UK Property - OneSearch

Remote identity verification is now a routine part of conveyancing, but what it involves, and what makes it compliant, is not always clear.

Here is how the process works, what it covers, and what firms need to get right.

How has conveyancing moved to remote identity verification?

For much of conveyancing’s recent history, identity verification meant a face-to-face meeting, with documents examined in person, copies certified, and records updated manually. The COVID-19 pandemic accelerated a shift that was already underway, and remote identity verification has since become standard practice in many firms.

When implemented correctly, remote verification is not a compromise on security. Modern technology, including biometric matching, NFC chip reading, and liveness detection, can produce a more reliable result than manual document review, while also creating a clear and auditable digital record. Where processes are poorly designed or inconsistently applied, however, the risk increases. Documents may be accepted without proper scrutiny, checks may be incomplete, and audit trails may be insufficient.

Understanding what remote verification involves is essential to applying it correctly.

What does a compliant remote identity verification process include?

A compliant remote identity verification process covers three core elements, all of which must be present to meet the requirements of the Money Laundering Regulations and, for firms seeking HMLR Safe Harbour protection, Practice Guide 81.

The first is document verification, which confirms that the identity document is genuine. For Safe Harbour purposes, this involves reading the NFC chip embedded in biometric passports, EU and EEA identity cards, and UK biometric residence permits. The chip contains cryptographically signed data from the issuing authority, and verifying this data provides a level of assurance that cannot be achieved through visual inspection alone.

The second is biometric matching, which confirms that the person presenting the document is the individual shown on it. This is typically achieved by comparing a live image captured via a smartphone against the image stored on the document’s chip. The comparison is carried out algorithmically and provides a more consistent result than a manual check.

The third is liveness detection, which confirms that the image being captured is genuinely live. It ensures that the individual is physically present and not attempting to use a photograph, mask, or recorded video to impersonate someone else. This is a critical safeguard against increasingly sophisticated spoofing attempts.

What identity documents can be used for remote verification?

Not all identity documents support full remote digital verification. For the process to function correctly, and particularly for NFC chip reading, the document must contain an embedded chip.

The documents that meet this requirement include biometric passports, EU and EEA identity cards with biometric capability, and UK biometric residence permits. These allow the system to carry out full cryptographic verification.

Other documents, such as driving licences or non-biometric passports, can support identity checks but cannot be verified using NFC technology. For firms aiming to meet the HMLR Safe Harbour standard, a chip-enabled document is required.

What does the remote ID process look like for clients?

From the client’s perspective, the process is typically straightforward. They receive a link or access a secure portal, scan their identity document using their smartphone, capture a short video or image, and complete any required prompts. The process usually takes only a few minutes.

Behind the scenes, however, multiple checks are carried out simultaneously. The system performs NFC verification, biometric comparison, and liveness detection, cross-checking the results and flagging any inconsistencies. The outcome should be a clear, auditable record of the checks completed, including the results and timestamps.

This audit trail is important. The SRA expects firms to be able to demonstrate that identity checks were carried out, when they were completed, and what the outcome was.

What risks do firms need to manage with remote verification?

Remote verification introduces specific risks where processes are not properly designed or applied. Common issues include accepting documents that do not support full digital verification without recognising the limitation, relying on systems that do not carry out all required elements, and treating a verification report as the end of the process without reviewing its content.

It is also important to understand the scope of remote verification. It confirms identity, meaning that the individual is who they claim to be. It does not replace other AML requirements, such as source of funds checks, PEP and sanctions screening, or ongoing monitoring. These obligations continue throughout the life of the matter.

Remote identity verification should be seen as one component of a wider AML framework rather than a standalone solution. When all three elements are applied correctly, document verification, biometric matching, and liveness detection, the process can provide a high level of assurance and a clear audit trail. However, its effectiveness depends on how it is implemented and reviewed in practice.

