Compliance has become a black hole for time and money. Almost £40bn – equating to around 1.5% of GDP – is spent annually just on complying with money laundering regulations.
With every incremental change to the rules, whether AML, sanctions screening or customer data protection, law firms are forced to stitch together a patchwork of tools, often manually, to stay compliant. And unlike larger players, SMEs simply can’t absorb the costs of higher headcount or sprawling tech stacks.
The UK’s Data (Use and Access) Act, passed in June this year, presents a different approach and an opportunity for businesses to reduce their exposure to regulatory non-compliance. Service providers can now offer certified solutions that meet regulatory requirements in contexts such as right-work, right-to-rent and criminal records checks, freeing firms from their regulatory liabilities.
A shift in liability
Until this point, every business has had to devise bespoke compliance procedures and convince the regulator of their effectiveness under the regulation. The regulators themselves then had to monitor those firms and investigate when things went wrong.
Under the new model, regulators – in consultation with the industry that they regulate – determine operational and technical standards that are suitable. Third-party solutions can then be certified as compliant and used in place of the internal procedure. Annual audits of the providers ensure solutions remain compliant – saving time and effort for all.
Take the Land Registry for example. Conveyancers who verify client identity using the approved process are no longer personally liable if fraud occurs. Liability transfers to the system itself. For family lawyers, this sets a precedent. Whether it’s adoption checks, right-to-rent cases, or large financial settlements, following the certified route means less time second-guessing compliance and more confidence that liability is shared fairly.
Integrated compliance vs bolt-on compliance
For smaller firms, this route presents an opportunity to treat compliance as part of its tech architecture, unifying identity, fraud, and sanctions checks across providers into a single orchestration layer.
And instead of relying on a passport alone for identity checks, they can verify identity through equivalent combinations, such as a driver’s licence, bank statements, an NHS number or DWP records. This reduces case-by-case friction and broadens access for clients who might otherwise be excluded.
Under the status quo, poorly managed compliance processes mean a single failure anywhere in the stack can trigger crippling personal indemnity insurance premiums, or even the loss of cover altogether. Integration reduces anti-fraud costs by turning compliance into a single, trusted process.
Client experience and inclusion
This new model improves the client experience too. In sensitive cases, such as adoption or divorce, it can be frustrating to deal repeatedly with the same documents over and over again. An integrated approach reduces that pain as clients only need to provide information once.
Furthermore, because an integrated system uses identity equivalence, those without passports or standard UK documents are no longer locked out of legal services. This helps keep the door open to people such as asylum seekers or other new arrivals.
Looking ahead, the next phase of compliance will go beyond the technology of today’s certified providers. We’re already seeing decentralised identity wallets that hold verifiable credentials, encrypted biometrics that can match a face without storing it, and kite-marks that signal independent testing. For lawyers, these models will reduce liability, minimise sensitive-data handling, and give clients greater confidence that their identity is protected.
Three steps to escape the money pit
So how do you make the switch and escape the compliance money pit once and for all?
First, define your policy. Set out what “good enough” checks look like for your practice and your risk profile. That means being clear on where the biggest risks lie and what information you really need to collect. Without that clarity, firms risk either under-checking or overspending.
Second, choose certified routes via orchestration. By relying on government-backed standards and technology that links different checks together, you avoid the cost and complexity of repeatedly reintegrating tools every time the rules shift. Done well, orchestration means plugging in new trust services becomes straightforward, rather than having to undergo a costly manual upgrade, or even rebuild each time.
Finally, measure onboarding. Track how long each check takes, where clients abandon the process, and how insurers respond to your risk management. This data shows you whether your policy is working in practice, and whether you are striking the right balance between thoroughness, efficiency, and client service.
Regulation is, of course, a necessary evil, but the new Data Act reduces the pain factors for businesses and clients alike. Most importantly it levels the playing field for family lawyers that have previously been working at a distinct disadvantage.
David Rennie is chief trust officer at Orchestrating Identity
