Identifying politically exposed persons and sanctioned individuals is a core AML obligation, but it is one where the rules have recently shifted.
Here is what PEP and sanctions checks involve, who they apply to, and what the updated rules mean for how firms should approach them.
Why do PEP and sanctions checks matter in AML compliance?
PEP and sanctions screening sit within the broader customer due diligence framework, but they carry particular weight. The concern with politically exposed persons is that their public position creates an elevated risk of corruption or bribery, and that property transactions are a well-established route for laundering the proceeds.
Sanctions checks serve a different but equally serious purpose. They ensure that firms are not facilitating transactions involving individuals or entities subject to legal restrictions.
Both checks are required at onboarding, and both must be kept up to date throughout the life of a matter. A client who was not a PEP at the outset may become one, and sanctions lists are updated frequently.
What is a politically exposed person (PEP)?
A PEP is an individual who is, or has been, entrusted with a prominent public function. This includes heads of state and government, ministers, members of parliament, senior members of the judiciary, senior military officials, members of central banks, and ambassadors, along with their close family members and known close associates.
Under the Money Laundering Regulations, identifying a client as a PEP triggers enhanced due diligence. This includes obtaining senior management approval, taking steps to establish the source of wealth and source of funds, and applying closer ongoing monitoring.
Importantly, being a PEP does not mean refusing to act. It means applying additional scrutiny and documenting the approach taken.
How have the rules on domestic PEPs changed?
The treatment of domestic PEPs, meaning those who hold or have held public functions in the UK, has changed in recent years.
Since January 2024, the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 require firms to treat domestic PEPs as lower risk than foreign PEPs as a starting point. This is now set out in legislation, rather than guidance. Unless other risk factors are present, firms should apply a proportionate level of enhanced due diligence.
Further clarification was provided in FCA guidance FG 25/3, published in July 2025. This confirms that non-executive directors of UK civil service bodies should not be treated as PEPs, and reinforces that firms should not refuse or exit relationships solely because a client meets the PEP definition.
In practice, this means risk should be assessed on a case-by-case basis, rather than applied automatically based on a public role.
What are sanctions and how do they apply to law firms?
Sanctions are legal restrictions imposed by governments or international bodies on individuals, companies, or countries, often in response to national security concerns, human rights issues, or foreign policy objectives. In the UK, the Office of Financial Sanctions Implementation within HM Treasury administers the sanctions regime.
Firms in the regulated sector must not provide services to sanctioned individuals or entities, or facilitate transactions that would benefit them. Breaching sanctions can result in significant criminal and civil penalties, including fines and imprisonment.
Unlike PEP status, which requires judgement around risk, a sanctions match is a clear prohibition. If a client appears on a sanctions list, the matter cannot proceed without specialist legal advice, and reporting obligations may arise.
How often should PEP and sanctions checks be updated?
PEP and sanctions checks should not be treated as a one-off exercise. Both need to be refreshed throughout the life of a matter.
PEP status can change if a client takes on a new public role, and sanctions lists can be updated at short notice in response to international developments. Relying on a single check at onboarding creates a risk that changes will go unnoticed.
Manual processes make this difficult to manage consistently. Automated screening tools that re-check clients against current databases at regular intervals provide a more reliable way to identify changes in status.
Taken together, PEP and sanctions checks are not just about identifying risk at the outset, but about maintaining an accurate and up-to-date understanding of a client’s status throughout the life of a matter. While PEP classification requires proportionate judgement and a risk-based approach, sanctions obligations are absolute and leave no room for discretion.
The direction of travel in regulation is clear: firms are expected to apply these checks consistently, keep them current, and ensure that any changes in status are identified and acted on promptly.
AML compliance is not just about checking individual clients. Every firm in the regulated sector must also have a set of firm-level obligations in place that are documented, approved, and actively maintained.
Here is what the law actually requires, and what good governance looks like in practice, in just 5 minutes.