Firms that treat remote verification as a complete solution risk overlooking the broader obligations that sit alongside it, while those that embed it within a structured and consistent process are better placed to meet both regulatory expectations and client needs.

Download: 'Mastering AML compliance in 2026' here

Identifying politically exposed persons and sanctioned individuals is a core AML obligation, but it is one where the rules have recently shifted.

Here is what PEP and sanctions checks involve, who they apply to, and what the updated rules mean for how firms should approach them.

Why do PEP and sanctions checks matter in AML compliance?

PEP and sanctions screening sit within the broader customer due diligence framework, but they carry particular weight. The concern with politically exposed persons is that their public position creates an elevated risk of corruption or bribery, and that property transactions are a well-established route for laundering the proceeds.

Sanctions checks serve a different but equally serious purpose. They ensure that firms are not facilitating transactions involving individuals or entities subject to legal restrictions.

Both checks are required at onboarding, and both must be kept up to date throughout the life of a matter. A client who was not a PEP at the outset may become one, and sanctions lists are updated frequently.

What is a politically exposed person (PEP)?

A PEP is an individual who is, or has been, entrusted with a prominent public function. This includes heads of state and government, ministers, members of parliament, senior members of the judiciary, senior military officials, members of central banks, and ambassadors, along with their close family members and known close associates.

Under the Money Laundering Regulations, identifying a client as a PEP triggers enhanced due diligence. This includes obtaining senior management approval, taking steps to establish the source of wealth and source of funds, and applying closer ongoing monitoring.

Importantly, being a PEP does not mean refusing to act. It means applying additional scrutiny and documenting the approach taken.

How have the rules on domestic PEPs changed?

The treatment of domestic PEPs, meaning those who hold or have held public functions in the UK, has changed in recent years.

Since January 2024, the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 require firms to treat domestic PEPs as lower risk than foreign PEPs as a starting point. This is now set out in legislation, rather than guidance. Unless other risk factors are present, firms should apply a proportionate level of enhanced due diligence.

Further clarification was provided in FCA guidance FG 25/3, published in July 2025. This confirms that non-executive directors of UK civil service bodies should not be treated as PEPs, and reinforces that firms should not refuse or exit relationships solely because a client meets the PEP definition.

In practice, this means risk should be assessed on a case-by-case basis, rather than applied automatically based on a public role.

What are sanctions and how do they apply to law firms?

Sanctions are legal restrictions imposed by governments or international bodies on individuals, companies, or countries, often in response to national security concerns, human rights issues, or foreign policy objectives. In the UK, the Office of Financial Sanctions Implementation within HM Treasury administers the sanctions regime.

Firms in the regulated sector must not provide services to sanctioned individuals or entities, or facilitate transactions that would benefit them. Breaching sanctions can result in significant criminal and civil penalties, including fines and imprisonment.

Unlike PEP status, which requires judgement around risk, a sanctions match is a clear prohibition. If a client appears on a sanctions list, the matter cannot proceed without specialist legal advice, and reporting obligations may arise.

How often should PEP and sanctions checks be updated?

PEP and sanctions checks should not be treated as a one-off exercise. Both need to be refreshed throughout the life of a matter.

PEP status can change if a client takes on a new public role, and sanctions lists can be updated at short notice in response to international developments. Relying on a single check at onboarding creates a risk that changes will go unnoticed.

Manual processes make this difficult to manage consistently. Automated screening tools that re-check clients against current databases at regular intervals provide a more reliable way to identify changes in status.

Taken together, PEP and sanctions checks are not just about identifying risk at the outset, but about maintaining an accurate and up-to-date understanding of a client’s status throughout the life of a matter. While PEP classification requires proportionate judgement and a risk-based approach, sanctions obligations are absolute and leave no room for discretion.

The direction of travel in regulation is clear: firms are expected to apply these checks consistently, keep them current, and ensure that any changes in status are identified and acted on promptly.

