What happens when the ID photo isn’t real?

Abstract
The Solicitors Regulation Authority (SRA) has issued stark warnings to legal professionals regarding the escalating threat of deepfake identity fraud, particularly in the context of anti-money laundering (AML) compliance. As client onboarding increasingly moves online, traditional identity verification methods are proving vulnerable to sophisticated AI-generated impersonations. This article explores the regulatory landscape under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the SRA's expectations for firms to bolster their client due diligence (CDD) processes. It highlights the critical need for enhanced vigilance, technological adoption, and robust internal controls to mitigate the significant financial, reputational, and regulatory risks posed by deepfake technology.
Introduction
The legal sector in Great Britain faces an unprecedented challenge to its anti-money laundering (AML) defences with the rise of deepfake technology. What once seemed like a futuristic threat is now a present danger, as artificial intelligence (AI) enables the creation of highly convincing fake images, audio, and video that can impersonate real individuals. The Solicitors Regulation Authority (SRA) has explicitly highlighted this looming spectre of deepfake identity fraud in its recent AML reports and sectoral risk assessments, signalling a critical need for practitioners to re-evaluate their client identification and verification (ID&V) protocols.
This development is particularly pertinent given the increasing reliance on remote client onboarding, where the inherent advantage of in-person verification is diminished. Firms are now tasked with navigating a landscape where a seemingly authentic ID photo or a convincing video call could be entirely fabricated, leading to significant exposure to money laundering and fraud. This article will delve into the statutory obligations under the UK's AML regime, analyse the specific vulnerabilities introduced by deepfakes, and outline the SRA's expectations and practical steps legal professionals must take to fortify their defences against this sophisticated form of fraud.
Background
The bedrock of AML compliance for legal professionals in the UK is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). These Regulations impose stringent obligations on regulated entities, including law firms, to prevent their services from being exploited for illicit financial activities. Key requirements include conducting firm-wide risk assessments, implementing robust internal controls, providing ongoing staff training, and, crucially, performing customer due diligence (CDD) on clients.
CDD mandates the identification of clients and verification of their identity based on reliable, independent sources. This traditionally involves obtaining photographic identification and proof of address. Where higher risks are identified, firms must apply enhanced due diligence (EDD) measures, which entail scrutinising the background and purpose of transactions and increasing the degree and nature of monitoring. The SRA, as the supervisory authority for solicitors, regularly issues guidance and warning notices to ensure compliance, with a consistent focus on the effectiveness of firms' systems and controls. The challenge now is that the very foundation of identity verification – the visual authenticity of a document or a person – is being undermined by readily accessible deepfake technology.
Analysis
The advent of deepfake technology fundamentally challenges the efficacy of traditional ID&V processes. Deepfakes, which are AI-generated or manipulated images, audio, or video, can convincingly impersonate real individuals, making it increasingly difficult for human eyes or basic electronic checks to distinguish between authentic and fake content. The SRA's updated sectoral risk assessment explicitly warns that reliance on video calls for client identification significantly increases the risk of impersonation attacks through deepfakes.
This vulnerability is particularly acute in remote onboarding scenarios. A convincing fake passport image or a synthetic face matching a stolen document can be produced rapidly and cheaply. Even basic 'liveness' detection prompts, designed to confirm a person's physical presence, are increasingly susceptible to spoofing by sophisticated video tools. If both the uploaded identity document and the live video feed are fabricated, a firm could unwittingly onboard a non-existent client, creating a clean audit trail for a fraudulent entity. The SRA has identified the legal profession as a high-risk sector for money laundering, making such failures a serious exposure.
Beyond identity verification, deepfakes pose risks in other areas, such as vendor fraud, particularly in property transactions. Fraudsters can impersonate genuine property owners to sell properties without consent, using law firms to facilitate both the fraud and the laundering of proceeds. The Fraud Act 2006 is the primary legislation for prosecuting such financial crimes, defining fraud as dishonestly making a false representation with the intent to make a gain or cause a loss. The creation of a deepfake with fraudulent intent would clearly fall within the scope of this Act. Furthermore, firms that fail to detect and prevent deepfake-enabled fraud could face severe SRA disciplinary action, including substantial fines and reputational damage, for breaches of the MLR 2017 and professional conduct rules.
