The Legal Profession's Compliance Reckoning
For decades, lawyers occupied a comfortable position in the AML landscape. They advised clients on compliance. They helped structure transactions. They occasionally filed suspicious activity reports. But they were largely exempt from the rigorous KYC obligations imposed on banks and financial institutions.
That era is over.
Under the EU's AMLR package, lawyers, notaries, and other independent legal professionals are firmly classified as obliged entities. In the United States, the AML Act of 2020 and subsequent FinCEN rulemaking are moving in the same direction. The message from regulators is unambiguous: legal professionals are gatekeepers to the financial system, and they will be held to gatekeeper standards.
This is not a theoretical risk. In 2024, the EU's supranational risk assessment identified legal professionals as a high-risk channel for money laundering, particularly in real estate transactions and corporate structuring. National regulators across Europe have followed with targeted supervision programs and, increasingly, enforcement actions against law firms with inadequate AML controls. Fines, professional sanctions, and reputational damage are all becoming more common—and more severe.
For law firms, notaries, and legal professionals operating in real estate, fund formation, and corporate transactions, the question is no longer whether AML compliance applies to them. It is whether their current processes are adequate for the obligations they already have—and whether those processes will scale as requirements continue to tighten under AMLA coordination and AMLR direct applicability.
Part 1: What the Law Requires
EU Obligations for Legal Professionals
Under EU AML law, lawyers and notaries are obliged entities when they participate in certain activities on behalf of their clients. These triggering activities include buying and selling real property, managing client money, securities, or other assets, opening or managing bank or savings accounts, organizing contributions for the creation or operation of companies, and creating, operating, or managing trusts, companies, foundations, or similar structures.
The scope is broad—far broader than many legal professionals realize. Any law firm involved in real estate transactions, corporate formation, fund structuring, or trust administration is covered. This is not limited to large international firms—a two-partner practice handling residential conveyancing is as much an obliged entity as a Magic Circle firm structuring cross-border fund investments. The obligations are the same; the scale of implementation differs.
Specific obligations mirror those imposed on financial institutions. Customer Due Diligence requires identifying and verifying the client through reliable documentation, identifying the beneficial owner of any entity client using independent sources, and understanding the nature and purpose of the business relationship. This is not a cursory check—it requires genuine investigation into who the client is, who benefits from the transaction, and what the purpose of the engagement actually is.
Enhanced Due Diligence must be applied for high-risk situations: PEPs, complex ownership structures, high-risk jurisdictions, unusually large or unusual transactions, and any situation where the risk of money laundering or terrorist financing is elevated. EDD is not optional where risk factors are present—it is a regulatory requirement, and the failure to apply it when circumstances warrant is itself a compliance breach.
Ongoing monitoring of client relationships is required throughout the relationship, not just at onboarding. Filing Suspicious Transaction Reports when there are reasonable grounds to suspect money laundering or terrorist financing is mandatory—and the failure to file when grounds existed attracts significant penalties. Records of all CDD measures and transactions must be maintained for a minimum of five years, in a format that is accessible and retrievable for regulatory inspection. And every firm must appoint a compliance officer and establish internal AML policies and procedures tailored to their specific practice.
The AMLR package reinforces these obligations with directly applicable rules across all member states. National variations in implementation will be reduced or eliminated. Supervision will be strengthened through AMLA coordination, meaning that supervisory standards will converge upward across the EU. The bar for legal professionals is rising—and it is rising fast.
US Obligations: Current and Coming
The US has historically been more permissive with legal professionals regarding AML obligations, but the regulatory trajectory is unmistakable and accelerating.
Currently, lawyers are not explicitly designated as obliged entities under the BSA. However, several developments are tightening the net significantly. The AML Act of 2020 directed FinCEN to study the role of legal professionals in money laundering and consider additional regulations. The Treasury Department's 2024 National Strategy for Combating Illicit Finance identified real estate professionals, including lawyers involved in real estate transactions, as a priority area for enhanced regulation. State-level bar associations are issuing formal ethics opinions on lawyers' AML obligations with increasing frequency, and certain jurisdictions are implementing additional requirements through professional conduct rules.
