Conveyancing transactions involving overseas clients carry a higher inherent risk of money laundering and come with a higher bar for due diligence.
Here is what enhanced checks involve, why international cases are more complex, and how to manage them effectively, en cinco minutos (we’re helping you with your international language there!)
Why are overseas conveyancing clients considered higher risk?
The UK property market has long attracted international buyers, and with them, an elevated risk of money laundering. Property is a well-established route for converting criminal proceeds into legitimate assets, and overseas clients introduce additional challenges that make due diligence harder to apply and easier to get wrong.
The SRA’s supervisory findings and the UK’s National Risk Assessment both identify international transactions as an area of increased concern. Residential conveyancing remains one of the highest-risk practice areas, and transactions involving overseas clients, particularly those linked to high-risk jurisdictions, overseas-sourced funds, or complex ownership structures, carry a heightened level of exposure.
The starting point for firms is recognising that a standard domestic customer due diligence approach may not be sufficient, and that enhanced due diligence will often be required.
When is enhanced due diligence required for international clients?
Enhanced due diligence is required under the Money Laundering Regulations whenever a higher risk of money laundering is identified. In the context of overseas clients, several factors commonly trigger this threshold.
A client who is not physically present presents a higher risk, as remote verification requires additional safeguards. Clients connected to high-risk third countries require increased scrutiny due to weaknesses in those jurisdictions’ AML frameworks.
Foreign politically exposed persons are treated as higher risk by default and require enhanced due diligence, including source of wealth checks and senior management approval. Where funds originate overseas, particularly where they pass through multiple jurisdictions or accounts, the complexity of verification increases and further scrutiny is required.
Any one of these factors may be sufficient to trigger enhanced due diligence. In practice, international transactions often involve more than one.
What does enhanced due diligence involve in practice?
Enhanced due diligence is not a single additional check, but a higher standard applied across the entire due diligence process.
For identity verification, firms need to consider whether their systems can genuinely support international checks. Not all digital identity providers can verify overseas documents, read foreign biometric chips, or access international data sources. Relying on systems designed for domestic use may create gaps in verification.
For source of funds, the evidential threshold is higher. Foreign bank statements may be more difficult to interpret or verify, and the regulatory environment of the originating country becomes relevant. Funds that move across multiple jurisdictions or accounts require careful tracing, and where the origin cannot be clearly linked to a legitimate source, this should be treated as a significant red flag.
For PEP and sanctions screening, checks must extend beyond UK databases. PEP status and sanctions exposure can vary by jurisdiction, and relying solely on domestic screening risks missing relevant information.
For ongoing monitoring, the same principle of proportionality applies, but risk profiles may change more quickly in response to geopolitical or regulatory developments. This means that reassessment may need to happen more frequently.
What challenges do firms face with international AML checks?
Enhanced due diligence for overseas clients presents practical challenges that go beyond standard domestic processes.
Staff may not be familiar with risk indicators associated with specific jurisdictions, making it harder to identify when something is unusual. Document verification is more complex, as overseas documents may not support NFC chip reading, may be issued in different formats, or may require translation.
Establishing ultimate beneficial ownership can also be more difficult. Corporate structures involving offshore entities and multiple layers of ownership can obscure who ultimately controls a transaction. Language barriers can slow the process and create gaps in understanding that introduce additional risk.
Firms should assess whether their current processes, systems, and expertise are sufficient for the type of international work they are undertaking
What does good AML practice look like for overseas clients?
Firms that handle international clients effectively tend to adopt a structured and proactive approach. This includes clearly distinguishing between domestic and international matters at the outset, ensuring staff are trained on jurisdiction-specific risk indicators, and using verification and screening tools with genuine international capability.
They are also prepared to ask more detailed questions, request additional documentation, and escalate concerns to the MLRO at an earlier stage where the risk profile is unclear. A cautious and enquiring approach is often the most effective safeguard.
OneSearch AML supports international due diligence through access to global PEP and sanctions datasets, adverse media screening, and international identity verification tools designed for cross-border transactions.
