Head of Legal at Armalytix, Tom Lyes, joined Amy Bell for a Coffee Conversation to discuss what the Open Banking landscape for Lawyers looks like in 2025.
The following is an abridged version of the webinar and I am jumping to the questions that came at the end of the webinar to start off this blog as they will set the pace for the rest of it!
In the webinar, Tom discussed:
- Where are we now with Open Banking?
- What’s next?
- How the cases for lawyers are maturing beyond resi property into new disciplines such as Family Law and Commercial
- How Armalytix has evolved by delivering the same output to a lawyer irrespective as to whether a client can use Open Banking or not
- Open Banking in other jurisdictions
I was thrilled that Tom joined me in the conversation of open banking because I am an advocate for leveraging technology in law firms. I’ve known Tom for ages and value his insights and experience and this blog gleans information and guidance from our Coffee Conversation held on 20 March 2025.
At its core, open banking is all about making it easier and safer for businesses to connect directly with banks. Think of it as a way to share financial data and access bank services, like setting up payments, without all the usual hassle. The whole idea is to make things more transparent and generally simpler for businesses, and their clients / customers.
The back story is that open banking came about when Europe brought in the law called PSD2 back in 2018. The aim was basically three things:
- to give people more control and understanding of their finances;
- to offer more payment options; and
- to boost competition and innovation, which ultimately leads to a better experience for everyone.
When we talk about law, finance, regulations, risk management and couple them with innovation that’s when we really shake things up in the legal sector. For Armalytix, it means they can set up lawyer payments using what they call a ‘straight-through’ process. Which means payments can go directly from A to B, with way less paperwork and faff. It’s making things much smoother, and honestly, it’s about giving clients back time they more often than not, don’t have much of.
You can catch up on the full recording HERE.
As always, the questions came in fast and furious at the end of the webinar, and I wanted to start with a couple of topics that were pertinent to the whole conversation and are trending too; AI and Training being the two most stand out.
I’ve literally been asked about AI policies so many times for law firm compliance in conjunction with regulations. The question of what AI processes Armalytix use was always going to come up. As I am in the midst of drafting AI policies I was also intrigued as to what Tom and his team were doing on this subject.
Question: What function does AI have in Armalytix technology, and how does the law firm and their client gain confidence that the AI is not “imagining” experimental data?
Tom’s response: Most of our open banking journeys don’t really use AI. AI is probably used in our statement scanning, in that we’ve taught the machine to be able to recognize a bank statement from a bank. This means we can recognize that it’s a (for example) Monzo bank statement. We ask it if we can recognize if the documentation is a Nationwide bank statement. That’s where AI comes in.
One of the questions that we get asked is around obvious use cases that we see in the legal sector around AI, being the summarising of information. We could, in theory, run these reports and start to teach AI to provide written summaries of those. Further to Teal’s innovation day and conversations around AI last year however, clients and our wider audience seemed really nervous about that the summarisation aspect. In particular, from an AML point of view, the response to our summarisation proposal was the worry that AI would read the summary but not look at the underpinning data.
Broadly speaking, and from the feedback Teal received, as yet, we haven’t pursued anything further on this front, although I think over a period of time, AI and people’s perceptions will change as they become more comfortable with AI summarisations of large amounts of information.
On this topic, it led me to another question. As an auditor and adviser to law firms, I find myself talking to clients about the software they bring in to assist with their AML and also for use cases. One of Teal’s leading questions for clients implementing software seems simple, do you know how it works? I always ask who trains who in the firm and does it come from the source?
I put this question to Tom.
Question: What are the key things that you would say a user needs to make sure they’ve done with training in this regard, and would they know how to explain it, say, if I came knocking at their door as an auditor?
Tom’s response: We would break the onboarding project into two parts.
If you’re going to bring any technology or process into a firm, you’ve got to align that with what you’re telling your clients, and you also have to align that internally so people know why.
