The SRA’s latest AML report marks a clear shift in enforcement. More inspections, more failures, and far less tolerance for underperforming compliance.

Here’s what the findings actually show, and what firms should be doing about it.

The numbers are difficult to ignore. In the year to April 2025, the SRA carried out 935 proactive AML engagements, up from 545 the year before. Of the 833 firms reviewed, nearly one in three were non-compliant, and a further 54% were only partially compliant.

That leaves fewer than one in seven firms fully compliant with their AML obligations.

This is not incremental improvement. It’s systemic underperformance in an area where the regulatory, financial, and reputational stakes are only increasing.

What the SRA found

The report identifies several areas of consistent weakness across the firms it reviewed. None of them are new. What’s changed is the SRA’s tone, the specificity of its findings, and its willingness to act.

Up to 39% of reviewed files did not effectively assess AML risk. Firm-wide risk assessments exist on paper but aren’t being applied at client level. High-risk matters are progressing without the senior oversight they require. Defective AML policies, controls and procedures contributed to a significant proportion of enforcement outcomes.

The SRA has been explicit: it expects risk assessments to inform decisions, not just document them.

Documents are missing from files, checks are relaxed for familiar clients, and enhanced due diligence is not being triggered when risk indicators are present.

Emerging threats, including deepfake ID fraud and remote onboarding risks, are exposing gaps in already inconsistent processes.

The SRA’s thematic review found that, across more than 5,800 client files reviewed, 11% lacked source of funds checks entirely and 18% showed inadequate scrutiny.

Firms are collecting documents but not reviewing them. The distinction between source of funds and source of wealth is still not being applied consistently, even in higher-risk matters.

For many firms, AML compliance still ends at onboarding. There is no structured mechanism to revisit matters, reassess risk, or refresh PEP and sanctions checks as circumstances change.

The SRA has identified ongoing monitoring as one of the most effective controls available, and one of the most consistently absent.

Template policies are not aligned to real-world practice. Training is not consistently refreshed or embedded. Governance structures, including MLRO oversight, do not always translate into effective day-to-day compliance.

An intensifying direction

The scale of supervisory activity tells its own story. Scrutiny is increasing, and it’s not slowing down. The SRA engaged with nearly twice as many firms in 2024-25 as the year before, and it has signalled clearly that all firms should expect attention.

At the same time, enforcement is intensifying. Combined AML penalties exceeded £1.5 million in 2024-25, the highest total yet based on SRA enforcement outcomes. The number of cases referred to the Solicitors Disciplinary Tribunal rose sharply, and criminal enforcement is no longer theoretical.

The message is clear: AML compliance is no longer a paper exercise.

The more significant shift, however, is structural. The government has confirmed that the Financial Conduct Authority will become the single professional services supervisor for AML, replacing the SRA and other supervisory bodies. The SRA will continue supervising AML through 2026 while legislation is prepared, but the direction of travel is already clear.

The FCA’s approach is more data-driven and backed by broader enforcement powers. Firms that treat 2026 as a year to prepare for FCA-level scrutiny will be far better positioned than those that wait.

What firms should be doing now

The SRA’s findings point to a clear set of priorities for firms that want to stay on the right side of compliance.

  • Fix your risk assessment framework first

The firm-wide risk assessment should reflect how the firm actually operates: its client base, transaction types, and geographic exposure. It should be actively used, not filed and forgotten.

Matter-level risk assessments should be completed before work progresses, include clear reasoning, and link back to the firm-wide view.

  • Stress-test your identity verification process

Are all relevant parties being verified? Are enhanced checks triggered at the right time? Is there a clear and auditable record?

As fraud risks evolve, reliance on manual document checks is becoming increasingly difficult to defend.

  • Move beyond “box-ticking” on source of funds

Receiving documentation is not the same as assessing it. Firms must actively review what is provided, question inconsistencies, and document their conclusions.

Source of funds should be standard on every file; source of wealth should be assessed in higher-risk matters.

  • Build ongoing monitoring into your workflow, properly

This requires a defined process, not good intentions. Whether through scheduled file reviews, case management prompts, or automated re-screening, firms need to ensure monitoring actually happens and that changes trigger reassessment.

  • Strengthen training and governance from the top down

AML training should be current, relevant, and regularly refreshed. Policies should reflect how the firm actually operates, not generic templates.

