Risk & Compliance - OneSearch

The SRA’s most current AML report marks a clear shift in enforcement. More inspections, more failures, and far less tolerance for underperforming compliance.

Here’s what the findings actually show, and what firms should be doing about it.

The numbers are difficult to snub. In the year to April 2025, the SRA carried out 935 proactive AML engagements, up from 545 the year before. Of the 833 firms reviewed, nearly one in three were non-compliant, and a further 54% were only partially compliant.

That leaves fewer than one in seven firms fully compliant with their AML obligations.

This is not incremental improvement. It’s systemic underperformance in an area where the regulatory, financial, and reputational stakes are only increasing.

What the SRA found

The report identifies several areas of consistent weakness across the firms it reviewed. None of them are new. What’s changed is the SRA’s tone, the specificity of its findings, and its willingness to act.

Risk assessments are still failing in practice

Up to 39% of reviewed files did not effectively assess AML risk. Firm-wide risk assessments exist on paper but aren’t being applied at client level. High-risk matters are progressing without the senior oversight they require. Defective AML policies, controls and procedures contributed to a significant proportion of enforcement outcomes.

The SRA has been explicit: it expects risk assessments to inform decisions, not just document them.

Identity verification is inconsistently applied

Documents are missing from files, checks are relaxed for familiar clients, enhanced due diligence is not being triggered when risk indicators are present.

Emerging threats, including deepfake ID fraud and remote onboarding risks, are exposing gaps in already inconsistent processes.

Source of funds checks are being treated as a formality

The SRA’s thematic review found that, across more than 5,800 client files reviewed, 11% lacked source of funds checks entirely and 18% showed inadequate scrutiny.

Firms are collecting documents but not reviewing them. The distinction between source of funds and source of wealth is still not being applied consistently, even in higher-risk matters.

Ongoing monitoring remains the most overlooked obligation

For many firms, AML compliance still ends at onboarding. There is no structured mechanism to revisit matters, reassess risk, or refresh PEP and sanctions checks as circumstances change.

The SRA has identified ongoing monitoring as one of the most effective controls available, and one of the most consistently absent.

Training and governance weaknesses underpin the gaps

Template policies are not aligned to real-world practice. Training is not consistently refreshed or embedded. Governance structures, including MLRO oversight, do not always translate into effective day-to-day compliance.

An intensifying direction

The scale of supervisory activity tells its own story. Scrutiny is increasing, and it’s not slowing down. The SRA engaged with nearly twice as many firms in 2024-25 as the year before, and it has signalled clearly that all firms should expect attention.

At the same time, enforcement is intensifying. Combined AML penalties exceeded £1.5 million in 2024-25, the highest total yet based on SRA enforcement outcomes. The number of cases referred to the Solicitors Disciplinary Tribunal rose sharply, and criminal enforcement is no longer theoretical.

The message is clearly that AML compliance is no longer a paper exercise.

The more significant shift however, is structural. The government has confirmed that the Financial Conduct Authority will become the single professional services supervisor for AML, replacing the SRA and other supervisory bodies. The SRA will continue supervising AML through 2026 while legislation is prepared, but the direction of travel is already clear.

The FCA’s approach is more data-driven, and backed by broader enforcement powers. Firms that treat 2026 as a year to prepare for FCA-level scrutiny will be far better positioned than those that wait.

What firms should be doing now

The SRA’s findings point to a clear set of priorities for firms that want to stay on the right side of compliance.

Fix your risk assessment framework first

The firm-wide risk assessment should reflect how the firm actually operates: its client base, transaction types, and geographic exposure. It should be actively used, not filed and forgotten.

Matter-level risk assessments should be completed before work progresses, include clear reasoning, and link back to the firm-wide view.

Stress-test your identity verification process

Are all relevant parties being verified? Are enhanced checks triggered at the right time? Is there a clear and auditable record?

As fraud risks evolve, reliance on manual document checks is becoming increasingly difficult to defend.

Move beyond “box-ticking” on source of funds

Receiving documentation is not the same as assessing it. Firms must actively review what is provided, question inconsistencies, and document their conclusions.

