The SRA's Anti-Money Laundering Annual Report 2024–25 confirmed a further rise in regulatory intensity, with 935 proactive AML engagements in the period which is almost double from the previous period, and one-third of firms remaining non-compliant, with 54% only partially compliant. Of the weaknesses flagged, failures around enhanced due diligence including insufficient verification, absent EDD records, and inadequate evidence of the measures applied.

For firms whose client base includes higher-risk individuals like international clients, those onboarded without a face-to-face meeting, or those whose instructions involve complex or high-value transactions, the question isn't whether enhanced due diligence applies. The question is whether your processes are robust, consistent, and defensible.

Legl's Dual-ID CDD workflow is designed to help you to answer that question, supporting your firm to meet the requirements that are appropriate based on your firm’s risk appetite and policies.

The Regulatory Foundation: What MLR 2017 Actually Requires

Enhanced due diligence is not a discretionary upgrade. Regulation 33 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires firms to apply EDD to higher-risk clients, including any case which by its nature presents a higher risk of money laundering (Reg 33(1)(g)).

Reg 33(6) specifically identifies non-face-to-face onboarding as a higher-risk factor. A client you have never met in person, which, in an era of digital-first legal services, is increasingly common, may trigger the obligation to go beyond standard CDD. Critically, the same provision names an electronic identification process meeting the conditions set out in regulation 28(19) as a recognised safeguard when applying EDD to remotely onboarded clients.

The regulations do not prescribe two forms of identity document in every case. What they require is due diligence proportionate to the risk, with verification drawn from a source independent of the client (Reg 28(12) and 28(18)–(19)). Reg 33(5) further supports this by listing "seeking additional independent, reliable sources to verify information provided or made available" as an explicit enhanced due diligence measure.

In practice, many firms operationalise this as a two-photo-ID policy for higher-risk clients. The challenge has been building that policy into a reliable, repeatable, and auditable workflow, rather than relying on fee earners to remember to request a second document, or stitching together a manual process using generic form tools.

Dual-ID CDD encodes that policy directly into the client onboarding journey.

What Dual-ID CDD Does and How It Works

At its core, Dual-ID CDD collects two identity documents from the client, confirms their validity, and verifies both against a biometric scan of the client's face. The biometric match is the independent verification step, not the document alone. This matters from a regulatory standpoint: it is the combination of document authenticity checking and biometric confirmation that satisfies the conditions under Reg 28(18)–(19) for an electronic identification process to serve as a credible safeguard.

The workflow is designed to reduce error at every stage. If a document upload contains an issue, for example the wrong document type, poor image quality, a document that has already been used in another verification, the client is dynamically prompted to correct it before submission. This removes the manual back-and-forth that typically delays onboarding and increases the risk of non-compliant files reaching the fee earner.

The workflow accepts a passport as the primary document, paired with either a UK photocard driving licence or a foreign national ID card as the second. Each is checked for authenticity and validity, and both are biometrically matched to the client's live selfie. The document set is fixed within the workflow, so verification is consistent for every client it is applied to. This process is suited to internationally mobile or remotely onboarded clients. 

Both ID documents are checked for validity and cross-referenced. The full process creates an audit trail that demonstrates precisely what was collected, when, and what the verification outcome was.

Scope and Configurability: Applying It Where Your Risk Assessment Requires

Dual-ID CDD is not a one-size-fits-all setting. Firms can configure the workflow to apply to all clients, to clients identified as resident outside the UK , or to specific individuals that the firm has assessed as higher risk under its own client and matter risk assessment process.

This configurability reflects the underlying regulatory logic. Reg 33(6) requires firms to weigh geographic factors and non-face-to-face delivery when determining whether EDD applies. Dual-ID CDD gives compliance teams the controls to translate that risk-based judgement directly into the onboarding workflow, without requiring fee earner discretion at the point of client contact.

For firms operating across multiple practice areas like conveyancing, private client, corporate etc the ability to apply Dual-ID CDD selectively means it can be targeted at the matters and client types where the firm's own risk assessment calls for it, rather than creating friction across every file.

A Note on Standard CDD

It is worth being explicit about what Dual-ID CDD is not. Standard one-ID CDD, which in Legl’s platform includes biometric verification, is a robust identity verification method and remains entirely sufficient for the majority of clients. Legl's Standard CDD workflow meets the requirements for electronic identity verification under Reg 28 and is appropriate for clients assessed as standard risk.

Dual-ID CDD is an additional tool for the specific circumstances where a firm's risk-based approach calls for two forms of identification. It does not imply that single-ID verification is inadequate. It reflects the firm's own risk assessment for a particular client or client type.

It also replaces the manual workaround that many firms currently rely on: requesting a second document through a custom form, outside of any verified CDD process. That approach produces neither the biometric check nor the audit trail that a formal EDD workflow provides. Dual-ID CDD closes that gap.

Source of Funds: The Adjacent EDD Measure

Identity verification is one pillar of an EDD process. Source of funds is another, and it is the one that SRA inspections have consistently found to be underdeveloped. By October 2025, the SRA alone had issued 35 fines totalling more than £565,000, with common breaches including weak CDD, inadequate source-of-funds checks, and poor record-keeping.

Legl's Source of Funds capability allows clients to securely share bank transaction data via open banking, providing firms with instant access to verified, real-time financial information. For higher-risk matters, particularly in conveyancing and corporate transactions like M&A this brings source of funds checks into the same auditable, digital process as identity verification and other AML workflows. 

The result is a coherent EDD workflow: dual identity verification with biometric confirmation, and source of funds evidence, captured together in a single client journey and logged under the matter record.

What This Means in Practice

For compliance officers and MLROs, the practical value of Dual-ID CDD is twofold. First, it systematises a process that many firms are already trying to operate manually, making it consistent across fee earners and offices, rather than dependent on individual knowledge and memory. Second, it produces the documented evidence of EDD that regulators require. Under Reg 28 of the MLRs 2017, an undocumented EDD process is treated as no EDD process in a regulatory file review. If you can't evidence it, the regulatory position is that you didn't do it.

For fee earners, it removes the burden of chasing clients for a second document through email or bespoke form tools. The workflow guides the client through the process, handles errors dynamically, and delivers a compliant, decision-ready file.

And for clients, it is a cleaner, faster onboarding experience - even where the compliance bar is higher.

Conclusion

With emerging threats including deepfake ID fraud and digital onboarding without adequate verification now flagged by the SRA as areas of growing concern, the gap between a firm's stated EDD policy and what actually happens at the point of client contact is a genuine compliance risk. Dual-ID CDD closes that gap by encoding the two-ID policy, including biometric verification and full audit trail, into a workflow that runs consistently for every client it is applied to.

For firms ready to move beyond manual workarounds and build EDD processes that are defensible under scrutiny, that conversation starts with understanding where your current workflows leave gaps, and what a purpose-built solution looks like in practice.

‍