Governance structures must support consistent application of AML controls across the firm.

Our 2026 AML guide

If this raises questions about where your firm stands, Mastering AML Compliance in 2026 provides a practical starting point.

It covers everything from risk assessments and identity verification to source of funds, Safe Harbour, the DVS Trust Framework, and the role of technology, written specifically for conveyancers who need practical guidance, not regulatory theory.

OneSearch AML is a digital AML offering built specifically for conveyancers. To find out more, visit onesearch.direct/products/onesearch-aml.

We are delighted with the response to OneSearch AML since we unveiled the product two years ago; we hope you’ve had the opportunity to explore for yourselves the solutions it can provide when it comes to managing risk and protecting your firm.

We understand the world of Anti-Money Laundering can seem overwhelming at times: new regulations, confusing jargon and acronyms… and that’s not forgetting keeping on top of ever-evolving fraud strategies. On top of all that, you may often find yourself explaining this to your clients as well.

To help you conquer compliance, and master your firm’s AML checks, we’re offering a downloadable guide packed with practical advice and best practices for conveyancers.

In our guide, you’ll learn about:

  • Understanding your KYC/AML Obligations in 2026
  • A comparison of Manual vs Digital AML Checks
  • A detailed explanation of the Safe Harbour Standard
  • A guide to the most common AML phrases and what they actually mean

And also:

  • A full breakdown of the features and benefits of OneSearch AML, the most comprehensive anti-money laundering solution on the market.

Conveyancing transactions involving overseas clients carry a higher inherent risk of money laundering and come with a higher bar for due diligence.

Here is what enhanced checks involve, why international cases are more complex, and how to manage them effectively, en cinco minutos (we’re helping you with your international language there!)

Why are overseas conveyancing clients considered higher risk?

The UK property market has long attracted international buyers, and with them, an elevated risk of money laundering. Property is a well-established route for converting criminal proceeds into legitimate assets, and overseas clients introduce additional challenges that make due diligence harder to apply and easier to get wrong.

The SRA’s supervisory findings and the UK’s National Risk Assessment both identify international transactions as an area of increased concern. Residential conveyancing remains one of the highest-risk practice areas, and transactions involving overseas clients, particularly those linked to high-risk jurisdictions, overseas-sourced funds, or complex ownership structures, carry a heightened level of exposure.

The starting point for firms is recognising that a standard domestic customer due diligence approach may not be sufficient, and that enhanced due diligence will often be required.

When is enhanced due diligence required for international clients?

Enhanced due diligence is required under the Money Laundering Regulations whenever a higher risk of money laundering is identified. In the context of overseas clients, several factors commonly trigger this threshold.

A client who is not physically present presents a higher risk, as remote verification requires additional safeguards. Clients connected to high-risk third countries require increased scrutiny due to weaknesses in those jurisdictions’ AML frameworks.

Foreign politically exposed persons are treated as higher risk by default and require enhanced due diligence, including source of wealth checks and senior management approval. Where funds originate overseas, particularly where they pass through multiple jurisdictions or accounts, the complexity of verification increases and further scrutiny is required.

Any one of these factors may be sufficient to trigger enhanced due diligence. In practice, international transactions often involve more than one.

What does enhanced due diligence involve in practice?

Enhanced due diligence is not a single additional check, but a higher standard applied across the entire due diligence process.

For identity verification, firms need to consider whether their systems can genuinely support international checks. Not all digital identity providers can verify overseas documents, read foreign biometric chips, or access international data sources. Relying on systems designed for domestic use may create gaps in verification.

For source of funds, the evidential threshold is higher. Foreign bank statements may be more difficult to interpret or verify, and the regulatory environment of the originating country becomes relevant. Funds that move across multiple jurisdictions or accounts require careful tracing, and where the origin cannot be clearly linked to a legitimate source, this should be treated as a significant red flag.

For PEP and sanctions screening, checks must extend beyond UK databases. PEP status and sanctions exposure can vary by jurisdiction, and relying solely on domestic screening risks missing relevant information.

For ongoing monitoring, the same principle of proportionality applies, but risk profiles may change more quickly in response to geopolitical or regulatory developments. This means that reassessment may need to happen more frequently.

What challenges do firms face with international AML checks?

Enhanced due diligence for overseas clients presents practical challenges that go beyond standard domestic processes.

