Risk Management

What does beneficial ownership mean for AML compliance

What does Beneficial Ownership mean for law firm AML compliance?

Anti-Money Laundering, Audit, Blogs, Legal Compliance, Regulatory Compliance, Risk Management / Mark

Whether you’re based in the UK or Australia (where our sister firm AML Sorted is based), are a law firm whose areas of law offer corporate and commercial law, you’re going to need to know what Beneficial Ownership means.

The UK and Australian governments and regulatory bodies are pretty clued up on these risks, which is why they’ve brought in some stringent anti-money laundering (AML) regulations. Understanding beneficial ownership information is a central requirement of those regulations, and it’s critical to your firm’s AML compliance and control structures.

Understanding beneficial ownership
Definition of an individual PSC of a UK company
Definition of a beneficial owner of an overseas entity
Examples of concealing beneficial ownership
Don’t rely on the corporate veil — lift it
Challenge vague answers
Document the risk rationale
Verify control, not just ownership
Watch for layered structures
US Legislation News

Understanding beneficial ownership

When we talk about ‘beneficial ownership,’ it’s all about figuring out who really owns or controls something, whether it’s a property or a company. It’s not just about the names on the official paperwork, ie…. the ‘legal owners.’ For specialists like us at Teal Compliance, and AML Sorted, we’re like detectives, digging deeper and deeper until the ownership and control is truly transparent. In another life instead of solicitors and AML compliance experts we’d be investigative journalists!

In the world of property and conveyancing, as an example, we’ve got to identify and check who’s actually pulling the strings and getting any benefit from a property deal, even if they’re not the ones listed on the deeds. Our job in AML compliance is to support you, the law firms and the MLROs, protect your bottom line and your reputation whilst ensuring financial criminals are held to account.

Identifying beneficial owners is really important when we’re trying to stop money laundering because criminals are sneaky. They often hide their dirty money by owning entities that are set up through complicated setups like shell companies and trusts. It makes it really hard for anyone to trace where the money really came from.

In this blog, when we use the acronym PSC, this means person with significant control.

Definition of an individual PSC of a UK company

In accordance with the Economic Crime and Corporate Transparency Act: beneficial ownership (last updated on 1st March 2024) the definition of an individual PSC of a UK company comes under Schedule 1A, where it states that if an individual (“X”) meets one or more of the following conditions in relation to a company (“Y”), they must be registered as a PSC in respect of Y:

X holds, directly or indirectly, more than 25% of the shares in company Y.
X holds, directly or indirectly, more than 25% of the voting rights in company Y.
X holds the right, directly or indirectly, to appoint or remove a majority of the board of directors of company Y.
X has the right to exercise, or actually exercises, significant influence or control over company Y.
The trustees of a trust or the members of a firm that, under the law by which it is governed, is not a legal person meet any of the other specified conditions in relation to company Y, or would do so if they were individuals, and, X has the right to exercise, or actually exercises, significant influence or control over the activities of that trust or firm.
1. If you want to dig deeper into LSAG’s definition of a beneficial owner when it comes to the topic of TRUSTS, law firms should verify settlors, beneficiaries, protectors, and the assets the trust holds (not just the trustee). You can read more under LSAG Section 6.14.12.2) or of course, get in touch with us or become an ASK TEAL client.

Definition of a beneficial owner of an overseas entity

Under paragraph 6 of Schedule 2 to the Economic Crime (Transparency and Enforcement) Act 2022, a person (“X”) is a beneficial owner of an overseas entity or other legal entity (“Y”) if one or more of the following conditions are met:

X holds, directly or indirectly, more than 25% of the shares in Y.
X holds, directly or indirectly, more than 25% of the voting rights in Y.
X holds the right, directly or indirectly, to appoint or remove a majority of the board of directors of Y.
X has the right to exercise, or actually exercises, significant influence or control over Y.
The trustees of a trust, or the members of a partnership, unincorporated association or other entity, that is not a legal person under the law by which it is governed meet any of the conditions specified above in relation to Y, and, X has the right to exercise, or actually exercises, significant influence or control over the activities of that trust or entity. Note: please reference 5.a above for more information on LSAG and trusts.

Examples of concealing beneficial ownership

The National Crime Agency’s (NCA) news page is full of crimes and it’s worth having a read to keep you and your compliance officers on their toes. The agency always says to keep a look out for changes in client circumstances. Are the international sanctions’ listings checked on a daily basis? If your client is an art dealer or auction house and your diligence measures flag up questions over their source of funds on their artwork, get them to check these red flags:

Attempts to transfer artwork or cultural property ownership to a family member, close contact, business associate or other intermediary, or
Attempts to sell artwork or cultural property quickly, or move it to another jurisdiction.

Be especially vigilant when dealing with front or shell companies, or intricate corporate or trust structures that obscure the ultimate beneficial owner. While it’s tempting to prioritise well-paying, existing clients, the heightened focus on combating money laundering means your firm faces significant risk if you’re flagged for inadequate AML compliance by the SRA.

Definition of Beneficial Owners: those that might benefit from their ownership of an entity or asset (eg a company.) You will need to identify and undertake reasonable measures to verify the identity of your clients, especially when dealing with high-risk clients or transactions.

Don’t rely on the corporate veil — lift it

Always identify the natural person(s) behind any legal entities. Shell companies and complex structures can hide risk — dig and keep digging, until you find the ultimate beneficial owner (UBO), not just the named shareholders.

If you are concerned about upsetting your client, find ways of carrying out your due diligence and be specific and clear about what you need at the outset.

Why not provide a list to your client with the information you need and if they push back have the back up to explain the purpose.

You should always ask for their details – see below (where applicable) to support and evidence your AML processes and controls. The SRA and your insurer will thank you for this….

Shareholder registers
Company structure charts
Trust deeds

Challenge vague answers

Here’s an example of what your MLRO might be up against….

Client: “Oh, the company is owned by a few investors.”

Reply with… “To comply with regulations, we need to identify the individuals who ultimately own or control the company. Could you please provide a list of all shareholders with more than 25% ownership, and details about anyone who has significant control over the company’s decisions? We really want to protect your own interests and this information will support this.”

Document the risk rationale

Keep clear notes on why a client is low, medium, or high risk, especially if beneficial ownership is complex. You’ll thank yourself during audits or inspections.

Our own software, the TEAL TRACKER, supports your documentation and evidence in this regard because it includes a high-risk client register, an undertakings register, incident management tracker, file reviews and more.

Here’s the framework we are aligning ourselves to, and knowing which legislation your tracking and note taking adhere to will help you and your team.

Money Laundering Regulations 2017: These regulations are the cornerstone of AML compliance in the UK and place a legal obligation on firms to identify beneficial owners.

Economic Crime (Transparency and Enforcement) Act 2022: This Act introduced the Register of Overseas Entities, further emphasizing the importance of beneficial ownership transparency, especially in relation to UK property.

Proceeds of Crime Act 2002 (POCA): This is the legal backbone of the UK’s fight against money laundering and places stringent obligations on law firms to be vigilant, to have strong AML controls, and to report suspicious activity.

Companies Act 2006 (in particular Schedule 1A): In this act, it defines “People with Significant Control” (PSCs) for UK companies, which is closely related to the concept of beneficial ownership.

Verify control, not just ownership

Control can be exercised in various ways, and it’s important to look beyond just shared ownership.

A person can be an ultimate beneficial owner (UBO) if they exercise significant control, even if their shareholding is below 25%, for example when your client is an LLP. Check for influence via voting rights, directorships, or veto powers.

Red flags to be on high alert for include:

Nominee Directors or Shareholders: The use of nominees to hold shares or directorships.

Lack of Transparency: Reluctance to provide information or vague answers about ownership and control.

Inconsistent Information: Discrepancies between information provided by the client and information from other sources.

Why not do your research and look into their confirmation statements, do they have information on control of beneficial ownership on their websites, or are Board Minutes available to you?

Check on the Registers for Beneficial Owners website, and run a check on the background and relationships of the company’s directors and senior management.

Watch for layered structures

Multiple holding companies across jurisdictions may indicate masking of the truth! You’d want to understand the chain until you reach a human being. We appreciate that layered ownership structures can feel like untangling a particularly tricky ball of wool, but the key is to break it down step by step—each layer tells part of the story.

What would you do in the following scenarios?

Multiple Layers of Ownership where ownership is divided across several entities, often spanning different jurisdictions (e.g. Company A owns Company B, which owns Company C, and so on).
Use of Shell Companies, which are entities that exist only on paper, with no significant business activities, often used to add layers of ownership without transparency.
Circular Ownership, which occurs when entities within the structure own shares in each other, creating a loop that obscures the ultimate beneficial owner (UBO).
Offshore Jurisdictions are entities registered in jurisdictions with high levels of secrecy and minimal disclosure requirements are often included to complicate tracking.
Nominee Directors or Shareholders (as mentioned above), can be individuals or entities who are listed as directors or shareholders but act on behalf of the true owners without having actual control or interest.
Frequent Changes – watch out for regular changes in ownership, directors, or shareholders because these can make it harder to establish a clear picture of control.
Trusts and Foundations are legal arrangements that can be used to conceal the identity of the true owners by placing assets under the control of trustees or foundations.

The above structures are often red flags for money laundering, tax evasion, or other illicit activities. In these circumstances, your enhanced due diligence (EDD) measures, such as verifying the identities of beneficial owners and understanding the ownership structure, are crucial to back you and your practice up.

US Legislation News For Information

It’s worth noting that the US has also stepped up its efforts in corporate transparency, introducing new provisions that came into effect on 1st January 2024. These rules now require certain corporate entities in the States to report information about their beneficial owners.

Much like the corporate transparency legislation we’ve seen introduced in other parts of the world, including our own measures here in the UK, the overarching goal is to make it tougher for those with illicit intentions to conceal their activities behind shell companies or other murky ownership structures. The hope is that this increased transparency around who really owns and controls these entities will be a significant weapon in the ongoing fight against money laundering and the financing of terrorism.

To wrap this article up, the one thing I urge you to remember, is that it’s up to you to take reasonable measures to verify the identity of the beneficial owner.

For more information on the Register of Overseas Entities, you can click here to read more. The ROE came into force in the UK on 1 August 2022 through the new Economic Crime (Transparency and Enforcement) Act 2022.

Thanks for reading and if you have any specific questions on this subject or would like to take advantage of our ASK TEAL service, you can get in touch HERE.

Tom Hughes

Senior Associate

What does Beneficial Ownership mean for law firm AML compliance? Read More »

SARs - understanding suspicious activity with key insights and reporting tips from Teal Compliance and Amy Bell

SARs – Understanding Suspicious Activity: Key Insights and Reporting Tips

Anti-Money Laundering, Audit, Blogs, Legal Compliance, Regulatory Compliance, Risk Management / Mark

Teal Compliance explains the signs of suspicious activity in law firm compliance and risk management.

Before I kick off this blog, I’m going to remind you (or explain to you if you are new to the role of an MLRO or COLP) what suspicious activity actually means when it comes to law firm compliance and risk management.

In the context of anti-money laundering (AML) compliance, “suspicious activity” refers to behaviour, transactions, or patterns of conduct that give rise to a suspicion that money laundering or other criminal activity might be taking place.

Persons working in the regulated sector are required under part 7 of the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000, taking into account relevant guidance provided by your regulator, for example the SRA and the Law Society of England and Wales.

If you hold a client account, carry out work in trust and company formation, or offer conveyancing as a legal service, you are more likely to be targeted by financial criminals. Our ASK TEAL service is extremely helpful and supportive for defining suspicious activity, understanding reasonable grounds, inappropriate use, responsibilities of the MLRO / MLCO (depending on size of firm), and the process around reporting economic crime.

To get an idea of the amount of reports submitted, the UK Financial Intelligence Unit (UKFIU) receives over 460,000 SARs per year and stores them in a secure central database.

Before I crack on with more guidance and examples of suspicious activity, here’s a reminder of acronym meanings:

SOW – source of wealth
SOF – source of funds
SAR – suspicious activity report
MLRO – money laundering reporting officer
MLCO – money laundering compliance officer
AML – anti-money laundering
CDD – customer due diligence
DAML – defence against money laundering

This blog is predominantly for the legal profession and we’re kicking it off with Section 12 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (Regulations), Section 12 definition.

AML Guide: Independent legal professionals/trust/company service providers

So, when we’re talking about ‘independent legal professionals’ in these regulations, what we’re really referring to is a firm or a solo lawyer, you know, someone who’s running their own show, providing legal or notarial services to other people. But, and this is important, it’s specifically when they’re involved in financial or property deals.

Think things like:

the buying and selling of real estate and property or business entities;
Management of client money, securities or assets;
the opening or management of bank, savings or securities accounts;
anything to do with setting up, running, or managing a company, when money’s involved; or
the creation, operation or management of trusts, companies, foundations or similar structures.

When you ever read someone that ‘participates’ in a transaction for these rules, what we’re talking about is if they’re helping out with the planning or actually making the transaction happen. Essentially, if they’re acting for the client in some way during the whole thing. It’s about being involved, not just watching from the sidelines.