Working with overseas clients requires a shift from standard due diligence to a more investigative and risk-sensitive approach. The presence of international elements, whether in the client, the funds, or the ownership structure, increases complexity and reduces the reliability of assumptions that might hold in domestic cases. Enhanced due diligence is therefore not just a regulatory requirement, but a practical necessity.
Firms that approach these transactions with the right tools, clear processes, and a willingness to probe further are better placed to manage risk effectively and demonstrate compliance if challenged.
Remote identity verification is now a routine part of conveyancing, but what it involves, and what makes it compliant, is not always clear.
Here is how the process works, what it covers, and what firms need to get right.
How has conveyancing moved to remote identity verification?
For much of conveyancing’s recent history, identity verification meant a face-to-face meeting, with documents examined in person, copies certified, and records updated manually. The COVID-19 pandemic accelerated a shift that was already underway, and remote identity verification has since become standard practice in many firms.
When implemented correctly, remote verification is not a compromise on security. Modern technology, including biometric matching, NFC chip reading, and liveness detection, can produce a more reliable result than manual document review, while also creating a clear and auditable digital record. Where processes are poorly designed or inconsistently applied, however, the risk increases. Documents may be accepted without proper scrutiny, checks may be incomplete, and audit trails may be insufficient.
Understanding what remote verification involves is essential to applying it correctly.
What does a compliant remote identity verification process include?
A compliant remote identity verification process covers three core elements, all of which must be present to meet the requirements of the Money Laundering Regulations and, for firms seeking HMLR Safe Harbour protection, Practice Guide 81.
The first is document verification, which confirms that the identity document is genuine. For Safe Harbour purposes, this involves reading the NFC chip embedded in biometric passports, EU and EEA identity cards, and UK biometric residence permits. The chip contains cryptographically signed data from the issuing authority, and verifying this data provides a level of assurance that cannot be achieved through visual inspection alone.
The second is biometric matching, which confirms that the person presenting the document is the individual shown on it. This is typically achieved by comparing a live image captured via a smartphone against the image stored on the document’s chip. The comparison is carried out algorithmically and provides a more consistent result than a manual check.
The third is liveness detection, which confirms that the image being captured is genuinely live. It ensures that the individual is physically present and not attempting to use a photograph, mask, or recorded video to impersonate someone else. This is a critical safeguard against increasingly sophisticated spoofing attempts.
What identity documents can be used for remote verification?
Not all identity documents support full remote digital verification. For the process to function correctly, and particularly for NFC chip reading, the document must contain an embedded chip.
The documents that meet this requirement include biometric passports, EU and EEA identity cards with biometric capability, and UK biometric residence permits. These allow the system to carry out full cryptographic verification.
Other documents, such as driving licences or non-biometric passports, can support identity checks but cannot be verified using NFC technology. For firms aiming to meet the HMLR Safe Harbour standard, a chip-enabled document is required.
What does the remote ID process look like for clients?
From the client’s perspective, the process is typically straightforward. They receive a link or access a secure portal, scan their identity document using their smartphone, capture a short video or image, and complete any required prompts. The process usually takes only a few minutes.
Behind the scenes, however, multiple checks are carried out simultaneously. The system performs NFC verification, biometric comparison, and liveness detection, cross-checking the results and flagging any inconsistencies. The outcome should be a clear, auditable record of the checks completed, including the results and timestamps.
This audit trail is important. The SRA expects firms to be able to demonstrate that identity checks were carried out, when they were completed, and what the outcome was.
What risks do firms need to manage with remote verification?
Remote verification introduces specific risks where processes are not properly designed or applied. Common issues include accepting documents that do not support full digital verification without recognising the limitation, relying on systems that do not carry out all required elements, and treating a verification report as the end of the process without reviewing its content.
It is also important to understand the scope of remote verification. It confirms identity, meaning that the individual is who they claim to be. It does not replace other AML requirements, such as source of funds checks, PEP and sanctions screening, or ongoing monitoring. These obligations continue throughout the life of the matter.