Staff may not be familiar with risk indicators associated with specific jurisdictions, making it harder to identify when something is unusual. Document verification is more complex, as overseas documents may not support NFC chip reading, may be issued in different formats, or may require translation.

Establishing ultimate beneficial ownership can also be more difficult. Corporate structures involving offshore entities and multiple layers of ownership can obscure who ultimately controls a transaction. Language barriers can slow the process and create gaps in understanding that introduce additional risk.

Firms should assess whether their current processes, systems, and expertise are sufficient for the type of international work they are undertaking.

What does good AML practice look like for overseas clients?

Firms that handle international clients effectively tend to adopt a structured and proactive approach. This includes clearly distinguishing between domestic and international matters at the outset, ensuring staff are trained on jurisdiction-specific risk indicators, and using verification and screening tools with genuine international capability.

They are also prepared to ask more detailed questions, request additional documentation, and escalate concerns to the MLRO at an earlier stage where the risk profile is unclear. A cautious and enquiring approach is often the most effective safeguard.

OneSearch AML supports international due diligence through access to global PEP and sanctions datasets, adverse media screening, and international identity verification tools designed for cross-border transactions.


Working with overseas clients requires a shift from standard due diligence to a more investigative and risk-sensitive approach. The presence of international elements, whether in the client, the funds, or the ownership structure, increases complexity and reduces the reliability of assumptions that might hold in domestic cases. Enhanced due diligence is therefore not just a regulatory requirement, but a practical necessity.

Firms that approach these transactions with the right tools, clear processes, and a willingness to probe further are better placed to manage risk effectively and demonstrate compliance if challenged.

Remote identity verification is now a routine part of conveyancing, but what it involves, and what makes it compliant, is not always clear.

Here is how the process works, what it covers, and what firms need to get right.

How has conveyancing moved to remote identity verification?

For much of conveyancing’s recent history, identity verification meant a face-to-face meeting, with documents examined in person, copies certified, and records updated manually. The COVID-19 pandemic accelerated a shift that was already underway, and remote identity verification has since become standard practice in many firms.

When implemented correctly, remote verification is not a compromise on security. Modern technology, including biometric matching, NFC chip reading, and liveness detection, can produce a more reliable result than manual document review, while also creating a clear and auditable digital record. Where processes are poorly designed or inconsistently applied, however, the risk increases. Documents may be accepted without proper scrutiny, checks may be incomplete, and audit trails may be insufficient.

Understanding what remote verification involves is essential to applying it correctly.

What does a compliant remote identity verification process include?

A compliant remote identity verification process covers three core elements, all of which must be present to meet the requirements of the Money Laundering Regulations and, for firms seeking HMLR Safe Harbour protection, Practice Guide 81.

The first is document verification, which confirms that the identity document is genuine. For Safe Harbour purposes, this involves reading the NFC chip embedded in biometric passports, EU and EEA identity cards, and UK biometric residence permits. The chip contains cryptographically signed data from the issuing authority, and verifying this data provides a level of assurance that cannot be achieved through visual inspection alone.

The second is biometric matching, which confirms that the person presenting the document is the individual shown on it. This is typically achieved by comparing a live image captured via a smartphone against the image stored on the document’s chip. The comparison is carried out algorithmically and provides a more consistent result than a manual check.

The third is liveness detection, which confirms that the image being captured is genuinely live. It ensures that the individual is physically present and not attempting to use a photograph, mask, or recorded video to impersonate someone else. This is a critical safeguard against increasingly sophisticated spoofing attempts.

What identity documents can be used for remote verification?

Not all identity documents support full remote digital verification. For the process to function correctly, and particularly for NFC chip reading, the document must contain an embedded chip.

The documents that meet this requirement include biometric passports, EU and EEA identity cards with biometric capability, and UK biometric residence permits. These allow the system to carry out full cryptographic verification.

Other documents, such as driving licences or non-biometric passports, can support identity checks but cannot be verified using NFC technology. For firms aiming to meet the HMLR Safe Harbour standard, a chip-enabled document is required.

What does the remote ID process look like for clients?

From the client’s perspective, the process is typically straightforward. They receive a link or access a secure portal, scan their identity document using their smartphone, capture a short video or image, and complete any required prompts. The process usually takes only a few minutes.

