Digital Identity Verification and Risk Mitigation

Given the trusted position that solicitors have and the value, nature and combination of the professional services that they provide, it is unfortunate, but not surprising, that the risks of criminals seeking to exploit their services are inherent for solicitors. Identity verification of clients is therefore a crucial step for solicitors in mitigating these risks.

Know your client (KYC) checks support solicitor firms in recognising those individuals or entities who may pose a higher risk of money laundering (ML) or terrorist financing (TF). Thorough and effective processes can also reduce the risk of the use of stolen identities or forged documents, common features of certain types of economic crime.

For these reasons, verification of client identity is a fundamental part of the Client Due Diligence (CDD) measures required by the Money Laundering Regulations 2017.

However, it is recognised that identity verification can be complex and resource-intensive for solicitor firms, and time-consuming for legitimate clients or customers. In its 2024 Consultation on Improving the Effectiveness of the Money Laundering Regulations (the MLRs), the government stated its commitment to considering ways to minimise the burden of identity verification for firms and clients while ensuring it remains effective at reducing the risk of ML/TF. The government committed to making it easier to comply with identity verification requirements in the MLRs, including by encouraging the uptake of digital identity technologies.

Traditionally identity verification and CDD checks have relied on manual procedures. This often entails in-person meetings with clients, manual identity verification, and email exchanges to gather essential documents. But as technology has developed, use of digital or electronic identification and verification (EID&V) tools has increased.

Many of these digital identity services are available from various third-party commercial providers and can be used by solicitors in meeting their identity verification requirements. A challenge in their use can be that, under the MLRs, solicitors can never outsource their ultimate responsibility through reliance on third-party providers. The onus is on the solicitor to take appropriate steps to understand how the digital identification process works, where it derives its data from, how it searches and to be satisfied as to the validity and reliability of the information the process is reporting.

In response to the increasing use of EID&V tools and to support solicitors in their compliance, the Law Society of Northern Ireland has published guidance on using EID&V tools for CDD on the Members Dashboard of its website (available here).

Section 7 of the Anti-Money Laundering Guidance for the UK Legal Sector also considers in detail and underscores the importance of the use of such technology and EID&V tools. This single sector Guidance has been approved by HM Treasury and is produced by the Legal Sector Affinity Group (LSAG) which comprises all the UK legal sector professional body supervisors, including the Society.

The accompanying case study concerns a firm which was identified by the Society on inspection as requiring more robust CDD measures in order to highlight some of the issues that should be taken into consideration when utilising EID&V providers.

The use of EID&V is clearly permitted by the MLRs, with Regulation 28 of the MLRs setting out the minimum requirements for EID&V processes. The correct use of EID&V also offers many potential benefits to support compliance with the MLRs and the mitigation of risk through applying CDD measures. However, any decision about whether to use EID&V should be based on a comprehensive understanding of what the system does and how it will help to meet a firm’s CDD obligations, which obligations remain with the firm under the MLRs, and address the ML/TF risks presented by the individual client or matter.

The Society’s guidance for EID&V gives further detail on the different factors for solicitor firms to consider when deciding whether to use EID&V, including:

• Does the EID&V process meet the requirements of Regulation 28(19) of the MLRs?

• Does the EID&V process properly establish the client’s identity rather than just establishing that the identity exists, and can the firm adequately demonstrate that the process does so to the Law Society as its supervisor?

• Does the EID&V process offer a higher degree of comfort e.g. are multiple sources of data used; do sources use robust underlying data sources where individuals are forced to prove identity in some way; biometric identification?

• Does the EID&V provider have proof of registration with the Information Commissioner’s Office for the purposes of storing personal data?

• Does the EID&V provider seek assurance testing and certification by the government, an approved expert body, or another internationally reputable expert body?

• Does the firm understand and can it demonstrate an adequate understanding of:

- Inputs to the system;

- The data sources used by the system to verify identity;

- The outputs from the system and what they mean; and

- How the system complies with relevant sections of the MLRs.

'It is recognised that identity verification can be complex and resource-intensive for solicitor firms'

• Tiered services – are these provided and does the firm understand and is it using the correct tiered service appropriately?

• Are the firm’s staff who are responsible for conducting searches using the EID&V process adequately trained to ensure the validity and accuracy of client data input, and that all necessary data is submitted in the right fields?

• Are necessary record-keeping and data protection considerations being met?

The Society’s guidance for EID&V also sets out FAQs, other available guidance and links to the LSAG AML Guidance for the Legal Sector regarding the use of EID&V. The Society’s guidance does not endorse any specific EID&V product or service provider.

As already noted, the government is committed to encouraging the uptake of digital identity technologies to support compliance. In this regard, the government has recently announced in its published Consultation Response (July 2025) that HM Treasury and the Department for Science, Innovation and Technology (DSIT) will jointly produce guidance on using digital identities for MLRs’ identity verification checks across all sectors, including the legal sector. This guidance will:

• Provide clarity on the definition of a digital identity;

• Give further detail on how digital identities can be used in line with the MLRs’ risk-based approach; and

• Seek to clarify how MLRs’ requirements interact with the UK Digital Identity and Attributes Trust Framework of standards and governance for trustworthy and secure digital identities services, underpinned by the Data (Use and Access) Act 2025.

Once available, this government guidance should provide greater clarity for firms on the use of EID&V services and the legitimacy of digital identity providers, which is welcomed.

Brian Carson,Head of AML Policy, Law Society of Northern Ireland

Case Study - Electronic ID & Verification (EID&V) – Firm A

• Firm A received an integrated accounts inspection by the Law Society’s Compliance Officer. Notable deficiencies in client due diligence measures were found on case file reviews, with no evidence of CDD or source of funds checks having been undertaken on several files and a lack of documentary records.

• After review of the inspection report by the Law Society’s Professional Conduct Committee, the Committee directed that a follow-up discrete onsite AML/CTF inspection be carried out by the Law Society’s AML Compliance Officer.

• On inspection the AML Compliance Officer found that the firm had since commenced using digital identity verification services provided by a third-party provider offering ‘full compliance with the MLRs’.

• While general compliance by the firm with the MLRs and improvements in the firm’s CDD measures were noted, issues were identified with the EID&V services being used by the firm.

• The checks being undertaken in the particular EID&V process used limited data sources, with corresponding limited outputs. Only screening for Politically Exposed Persons (PEPs) and sanctions were evident over the identification and verification of the client’s identity.

• The EID&V process used did not demonstrate sufficient capability to provide assurance that the person claiming a particular identity was in fact the person with that identity, to the degree necessary for effectively mitigating any risks of money laundering and terrorist financing as required by Regulation 28 of the MLRs. There was, for example, no liveness check nor equivalent documented check by the solicitor.

• The EID&V process as currently used was not by itself sufficient to meet all CDD requirements.

• The AML Compliance Officer’s reported findings were raised with the firm’s Money Laundering Reporting Officer (MLRO) who engaged positively, and guidance was provided. The firm’s MLRO was also referred to the LSAG AML Guidance for the Legal Sector.

• On further enquiry it was discovered that the third-party provider offered tiered services with some misunderstanding regarding the level of service currently used. The correctly tiered service was identified for appropriate use by the firm.

• After review by the Professional Conduct Committee, the solicitors were reminded of their obligations under the MLRs, again directed to the available guidance, and the necessary corrective actions were taken. An AML/CTF revisit inspection was directed at a future date to monitor ongoing adherence.