Why is AML compliance more than just client checks?
When people think about AML compliance in conveyancing, they tend to focus on client-facing checks such as verifying identity, understanding source of funds, and screening for PEPs and sanctions. These obligations are real and important, but they sit on top of a layer of firm-wide requirements that must be in place first.
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose obligations on the firm as an entity, not just on individual fee-earners dealing with specific matters. Getting these foundations right is critical, as the SRA’s supervisory findings consistently show that weaknesses at firm level tend to flow directly into weaknesses at matter level.
What is a firm-wide AML risk assessment and why does it matter?
The starting point is Regulation 18, which requires every firm in the regulated sector to carry out and document a firm-wide risk assessment. This is a written analysis of the money laundering and terrorist financing risks the firm is exposed to, taking into account its size, client base, the services it offers, the geographic areas it operates in, and the types of transactions it handles.
The assessment must be approved by senior management and kept up to date. It is not a one-off exercise. It should be reviewed whenever the firm’s circumstances change materially, and at regular intervals regardless.
This matters because it sets the context for everything that follows. It defines what higher and lower risk look like for the firm, which in turn informs how individual client and matter risk assessments should be approached.
Who is responsible for AML compliance in a law firm?
Every firm in the regulated sector must appoint a Money Laundering Reporting Officer (MLRO). This is a named individual, typically a senior person within the firm, who is responsible for receiving internal reports of suspicious activity, deciding whether to submit a Suspicious Activity Report to the National Crime Agency, and overseeing the firm’s AML compliance more broadly.
The MLRO role carries real responsibility. The individual appointed needs sufficient seniority, authority, and access to information to carry out the role effectively. In smaller firms, this is often a principal or partner. In larger firms, it may be a dedicated compliance professional. In all cases, the appointment must be documented and properly supported, rather than treated as a formality.
What AML policies, controls and procedures are required?
Regulation 19 requires firms to establish and maintain written AML policies, controls and procedures. These should cover how the firm identifies and verifies clients, how it assesses risk, how it monitors ongoing matters, how suspicious activity is reported internally, how staff are trained, and how compliance is audited.
The policies do not need to be lengthy, but they do need to be meaningful. The SRA has identified cases where firms have adopted template policies without tailoring them to their actual practice, which fails the requirement. Policies should reflect how the firm operates in reality, and staff should understand and follow them in practice.
What AML training do staff need to receive?
All relevant staff must receive regular AML training. This includes not only fee-earners, but anyone involved in client onboarding, financial transactions, or file management. Training should cover what money laundering is, what the firm’s obligations are, how to identify suspicious activity, and how to report concerns internally.
Training also needs to be kept current. A one-off session delivered several years ago is not sufficient. Firms should be able to demonstrate when training was delivered, who received it, and what it covered.
When is an independent AML audit required?
Larger firms, or those with a higher-risk profile, are required under Regulation 21 to have their AML policies and controls independently audited. This does not necessarily mean appointing an external auditor. In some firms, it can be an internal function that sits outside the compliance team.
The key requirement is independence. The purpose of the audit is to assess whether the firm’s AML framework is actually working in practice, rather than simply existing on paper.
Taken together, firm-wide AML obligations form the foundation of effective compliance. A documented risk assessment, a clearly defined MLRO role, tailored policies, regular training, and independent oversight are not separate requirements but parts of a single system.
Where firms fall short is often not in having these elements in place, but in failing to connect them or keep them active. The regulatory expectation is clear: these controls should shape how the firm operates day to day, not exist as static documents created to satisfy a requirement.
Digital identity verification has been quietly reshaping how conveyancers carry out AML checks for several years.
In December 2025, it took a significant step forward: the Digital Verification Services Trust Framework was placed on a statutory footing under the Data (Use and Access) Act 2025.
For this ‘Five Minutes on…’, we take a deep dive into what that means and what it changes for your firm.
What changed when the DVS Trust Framework became law?