Behind the scenes, however, multiple checks are carried out simultaneously. The system performs NFC verification, biometric comparison, and liveness detection, cross-checking the results and flagging any inconsistencies. The outcome should be a clear, auditable record of the checks completed, including the results and timestamps.

This audit trail is important. The SRA expects firms to be able to demonstrate that identity checks were carried out, when they were completed, and what the outcome was.

What risks do firms need to manage with remote verification?

Remote verification introduces specific risks where processes are not properly designed or applied. Common issues include accepting documents that do not support full digital verification without recognising the limitation, relying on systems that do not carry out all required elements, and treating a verification report as the end of the process without reviewing its content.

It is also important to understand the scope of remote verification. It confirms identity, meaning that the individual is who they claim to be. It does not replace other AML requirements, such as source of funds checks, PEP and sanctions screening, or ongoing monitoring. These obligations continue throughout the life of the matter.


Remote identity verification should be seen as one component of a wider AML framework rather than a standalone solution. When all three elements are applied correctly, document verification, biometric matching, and liveness detection, the process can provide a high level of assurance and a clear audit trail. However, its effectiveness depends on how it is implemented and reviewed in practice.

Firms that treat remote verification as a complete solution risk overlooking the broader obligations that sit alongside it, while those that embed it within a structured and consistent process are better placed to meet both regulatory expectations and client needs.

Identifying politically exposed persons and sanctioned individuals is a core AML obligation, but it is one where the rules have recently shifted.

Here is what PEP and sanctions checks involve, who they apply to, and what the updated rules mean for how firms should approach them.

Why do PEP and sanctions checks matter in AML compliance?

PEP and sanctions screening sit within the broader customer due diligence framework, but they carry particular weight. The concern with politically exposed persons is that their public position creates an elevated risk of corruption or bribery, and that property transactions are a well-established route for laundering the proceeds.

Sanctions checks serve a different but equally serious purpose. They ensure that firms are not facilitating transactions involving individuals or entities subject to legal restrictions.

Both checks are required at onboarding, and both must be kept up to date throughout the life of a matter. A client who was not a PEP at the outset may become one, and sanctions lists are updated frequently.

What is a politically exposed person (PEP)?

A PEP is an individual who is, or has been, entrusted with a prominent public function. This includes heads of state and government, ministers, members of parliament, senior members of the judiciary, senior military officials, members of central banks, and ambassadors, along with their close family members and known close associates.

Under the Money Laundering Regulations, identifying a client as a PEP triggers enhanced due diligence. This includes obtaining senior management approval, taking steps to establish the source of wealth and source of funds, and applying closer ongoing monitoring.

Importantly, being a PEP does not mean refusing to act. It means applying additional scrutiny and documenting the approach taken.

How have the rules on domestic PEPs changed?

The treatment of domestic PEPs, meaning those who hold or have held public functions in the UK, has changed in recent years.

Since January 2024, the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 require firms to treat domestic PEPs as lower risk than foreign PEPs as a starting point. This is now set out in legislation, rather than guidance. Unless other risk factors are present, firms should apply a proportionate level of enhanced due diligence.

Further clarification was provided in FCA guidance FG 25/3, published in July 2025. This confirms that non-executive directors of UK civil service bodies should not be treated as PEPs, and reinforces that firms should not refuse or exit relationships solely because a client meets the PEP definition.

In practice, this means risk should be assessed on a case-by-case basis, rather than applied automatically based on a public role.

What are sanctions and how do they apply to law firms?

Sanctions are legal restrictions imposed by governments or international bodies on individuals, companies, or countries, often in response to national security concerns, human rights issues, or foreign policy objectives. In the UK, the Office of Financial Sanctions Implementation within HM Treasury administers the sanctions regime.

Firms in the regulated sector must not provide services to sanctioned individuals or entities, or facilitate transactions that would benefit them. Breaching sanctions can result in significant criminal and civil penalties, including fines and imprisonment.

Unlike PEP status, which requires judgement around risk, a sanctions match is a clear prohibition. If a client appears on a sanctions list, the matter cannot proceed without specialist legal advice, and reporting obligations may arise.

How often should PEP and sanctions checks be updated?

PEP and sanctions checks should not be treated as a one-off exercise. Both need to be refreshed throughout the life of a matter.

PEP status can change if a client takes on a new public role, and sanctions lists can be updated at short notice in response to international developments. Relying on a single check at onboarding creates a risk that changes will go unnoticed.

