Skip to main content

    For solicitors

    AML client due diligence for solicitors

    Client due diligence is not a single identity check. It combines identity, ownership, the purpose of the matter, risk and ongoing scrutiny in a record your firm can explain.

    8 minute read
    A solicitor reviewing an identity document beside a digital compliance screen

    This guide is general information for solicitors and law firms. It does not replace the Money Laundering Regulations, Legal Sector Affinity Group guidance, SRA guidance or your firm's risk-based policies.

    01

    Understand who the client is

    Customer due diligence starts by identifying the client and checking that they are who they say they are. For an individual, firms commonly collect a name, date of birth, residential address and suitable identity evidence. For a company, trust or other legal arrangement, the work can extend to ownership, control and beneficial owners.

    Also record anyone acting for the client and the basis of their authority. The person using your service, the person instructing you and the person who ultimately owns or controls an entity are not always the same.

    • Identify the client and verify their identity using reliable evidence.
    • Identify beneficial owners where the client is an entity or arrangement.
    • Understand the ownership and control structure.
    • Verify the authority of anyone acting on the client's behalf.
    • Provide a workable route for clients who cannot produce standard documents.

    02

    Match the work to the risk

    The amount of due diligence should reflect the risk associated with the client, matter and transaction. A low-risk label is not a reason to skip identification, and a high-risk matter needs more than a larger document pile. The file should show which risks were identified and how the extra work addressed them.

    Consider the purpose and intended nature of the relationship, the services being used, geography, delivery channel, client profile and any unusual transaction features. Apply enhanced due diligence where the Regulations and your firm's assessment require it.

    • Record the matter-level risk assessment before final acceptance.
    • Distinguish standard, simplified and enhanced measures.
    • Explain why the selected level of checking is proportionate.
    • Revisit the assessment if the client or matter changes.

    03

    Treat screening as evidence, not the final decision

    PEP, sanctions and adverse-media screening can surface possible matches. A result still needs to be checked against the person's details and the wider matter. Record false-positive reasoning and escalate genuine concerns through the firm's process.

    Keep provider status, evidence collection and firm review as separate states. That makes it possible to see whether information is missing, a check is still running or a qualified user needs to make a decision.

    • Record the screening provider outcome and time of the check.
    • Review possible matches against reliable identifying information.
    • Keep the reviewer's decision and rationale.
    • Rescreen or refresh checks when the firm's policy requires it.

    04

    Keep a record another reviewer can follow

    A good AML file shows the information obtained, the checks performed and the decisions made. It should also show when information changed and whether ongoing monitoring remains consistent with what the firm knows about the client and the matter.

    Digital identity services can form part of customer due diligence, but firms must check the current rules and the assurance of the service they choose. A digital result does not remove the need for a risk-based assessment or scrutiny of the relationship.

    • Retain the identity and ownership evidence used for the decision.
    • Keep the risk assessment, screening outcomes and review notes together.
    • Record material changes, repeat checks and escalation decisions.
    • Limit access to sensitive evidence and follow the firm's retention policy.

    Questions clients and firms ask

    Is AML client due diligence the same as an identity check?

    No. Identity verification is one part of due diligence. Firms may also need to understand beneficial ownership, the purpose of the relationship, the source of funds, risk factors and ongoing activity.

    Can a firm rely on an automated screening result?

    Screening can identify possible matches and organise evidence. A qualified user still needs to review relevant results and record the firm's decision.

    When should due diligence be refreshed?

    Follow the Regulations, current sector guidance and your firm's policy. Refresh work when risk, client information or the nature of the matter changes, and when ongoing monitoring calls for it.

    Sources and further reading

    1. HMRC guidance on customer due diligence
    2. HM Treasury guidance on digital identities and the Money Laundering Regulations
    3. SRA money laundering questions and answers