Source of funds should be standard on every file; source of wealth should be assessed in higher-risk matters.

Build ongoing monitoring into your workflow, properly

This requires a defined process, not good intentions. Whether through scheduled file reviews, case management prompts, or automated re-screening, firms need to ensure monitoring actually happens and that changes trigger reassessment.

Strengthen training and governance from the top down

AML training should be current, relevant, and regularly refreshed. Policies should reflect how the firm actually operates, not generic templates.

Governance structures must support consistent application of AML controls across the firm.

Our 2026 AML guide

If this raises questions about where your firm stands, Mastering AML Compliance in 2026 provides a practical starting point.

It covers everything from risk assessments and identity verification to source of funds, Safe Harbour, the DVS Trust Framework, and the role of technology, written specifically for conveyancers who need practical guidance, not regulatory theory.

Download: 'Mastering AML compliance in 2026' here

OneSearch AML is a digital AML offering built specifically for conveyancers. To find out more, visit onesearch.direct/products/onesearch-aml.

Remote identity verification is now a routine part of conveyancing, but what it involves, and what makes it compliant, is not always clear.

Here is how the process works, what it covers, and what firms need to get right.

How has conveyancing moved to remote identity verification?

For much of conveyancing’s recent history, identity verification meant a face-to-face meeting, with documents examined in person, copies certified, and records updated manually. The COVID-19 pandemic accelerated a shift that was already underway, and remote identity verification has since become standard practice in many firms.

When implemented correctly, remote verification is not a compromise on security. Modern technology, including biometric matching, NFC chip reading, and liveness detection, can produce a more reliable result than manual document review, while also creating a clear and auditable digital record. Where processes are poorly designed or inconsistently applied, however, the risk increases. Documents may be accepted without proper scrutiny, checks may be incomplete, and audit trails may be insufficient.

Understanding what remote verification involves is essential to applying it correctly.

What does a compliant remote identity verification process include?

A compliant remote identity verification process covers three core elements, all of which must be present to meet the requirements of the Money Laundering Regulations and, for firms seeking HMLR Safe Harbour protection, Practice Guide 81.

The first is document verification, which confirms that the identity document is genuine. For Safe Harbour purposes, this involves reading the NFC chip embedded in biometric passports, EU and EEA identity cards, and UK biometric residence permits. The chip contains cryptographically signed data from the issuing authority, and verifying this data provides a level of assurance that cannot be achieved through visual inspection alone.

The second is biometric matching, which confirms that the person presenting the document is the individual shown on it. This is typically achieved by comparing a live image captured via a smartphone against the image stored on the document’s chip. The comparison is carried out algorithmically and provides a more consistent result than a manual check.

The third is liveness detection, which confirms that the image being captured is genuinely live. It ensures that the individual is physically present and not attempting to use a photograph, mask, or recorded video to impersonate someone else. This is a critical safeguard against increasingly sophisticated spoofing attempts.

What identity documents can be used for remote verification?

Not all identity documents support full remote digital verification. For the process to function correctly, and particularly for NFC chip reading, the document must contain an embedded chip.

The documents that meet this requirement include biometric passports, EU and EEA identity cards with biometric capability, and UK biometric residence permits. These allow the system to carry out full cryptographic verification.

Other documents, such as driving licences or non-biometric passports, can support identity checks but cannot be verified using NFC technology. For firms aiming to meet the HMLR Safe Harbour standard, a chip-enabled document is required.

What does the remote ID process look like for clients?

From the client’s perspective, the process is typically straightforward. They receive a link or access a secure portal, scan their identity document using their smartphone, capture a short video or image, and complete any required prompts. The process usually takes only a few minutes.

Behind the scenes, however, multiple checks are carried out simultaneously. The system performs NFC verification, biometric comparison, and liveness detection, cross-checking the results and flagging any inconsistencies. The outcome should be a clear, auditable record of the checks completed, including the results and timestamps.