For several years, digital identity providers operating in the UK worked within a voluntary framework, a set of standards published by the government against which they could be assessed and certified. Choosing a certified provider gave conveyancers confidence that the technology met a recognised benchmark, but certification was optional and the framework carried no statutory weight.
That changed in December 2025. Under the Data (Use and Access) Act 2025, the Digital Verification Services (DVS) Trust Framework became a statutory framework, the first of its kind in the UK. Providers of digital identity services can now apply to be formally registered by the government, and that registration carries legal backing that was previously absent.
For conveyancers, this matters. The tools used to verify client identities are increasingly subject to a formal, legally grounded standard, rather than just an industry benchmark.
What is the DVS Trust Framework and how does it work?
The DVS Trust Framework sets out the rules and technical requirements organisations must meet to provide digital identity and attribute verification services in the UK. It covers how identity data is collected, checked, and stored, what security standards apply, and how providers must handle fraud, errors, and complaints.
Providers that meet these requirements can apply to be listed on a government register of certified DVS providers. That register is publicly accessible, meaning conveyancers, law firms, and their clients can check whether a given identity service is formally recognised.
The framework is overseen by the Office for Digital Identities and Attributes (ODIA), within the Department for Science, Innovation and Technology.
How does the DVS Trust Framework compare to HMLR Safe Harbour?
The DVS Trust Framework and the HMLR Safe Harbour standard are related but distinct, and it is important to understand the difference.
Safe Harbour is HM Land Registry’s standard for identity verification in property transactions, introduced in 2021. It sets out specific requirements around biometric checks, NFC chip reading, and evidence of connection to a property. Meeting those requirements means HMLR will treat the conveyancer as having taken reasonable steps to verify identity, providing protection if fraud later comes to light.
The DVS Trust Framework operates at a different level. It governs the identity providers themselves, the platforms conveyancers rely on to carry out checks. A provider listed on the DVS register has been assessed against the government’s standards. Using a registered provider does not automatically mean Safe Harbour has been achieved, but it is a strong indicator that the underlying technology meets a credible, legally recognised standard.
In practice, the two often work together. A conveyancer using a DVS-registered provider to carry out biometric and NFC checks in line with HMLR requirements will be well positioned on both fronts.
What does the DVS Trust Framework mean for conveyancers?
For most firms already using a reputable digital ID provider, the immediate practical change is modest. If your current provider was certified under the previous voluntary framework, they will likely be working towards registration under the statutory version, or may already have it.
The more meaningful shift is what the framework signals for the future. Making DVS statutory reflects a broader government intention to establish digital identity as a trusted, legally grounded part of UK infrastructure. Lenders, regulators, and professional bodies are likely to place increasing weight on whether firms use registered providers.
It is worth checking whether your digital identity provider is listed on the government’s DVS register, or has confirmed its intention to register. If you are evaluating new providers, DVS registration should form part of that assessment.
What has not changed under the DVS Trust Framework?
The DVS Trust Framework does not make digital identity verification compulsory. Manual identity checks remain legally permissible, provided they meet the requirements of the Money Laundering Regulations.
It also does not replace the HMLR Safe Harbour standard, or make it compulsory. Safe Harbour remains optional. However, as expectations around identity verification continue to rise, the practical case for meeting it becomes stronger.
Taken together, the DVS Trust Framework marks a shift towards more formalised standards for digital identity verification. Now set in law under the Data (Use and Access) Act 2025, it establishes the criteria providers must meet to be listed on the government’s public register, giving conveyancers a clearer way to assess whether a provider is formally recognised.
While DVS registration and HMLR Safe Harbour serve different purposes, one governing providers and the other the verification process, they are closely connected in practice. Using a DVS-registered provider does not automatically mean Safe Harbour has been achieved, but it provides a strong foundation.
Importantly, digital identity checks remain optional, and manual verification is still permissible, though expectations are clearly evolving. As a result, firms should be considering whether their current provider is registered, or actively working towards it.