I can see that the best run projects are where the people leading the projects can clearly explain to people internally, “why are we doing this”? It might only be two or three key points, but people just need to understand that. Get your team to come on the journey with you
The second part is around training. Lawyers get reports, but they don’t necessarily understand how to interpret that data, so the need for training is key. I always say that the focus of the training is on what the report is telling you at a high level.
Question: What do you define as risky in a firm wide risk assessment?
Tom’s Response: We have something called our Risk Insight, which is unique to each firm, i.e., not from our analytics. We give people the ability to build those insights within our environment, so that when someone reviews a report, they’re effectively reviewing something initially that says these are the risks in our practice that they deem risky.
Tailored risk insights help a firm to get a flavour as to what they are going into before they are thrown into the analytics. For example, overseas money coming into client account on a residential property transaction.
From going into firms to audit my associates and I see instances where training can decrease its efficiency. By this I mean that sometimes we see firms who rely on their own staff to train new colleagues coming into the firm. Training from the source should be for everyone. We ask our clients if everyone in the firm has received the same level of training as the people who initially received it?
Armalytix runs its Analytics 101, which is a bi-weekly session where firms who have new users are invited to bring those new users along. It’s an open training session. All new users can find out exactly how the reporting side of things work, and with bigger firms, we do a slightly more nuanced and customised version of that as well.
Essentially training is absolutely crucial, because if you’re a team that’s responsible for delivery of a project, it’s probably going to fall back on you if the training has become diluted.
Whenever a firm brings in new technology, there are always going to be teething issues but technology evolves too. So, the challenges come in a two-pronged process that requires consistent decisions around training and investing highly in that.
That’s not to say everybody’s appetite for risk is the same, but from my experience, if you give structure and consistency your risk is less.
Tom spoke about monitoring and in particular, the AML world – what does it look like from his perspective in terms of end client support requests? He said that if he could see a firm that was onboarded recently as a client of Armalytix, they have a barometer on what the monitoring should look like.
We went onto speak about evolving products for open banking, AML and risk management. Simply put, we all need refresher courses from time to time, including new features as an example. But also, and this goes for any software, what I see is firms expecting their current users to train any new colleagues coming in, as if by osmosis. I mentioned this above I know, but it is a real issue Teal is seeing. What if I come in to audit and ask you or your colleagues to explain to me how a search works in an audit? And what does the audit check? I might ask how they know what to do with the results of the search? I could go on, but it highlights to me that all training ideally for risk management, should always come straight from the source, and by the provider.
Question: How long does Armalytix store data? Is it stored outside the UK? Is it done via an app? And if so, do clients need to keep the app on their phone?
Tom’s response: No, it’s not an app, we are web based, which means that clients can do the journey on a desktop and on their mobile (and it’s fully mobile compatible). From a data storage point of view, we store it for what we’re legally asked to store it for in terms of number of years, because it’s our journey and different to the law firm, as the end client is our end client. When the client comes into our analytics, they have to sign up at the end of the journey, or once the firm has shared a report. They could request at any point for their data to be deleted.
In those instances, we’d naturally make sure that we would communicate with the end client’s law firm to make sure they have a copy of the report downloaded for their own purposes. We would confirm that the end client has requested directly from Armalytix to delete the data.
All the data is stored within the EU at the AWS, which is a well-versed method of data storage, using Amazon web servers.
Teal Tracker is a software service and I understand Tom’s procurement questions because as providers we have to have everything ready to go to those who might need to view it for due diligence purposes. The SRA are becoming increasingly interested in what due diligence law firms are carrying out on their suppliers too, which is why I was particularly interested to hear what Tom was saying about regulations and the differences in regulation. The notes on this are further down in the blog.
As a law firm and if you’re using a provider for open banking or another service, if you don’t know firstly, that provider’s regulatory stance, and second how many parties are involved in the delivery of that service, and you aren’t aware of their processes it can be extremely detrimental to your risk management policies.
Tom and I were agreeing that if a software a law firm uses “goes down” and you can’t get access to the data, it may not be the analytics that’s crashed, it may well be the bank (as an example). There are layers to verify and check. If the SRA comes knocking asking you if you’ve done your due diligence on your service provider, will you have the reports at hand?