The American Bar Association's formal opinion on AML obligations clarifies that while lawyers are not currently required to file SARs, they have ethical obligations to avoid facilitating client misconduct, including money laundering. The "willful blindness" doctrine means that deliberately avoiding knowledge of a client's illicit activities provides no legal protection—ignorance by design is treated as knowledge by courts and regulators. A lawyer who deliberately fails to ask obvious questions about the source of funds for a real estate purchase cannot later claim ignorance as a defense.
The trajectory is clear. US legal professionals should prepare for formal AML obligations comparable to those in the EU. The question is not whether these obligations will come, but when—and in what form. Firms that build compliance infrastructure now will have a significant advantage when regulations formalize, avoiding the scramble and expense of last-minute implementation that characterized the banking sector's response to earlier AML regulations.
The Legal Privilege Tension
The most contentious aspect of AML obligations for lawyers is the tension with legal professional privilege, known as attorney-client privilege in the US context. This tension is real but frequently overstated by lawyers seeking to justify non-compliance.
In the EU, this tension is addressed through explicit carve-outs. Lawyers are generally not required to file STRs regarding information received in the course of ascertaining the legal position of a client or performing their task of defending or representing that client in judicial proceedings. However, this exemption is narrow and frequently misunderstood. It does not cover transactional work such as real estate purchases, corporate formations, or fund structuring. A lawyer conducting KYC on a client purchasing property is not protected by legal privilege from reporting suspicious activity related to that transaction. The privilege protects legal advice; it does not protect transaction facilitation.
The practical implication is that law firms must establish clear internal boundaries between advisory work (where privilege may limit reporting obligations) and transactional work (where full AML obligations apply without exception). This requires training so that all lawyers understand the distinction, documented policies that define which activities fall on which side of the line, and in larger firms, separate compliance workflows for different practice areas. The boundary between privileged and non-privileged work must be defined clearly and applied consistently—regulators will not accept vague claims of privilege as a blanket justification for non-compliance with AML obligations.
Part 2: The Practical Compliance Gap
Where Law Firms Fall Short
Most law firms' AML compliance programs are inadequate. This is not a criticism of intent—most lawyers want to do the right thing—but a recognition of structural challenges that the legal profession has been slow to address.
The first gap is KYC process maturity. Many firms still conduct KYC through informal processes: a partner asks for ID, a secretary photocopies it, and the copy goes in a physical file. There is no standardized verification process, no risk assessment framework, and no systematic record-keeping. The approach varies from partner to partner, and there is no quality control. This approach fails every regulatory expectation and would not survive a supervisory inspection.
The second gap is beneficial ownership identification. Law firms regularly establish companies, trusts, and fund structures for clients. Yet many firms do not conduct thorough UBO identification on the structures they create. The irony is significant and not lost on regulators: the firm creates the legal opacity that regulators are trying to penetrate, without verifying who ultimately benefits from the structures it designs. A firm that creates a multi-layered holding structure for a client without identifying the ultimate beneficial owner is both creating risk and failing to manage it.
The third gap is ongoing monitoring. Even firms that conduct reasonable onboarding KYC rarely have systems for ongoing monitoring of their client relationships. A client verified three years ago may have undergone significant changes in risk profile—new sanctions designations, adverse media, changes in political exposure, restructuring of ownership, new criminal investigations—without any updated due diligence being conducted. The firm continues to act for the client based on stale information.
The fourth gap is STR filing. Many legal professionals are uncertain about when and how to file suspicious transaction reports. The threshold for "reasonable grounds to suspect" is not always clear, and the tension with legal privilege creates additional uncertainty. The result is either under-reporting (missing genuine suspicions because the lawyer is unsure whether the threshold is met or whether privilege applies) or paralysis (not knowing how to proceed when concerns arise, resulting in no action at all). Both outcomes expose the firm to regulatory risk.
The fifth gap is training. AML obligations for legal professionals are complex, jurisdiction-specific, and evolving rapidly. Many firms provide minimal or no AML training to their staff. Fee earners may not know what red flags to look for in their specific practice area. Support staff may not understand their role in the compliance process. Without training, even well-intentioned compliance programs fail in practice because the people implementing them do not understand what is required.
The Risk of Inaction
Regulatory enforcement against legal professionals is intensifying across Europe, and the consequences are becoming more severe with each enforcement cycle.