Source of funds checks are a core part of AML due diligence, yet they remain one of the areas where conveyancing firms most commonly fall short.
Here is what the obligation actually requires, what good evidencing looks like, and the red flags that should prompt further questions.
Why Source of Funds Trips Firms Up
Of all the AML checks a conveyancing firm carries out, source of funds is the one most likely to feel like it has been done when it has not. A bank statement has been received, a box has been ticked, and the matter moves on. But receiving a document is not the same as scrutinising it, and scrutiny is what the obligation requires.
The SRA’s supervisory findings consistently identify source of funds as an area of weakness. The most common failures are not firms ignoring the check entirely; they are firms accepting documents at face value, failing to follow up on inconsistencies, or not asking for evidence in the first place when the client’s profile and transaction give good reason to.
What the Obligation Actually Is
The requirement to understand source of funds sits within the broader customer due diligence obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Firms must take reasonable steps to understand where the money used in a transaction originates and whether it is consistent with what they know about the client.
“Reasonable steps” is not a fixed standard. It scales with risk. For a straightforward residential purchase funded by a mortgage and a modest deposit from a current account, a bank statement showing the funds may be sufficient. For a cash purchase, a high-value transaction, an overseas client, or any situation where the source of funds is unclear or unexpected, considerably more is required.
Source of funds is distinct from source of wealth, though the two are related. Source of funds focuses on the specific money being used in the transaction. Source of wealth is broader and considers how the client accumulated their assets overall. In higher-risk matters, both may need to be established.
What Good Evidencing Looks Like
Good source of funds evidence answers a simple question: can the money be traced to a legitimate, plausible origin?
For most residential transactions, this means bank statements showing the deposit funds building up over time, or a clear single event such as a property sale, an inheritance, or a gift that explains their arrival. The statement should be recent, unredacted in the relevant sections, and consistent with what the client has told you.
Where funds come from a property sale, the completion statement from that transaction is the natural supporting document. Where funds are a gift, a signed letter confirming the amount, the relationship, and that it is not a loan is standard. This should be supported by evidence that the donor actually holds the funds.
Where funds originate overseas, the bar is higher. Exchange rate movements, international transfer records, and the regulatory environment of the originating country all become relevant. A foreign bank statement should not be accepted without considering whether additional verification is appropriate.
Red Flags in Bank Statements
Receiving a bank statement is the beginning of the process, not the end. When reviewing statements, certain patterns should prompt further questions.
Large, unexplained deposits can indicate layering, where illicit funds are introduced into an account to appear legitimate. Multiple smaller deposits from different sources may suggest structuring, where funds are broken up to avoid detection thresholds.
Inconsistencies with the client’s profile should also be treated carefully. Funds that appear disproportionate to what is known about the client’s occupation, income, or circumstances warrant further enquiry rather than acceptance.
Any indication that documents have been altered, cropped, or are incomplete should be treated as a serious concern. Original documents, or verified electronic statements from the bank, are preferable where there is any doubt.
When to Ask More Questions
A useful test is whether the explanation of funds feels plausible when set against everything else known about the client. If it does not, that instinct is worth acting on.
The obligation is not to prove that funds are clean, but to take reasonable steps to be satisfied that they are. Where something does not add up, further questions are required. If a satisfactory explanation cannot be obtained, the matter may need to be referred to the MLRO.
Proceeding without adequate source of funds evidence exposes the firm to regulatory risk and, in some cases, criminal liability.
Ultimately, source of funds checks are not about collecting documents, but about forming a clear and defensible understanding of where money has come from. The standard applied should reflect the level of risk, increasing where transactions are higher value, more complex, or less predictable. Where firms fall short is not usually in starting the process, but in stopping too early. The SRA’s expectation is clear: scrutiny matters, and if something does not make sense, it is not enough to record it and move on.
