AML and KYC compliance sits in an awkward place in most law firms: too important to cut corners on, too repetitive and document-heavy to absorb gracefully at volume. The Solicitors Regulation Authority's AML guidance has become progressively more detailed since the Money Laundering Regulations 2017 came into force, and enforcement activity has sharpened noticeably since 2022. The question is not whether to take the process seriously. It is whether your fee earners and compliance staff should still be doing the manual steps by hand.
Below are the questions we hear most often from Compliance Officers for Legal Practice (COLPs), IT directors and innovation leads at UK law firms when they first look at automating this work.
What does "AML KYC automation" actually mean for a law firm?
It covers several distinct tasks that firms routinely collapse into a single process — and that conflation is usually where the inefficiency begins. Client identity verification: collecting and validating passports, driving licences, utility bills. Sanctions and politically exposed person (PEP) screening: checking individuals and entities against current watchlists. Source of funds and wealth documentation: collecting, storing and linking evidence to the matter. Ongoing monitoring: re-screening existing clients when their risk profile changes. And the firm-wide risk assessment and matter risk assessment, which are more analytical than documentary.
Automation is not equally useful across all of these, and we are direct about that with firms we work with. Identity document verification and sanctions screening are the most tractable. Source of funds analysis and risk assessment still require supervised human judgement — an automated tool can surface the documents, flag inconsistencies and structure the output, but the compliance decision sits with a qualified person. Selling a firm on the idea that the whole process can be automated is how projects fail and audits get failed.
Which tools are actually used in UK legal AML workflows, and what are their limitations?
Two vendors dominate the identity verification and screening market for UK law firms: SmartSearch and Thirdfort.
SmartSearch is the more established of the two and is widely used by conveyancing and commercial practices. It runs electronic identity verification against credit reference and mortality data, and includes AML screening — sanctions, PEPs, adverse media — via a single API call. Its limitation is data coverage outside the UK and Western Europe. For international counterparties, particularly in jurisdictions with thin credit bureau infrastructure, electronic verification often fails to return a result and you are back to document collection anyway. Firms running significant cross-border M&A work should not assume SmartSearch solves the problem globally.
Thirdfort positions itself as a more modern alternative, with a client-facing mobile app that handles biometric identity verification and open banking-based source of funds checks. The biometric layer is genuinely useful for remote client onboarding. The gotcha is that open banking data only covers accounts held in participating UK institutions — it tells you about a bank transfer from Barclays, not about the provenance of funds arriving from a Cypriot holding company. For high-net-worth private client and real estate work, open banking is a starting point, not a complete answer.
Neither tool eliminates the need for a process around what happens when verification fails or when enhanced due diligence is required. That workflow — who reviews the exception, what documentation is requested, how it is stored and linked to the matter — is where most firms still have manual gaps, and where we spend the majority of our time when scoping an AML automation engagement.
Is there a meaningful role for AI beyond identity verification and screening?
Yes, specifically in three areas.
Document extraction and structuring. Source of funds packs — bank statements, corporate structure charts, trust deeds, asset schedules — arrive as PDFs, sometimes scanned. An AI extraction layer can parse these documents, pull named entities, flag date gaps in bank statement sequences, and populate a structured record rather than leaving a paralegal to read through eighty pages manually. We have run this against packs of over 300 pages with extraction accuracy above 94% on structured financial documents, falling to around 80% on degraded scans. That gap matters — the 20% of low-confidence extractions still need human review, and any honest scoping conversation has to say so upfront.
Ongoing monitoring and re-screening triggers. Most firms are weak on the ongoing monitoring obligation under Regulation 28 of the Money Laundering Regulations 2017. They screen at onboarding and then rely on news alerts or nothing at all. An automated monitoring layer — scheduled rescreens against sanctions lists, PEP status changes, adverse media — with results surfaced into a compliance dashboard rather than buried in email, is operationally straightforward to build and materially improves audit trail quality. This is often the quickest win for firms that already use SmartSearch or Thirdfort for onboarding.
