ICAEW.com works better with JavaScript enabled.

Guidance on Customer Due Diligence on Law firms/solicitors

Helpsheets and support

Published: 29 Mar 2022 Updated: 29 Mar 2022 Update History

Firms ask us about the level of due diligence required for UK law firms and whether ID is required for individual solicitors. This guidance is designed to supplement the requirements within the CCAB AML Guidance for the Accountancy Sector.

Can I automatically apply simplified due diligence to all clients who are law firms?

No. Regulation 37 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 17) allows simplified due diligence to be applied where the firm has identified the risk to be low. It goes on to explain the attributes of a client that might suggest low risk is appropriate. If you conclude a law firm is low risk, you must have a clear justification of this – based on both the nature of the law firm itself and the service you are providing to the client. You cannot automatically apply simplified due diligence to all clients who are law firms/solicitors.

How do I risk assess and verify a law firm?

You risk assess and verify in the same way as you would for any other client, on a case-by-case basis. Your firm wide risk assessment should direct your approach to the process of assessing risk This will consider guidance from your AML supervisor and the National Risk Assessment.

The National Risk Assessment 2020 states that the risk of abuse of legal services for money laundering purposes remains high overall. Legal service providers (LSPs) offer a wide range of services and the services most at risk of exploitation by criminals and corrupt elites for money laundering purposes continue to be conveyancing, trust and company services and client accounts.

As with any other client consider the services you are offering alongside the countries or geographic areas in which the firm operates, its product and services, transactions and delivery channels.

If you have considered the above factors and you assess a law firm client to be low risk, then you may decide to perform simplified due diligence, but your risk assessment should be documented and justified.

Ongoing monitoring is still required to ensure that additional measures can be applied if there is a change in the client or engagement risk.

Do I need to identify and verify any partner in the law firm?

In cases where simplified due diligence is not appropriate, standard or enhanced due diligence would apply. This would require the identification and verification of those who own and control the partnership on a risk basis. This includes identification and verification of at least one of the key members of the partnership (and more than one where the risk rating is higher). It is not sufficient to rely on the entry in the register of the SRA, since this does not verify identity.

What if the solicitor is acting on behalf of a client and engages my firm’s services?

If your business relationship/engagement is with the solicitor/law firm, then Regulation 28 (10) would normally apply.

You must:

  • identify the solicitor/law firm
  • satisfy yourself that they have the authority to act on behalf of the underlying client.
  • verify the identity of the solicitor

In general, the engagement will be with the firm of solicitors, not with the individual instructing solicitor who will be acting in the capacity of partner or staff member of the firm, so it would be the authority of that firm and the firm that should be identified and verified.

Do I ever have to get Identity documents for an individual solicitor?

If the individual solicitor is a client (eg, for tax compliance services) then, yes, identification and verification on a risk basis is required as for any other client.