In 2026, one of the most serious anti-money laundering risks facing law firms is the rise of synthetic identity fraud. These are not stolen identities, but entirely fabricated ones, built using a mix of real data such as National Insurance numbers and fake details including names, addresses and AI-generated images.
The result is a client who can pass standard onboarding checks but does not actually exist.
This creates a clear AML risk. Once accepted by a firm, a synthetic client can be used to move illicit funds through client accounts, facilitate mortgage fraud or act within corporate structures to obscure beneficial ownership. Law firms, particularly those heavy in conveyancing, are increasingly being used to provide legitimacy to these activities.
Several factors have intensified this threat. Generative AI can now produce highly convincing identity documents. The shift towards remote onboarding following Covid has reduced opportunities for in-person verification, and remote onboarding often lacks robust checks to confirm a real individual is present. At the same time, large-scale data breaches have provided the raw material needed to construct increasingly credible synthetic identities.
Traditional document-based verification is no longer sufficient. Firms need to strengthen their controls by incorporating biometric checks, using NFC technology to verify identity documents and applying a risk-based approach that looks beyond whether the data matches.
Regulatory expectations are also tightening. While the SRA supervises law firms, the FCA’s approach to financial crime provides a clear benchmark. The FCA expects firms to take a proactive, risk-based approach to customer due diligence, use reliable and independent sources of verification and adapt controls in response to emerging threats such as digital identity fraud. Firms are also expected to demonstrate ongoing monitoring via client matter risk assessments, not just one-off checks at onboarding.
In practice, this means law firms should be able to evidence that their systems are capable of detecting sophisticated fraud, not just basic inconsistencies. A failure to identify a synthetic client may be viewed as a weakness in controls rather than an unavoidable oversight.
In this environment, the key AML question is no longer just whether the documents are genuine, but whether the client is real.