Manual processes make this difficult to manage consistently. Automated screening tools that re-check clients against current databases at regular intervals provide a more reliable way to identify changes in status.


Taken together, PEP and sanctions checks are not just about identifying risk at the outset, but about maintaining an accurate and up-to-date understanding of a client’s status throughout the life of a matter. While PEP classification requires proportionate judgement and a risk-based approach, sanctions obligations are absolute and leave no room for discretion.

The direction of travel in regulation is clear: firms are expected to apply these checks consistently, keep them current, and ensure that any changes in status are identified and acted on promptly.

AML compliance is not just about checking individual clients. Every firm in the regulated sector must also have a set of firm-level obligations in place that are documented, approved, and actively maintained.

Here is what the law actually requires, and what good governance looks like in practice, in just 5 minutes.

Why is AML compliance more than just client checks?

When people think about AML compliance in conveyancing, they tend to focus on client-facing checks such as verifying identity, understanding source of funds, and screening for PEPs and sanctions. These obligations are real and important, but they sit on top of a layer of firm-wide requirements that must be in place first.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose obligations on the firm as an entity, not just on individual fee-earners dealing with specific matters. Getting these foundations right is critical, as the SRA’s supervisory findings consistently show that weaknesses at firm level tend to flow directly into weaknesses at matter level.

What is a firm-wide AML risk assessment and why does it matter?

The starting point is Regulation 18, which requires every firm in the regulated sector to carry out and document a firm-wide risk assessment. This is a written analysis of the money laundering and terrorist financing risks the firm is exposed to, taking into account its size, client base, the services it offers, the geographic areas it operates in, and the types of transactions it handles.

The assessment must be approved by senior management and kept up to date. It is not a one-off exercise. It should be reviewed whenever the firm’s circumstances change materially, and at regular intervals regardless.

This matters because it sets the context for everything that follows. It defines what higher and lower risk look like for the firm, which in turn informs how individual client and matter risk assessments should be approached.

Who is responsible for AML compliance in a law firm?

Every firm in the regulated sector must appoint a Money Laundering Reporting Officer (MLRO). This is a named individual, typically a senior person within the firm, who is responsible for receiving internal reports of suspicious activity, deciding whether to submit a Suspicious Activity Report to the National Crime Agency, and overseeing the firm’s AML compliance more broadly.

The MLRO role carries real responsibility. The individual appointed needs sufficient seniority, authority, and access to information to carry out the role effectively. In smaller firms, this is often a principal or partner. In larger firms, it may be a dedicated compliance professional. In all cases, the appointment must be documented and properly supported, rather than treated as a formality.

What AML policies, controls and procedures are required?

Regulation 19 requires firms to establish and maintain written AML policies, controls and procedures. These should cover how the firm identifies and verifies clients, how it assesses risk, how it monitors ongoing matters, how suspicious activity is reported internally, how staff are trained, and how compliance is audited.

The policies do not need to be lengthy, but they do need to be meaningful. The SRA has identified cases where firms have adopted template policies without tailoring them to their actual practice, which fails the requirement. Policies should reflect how the firm operates in reality, and staff should understand and follow them in practice.

What AML training do staff need to receive?

All relevant staff must receive regular AML training. This includes not only fee-earners, but anyone involved in client onboarding, financial transactions, or file management. Training should cover what money laundering is, what the firm’s obligations are, how to identify suspicious activity, and how to report concerns internally.

Training also needs to be kept current. A one-off session delivered several years ago is not sufficient. Firms should be able to demonstrate when training was delivered, who received it, and what it covered.

When is an independent AML audit required?

Larger firms, or those with a higher-risk profile, are required under Regulation 21 to have their AML policies and controls independently audited. This does not necessarily mean appointing an external auditor. In some firms, it can be an internal function that sits outside the compliance team.

The key requirement is independence. The purpose of the audit is to assess whether the firm’s AML framework is actually working in practice, rather than simply existing on paper.


Taken together, firm-wide AML obligations form the foundation of effective compliance. A documented risk assessment, a clearly defined MLRO role, tailored policies, regular training, and independent oversight are not separate requirements but parts of a single system.

Where firms fall short is often not in having these elements in place, but in failing to connect them or keep them active. The regulatory expectation is clear: these controls should shape how the firm operates day to day, not exist as static documents created to satisfy a requirement.