KYC for Lawyers: AML Obligations and Client Verification
Complete guide to KYC obligations for UK lawyers. SRA requirements, SAR filing, legal professional privilege, and sanctions for non-compliance.

Lawyers in the United Kingdom are obliged entities under anti-money laundering (AML) legislation. The Money Laundering Regulations 2022 (MLR 2022), the Proceeds of Crime Act 2002 (POCA), and the Terrorism Act 2000 impose KYC (Know Your Customer) duties that solicitors and barristers must apply when undertaking regulated work. Yet these obligations sit alongside legal professional privilege (LPP), creating a tension that no other regulated profession faces to the same degree. This guide sets out the current AML framework for lawyers, the client verification process, and the consequences of non-compliance.
KYC obligations for lawyers -- what the law requires
UK lawyers are subject to AML obligations through two parallel regimes: the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended in 2022), and Part 7 of the Proceeds of Crime Act 2002. The Solicitors Regulation Authority (SRA) supervises solicitors, while the Bar Standards Board (BSB) oversees barristers who fall within scope.
The Legal Sector Affinity Group (LSAG) publishes sector-specific guidance that the SRA endorses. The most recent edition, updated in 2024, incorporates the changes brought by the Economic Crime and Corporate Transparency Act 2023 and the MLR 2022 amendments.
Which activities trigger AML duties
AML obligations apply only to lawyers performing work within the "regulated sector" as defined by the MLR 2022. Not all legal work is in scope.
In scope:
- Buying, selling, or transferring real property or interests in land.
- Managing client money, securities, or other assets.
- Creating, operating, or managing companies, limited liability partnerships, trusts, or foundations.
- Acting as a nominee shareholder or director.
- Tax advisory services (outside litigation).
- Financial or investment advice connected to the above activities.
Out of scope:
- Litigation and dispute resolution.
- Criminal defence.
- Employment law advice (not involving financial structuring).
- Family law matters not involving financial arrangements covered by the regulations.
- General legal advice that does not involve the regulated activities listed above.
The three pillars of client due diligence
When regulated work is undertaken, the firm must apply customer due diligence (CDD) at three levels:
Standard CDD. Identify the client (and any beneficial owner), verify identity using reliable and independent sources, and understand the purpose and intended nature of the business relationship.
Simplified CDD. Permitted where the client presents a demonstrably low risk -- for example, a UK-listed company or a public authority. Fewer documents may be required, but the risk assessment must be documented.
Enhanced CDD. Required for politically exposed persons (PEPs), clients established in high-risk third countries, and complex or unusually large transactions with no apparent economic purpose. Additional information on the source of wealth and source of funds must be obtained.
Legal professional privilege vs AML reporting -- the tension
Legal professional privilege is a fundamental right recognised in English law and affirmed by the European Court of Human Rights. It protects communications between a lawyer and client made for the purpose of giving or receiving legal advice (advice privilege) or in connection with litigation (litigation privilege). The tension with AML reporting obligations is not theoretical -- it arises regularly in practice.
Table: which activities trigger AML obligations and which are protected
| Activity | AML obligations apply | SAR required if suspicious | LPP protection |
|---|---|---|---|
| Criminal defence | No | No | Full |
| Civil litigation | No | No | Full |
| Conveyancing (property purchase) | Yes | Yes, to NCA | Partial -- privilege may not apply |
| Company formation | Yes | Yes, to NCA | Partial |
| Trust administration | Yes | Yes, to NCA | Partial |
| Tax planning (non-contentious) | Yes | Yes, to NCA | Partial |
| Legal advice on AML compliance | Depends on context | No, if purely advisory | Full (advice privilege) |
| Settlement negotiations | No (litigation context) | No | Full (litigation privilege) |
When privilege yields to reporting
Under section 330 of POCA, a lawyer in the regulated sector who knows or suspects that a person is engaged in money laundering must file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA). However, section 330(6) provides a carve-out: information received in "privileged circumstances" is exempt from the reporting obligation.
