AML/CTF compliance for law firms: real obligations and how to manage them
Law firms providing corporate, real estate, or M&A services are obliged entities under Spain's AML law. A practical look at the four obligations most commonly breached.
Anti-money laundering (AML) and counter-terrorism financing (CTF) stopped being an exclusively banking concern years ago. Since the transposition of the Fourth and Fifth AML Directives, law firms and legal advisers providing certain services are obliged entities, subject to the same due diligence, risk assessment, and reporting requirements as any financial institution. The difference is that law firms have far fewer resources, staff, and infrastructure to meet these obligations.
# Which legal services trigger AML obligations
Not all legal services are affected. The obligation is triggered when the firm participates in:
- Real estate transactions: purchase and sale, mortgage creation, transfer of real rights.
- Management of client funds, securities, or other assets.
- Opening or managing bank accounts, savings accounts, or financial instruments.
- Creation, operation, or management of companies or legal structures.
- Disposal or acquisition of businesses.
Pure legal advice outside these areas — contentious litigation, employment consultation — does not trigger the obligation. But any firm with even a basic corporate, real estate, or M&A practice falls squarely within the scope of Spanish AML legislation (Ley 10/2010).
# The four obligations most commonly breached
In AML supervisory inspections of law firms, four obligations account for most findings:
## 1. Identification and verification of the ultimate beneficial owner
Client identification does not stop at obtaining an ID or company registration number. For legal entities, you must identify the ultimate beneficial owner (UBO): the natural person who ultimately owns or controls the entity (25% threshold of capital or voting rights, or control through other means). This means accessing the UBO register and documenting the result.
The most common mistake: identifying the legal representative and closing the file. Identifying only the legal entity that is the client is not sufficient; you must trace ownership and control back to the natural person behind it.
## 2. Risk assessment by client and transaction
Due diligence is not an onboarding formality: it must be calibrated to the actual risk profile of the client. High-risk categories include politically exposed persons (PEPs), clients from countries flagged by the FATF, and transactions involving opaque legal structures.
A client who has been with the firm for years is not automatically low risk: their profile may have changed, and the client file must be reviewed periodically.
## 3. AML policy manual that is current and operational
AML legislation requires an approved and up-to-date prevention manual. Yet many firms have outdated documents that do not reflect actual practice, or that nobody consults because they are in a shared folder only the compliance officer knows about.
The manual alone is insufficient: there must be an internal suspicious activity reporting channel, along with evidence that it is applied.
## 4. Regular staff training
All staff involved in services subject to AML obligations must receive regular training. Evidence of this training (attendees, date, content) must be kept to demonstrate compliance during an inspection.
# How digitalising the firm supports AML compliance
The link between technology and regulatory compliance in law firms is not always obvious, but it is direct:
- A structured digital file (not desktop folders) ensures that due diligence documentation is always locatable and exportable.
- An operations log linked to each file allows the history of a client relationship to be reconstructed without relying on the responsible attorney's memory.
- Alert systems configured in the firm's CRM can automatically detect when a client's risk profile changes (new PEP identified, origin country added to a risk list).
- Deadline management reduces the risk of a periodic client review being forgotten in a high-workload practice.
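The checks described in the obligations above (UBO tracing at the 25% threshold, PEP and high-risk-country flags, overdue periodic review) and the alerting described in this list can be expressed as a small re-evaluation routine. The following is an added example written for this article; it is not Nexum's code or data model. It assumes a simplified client record (country code, PEP flag, an ownership tree, date of last review), a placeholder list of high-risk country codes that stands in for the FATF list, and a one-year review cadence as firm policy; "control through other means" is not modelled, only capital share.

```python
"""Constructed example: re-assess a client's AML risk profile and raise alerts on change."""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from fractions import Fraction

UBO_THRESHOLD = Fraction(25, 100)        # 25% of capital or voting rights
REVIEW_INTERVAL = timedelta(days=365)    # assumed periodic review cadence (firm policy)
HIGH_RISK_COUNTRIES = {"XX", "YY"}       # placeholder codes, NOT the actual FATF list


@dataclass
class Owner:
    name: str
    natural_person: bool
    share: Fraction                              # fraction of the entity directly below
    owners: list = field(default_factory=list)   # sub-owners when this is a legal entity


@dataclass
class Client:
    name: str
    country: str
    pep: bool
    owners: list
    last_review: date


def trace_ubos(owners, stake=Fraction(1)):
    """Walk the ownership chain and aggregate each natural person's effective share."""
    shares = {}
    for owner in owners:
        effective = stake * owner.share
        if owner.natural_person:
            shares[owner.name] = shares.get(owner.name, Fraction(0)) + effective
        else:
            # Intermediate legal entity: recurse with the stake we hold in it.
            for name, sub in trace_ubos(owner.owners, effective).items():
                shares[name] = shares.get(name, Fraction(0)) + sub
    return shares


def ubos(client):
    """Natural persons whose aggregated effective share reaches the 25% threshold."""
    return {n: s for n, s in trace_ubos(client.owners).items() if s >= UBO_THRESHOLD}


def risk_flags(client, today):
    """Flags that should drive enhanced due diligence or a file review."""
    flags = set()
    if client.pep:
        flags.add("pep")
    if client.country in HIGH_RISK_COUNTRIES:
        flags.add("high_risk_country")
    if not ubos(client):
        flags.add("no_ubo_identified")          # ownership too dispersed, or file incomplete
    if today - client.last_review > REVIEW_INTERVAL:
        flags.add("review_overdue")
    return frozenset(flags)


def new_alerts(previous, current):
    """Flags present now that were absent in the last stored assessment."""
    return sorted(current - previous)


# Constructed sample data (names and shares invented for the example).
SAMPLE_CLIENT = Client(
    name="Ejemplo SL", country="ES", pep=False,
    owners=[
        Owner("Holding Alfa SL", False, Fraction(60, 100), owners=[
            Owner("Alice", True, Fraction(1, 2)),   # 50% of 60% = 30% effective
            Owner("Bob", True, Fraction(1, 2)),     # 30% effective
        ]),
        Owner("Carol", True, Fraction(40, 100)),    # 40% held directly
    ],
    last_review=date(2023, 1, 15),
)
SAMPLE_CLIENT_AFTER_PEP = replace(SAMPLE_CLIENT, pep=True)   # a UBO later identified as PEP
SAMPLE_DISPERSED = replace(
    SAMPLE_CLIENT, name="Disperso SL",
    owners=[Owner(f"Person{i}", True, Fraction(20, 100)) for i in range(5)],  # nobody >= 25%
)


def demo():
    """Re-run the assessment and show what a CRM alert would surface."""
    stored = risk_flags(SAMPLE_CLIENT, date(2023, 6, 1))          # assessment kept on file
    current = risk_flags(SAMPLE_CLIENT_AFTER_PEP, date(2024, 6, 1))
    return {"ubos": ubos(SAMPLE_CLIENT), "alerts": new_alerts(stored, current)}


if __name__ == "__main__":
    print(demo())
```

Storing the result of `risk_flags` with the client file and diffing it on every change to the record is what turns a static due-diligence document into the alert stream described above; the review-overdue flag is the same check a deadline manager would run on a schedule.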
Nexum is designed for firms that want AML compliance to be a process integrated into daily operations — not a one-off exercise that generates anxiety whenever an inspection approaches.
# The cost of non-compliance
Penalties for serious AML infringements can reach the greater of: twice the profit obtained, 10% of annual turnover, or €10 million. For minor or less serious infringements, fines range from €60,000 to €1 million. But the most immediate cost is not the fine: it is a remediation notice with tight deadlines that can paralyse the firm's operations for weeks.
Starting to structure compliance before an inspection arrives is not paranoia — it is basic risk management.