From a supplier perspective, Tom said that they have a data pack that sets out 90% of what Armalytix would expect to be asked as part of a DPI. He said he would expect law firm suppliers to be proactive on this front if you asked that question. It’s a pretty good sign of what type of supplier you’re working with, if they’re proactive about covering this topic! Worth a conversation with your current supplier maybe?
Question: If we’re using open banking software, do you still recommend obtaining original ID documents? Can we just rely on the ID docs being uploaded through the checks?
Amy’s response: I think his question is probably for me. I think the question might be about ID and Verification, as in the identity of a client, which is out with your service. If you’re going to use a software provider to help with the identification verification step of your client’s due diligence and you’re only going to use that software service, it has to be in accordance with the regulations; it has to be secure from fraud and misuse.
Now, if the reality is that those systems are using a biometric check or a document verification by looking at the image of the document, combined with external data lookups then it is actually going to be much more robust of a check. It’s more effective than you eyeballing a document that you’ve been given and you don’t know if it’s a forgery or not.
Often these software solutions have multiple anti-fraud steps built in, which is, of course, why you had to get the original documents in the first place to make sure it wasn’t a fraud!
The only caveat I’d give is that some firms are still concerned about the wording in the UK Finance mortgage lenders’ handbook for conveyancers (around seeing and taking a copy of a document), which tends to infer that you’ve actually handled the original and you’ve taken a copy of it.
Open Banking and User ID and Verification
It’s all about interpretation and managing risk when it comes to the UK Finance Handbook. We are hoping that UK Finance will amend their handbook to take into account this, because that wording has been there since I’ve been a solicitor (too long to remember!).
I do know that a request has gone into UK Finance for them to review those ID requirements, which are essentially anti-fraud measures and on the fraud subject, I think it was super interesting in the webinar when Tom talked about Armalytix using it to discharge a Dreamvar fraud (if you’re not a conveyancer or into vendor fraud, Dreamvar was a small property firm who unknowingly purchased a house from a fraudster who impersonated the true owner, leading to a £1.1 million loss and legal repercussions for involved solicitors).
In the Coffee Conversation webinar, Tom referred to the process where you have to make sure you’re sending the money to a bank account properly constituted in the name of the client for the last 12 months. I was so happy to hear that he and his team do this, because a lot of people are still focused solely on the Safe Harbour Id checks that look for the biometric check of the passport, which is an anti-fraud measure. If you’re in conveyancing you’ll get this but if you’re not, Safe Harbour is a set of really solid guidelines and standards that HM Land Registry put together, based on this UK Government Good Practice Guide, GPG 45.
Areas of law and fraud opportunities
I was thinking about Tom’s comments in our online event about which departments in a law firm or service area where lawyers would be looking at bank accounts in particular for their clients. Commercial litigation and embezzlement zoned into my thoughts.
When it comes to forensic accounting and examination of this example, we often see litigators or criminal lawyers double checking when their clients are accused of money laundering. Could you imagine a time when software could be used to defend people accused of money laundering?!
When it comes to software, which departments in your law firm waste time looking at bank statements, when they could be using software instead? Software would be more accurate (humans and numbers when you’re under pressure!), and time efficiency, making the whole process more cost effective for everyone.
I did say to Tom that I did think they might have some aspects to think about when it came to white collar fraud, especially private prosecutions, because lawyers would be pouring over financial data (including the bank statements!).
Open Banking Landscape for Lawyers in 2025
Where does open banking support lawyers?
I’m going to talk a little bit about the open banking landscape for lawyers in 2025, and Amy mentioned other use cases where open banking is supporting lawyers, rather than just something that powers and supports an AML type journey.
Open banking is the technology that empowers us in law firms. For that to happen, we have to be directly regulated by the FCA. In layman’s terms it means that we directly connect into 90% of UK current accounts through the big nine banks.
We’ve really focused over the last few years on raising the bar in terms of new innovations around open banking and source of funds.
AML is broadly our background. That’s what we’re most well known for. And lots of you will know that open banking can be really supportive in a source of funds check in terms of that middle piece of understanding, does that client have the money you need to see for that transaction and analysing the data that’s contained within.