Remote identity verification should be seen as one component of a wider AML framework rather than a standalone solution. When all three elements are applied correctly, document verification, biometric matching, and liveness detection, the process can provide a high level of assurance and a clear audit trail. However, its effectiveness depends on how it is implemented and reviewed in practice.
Firms that treat remote verification as a complete solution risk overlooking the broader obligations that sit alongside it, while those that embed it within a structured and consistent process are better placed to meet both regulatory expectations and client needs.
Digital identity verification is now standard practice in conveyancing. However, the technology behind it, including biometrics, NFC chip reading, and liveness detection, is not always well understood.
Here is how it works, what each component does, and why it matters for AML compliance.
How has identity verification in conveyancing changed?
For most of conveyancing’s history, verifying a client’s identity meant checking physical documents in person, such as a passport across a desk, a utility bill, or a driving licence. The process was time-consuming, inconsistent, and increasingly inadequate as fraud became more sophisticated.
Digital identity verification has changed that. Clients can now complete checks remotely using a smartphone, with technology performing in seconds what manual review cannot do reliably. It can confirm not only that a document appears genuine, but that its underlying data is authentic and that the person presenting it is physically present.
In March 2021, HM Land Registry formalised this shift through Practice Guide 81, which introduced the Safe Harbour standard. This set out the requirements for digital identity checks that, if met, protect conveyancers from liability where identity fraud later emerges. Understanding the underlying technology is key to understanding what those requirements mean in practice.
What is biometric verification and how does it work?
Biometric verification forms the foundation of digital identity checks. It uses physical characteristics to confirm that a person is who they claim to be.
In most AML contexts, this involves facial recognition. The client takes a photograph or short video using their device, and the system compares it against the image stored on their identity document. This comparison is carried out algorithmically, analysing the geometry of facial features in a way that is more consistent and reliable than a manual visual check.
Biometric verification is a core requirement of the Safe Harbour standard. The system must confirm that the person presenting the identity matches the image held on the document, rather than simply accepting an uploaded file.
What is NFC chip reading and why is it important?
Modern passports, EU and EEA ID cards, and UK biometric residence permits contain an embedded NFC chip. This chip stores a digital copy of the document’s data, including biometric information and a cryptographic signature from the issuing authority.
When a client places their document against a smartphone, the chip transmits this data. The system can then verify that the digital signature is genuine, confirm that the signing key is valid, and extract the biometric data for comparison against the live image.
This is the most secure form of document verification currently available. While a physical document can be forged, replicating a valid cryptographic signature from an issuing authority is not realistically achievable. For this reason, NFC chip reading is a core part of the Safe Harbour standard.
What is liveness detection and how does it prevent fraud?
Biometric matching and chip reading confirm that a genuine document exists and that the image matches the person presenting it. Liveness detection adds a further layer by confirming that the individual is physically present, rather than using a photograph, mask, or recorded video.
Active liveness requires the user to perform an action, such as blinking or turning their head, to demonstrate that they are present. Because the action is prompted, it can potentially be anticipated and mimicked.
Passive liveness operates in the background without requiring any action from the user. Using machine learning techniques, the system analyses image data to distinguish between a live person and a static or replayed image. Because the user is unaware of the check, passive liveness is generally considered more resilient to spoofing attempts.
Both approaches are used in practice, and understanding the difference is important when assessing providers.
What does the Safe Harbour standard require in practice?
The Safe Harbour standard requires a combination of checks. These include obtaining evidence from a biometric identity document, verifying that document using NFC chip reading, and matching the individual to the document using biometric verification.
For conveyancers acting for sellers, there is an additional requirement to establish a connection between the client and the property.
Where these requirements are met, conveyancers benefit from protection. If a client’s identity is later found to be fraudulent, HM Land Registry will not pursue recourse, provided the checks were carried out correctly.
It is also important to distinguish between standards. The Safe Harbour framework defines the process that must be followed, while the Digital Verification Services Trust Framework governs the providers offering these services. Using a provider listed on the DVS register is increasingly seen as evidence that the underlying technology meets a credible and recognised standard.