National regulators are conducting targeted inspections of law firms, particularly those involved in real estate and corporate transactions—the areas identified as highest risk. Findings from these inspections frequently cite inadequate CDD procedures that do not meet the minimum standards, missing or incomplete beneficial ownership records, absence of documented risk assessments, failure to file STRs when circumstances clearly warranted them, and inadequate training records.
Penalties range from formal warnings to substantial fines that can reach hundreds of thousands of euros. In severe cases, individual lawyers face professional sanctions including suspension or disbarment—the end of a career. The personal liability dimension is particularly significant for legal professionals: unlike corporate penalties absorbed by a large institution, sanctions against individual lawyers are public, personal, and potentially career-ending.
Beyond regulatory penalties, law firms face reputational risk that may be even more damaging in the long term. A law firm publicly associated with a money laundering case—even as an unwitting facilitator—suffers client trust damage that no amount of remediation can fully repair. In a profession built entirely on trust and reputation, this risk alone should motivate compliance investment. Clients choose lawyers they trust, and trust evaporates when a firm's name appears in enforcement actions or media coverage of financial crime.
The risk-reward calculation is straightforward. The cost of implementing proper AML compliance is modest relative to firm revenue—particularly when using cloud-based technology solutions that eliminate the need for large capital investments. The cost of non-compliance—in fines, reputational damage, professional sanctions, and potential criminal liability—is potentially existential for the firm and certainly career-threatening for individuals.
Part 3: Building a Law Firm Compliance Program
Governance Structure
Every law firm subject to AML obligations needs a clear governance structure with defined responsibilities and sufficient authority to ensure compliance is actually implemented, not merely documented.
A Money Laundering Reporting Officer (MLRO) or equivalent must be appointed. In most jurisdictions, this must be a senior person with sufficient authority and independence to challenge decisions—including decisions by managing partners. The MLRO must have the authority to refuse or delay a matter if KYC is incomplete, and this authority must be supported by the firm's governance. In smaller firms, this may be a partner with dedicated compliance responsibilities. In larger firms, it should be a dedicated compliance role reporting directly to the managing partner or management board, with clear independence from fee-earning pressure.
The firm needs written AML policies and procedures tailored to its specific practice areas, client base, and risk profile. Generic, off-the-shelf policies purchased from a compliance vendor and filed without customization are insufficient. The policies must reflect the specific risks the firm actually faces: the jurisdictions it operates in, the types of transactions it handles, the client segments it serves, and the particular red flags relevant to each practice area. A conveyancing firm faces different risks than a fund structuring firm, and their policies should reflect this.
A firm-wide risk assessment should identify and document the money laundering and terrorist financing risks relevant to the firm's practice. This assessment drives the intensity of compliance measures and must be proportionate to the firm's actual risk exposure. A firm specializing in domestic residential conveyancing for individuals has a different risk profile than a firm structuring cross-border fund investments for institutional clients, and their compliance programs should reflect that difference in both scope and depth.
Regular training must reach all staff—partners, associates, trainees, paralegals, and administrative staff. Training should be role-specific and practical: fee earners need to understand risk indicators in their specific practice area and how to escalate concerns, while support staff need to understand the firm's procedures for handling identification documents, maintaining records, and routing documents through the compliance workflow. Training should include real-world scenarios drawn from the firm's actual practice areas, not abstract regulatory lectures.
Client Onboarding Workflow
A standardized, technology-enabled client onboarding workflow transforms law firm compliance from ad hoc to systematic—and from a burden to a business advantage that improves both compliance quality and client experience.
The workflow should begin at engagement, before any substantive work begins. The client must be identified and verified through a defined process that includes collecting and verifying identity information for all individuals and entities involved in the matter, identifying and verifying beneficial owners of entity clients through independent sources, assessing the risk level of the engagement considering client type, transaction type, jurisdictions involved, and any risk indicators, applying enhanced due diligence where risk factors are elevated, screening all parties against applicable sanctions and PEP lists, and documenting all CDD measures taken and their results.
The workflow should be integrated with the firm's practice management system so that no file can be opened, and no work can begin, without completed KYC. This removes the temptation to "start work and catch up on compliance later"—a common and dangerous practice that creates both regulatory and ethical risk. Technology enforces this discipline in a way that policies alone cannot.