This audit trail is important. The SRA expects firms to be able to demonstrate that identity checks were carried out, when they were completed, and what the outcome was.

What risks do firms need to manage with remote verification?

Remote verification introduces specific risks where processes are not properly designed or applied. Common issues include accepting documents that do not support full digital verification without recognising the limitation, relying on systems that do not carry out all required elements, and treating a verification report as the end of the process without reviewing its content.

It is also important to understand the scope of remote verification. It confirms identity, meaning that the individual is who they claim to be. It does not replace other AML requirements, such as source of funds checks, PEP and sanctions screening, or ongoing monitoring. These obligations continue throughout the life of the matter.

Remote identity verification should be seen as one component of a wider AML framework rather than a standalone solution. When all three elements are applied correctly, document verification, biometric matching, and liveness detection, the process can provide a high level of assurance and a clear audit trail. However, its effectiveness depends on how it is implemented and reviewed in practice.

Firms that treat remote verification as a complete solution risk overlooking the broader obligations that sit alongside it, while those that embed it within a structured and consistent process are better placed to meet both regulatory expectations and client needs.

Digital identity verification is now standard practice in conveyancing. However, the technology behind it, including biometrics, NFC chip reading, and liveness detection, is not always well understood.

Here is how it works, what each component does, and why it matters for AML compliance.

How has identity verification in conveyancing changed?

For most of conveyancing’s history, verifying a client’s identity meant checking physical documents in person, such as a passport across a desk, a utility bill, or a driving licence. The process was time-consuming, inconsistent, and increasingly inadequate as fraud became more sophisticated.

Digital identity verification has changed that. Clients can now complete checks remotely using a smartphone, with technology performing in seconds what manual review cannot do reliably. It can confirm not only that a document appears genuine, but that its underlying data is authentic and that the person presenting it is physically present.

In March 2021, HM Land Registry formalised this shift through Practice Guide 81, which introduced the Safe Harbour standard. This set out the requirements for digital identity checks that, if met, protect conveyancers from liability where identity fraud later emerges. Understanding the underlying technology is key to understanding what those requirements mean in practice.

What is biometric verification and how does it work?

Biometric verification forms the foundation of digital identity checks. It uses physical characteristics to confirm that a person is who they claim to be.

In most AML contexts, this involves facial recognition. The client takes a photograph or short video using their device, and the system compares it against the image stored on their identity document. This comparison is carried out algorithmically, analysing the geometry of facial features in a way that is more consistent and reliable than a manual visual check.

Biometric verification is a core requirement of the Safe Harbour standard. The system must confirm that the person presenting the identity matches the image held on the document, rather than simply accepting an uploaded file.

What is NFC chip reading and why is it important?

Modern passports, EU and EEA ID cards, and UK biometric residence permits contain an embedded NFC chip. This chip stores a digital copy of the document’s data, including biometric information and a cryptographic signature from the issuing authority.

When a client places their document against a smartphone, the chip transmits this data. The system can then verify that the digital signature is genuine, confirm that the signing key is valid, and extract the biometric data for comparison against the live image.

This is the most secure form of document verification currently available. While a physical document can be forged, replicating a valid cryptographic signature from an issuing authority is not realistically achievable. For this reason, NFC chip reading is a core part of the Safe Harbour standard.

What is liveness detection and how does it prevent fraud?

Biometric matching and chip reading confirm that a genuine document exists and that the image matches the person presenting it. Liveness detection adds a further layer by confirming that the individual is physically present, rather than using a photograph, mask, or recorded video.

Active liveness requires the user to perform an action, such as blinking or turning their head, to demonstrate that they are present. Because the action is prompted, it can potentially be anticipated and mimicked.

Passive liveness operates in the background without requiring any action from the user. Using machine learning techniques, the system analyses image data to distinguish between a live person and a static or replayed image. Because the user is unaware of the check, passive liveness is generally considered more resilient to spoofing attempts.

Both approaches are used in practice, and understanding the difference is important when assessing providers.

What does the Safe Harbour standard require in practice?

