervisory authorities in the member states.

In the US, the Biden administration is currently seeking to increase scrutiny of professional services businesses, including law firms, as part of tighter regulation of so-called “gatekeeper” firms. The Establishing New Authorities for Businesses Laundering and Enabling Risks to Security (ENABLERS) Act has bi-partisan support and looks likely to pass into law in 2023.

The legislation is likely to bring many law firms within the scope of existing AML regulation in the US – through similar provisions on coverage to UK regulation – with the Financial Crimes Enforcement Network (FinCEN) responsible for scrutinising them.


Guidance from the Legal Support Advisory Group (LSAG) should be the starting point for UK law firms seeking to understand exactly what is necessary from an AML perspective. Compliance work will require action in a number of key areas.




Complying with sanctions

All organisations are required to comply with sanctions and export controls that may be imposed by the UK Government or other jurisdictions on specific individuals or corporate entities. The number of these sanctions currently in force has increased significantly as the international community has targeted Russia and Russian entities following its illegal invasion of Ukraine. The Law Society has published a detailed guide to the UK’s sanctions regime to help law firms cope with these responsibilities.




Customer due diligence

Customer due diligence (CDD) rules set out the checks that law firms must make on their clients – these begin with identifying the client and verifying that they are who they say they are, but also encompass a broad range of additional duties.

In practice, law firms are entitled to take a risk-based approach to CDD – more basic checks are acceptable for customers assessed as low-risk, but practices must have a policy in place to make that assessment in the first place. It is also important to note that CDD is an ongoing responsibility, and not limited to work with new clients. Firms will need to conduct ongoing monitoring, scrutinise transactions, and ensure CDD documents are up to date.




Enhanced customer due diligence

Clients who are assessed as higher risk must be subjected to enhanced due diligence requirements. Examples include situations where the client is from a high-risk country identified by the UK Treasury, the EU, or the FATF; where a transaction is complex, large, or unusual in some other way.

There is also a more generalised duty on law firms to perform enhance diligence if they have any reason to think a client or transaction poses an increased risk of money laundering.

In such cases, law firms are expected to go further to identify and verify clients, such as seeking independent verification sources, to take additional measures to understand the background of a client or to a transaction. Regular and ongoing monitoring will also need to be prioritised.




PEP screening

Politically exposed persons (PEPs) are individuals (and their close associates) who may be more susceptible to being involved in bribery or corruption because they hold a prominent position or influence.

Where a client is identified as a PEP, a law firm will be automatically required to make enhanced AML checks; senior management approval must be given before the firm establishes a business relationship with the individual.

These requirements mean the practice must have processes in place to identify PEPs, typically at the onboarding stage, but also through regular checks where the business relationship is ongoing.

There is no single global definition of a PEP, but the FATF has issued guidelines on how to identify such individuals; these have largely been accepted in legislation in the UK and the EU. LSAG also offers guidelines on identifying PEPs in its guidance.




Beneficial Owners

A beneficial owner is an individual who ultimately owns or controls the client, or on whose behalf a transaction is being conducted. When dealing with clients working on behalf of beneficial owners, law firms must take reasonable steps to establish that owner’s identity, so that due diligence can be undertaken.

Where the identity of the beneficial ownership can’t be established, the firm will need to consider whether the client relationship therefore represents an increased risk from an AML perspective – and whether it should continue to act for the client.




Sanctions screening

New customers may be subject to specific sanctions and export controls themselves or have links to individuals and countries that have been targeted. Operators therefore need to monitor the sanctions lists published by governments and other international organisations in order to ensure they are not in breach of these sanctions. The UK Government publishes and updates the UK Sanctions List online, with other jurisdictions following similar practices. 




Transaction monitoring and reporting

Without robust transaction monitoring processes, gaming and gambling operators cannot be confident their services are not being used for criminal purposes. It is therefore important to have systems capable of identifying red flag transactions and sounding an alert. And where a transaction does raise concerns, operators will typically be required to file a suspicious activity report (SAR) to the National Crime Agency. 

In practice, it is difficult to define precisely what constitutes suspicious activity, but regulators deliberately set out broad guidance. The Gambling Commission warns: “Operators and employees working in remote and non-remote casinos are required to submit a SAR in respect of information that comes to them in the course of their business if they know, or suspect or have reasonable grounds for knowing or suspecting, that a person is engaged in, or attempting, money laundering or terrorist financing.” 


The role of technology

Manual approaches to AML and KYC compliance are increasingly impractical. The workload is simply too onerous, putting TCSPs at risk of regulatory sanction and reputational damage in the event that staff make mistakes or overlook problem cases. For this reason, technologies that harness tools such as automation and machine learning are increasingly important to AML compliance.

Automating AML and KYC processes provides comfort that activities such as screening and monitoring can take place quickly and accurately, reducing the risk of a compliance failure. There is also an opportunity to leverage external data sources in order to strengthen compliance even further.

Another advantage of using such tools is they automatically create an audit trail, providing the business with a means through which to account for their actions to regulators and other stakeholders. Together, AML and KYC are necessary requirements to effectively manage the end-to-end customer lifecycle.


Until now, compliance has been a barrier to business - it’s made doing business slower and more difficult by creating friction through clunky processes, siloed data and human error. The opportunity now exists for organisations to outperform commercially through the way they comply. Compliance has evolved from being a barrier to becoming a major point of difference in how businesses accelerate time to revenue, increase profitability and improve customer experience.

Our Customer Lifecycle Management SaaS Platform takes care of all aspects, from creating the right first impression with rapid risk-based onboarding, through to award-winning screening and KYC refresh that enable your business to:

  • Realise massive operational efficiencies

  • Achieve rapid ROI through the speedy deployment of our no-code solutions and

  • Master complexity with solutions that evolve as regulations change

All at the same time as delivering even higher levels of compliance assurance.