Taken together, digital identity verification relies on multiple layers working in combination. Biometric matching confirms identity, NFC chip reading verifies the integrity of the document, and liveness detection ensures the person is genuinely present. The Safe Harbour standard brings these elements together into a defined process that, when followed correctly, provides both compliance and protection.
As expectations continue to evolve, understanding how these components work is essential for assessing providers and ensuring that identity checks are not only completed, but carried out to a standard that stands up to scrutiny.
Identifying politically exposed persons and sanctioned individuals is a core AML obligation, but it is one where the rules have recently shifted.
Here is what PEP and sanctions checks involve, who they apply to, and what the updated rules mean for how firms should approach them.
Why do PEP and sanctions checks matter in AML compliance?
PEP and sanctions screening sit within the broader customer due diligence framework, but they carry particular weight. The concern with politically exposed persons is that their public position creates an elevated risk of corruption or bribery, and that property transactions are a well-established route for laundering the proceeds.
Sanctions checks serve a different but equally serious purpose. They ensure that firms are not facilitating transactions involving individuals or entities subject to legal restrictions.
Both checks are required at onboarding, and both must be kept up to date throughout the life of a matter. A client who was not a PEP at the outset may become one, and sanctions lists are updated frequently.
What is a politically exposed person (PEP)?
A PEP is an individual who is, or has been, entrusted with a prominent public function. This includes heads of state and government, ministers, members of parliament, senior members of the judiciary, senior military officials, members of central banks, and ambassadors, along with their close family members and known close associates.
Under the Money Laundering Regulations, identifying a client as a PEP triggers enhanced due diligence. This includes obtaining senior management approval, taking steps to establish the source of wealth and source of funds, and applying closer ongoing monitoring.
Importantly, being a PEP does not mean refusing to act. It means applying additional scrutiny and documenting the approach taken.
How have the rules on domestic PEPs changed?
The treatment of domestic PEPs, meaning those who hold or have held public functions in the UK, has changed in recent years.
Since January 2024, the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 require firms to treat domestic PEPs as lower risk than foreign PEPs as a starting point. This is now set out in legislation, rather than guidance. Unless other risk factors are present, firms should apply a proportionate level of enhanced due diligence.
Further clarification was provided in FCA guidance FG 25/3, published in July 2025. This confirms that non-executive directors of UK civil service bodies should not be treated as PEPs, and reinforces that firms should not refuse or exit relationships solely because a client meets the PEP definition.
In practice, this means risk should be assessed on a case-by-case basis, rather than applied automatically based on a public role.
What are sanctions and how do they apply to law firms?
Sanctions are legal restrictions imposed by governments or international bodies on individuals, companies, or countries, often in response to national security concerns, human rights issues, or foreign policy objectives. In the UK, the Office of Financial Sanctions Implementation within HM Treasury administers the sanctions regime.
Firms in the regulated sector must not provide services to sanctioned individuals or entities, or facilitate transactions that would benefit them. Breaching sanctions can result in significant criminal and civil penalties, including fines and imprisonment.
Unlike PEP status, which requires judgement around risk, a sanctions match is a clear prohibition. If a client appears on a sanctions list, the matter cannot proceed without specialist legal advice, and reporting obligations may arise.
How often should PEP and sanctions checks be updated?
PEP and sanctions checks should not be treated as a one-off exercise. Both need to be refreshed throughout the life of a matter.
PEP status can change if a client takes on a new public role, and sanctions lists can be updated at short notice in response to international developments. Relying on a single check at onboarding creates a risk that changes will go unnoticed.
Manual processes make this difficult to manage consistently. Automated screening tools that re-check clients against current databases at regular intervals provide a more reliable way to identify changes in status.
Taken together, PEP and sanctions checks are not just about identifying risk at the outset, but about maintaining an accurate and up-to-date understanding of a client’s status throughout the life of a matter. While PEP classification requires proportionate judgement and a risk-based approach, sanctions obligations are absolute and leave no room for discretion.
The direction of travel in regulation is clear: firms are expected to apply these checks consistently, keep them current, and ensure that any changes in status are identified and acted on promptly.