To counter this evolving threat, the SRA advises firms to assess whether their electronic due diligence systems adequately protect against deepfakes and to explore software solutions for detection. More robust technological solutions involve moving beyond simple image comparison to reading data encoded within identity documents, such as NFC chips in passports, which contain verified details and biometric data. Pairing this with advanced biometric liveness checks significantly reduces the risk, as fraudsters cannot easily reproduce valid NFC chip data. The standard of care expected from solicitors is evolving, with an implicit expectation that firms will leverage available AI programmes to enhance due diligence where they are better, quicker, and cheaper.
Conclusion
The proliferation of deepfake technology represents a significant and immediate threat to the integrity of client identification and AML compliance within the legal sector. Firms can no longer rely solely on traditional visual checks or basic digital verification methods, as these are increasingly vulnerable to sophisticated AI-driven impersonations. The SRA's warnings underscore the urgency for legal professionals to adapt their practices and invest in advanced solutions.
Practitioners must conduct thorough risk assessments that specifically account for deepfake threats, particularly in remote onboarding and high-risk transactions like conveyancing. This necessitates a proactive approach to adopting robust technological solutions, such as those capable of reading embedded data in identity documents and performing advanced biometric liveness detection. Crucially, ongoing staff training is paramount to ensure that all personnel are aware of deepfake risks and equipped to identify red flags. Failure to evolve will not only expose firms to significant financial losses and reputational damage but also to severe regulatory penalties from the SRA. Staying abreast of technological advancements and regulatory guidance is no longer optional but a fundamental requirement for maintaining compliance and safeguarding the profession.
Citations
- 1.Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692)
- 2.Fraud Act 2006
- 3.Solicitors Regulation Authority Warning Notice: Money laundering and terrorist financing (June 2026)
- 4.Solicitors Regulation Authority Warning Notice: Compliance with the money laundering regulations – firm risk assessment (June 2026)
- 5.Solicitors Regulation Authority Blog: Be aware of clients using AI to bypass identity checks (April 22, 2026)
- 6.Legal Futures: SRA warns solicitors over 'deepfake' clients and vendor fraud (March 12, 2024)
- 7.Legal Futures: What happens when the ID photo isn’t real? (July 03, 2026)
- 8.Legal Cheek: Beware of 'deepfake' clients, regulator warns lawyers (March 13, 2024)
- 9.Lockton: Deepfake and the risk of vendor fraud: challenges and solutions for solicitors (April 07, 2024)
- 10.Facia.ai: Analyzing Solicitors Regulation Authority (SRA)'s Update | Highlighting Deepfake Threat to Law Practitioners (March 08, 2024)
- 11.The Law Society: Quick guide to the Money Laundering Regulations 2017
- 12.The Law Society: Why running identity checks does not make you AML compliant (June 20, 2024)
- 13.MSR Solicitors: Deepfakes & The Law: A Challenge in the Age of Synthetic Media (April 28, 2025)
- 14.Kingsley Napley: Deepfake FAQs
- 15.Police.uk: Deepfakes
- 16.Legal Compliance Services: SRA updates warning notice on suspicious activity reports (November 28, 2025)
- 17.Aventine Lab: Everything You Need To Know About SRA's AML Report 2025 (October 30, 2025)
- 18.Plenitude Consulting: SRA Warns of AI Used to Bypass Identity Checks (May 01, 2026)
- 19.The Law Society: A deep dive into deepfakes (August 23, 2024)
- 20.Chronicle Law: Deepfakes and the Legal Sector (April 09, 2026)
- 21.International Journal of Law: Deepfake Technology and It's criminal misuse (April 22, 2026)
- 22.Shufti Pro: Are Deepfakes Illegal? Laws, Ethics & Regulatory Landscape (February 17, 2026)