AML compliance is not just about checking individual clients. Every firm in the regulated sector must also have a set of firm-level obligations in place that are documented, approved, and actively maintained.

Here is what the law actually requires, and what good governance looks like in practice, in just 5 minutes.

Why is AML compliance more than just client checks?

When people think about AML compliance in conveyancing, they tend to focus on client-facing checks such as verifying identity, understanding source of funds, and screening for PEPs and sanctions. These obligations are real and important, but they sit on top of a layer of firm-wide requirements that must be in place first.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose obligations on the firm as an entity, not just on individual fee-earners dealing with specific matters. Getting these foundations right is critical, as the SRA’s supervisory findings consistently show that weaknesses at firm level tend to flow directly into weaknesses at matter level.

What is a firm-wide AML risk assessment and why does it matter?

The starting point is Regulation 18, which requires every firm in the regulated sector to carry out and document a firm-wide risk assessment. This is a written analysis of the money laundering and terrorist financing risks the firm is exposed to, taking into account its size, client base, the services it offers, the geographic areas it operates in, and the types of transactions it handles.

The assessment must be approved by senior management and kept up to date. It is not a one-off exercise. It should be reviewed whenever the firm’s circumstances change materially, and at regular intervals regardless.

This matters because it sets the context for everything that follows. It defines what higher and lower risk look like for the firm, which in turn informs how individual client and matter risk assessments should be approached.

Who is responsible for AML compliance in a law firm?

Every firm in the regulated sector must appoint a Money Laundering Reporting Officer (MLRO). This is a named individual, typically a senior person within the firm, who is responsible for receiving internal reports of suspicious activity, deciding whether to submit a Suspicious Activity Report to the National Crime Agency, and overseeing the firm’s AML compliance more broadly.

The MLRO role carries real responsibility. The individual appointed needs sufficient seniority, authority, and access to information to carry out the role effectively. In smaller firms, this is often a principal or partner. In larger firms, it may be a dedicated compliance professional. In all cases, the appointment must be documented and properly supported, rather than treated as a formality.

What AML policies, controls and procedures are required?

Regulation 19 requires firms to establish and maintain written AML policies, controls and procedures. These should cover how the firm identifies and verifies clients, how it assesses risk, how it monitors ongoing matters, how suspicious activity is reported internally, how staff are trained, and how compliance is audited.

The policies do not need to be lengthy, but they do need to be meaningful. The SRA has identified cases where firms have adopted template policies without tailoring them to their actual practice, which fails the requirement. Policies should reflect how the firm operates in reality, and staff should understand and follow them in practice.

What AML training do staff need to receive?

All relevant staff must receive regular AML training. This includes not only fee-earners, but anyone involved in client onboarding, financial transactions, or file management. Training should cover what money laundering is, what the firm’s obligations are, how to identify suspicious activity, and how to report concerns internally.

Training also needs to be kept current. A one-off session delivered several years ago is not sufficient. Firms should be able to demonstrate when training was delivered, who received it, and what it covered.

When is an independent AML audit required?

Larger firms, or those with a higher-risk profile, are required under Regulation 21 to have their AML policies and controls independently audited. This does not necessarily mean appointing an external auditor. In some firms, it can be an internal function that sits outside the compliance team.

The key requirement is independence. The purpose of the audit is to assess whether the firm’s AML framework is actually working in practice, rather than simply existing on paper.

Taken together, firm-wide AML obligations form the foundation of effective compliance. A documented risk assessment, a clearly defined MLRO role, tailored policies, regular training, and independent oversight are not separate requirements but parts of a single system.

Where firms fall short is often not in having these elements in place, but in failing to connect them or keep them active. The regulatory expectation is clear: these controls should shape how the firm operates day to day, not exist as static documents created to satisfy a requirement.

Digital identity verification has been quietly reshaping how conveyancers carry out AML checks for several years.

In December 2025, it took a significant step forward: the Digital Verification Services Trust Framework was placed on a statutory footing under the Data (Use and Access) Act 2025.

