“Safe Harbour.” We hear this term thrown around in conveyancing teams a lot, but what does it really mean? And is it something you have to do?
Over the years, property fraud has become quite the headache for conveyancers. Fraudsters have been selling properties they don’t own, running off with the cash, and leaving buyers high and dry. The Solicitors Regulation Authority even flagged vendor fraud as an emerging risk in its latest AML Sectoral Risk Assessment.

Naturally, after case law like Dreamvar, lawyers are pretty nervous about getting it wrong. It’s the case that changed the liabilities and responsibilities of lawyers and conveyancers when dealing with residential property transactions. For those who aren’t familiar with the specifics of the case of Dreamvar, here’s what happened…
A fraudster managed to sell a London property worth around £1 million by impersonating the real seller. After the sale, the fraudster (and the money) disappeared into thin air. Fortunately, the Land Registry caught the fraud when the transfer documents came through, so the title never changed hands.
But poor Dreamvar was left with no property and no cash, so they took legal action against their solicitors, alleging negligence and breach of trust. They also sued the fraudster’s solicitor for failing to spot the fraud. Initially, only Dreamvar’s solicitor was found liable, which seemed harsh to many, as the fraudster’s solicitor hadn’t done enough to verify their client’s identity under Money Laundering Regulations (MLR).
The case eventually made its way to the Court of Appeal. There, the judge determined that the solicitors representing the fraudulent property seller should also shoulder some responsibility alongside those representing the deceived buyer for any incurred losses.
Following this, the Law Society updated its Conveyancing Protocol. Now, if you’re acting for the seller (especially if you’re a Conveyancing Quality Scheme (CQS) firm), you need to:
- request details of the bank account for the sale proceeds and
- obtain evidence that the account belongs to the seller, showing that they have had and been using the account for at least 12 months and
- confirm proceeds will only go to that account
This is a great way to ensure the purchase funds are going to the correct person! But let’s face it, fraudsters are still out there trying their luck. Take the case of a Vicar in 2021, who came home to find his house gutted and the locks changed. Someone had stolen his identity and sold his home – and this time, the Land Registry approved the title transfer. It took him two years of legal battles to get his house back!
Safe Harbour protects conveyancers who might unknowingly get caught up in a fraudulent transfer, as the Land Registry won’t hold them liable. The aim is that, by applying the Safe Harbour standard properly, you’ll spot a fraudulent seller right from the start.
This is an excerpt of a guest article written by Kayleigh Smale, of Smale Compliance. To continue reading on the Safe Harbour Standard and its potential implications for your business, you can download our detailed guide: Mastering AML compliance in 2026, which is additionally packed with in-depth analysis and actionable information designed to help you navigate the world of Anti-Money Laundering effectively.



The SRA’s most current AML report marks a clear shift in enforcement. More inspections, more failures, and far less tolerance for underperforming compliance.
Here’s what the findings actually show, and what firms should be doing about it.
The numbers are difficult to snub. In the year to April 2025, the SRA carried out 935 proactive AML engagements, up from 545 the year before. Of the 833 firms reviewed, nearly one in three were non-compliant, and a further 54% were only partially compliant.
That leaves fewer than one in seven firms fully compliant with their AML obligations.
This is not incremental improvement. It’s systemic underperformance in an area where the regulatory, financial, and reputational stakes are only increasing.
What the SRA found
The report identifies several areas of consistent weakness across the firms it reviewed. None of them are new. What’s changed is the SRA’s tone, the specificity of its findings, and its willingness to act.
Risk assessments are still failing in practice
Up to 39% of reviewed files did not effectively assess AML risk. Firm-wide risk assessments exist on paper but aren’t being applied at client level. High-risk matters are progressing without the senior oversight they require. Defective AML policies, controls and procedures contributed to a significant proportion of enforcement outcomes.
The SRA has been explicit: it expects risk assessments to inform decisions, not just document them.
Identity verification is inconsistently applied
Documents are missing from files, checks are relaxed for familiar clients, enhanced due diligence is not being triggered when risk indicators are present.
Emerging threats, including deepfake ID fraud and remote onboarding risks, are exposing gaps in already inconsistent processes.