And then, when we get to ‘trust or company service provider’ that’s a firm who’s running a business and offering these specific services to clients. Now, the key here is, it’s only when we’re actually providing these services that we fall under that definition. So, basically, if I’m providing these services:

forming a firm (The SRA’s definition – forming any entity that, whether or not a legal person, is not an individual and includes a body corporate and a partnership or other unincorporated association)
acting, or arranging for another person to act
- as a director or secretary of a company
- as a partner of a partnership; or
- in a similar capacity in relation to other legal persons;
providing a registered office, business address, correspondence or administrative address or other related services for a company, partnership or any other legal person or legal arrangement;
acting, or arranging for another person to act,
- as a trustee of an express trust or similar legal arrangement;
- or a nominee shareholder for a person other than a company whose securities are listed on a regulated market.

Here’s Section 12’s specifics from source READ HERE.

What is the Definition of Suspicious Activity?

So, what exactly counts as ‘suspicion’ in our line of work?

Well, it’s a lower hurdle than you might think. In the case of R v Da Silva the present standard is set. Lord Justice Longmore said,

“So, probably, ‘knowing’ will not arise and what will arise instead is ‘suspecting’, which is a very different state of mind to knowing. To suspect something, you have a state of mind that is well short of knowing that the matter that you suspect is true. It is an ordinary English word. Members of the jury, if the Crown can show that the defendant said to herself, ‘I suspect that this money is the proceeds of criminal conduct, but it may be, on the other hand, that it is not’, that would fall within the definition of ‘suspicion’. The dictionary definition, which I direct you is relevant to the meaning of the word, is this. The dictionary definition of ‘suspicion’: ‘an act of suspecting, the imagining of something without evidence or on slender evidence, inkling, mistrust’. Therefore, any inkling or fleeting thought that the money being paid into her account 9950 might be the proceeds of criminal conduct will suffice for the offence against her to be proved.”

Essentially, if there’s a possibility, beyond just a far-fetched one, that something’s amiss, you’ve got a reportable suspicion. Of course, a simple ‘gut feeling’ isn’t enough, but if you’re thinking ‘there’s a chance this isn’t right,’ it’s time to take action.

I’m often asked about examples and how far back in the SOF you should be looking at suspicious activity work or actions. The answer is…it depends…because no two clients are the same and no two matters are the same. I’d start by some training on this to begin with, and thereafter have a clear protocol in your policies for firmwide use and follow with proactive controls. Better safe than sorry right?

Suspicious activity may include:

Unusual or inexplicable transactions: Let’s say you’re a conveyancer and your client has passed on admin and payments to a proxy third party. Why? Maybe the purchase price is much higher than current market value. Is your retainer set out £1,000 but they are insistent they’d like to be retained at £10,000? There are a variety of red flags to watch out for here.

Inconsistent behaviour: We would urge you to be on high alert for inconsistent purchaser behaviour in conveyancing or commercial entities. Are they changing key details, are they hard to get hold of, putting off replying to urgent requests? Time to investigate them further!

Deceptive and secretive clients: Got a client that seems evasive? Is the client avoiding questions? Is the client providing incomplete or false information? Why did the client choose your firm?

Exploitation of professional services: You will have been hiding under a rock if you don’t realise that financial criminals target us in the legal services to hide the origins of their illicit funds, i.e. dirty cash. Remember this case of a well paying and long standing corporate client who manipulated their instructing firm and chugged £4.1m through the client account for use of a banking account? The firm was fined £36k by the SRA. Legal Futures article can be read HERE.

A suspicion does not require certainty or concrete proof of money laundering. Instead, it arises when, based on the available information you have, a reasonable person concludes that there is something unusual warranting further investigation.

You’ll no doubt have read the latest cases for firms being fined for breaching AML conditions, like the firm where two partners were fined £50k for offering a banking facility to their wealthy client. In 2023 – 2024 alone, the SRA “submitted 23 SARs, performed 237 proactive inspections, and 258 desk-based reviews, and brought enforcement action against a combined total of 78 firms and individuals.”

This is Teal’s original blog, which has more information to delve into: “AML Definition of Suspicion”

Please note that failure to file a SAR after suspicion is raised is an offence under UK law. You can read the full Law Society guidance HERE.

Key Indicators of Suspicious Activity

The following are some classic examples of what to look out for in terms of red flags.

Unusual Transactions

Large, unexpected deposits with no clear explanation.
Multiple small transactions that together exceed a threshold.
Use of complex legal structures (e.g., trusts, offshore companies) without clear rationale.

Client Behaviour

Reluctance to provide identification or supporting documentation.
Insistence on confidentiality without clear reason.
Clients seeking to use cash for large transactions.

High-Risk Jurisdictions

Funds originating from or being sent to high-risk jurisdictions (e.g., countries known for corruption or weak AML controls)
Keep your “Black and grey” lists pinned to your desktop for continued updates.

Conveyancing and Real Estate

Over or under valuation of property compared to market norms.
Use of funds from unverified sources, particularly cash deposits.

Obligations for Law Firms

Under the AML regime, solicitors and law firms must:

Conduct Customer Due Diligence (CDD): Verify the client’s identity and the source of funds.
Monitor Transactions: Look for unusual patterns or behaviours.
Report Suspicious Activity: File a Suspicious Activity Report (SAR) to the UK Financial Intelligence Unit (FIU) within the National Crime Agency (NCA) if suspicious activity is identified.

Scenarios of Suspicious Activity

Here are some examples that will give you some insights into what and how organised crime can work:

Scenario 1: High-Value Cash Deposit for a Property

A solicitor is instructed by a new client to assist in purchasing a property worth £1.5 million. The client insists on paying £1 million in cash and provides vague explanations for the source of funds. Despite requests for supporting documentation, the client refuses to provide details.

Red Flags: Large cash payment, lack of source-of-funds evidence, and unwillingness to cooperate.

Action: The solicitor would usually file an internal suspicious activity report to their MLRO and then it is the responsibility of the MLRO to decide whether a SAR needs to be made to the NCA.

Scenario 2: Use of Offshore Companies

A client establishes an offshore company and instructs a solicitor to assist with purchasing several properties. The company is registered in a jurisdiction with weak AML controls, and the client is vague about the ultimate beneficial owner (UBO).

Red Flags: Complex structures without legitimate purpose, high-risk jurisdiction, and lack of transparency regarding UBOs.

Action: The solicitor must conduct enhanced due diligence (EDD), request documentation to identify the UBO, and must speak to their MLRO, and then file a SAR if suspicions persist.

Scenario 3: Unusually Structured Payments

Corporate client instructs a law firm to hold funds in a client account as part of a commercial transaction. The funds are received in multiple instalments from unrelated third parties, and the client can’t provide a satisfactory explanation.

Red Flags: Multiple third-party payments, no legitimate business explanation.

Action: Conduct CDD on all parties involved, report to their MLRO, and refuse to proceed if concerns remain, and consider filing a SAR.

Scenario 4: Evasive Client Behaviour

A client seeks advice on setting up a trust but is reluctant to disclose the purpose or the source of the funds. The client requests frequent meetings but provides contradictory information about their income and assets.

Red Flags: Lack of transparency, contradictory information, and attempts to obscure the trust’s purpose.

Action: Ask further questions, verify the information provided, and if suspicions persist, file a SAR.

ALWAYS report suspicious activity to your MLRO come what may.

What triggers a suspicious activity report (SAR) in the UK?

Here’s the deal. There are these laws we have to follow, right? Part 7 of the Proceeds of Crime Act (POCA) and the Terrorism Act. Basically, if you’re working in a regulated field – and that’s us – you have to file a Suspicious Activity Report if you have a sniff that someone’s trying to launder money, evade tax or fund terrorism.

If you, as a law firm, suspects that a client’s SOW or SOF is suspicious, you have to:

Conduct further inquiries to clarify the situation.
Document all findings and decisions.
Consider whether to file a Suspicious Activity Report (SAR).

Reporting Suspicious Activity (SAR)

The above triggers would mean then that you, as an MLRO, or compliance officer, overseeing compliance in your firm should report suspicions straight away to the NCA and SRA (if regulated by the SRA) as follows.

National Crime Agency (NCA):

Yes, as a law firm, you are legally required to report suspicious activity to the NCA via a SAR. The NCA has made this easy to do, as they have a secure SAR portal that you can submit a Suspicious Activity Report.

It shouldn’t surprise you that the SAR portal is SECURE.

Solicitors Regulation Authority (SRA):

While a legal practice has to primarily report suspicious activity to the NCA, it also has obligations to the SRA. Doesn’t everything?!

If the suspicious activity involves a breach of SRA rules or raises concerns about the firm’s compliance, they must report this to the SRA.

Aligning to the SRA’s guidance, you’ve got to report all serious breaches of the money laundering regulations to them. Schedule 4 (12) of the regulations state that supervisors have to collect all information regarding the number of contraventions of these Regulations committed by supervised persons.

A reminder of what constitutes as a Serious Beach

serious or persistent compliance failures involving safeguards designed to prevent money laundering
clear risks of money-laundering activity taking place, or
where there has been potential loss or harm to businesses or individuals.

ASK TEAL is the perfect support solution and service for you, where our compliance consultants and associates are on hand to guide you through your query. Please find out more HERE.

The SRA has its ETHICS HELPLINE to help if unsure: 0370 606 2577

Amy's Reminders and Key Takeaways

Further to the Law Society Risk & Compliance Conference 2025, there is a clear requirement for law firms to conduct better and more robust AML protocols. Don’t rely on a template and not tailor it to your clients and areas of work.

Always conduct thorough CDD and escalate to EDD where necessary.

Please be vigilant about client behaviour, source of funds, and high-risk jurisdictions.

Report suspicions promptly through a SAR, even if it means delaying or refusing a transaction. It’s just not worth the risk.

If there’s one thing I’ve learned in my years working with law and AML, it’s this: meticulous record-keeping is your ultimate defence when demonstrating compliance.

Suspicious Activity Resources Reminder

Proceeds of Crime Act 2002: The primary legislation governing SARs together with the Terrorism Act 2000 (TACT).
Money Laundering Regulations 2017: Sets out AML obligations for law firms. These regs were amended with:
- the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 which came into force on 10 January 2020. This implemented broad changes to the regulations.
- the Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 made narrow changes mainly to the requirements around trust registration.

When we draft Firm Wide Risk Assessments for clients we also refer to the 2023 amendments which you can read HERE. This amendment was made so that domestic PEPs are treated as lower risk than overseas PEPs, although to be clear, EDD does need to be applied in both instances.

SRA Anti-Money Laundering Guidance: Provides detailed guidance on AML compliance.
NCA SAR Portal: The online platform for filing SARs.

Thanks for reading, and please get in touch with any questions, you know I’m always happy to help.

Amy (with a big dollop of help from Rhiannon!)

SARs – Understanding Suspicious Activity: Key Insights and Reporting Tips Read More »

Open Banking Landscape for Law Firms in 2025

Anti-Money Laundering, Blogs, Legal Compliance, Risk Management / Mark

Head of Legal at Armalytix, Tom Lyes, joined Amy Bell for a Coffee Conversation to discuss what the Open Banking landscape for Lawyers looks like in 2025.

The following is an abridged version of the webinar and I am jumping to the questions that came at the end of the webinar to start off this blog as they will set the pace for the rest of it!

In the webinar, Tom discussed:

Where are we now with Open Banking?
What’s next?
How the cases for lawyers are maturing beyond resi property into new disciplines such as Family Law and Commercial
How Armalytix has evolved by delivering the same output to a lawyer irrespective as to whether a client can use Open Banking or not
Open Banking in other jurisdictions

I was thrilled that Tom joined me in the conversation of open banking because I am an advocate for leveraging technology in law firms. I’ve known Tom for ages and value his insights and experience and this blog gleans information and guidance from our Coffee Conversation held on 20 March 2025.

At its core, open banking is all about making it easier and safer for businesses to connect directly with banks. Think of it as a way to share financial data and access bank services, like setting up payments, without all the usual hassle. The whole idea is to make things more transparent and generally simpler for businesses, and their clients / customers.

The back story is that open banking came about when Europe brought in the law called PSD2 back in 2018. The aim was basically three things:

to give people more control and understanding of their finances;
to offer more payment options; and
to boost competition and innovation, which ultimately leads to a better experience for everyone.

When we talk about law, finance, regulations, risk management and couple them with innovation that’s when we really shake things up in the legal sector. For Armalytix, it means they can set up lawyer payments using what they call a ‘straight-through’ process. Which means payments can go directly from A to B, with way less paperwork and faff. It’s making things much smoother, and honestly, it’s about giving clients back time they more often than not, don’t have much of.

You can catch up on the full recording HERE.

As always, the questions came in fast and furious at the end of the webinar, and I wanted to start with a couple of topics that were pertinent to the whole conversation and are trending too; AI and Training being the two most stand out.

I’ve literally been asked about AI policies so many times for law firm compliance in conjunction with regulations. The question of what AI processes Armalytix use was always going to come up. As I am in the midst of drafting AI policies I was also intrigued as to what Tom and his team were doing on this subject.

Question: What function does AI have in Armalytix technology, and how does the law firm and their client gain confidence that the AI is not “imagining” experimental data?

Tom’s response: Most of our open banking journeys don’t really use AI. AI is probably used in our statement scanning, in that we’ve taught the machine to be able to recognize a bank statement from a bank. This means we can recognize that it’s a (for example) Monzo bank statement. We ask it if we can recognize if the documentation is a Nationwide bank statement. That’s where AI comes in.