For this ‘Five Minutes on…’, we take a deep dive into what that means and what it changes for your firm.

What changed when the DVS Trust Framework became law?

For several years, digital identity providers operating in the UK worked within a voluntary framework, a set of standards published by the government against which they could be assessed and certified. Choosing a certified provider gave conveyancers confidence that the technology met a recognised benchmark, but certification was optional and the framework carried no statutory weight.

That changed in December 2025. Under the Data (Use and Access) Act 2025, the Digital Verification Services (DVS) Trust Framework became a statutory framework, the first of its kind in the UK. Providers of digital identity services can now apply to be formally registered by the government, and that registration carries legal backing that was previously absent.

For conveyancers, this matters. The tools used to verify client identities are increasingly subject to a formal, legally grounded standard, rather than just an industry benchmark.

What is the DVS Trust Framework and how does it work?

The DVS Trust Framework sets out the rules and technical requirements organisations must meet to provide digital identity and attribute verification services in the UK. It covers how identity data is collected, checked, and stored, what security standards apply, and how providers must handle fraud, errors, and complaints.

Providers that meet these requirements can apply to be listed on a government register of certified DVS providers. That register is publicly accessible, meaning conveyancers, law firms, and their clients can check whether a given identity service is formally recognised.

The framework is overseen by the Office for Digital Identities and Attributes (ODIA), within the Department for Science, Innovation and Technology.

How does the DVS Trust Framework compare to HMLR Safe Harbour?

The DVS Trust Framework and the HMLR Safe Harbour standard are related but distinct, and it is important to understand the difference.

Safe Harbour is HM Land Registry’s standard for identity verification in property transactions, introduced in 2021. It sets out specific requirements around biometric checks, NFC chip reading, and evidence of connection to a property. Meeting those requirements means HMLR will treat the conveyancer as having taken reasonable steps to verify identity, providing protection if fraud later comes to light.

The DVS Trust Framework operates at a different level. It governs the identity providers themselves, the platforms conveyancers rely on to carry out checks. A provider listed on the DVS register has been assessed against the government’s standards. Using a registered provider does not automatically mean Safe Harbour has been achieved, but it is a strong indicator that the underlying technology meets a credible, legally recognised standard.

In practice, the two often work together. A conveyancer using a DVS-registered provider to carry out biometric and NFC checks in line with HMLR requirements will be well positioned on both fronts.

What does the DVS Trust Framework mean for conveyancers?

For most firms already using a reputable digital ID provider, the immediate practical change is modest. If your current provider was certified under the previous voluntary framework, they will likely be working towards registration under the statutory version, or may already have it.

The more meaningful shift is what the framework signals for the future. Making DVS statutory reflects a broader government intention to establish digital identity as a trusted, legally grounded part of UK infrastructure. Lenders, regulators, and professional bodies are likely to place increasing weight on whether firms use registered providers.

It is worth checking whether your digital identity provider is listed on the government’s DVS register, or has confirmed its intention to register. If you are evaluating new providers, DVS registration should form part of that assessment.

What has not changed under the DVS Trust Framework?

The DVS Trust Framework does not make digital identity verification compulsory. Manual identity checks remain legally permissible, provided they meet the requirements of the Money Laundering Regulations.

It also does not replace the HMLR Safe Harbour standard, or make it compulsory. Safe Harbour remains optional. However, as expectations around identity verification continue to rise, the practical case for meeting it becomes stronger.

Taken together, the DVS Trust Framework marks a shift towards more formalised standards for digital identity verification. Now set in law under the Data (Use and Access) Act 2025, it establishes the criteria providers must meet to be listed on the government’s public register, giving conveyancers a clearer way to assess whether a provider is formally recognised.

While DVS registration and HMLR Safe Harbour serve different purposes, one governing providers and the other the verification process, they are closely connected in practice. Using a DVS-registered provider does not automatically mean Safe Harbour has been achieved, but it provides a strong foundation.