In 2023, a solicitor was convicted for the first time ever for tipping off, alerting a client that they were under investigation for money laundering. It was a landmark moment.
Here is what tipping off means in practice, where the line is, and how to stay well clear of it.
Why has tipping off become a focus for law firms?
For years, tipping off appeared in AML training as a theoretical risk. Solicitors understood it was an offence, but many assumed enforcement actions were rare or confined to other sectors.
The 2023 conviction changed that perception. A solicitor was found guilty under section 333A of the Proceeds of Crime Act 2002, marking the first time a member of the legal profession had been convicted of this specific offence. The case sent a clear signal that the legal sector is within scope for enforcement and that regulators are taking a more active interest.
Understanding what tipping off means in practice, and where the risks arise in day-to-day work, is now an essential part of AML compliance.
What is tipping off under UK AML law?
Tipping off occurs when someone who knows or suspects that a Suspicious Activity Report has been made discloses information to another person in a way that is likely to prejudice any resulting investigation.
In practical terms, if a report has been submitted or is suspected to have been submitted, the firm must not inform the client. This includes avoiding any statements or behaviour that could suggest they are under scrutiny.
The offence applies across the regulated sector, including legal professionals, and carries a maximum penalty of two years’ imprisonment and an unlimited fine.
Where is the line between communication and tipping off?
Two conditions must be met for the offence to arise. The person making the disclosure must know or suspect that a report has been made, and the disclosure must be likely to prejudice an investigation.
In practice, the definition of what may prejudice an investigation is broad. Referring to delays as being due to “compliance reasons”, providing vague or evasive explanations, or indicating that a matter has been escalated internally may create risk depending on the context.
The safest approach is to avoid any reference to the existence of a report. Where a transaction is delayed, a neutral explanation such as the need to complete standard checks or allow more time is generally acceptable, provided it does not imply that a report has been made.
What is the SAR moratorium period and why does it matter?
Where a Suspicious Activity Report is submitted requesting consent to proceed with a transaction, the firm must wait for a response from the National Crime Agency.
The initial period is seven working days. If no refusal is received within that time, consent is deemed to have been granted. If consent is refused, a further 31-day moratorium period applies during which the transaction cannot proceed.
During this time, the client cannot be told why the matter is delayed. This creates a practical challenge, as clients may expect progress and seek explanations. Firms that manage this risk effectively tend to prepare standard responses in advance rather than relying on ad hoc explanations.
What related offences should firms be aware of?
Section 342 of the Proceeds of Crime Act 2002 creates a separate offence of prejudicing an investigation. Unlike tipping off, this does not require a report to have been made. If someone knows or suspects that an investigation is underway and takes steps that could interfere with it, the offence may apply.
This reinforces the need for caution at an early stage. The risk does not begin only once a report is submitted, but from the point at which suspicion arises.
How should firms manage tipping off risk in practice?
Managing tipping off risk requires preparation rather than improvisation. All staff involved in client work should understand what tipping off is and why careful communication matters.
The Money Laundering Reporting Officer should be involved as soon as a report is being considered, so that communication with the client can be managed consistently. Firms should also develop agreed language for responding to delays or questions, ensuring that fee-earners are not required to decide how to respond in real time.
It is also important to recognise that internal reporting to the MLRO is not tipping off. It is a separate legal obligation and a critical part of the firm’s AML framework.
Tipping off is best understood as a risk that arises from how information is communicated, rather than from the act of reporting itself. Once suspicion exists, even well-intentioned explanations can create exposure if they suggest what is happening behind the scenes. The legal threshold is broad, and the consequences are significant.
Firms that manage this effectively do so by putting clear processes, training, and agreed client communication in place so that responses are measured, consistent, and do not depend on judgement in the moment.

Risk assessments are the foundation of AML compliance and, according to the SRA, the area where law firms most commonly get it wrong.
Here’s what a good one actually looks like, and why the tick-box approach keeps getting firms into trouble. All of that, in a five minute blog.