The Safe Harbour standard requires a combination of checks. These include obtaining evidence from a biometric identity document, verifying that document using NFC chip reading, and matching the individual to the document using biometric verification.

For conveyancers acting for sellers, there is an additional requirement to establish a connection between the client and the property.

Where these requirements are met, conveyancers benefit from protection. If a client’s identity is later found to be fraudulent, HM Land Registry will not pursue recourse, provided the checks were carried out correctly.

It is also important to distinguish between standards. The Safe Harbour framework defines the process that must be followed, while the Digital Verification Services Trust Framework governs the providers offering these services. Using a provider listed on the DVS register is increasingly seen as evidence that the underlying technology meets a credible and recognised standard.

Taken together, digital identity verification relies on multiple layers working in combination. Biometric matching confirms identity, NFC chip reading verifies the integrity of the document, and liveness detection ensures the person is genuinely present. The Safe Harbour standard brings these elements together into a defined process that, when followed correctly, provides both compliance and protection.

As expectations continue to evolve, understanding how these components work is essential for assessing providers and ensuring that identity checks are not only completed, but carried out to a standard that stands up to scrutiny.

Identifying politically exposed persons and sanctioned individuals is a core AML obligation, but it is one where the rules have recently shifted.

Here is what PEP and sanctions checks involve, who they apply to, and what the updated rules mean for how firms should approach them.

Why do PEP and sanctions checks matter in AML compliance?

PEP and sanctions screening sit within the broader customer due diligence framework, but they carry particular weight. The concern with politically exposed persons is that their public position creates an elevated risk of corruption or bribery, and that property transactions are a well-established route for laundering the proceeds.

Sanctions checks serve a different but equally serious purpose. They ensure that firms are not facilitating transactions involving individuals or entities subject to legal restrictions.

Both checks are required at onboarding, and both must be kept up to date throughout the life of a matter. A client who was not a PEP at the outset may become one, and sanctions lists are updated frequently.

What is a politically exposed person (PEP)?

A PEP is an individual who is, or has been, entrusted with a prominent public function. This includes heads of state and government, ministers, members of parliament, senior members of the judiciary, senior military officials, members of central banks, and ambassadors, along with their close family members and known close associates.

Under the Money Laundering Regulations, identifying a client as a PEP triggers enhanced due diligence. This includes obtaining senior management approval, taking steps to establish the source of wealth and source of funds, and applying closer ongoing monitoring.

Importantly, being a PEP does not mean refusing to act. It means applying additional scrutiny and documenting the approach taken.

How have the rules on domestic PEPs changed?

The treatment of domestic PEPs, meaning those who hold or have held public functions in the UK, has changed in recent years.

Since January 2024, the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 require firms to treat domestic PEPs as lower risk than foreign PEPs as a starting point. This is now set out in legislation, rather than guidance. Unless other risk factors are present, firms should apply a proportionate level of enhanced due diligence.

Further clarification was provided in FCA guidance FG 25/3, published in July 2025. This confirms that non-executive directors of UK civil service bodies should not be treated as PEPs, and reinforces that firms should not refuse or exit relationships solely because a client meets the PEP definition.

In practice, this means risk should be assessed on a case-by-case basis, rather than applied automatically based on a public role.

What are sanctions and how do they apply to law firms?

Sanctions are legal restrictions imposed by governments or international bodies on individuals, companies, or countries, often in response to national security concerns, human rights issues, or foreign policy objectives. In the UK, the Office of Financial Sanctions Implementation within HM Treasury administers the sanctions regime.

Firms in the regulated sector must not provide services to sanctioned individuals or entities, or facilitate transactions that would benefit them. Breaching sanctions can result in significant criminal and civil penalties, including fines and imprisonment.

Unlike PEP status, which requires judgement around risk, a sanctions match is a clear prohibition. If a client appears on a sanctions list, the matter cannot proceed without specialist legal advice, and reporting obligations may arise.

How often should PEP and sanctions checks be updated?

PEP and sanctions checks should not be treated as a one-off exercise. Both need to be refreshed throughout the life of a matter.