Matter risk assessment drafting. AI drafting assistance for matter risk assessments is genuinely useful, particularly for practices producing a high volume of standard-form assessments. A model trained on the firm's past assessments and matter types can produce a first-draft narrative that a fee earner reviews and signs off, rather than writing from scratch. The compliance decision remains human-owned; the administrative burden reduces. We treat this as an augmentation of the fee earner's judgement, not a replacement for it.
What is the most common misconception about AML automation in law firms?
The belief that passing client verification through a third-party tool satisfies the firm's AML obligations is wrong, and it causes real problems.
Electronic verification is one method of satisfying the identification and verification requirements under the Regulations. It is not a safe harbour. The SRA is explicit that firms remain responsible for the adequacy of their customer due diligence (CDD) regardless of which tool they use. If SmartSearch returns a green result but the client's source of funds is unexplained, the firm has not completed its CDD. We have seen firms treat a passed electronic verification as file-ready, with source of funds documentation incomplete and no matter risk assessment on file. That is a regulatory exposure, not a compliance programme.
The corrected position: electronic verification and screening tools handle the identity layer. AML compliance is the sum of identification, verification, source of funds, matter risk assessment, ongoing monitoring, and the judgement calls that connect them. Automating part of that process does not discharge the whole obligation.
How does this connect to wider document automation work at the firm?
AML and KYC is rarely the only document-heavy compliance workflow in a firm. Firms that have invested in due diligence automation often find that the extraction infrastructure — the pipelines that parse PDFs, extract entities, and write structured outputs to a database — is largely reusable for source of funds document processing. The underlying capability is the same; the domain logic differs. We have built on that reuse deliberately where firms come to us with both problems.
Similarly, the data extracted through AML processes — verified identities, corporate structures, ultimate beneficial owners (UBOs), PEP flags — is valuable beyond the compliance file. Firms that route this into a client intelligence store rather than a static PDF archive start to build a usable record of counterparty and client relationships. That has value for conflicts checking, pitch work, and relationship management. It is also a reasonable argument to make internally when justifying the infrastructure spend.
For firms considering how to scope and budget an automation project in this space, the build versus buy question matters more than it might appear. Off-the-shelf AML platforms handle the screening and verification layer well; they are generally poor at the bespoke extraction, exception handling, and internal data routing that distinguishes a genuinely automated workflow from a digitised manual one.
What should a firm have in place before starting an automation project here?
Three things, practically speaking.
First, a documented current-state process. If you cannot describe in writing what happens when enhanced due diligence (EDD) is triggered — who owns it, what is collected, where it is stored, how it is linked to the matter — you cannot automate it. You will automate the chaos.
Second, clarity on your data residency position. AML records contain personal data of the highest sensitivity. Any tool or pipeline that touches this data needs to be assessed under UK GDPR. That means knowing where data is processed, what the retention schedule is, and whether your professional indemnity (PI) cover extends to automated processing failures. We process and store all client data within the UK; that is a requirement we treat as non-negotiable for legal clients.
Third, a named compliance owner for the automated outputs. Automation changes the workflow; it does not change accountability. The COLP still owns the AML programme. The system produces a structured output, flags exceptions, and maintains an audit trail. A qualified person reviews the exceptions and takes the compliance decision. That division of labour needs to be written down before the system goes live, not after.
If you are starting to think seriously about this, the most useful conversation is usually a narrow one: pick the single most painful manual step in your current AML process — typically source of funds document handling or ongoing monitoring — and scope that first. Firms that try to automate the entire CDD workflow in one project rarely land well. We scope AML automation in stages precisely because the compliance risk of a poorly implemented system is higher than the cost of a phased rollout. If you want to talk through what that looks like for your firm's specific matter mix and client base, get in touch directly — a scoping conversation costs nothing and usually surfaces the priority quickly.