For firms handling real estate transactions, the workflow should include source of funds verification. Where is the purchase money coming from? Can the client demonstrate a legitimate source consistent with their known financial profile? This is often the most revealing element of real estate KYC and the one most frequently neglected by legal professionals. Source of funds questions that reveal inconsistencies or evasiveness are among the strongest indicators of potential money laundering, and lawyers are uniquely positioned to ask these questions because they see the transaction details that other parties may not.
Technology Adoption
Law firms have historically been slow technology adopters—a cultural characteristic that is increasingly untenable in an era of technology-enabled regulatory compliance.
Manual KYC processes are inadequate for modern compliance expectations. They are slow, delaying client onboarding and transaction completion at a time when clients expect speed. They are error-prone, with human mistakes in data entry, verification, and record-keeping that create compliance gaps. They are inconsistent, with different lawyers applying different standards to similar situations, making the firm's compliance quality unpredictable. They are unscalable, with compliance effort growing linearly with client volume while revenue grows sublinearly. And they are difficult to audit, with paper-based records that are hard to search, review, and present to regulators during inspections.
Technology-enabled compliance solves these problems comprehensively. A modern KYC platform for law firms provides standardized digital onboarding for all client types with consistent quality regardless of which lawyer initiates the matter, automated identity verification and document checking that works in seconds rather than days, integrated sanctions and PEP screening that is always current and always comprehensive, risk-based workflow routing that automatically determines standard versus enhanced due diligence based on the firm's documented risk framework, centralized record-keeping with full audit trails that satisfy regulatory inspection requirements, ongoing monitoring with automated alerts for changes in client risk profile, and regulatory reporting capabilities that reduce the administrative burden of compliance.
The implementation need not be disruptive. Cloud-based platforms like VeriKYC can be deployed alongside existing practice management systems, providing compliance capability without requiring wholesale technology replacement. Most firms can be fully operational within weeks, not months. The onboarding process for the platform is simpler than the onboarding process for a new client.
The return on investment is clear: faster client onboarding that improves client satisfaction and competitive positioning, reduced compliance risk that protects the firm and its individual lawyers, lower cost per verification as automation replaces manual processes, and a defensible compliance program that satisfies regulatory expectations and survives inspection without qualification.
Conclusion: From Gatekeeper Liability to Gatekeeper Advantage
Legal professionals are gatekeepers. Regulators have decided this, and the regulatory trajectory is irreversible regardless of jurisdictional debates or professional body objections. The question is whether law firms treat this as a liability to be minimized—spending as little as possible on compliance while hoping to avoid inspection—or an advantage to be leveraged.
Firms with robust AML compliance can market their compliance capability as a genuine client benefit. In real estate transactions, sophisticated buyers and sellers want assurance that their counterparty has been properly vetted—it protects them from the risk of a transaction being unwound or investigated after completion. In fund formation, institutional investors expect their legal counsel to have best-in-class compliance processes and will choose firms that can demonstrate this capability in due diligence questionnaires. In corporate transactions, strong compliance reduces the risk of regulatory complications post-completion and provides comfort to all parties that the deal has been conducted properly.
The firms that invest in compliance now will win mandates from clients who value professionalism and risk management—and those clients tend to be the most sophisticated, the most loyal, and the most profitable. The firms that delay will face increasing regulatory pressure, potential enforcement action, and client attrition to better-prepared competitors who have made compliance a differentiator rather than an afterthought.
The compliance frontline has arrived at the legal profession's door. The only question is how you respond.
The practical steps are clear. Assess your current program against regulatory requirements—honestly, not defensively. Invest in technology that automates the routine elements of compliance so your lawyers can focus on the judgment calls that require legal expertise. Train your entire team, from partners to reception, because compliance is not the responsibility of a single individual—it is a firm-wide obligation. Document everything, because in the regulatory world, undocumented compliance is indistinguishable from non-compliance.
And recognize that this is not going away. Every regulatory cycle brings tighter requirements, more intensive supervision, and higher penalties. The firms that get ahead of this curve will not only survive—they will thrive. Those that wait will find themselves perpetually catching up, spending more to achieve less, and losing clients and talent to firms that made the investment earlier.
The gatekeeper role is permanent. Make it an advantage.