One of the questions that we get asked is around obvious use cases that we see in the legal sector around AI, being the summarising of information. We could, in theory, run these reports and start to teach AI to provide written summaries of those. Further to Teal’s innovation day and conversations around AI last year however, clients and our wider audience seemed really nervous about that the summarisation aspect. In particular, from an AML point of view, the response to our summarisation proposal was the worry that AI would read the summary but not look at the underpinning data.

Broadly speaking, and from the feedback Teal received, as yet, we haven’t pursued anything further on this front, although I think over a period of time, AI and people’s perceptions will change as they become more comfortable with AI summarisations of large amounts of information.

On this topic, it led me to another question. As an auditor and adviser to law firms, I find myself talking to clients about the software they bring in to assist with their AML and also for use cases. One of Teal’s leading questions for clients implementing software seems simple, do you know how it works? I always ask who trains who in the firm and does it come from the source?
I put this question to Tom.

Question: What are the key things that you would say a user needs to make sure they’ve done with training in this regard, and would they know how to explain it, say, if I came knocking at their door as an auditor?

Tom’s response: We would break the onboarding project into two parts.

If you’re going to bring any technology or process into a firm, you’ve got to align that with what you’re telling your clients, and you also have to align that internally so people know why.

I can see that the best run projects are where the people leading the projects can clearly explain to people internally, “why are we doing this”? It might only be two or three key points, but people just need to understand that. Get your team to come on the journey with you

The second part is around training. Lawyers get reports, but they don’t necessarily understand how to interpret that data, so the need for training is key. I always say that the focus of the training is on what the report is telling you at a high level.

Question: What do you define as risky in a firm wide risk assessment?

Tom’s Response: We have something called our Risk Insight, which is unique to each firm, i.e., not from our analytics. We give people the ability to build those insights within our environment, so that when someone reviews a report, they’re effectively reviewing something initially that says these are the risks in our practice that they deem risky.

Tailored risk insights help a firm to get a flavour as to what they are going into before they are thrown into the analytics. For example, overseas money coming into client account on a residential property transaction.

From going into firms to audit my associates and I see instances where training can decrease its efficiency. By this I mean that sometimes we see firms who rely on their own staff to train new colleagues coming into the firm. Training from the source should be for everyone. We ask our clients if everyone in the firm has received the same level of training as the people who initially received it?

Armalytix runs its Analytics 101, which is a bi-weekly session where firms who have new users are invited to bring those new users along. It’s an open training session. All new users can find out exactly how the reporting side of things work, and with bigger firms, we do a slightly more nuanced and customised version of that as well.

Essentially training is absolutely crucial, because if you’re a team that’s responsible for delivery of a project, it’s probably going to fall back on you if the training has become diluted.

Whenever a firm brings in new technology, there are always going to be teething issues but technology evolves too. So, the challenges come in a two-pronged process that requires consistent decisions around training and investing highly in that.

That’s not to say everybody’s appetite for risk is the same, but from my experience, if you give structure and consistency your risk is less.

Tom spoke about monitoring and in particular, the AML world – what does it look like from his perspective in terms of end client support requests? He said that if he could see a firm that was onboarded recently as a client of Armalytix, they have a barometer on what the monitoring should look like.

We went onto speak about evolving products for open banking, AML and risk management. Simply put, we all need refresher courses from time to time, including new features as an example. But also, and this goes for any software, what I see is firms expecting their current users to train any new colleagues coming in, as if by osmosis. I mentioned this above I know, but it is a real issue Teal is seeing. What if I come in to audit and ask you or your colleagues to explain to me how a search works in an audit? And what does the audit check? I might ask how they know what to do with the results of the search? I could go on, but it highlights to me that all training ideally for risk management, should always come straight from the source, and by the provider.

Question: How long does Armalytix store data? Is it stored outside the UK? Is it done via an app? And if so, do clients need to keep the app on their phone?

Tom’s response: No, it’s not an app, we are web based, which means that clients can do the journey on a desktop and on their mobile (and it’s fully mobile compatible). From a data storage point of view, we store it for what we’re legally asked to store it for in terms of number of years, because it’s our journey and different to the law firm, as the end client is our end client. When the client comes into our analytics, they have to sign up at the end of the journey, or once the firm has shared a report. They could request at any point for their data to be deleted.

In those instances, we’d naturally make sure that we would communicate with the end client’s law firm to make sure they have a copy of the report downloaded for their own purposes. We would confirm that the end client has requested directly from Armalytix to delete the data.

All the data is stored within the EU at the AWS, which is a well-versed method of data storage, using Amazon web servers.

Teal Tracker is a software service and I understand Tom’s procurement questions because as providers we have to have everything ready to go to those who might need to view it for due diligence purposes. The SRA are becoming increasingly interested in what due diligence law firms are carrying out on their suppliers too, which is why I was particularly interested to hear what Tom was saying about regulations and the differences in regulation. The notes on this are further down in the blog.

As a law firm and if you’re using a provider for open banking or another service, if you don’t know firstly, that provider’s regulatory stance, and second how many parties are involved in the delivery of that service, and you aren’t aware of their processes it can be extremely detrimental to your risk management policies.

Tom and I were agreeing that if a software a law firm uses “goes down” and you can’t get access to the data, it may not be the analytics that’s crashed, it may well be the bank (as an example). There are layers to verify and check. If the SRA comes knocking asking you if you’ve done your due diligence on your service provider, will you have the reports at hand?

From a supplier perspective, Tom said that they have a data pack that sets out 90% of what Armalytix would expect to be asked as part of a DPI. He said he would expect law firm suppliers to be proactive on this front if you asked that question. It’s a pretty good sign of what type of supplier you’re working with, if they’re proactive about covering this topic! Worth a conversation with your current supplier maybe?

Question: If we’re using open banking software, do you still recommend obtaining original ID documents? Can we just rely on the ID docs being uploaded through the checks?

Amy’s response: I think his question is probably for me. I think the question might be about ID and Verification, as in the identity of a client, which is out with your service. If you’re going to use a software provider to help with the identification verification step of your client’s due diligence and you’re only going to use that software service, it has to be in accordance with the regulations; it has to be secure from fraud and misuse.

Now, if the reality is that those systems are using a biometric check or a document verification by looking at the image of the document, combined with external data lookups then it is actually going to be much more robust of a check. It’s more effective than you eyeballing a document that you’ve been given and you don’t know if it’s a forgery or not.

Often these software solutions have multiple anti-fraud steps built in, which is, of course, why you had to get the original documents in the first place to make sure it wasn’t a fraud!

The only caveat I’d give is that some firms are still concerned about the wording in the UK Finance mortgage lenders’ handbook for conveyancers (around seeing and taking a copy of a document), which tends to infer that you’ve actually handled the original and you’ve taken a copy of it.

Open Banking and User ID and Verification

It’s all about interpretation and managing risk when it comes to the UK Finance Handbook. We are hoping that UK Finance will amend their handbook to take into account this, because that wording has been there since I’ve been a solicitor (too long to remember!).

I do know that a request has gone into UK Finance for them to review those ID requirements, which are essentially anti-fraud measures and on the fraud subject, I think it was super interesting in the webinar when Tom talked about Armalytix using it to discharge a Dreamvar fraud (if you’re not a conveyancer or into vendor fraud, Dreamvar was a small property firm who unknowingly purchased a house from a fraudster who impersonated the true owner, leading to a £1.1 million loss and legal repercussions for involved solicitors).

In the Coffee Conversation webinar, Tom referred to the process where you have to make sure you’re sending the money to a bank account properly constituted in the name of the client for the last 12 months. I was so happy to hear that he and his team do this, because a lot of people are still focused solely on the Safe Harbour Id checks that look for the biometric check of the passport, which is an anti-fraud measure. If you’re in conveyancing you’ll get this but if you’re not, Safe Harbour is a set of really solid guidelines and standards that HM Land Registry put together, based on this UK Government Good Practice Guide, GPG 45.

Areas of law and fraud opportunities

I was thinking about Tom’s comments in our online event about which departments in a law firm or service area where lawyers would be looking at bank accounts in particular for their clients. Commercial litigation and embezzlement zoned into my thoughts.

When it comes to forensic accounting and examination of this example, we often see litigators or criminal lawyers double checking when their clients are accused of money laundering. Could you imagine a time when software could be used to defend people accused of money laundering?!

When it comes to software, which departments in your law firm waste time looking at bank statements, when they could be using software instead? Software would be more accurate (humans and numbers when you’re under pressure!), and time efficiency, making the whole process more cost effective for everyone.

I did say to Tom that I did think they might have some aspects to think about when it came to white collar fraud, especially private prosecutions, because lawyers would be pouring over financial data (including the bank statements!).

Open Banking Landscape for Lawyers in 2025

Where does open banking support lawyers?

I’m going to talk a little bit about the open banking landscape for lawyers in 2025, and Amy mentioned other use cases where open banking is supporting lawyers, rather than just something that powers and supports an AML type journey.

Open banking is the technology that empowers us in law firms. For that to happen, we have to be directly regulated by the FCA. In layman’s terms it means that we directly connect into 90% of UK current accounts through the big nine banks.

We’ve really focused over the last few years on raising the bar in terms of new innovations around open banking and source of funds.

AML is broadly our background. That’s what we’re most well known for. And lots of you will know that open banking can be really supportive in a source of funds check in terms of that middle piece of understanding, does that client have the money you need to see for that transaction and analysing the data that’s contained within.

Through open banking, you can get a set amount of data, whether that be 3, 6, 12 months or even longer on some higher risk matters. What open banking is able to do is analyse the data on cash, incoming transactions, and outgoing transactions.

We try to really focus on how we can do a better job at collecting as much as we can from the end client in that initial data grab. We’re one of the first providers to get access to Metro, and also for the Co-op which is now live, which is something we are proud of.

There are now 11.7 million active users of open banking enabled products in the UK that would cover use cases like ours, where we’re doing a one off to go get some information. If you think about how you might make a payment to an account number and sort code on your mobile (where you set someone up as a payee) open banking can speed up that, and there are businesses that have started to use that technology to really harmonise payments’ process.

When we looked at AML affordability investigation, or whatever you’re using open banking for, there are some key principles to get early client adoption from.

How to get law firm clients to come on board with open banking?

My first piece of advice would be to brace enough to TELL your clients, not ask them.

You’re the lawyer, you’re in control of the process, not your client. So, I’d say you have to be brave enough to tell your clients where vulnerabilities might come in.

If you have vulnerable clients or clients with no capacity then you require a Plan B.

I would say however, if you can get that message clear about you controlling the process and focusing on vulnerabilities, as well as understanding your client demographic, you should be looking to achieve an 80% to 90% success rate of sign-ups. I always say to law firms that if they can get their clients to understand the why, what’s the use case, why they have to do what you’re asking of them, when’s it going to happen, what it looks like, etc., they are more likely to understand the process and adopt the on boarding process of open banking with you.

New law firm client security questions

Security around finances and software are important to all of us.

For example, you might want to talk about security to your clients and how moving from manual to digital is safer. You might say that previously they would have emailed you their bank statements. It’s not particularly secure or safe for them or you as a firm. By giving your client an effective secure framework understanding, will mean they will be more likely to agree to open banking.

Law Firm Training for AML and Client Buy In

It’s no good adopting new technology into a firm if your staff don’t know how it works, and more importantly understand what the data is telling them.

When we work with firms who have centralised teams, we actually focus a bit more there on the “how things work” training angle, showing them what the user journey looks like, and what are some of the core messages around that?

If I was training a group of lawyers who would just purely be reviewing the reports, I would focus on reading the data and understanding what it is telling them.

Our feedback that we receive from leadership levels is about our articulated creation and of the consistency and process that we deliver. MLROs I speak to who will be at the top of the top of the chain for any queries, and will often say that when they get a report now, they’re broadly able to answer it much faster because it comes to them in a consistent format.

Come what may, I think it’s important to choose a provider that is FCA regulated, and who can handle any of the support queries generated. We focus all that on live chat.

What's next in the open banking world?

Many of you may have heard about “open finance” because the subject has been around for some while now. The term broadly represents an evolution of open banking beyond traditional banking to gather financial data.

The progression of open finance in the UK is linked closely to legislative development called the Data (Use and Access) Bill READ HERE) which is at the House of Lords stage and galloping towards Royal Assent at a fast pace (as at 1 April 2025).

This bill covers an awful lot of things around the ecosystem of financial data, and hopefully, what we in the professional services’ sector are hoping for here is that it creates structure and a framework as to what the future of open finance may look like.

Bear in mind, even when the bill becomes an act, changes won’t be immediate. Open finance is also a big cost for businesses to open up their API infrastructures without necessarily a reward, so although open finance is exciting in general for progress, just don’t expect anything too quickly.

We are also starting to see people grasp that open banking can be used for better verification of data. Many of our clients put their clients through an open banking journey with us, and therefore when it comes to 12 months of bank statement checks in a conveyancing matter for example, we can immediately report to our client as to whether their client’s bank account has actually been open for 12 months, as well as who the account owner is and what type of account it is.

What about those who can't or won't use open banking?

Good looks like 80% to 90% of those able to use open banking, but what about those people who fall out of that in all of the use cases?

We understand that not all clients can connect via open banking, and when they don’t, people are left dealing with a manual process which leads to delays in accuracies, more admin and less time for the good stuff. Earlier this year, we began embarking on our process of rolling out statement scanning, which is used as a combination of OCR and AI, but is generally used to support cases where open banking doesn’t work.