Through open banking, you can get a set amount of data, whether that be 3, 6, 12 months or even longer on some higher risk matters. What open banking is able to do is analyse the data on cash, incoming transactions, and outgoing transactions.
We try to really focus on how we can do a better job at collecting as much as we can from the end client in that initial data grab. We’re one of the first providers to get access to Metro, and also for the Co-op which is now live, which is something we are proud of.
There are now 11.7 million active users of open banking enabled products in the UK that would cover use cases like ours, where we’re doing a one off to go get some information. If you think about how you might make a payment to an account number and sort code on your mobile (where you set someone up as a payee) open banking can speed up that, and there are businesses that have started to use that technology to really harmonise payments’ process.
When we looked at AML affordability investigation, or whatever you’re using open banking for, there are some key principles to get early client adoption from.
How to get law firm clients to come on board with open banking?
My first piece of advice would be to brace enough to TELL your clients, not ask them.
You’re the lawyer, you’re in control of the process, not your client. So, I’d say you have to be brave enough to tell your clients where vulnerabilities might come in.
If you have vulnerable clients or clients with no capacity then you require a Plan B.
I would say however, if you can get that message clear about you controlling the process and focusing on vulnerabilities, as well as understanding your client demographic, you should be looking to achieve an 80% to 90% success rate of sign-ups. I always say to law firms that if they can get their clients to understand the why, what’s the use case, why they have to do what you’re asking of them, when’s it going to happen, what it looks like, etc., they are more likely to understand the process and adopt the on boarding process of open banking with you.
New law firm client security questions
Security around finances and software are important to all of us.
For example, you might want to talk about security to your clients and how moving from manual to digital is safer. You might say that previously they would have emailed you their bank statements. It’s not particularly secure or safe for them or you as a firm. By giving your client an effective secure framework understanding, will mean they will be more likely to agree to open banking.
Law Firm Training for AML and Client Buy In
It’s no good adopting new technology into a firm if your staff don’t know how it works, and more importantly understand what the data is telling them.
When we work with firms who have centralised teams, we actually focus a bit more there on the “how things work” training angle, showing them what the user journey looks like, and what are some of the core messages around that?
If I was training a group of lawyers who would just purely be reviewing the reports, I would focus on reading the data and understanding what it is telling them.
Our feedback that we receive from leadership levels is about our articulated creation and of the consistency and process that we deliver. MLROs I speak to who will be at the top of the top of the chain for any queries, and will often say that when they get a report now, they’re broadly able to answer it much faster because it comes to them in a consistent format.
Come what may, I think it’s important to choose a provider that is FCA regulated, and who can handle any of the support queries generated. We focus all that on live chat.
What's next in the open banking world?
Many of you may have heard about “open finance” because the subject has been around for some while now. The term broadly represents an evolution of open banking beyond traditional banking to gather financial data.
The progression of open finance in the UK is linked closely to legislative development called the Data (Use and Access) Bill READ HERE) which is at the House of Lords stage and galloping towards Royal Assent at a fast pace (as at 1 April 2025).
This bill covers an awful lot of things around the ecosystem of financial data, and hopefully, what we in the professional services’ sector are hoping for here is that it creates structure and a framework as to what the future of open finance may look like.
Bear in mind, even when the bill becomes an act, changes won’t be immediate. Open finance is also a big cost for businesses to open up their API infrastructures without necessarily a reward, so although open finance is exciting in general for progress, just don’t expect anything too quickly.
We are also starting to see people grasp that open banking can be used for better verification of data. Many of our clients put their clients through an open banking journey with us, and therefore when it comes to 12 months of bank statement checks in a conveyancing matter for example, we can immediately report to our client as to whether their client’s bank account has actually been open for 12 months, as well as who the account owner is and what type of account it is.
What about those who can't or won't use open banking?
Good looks like 80% to 90% of those able to use open banking, but what about those people who fall out of that in all of the use cases?