Importantly, digital identity checks remain optional, and manual verification is still permissible, though expectations are clearly evolving. As a result, firms should be considering whether their current provider is registered, or actively working towards it.

Source of funds checks are a core part of AML due diligence, yet they remain one of the areas where conveyancing firms most commonly fall short.

Here is what the obligation actually requires, what good evidencing looks like, and the red flags that should prompt further questions.

Why Source of Funds Trips Firms Up

Of all the AML checks a conveyancing firm carries out, source of funds is the one most likely to feel like it has been done when it has not. A bank statement has been received, a box has been ticked, and the matter moves on. But receiving a document is not the same as scrutinising it, and scrutiny is what the obligation requires.

The SRA’s supervisory findings consistently identify source of funds as an area of weakness. The most common failures are not firms ignoring the check entirely; they are firms accepting documents at face value, failing to follow up on inconsistencies, or not asking for evidence in the first place when the client’s profile and transaction give good reason to.

What the Obligation Actually Is

The requirement to understand source of funds sits within the broader customer due diligence obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Firms must take reasonable steps to understand where the money used in a transaction originates and whether it is consistent with what they know about the client.

“Reasonable steps” is not a fixed standard. It scales with risk. For a straightforward residential purchase funded by a mortgage and a modest deposit from a current account, a bank statement showing the funds may be sufficient. For a cash purchase, a high-value transaction, an overseas client, or any situation where the source of funds is unclear or unexpected, considerably more is required.

Source of funds is distinct from source of wealth, though the two are related. Source of funds focuses on the specific money being used in the transaction. Source of wealth is broader and considers how the client accumulated their assets overall. In higher-risk matters, both may need to be established.

What Good Evidencing Looks Like

Good source of funds evidence answers a simple question: can the money be traced to a legitimate, plausible origin?

For most residential transactions, this means bank statements showing the deposit funds building up over time, or a clear single event such as a property sale, an inheritance, or a gift that explains their arrival. The statement should be recent, unredacted in the relevant sections, and consistent with what the client has told you.

Where funds come from a property sale, the completion statement from that transaction is the natural supporting document. Where funds are a gift, a signed letter confirming the amount, the relationship, and that it is not a loan is standard. This should be supported by evidence that the donor actually holds the funds.

Where funds originate overseas, the bar is higher. Exchange rate movements, international transfer records, and the regulatory environment of the originating country all become relevant. A foreign bank statement should not be accepted without considering whether additional verification is appropriate.

Red Flags in Bank Statements

Receiving a bank statement is the beginning of the process, not the end. When reviewing statements, certain patterns should prompt further questions.

Large, unexplained deposits can indicate layering, where illicit funds are introduced into an account to appear legitimate. Multiple smaller deposits from different sources may suggest structuring, where funds are broken up to avoid detection thresholds.

Inconsistencies with the client’s profile should also be treated carefully. Funds that appear disproportionate to what is known about the client’s occupation, income, or circumstances warrant further enquiry rather than acceptance.

Any indication that documents have been altered, cropped, or are incomplete should be treated as a serious concern. Original documents, or verified electronic statements from the bank, are preferable where there is any doubt.

When to Ask More Questions

A useful test is whether the explanation of funds feels plausible when set against everything else known about the client. If it does not, that instinct is worth acting on.

The obligation is not to prove that funds are clean, but to take reasonable steps to be satisfied that they are. Where something does not add up, further questions are required. If a satisfactory explanation cannot be obtained, the matter may need to be referred to the MLRO.

Proceeding without adequate source of funds evidence exposes the firm to regulatory risk and, in some cases, criminal liability.

Ultimately, source of funds checks are not about collecting documents, but about forming a clear and defensible understanding of where money has come from. The standard applied should reflect the level of risk, increasing where transactions are higher value, more complex, or less predictable. Where firms fall short is not usually in starting the process, but in stopping too early. The SRA’s expectation is clear: scrutiny matters, and if something does not make sense, it is not enough to record it and move on.