Family Law and Open Banking

Armalytix does a lot of work in the accountancy sector, especially working with insolvency practices. There’s a real clear use case here where in insolvency, the bank accounts may have been frozen, therefore they can’t be used through open banking. An insolvency practice will have those physical statements needed for some analysis, and the easiest way for them to do that is uploading them in the residential property world, you’re probably looking at things like gift donors, and vulnerable clients here.

Certainly, the technology is used more broadly in accounting than it is legal. But our main focus in the legal sector at present is in the family law space.

When asked about GDPR when requesting bank statements from the other side, it’s worth remembering that you, as the family lawyer, become the data controller, and as a data controller, you have a right to appoint a sub processor, and that agreement has to naturally cover that.

What jurisdictions are open banking processes in?

One of the questions I get frequently asked is open banking and jurisdictions other than the UK, and this is very appropriate as Amy is currently sat in the middle of Sydney, Australia!

As a provider, we currently only connect into UK bank accounts. There’s a number of reasons behind this, but if I start with Europe and post-Brexit, it has become more difficult for UK companies to obtain open banking licences, because of regulations and legal changes, such as having to have a presence in Europe etc. Unless you have a big European client base, the overall demand is pretty low (from our client base), so we never really pressed on with moving over jurisdictions.

If we start going a bit further afield, the jurisdictions that you might love us to give you some analysis on but probably never will be able to because they won’t open their doors to open banking are countries like China and Dubai, and I don’t anticipate them onboarding this process any time soon.

Outside the EU, two major jurisdictions that have opted for a regulatory-driven approach when it comes to open banking are Hong Kong and Australia. Australia’s open banking initiative, known as the Consumer Data Right (CDR), focuses on data sharing and consumer control.

I’m really keen to see how Australia handles the prescriptive side of Source of Funds (SOF) requirements. I’m sure Amy will keep us updated on the work she and AML Sorted are doing there. What’s fascinating about Australia, compared to the UK or Europe, is their banking landscape. It’s more consolidated, with their four major banks all mandated to implement these standards. Plus, even the smaller banks have followed suit, and they had some of the necessary infrastructure already in place. It’s quite different from the US, which is far more complex due to the sheer number of banks.

This link is totally independent to the work we do but it’s handy for a global look at which countries use open banking. https://www.openbankingmap.com/

What areas of law does open banking support?

Instead of tackling one problem at a time, firms are now using Open Banking to significantly reduce the time spent on bank statement analysis across multiple departments. By focusing on individual areas, they can achieve quicker and more impactful results.

What we are seeing more of are firms who offer:

Family and Divorce law
Conveyancing
Probate and Estate Administration
Commercial Litigation
Insolvency and Bankruptcy
Criminal Law (Financial Crime)

You can watch the full recording HERE.

Armalytix is an FCA regulated entity that works with Lawyers and Accountants to help them understand their clients’ finances.

Catch Up! You can watch all of Teal Compliance’s previous legal webinars here.

CLICK HERE TO WATCH

This link is totally independent to the work we do but it’s handy for a global look at which countries use open banking. https://www.openbankingmap.com/

Need Support or Advice?

If you would like to get hold of Tom, please email him directly: tom@armalytix.com, and if you have any questions of me or my associates, just drop me a line. My door is always open!

GET IN TOUCH HERE.

You're not alone, Teal Compliance is your partner in compliance and risk management support.

Start with your legal compliance audit
Anti-money laundering | Data Protection | Regulatory Compliance

Click Here

Open Banking Landscape for Law Firms in 2025 Read More »

What is an AML false positive for law firm compliance

What is a false positive when it comes to AML Compliance?

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance, Risk Management / Mark

You know those ‘false positives’ we get in our AML checks? They’re a real pain, right? They basically grind things to a halt, and suddenly everyone’s chasing down leads that go nowhere. It’s not just annoying, it’s a huge drain on time and resources that should be spent on, you know, real compliance.

Plus, here’s the annoying bit, all that noise from the false alarms. It actually makes it harder to spot the actual dodgy stuff. We’re so busy dealing with the fake alerts, we might miss the genuine threats. And that’s the last thing we need, isn’t it? #stopthebaddies

This can happen for various reasons, and we’ll detail some below so you can keep your ears to the ground:

FACT: Regulators can ask to see your risk assessment if there is compliance failure at your practice.

Common and Generic Names

Clients with common names might be mistakenly flagged if their name matches someone on a sanctions list or a Politically Exposed Person (PEP) list.

The data from the Office of National Statistics of 2023 shows that Muhammad was the most popular boys’ name in four out of nine regions in England and 63rd most popular in Wales (followed by Noah and Oliver).

Now, in 2023 there were 4,661 Muhammads born across England and Wales; Mohammed came in 28th with 1,601, and Mohammad came 68th with 835. You can see how easily a misspelling could occur.

You’re a firm in rural Wales, and you have a potential new corporate client dialling in from abroad whose name is Owen Jones. A very lovely Welsh name that’s also extremely common.

While sanction checks are a mandatory compliance measure, they are susceptible to inaccuracies during the screening process. These inaccuracies can manifest as both false positives and false negatives, which ultimately undermine the efficacy of both sanction and PEP checks.

Several factors contribute to these inaccuracies. Outdated sanction lists, name variations – for instance the names above, ‘Muhammed Ahmed’ being recorded as ‘Mohammed Ahmad’, or “Owen Jones” being recorded as “Ewan Jones” could lead to inaccurate matches or failures to correctly identify an individual.

The really scary part? If these checks aren’t spot-on, someone who’s actually sanctioned could slip through the cracks. And that puts us, and you, at serious risk of getting tangled up in some seriously dodgy financial activities. Trust me, it’s not worth the gamble.

Outdated Data

Using old or incomplete data is a big issue for causing false positives. Here are some examples that law firms really have to think about and communicate consistently because of:

Say you have an outdated sanctions list and then run a client check against it? The client might have actually been on that naughty list previously, but no longer is. Can you imagine the sensitive conversations with your client around this as well as the delays?

I’d ask you questions to protect against this scenario including where your data is stored and is it in real-time?

FACT: The MLR 2017 imposes a five-year limit on keeping clients’ personal data contained in CDD documents…unless you need to retain the CDD documents and records about the transaction under an enactment or for legal proceedings.

In the above example I’d say there is a need for advanced technology. If you can invest in sophisticated tech matching algorithms and data verification tools it will give your AML processes a boost.

Sticking with the data causes, simple but catastrophic for management, could be typos, formatting errors, and inconsistencies that may well be human error led. Are your staff literate, savvy and excellent at proofing before the data is saved?

Address Discrepancies

This comes up with residual balances a lot – the address of the client and any discrepancies you hold. However in this instance, old address data can trigger a false positive too. Say a client has moved house, but the previous addresses you hold for them could now actually be linked to a high-risk individual. I talk more about human error further down in this blog.

Another embarrassing conversation with your client and an unnecessary investigation.

Do you rely on outdated client databases? Are your CRM within your CMS up to date?

Irrelevant Data from Public Records

You know, when we’re running these AML checks, especially with public records, we’ve got to be super careful. Those databases can be a real minefield of old and useless info. Imagine, we get a hit because someone was linked to a company that doesn’t even exist anymore. Boom, false positive. We’re chasing our tails for hours over something completely irrelevant.

And trust me, there are plenty of firms that have learned this the hard way, it’s a balancing act between competent compliance and common sense. Say a law firm has relied on public records without really checking if the data’s current or even relevant to the client? It’s a classic case of ‘garbage in, garbage out,’ and it just ends up wasting everyone’s time and resources.

PEP (Politically Exposed Person) Matches

I’ve alluded to PEP matches above, but think about it, you get a new client, and their name pops up as a potential PEP. But here’s the thing, it’s just a common name, and they’re completely unrelated to any politically exposed person. The problem? Your system is pulling up outdated data. Maybe years ago, someone with the same name held a public position and you’ve flagged that. However, in this regard, that’s ancient history now and yet your system has still triggered a false positive.

And that’s the real danger. If you’re relying on old, stale data for PEP checks, you’re basically setting yourself up for a ton of these false alarms. It’s not just a time-waster; it’s a real compliance risk. You’ve got to have current, accurate information to avoid getting bogged down in these pointless investigations.

Last but not least, it’s good old human error.

Human Error

It’s not just dodgy data that causes those annoying false positives in AML checks. We’ve got to remember, humans are involved too, and we’re not perfect. We all know that time is often not our friend working in a law firm. Say a legal cashier is under pressure and has typed in ‘£1,000,000’ instead of ‘£100,000’, or they misread a transaction description and suddenly, you’re chasing a phantom money launderer. It’s easy enough to do when you’re dealing with tons of documents and tight deadlines, especially in conveyancing.

And it’s not just typos. I’ve seen cases where someone ignores the context – like a big cash deposit that’s actually from a legitimate sale – or they’re using old data because they’re in a hurry. It’s a real reminder that even with all the fancy systems, human error can still throw a massive spanner in the works.

FACT: Ongoing monitoring involves scrutinising transactions to ensure they are consistent with known client information

Strategies to reduce false positives

False positives can create significant challenges for any law firm, including wasted time and resources, delays for legitimate clients, and potential bottlenecks in compliance processes…..

To me, it’s about managing your compliance and risk management processes efficiently because it’s crucial to strike a balance between minimising false positives and avoiding false negatives (where genuine suspicious activities go undetected). The cost to a business for both small firms and larger firms if their systems flag up wrong information can be devastating. AML is complex, I know, but being on guard for any vulnerability your firm has is key and although “when in doubt might” come to mind, it’s really about working correctly to mitigate any inaccurate red flags too. No-one wants a false positive error that impacts your legal practice which is why I can’t emphasise enough how important training is and also having a team like Teal being there to support you and your colleagues (and clients of course).

FACT: Training for employees must ensure understanding of firm policies and AML compliance procedures under Regulation 24.

The good thing is that there are a wealth of strategies you can use to reduce false positives.

To begin, it is imperative to address data quality. Implementing robust data hygiene practices is super important; this entails ensuring your client data is accurate and subject to regular updates. That’s the important bit, you have to consistently check on updates. My advice would be to provide comprehensive training to all your staff regarding the correct capture of information during the onboarding phase. This training can seriously mitigate the risk of future data mismatches.

Secondly, I’d strongly recommend enhancing Know Your Customer (KYC) and due diligence procedures beyond the minimum requirements. Employing independent verification tools to cross-reference data and address any potential gaps will definitely reduce potential false positive results.

Finally, the centralisation of data across your firm is critical. The establishment of a centralised data management system for compliance purposes will help with all departments.

In conclusion, what is the impact of a false negative in our AML controls?

Look, we all know false positives are a pain, but we can’t just throw our hands up and accept them. We need to get smarter about how we track and manage them. First off, I’d say look at your false positive ratio – what percentage of those alerts are actually worth your time? You should be aiming to see that number go down, consistently.

Then, there’s the alert handling time. How long are you spending on each case? If it’s taking forever, you definitely need to think about streamlining your workflows to cut out the unnecessary steps.

You know I’m an advocate for effectively leveraging tech? Let’s be real in this scenario, we all need to look at our own resource allocation when it comes to compliance and risk management. By this I mean, are you throwing bodies at this problem, or could you be using tech to automate some of the grunt work?

LawCare data shows that staff are already anxious and stressed at work, so if they are already swamped, plus busy dealing with fake alerts, they then can’t focus on actual risks or, you know, doing their actual jobs and bringing in fees. False positives are a pain in resources.

You know the SRA isn’t getting any easier on you as a law firm, which means you can’t afford to be wasting time and money on false alarms. I’d recommend building a solid strategy – a mix of good tech, smart processes, exceptional consistent training, and human judgement. It’s about getting your AML accuracy up without sacrificing safety.

And our clients? They’re the ones who suffer the most. Imagine being delayed or questioned for no reason – that’s going to damage relationships, right?

From my perspective, all these false alerts mean you could miss crucial reporting deadlines or just get so bogged down with checks that you can’t make quick decisions. My biggest concern for you would be that with all this noise, you might actually miss the real money laundering risks staring you right in the face.

Amy

What is a false positive when it comes to AML Compliance? Read More »

online safety act and implications for law firms. Picture of courtesy of Tudum and is of Adolesence from Netflix.

Online Safety Act implications for Law Firm Compliance

Blogs, Data Protection, Legal Compliance, Regulatory Compliance, Risk Management / Mark

Let’s talk about the Online Safety Act (the Act) – it’s a big deal for everyone operating in the UK’s digital space, and that includes law firms. Think of it as a landmark piece of legislation designed to create a safer online environment.

Netflix’s Adolescence starkly portrays the vulnerability of young people to online manipulation and the erosion of their sense of self through excessive social media engagement, highlighting the very issues the Online Safety Act aims to address. The story is based around the family of a 13 year old boy and the fall out of a crime against a classmate that he commits. It’s just made viewing history with the stats of views still climbing.

Ofcom’s “Enforcing the Online Safety Act” can be read HERE. The ICO has some guidance on this topic around online safety and GDPR too, which you can read HERE (10 step guide to sharing information to safeguard children), and another piece of guidance HERE (Children’s Code Strategy).

Our blog here will go over the UK’s Online Safety Act and its implications for law firms. The Act places responsibility on businesses, including law firms, to protect users from harmful and illegal content, especially children.