AML compliance is not just about checking individual clients. Every firm in the regulated sector must also have a set of firm-level obligations in place that are documented, approved, and actively maintained.
Here is what the law actually requires, and what good governance looks like in practice, in just 5 minutes.
Why is AML compliance more than just client checks?
When people think about AML compliance in conveyancing, they tend to focus on client-facing checks such as verifying identity, understanding source of funds, and screening for PEPs and sanctions. These obligations are real and important, but they sit on top of a layer of firm-wide requirements that must be in place first.
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose obligations on the firm as an entity, not just on individual fee-earners dealing with specific matters. Getting these foundations right is critical, as the SRA’s supervisory findings consistently show that weaknesses at firm level tend to flow directly into weaknesses at matter level.
What is a firm-wide AML risk assessment and why does it matter?
The starting point is Regulation 18, which requires every firm in the regulated sector to carry out and document a firm-wide risk assessment. This is a written analysis of the money laundering and terrorist financing risks the firm is exposed to, taking into account its size, client base, the services it offers, the geographic areas it operates in, and the types of transactions it handles.
The assessment must be approved by senior management and kept up to date. It is not a one-off exercise. It should be reviewed whenever the firm’s circumstances change materially, and at regular intervals regardless.
This matters because it sets the context for everything that follows. It defines what higher and lower risk look like for the firm, which in turn informs how individual client and matter risk assessments should be approached.
Who is responsible for AML compliance in a law firm?
Every firm in the regulated sector must appoint a Money Laundering Reporting Officer (MLRO). This is a named individual, typically a senior person within the firm, who is responsible for receiving internal reports of suspicious activity, deciding whether to submit a Suspicious Activity Report to the National Crime Agency, and overseeing the firm’s AML compliance more broadly.
The MLRO role carries real responsibility. The individual appointed needs sufficient seniority, authority, and access to information to carry out the role effectively. In smaller firms, this is often a principal or partner. In larger firms, it may be a dedicated compliance professional. In all cases, the appointment must be documented and properly supported, rather than treated as a formality.
What AML policies, controls and procedures are required?
Regulation 19 requires firms to establish and maintain written AML policies, controls and procedures. These should cover how the firm identifies and verifies clients, how it assesses risk, how it monitors ongoing matters, how suspicious activity is reported internally, how staff are trained, and how compliance is audited.
The policies do not need to be lengthy, but they do need to be meaningful. The SRA has identified cases where firms have adopted template policies without tailoring them to their actual practice, which fails the requirement. Policies should reflect how the firm operates in reality, and staff should understand and follow them in practice.
What AML training do staff need to receive?
All relevant staff must receive regular AML training. This includes not only fee-earners, but anyone involved in client onboarding, financial transactions, or file management. Training should cover what money laundering is, what the firm’s obligations are, how to identify suspicious activity, and how to report concerns internally.
Training also needs to be kept current. A one-off session delivered several years ago is not sufficient. Firms should be able to demonstrate when training was delivered, who received it, and what it covered.
When is an independent AML audit required?
Larger firms, or those with a higher-risk profile, are required under Regulation 21 to have their AML policies and controls independently audited. This does not necessarily mean appointing an external auditor. In some firms, it can be an internal function that sits outside the compliance team.
The key requirement is independence. The purpose of the audit is to assess whether the firm’s AML framework is actually working in practice, rather than simply existing on paper.
Taken together, firm-wide AML obligations form the foundation of effective compliance. A documented risk assessment, a clearly defined MLRO role, tailored policies, regular training, and independent oversight are not separate requirements but parts of a single system.
Where firms fall short is often not in having these elements in place, but in failing to connect them or keep them active. The regulatory expectation is clear: these controls should shape how the firm operates day to day, not exist as static documents created to satisfy a requirement.
Digital identity verification has been quietly reshaping how conveyancers carry out AML checks for several years.
In December 2025, it took a significant step forward: the Digital Verification Services Trust Framework was placed on a statutory footing under the Data (Use and Access) Act 2025.
