The New AML Due Diligence rules Law Firms cannot afford to ignore

If you run a law firm in England and Wales in 2026, you are practising in an environment where anti‑money laundering (AML) failures are no longer treated as unfortunate oversights; they are treated as foreseeable risks you should have controlled. The SRA, HM Treasury and FATF have all tightened expectations around due diligence, risk assessment and monitoring, and many firms are still playing catch‑up.

This article sets out what has changed, what law firms are now expected to do on due diligence, and how Intelect can support you through investigations, training and technology.

1. The basics that the SRA expects you to get right

The SRA has been explicit: too many firms are still failing on the AML fundamentals. Under the Money Laundering Regulations 2017 (as amended), and reinforced in SRA guidance, every firm in scope must have the following:

  • A firm‑wide AML risk assessment, documented and regularly reviewed.
  • Client and matter‑level risk assessments carried out at the start of each relationship and updated when risk changes.
  • An effective Customer Due Diligence (CDD) process, including identification and verification of clients and beneficial owners.
  • Documented policies, controls and procedures proportionate to the size and nature of the firm, approved by senior management.

Alongside the regulations, the Proceeds of Crime Act 2002 and Terrorism Act 2000 require firms to have a process for identifying and reporting suspicious activity to the National Crime Agency (NCA) via Suspicious Activity Reports (SARs).

From Intelect’s perspective, these are the minimum hygiene factors. The real risks and the opportunities to demonstrate robust due diligence sit fairly and squarely in how you actually apply CDD in higher‑risk work.

2. Where due diligence fails in legal practice

Despite years of guidance, the SRA still sees the same weaknesses when it reviews firms.

  • CDD done late or not at all – matters opened before identification/verification is complete.
  • Superficial risk assessments – templates completed without real consideration of client, matter type, jurisdiction or delivery channel.
  • Inadequate EDD – failure to escalate checks where there is a PEP, high‑risk country, complex structure or unusual transaction pattern.
  • Poor ongoing monitoring – no systematic review of existing clients when circumstances change.

For law firms, these weaknesses often appear in the highest‑risk areas: conveyancing, corporate/M&A, private client, trusts and cross‑border work. They are the same areas where criminals most want to exploit the profession.

This is where investigative‑grade due diligence makes the difference. We have years of experience from working with firms to dig beneath the surface of complex clients and structures, testing narratives, validating beneficial ownership, tracing corporate chains and documenting findings in a way that will stand up to regulatory scrutiny.

3. CDD, EDD and high‑risk clients in 2026

The core requirements for law firm due diligence have not gone away; they have been sharpened. Under the regulations and SRA guidance, firms must:

  • Carry out standard CDD on all clients in scope – identifying and verifying the client and, where applicable, beneficial owners of companies, partnerships and trusts.
  • Apply Enhanced Due Diligence (EDD) where there is a higher risk of money laundering, including where the client is a Politically Exposed Person (PEP), where the client or transaction involves a high‑risk third country, or where a transaction is unusually complex or large.
  • Conduct ongoing monitoring, ensuring transactions are consistent with the firm’s knowledge of the client, business and risk profile.

The SRA’s updated “Your AML obligations” guidance emphasises that firms must actively consider FATF high‑risk and increased‑monitoring lists when risk assessing matters, and that mandatory EDD must be applied where a client is established in a high‑risk third country under regulation 33. The Government’s amendments to the MLRs further narrow the list of high‑risk countries to those subject to FATF’s Call to Action, while still requiring firms to factor other jurisdictions into risk assessments.

For many firms, the challenge is operational: turning these abstract requirements into consistent file‑level behaviour by fee‑earners. That is where targeted training and well‑designed technology make a measurable difference.

4. Training your fee‑earners to make better risk decisions

The SRA repeatedly finds that firms struggle to evidence competent staff making informed AML decisions. Training is either too generic, too infrequent, or not tied to the realities of day‑to‑day work. Firms may have a policy, but fee‑earners cannot explain how to apply it to a complex client or transaction.

Intelect’s CPD‑certified eLearning is built around:

  • Current UK AML legislation and SRA guidance.
  • Real legal‑sector case studies from conveyancing, private client, corporate and trust work.
  • Practical information on CDD, EDD, sanctions, PEPs, source of funds/wealth and SARs.

The goal is simple: help solicitors understand how a regulator will look at their file and what good due diligence evidence actually looks like.

EDD‑Pro members receive at least 50% off all Intelect CPD‑certified eLearning.

Well‑trained fee‑earners are far more likely to spot red flags early, escalate appropriately and document their decisions in a way an SRA or FCA inspector will recognise as robust.

5. Using technology to enforce good due diligence

Policies and training are only part of the picture. Without the right tools, even well‑intentioned lawyers can revert to old habits under time pressure. The SRA makes it clear that firms must have systems to support client and matter‑level risk assessments, CDD and ongoing monitoring.

Intelect’s risk assessment platform is designed to support law firms in three practical ways:

  • Structured CDD workflows aligned with UK AML regulations.
  • Risk scoring that reflects client type, geography, services, and behaviour.
  • Audit-ready documentation to support regulatory inspections and internal reviews.

Start a free 7-day trial of Intelect’s risk assessment platform, with no obligation.

Alongside this, EDD‑Pro gives your team a single workspace for actually performing the due diligence behind those risk scores. The platform combines passport and identity verification (including NFC chip and manual entry options) with AI‑powered open‑source searches, sanctions and PEP database checks, adverse media, and clear data visualisation, then packages the findings into a downloadable report with your notes and a complete audit trail. It is designed to be fast, efficient, and integration‑friendly, so you can move from Client Due Diligence to documented decisions without bouncing between multiple systems. Find out more here.

Act now, before the rules bite

Combined with Intelect’s investigative support and CPD‑certified training, this gives law firms a practical, defensible way to meet the SRA’s expectations on AML due diligence in 2026 and beyond.

Feel free to connect here.
