How Law Firms Are Getting Client Onboarding Wrong - and What It Costs

Most law firms believe their client onboarding is compliant. It is not. If your firm collects identity documents by asking clients to photograph their passport and email it to a partner, you are not performing remote identification. You are collecting an image that anyone with basic software can forge, storing personal data without a lawful processing basis, and creating precisely the kind of gap that the EU's new Anti-Money Laundering Regulation is designed to close. For managing partners and compliance leads at regulated firms, this is no longer a process inconvenience. It is a liability.

What the new AMLR actually requires for client identification

Regulation (EU) 2024/1624 (the AMLR), which applies directly across all EU member states from 10 July 2027, replaces the fragmented national transpositions of the 4th and 5th Anti-Money Laundering Directives with a single, uniform rulebook. For law firms, the most operationally significant change is in Article 22: customer due diligence must now use electronic identification methods that meet the standards set by the eIDAS Regulation (EU) 910/2014.

This is not a recommendation. It is a requirement. And in many ways it replaces local national rulesets. Identification via eIDAS-compliant methods, including the forthcoming EUDI Wallet, satisfies the CDD verification standard for remote onboarding. Methods that do not meet this threshold — including emailed passport photographs, scanned copies, and unverified video calls — do not.

The draft Regulatory Technical Standards from the European Banking Authority confirm this direction: from 2027, regulated entities must accept EUDI Wallet-based identification, and identity verification must reach at least "Substantial" assurance level under the eIDAS framework for standard CDD, and "High" assurance for enhanced due diligence scenarios.

Why emailed ID copies are not remote identification

A client photographing their passport and sending it via email is not an identity verification process. It is a document transfer. There is no liveness check to confirm the person holding the document is the person pictured in it. There is no biometric binding between the individual and the credential. There is no cryptographic proof that the document has not been altered in transit.

From a GDPR Article 6 perspective, the processing basis for storing copies of identity documents must be clearly established and proportionate. Firms routinely collect and retain these copies without a documented legal basis, without a retention schedule, and without the technical safeguards that Article 32 requires for data of this sensitivity. The result: personal data scattered across inboxes, local drives, and case management systems with no audit trail and no access control.

In conversations with law firms across the Nordics and the UK, we hear the same pattern. Partners and associates receive instructions from their compliance function to collect identity documents from clients. The compliance team expects a verified identity record. What they get is a JPEG in an email thread, stored nowhere systematic, verified by no one.

What this process actually costs a firm

The direct cost is not just regulatory exposure. It is operational drag, reputational risk, and client friction that accumulates silently.

Regulatory enforcement is accelerating. The EU's new Anti-Money Laundering Authority (AMLA), which becomes operational alongside the AMLR in 2027, centralises supervision for high-risk entities and introduces direct enforcement powers. National supervisory bodies, including the SRA in the UK, have already increased enforcement actions against firms with inadequate CDD processes. Fines under the AMLR can reach up to €10 million or 10% of annual turnover, whichever is higher.

The operational cost is equally real. When partners and associates become responsible for collecting and storing identity documents, they become de facto data processors for some of the most sensitive personal information a firm handles. Every unsecured email, every passport photograph saved to a desktop folder, every copy forwarded to a colleague creates a data incident waiting to happen. Under GDPR Article 33, a firm must report a personal data breach to the supervisory authority within 72 hours. Most firms cannot even determine how many copies of a client's identity document exist across their systems.

The client experience cost compounds over time. Asking a board member or senior executive to photograph their passport and email it to a law firm is not a professional interaction. It signals that the firm lacks the infrastructure to handle sensitive data securely. In a competitive market for advisory mandates, this matters.

| Current practice | Compliance gap | AMLR requirement (from July 2027) |
| --- | --- | --- |
| Emailed passport photographs | No identity verification, no liveness check, no biometric binding | eIDAS-compliant electronic identification at Substantial or High assurance |
| Scanned ID copies stored in case files | No audit trail, no access control, no retention schedule | System of record with verifiable identity data and ongoing monitoring capability |
| Manual compliance checklists | Point-in-time check with no ongoing monitoring | Continuous CDD with screening integration and identity re-verification |
| Video calls without structured verification | No cryptographic proof, no standardised assurance level | Compliant remote identification meeting EBA RTS requirements |

What ongoing monitoring actually demands

The AMLR does not stop at initial identification. Article 22 requires ongoing customer due diligence throughout the business relationship. This means firms need a system of record for client identity that can be re-verified, screened against sanctions lists, and updated when circumstances change.

An emailed passport copy cannot do this. It is a static artefact that degrades in compliance value from the moment it is received. There is no mechanism to re-verify the identity, no integration point for screening services, and no way to demonstrate to a regulator that the firm has maintained an ongoing, risk-based approach to client monitoring.

What firms need is an identity system that is eIDAS-compliant from the start: one that verifies the person, not just the document, and that maintains a persistent, auditable identity record that screening services can connect to. The identity must belong to the client and be reusable across engagements, so re-verification is a confirmation rather than a restart. We covered how this obligation has evolved in more detail in our earlier analysis of what AML due diligence actually requires from law firms.

What to do before July 2027

The compliance deadline is fixed. Firms that wait until 2027 to address their onboarding process will find themselves rebuilding under pressure. Three steps can be taken now.

First, audit how your firm currently collects and stores client identity data. Map every location where passport copies, ID photographs, and verification records exist. Most firms discover that identity data is distributed across email accounts, local drives, SharePoint folders, and case management systems with no central record and no access control.

Second, establish a documented legal basis under GDPR for every category of identity data your firm processes. If your firm cannot articulate the lawful processing basis for storing a client's passport photograph, that processing should stop.

Third, evaluate identity verification systems that meet eIDAS standards now, before the AMLR compliance deadline forces a rushed procurement. The systems that satisfy the AMLR's requirements are those that verify the person biometrically, issue a reusable credential, and maintain a persistent identity record that screening services can integrate with. Trust Circle's identity verification, backed by ZealiD's status as a Qualified Trust Service Provider on the EU Trusted List, provides exactly this: a regulated identity that is verified once and reused for every subsequent interaction, from onboarding through document signing, with a full audit trail.