In 2023, a solicitor was convicted for the first time ever for tipping off, alerting a client that they were under investigation for money laundering. It was a landmark moment.

Here is what tipping off means in practice, where the line is, and how to stay well clear of it.

Why has tipping off become a focus for law firms?

For years, tipping off appeared in AML training as a theoretical risk. Solicitors understood it was an offence, but many assumed enforcement actions were rare or confined to other sectors.

The 2023 conviction changed that perception. A solicitor was found guilty under section 333A of the Proceeds of Crime Act 2002, marking the first time a member of the legal profession had been convicted of this specific offence. The case sent a clear signal that the legal sector is within scope for enforcement and that regulators are taking a more active interest.

Understanding what tipping off means in practice, and where the risks arise in day-to-day work, is now an essential part of AML compliance.

What is tipping off under UK AML law?

Tipping off occurs when someone who knows or suspects that a Suspicious Activity Report has been made discloses information to another person in a way that is likely to prejudice any resulting investigation.

In practical terms, if a report has been submitted or is suspected to have been submitted, the firm must not inform the client. This includes avoiding any statements or behaviour that could suggest they are under scrutiny.

The offence applies across the regulated sector, including legal professionals, and carries a maximum penalty of two years’ imprisonment and an unlimited fine.

Where is the line between communication and tipping off?

Two conditions must be met for the offence to arise. The person making the disclosure must know or suspect that a report has been made, and the disclosure must be likely to prejudice an investigation.

In practice, the definition of what may prejudice an investigation is broad. Referring to delays as being due to “compliance reasons”, providing vague or evasive explanations, or indicating that a matter has been escalated internally may create risk depending on the context.

The safest approach is to avoid any reference to the existence of a report. Where a transaction is delayed, a neutral explanation such as the need to complete standard checks or allow more time is generally acceptable, provided it does not imply that a report has been made.

What is the SAR moratorium period and why does it matter?

Where a Suspicious Activity Report is submitted requesting consent to proceed with a transaction, the firm must wait for a response from the National Crime Agency.

The initial period is seven working days. If no refusal is received within that time, consent is deemed to have been granted. If consent is refused, a further 31-day moratorium period applies during which the transaction cannot proceed.

During this time, the client cannot be told why the matter is delayed. This creates a practical challenge, as clients may expect progress and seek explanations. Firms that manage this risk effectively tend to prepare standard responses in advance rather than relying on ad hoc explanations.

What related offences should firms be aware of?

Section 342 of the Proceeds of Crime Act 2002 creates a separate offence of prejudicing an investigation. Unlike tipping off, this does not require a report to have been made. If someone knows or suspects that an investigation is underway and takes steps that could interfere with it, the offence may apply.

This reinforces the need for caution at an early stage. The risk does not begin only once a report is submitted, but from the point at which suspicion arises.

How should firms manage tipping off risk in practice?

Managing tipping off risk requires preparation rather than improvisation. All staff involved in client work should understand what tipping off is and why careful communication matters.

The Money Laundering Reporting Officer should be involved as soon as a report is being considered, so that communication with the client can be managed consistently. Firms should also develop agreed language for responding to delays or questions, ensuring that fee-earners are not required to decide how to respond in real time.

It is also important to recognise that internal reporting to the MLRO is not tipping off. It is a separate legal obligation and a critical part of the firm’s AML framework.

Tipping off is best understood as a risk that arises from how information is communicated, rather than from the act of reporting itself. Once suspicion exists, even well-intentioned explanations can create exposure if they suggest what is happening behind the scenes. The legal threshold is broad, and the consequences are significant.

Firms that manage this effectively do so by putting clear processes, training, and agreed client communication in place so that responses are measured, consistent, and do not depend on judgement in the moment.