Why push payment fraud is the gap you need to close


By Legal Futures Associate Kord

Most onboarding effort goes into proving the client is who they say they are. It’s an important question to ask, but it is no longer the most important one.

In the first full year of the Payment Systems Regulator’s mandatory reimbursement regime, UK payment firms repaid £173 million to victims of authorised push payment (APP) fraud, across 188,000 eligible claims.

The National Crime Agency and the Law Society have launched a joint campaign warning conveyancers specifically about payment diversion fraud, and the Government’s Fraud Strategy 2026–2029, published in March, has put more than £250 million behind the problem.

All of this points to an uncomfortable truth for law firms used to putting all their energy into identity verification alone: the main angle of attack for fraudsters is the movement of money.

A verified client isn’t a verified payment

APP and payment diversion fraud sidestep the identity phase. Instead, fraudsters intercept the next step: the email confirming where the deposit should be sent, the updated ‘client’ bank details, the request to release funds to a new account.

A homebuyer who has been fully verified can still be tricked into sending six figures to a criminal’s account, and a fee-earner working from a spoofed email can still authorise a payment to the wrong place.

Neither failure is caught by a passport scan, because neither failure happens at the passport stage.

This is a structural weakness in how most firms onboard.

That’s because identity is still treated as a one-off event at the start of the matter. Money management is often the single most dangerous moment in the entire transaction, so handling it separately—and frequently over exposed email channels—is a major risk.

Closing the gap

The Law Society’s 2026 CQS update names ‘poor verification processes for client bank details’ as one of the leading causes of audit failures.

It’s one reason the regulator’s expectations are shifting towards verifying the payment and verifying the client together, not as separate obligations.

The firms that still treat identity and money as discrete steps are those most exposed to criminal and regulatory risk.

When there is no clear link between the client verified at onboarding and the account the money leaves or goes to, payment diversion fraud suddenly becomes a serious risk, and reconstructing the compliance timeline suddenly becomes very hard.

Through Kord, you can verify the client’s identity at onboarding, and the funds attached to that client are received through a regulated route tied to the same record—not as bank details typed into an email.

The identity you verify is the identity attached to the money. It means payment redirection has far less room to operate when the whole matter sits on a single trail.

Get in touch to find out more.

 

Associate News is provided by Legal Futures Associates.