Source of funds checks are being treated as a formality
The SRA’s thematic review found that, across more than 5,800 client files reviewed, 11% lacked source of funds checks entirely and 18% showed inadequate scrutiny.
Firms are collecting documents but not reviewing them. The distinction between source of funds and source of wealth is still not being applied consistently, even in higher-risk matters.
Ongoing monitoring remains the most overlooked obligation
For many firms, AML compliance still ends at onboarding. There is no structured mechanism to revisit matters, reassess risk, or refresh PEP and sanctions checks as circumstances change.
The SRA has identified ongoing monitoring as one of the most effective controls available, and one of the most consistently absent.
Training and governance weaknesses underpin the gaps
Template policies are not aligned to real-world practice. Training is not consistently refreshed or embedded. Governance structures, including MLRO oversight, do not always translate into effective day-to-day compliance.
An intensifying direction
The scale of supervisory activity tells its own story. Scrutiny is increasing, and it’s not slowing down. The SRA engaged with nearly twice as many firms in 2024-25 as the year before, and it has signalled clearly that all firms should expect attention.
At the same time, enforcement is intensifying. Combined AML penalties exceeded £1.5 million in 2024-25, the highest total yet based on SRA enforcement outcomes. The number of cases referred to the Solicitors Disciplinary Tribunal rose sharply, and criminal enforcement is no longer theoretical.
The message is clearly that AML compliance is no longer a paper exercise.
The more significant shift however, is structural. The government has confirmed that the Financial Conduct Authority will become the single professional services supervisor for AML, replacing the SRA and other supervisory bodies. The SRA will continue supervising AML through 2026 while legislation is prepared, but the direction of travel is already clear.
The FCA’s approach is more data-driven, and backed by broader enforcement powers. Firms that treat 2026 as a year to prepare for FCA-level scrutiny will be far better positioned than those that wait.
What firms should be doing now
The SRA’s findings point to a clear set of priorities for firms that want to stay on the right side of compliance.
- Fix your risk assessment framework first
The firm-wide risk assessment should reflect how the firm actually operates: its client base, transaction types, and geographic exposure. It should be actively used, not filed and forgotten.
Matter-level risk assessments should be completed before work progresses, include clear reasoning, and link back to the firm-wide view.
- Stress-test your identity verification process
Are all relevant parties being verified? Are enhanced checks triggered at the right time? Is there a clear and auditable record?
As fraud risks evolve, reliance on manual document checks is becoming increasingly difficult to defend.
- Move beyond “box-ticking” on source of funds
Receiving documentation is not the same as assessing it. Firms must actively review what is provided, question inconsistencies, and document their conclusions.
Source of funds should be standard on every file; source of wealth should be assessed in higher-risk matters.
- Build ongoing monitoring into your workflow, properly
This requires a defined process, not good intentions. Whether through scheduled file reviews, case management prompts, or automated re-screening, firms need to ensure monitoring actually happens and that changes trigger reassessment.
- Strengthen training and governance from the top down
AML training should be current, relevant, and regularly refreshed. Policies should reflect how the firm actually operates, not generic templates.
Governance structures must support consistent application of AML controls across the firm.
Our 2026 AML guide
If this raises questions about where your firm stands, Mastering AML Compliance in 2026 provides a practical starting point.
It covers everything from risk assessments and identity verification to source of funds, Safe Harbour, the DVS Trust Framework, and the role of technology, written specifically for conveyancers who need practical guidance, not regulatory theory.
OneSearch AML is a digital AML offering built specifically for conveyancers. To find out more, visit onesearch.direct/products/onesearch-aml.
We are delighted with the response to OneSearch AML since we unveiled the product two years ago; we hope you’ve had the opportunity to explore yourselves into the solutions it can provide your firm when it comes to managing risk and protecting your firm.
We understand the world of Anti Money Laundering can seem overwhelming at times: new regulations, confusing jargon and acronyms… and that’s not forgetting keeping on top of ever-evolving fraud strategies. On top of all that, you may often find yourself explaining this to your clients as well.
To help you conquer compliance, and master your firms AML checks, we’re offering a downloadable guide packed with practical advice and best practices for conveyancers.