We understand that not all clients can connect via open banking, and when they don’t, people are left dealing with a manual process which leads to delays in accuracies, more admin and less time for the good stuff. Earlier this year, we began embarking on our process of rolling out statement scanning, which is used as a combination of OCR and AI, but is generally used to support cases where open banking doesn’t work.
Family Law and Open Banking
Armalytix does a lot of work in the accountancy sector, especially working with insolvency practices. There’s a real clear use case here where in insolvency, the bank accounts may have been frozen, therefore they can’t be used through open banking. An insolvency practice will have those physical statements needed for some analysis, and the easiest way for them to do that is uploading them in the residential property world, you’re probably looking at things like gift donors, and vulnerable clients here.
Certainly, the technology is used more broadly in accounting than it is legal. But our main focus in the legal sector at present is in the family law space.
When asked about GDPR when requesting bank statements from the other side, it’s worth remembering that you, as the family lawyer, become the data controller, and as a data controller, you have a right to appoint a sub processor, and that agreement has to naturally cover that.
What jurisdictions are open banking processes in?
One of the questions I get frequently asked is open banking and jurisdictions other than the UK, and this is very appropriate as Amy is currently sat in the middle of Sydney, Australia!
As a provider, we currently only connect into UK bank accounts. There’s a number of reasons behind this, but if I start with Europe and post-Brexit, it has become more difficult for UK companies to obtain open banking licences, because of regulations and legal changes, such as having to have a presence in Europe etc. Unless you have a big European client base, the overall demand is pretty low (from our client base), so we never really pressed on with moving over jurisdictions.
If we start going a bit further afield, the jurisdictions that you might love us to give you some analysis on but probably never will be able to because they won’t open their doors to open banking are countries like China and Dubai, and I don’t anticipate them onboarding this process any time soon.
Outside the EU, two major jurisdictions that have opted for a regulatory-driven approach when it comes to open banking are Hong Kong and Australia. Australia’s open banking initiative, known as the Consumer Data Right (CDR), focuses on data sharing and consumer control.
I’m really keen to see how Australia handles the prescriptive side of Source of Funds (SOF) requirements. I’m sure Amy will keep us updated on the work she and AML Sorted are doing there. What’s fascinating about Australia, compared to the UK or Europe, is their banking landscape. It’s more consolidated, with their four major banks all mandated to implement these standards. Plus, even the smaller banks have followed suit, and they had some of the necessary infrastructure already in place. It’s quite different from the US, which is far more complex due to the sheer number of banks.
This link is totally independent to the work we do but it’s handy for a global look at which countries use open banking. https://www.openbankingmap.com/
What areas of law does open banking support?
Instead of tackling one problem at a time, firms are now using Open Banking to significantly reduce the time spent on bank statement analysis across multiple departments. By focusing on individual areas, they can achieve quicker and more impactful results.
What we are seeing more of are firms who offer:
- Family and Divorce law
- Conveyancing
- Probate and Estate Administration
- Commercial Litigation
- Insolvency and Bankruptcy
- Criminal Law (Financial Crime)
You can watch the full recording HERE.
Armalytix is an FCA regulated entity that works with Lawyers and Accountants to help them understand their clients’ finances.
I’m really keen to see how Australia handles the prescriptive side of Source of Funds (SOF) requirements. I’m sure Amy will keep us updated on the work she and AML Sorted are doing there. What’s fascinating about Australia, compared to the UK or Europe, is their banking landscape. It’s more consolidated, with their four major banks all mandated to implement these standards. Plus, even the smaller banks have followed suit, and they had some of the necessary infrastructure already in place. It’s quite different from the US, which is far more complex due to the sheer number of banks.
This link is totally independent to the work we do but it’s handy for a global look at which countries use open banking. https://www.openbankingmap.com/
Need Support or Advice?
If you would like to get hold of Tom, please email him directly: tom@armalytix.com, and if you have any questions of me or my associates, just drop me a line. My door is always open!
You're not alone, Teal Compliance is your partner in compliance and risk management support.
Anti-money laundering | Data Protection | Regulatory Compliance
