AML Updates for the Legal Sector

Regulators told to get tougher

OPBAS - the Office for Professional Body Anti-Money Laundering Supervision - has delivered a pointed warning to legal and accountancy regulators: disciplinary action on AML breaches is not sufficiently dissuasive. When you compare some of the fines handed down by the FCA against those issued by the SRA, you can see why that concern exists. The message is clear - low-level fines are no longer considered an adequate deterrent, and this will only sharpen once the FCA takes over AML supervision of law firms.

At the same time, the Council for Licensed Conveyancers has been operating an "assisted compliance" regime, and the new SRA CEO has signalled something similar. But OPBAS's stance makes it hard to see how a soft approach will survive for long. Expect the enforcement dial to turn up, not down.

Deepfakes are now a live threat to CDD

The National Economic Crime Centre has issued an alert confirming that AI-generated deepfakes are being detected in customer due diligence processes. This is not theoretical - manipulated identity documents and synthetic liveness videos have already bypassed some controls. Accounts created using AI have been linked to fraud and money laundering.

If your firm conducts any part of its due diligence at a distance or online, this needs to feature prominently in your firm-wide risk assessment. Consider how you verify identity documents, what technology you use, and whether your CDD providers are certified under the UK government's Digital Identity and Attributes Trust Framework. Remember the SRA's repeated guidance: you must understand the systems you use and be able to interrogate their outputs - a green tick on a report does not automatically mean you have properly verified the client.

SRA enforcement: the numbers keep climbing

By mid-April 2026, 18 law firms had already been sanctioned for AML failures this year. The recurring themes remain stubbornly familiar: no firm-wide risk assessment, inadequate policies, controls and procedures, no client or matter risk assessments, and deficient source of funds checks. A striking 88% of sanctioned firms held the Conveyancing Quality Scheme accreditation - a figure that raises serious questions about the effectiveness of accreditation assessments.

One appeal case this quarter was particularly telling. A firm fined £68,000 for fundamental AML breaches appealed the decision, but it emerged that 12 months after being told by the SRA to get its house in order, the firm still had not complied. That firm also held Lexcel accreditation, which requires annual on-site assessment. The question has to be asked: why did neither the CQS nor the Lexcel assessor pick up these failures?

Another case involved a CQS-accredited conveyancing firm with near nine-year AML non-compliance. With the FCA transition approaching, firms with enforcement histories need to consider how that record will look under the FCA's fit and proper test.

Crypto money laundering: an eight-fold surge

According to the Chainalysis 2025 report, crypto-related money laundering has surged from $10 billion in 2020 to $82 billion in 2025 - an eight-fold increase. Chinese-language money laundering networks emerged during the pandemic and are now processing $40 million per day in crypto.

For law firms, the practical implication is straightforward: if a client's source of funds involves cryptocurrency, you cannot simply accept that at face value. You need to trace the money back to its origin before it entered the crypto ecosystem. Ask the right questions - how did they invest, through which platform, how did they learn about the opportunity? Bear in mind that your client may themselves be a victim of a crypto scam, so probe gently but thoroughly. Crypto is no longer a niche risk - it needs to be in your firm-wide risk assessment and your PCPs.

Digital identity guidance - progress, but questions remain

HM Treasury and DSIT have released new guidance on using digital identities with the Money Laundering Regulations, aimed at streamlining due diligence for regulated firms. This is a welcome step, but questions around the reliance provisions remain unanswered - particularly whether some of the proposed digital ID mechanisms fall within the regulatory definition of reliance.

If you use electronic CDD providers, make sure the specific service you subscribe to is certified under the government scheme - not just that the provider itself is a well-known name. Different subscription tiers may carry different levels of accreditation. And remember that an electronic check confirming a person exists is not the same as confirming that person is your client.

Preparing for the FCA: start benchmarking now

The FCA has published updated findings on customer due diligence processes and controls. With AML supervision of legal services transferring to the FCA, this report is essential reading. Firms should be benchmarking their CDD frameworks against the FCA's expectations now rather than waiting for the transition.