In our guide, you’ll learn about:
- Understanding your KYC/AML Obligations in 2026
- A comparison of Manual vs Digital AML Checks
- A detailed explanation about the Safe Harbour Standard
- A guide to the most common AML phrases and what they actually mean
And also: - A full breakdown on the features and benefits of OneSearch AML, the most comprehensive anti-money laundering solution on the market.
Conveyancing transactions involving overseas clients carry a higher inherent risk of money laundering and come with a higher bar for due diligence.
Here is what enhanced checks involve, why international cases are more complex, and how to manage them effectively, en cinco minutos (we’re helping you with your international language there!)
Why are overseas conveyancing clients considered higher risk?
The UK property market has long attracted international buyers, and with them, an elevated risk of money laundering. Property is a well-established route for converting criminal proceeds into legitimate assets, and overseas clients introduce additional challenges that make due diligence harder to apply and easier to get wrong.
The SRA’s supervisory findings and the UK’s National Risk Assessment both identify international transactions as an area of increased concern. Residential conveyancing remains one of the highest-risk practice areas, and transactions involving overseas clients, particularly those linked to high-risk jurisdictions, overseas-sourced funds, or complex ownership structures, carry a heightened level of exposure.
The starting point for firms is recognising that a standard domestic customer due diligence approach may not be sufficient, and that enhanced due diligence will often be required.
When is enhanced due diligence required for international clients?
Enhanced due diligence is required under the Money Laundering Regulations whenever a higher risk of money laundering is identified. In the context of overseas clients, several factors commonly trigger this threshold.
A client who is not physically present presents a higher risk, as remote verification requires additional safeguards. Clients connected to high-risk third countries require increased scrutiny due to weaknesses in those jurisdictions’ AML frameworks.
Foreign politically exposed persons are treated as higher risk by default and require enhanced due diligence, including source of wealth checks and senior management approval. Where funds originate overseas, particularly where they pass through multiple jurisdictions or accounts, the complexity of verification increases and further scrutiny is required.
Any one of these factors may be sufficient to trigger enhanced due diligence. In practice, international transactions often involve more than one.
What does enhanced due diligence involve in practice?
Enhanced due diligence is not a single additional check, but a higher standard applied across the entire due diligence process.
For identity verification, firms need to consider whether their systems can genuinely support international checks. Not all digital identity providers can verify overseas documents, read foreign biometric chips, or access international data sources. Relying on systems designed for domestic use may create gaps in verification.
For source of funds, the evidential threshold is higher. Foreign bank statements may be more difficult to interpret or verify, and the regulatory environment of the originating country becomes relevant. Funds that move across multiple jurisdictions or accounts require careful tracing, and where the origin cannot be clearly linked to a legitimate source, this should be treated as a significant red flag.
For PEP and sanctions screening, checks must extend beyond UK databases. PEP status and sanctions exposure can vary by jurisdiction, and relying solely on domestic screening risks missing relevant information.
For ongoing monitoring, the same principle of proportionality applies, but risk profiles may change more quickly in response to geopolitical or regulatory developments. This means that reassessment may need to happen more frequently.
What challenges do firms face with international AML checks?
Enhanced due diligence for overseas clients presents practical challenges that go beyond standard domestic processes.
Staff may not be familiar with risk indicators associated with specific jurisdictions, making it harder to identify when something is unusual. Document verification is more complex, as overseas documents may not support NFC chip reading, may be issued in different formats, or may require translation.
Establishing ultimate beneficial ownership can also be more difficult. Corporate structures involving offshore entities and multiple layers of ownership can obscure who ultimately controls a transaction. Language barriers can slow the process and create gaps in understanding that introduce additional risk.
Firms should assess whether their current processes, systems, and expertise are sufficient for the type of international work they are undertaking
What does good AML practice look like for overseas clients?
Firms that handle international clients effectively tend to adopt a structured and proactive approach. This includes clearly distinguishing between domestic and international matters at the outset, ensuring staff are trained on jurisdiction-specific risk indicators, and using verification and screening tools with genuine international capability.
They are also prepared to ask more detailed questions, request additional documentation, and escalate concerns to the MLRO at an earlier stage where the risk profile is unclear. A cautious and enquiring approach is often the most effective safeguard.
OneSearch AML supports international due diligence through access to global PEP and sanctions datasets, adverse media screening, and international identity verification tools designed for cross-border transactions.