Did you know that the Act lists over 130 ‘priority offences’, and tech firms “must assess and mitigate the risk of these occurring on their platforms”?

The priority offences can be split into 17 categories including fraud and financial offices, together with proceeds of crime.

Essentially, the Act puts the onus on businesses, and that includes the business of running a law firm, to protect users from harmful and illegal content, with a particularly strong emphasis on safeguarding children.

Of course the Act is inherently targeted at larger tech platforms.

Platforms must now act quickly to come into compliance with their legal duties, and our codes are designed to help them do that. But, make no mistake, any provider who fails to introduce the necessary protections can expect to face the full force of our enforcement action.

Suzanne Cater, Enforcement Director at Ofcom

The Act introduces a whole raft of legal requirements, especially for those services that allow users to interact or offer search functions. We’ll go into that in more detail later in the blog.

As you will no doubt be aware, the Act received Royal Assent back in October 2023, and various provisions are already in effect. So, this isn’t something on the horizon; it’s happening now. For us in the legal profession, we know non-compliance can lead to hefty fines. So, it’s absolutely crucial that you, as a law firm, understand the Act inside and out, and get to grips with your specific responsibilities under the new law.

You’ll know that this Act is primarily to protect children online, but there has been a new Category 1 that’s been added since 2023, to protect adults too (self harm and suicide).

The definition of ‘appropriate measures’ for removing illegal content will really depend on the online service in question – what’s right for a social media platform with millions of users, won’t be the same for a small community forum.

Ali Hall, Online Safety Supervision Principal at Ofcom speaking to publisher Startups

We’d say to all readers of this article that their websites and social media platforms might need a look at, which we’ll highlight further down.

In the meantime, we suggest you look at your law firm for data protection, privacy, and risk management in any event. When was the last time you did this? Further to SRA’s ever evolving fining powers, and latest highlights such as this from Legal Futures “Director and law firm fined £50,000 for multiple compliance failures” it’s more important than ever to protect your clients and your reputation.

Data Protection and Privacy

The Act interacts with existing data protection laws, such as the UK GDPR. Law firms, which handle sensitive client data, must ensure their online practices comply with both sets of regulations.

What does this mean for you? Time now to review and update privacy policies to reflect the Act’s requirements.

It’s also time to implement robust security measures to protect client data online, if you haven’t already.

The Act introduces new risks related to online content and conduct. This means that as a law firm, you’ll need to assess these risks and implement appropriate mitigation strategies.

What might this look like for your firm? Depending on your readership and clientele, you may need to develop policies and procedures for handling online safety issues.

Again, depending on the size of your practice, you might have to provide training to staff on online safety best practices. We think this is a good idea in any event, so that you and your colleagues are aware of the Act in private lives too.

It’s recommended that there is ongoing monitoring of online activity for any potential risks.

It’s worth noting that Ofcom, the regulator in this regard, isn’t suggesting small businesses will be negatively affected, but essentially its regulatory requirements create a broader online safety environment that law firms must be aware of. While you’re not directly regulated by Ofcom, you must still ensure your online activities align with the Act’s goals and principles.

Law firms that offer employment law, contract law, regulatory compliance and criminal law will want to proactively guide and advise their clients with updates.

Our Data Protection Compliance service is designed to make sure law firms can clearly identify the risk to the data they process and put in policies, procedures, and controls to protect it. You can build on the Act to this work thereafter.

Talking of the Act, law firms could do a risk assessment that implements any changes you think your firm need to look into:

Identifying Potential Risks: review the types of content hosted or shared on your website and social media (e.g., user-generated content, comments, videos).
Analyse the likelihood of illegal or harmful content being present or shared on the platform.
Assess existing content moderation practices and their effectiveness.
Review policies for user reporting and complaint handling.
Evaluate any automated tools used for detecting and removing harmful content.
Analyse Potential Gaps: identify areas where current measures may fall short, such as detecting newer forms of harmful content. Consider emerging risks as the online landscape evolves.
Compliance with Ofcom Guidance: ensure that your policies align with Ofcom’s codes of practice and that necessary reporting mechanisms are in place. Verify that terms and conditions are user-friendly and transparent.
Action Plan: develop a strategy to address gaps, such as improving moderation systems, updating user guidelines, or enhancing staff training.
Set measurable goals to regularly review and update the risk assessment.
Regular Review Process: create a process for periodic reassessment of risks, particularly after platform updates or regulatory changes.

Teal Compliance Risk Assessment is the perfect starting block for dovetailing to your firm’s requirements under the Act.

Websites and Social Media Platforms

We live and work in a digital age and your law firm’s website and social media could possibly need tweaking or monitoring.

Does your law firm’s website have interactive features like blog comment sections, forums, or user-generated content, they may need policies written for content moderation? The processes would incorporate removing illegal content (e.g., hate speech). Of course law firm websites won’t be the click of choice for children, but if there is a potential for moderate harmful content on the site, you need to think carefully. Also, do have clear terms of use that outline acceptable and unacceptable content.

It’s worth taking the time to conduct your firm’s risk assessment for AML compliance at this time too.

Our website audit service provides a full and comprehensive review of your website, making sure it adheres to the SRA Regulations, so you could take advantage of aligning your website’s policies for these regulations as well as Ofcom’s.

We all need to look at our own social media channels to monitor any engagement for potentially harmful or illegal content. By this we mean you should:

monitor comments and interactions on any of your posts (and check with the scheduling tool provider of their policies if you use one); and
have processes in place to remove or report inappropriate content;
Add to your terms of use or social media policies an outline about acceptable behaviour on your digital channels. This will back you up as a business and potentially protect you as you’ll be able to manage expectations and provide a basis for removing inappropriate content.

Teal Compliance Recommendations

Reviewing Online Policies: Law firms should review their online policies and procedures to ensure they align with the Act’s requirements.

Staff Training: Providing staff with training on online safety best practices is essential.

Monitoring Online Activity: Law firms should monitor their online activity for potential risks and take appropriate action.

Staying Informed: Staying up-to-date on the Act’s implementation and Ofcom’s guidance is crucial.

In essence, the Online Safety Act reinforces the need for law firms to take their online responsibilities seriously. They must ensure their online activities are conducted in a safe and responsible manner, and that they comply with the evolving regulatory landscape.

As pillars of our society, the legal profession simply has to adhere and align to regulations and rules to uphold the sanctity of our reputation.

Thanks for reading and do get in touch with us if we can support your form with its AML compliance and risk management undertakings.

Team Teal

Online Safety Act implications for Law Firm Compliance Read More »

Law Society Risk and Compliance Conference 2022 Teal Compliance Key Takeaways

Risk and Compliance March 2025 Key Takeaways

Anti-Money Laundering, Blogs, Compliance Training, Legal Compliance, Regulatory Compliance, Risk Management / Mark

Eilish Cullen, Teal Compliance’s Head of the Partnerships and our Data Protection Subject Matter Expert attended the Law Society Risk and Compliance Conference on 12 March 2025, here are her takeaways.

As ever, the sector is shifting big time, and we all need to be ready for it – whether managing complex and evolving regulations, ensuring data security, adapting to the rise of AI, and navigating economic pressures, all while building a positive culture and driving new business.

So this is something we all need to keep a close eye on, especially for COLPs and MLROs as the challenges we in AML and risk management are facing is going to dramatically ramp up with more and more complexities to navigate.

Here are Amy Bell’s Handy Hints for those new to the role of COLP & MLRO – READ HERE

The agenda for the rest of the day looked like this, and each delegate was offered 2 out of the 4 workshops:

TED talk: Is the legal profession fit for the 21st century?
SRA: Regulatory priorities in a changing legal landscape
Plenary 1: AI on trial This session delves into the risks and opportunities of AI in legal practice.
Workshop A1: Cybersecurity for small and medium-sized firms (run under Chatham House Rule)
Workshop A2: Social conflict and reputational risk
Plenary 2: Economic crime concerns
Workshop B1: Handling client money Post Axiom Ince the SRA proposes
Workshop B2: Risk management 101 Essential risk management strategies and best practices for process mapping and policy development.
Plenary 3: Code of conduct and culture What is your role as a compliance officer in shaping conduct and culture?
Reputational risk in law: Defending your reputation Join Jacqueline McKenzie, human rights and immigration lawyer, for an insightful keynote on managing reputational risk.

Eilish’s Key Takeaways:

Is the Legal Profession Fit For the 21st Century?

Kirin Kalsi, General Counsel, Compliance Officer and Data Protection Officer at E.ON UK, gave us a Ted Talk on the subject.

With the focus on law firms and their lawyers being focused on the billable hour and money, the potential for risk is high, to the client, to the reputation of the law firm, and of course to the law firm employees.

Kirin went on to talk about how the training of juniors/trainees hasn’t really changed in 20 years. The same methods are being used, but how do we come together as a legal sector to change that approach for training our new generation.

From training new generations coming into the profession and how the culture of the sector as a whole, as well as firmwide, is key to long term growth. New entrants to the profession say work/life balance is really important, their outlook on what’s important is different and Kirin said that potentially the profession is still way behind on this.

As attendees, we were asked is it within our power to change this? A conversation that I am taking back to the team at Teal and asking ourselves how we can support change.

As the Post Office Scandal, ‘Biggest Miscarriage of Justice’, is still very much in our front of minds, seeing Lee Castleton speak at various events, and knowing that 900 Post Masters were prosecuted, Kirin asked what can we learn from it in our risk and compliance efforts, both as consumers of law and of practitioners.

On a side note away from Kirin’s talk, the SRA confirmed it has more than 20 live investigations into solicitors and law firms who were working on behalf of the Post Office/Royal Mail Group. In a statement it says “We will take action where we find evidence that solicitors have fallen short of the standards the public expects”.

If you haven’t already read this, I urge you to: Post Office Horizon Inquiry – human stories

The need to ‘speak up’ and remind ourselves of our professional obligations. Attendees were asked if we have carried out our own firm’s internal training/briefings when it came to ensuring there will never be another Post Office Scandal (in terms of aggressive litigation, dehumanisation, bullying).

If you haven’t, then it’s time to have the conversation as to why we and/or our bosses feel it’s irrelevant?

It didn’t take long for the talk to turn to the use of AI and technology. As a profession we need to be forward thinking and proactive, especially when it increases efficiency and time. For example, our Teal Tracker, is built for efficiency and risk management. It’s accessible and easy to use. Amy Bell wrote this software and had it built specifically for the holes that appear in a firm’s AML compliance, data protection and regulatory processes.

TEAL TRACKER – you can read more about our software by clicking on the link HERE.

The takeaways on the subject of AI from Kirin’s Ted Talk for me were that in 2025, lawyers and colleagues in firms are more efficient and self-sufficient, arguably due to the software firms currently have in place.

As with technology and change, with AI there is an element of firms being both delighted at what AI can assist with in tandem with fear that it will replace their jobs.

There is still a concern regarding the reliability of AI (still in experimental phase) but the stark reality is that it is improving every day. We can’t afford to be dinosaurs.

When it comes to law firm risk and compliance, human risk has always been present (ask any insurer!), and therefore accuracy and reliability has always been a concern even without the use of AI.

All of us in the legal sector need to consider human risk -v- risk of AI getting it wrong.

Concern regarding whether a firm’s insurance covers the risk surrounding using AI – a reminder to firms to have that open conversation with their PII provider.

Regulatory Priorities in a Changing Legal Landscape (Aileen Armstrong, SRA) “We are Looking Forward”

Aileen Armstrong, Executive Director, Strategy Innovation and External Affairs at the SRA, focused on their priorities when it came to client money, high volume claims, and governance & regulation of AI.

Client Money Consultation

The SRA received hundreds of written responses from the legal profession on this as well as insights and opinions from their round table and focus groups.

In terms of alternatives to firms holding client money, some firms did agree that third party managed accounts (TPMAs) may present less risk.

However, firms had concerns that using TPMAs could increase the risk of cyber crime due to the amount of funds in them. Costs of their use and visibility were also a key concern in this respect. Other firms thought that changes to the current regulations surrounding accountant reports should be strengthened, perhaps in favour of annual declarations.

The SRA knows that any change won’t happen immediately and no decisions have been made at present. An executive speaker for the SRA stated that it may be a case that a tech solution may be the answer, something which may not even be in existence yet.

It’s a case of watching this space.

Handling Client Money - Residual Balances

We talked to Karen Edwards, Head of Professional Development at the ILFM, who found the conversation on residual balances intriguing.

Jayne Willetts, solicitor advocate, said that there is likely to be tightening up by the SRA on the issue of residual balances in the form of warning notices or additional guidance notes, but in her view she didn’t think the SRA will amend the Accounts Rules.

If you need Residual Balance Training – look no further – CLICK HERE.

High Volume Consumer Claims

The SRA currently has 60 live cases regarding law firms on this issue. They have published

guidance to consumers on this point, which you can READ HERE.

The SRA realise that these types of funding (no win no fee as an example) are a vital access to justice for so many, especially when other funding methods are not available.

The flip side is that there simply has to be better consumer protection overall. There have been significant problems and failings in this area, namely unstable funding models, lack of supervision, how ‘no win no fee’ models are sold/marketed to clients, as well as cold-calling and failings surrounding ATE/keeping clients up to date.

The SRA however does recognise that there are many claims’ firms doing a grand job, but the continued risks to consumers must be monitored and controlled.

