Why Sending Client Documents Over Email Is an AML Compliance Problem
Email is not a secure channel for client document exchange, and law firms relying on it for customer due diligence are building a compliance gap that will not survive regulatory scrutiny. If you are a managing partner, COO, or compliance lead at a UK or European law firm, this article explains why your current document collection process likely fails the record-keeping requirements of the Money Laundering Regulations 2017 and what an adequate alternative looks like.
Why do professional services firms still treat email as secure?
Because it works, and because nobody has told them otherwise in terms they care about. In conversations with UK and Nordic law firms, the most consistent pattern is not that firms have assessed the risk and accepted it. It is that they have never assessed it at all. Email is the default because it has always been the default. And when something has always been the default, it is easier not to ask questions.
The assumption runs roughly like this: our email is encrypted, our provider is reputable, and we have never had a breach reported to us. Therefore email is compliant.
Every part of that assumption is wrong from a regulatory standpoint. TLS encryption protects the connection in transit but not the data at rest on either end. "No reported breach" is not evidence of no breach. According to the SRA's Risk Outlook report on cybercrime, 83% of all cybercrime incidents reported by law firms involved email. And "reputable provider" says nothing about where client identity documents are stored, who can access them, or whether access can be revoked after the fact.
What does Regulation 40 actually require?
Regulation 40 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires firms to keep adequate records of the measures taken for customer due diligence and to make those records available on request to their supervisory authority.
In practice, this means a firm must be able to demonstrate a clear, verifiable trail for how client identity documents were collected, who handled them, how they were stored, and whether access was appropriately controlled throughout.
Email fails every one of those tests. When a client sends a passport scan over email, there is no verified chain proving it was not intercepted, forwarded, or stored in an uncontrolled location. There is no access log. There is no proof the sender is who they claim to be. There is a PDF in an inbox and a compliance gap that grows every time someone hits forward.
What does an SRA audit actually look for?
The SRA does not ask whether you have been breached. It asks whether you can show your controls. An SRA inspection expects to see that a firm has systems producing verifiable, time-stamped records of CDD collection and storage, not a folder of email attachments with no chain of custody.
In 2023/24, the SRA issued 44 fines totalling £556,832 for AML non-compliance and brought enforcement action against 78 firms and individuals. Only 22% of firms inspected were fully compliant with AML requirements. The common failures were not exotic. They were basic: no firm-wide risk assessment, no adequate policies and procedures, no demonstrable record of due diligence measures.
Email-based document collection contributes directly to these failures because it produces no auditable record by design.
How email creates attack vectors firms do not see
The compliance risk is compounded by a security risk that most firms underestimate. Email is the single largest attack surface for law firms. Successful cyber attacks against UK law firms rose by 77% in 2023/24, from 538 to 954 reported incidents.
| Risk | How email enables it | What regulation requires instead |
| --- | --- | --- |
| Interception of client identity documents | Documents transit unencrypted mail servers, often outside the EU | Controlled channel with end-to-end encryption and EU data residency per GDPR Article 32 |
| Uncontrolled forwarding | No access control after delivery; documents can be forwarded, downloaded, or printed without record | Access-controlled environment with revocable permissions and audit trail |
| Identity spoofing | Email address is not verified identity; sender can be impersonated | Verified identity of the person sharing documents, not assumed from an email address |
| No audit trail | No log of who accessed what, when, or from where | Time-stamped, verifiable record of every document interaction per Regulation 40 MLR 2017 |
| Indefinite data retention in inboxes | Client documents persist in uncontrolled mailboxes long after engagement ends | Controlled storage with retention policies and secure deletion |
In April 2025, the ICO fined a UK law firm £60,000 after hackers gained access through an administrator account without multi-factor authentication, exfiltrating 32 gigabytes of sensitive legal case files that later appeared on the dark web. The firm only discovered the breach when the National Crime Agency contacted them. This is not an isolated case. It is the pattern: firms do not know their documents have been compromised because the channel they use to exchange them has no visibility into access.
What do most client portals get wrong?
The instinct to solve this with a "secure portal" is correct. The execution usually is not. Most portal solutions require clients to authenticate through SSO, Google Authenticator, or similar mechanisms that create friction. The client does not have the app. The client does not understand the setup. The client abandons the process and sends the document by email anyway.
This is the pattern we see consistently: firms invest in a secure tool, clients find it too difficult, and the firm quietly reverts to email because the client relationship matters more than the compliance policy. The problem is not that firms do not care about security. It is that security tools designed for internal IT teams do not work for external client relationships where the firm cannot mandate the technology stack.
Any solution that requires a client to install software, configure an authenticator, or navigate an enterprise SSO flow will fail at the point of adoption. What works is a verified identity approach: the client proves who they are once, through a regulated identity verification process, and then accesses the shared workspace through biometric authentication on their own device. No authenticator apps, no passwords to forget, no IT department involvement.
What happens if you get this wrong
The consequences are not theoretical. They operate on multiple levels.
A regulatory inspection that finds email-based CDD collection will flag it as an inadequate control. If the firm cannot produce a verifiable record of document collection and handling, that is a Regulation 40 failure regardless of whether any data was actually compromised.
A data breach involving client identity documents collected over email triggers GDPR Article 32 liability for failing to implement appropriate security measures during transmission and storage. The ICO can impose fines of up to 4% of annual worldwide turnover or £17.5 million, whichever is higher.
And there is the cost that never appears in a fine: the six weeks of partner time spent reconstructing a document trail that should have existed by default, the client notifications, the reputational damage that a professional services firm built on trust cannot easily recover from.
What to do next
Map your current document collection process for one active client matter. Trace the path from client to file. Ask three questions: Can I show a regulator exactly who sent this document and when? Can I prove it was not accessed by anyone unauthorised? Can I revoke access to it today?
If the answer to any of those involves opening Outlook and searching for an attachment, the process does not meet the standard.
Trust Circle was built to close exactly this gap. It is an identity-anchored workspace where client identity is verified through ZealiD's regulated identity verification (ZealiD holds Qualified Trust Service Provider status on the EU Trusted List), every document exchange creates a verifiable audit trail, and access is controlled through biometric authentication rather than passwords or authenticator apps that clients abandon.
References
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulation 40. UK Government. https://www.legislation.gov.uk/uksi/2017/692/regulation/40
Regulation (EU) 2016/679 (General Data Protection Regulation), Article 32. European Union, 2016. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Solicitors Regulation Authority. "Risk Outlook report: information security and cybercrime in a new normal." 2022.
Solicitors Regulation Authority. "Anti-money laundering: compliance with the regulations and preventing money laundering." Updated 2026. https://www.sra.org.uk/solicitors/resources/money-laundering/