PEP status can change if a client takes on a new public role, and sanctions lists can be updated at short notice in response to international developments. Relying on a single check at onboarding creates a risk that changes will go unnoticed.

Manual processes make this difficult to manage consistently. Automated screening tools that re-check clients against current databases at regular intervals provide a more reliable way to identify changes in status.

Taken together, PEP and sanctions checks are not just about identifying risk at the outset, but about maintaining an accurate and up-to-date understanding of a client’s status throughout the life of a matter. While PEP classification requires proportionate judgement and a risk-based approach, sanctions obligations are absolute and leave no room for discretion.

The direction of travel in regulation is clear: firms are expected to apply these checks consistently, keep them current, and ensure that any changes in status are identified and acted on promptly.

🎥 Watch on YouTube | 🎧 Listen on Spotify

Stamp Duty Land Tax (SDLT) is one of the most misunderstood areas of property law – and one of the most frequently misquoted by clients.

In this special session, our Managing Director Liz Jarvis is joined by Richard Friend of 4Stamp to tackle some of the most common SDLT myths and misconceptions. From first-time buyer confusion to gifting property, mixed-use quirks and company purchases, they separate fact from fiction with clarity, context, and a few laughs along the way.

Whether you’re a seasoned conveyancer or just looking to sharpen your SDLT knowledge, this is a must-watch (or listen) for 2026.

🔍 What’s covered?

First-time buyer relief: why it’s a one-time benefit
Gifting property: when a mortgage triggers SDLT
Mixed-use properties: how they’re taxed differently
Reclaiming the 5% surcharge after selling a main residence
Divorce exemptions, company purchases, and more

A little knowledge about SDLT can be dangerous – but 30 minutes with Liz and Richard might just save you from your next client conversation that starts with, “I read somewhere that…”

▶️ Watch the video

🎧 Listen on Spotify

Property professionals can now enjoy greater confidence and peace of mind in every transaction, thanks to OneSearch’s new partnership with 4Stamp: the definitive SDLT solution.

From today, OneSearch customers can manage and track their post-completion SDLT and LTT calculations directly within our platform, alongside local authority searches, environmental reports, and other essential conveyancing tools. This integration brings everything together in one place, saving time and reducing risk.

4Stamp is a cloud-based solution which allows all parties access to all the updates, data, and information required to provide a certified, accurate assessment of the purchasers’ property tax liability

“We have always been dedicated to setting the gold standard for accuracy and trust in the property market,” said Liz Jarvis, Managing Director of OneSearch. “Our partnership with 4Stamp is a natural extension of this promise. By integrating their certified, expert-backed solution into our platform, we are giving our clients end-to-end confidence, from the initial search all the way through to the final tax calculation.”

Richard Friend, Managing Director at 4Stamp Ltd added, “We are thrilled to partner with OneSearch, a company that shares our core values of data integrity and professional excellence. Their market-leading platform provides the perfect home for our service. Together, we are taking the mystery out of Stamp Duty Land Tax and empowering legal professionals to eliminate risk and streamline their workflow.”

Generic online calculators can be risky, often failing to account for all variables and exposing your firm to potential liability. In fact, 8% of customers overpay on their property tax, a statistic that highlights the need for a better solution.

4Stamp is not another calculator. It’s a comprehensive, certified assessment that considers the purchaser’s circumstances, the property, and the transaction vehicle. This is why it’s trusted by professionals.

By using 4Stamp via OneSearch, you will:

Eliminate Risk: Move beyond generic calculators and get a precise, certified tax assessment.
Gain Protection: Every calculation is backed by professional indemnity insurance, transferring liability away from your firm.
Save Time: Instantly get a certified value or immediate access to tax advisors for complex cases.
Ensure Compliance: Every assessment includes a certified PDF and a full audit trail for your records.

At OneSearch, we have always been about empowering legal professionals with speed, confidence, and protection. Now, we’re bringing that same promise to the final, critical step of every property transaction.

Ready to transform your conveyancing process? Learn more about the OneSearch and 4Stamp partnership and discover the value for yourself.