For this ‘Five Minutes on…’, we take a deep dive into what that means and what it changes for your firm.
What changed when the DVS Trust Framework became law?
For several years, digital identity providers operating in the UK worked within a voluntary framework, a set of standards published by the government against which they could be assessed and certified. Choosing a certified provider gave conveyancers confidence that the technology met a recognised benchmark, but certification was optional and the framework carried no statutory weight.
That changed in December 2025. Under the Data (Use and Access) Act 2025, the Digital Verification Services (DVS) Trust Framework became a statutory framework, the first of its kind in the UK. Providers of digital identity services can now apply to be formally registered by the government, and that registration carries legal backing that was previously absent.
For conveyancers, this matters. The tools used to verify client identities are increasingly subject to a formal, legally grounded standard, rather than just an industry benchmark.
What is the DVS Trust Framework and how does it work?
The DVS Trust Framework sets out the rules and technical requirements organisations must meet to provide digital identity and attribute verification services in the UK. It covers how identity data is collected, checked, and stored, what security standards apply, and how providers must handle fraud, errors, and complaints.
Providers that meet these requirements can apply to be listed on a government register of certified DVS providers. That register is publicly accessible, meaning conveyancers, law firms, and their clients can check whether a given identity service is formally recognised.
The framework is overseen by the Office for Digital Identities and Attributes (ODIA), within the Department for Science, Innovation and Technology.
How does the DVS Trust Framework compare to HMLR Safe Harbour?
The DVS Trust Framework and the HMLR Safe Harbour standard are related but distinct, and it is important to understand the difference.
Safe Harbour is HM Land Registry’s standard for identity verification in property transactions, introduced in 2021. It sets out specific requirements around biometric checks, NFC chip reading, and evidence of connection to a property. Meeting those requirements means HMLR will treat the conveyancer as having taken reasonable steps to verify identity, providing protection if fraud later comes to light.
The DVS Trust Framework operates at a different level. It governs the identity providers themselves, the platforms conveyancers rely on to carry out checks. A provider listed on the DVS register has been assessed against the government’s standards. Using a registered provider does not automatically mean Safe Harbour has been achieved, but it is a strong indicator that the underlying technology meets a credible, legally recognised standard.
In practice, the two often work together. A conveyancer using a DVS-registered provider to carry out biometric and NFC checks in line with HMLR requirements will be well positioned on both fronts.
What does the DVS Trust Framework mean for conveyancers?
For most firms already using a reputable digital ID provider, the immediate practical change is modest. If your current provider was certified under the previous voluntary framework, they will likely be working towards registration under the statutory version, or may already have it.
The more meaningful shift is what the framework signals for the future. Making DVS statutory reflects a broader government intention to establish digital identity as a trusted, legally grounded part of UK infrastructure. Lenders, regulators, and professional bodies are likely to place increasing weight on whether firms use registered providers.
It is worth checking whether your digital identity provider is listed on the government’s DVS register, or has confirmed its intention to register. If you are evaluating new providers, DVS registration should form part of that assessment.
What has not changed under the DVS Trust Framework?
The DVS Trust Framework does not make digital identity verification compulsory. Manual identity checks remain legally permissible, provided they meet the requirements of the Money Laundering Regulations.
It also does not replace the HMLR Safe Harbour standard, or make it compulsory. Safe Harbour remains optional. However, as expectations around identity verification continue to rise, the practical case for meeting it becomes stronger.
Taken together, the DVS Trust Framework marks a shift towards more formalised standards for digital identity verification. Now set in law under the Data (Use and Access) Act 2025, it establishes the criteria providers must meet to be listed on the government’s public register, giving conveyancers a clearer way to assess whether a provider is formally recognised.
While DVS registration and HMLR Safe Harbour serve different purposes, one governing providers and the other the verification process, they are closely connected in practice. Using a DVS-registered provider does not automatically mean Safe Harbour has been achieved, but it provides a strong foundation.
Importantly, digital identity checks remain optional, and manual verification is still permissible, though expectations are clearly evolving. As a result, firms should be considering whether their current provider is registered, or actively working towards it.