Working with overseas clients requires a shift from standard due diligence to a more investigative and risk-sensitive approach. The presence of international elements, whether in the client, the funds, or the ownership structure, increases complexity and reduces the reliability of assumptions that might hold in domestic cases. Enhanced due diligence is therefore not just a regulatory requirement, but a practical necessity.
Firms that approach these transactions with the right tools, clear processes, and a willingness to probe further are better placed to manage risk effectively and demonstrate compliance if challenged.
Remote identity verification is now a routine part of conveyancing, but what it involves, and what makes it compliant, is not always clear.
Here is how the process works, what it covers, and what firms need to get right.
How has conveyancing moved to remote identity verification?
For much of conveyancing’s recent history, identity verification meant a face-to-face meeting, with documents examined in person, copies certified, and records updated manually. The COVID-19 pandemic accelerated a shift that was already underway, and remote identity verification has since become standard practice in many firms.
When implemented correctly, remote verification is not a compromise on security. Modern technology, including biometric matching, NFC chip reading, and liveness detection, can produce a more reliable result than manual document review, while also creating a clear and auditable digital record. Where processes are poorly designed or inconsistently applied, however, the risk increases. Documents may be accepted without proper scrutiny, checks may be incomplete, and audit trails may be insufficient.
Understanding what remote verification involves is essential to applying it correctly.
What does a compliant remote identity verification process include?
A compliant remote identity verification process covers three core elements, all of which must be present to meet the requirements of the Money Laundering Regulations and, for firms seeking HMLR Safe Harbour protection, Practice Guide 81.
The first is document verification, which confirms that the identity document is genuine. For Safe Harbour purposes, this involves reading the NFC chip embedded in biometric passports, EU and EEA identity cards, and UK biometric residence permits. The chip contains cryptographically signed data from the issuing authority, and verifying this data provides a level of assurance that cannot be achieved through visual inspection alone.
The second is biometric matching, which confirms that the person presenting the document is the individual shown on it. This is typically achieved by comparing a live image captured via a smartphone against the image stored on the document’s chip. The comparison is carried out algorithmically and provides a more consistent result than a manual check.
The third is liveness detection, which confirms that the image being captured is genuinely live. It ensures that the individual is physically present and not attempting to use a photograph, mask, or recorded video to impersonate someone else. This is a critical safeguard against increasingly sophisticated spoofing attempts.
What identity documents can be used for remote verification?
Not all identity documents support full remote digital verification. For the process to function correctly, and particularly for NFC chip reading, the document must contain an embedded chip.
The documents that meet this requirement include biometric passports, EU and EEA identity cards with biometric capability, and UK biometric residence permits. These allow the system to carry out full cryptographic verification.
Other documents, such as driving licences or non-biometric passports, can support identity checks but cannot be verified using NFC technology. For firms aiming to meet the HMLR Safe Harbour standard, a chip-enabled document is required.
What does the remote ID process look like for clients?
From the client’s perspective, the process is typically straightforward. They receive a link or access a secure portal, scan their identity document using their smartphone, capture a short video or image, and complete any required prompts. The process usually takes only a few minutes.
Behind the scenes, however, multiple checks are carried out simultaneously. The system performs NFC verification, biometric comparison, and liveness detection, cross-checking the results and flagging any inconsistencies. The outcome should be a clear, auditable record of the checks completed, including the results and timestamps.
This audit trail is important. The SRA expects firms to be able to demonstrate that identity checks were carried out, when they were completed, and what the outcome was.
What risks do firms need to manage with remote verification?
Remote verification introduces specific risks where processes are not properly designed or applied. Common issues include accepting documents that do not support full digital verification without recognising the limitation, relying on systems that do not carry out all required elements, and treating a verification report as the end of the process without reviewing its content.
It is also important to understand the scope of remote verification. It confirms identity, meaning that the individual is who they claim to be. It does not replace other AML requirements, such as source of funds checks, PEP and sanctions screening, or ongoing monitoring. These obligations continue throughout the life of the matter.
Remote identity verification should be seen as one component of a wider AML framework rather than a standalone solution. When all three elements are applied correctly, document verification, biometric matching, and liveness detection, the process can provide a high level of assurance and a clear audit trail. However, its effectiveness depends on how it is implemented and reviewed in practice.
