Posted by Yazad Bajina, chief commercial officer at Legal Futures Associate Checkboard [1]

Bajina: A scanned copy of a passport is no longer enough
At the root of every failed compliance review is a familiar phrase: a calm assertion of “but we did a document check”. It’s the first line of defence when questions are asked about how a client was verified before a matter was opened.
In 2026, that’s no longer enough. And if your firm is still treating it as though it is, you’re opening yourself up to more risk than necessary.
Not good enough
The Solicitors Regulation Authority’s (SRA) expectations around client due diligence have evolved considerably over the past decade.
The Legal Sector Affinity Group guidance, updated in recent years, demands firms take a risk-based approach to verifying client identity – one that is proportionate to the risk posed by the client, matter or transaction.
That sounds a lot more involved than just a document check.
But the reality on the ground at many firms – large and small – is that onboarding still means asking a client to email a copy of their passport and utility bill, and ticking a box once a compliance officer has glanced over it.
That process might have passed muster years ago, but today it’s no longer adequate.
Evolving threats
The reason document checks are failing isn’t just a regulatory issue. The tools available to bad actors have advanced dramatically, and AI-generated identity documents are now increasingly difficult to distinguish from the genuine article by sight alone.
Meanwhile, deepfake images, video and even audio are maturing to the point where verification by sight or sound alone is increasingly unreliable.
Using these tools and fragments of real personal data, bad actors can now create synthetic identities to open client relationships at law firms.
Law firms make particularly attractive targets because they lend legitimacy to transactions, contracts and relationships; criminals can exploit them to move laundered money or obscure suspicious ownership structures.
The SRA has been outspoken on the risk of this behaviour.
A new line of defence
Against that backdrop, a document check just isn’t going to cut it anymore. It simply isn’t a defence.
Robust identity verification in 2026 means going beyond a scanned copy of a passport or an uploaded utility bill.
Instead, it means taking that extra step to confirm not just that a document exists, but that it is genuine, correct, up to date and belongs to the person presenting it.
This requires using enhanced data insights – anything from credit files to HM Land Registry title deeds – to build a consistent, repeatable and scalable process, and to produce a verifiable audit trail that holds up to regulatory scrutiny.
And it requires firms to start asking harder questions about their compliance controls – and whether those controls reflect what actually happens when a new client instruction comes in.
Ahead of the curve
Compliance in 2026 means asking not just whether you’ve performed a check but whether that check actually means anything.
Anti-money laundering and identity checks based on documents alone will leave you exposed not just to regulatory scrutiny, but also to bad actors.
Implementing robust, repeatable controls will keep you ahead of these fast-evolving criminal risks. But it takes initiative, leadership, and a willingness to leave your compliance comfort zone to get there.