Governance & Regulation of AI

The SRA recognises the importance of innovation in general.

In many ways we are still at the bottom of the hill however in terms of our understanding of this fast evolving landscape. In terms of what the SRA is doing in this area, it was said that it is producing guidance to help, whilst working with tech providers. The SRA is conscious that different firms/departments will have different AI needs.

The regulator says it has also been working with the Law Society on legal tools and the need for regulation surrounding this.

Question to SRA: What can the SRA do to win hearts and minds?

Answer: They recognise that the regulator must play its part and it recognises the need to engage with the sector… “talking and hearing”. This is why they wanted to do the Client Money Consultation differently rather than just set out proposals. They wanted to look at all of the evidence.

Question to SRA: Supervision. Is the SRA just concerned about supervision on high volume claims or in general?

Answer: Obligation to supervise must happen across the board.

On a side point, I read a post from John Hyde, Reporter at the Law Society Gazette.

He reported that the SRA insisted, on his questioning, that no decisions had been made on the future of the client account. He went on with his opinion post saying when asked how much money is held in law firm client accounts, the response was that the SRA didn’t know off the top of their head right now.

Hyde said that given that it was fundamental to the whole topic of client accounts, he might have imagined that the figure would be a key one. He concluded his short LinkedIn post saying,

“The SRA is acting without truly understanding the profession or acquiring sufficient evidence”.

Plenary 1: AI On Trial: Felix Zimmerman from Simmons & Simons (and others)

Felix specialises in negligence claims in firms, specifically surrounding AI use.

Conveyancing & Artificial Intelligence

The data came first in this talk.

There were 1.2 million property transactions in the UK last year and an increase is anticipated.

There is a drop in conveyancers so this means less people doing more work. The conveyancing industry has a reputation for doing things slowly. However, exciting for this area of property transactional law is development with the use of AI Agents to assist (multi models) which can control the mouse and key board, log into peoples inboxes, draft emails and then put them in their draft inbox ready for the staff member to check and send out.

This is designed to improve efficiency, Teal Compliance will be keeping its ear and eyes open with regard to risk in this regard.

Litigation & AI

There is now the ability to look at pleadings and review the prospects of success, thus reducing fee earners time on this.

Compliance & AI

There is a plethora of data online Felix said, and reviewing all of this can take time. AML compliance, risk management etc, can cause frustration for everyone, with fee earners and lawyers who just want to get on with their own client work, as well as partner feedback explaining they are worried about their firm’s bottom line, time constraints, fees and the possible impact on client relations due to delays.

All of these stresses around compliance can significantly impact job satisfaction.

Replacing Staff?

The average demographic of junior lawyers is 30 years and up now. There are concerns that they might be replaced by AI.

Ultimately, AI is being built to empower and assist with the “heavy lifting” in a law firm. It’s important for the legal sector as a whole to understand that AI should not be delegated tasks which are not appropriate for it, and that will negatively impact their clients and the firm’s reputation whilst keeping the insurer satisfied.

The reality is that the next set of laptops being bought will have AI chips built into them, it’s a language model training tool.

It was suggested that if we are having to double check the work of AI assistance, is it worth it in the first place?

Arguably yes, as it will still cut down a lot of time.

Question: Could firms face negligence claims for their failure to use AI?

Answer: Felix says yes potentially- for example in commercial litigation. ‘Relatively’ software is commonly used in these departments to review disclosure and can provide much better selection than any team of paralegals would.

Question: Environmental Consequences -v- Commitment to Net Zero.

Answer: Yes, recognise that there is a big environmental impact regarding use of AI e.g. use of water coolers for hard drives.

Question: What Training Should Firms Put in Place for AI Safety?

Answer: An overview of solutions, limitations etc.

Economic Crime Concerns.

The panel consisted of Colette Best (Kingsley Napley), Anita Clifford (Red Lion Chambers) Andy Donovan (Vinci Works), Harriet Holmes (Thirdfort) and Nicola Kirby (Latham and Watkins).

The Dentons case was one of the first topics discussed. Let’s face it, it wasn’t a great result for the legal profession. HOWEVER, the saving grace is that it highlighted only serious breaches will result in the SDT getting involved.

The headline from the Law Society Gazette (article dated 11 March 2025) is:

“SRA overturns Dentons acquittal in AML case”

You can read the article written by Bianca Castro HERE. The judgment from the High Court, said the ‘only evaluation’ required by the SDT ‘was whether or not the firm had complied with regulation 14 of the MLRs 2007’.

Source of Funds (SOF) and Source of Wealth (SOW):

There are no anticipated changes to the legislation for source of funds / source of wealth.

The legislation states get it from the source “where necessary” so we are left to look at the LSAG Guidance.

SOW is needed where a client is a PEP or in high risk jurisdiction. The difficulty with SOF/SOW is that a lot of it is a judgement call, making it a tricky area. Similarly, the legal profession is using terms interchangeably, which isn’t helpful.

Generally speaking, getting six months of documentation, as a starting point, but with the possibility of having to go back several years for higher risk areas. Teal and the team will update any changes and of course we always have updates and webinars on this subject.

The panel said that documenting decision making is important with decision making, information considered and action taken as a result.

Law Society’s 2025 focus on Risk and Compliance

The Law Society outlined their Formal Response to the SRA Consultation on Client Money with the following points:

Government considerations were discussed including the question, should we dispose of Enhanced Due Diligence (EDD) for high risk jurisdictions i.e. make it more risk based? Should we have lower risk factors?

The SRA has said that sanctions need to be in FWRA, either within the AML one or a separate one.

Trade sanctions should also be considered, especially if firms are at risk.

The SRA is carrying out sanction visits on law firms it regulates. This is mostly following on from its earlier sanctions questionnaires. It’s usually a 1 day visit, with policies and interviews taking place. Do check with the SRA on this point if you have any concerns.

Accountants’ Reports – there was talk about asking firms to submit these every 3 years (at present law firms need to obtain an accountant’s report within six months of the end of each accounting period if they hold or receive client money; and this report should only be submitted to the SRA if it is qualified, meaning it identifies issues with compliance regarding client fund).

Enforcements – we should expect SRA enforcements to continue and don’t think the ‘change of guard (Paul Philip leaving) will change this!

SRA Thematic Review on AML Training October 2024 Findings:

There is a distinct and direct link between the quality of AML training and findings on files. Firms and the legal sector as a whole must move beyond “Tick-Box” training, something that Teal Compliance has been passionately focused on for a long time now.

The SRA is concerned that some firms treat AML training as a mere formality, rather than a crucial tool for preventing financial crime. The regulator stresses the need for training to be relevant, engaging, and tailored to the specific risks faced by each firm.

TEAL COMPLIANCE TRAINING – find out more of how our tailored, relevant and engaging training can support your law firm policies and procedures.

As mentioned a few times throughout the day, ‘Off the shelf’ training probably isn’t going to cut it. The SRA wants to see that the training is tailored to real life scenarios. AML training should be at the very least carried out annually.

It was said that there needs to be systems in place for when someone misses AML training, including seniors management and partners.

In terms of specific training, there was a recommendation for training that is interactive such as ‘have a look at this” examples and “ who do you think is the beneficial owner?”’ i.e. pin the tail on the beneficial owner type of situation. Great to know that Teal Compliance is doing this and more in all our training sessions.

Someone came out with this statement, which I loved: “If it has a heart beat, train it’.

It was concluded that treating templates as a final solution is wholly inadequate. Use them as a base, yes, and then meticulously adapt them to your firm’s specific requirements. This is one of the themes we see at Teal Compliance, a firm’s assumption that a template is enough. It’s not.

Have a look at our Policy Review and Writing HERE.

Regarding ongoing monitoring, Harriet Holmes said there was a necessity to document ongoing monitoring, even if there have been no changes to client or matter risk, and to make sure everyone understood the tools and technology they are using. She pointed out that if you get alerts, look at them in a timely fashion and solve any issues as otherwise it leaves you and your firm exposed.

Have you downloaded your TEAL TRACKER?

Code of Conduct and Culture in Law Firms

This session had panel speakers, Paul Bennett (Partner at Bennett Briegal LLP), Clare Hughes-Williams (Partner at DAC Beachcroft), Pearl Mosses (Head of Regulatory Compliance at Setfords Law Ltd), and Elizabeth Rimmer (CEO at LawCare).

Between the above speakers, it was agreed that firms need to have strong HR support and buy in to the employees, not just their employers

Great leadership means leading by example, ensuring your team has trust in you, whilst having a transparent organisation that has the ability for staff to call out poor behaviour. HR and supportive teams must communicate throughout the firm what your culture is and embed it firmly. This should never be just a website policy saying how great you are with your culture and DEI, you have to show it through actions.

The following were suggested to manage risk as well as look after your staff and colleagues:

Anti-Bullying and Harassment training.
Performance reviews should be part of your culture.
Survey staff to find out what is the drive and motivations within your culture.

Elizabeth Rimmer, CEO of Lawcare, reminded us that the charity was there for everyone in the legal sector. It’s a place of confidentiality and no judgement.

Lawcare has been in place since 1997 and 2024 was their busiest year apart from 2020 (lock down).

The charity findings say that a review of your hierarchy behaviours could flag up some vital change requirements as they are seeing a culture in many firms on the premise that “it’s how things are done round here” which isn’t sustainable for retaining great staff or business growth.

With the topic of psychological safety at work, questions that you might ask yourself are:

Do you and your colleagues feel valued?
Is constructive criticism in place?
Is there a fear of raising mistakes (i.e., if I own up to a mistake, might I lose my job or be judged?)
How do we learn from this as a culture (when mistakes happen – because they will happen!)?
Is there a subtle blame culture?
What are our inherent risks that might hinder our staff’s mental health?
Is there a lack of supervision when it comes to bullying and harassment?

Overall, this was a really great session to bring the day to a close. ·

Eilish Cullen’s Conclusion of Risk & Compliance Conference Talks

For me, I found the conversations and topics around the evolving risk and compliance landscape to be as follows:

There is an increasing complexity of risk and compliance for law firms, not only traditional AML and regulatory risks, but also reputational risks, which are now receiving greater scrutiny.

The role of risk and compliance professionals is evolving to encompass a wider range of responsibilities.

When it came to culture and legal ethics it was very evident that the SRA is placing greater emphasis on firm culture and well-being. We know from speaking with our friends in insurance that this is a big factor for protecting firms against risks because having a strong moral and ethical culture is seen as essential for reducing errors and improving client outcomes.

Discussions also focused on the need to balance regulatory priorities with lawyers’ ability to advocate for their clients.

The conference underscored the insufficiency of generic compliance templates. Law firms must recognise this and develop tailored AML strategies to meet the demands of the current regulatory environment.

If you’d like to chat with me directly or find out how my colleagues can support you, please

do get in touch with me: eilish@tealcompliance.com or you can get hold of any of us HERE.

Risk and Compliance March 2025 Key Takeaways Read More »

Teal Compliance debate the topic of law firm client accounts and the use of TPMAs

The Future of Client Accounts: Should Law Firms Move to Third-Party Managed Accounts?

Anti-Money Laundering, Blogs, Data Protection, Legal Compliance, Regulatory Compliance, Risk Management / Mark

The management of client accounts has come under increased scrutiny in recent years, with the Solicitors Regulation Authority (SRA) questioning whether law firms should continue to handle these accounts themselves.

One alternative that has been proposed is the use of third-party managed accounts (TPMAs). But is this the right move for law firms? I know this is a contentious topic, but it’s well worth exploring the potential benefits if we’re forced into change, as well as the challenges of relying on TPMAs.

Legal Futures’ article dated 25 February 2025, with an alarming headline here:

“Time to act” on scrapping client accounts, consumer panel says

It includes statements from the Legal Services Consumer Panel regarding law firms holding client monies on account and commenting on the SRA’s Consultation, Mr Hayhoe, Panel Chair of the Legal Services Consumer Panel (LSCP), said “the consultation on the model of solicitors holding client money “disproportionately” focused on residual balances and interest, rather than the “central issue” of misappropriation.”

The Case for Third-Party Managed Accounts

If you’re not sure exactly what third-party managed accounts (TPMAs) are then here’s a quick definition:

TPMAs are accounts managed by third-party providers that are regulated by the Financial Conduct Authority (FCA). These providers* offer a range of services, including secure handling of client funds, compliance with anti-money laundering (AML) regulations, and protection against cyber threats.

One of the key benefits of using a TPMA is that it should reduce your firm’s risk associated with client accounts, since you’re not holding any money.

Since TPMAs are managed by specialists with advanced security measures, they could be better equipped to prevent fraud and cyber attacks because that’s vital for them in their service to you.

For instance, a TPMA provider might invest more heavily in cybersecurity than a typical law firm, hence the deterrent for baddies.

Additionally, TPMAs could alleviate some of the administrative burdens and headaches that come with managing client accounts.

Law firms could focus on their core legal work while the TPMA provider would handle the complexities of management the funds, including compliance with regulatory requirements.

TPMAs offer some potential advantages for law firms, but they’re certainly not a silver bullet. I’d suggest that as a firm (especially in property law and corporate) you need to carefully consider your needs as well as your circumstances before deciding whether to switch to a TPMA.

*there aren’t that many providers

The result of the SRA’s consultation should provide further clarity and I will be sending out updates as and when.