Firms that treat remote verification as a complete solution risk overlooking the broader obligations that sit alongside it, while those that embed it within a structured and consistent process are better placed to meet both regulatory expectations and client needs.
Digital identity verification is now standard practice in conveyancing. However, the technology behind it, including biometrics, NFC chip reading, and liveness detection, is not always well understood.
Here is how it works, what each component does, and why it matters for AML compliance.
How has identity verification in conveyancing changed?
For most of conveyancing’s history, verifying a client’s identity meant checking physical documents in person, such as a passport across a desk, a utility bill, or a driving licence. The process was time-consuming, inconsistent, and increasingly inadequate as fraud became more sophisticated.
Digital identity verification has changed that. Clients can now complete checks remotely using a smartphone, with technology performing in seconds what manual review cannot do reliably. It can confirm not only that a document appears genuine, but that its underlying data is authentic and that the person presenting it is physically present.
In March 2021, HM Land Registry formalised this shift through Practice Guide 81, which introduced the Safe Harbour standard. This set out the requirements for digital identity checks that, if met, protect conveyancers from liability where identity fraud later emerges. Understanding the underlying technology is key to understanding what those requirements mean in practice.
What is biometric verification and how does it work?
Biometric verification forms the foundation of digital identity checks. It uses physical characteristics to confirm that a person is who they claim to be.
In most AML contexts, this involves facial recognition. The client takes a photograph or short video using their device, and the system compares it against the image stored on their identity document. This comparison is carried out algorithmically, analysing the geometry of facial features in a way that is more consistent and reliable than a manual visual check.
Biometric verification is a core requirement of the Safe Harbour standard. The system must confirm that the person presenting the identity matches the image held on the document, rather than simply accepting an uploaded file.
What is NFC chip reading and why is it important?
Modern passports, EU and EEA ID cards, and UK biometric residence permits contain an embedded NFC chip. This chip stores a digital copy of the document’s data, including biometric information and a cryptographic signature from the issuing authority.
When a client places their document against a smartphone, the chip transmits this data. The system can then verify that the digital signature is genuine, confirm that the signing key is valid, and extract the biometric data for comparison against the live image.
This is the most secure form of document verification currently available. While a physical document can be forged, replicating a valid cryptographic signature from an issuing authority is not realistically achievable. For this reason, NFC chip reading is a core part of the Safe Harbour standard.
What is liveness detection and how does it prevent fraud?
Biometric matching and chip reading confirm that a genuine document exists and that the image matches the person presenting it. Liveness detection adds a further layer by confirming that the individual is physically present, rather than using a photograph, mask, or recorded video.
Active liveness requires the user to perform an action, such as blinking or turning their head, to demonstrate that they are present. Because the action is prompted, it can potentially be anticipated and mimicked.
Passive liveness operates in the background without requiring any action from the user. Using machine learning techniques, the system analyses image data to distinguish between a live person and a static or replayed image. Because the user is unaware of the check, passive liveness is generally considered more resilient to spoofing attempts.
Both approaches are used in practice, and understanding the difference is important when assessing providers.
What does the Safe Harbour standard require in practice?
The Safe Harbour standard requires a combination of checks. These include obtaining evidence from a biometric identity document, verifying that document using NFC chip reading, and matching the individual to the document using biometric verification.
For conveyancers acting for sellers, there is an additional requirement to establish a connection between the client and the property.
Where these requirements are met, conveyancers benefit from protection. If a client’s identity is later found to be fraudulent, HM Land Registry will not pursue recourse, provided the checks were carried out correctly.
It is also important to distinguish between standards. The Safe Harbour framework defines the process that must be followed, while the Digital Verification Services Trust Framework governs the providers offering these services. Using a provider listed on the DVS register is increasingly seen as evidence that the underlying technology meets a credible and recognised standard.
Taken together, digital identity verification relies on multiple layers working in combination. Biometric matching confirms identity, NFC chip reading verifies the integrity of the document, and liveness detection ensures the person is genuinely present. The Safe Harbour standard brings these elements together into a defined process that, when followed correctly, provides both compliance and protection.
As expectations continue to evolve, understanding how these components work is essential for assessing providers and ensuring that identity checks are not only completed, but carried out to a standard that stands up to scrutiny.