Why Risk Assessments Keep Coming Up
Every year, the SRA publishes its findings from AML supervisory visits across the legal sector. And every year, risk assessments sit at the top of the failure list.
In the most recent reporting period, the SRA carried out 935 proactive AML engagements across 833 firms. Around one in three were found to be non-compliant. The most common reasons were gaps in firm-wide and client risk assessments, weaknesses in AML controls, and limited internal monitoring. Risk assessments appear in almost every category of failure.
This isn’t a new problem, but the SRA’s tone has sharpened. Firms are increasingly expected to demonstrate that their risk assessments are active, documented, and driving real decisions, not sitting in a folder as evidence of compliance.
Two Separate Assessments, Two Separate Obligations
There’s a distinction worth being clear on, because conflating the two is itself a common failure.
The firm-wide risk assessment is required under Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. It must be a written document, approved by senior management, that identifies the money laundering and terrorist financing risks the practice is exposed to, based on its client base, geographic exposure, services offered, and transaction types. It should be reviewed regularly and updated when the firm’s circumstances change.
The client and matter risk assessment is required under Regulations 28(12) and (13) and must be completed for every single instruction. It needs to reflect both the specific characteristics of that matter, including the client, the transaction, the source of funds, and any risk indicators, and the broader context set by the firm-wide assessment. One informs the other.
The SRA has been clear that the firm-wide assessment is not a substitute for individual matter-level assessments. Both are required. Both must be documented.
What the SRA Keeps Finding
Across its 2024–25 supervisory activity, the most persistent risk assessment failures cluster around a few consistent themes.
Assessments are not always completed consistently or in full. Client and matter risk assessments are sometimes skipped entirely, partially completed, or completed after the matter has already progressed, which defeats the purpose.
Tick-box approaches are still common. Forms are filled in, but the answers do not reflect genuine consideration of the matter. Risk ratings are applied without reasoning, despite the SRA making clear it expects to see evidence that the assessment informed a decision, not just that it was done.
Firm-wide risks are not always carried through to client level. If a firm’s firm-wide assessment identifies elevated risk areas, that should be visible in how individual matters are assessed. Where there is no connection between the two, it is a clear red flag.
High-risk matters do not always receive appropriate oversight. Situations involving PEPs, complex ownership structures, or source of funds concerns should trigger escalation, but the SRA has found cases where this has not happened.
Assessments are often completed once and never revisited. Risk does not stop at onboarding, and where circumstances change, the assessment should change with them.
What a Good Risk Assessment Actually Looks Like
The SRA’s guidance, along with practical experience across the sector, points to a consistent set of characteristics.
Effective risk assessments are completed before the matter progresses, not retrospectively. They contain clear reasoning rather than just a risk rating, explaining what factors were considered and what that means in practice.
They are connected to the firm-wide picture, reflecting the risks identified at firm level in individual matters. They are also treated as live documents, revisited when circumstances change rather than filed away and forgotten.
Finally, they create a clear audit trail. It should be obvious when the assessment was completed, who carried it out, and what actions followed as a result.
The Difference Technology Makes
Manual risk assessments inevitably introduce inconsistency. Some fee-earners apply them rigorously, others less so. Digital AML workflows help address this by embedding risk assessment into the process itself.
They can make completion mandatory at the point of matter creation, prompt the right questions based on the specific context, automatically flag higher-risk scenarios, and create a clear, auditable record of decisions made.
This does not replace professional judgement. It supports it, ensuring that risk assessment is applied consistently and at the right time, rather than retrospectively or unevenly.
Taken together, the SRA’s message is consistent. Firms need both a firm-wide risk assessment and a matter-level assessment for every instruction, and both must be properly documented, actively used, and kept up to date. Completing them after the fact, or treating them as a formality, misses the point entirely. The real test is whether the assessment has shaped how the matter is handled, particularly where higher-risk scenarios require escalation or further scrutiny.