Privileged circumstances means information communicated for the purpose of giving legal advice, or in connection with actual or contemplated legal proceedings. The exemption falls away if the lawyer knows or suspects that the information is communicated with the intention of furthering a criminal purpose -- this is the "crime/fraud exception."
In practice, this means:
- A solicitor advising on a property transaction who suspects the purchase price is funded by criminal proceeds must file a SAR, because conveyancing is not protected by litigation privilege and the advice does not meet the conditions for the exemption.
- A barrister representing a defendant in a fraud trial who learns of potential money laundering through the defence case does not file a SAR, because the information was received in privileged circumstances.
The crime/fraud exception
The protection of privilege does not extend to communications made with the intention of furthering a criminal purpose. If a client seeks legal advice in order to facilitate money laundering, that communication is not privileged, and the lawyer must report. The assessment of whether the crime/fraud exception applies is one of the most difficult judgements a lawyer must make, and the LSAG guidance provides detailed scenarios to assist.
Client verification process -- step-by-step workflow
A structured CDD process reduces both compliance risk and the time spent on manual checks.
Step 1: determine whether the engagement is in the regulated sector
Before any verification, the firm must assess whether the proposed work falls within the scope of the MLR 2022. If the work is purely contentious, AML obligations do not apply. If the engagement spans both contentious and non-contentious work, the firm must apply CDD to the non-contentious component while respecting privilege over the contentious elements.
Step 2: identify the client and beneficial owner
For individuals, collect full name, date of birth, residential address, and nationality. For corporate clients, obtain the registered name, company number, registered office, and the identity of all beneficial owners holding 25% or more of the shares or voting rights (reduced to 15% for high-risk entities under AMLD6 provisions being transposed into UK law).
Step 3: verify identity
Verification must be based on documents, data, or information from a reliable and independent source:
- Individuals. Current passport or driving licence, supplemented by a utility bill or bank statement (dated within 3 months) for address verification.
- Companies. Companies House certificate of incorporation, most recent confirmation statement, and a register of persons with significant control (PSC register).
- Trusts. Trust deed, identification of all trustees and beneficiaries, and a structure chart where relevant.
Automated document validation reduces verification time from 30-45 minutes per client to under 5 minutes, while flagging inconsistencies that manual review might miss.
Step 4: assess risk and apply proportionate measures
Apply the firm's risk assessment framework, considering:
| Factor | Lower risk | Standard risk | Higher risk |
|---|---|---|---|
| Client type | UK listed company, public authority | UK private company, individual | PEP, trust, overseas entity |
| Geographic risk | UK, EEA | Non-high-risk third country | FATF high-risk jurisdiction |
| Service type | Standard conveyancing | Commercial property | Multi-jurisdictional structuring |
| Transaction value | Below GBP 10,000 | GBP 10,000 - 100,000 | Above GBP 100,000 |
| Source of funds | Employment income, verified savings | Business proceeds | Unclear or undocumented |
Step 5: ongoing monitoring and record retention
CDD is not a one-off exercise. Firms must monitor the business relationship on an ongoing basis and update verification records when circumstances change. All CDD records must be retained for at least 5 years from the end of the business relationship or the completion of the occasional transaction.
Sanctions and penalties for non-compliance
Non-compliance with AML obligations carries significant consequences for UK lawyers, ranging from regulatory censure to criminal prosecution.
SRA enforcement
The SRA has the power to impose fines of up to GBP 25,000 on individuals and unlimited fines on firms. It can also impose conditions on practising certificates, suspend solicitors, or initiate proceedings before the Solicitors Disciplinary Tribunal (SDT), which has the power to strike off. The SRA published 47 AML-related enforcement decisions in 2024-2025, an increase of 32% over the previous period.