Pros of TPMAs for Law Firms

Reduced Risk: Less chance of law firms breaching the SRA Accounts Rules, and as TPMAs are regulated by the FCA (Financial Conduct Authority), law firms will have less direct responsibility for compliance with the SRA Accounts Rules. This can reduce the risk of accidental breaches, disciplinary action, and claims against professional indemnity insurance.

Lower risk of fraud and theft: TPMAs will have invested more funds into security measures than a law firm could. This might potentially reduce the risk of cybercrime and financial fraud compared to managing client accounts in-house.

Increased Efficiency: Will this be the end of legal cashiers? Probably not as we all need bookkeepers but if you don’t operate double ledgers, then this may change your accounting. TPMAs would streamline the accounts’ processes, freeing up time, plus no more manual reconciliation of client accounts! Do keep in contact with the ILFM for their updates and support in the meantime.

Faster transactions: Some TPMA providers offer faster transaction speeds, which will always be helpful for time-sensitive transactions (that said, Friday Afternoon Fraud is a concern due to the amount of transactions that happen, see below!).

Improved Client Experience including transparency and convenience. TPMA providers have online portals where clients can track their funds in real-time. Also, it will be interesting to see how TPMAs integrate with other legal tech solutions you might use already.

Right, that’s the upside of using TPMAs, but in reality, are we a long way from a mass changeover?

The Challenges of TPMAs for Law Firms

Despite the potential benefits I mentioned above, of course the whole conversation around TPMAs isn’t so clear cut and there is the continued debate around pitfalls and challenges of using TPMAs.

One of the most significant is cost.

TPMAs typically charge fees for their services, which can add up, particularly for smaller firms. These costs may include fees for each transaction, as well as ongoing account management fees.

Currently it looks like typical costs are between 0.25% and 1.5% of the funds held, depending on the transaction size, complexity, and the TPMA provider.

Another challenge is the potential for increased administrative work. While TPMAs handle many aspects of fund management, as a law firm, you are still responsible for ensuring that the TPMA meets the required standards. This might involve additional due diligence and compliance checks, which could offset some of the administrative savings.

On top of that, there is the issue of trust. Some of your clients may feel uncomfortable with their monies being managed by a third party rather than the law firm they have instructed.

Transparency and openness is key when it comes to consumer protection. The SRA is hot on that, as you will know!

Law firms will have to communicate clearly with their clients about the benefits of using a TPMA and provide assurances about the security and oversight in place.

TPMAs, Law Firms and SRA Accounts Rules

TPMAs will need to abide by SRA Accounts Rules 2019 to an extent although they are primarily regulated by the FCA.

Rule 11 of the SRA Accounts Rules specifically addresses TPMAs, requiring firms to ensure the provider is FCA-regulated, the client understands the arrangement, and that accurate records are maintained.

The key difference is that the TPMA provider takes on the primary responsibility for compliance with the detailed rules on holding and managing client money.

Have you had a compliance audit recently?

Whether you’d like to read Teal’s brochure or want to dive in and get a legal compliance audit done now, you can read all about how we support you, your reputation and your clients. CLICK HERE

Aggregation Risks

There may be an aggregation risk associated with TPMAs. If the legal sector were to move en-masse to TPMAs, this could create a concentration of client funds into a few large providers.

While this might reduce potential risks in individual law firms, it could also give a greater focus to financial criminals on their concentration of targeting TPMAs, as well as cybercriminals.

The potential for a large-scale breach of a TPMA could have catastrophic consequences.

Are insurers prepared to underwrite?

Is the Shift to TPMAs the Solution?

While TPMAs offer some clear advantages, they’re not a panacea for the risks associated with client accounts.

The decision to move to a TPMA should be made extremely carefully, weighing the benefits against the costs and potential risks.

For some law firms, particularly larger ones with significant resources, managing client accounts in-house might still be the best option. These larger law firms should have the capability to invest in advanced security measures in order to maintain rigorous compliance standards.

Teal Compliance offers expertise back-up with Data Protection Compliance support in this regard.

For smaller firms, however, TPMAs could offer a valuable solution, provided they can manage the associated costs and maintain client trust.

While the adoption of TPMAs offers potential benefits, particularly for smaller legal practices, it’s crucial to understand that it doesn’t absolve firms of their fundamental responsibilities.

Maintaining robust compliance and risk management protocols, prioritising client safety, safeguarding your firm’s reputation, and ensuring adequate insurance support remain paramount. Only after these foundational elements are firmly in place would I suggest you consider the budgetary and ROI implications of a TPMA transition.

Small law firm SORTED Programme support and all compliance services and training can be found HERE.

Switching to a TPMA means different things to different MLROs, COLPs and Managing Partners.

Who do you want to hold funds?
Would using a TPMA be less time consuming?
Is it a convenient way to offer full transparency to your clients?
Are you fee earners and legal cashiers on board with the requirements?

Insurers' thoughts

Marc Rowson and Brian Boehmer, partners at insurance brokerage Lockton, discussed the implications on the profession, explaining how law firms can confidently navigate this evolving legal landscape.

Further to the SRA consumer protection review, and the talk about client accounts, Brian said he believes that mandating the use of TPMAs would be “a reactionary response to a few bad apples”, while Marc questions whether using TPMAs could entirely prevent the improper use of client money: “I suspect if someone wants to game the system, they’d find a way.”

If you want to read more about what Marc and Brian think you can read their thoughts HERE.

Quotes on Client Accounts and SRA Plans

"Kneejerk and disruptive": The Joint V law societies (representing 15,000 legal professionals) criticized the SRA's plans, stating they show a lack of understanding of the legal profession and could add a whole new level of risk.

Law Gazette

"Time to act": The Legal Services Consumer Panel urged the SRA to take decisive steps towards scrapping client accounts and mandating TPMAs, arguing that the current framework doesn't offer adequate consumer protection.

Legal Futures

"Disproportionate and poorly justified": The Law Society expressed similar concerns, arguing that the proposals are disproportionate and not justified by the evidence. They also highlighted the potential for increased costs and delays for clients.

Law Society Website

"Resistance to change": The Consumer Panel also criticised the SRA's "conservatism" and resistance to change, suggesting that embracing TPMAs could modernise the handling of client funds.

Legal Futures

Financial transactions in the legal sector will always be a target for financial and economic criminals. If you directly hold client funds and make use of the interest, being forced to take reasonable steps to change to a TPMA facility will be jarring.

As the legal sector continues to evolve, the debate over the future of client accounts is likely to continue, with firms exploring various options to protect client funds and maintain compliance. I, for one, will be here to support any changes for Teal Compliance clients.

Catch up on Teal Compliance’s Legal Webinars

CLICK HERE

Need Help?

Did you know that Teal provides specialist training to both COLPs and MLROs? If you want to find out more, simply GET IN TOUCH HERE.

You're not alone, Teal Compliance is your partner in compliance and risk management support.

Start with your legal compliance audit
Anti-money laundering | Data Protection | Regulatory Compliance

Click Here

The Future of Client Accounts: Should Law Firms Move to Third-Party Managed Accounts? Read More »

Handy Hints for those new to the role of a COLP and MLRO in a law firm

New to the role of COLP and MLRO?

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance, Risk Management / Mark

Firstly, if you’re new to the role of a compliance officer in your law firm, congratulations! If you’re the MLRO or the COLP, which are key positions in a law firm, getting to grips with our Handy Hints will help you stay on top of regulatory expectations and best practices.

If you haven’t downloaded already, our Guide to Source of Wealth & Funds for Law Firm Compliance is a must have.

Here are some of our key tips, plus practical guidance written for you, if you’re new to the role in a law firm in England or Wales.

1. Understand Your Core Responsibilities

As MLRO, your primary duties include:

Receiving and assessing Suspicious Activity Reports (SARs) from staff
Deciding whether to report suspicions to the National Crime Agency (NCA)
Keeping a clear and auditable record of decisions
Ensuring compliance with the Money Laundering Regulations 2017 (as amended)
Keeping up-to-date with Sanctions Regimes (especially in light of post-Brexit UK sanctions)

As COLP, your duties include:

Ensuring compliance with the SRA Code of Conduct and SRA Principles
Reporting serious compliance breaches to the SRA
Acting as the firm’s ‘whistleblower’ for misconduct

If you don’t already have a TOOLKIT then you can get hold of our TEAL TRACKER HERE which will get you off to a great start.

2. Keep on Top of Key Legislation & Guidance

Some key documents and sources you must be familiar with:

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended)
Proceeds of Crime Act 2002 (POCA) – especially on offences like failure to report and tipping off
SRA’s Anti-Money Laundering (AML) Guidance
Legal Sector Affinity Group (LSAG) AML Guidance – this is tailored for law firms
Sanctions and Financial Crime Guidance from the Office of Financial Sanctions Implementation (OFSI)

3. Risk Assessment & Client Due Diligence (CDD)

Ensure your firm-wide AML risk assessment is up-to-date
Make sure your firm is risk-based – i.e., clients, transactions, and matters are assessed for risk at the outset and on an ongoing basis
Implement proper Know Your Client (KYC) checks – ID verification, beneficial ownership checks, source of funds/wealth assessments
Make use of electronic verification tools, but don’t rely on them alone
High-risk clients (PEPs, high-net-worth individuals, complex structures) require enhanced due diligence (EDD)
Have a clear matter risk assessment process that all fee-earners follow

4. SARs & Internal Reporting

Train staff on how to spot red flags (e.g., unusual payments, urgent last minute changes in payments, complex company structures, reluctance to provide information)
Have a clear SAR reporting process – encourage staff to report suspicions internally first (to you as MLRO)

If you file a SAR to the NCA, remember:

You mustn’t tip off the client
You may need a Defence Against Money Laundering (DAML) before proceeding with a transaction
Keep a clear record of why you did/didn’t report

HOW WE CAN SOLVE YOUR COMPLIANCE HEADACHES

AML SORTED Programme (for medium to large sized law firms) CLICK HERE
AML SORTED Programme (for small law firms) CLICK HERE
Regulatory SORTED Programme (for medium to large sized law firms) CLICK HERE
Regulatory SORTED for Small Firms Programme (for small law firms) CLICK HERE

5. Training & Staff Engagement

Provide regular AML training for all fee-earners and staff
Training should be practical – use real-life examples of risks in legal work
Ensure all new joiners get AML training as part of induction
Encourage an open culture where staff feel comfortable raising concerns

6. Staying Compliant with the SRA

Be prepared for SRA AML Audits – they’ve increased spot checks on firms
Ensure your Policies, Controls, and Procedures (PCPs) are documented and kept up-to-date
If you’re ever unsure about an issue, document your reasoning before making a decision
Keep a register of AML breaches and near-misses
Attend their Compliance Conference each year

AML AUDITS WITH TEAL COMPLIANCE

7. Managing Stress & Your Own Risk

Keep an audit trail of key AML decisions – this protects you if questioned by the regulator
Use external resources and networks – join MLRO/COLP forums for peer support
If in doubt, seek external legal or compliance advice rather than making risky decisions alone
LawCare is the legal sector’s charity, supporting us in our roles in law firms. Their helplines are confidential, if you’re struggling with stress please contact them. They’re excellent and all the volunteers on the helplines have either worked in law, or still do, i.e. they “get it”.

READ THIS ARTICLE FOR FURTHER INSIGHTS

Need Help?

Did you know that Teal provides specialist training to both COLPs and MLROs? If you want to find out more, simply GET IN TOUCH HERE.

New to the role of COLP and MLRO? Read More »

How to master the tricky world of source of funds and wealth

How to Master the Tricky World of the Source of Funds and Wealth

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance, Risk Management / Mark

AML compliance can feel like walking a tightrope, right? Especially when it comes to a client’s source of funds and wealth. It’s a balancing act: you need to be flexible enough to handle all sorts of clients, but you also need a rock-solid strategy for managing risk.

At Teal Compliance we hear that it can be hard to have the conversation around source of funds and source of wealth with a well paying existing client, or those who have a high net worth.

If you haven’t downloaded already, our Guide to Source of Wealth & Funds for Law Firm Compliance is a must have.

Here are my thoughts on how law firms should nail the risk-based approach to source of funds and wealth verification, keeping you compliant without slowing things down.

Step 1: Build Your Risk-Assessment Toolkit

Think of your clients and transactions like a deck of cards – some are higher risk than others. Maybe you’ve got clients from countries with shaky AML rules, or maybe their business structure is a bit of a maze.

Whatever the reason, I suggest you begin by categorising them.

Once you’ve sorted them, decide what level of due diligence each category needs. Basic checks for some, the full nine yards for others. And don’t forget to keep your toolkit updated! Regulations change, the market shifts, and new risks pop up all the time.

If you don’t already have a TOOLKIT then you can get hold of our TEAL TRACKER HERE which will get you off to a great start.

Step 2: Set Clear Rules for High-Risk Transactions

Certain transactions, like residential conveyancing (a classic money laundering route as you will know) and corporate acquisitions, just scream “high risk.” For these, you need clear, standardised policies.

Within your AML Policy, you should spell out exactly what you consider is acceptable proof of source of funds and wealth. For example, if funds are coming from somewhere from a sale being handled by another law firm you may want your fee earners to get a completion statement from the law firm along with a bank statement from the client to show the funds being deposited. You should also build flexibility into your policy too because what happens when a transaction throws you a curveball? Your policy should tell you how to handle it.

Our SORTED Programmes can help you spot the gaps in your compliance and fix them.

