Posted by Yazad Bajina, director at Legal Futures Associate Checkboard [1]
Bajina:
For years, many law firms have treated identity verification as a box-ticking exercise. They run a liveness check, match a face to a document, and move on.
But that single-stage approach is no longer good enough; in fact, the rise of ever more sophisticated AI tools has even led some commentators to declare an end to KYC (know your client) facial recognition entirely.
In that reality, liveness checks are a response to yesterday’s fraud. AI is now outpacing single-stage verification, and relying on old methods can almost be regarded as an act of negligence.
And if your LinkedIn feed is anything like mine, you’ve probably already seen dozens of examples, stories and test cases where once reliable checks are being bypassed with deepfakes and forged documents.
Bad actors are developing new tricks faster than good actors can respond to them. It’s time for law firms to step up.
Good enough?
So, what’s going on? Fraud is nothing new. Driving licences are routinely forged. Bank statements can be manipulated or fabricated at the touch of a button. Illicit funds are obscured across multiple accounts or through complex legal arrangements.
Smaller law firms too often adopt a ‘good enough’ approach to fraud.
Sometimes that really is good enough, but that single-stage verification approach is being undercut by the more sophisticated AI-enabled methods fraudsters and launderers are now adopting.
Even supposedly foolproof biometric identity verification [2] can be bypassed by passports, including those containing NFC (near field communication) chips, made out with someone else’s name or face.
Criminal networks target firms with single-stage verification processes. And once identity is compromised, every downstream control becomes less effective. Sanctions screening, politically exposed person (PEP) checks, and anti-money laundering monitoring can’t work properly if the person you’re screening isn’t who they claim to be.
Tougher questions
Doing more of the same isn’t going to cut it anymore.
Law firms need to abandon single-stage verification and start asking tougher questions of their clients.
When verification stops at asking ‘Are they who they say they are?’, it can all too easily be bypassed by relatively simple – and increasingly accessible – methods.
Law firms need to ask:
- Can they prove their identity independently? (address, mortality, National Insurance)
- Are we allowed to work with them? (sanctions, PEPs)
- Are their funds legitimate? (proof of funds, source of funds, source of wealth)
These additional stages are important because most fraud isn’t identified at the first hurdle. Instead, it emerges when red flags are raised across multiple independent data points.
Bad actors can manipulate documents, fabricate screenshots, and exploit any number of loopholes. But they probably can’t do all those things at once without being noticed.
Subjecting each client to an enhanced level of scrutiny helps you root out those bad actors.
Better answers
Many of the checks law firms rely on are still controlled by bad actors. Fraudsters can choose what evidence gets shown and what information is revealed, and therefore shape the narrative surrounding their onboarding.
By employing multi-stage verification, law firms can take back control.
As the tools available to fraudsters become more accessible, and the barrier to entry becomes lower, law firms need to use every weapon in their arsenal to fight back.
That’s why they need to ask tougher questions – and to demand better answers – in a world where face value can no longer be trusted.