Criminal penalties under POCA
Failure to disclose knowledge or suspicion of money laundering is an offence under section 330 of POCA, punishable by up to 5 years' imprisonment and an unlimited fine. "Tipping off" -- informing the client that a SAR has been filed -- carries the same maximum sentence under section 333A.
Office for Professional Body Anti-Money Laundering Supervision (OPBAS)
OPBAS, operated by the Financial Conduct Authority, oversees the SRA and BSB in their role as AML supervisors. OPBAS has criticised legal sector supervisors for inconsistent enforcement and has pushed for higher standards, resulting in a more aggressive approach from the SRA since 2023.
Reputational consequences
SRA enforcement decisions are published and searchable. A firm found to have failed in its AML duties faces not only formal sanctions but lasting damage to its market position, client relationships, and ability to attract talent.
Automating KYC while preserving client privilege
Automation addresses both the efficiency challenge and the compliance challenge, provided the chosen tool respects the boundaries of legal professional privilege.
What a law firm needs from a KYC tool
- Data compartmentalisation. CDD data must be segregated from the legal file. No information from privileged communications should be accessible to the verification system.
- UK/EU data residency. Client data must be hosted within a jurisdiction that meets GDPR and UK GDPR standards.
- Full audit trail. Every verification step must be timestamped and logged, producing an evidence file that satisfies SRA inspection requirements.
- Sanctions and PEP screening. Real-time checks against UK sanctions lists, HMT consolidated list, and international PEP databases.
CheckFile.ai provides automated document validation with European hosting, native file compartmentalisation, and a complete audit trail. View our pricing for a solution scaled to your firm's volume.
For a detailed look at automating KYC in law firms while protecting privilege, read our companion guide on law firm KYC automation and client privilege. You can also explore our industry verification guide for a cross-sector comparison of AML obligations.
The business case
A mid-sized firm onboarding 150 new matters per month spends an estimated 75 to 110 hours on manual CDD. Automated verification reduces this by 70-80%, freeing fee earners for billable work. Flexible financing and leasing options allow firms to implement without a large upfront outlay.
Frequently asked questions
Can a solicitor refuse to file a SAR by claiming legal professional privilege?
Only if the information was received in genuinely privileged circumstances -- that is, for the purpose of giving legal advice or in connection with litigation. If the work is transactional (conveyancing, company formation, trust administration), privilege does not shield the lawyer from the obligation to report. The crime/fraud exception also removes privilege protection if the communication is intended to further a criminal purpose.
What is the difference between a SAR and a DAML request?
A SAR (Suspicious Activity Report) informs the NCA that a person may be involved in money laundering. A DAML (Defence Against Money Laundering) request is a specific type of SAR filed when the lawyer seeks consent from the NCA to proceed with a transaction that may involve criminal property. Without NCA consent, proceeding with the transaction could constitute a money laundering offence under section 328 of POCA.
How long must CDD records be kept?
A minimum of 5 years from the date the business relationship ends or the occasional transaction is completed. The SRA recommends retaining records for longer where there is a higher risk profile or where proceedings are anticipated.
Does the BSB supervise barristers for AML compliance?
Yes, for barristers who undertake work within the regulated sector. In practice, this is a smaller subset than for solicitors, because barristers less commonly handle client money or conduct transactional work. However, barristers advising on tax, trust structures, or company formations are within scope and must comply.
What happens if a firm has no AML policy in place?
The SRA treats the absence of a firm-wide AML policy as a serious compliance failure. Regulation 21 of the MLR 2022 requires firms to maintain written policies, controls, and procedures proportionate to their size and risk profile. Failure to do so can result in enforcement action even if no actual money laundering has occurred.
Strengthen your firm's AML compliance
AML compliance is a legal obligation and a mark of professional credibility. Automating client verification with a tool designed for the legal sector saves time, reduces error rates, and produces the audit trail that regulators expect. Contact us for a demonstration tailored to your firm's requirements.