Step 3: Train Your Team – Make Them Risk Detectives!

Handling High-Risk Transactions

Your team needs to be sharp when it comes to risk. I can’t emphasise enough how your training should be FIRMWIDE.

From your MLROs and COLPS to your receptionists, each one should be able to spot risk at the start a new client onboarding process and a new transaction, whilst keeping an eye on it during ongoing monitoring, and double-check everything whilst having the confidence to ask for help or back up if they need it. No fear culture is seriously important.

And here’s my pro tip: document everything. Why did they assess the risk the way they did? Write it down. It not only protects your firm but also shows you’re serious about compliance. Your PII firm will appreciate your documented communications and it will help should you ever get a visit from your regulator.

HOW WE CAN SOLVE YOUR COMPLIANCE HEADACHES

AML SORTED Programme (for medium to large sized law firms) CLICK HERE
AML SORTED Programme (for small law firms) CLICK HERE
Regulatory SORTED Programme (for medium to large sized law firms) CLICK HERE
Regulatory SORTED for Small Firms Programme (for small law firms) CLICK HERE

The UK Bank Account Myth: Don't Get Caught Out!

Let’s bust a myth that’s been doing the rounds for way too long: just because money’s in a UK bank account doesn’t mean it’s clean. Big banks have been in hot water for money laundering, so don’t assume anything.

Myth #1: UK Bank Account = Clean Money

Nope. Even the most reputable banks can have dirty money flowing through them. Just because it’s in a UK account doesn’t automatically make it legit.

Action: Always do your own due diligence on the source of funds, no matter where they’re held. Trace the money back to its origin and make sure the client’s story matches the documents.

Myth #2: The Bank’s Already Checked It

Maybe the bank did file a Suspicious Activity Report (SAR), but they might still have to release the funds. It doesn’t mean you’re off the hook.

Action: Treat every transaction like it’s brand new. Even if a bank has cleared the funds, your firm needs to verify the source and make sure everything is AML-compliant.

Bottom Line: Don’t fall for the UK bank account myth! It’s a trap. By understanding the limitations of relying on bank checks and doing your own thorough due diligence, you can keep your firm safe.

In conclusion....

If you find you are procrastinating from having that awkward conversation with a client (or indeed that well paying existing or high net worth client) about having to do some comprehensive checks as to where their funds are coming from, you can simply blame it on legislation! Come what may, you, as a solicitor, compliance officer, CILEx lawyer, paralegal, Senior Partner…have to adhere to the AML regulations by performing comprehensive checks to authenticate identities, proof of address, and source of funds and wealth.

Would you rather have a short, possibly tricky conversation with a client, or potentially face a serious consequence (no one wants a huge fine or go to prison).

As an example, if you are a conveyancer, you have to follow the rules to make sure the money used to buy a property isn’t from the proceeds of crime. It’s not just about ticking boxes for your law firm, you have to be smart and proactive in the fight against financial crime.

Let’s be honest, nobody wants their firm involved in money laundering. That’s where risk assessments come in. They’re like a health check for your business, helping you identify potential vulnerabilities so you can take action. By understanding the risks, you can put smart controls in place and keep things running smoothly (and legally!).

It’s never too late to get compliant, and it’s definitely never too early to begin the process.

You can email me directly, or any of my team to find out how Teal can help support you, your reputation and your clients.

Please remember that Teal Compliance is your go-to AML and Risk Management Partner and we have a variety of packages available to support you, your colleagues and of course, your clients!

To find out more, click HERE and come what may, we look forward to supporting you soon.

SORTED: Compliance Services

Training and Education

Ask Teal: Consultation Services

Legal Compliance Audit

Policy Review & Writing Services

Website Audit Services

Teal Tracker

Let us support you, your team and your clients.

How to Master the Tricky World of the Source of Funds and Wealth Read More »

Hidden costs of inadequate risk management in a uk law firm by AMY BELL

The Hidden Costs of Inadequate Risk Management in Law Firms

Anti-Money Laundering, Legal Compliance, Regulatory Compliance, Risk Management / Mark

What keeps a lawyer up at night? The answer will depend on where they sit in their role in a law firm. As a solicitor and AML compliance specialist, I get it.

Senior partners might focus on cashflow and reputation. Newly qualifieds might be struggling with imposter syndrome. Practice managers may be spinning their plates with software integration and IT headaches, whereas compliance officers will have their own plethora of worries.

From my experience, it depends on whether you’re specifically a COFA, COLP, or MLRO (of course many small high street firms have one person covering all the compliance and risk management pathways in a firm whilst fee earning).

Does your firm focus on conveyancing and private client work? You’ve got a whole host of challenges just by default. Are you involved in litigation and dispute resolution? Then you’ve got the “sham litigation” scenarios abounding. Onboarding overseas’ clients from possible “risk” territories? You’ve got some serious CDD work there. Have a senior partner that also holds the role of the compliance officer and looks after client accounts? Let’s not even go there…

It’s great that I’m seeing so many more firms come to me and my team asking for support in compliance training, more onboarding with our Teal Tracker software and generally being more proactive with their firm’s visibility in understanding and staying compliant, but there are so many that are still focused on the pounding billable hour and 100% client focused, rather than 85% on client work and 15% training and compliance.

The concept of “sustainable effort” is the idea of working at 85% capacity, as we can maintain the perfect equilibrium of high performance and well-being, i.e. if you are working at 100% then this leads to burnout, which of course leads to risk. McKinsey’s Burnout Tool is handy HERE.

It’s too easy to use AML templates and not tailor them to your firm, your clientele, and of course your employees and colleagues. I designed our AML software, TEAL TRACKER, with you in mind….if you’re reading this, then why not have a look at our software HERE.

We can all rely on those basic templates, ask new employees to read the policy online, run a tick box exercise, but what happens when it’s too late? When risk has crashed through your door.

Ultimately, overseeing risk management in your law firm is about finding a balance that works for you and your employees, whilst seriously considering factors like workload, regulator fines, insider (and outsider) threats, and workplace culture.

As the CEO of Teal Compliance and Chair of the Law Society’s Money Laundering Task Force, I can only continue to support my peers in the legal profession and impart my insights and expertise.

Sometimes if you look at scenarios and work backwards it helps to identify the stages of how to feel secure in your firm’s compliance processes and controls. Know the saying “I never thought it would happen to me?”. My advice is to assume it will be you and deter the baddies whilst appeasing the regulators.

Some of the “hidden costs”, i.e. consequences of inadequate risk management include:

Regulatory penalties: Firms that fail to comply with AML regulations can face significant fines and penalties. All you need to do is look at the SRA’s website or a search in Legal Futures to hear the latest. The law firm Ashfords LLP had a largely unblemished regulatory and disciplinary history and so it is regretful that they were then fined more than £100,000 for failing to comply with AML regulations
Reputational damage: A firm’s “brand” reputation can be devastatingly damaged if it has been involved in money laundering or other illegal activities, whether or not the crime was due to naivety or planned. We are in a digital age where social media and Google reviews can be detrimental, leading to a loss of clients, difficulty attracting new business, and a decline in overall firm value – you want succession and have worked so hard but then you’re fined, possibly struck off and another firm sweeps in at a price that’s hard to swallow.
Client money losses: The responsibility for client account monies falls on the law firm and its managers, including the Compliance Officer for Finance and Administration (COFA) and the Compliance Officer for Legal Practice (COLP). If client monies are stolen or laundered, and the SRA finds out, the firm and its responsible individuals can face serious consequences, including disciplinary action and potential referral to the Solicitors Disciplinary Tribunal (SDT). If the loss of client money is due to dishonesty or negligence by your firm, then you and your firm would be responsible for reimbursing the client. Consequences are hidden from this obvious painful financial strain, but brand reputation, personal life stresses and recruitment are key players.
Cybersecurity threats: Inadequate risk management can leave firms really open and vulnerable to dreaded cyber-attacks and data breaches. These can cause significant financial losses, including the cost of remediation, legal fees, and potential fines.
Internal fraud: This is a painful one because it forces us to look at insider threats. Common types of internal fraud include administering the accounts of individual clients where a single person has sole authority, and unofficial “borrowing” from client account or billing fraud. Billing fraud is where fee earners might inflate time spent and/or fees charged to meet or exceed targets. In the latter scenario it goes back to the pressures put on lawyers and therefore workplace culture might need more looking into.
Increased scrutiny: Time in a law firm is hard to come by, especially if there aren’t enough fee earners to cover the amount of work. It’s back to the balance of 85% output. If your firm has a history of compliance issues that aren’t rectified or evidenced to be doing more to manage risk, that firm faces increased scrutiny from the regulators. That is time-consuming in itself, as well costly. Your firm might be incurring higher costs to bring your practice into a healthy compliance model after failing to manage all risks adequately.
Difficulty obtaining insurance: If you have poor compliance records then it stands to reason that you might find it more difficult to obtain professional indemnity insurance or cyber insurance, or may face higher premiums. Insurers prefer continued transparency and openness. They better serve you when you come to them quickly with a possible breach. If they see you are in communication with them with anything seemingly risky, they’ll be able to help you navigate the process better.
Recruitment and Talent: Ask anyone in law and they’ll tell you that recruiting is a headache but then keeping great people in your firm is a migraine. A poor risk management culture leads to employee dissatisfaction, burnout, and ultimately, loss of your talented peers and colleagues. You don’t want to see your colleagues heading off to a competitor who offers continued training that’s engaging, and focuses on the 85% model at work do you?
Operational Inefficiencies: Practice managers have many plates to spin, therefore if part of their role is to ensure the operational running of your firm lacks effective risk management the plates begin to drop. Billing errors, CMS glitches, delayed disbursements, increased administrative workloads, and no controls to track and measure for compliance policies and processes.
Clients: We are all consumers of law in some way or another, yes, even us solicitors, i.e. we are all human. We observe, we listen, we trust, we lose trust…. clients may lose trust in a firm that fails to manage risks effectively. Remember social media, and insider gossip? It happens, people talk. If there’s a local newspaper with a budding journalist reading to crawl the disciplinary pages or court documents for their “business section”, and you’re in a firm of high street residential conveyancers, before you know it, the reputation is damaged, leading to loss of business and an impact on your firm’s market value. Whether you might be thinking of succession or investment, poor risk management has many hidden costs that include your future.

It’s never too late to invest in your firm’s compliance and manage risk effectively.

Amy

The Hidden Costs of Inadequate Risk Management in Law Firms Read More »

Risk Management

Contents

Understanding beneficial ownership

Definition of an individual PSC of a UK company

Definition of a beneficial owner of an overseas entity

Examples of concealing beneficial ownership

Don’t rely on the corporate veil — lift it

Challenge vague answers

Document the risk rationale

Verify control, not just ownership

Watch for layered structures

US Legislation News For Information

AML Guide: Independent legal professionals/trust/company service providers

What is the Definition of Suspicious Activity?

Suspicious activity may include:

Key Indicators of Suspicious Activity

Unusual Transactions

Client Behaviour

High-Risk Jurisdictions

Conveyancing and Real Estate

Obligations for Law Firms

Scenarios of Suspicious Activity

Scenario 1: High-Value Cash Deposit for a Property

Scenario 2: Use of Offshore Companies

Scenario 3: Unusually Structured Payments

Scenario 4: Evasive Client Behaviour

What triggers a suspicious activity report (SAR) in the UK?

Reporting Suspicious Activity (SAR)

National Crime Agency (NCA):

Solicitors Regulation Authority (SRA):

Amy's Reminders and Key Takeaways

Suspicious Activity Resources Reminder

Open Banking and User ID and Verification

Areas of law and fraud opportunities

Open Banking Landscape for Lawyers in 2025

How to get law firm clients to come on board with open banking?

New law firm client security questions

Law Firm Training for AML and Client Buy In

What's next in the open banking world?

What about those who can't or won't use open banking?

Family Law and Open Banking

What jurisdictions are open banking processes in?

What areas of law does open banking support?

Need Support or Advice?

You're not alone, Teal Compliance is your partner in compliance and risk management support.

Common and Generic Names

Outdated Data

Address Discrepancies

Irrelevant Data from Public Records

PEP (Politically Exposed Person) Matches

Human Error

Strategies to reduce false positives

In conclusion, what is the impact of a false negative in our AML controls?

Data Protection and Privacy

Websites and Social Media Platforms

Teal Compliance Recommendations

Is the Legal Profession Fit For the 21st Century?

Client Money Consultation

Handling Client Money - Residual Balances

High Volume Consumer Claims

Governance & Regulation of AI

Plenary 1: AI On Trial: Felix Zimmerman from Simmons & Simons (and others)

Litigation & AI

Compliance & AI

Replacing Staff?

Economic Crime Concerns.

Source of Funds (SOF) and Source of Wealth (SOW):

Law Society’s 2025 focus on Risk and Compliance

SRA Thematic Review on AML Training October 2024 Findings:

Code of Conduct and Culture in Law Firms

Eilish Cullen’s Conclusion of Risk & Compliance Conference Talks

The Challenges of TPMAs for Law Firms

TPMAs, Law Firms and SRA Accounts Rules

Have you had a compliance audit recently?

Aggregation Risks

Is the Shift to TPMAs the Solution?

Insurers' thoughts

Quotes on Client Accounts and SRA Plans

Need Help?

You're not alone, Teal Compliance is your partner in compliance and risk management support.