A side-by-side comparison of recent FCA and SRA reports reveals notable differences in focus between the two regulators. The FCA, for example, places greater emphasis on senior management accountability through its fit and proper regime - not just the firm's MLRO or COLP, but board members and partners individually.

There is also the unresolved question of dual prosecution. Once the FCA holds AML supervisory responsibility, will firms face enforcement from the FCA on AML grounds and separately from the SRA for breaches of its codes of conduct arising from the same underlying failures? Indications suggest this should not happen, but until it is firmly resolved, it remains a concern.

Sanctions: major changes on the horizon

This quarter saw a heavy volume of sanctions-related updates.

OFSI civil enforcement overhaul. Following its consultation, OFSI has confirmed significant changes to civil enforcement for financial sanctions. The voluntary disclosure and cooperation discount will drop from 50% to 30%, though a new settlement scheme discount of an additional 20% will be introduced, bringing the potential total discount to 44%. Civil monetary penalties are doubling - from up to £1 million or 50% of the breach value to up to £2 million or 100% of the breach value. New penalties of £5,000 to £10,000 will be introduced for information, reporting and licensing offences.

Sanctions fines in practice. Bank of Scotland was fined £160,000 for allowing 24 payments to and from a sanctioned individual's account. The individual had used a UK passport to open the account, but there were discrepancies in the spelling of his name compared to his Russian passport - his middle name was missing entirely. The bank's automated screening tool failed to match the name. The lesson for firms is clear: pay close attention to transliterated names and spelling inconsistencies across different-alphabet passports.

Cyprus as a sanctions evasion risk. A case involving a sanctioned Iranian national who owns a luxury villa in Spain via a UK company - using his Cypriot passport to obscure the connection - illustrates why screening must cover all nationalities and passports held by a person, not just the most obvious one. This reinforces the SRA's own guidance flagging Cyprus as a higher-risk country for sanctions evasion purposes.

Ownership and control. OFSI's call for evidence on ownership and control in financial sanctions regulations proposes aligning with international standards by changing the threshold from "more than 50%" to "50% or more." If you regularly act for corporate entities and conduct sanctions screening, this subtle but important shift is worth responding to before the consultation closes.

Key publications to read

The quarter produced a substantial reading list. Among the most important items:

The NCA National Strategy Risk Assessment is a strong resource on emerging threats. It highlights how technology is reshaping serious and organised crime, how criminal markets are converging and expanding, and how global instability is creating new criminal opportunities.

The OPBAS 2024/25 supervisory report calls for clearer SAR processes and encourages professional body supervisors to promote a self-reporting culture for AML breaches.

The Institute for Economics and Peace Global Terrorism Index includes a world map showing terrorism impact by country - a useful tool for assessing risk on matters with international links.

FATF publications this quarter are particularly relevant for sanctions risk assessments. FATF data shows that 80% of sanctions evasion uses shell or front companies, virtual assets feature in one in four cases, formal banking channels in 66%, and professional intermediaries including solicitors in 45%.

The UK Government Fraud Strategy 2026 - 2029 and the Home Office's policing restructure proposals are worth reviewing, particularly for larger firms subject to the failure to prevent fraud offence.

Key takeaways

• Review the referenced documents. There is a lot to absorb, but the SRA and SDT have made it quite clear that being too busy with client work is not an acceptable reason for failing to read relevant guidance and practice notes.
• Update your firm-wide risk assessment. Deepfakes, crypto, sanctions changes, digital ID - all of these may need reflecting in your FWRA, and anything flowing from that must cascade through into your policies, controls, procedures and training.
• Prepare for the move to the FCA. Benchmark your current frameworks against FCA expectations. Understand the differences in supervisory approach. Consider the fit and proper implications for your firm and its individuals.
• Ensure your MLRO and MLCO are appropriately trained. Recent SRA reports found that only one compliance officer in 36 surveyed understood the full scope of their role. With increased scrutiny likely, this is an area where firms cannot afford gaps.

The next quarterly AML update webinar is scheduled for July 2026. For questions or further information, contact Brian Rogers at [email protected] or connect on LinkedIn.