In the first half of 2025, the Abu Dhabi Global Market's Financial Services Regulatory Authority issued enforcement notices against 29 institutions for deficiencies in anti-money laundering (AML) controls — a significant proportion of them designated non-financial businesses and professions (DNFBPs). Simultaneously, Australia's parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act, extending AML obligations to lawyers, accountants, and real estate professionals under what AUSTRAC calls Tranche 2, with phase-in dates beginning July 2026. The message from regulators worldwide is the same: professional services firms are no longer a low-enforcement backwater.
What is a DNFBP, and why now?
FATF Recommendation 22 defines DNFBPs as the non-bank sector entities that handle client funds, structure transactions, or control legal arrangements on behalf of third parties. The covered professions include lawyers and notaries, accountants and auditors, real estate agents and developers, dealers in precious metals and stones, and trust and company service providers (TCSPs). For two decades these sectors sat at the margins of AML enforcement while banks absorbed the bulk of regulatory attention and fines.
That balance is shifting under sustained pressure from three directions: FATF's fourth-round mutual evaluations have penalised jurisdictions that maintain weak DNFBP oversight; the EU's Sixth Anti-Money Laundering Directive (AMLD6) has harmonised criminal liability standards and extended predicate offences; and national regulators from Singapore's MAS to the UK's Solicitors Regulation Authority (SRA) have published sector-specific AML supervisory priorities that name professional services explicitly. The common thread is that law firms, accounting practices, and TCSPs routinely sit at the point where illicit funds first acquire a veneer of legitimacy — and regulators have concluded that voluntary compliance is insufficient.
The 2026 enforcement wave
The Abu Dhabi fines are instructive not just for their number but for their pattern. Enforcement notices cited failures at intake — inadequate client due diligence (CDD) at the point of engagement — rather than monitoring failures downstream. Firms had onboarded clients without completing beneficial ownership (UBO) checks, accepted source-of-funds declarations without documentary support, and failed to apply enhanced due diligence (EDD) to politically exposed persons (PEPs). Australia's Tranche 2 legislation, effective July 2026 for real estate and the legal and accounting professions, imports these same obligations: risk-based CDD, UBO identification, suspicious activity reporting (SAR), and record-keeping for a minimum of seven years.
In the UK, the SRA's 2025–2026 AML supervisory programme targeted law firms with international client bases and complex transaction structures, with inspection findings published quarterly. EU member states implementing AMLD6 are simultaneously widening the definition of predicate offences — tax crimes and environmental offences now trigger AML reporting obligations — and increasing maximum criminal penalties for compliance officers who sign off on deficient programmes. For professional services firms operating across multiple jurisdictions, the cumulative compliance burden is no longer theoretical.
"We used to run a conflicts check and consider CDD done. Now a regulator can walk in and ask for documented source-of-funds analysis on every client we onboarded in the last three years. The spreadsheets we relied on are simply not defensible." — Managing Partner, international law firm, interviewed by WIDTH
What firms must get right
1, client risk-rating at intake
A risk-based approach requires a documented risk score at the point of engagement — not a blanket policy applied after onboarding. High-risk indicators for professional services clients include PEP status, UBO structures involving jurisdictions on FATF's grey list, matters involving real property or shell company formation, and instructions received through intermediaries. The risk rating should drive the depth of CDD required before the engagement letter is signed.
2, source-of-funds documentation
Regulators distinguish between a client's declared source of funds and verified source of funds. A declaration signed at intake is not verification. Verification requires documentary evidence — bank statements, sale proceeds confirmations, inheritance records, corporate financial statements — that corresponds to the quantum of funds being introduced into the transaction. For real estate matters and corporate restructurings above defined thresholds, EDD is mandatory, not discretionary.
3, ongoing monitoring beyond annual reviews
FATF Recommendation 22 and the implementing legislation in most FATF member jurisdictions require that CDD be kept current, not merely collected at intake. For long-standing client relationships, firms must define triggers for refresh — change of UBO structure, new matter type outside the original risk profile, change of jurisdiction — and demonstrate that those triggers are monitored systematically. Annual review cycles alone are insufficient where client circumstances are volatile.
The audit trail problem
Most professional services firms still manage AML compliance through a combination of intake forms, email correspondence, and shared drives. When a regulator requests a file — or when an internal audit commences — reassembling the evidence trail for a single client relationship can take days. The intake form may record a risk rating with no link to the underlying risk factors that produced it. The source-of-funds documents may sit in a matter management system with no connection to the CDD record. The rationale for not filing a SAR may exist only in a partner's email.
This fragmentation is not a minor operational inconvenience. In enforcement proceedings, regulators assess not just whether CDD was completed but whether the firm can demonstrate a contemporaneous, reasoned compliance decision. A spreadsheet with a risk score and no supporting rationale does not meet that standard. Neither does a PDF attached to a matter file with no audit log showing when it was reviewed, by whom, and what action followed.
What this means for professional services firms
- Intake is the highest-risk moment. The majority of enforcement actions against DNFBPs cite deficiencies that existed at onboarding, not in ongoing monitoring. Firms must treat the engagement letter stage as a compliance gate, not an administrative formality.
- Documentation must be contemporaneous and linked. Risk ratings, source-of-funds analysis, and SAR decisions need to be recorded at the time of the decision, tied to the underlying evidence, and retrievable as a unified audit trail — not reconstructed after a regulator requests a file.
- Cross-border matters require jurisdiction-specific logic. A client whose UBO resides in a FATF grey-list jurisdiction triggers EDD requirements that differ from domestic clients; a matter touching UAE real estate carries different regulatory expectations than one in Singapore. Compliance programmes that apply a single policy globally are unlikely to satisfy regulators in either jurisdiction.
WIDTH's professional services module is built for firms that need structured, auditable AML compliance without the operational overhead of enterprise financial-institution tooling. Client risk-rating, UBO capture, source-of-funds documentation, and SAR workflow are managed in a single environment — with every decision logged, time-stamped, and linked to the evidence that supports it. For law firms, accounting practices, and TCSPs facing their first regulatory inspection under Tranche 2 or AMLD6, that audit trail is not optional. Learn how WIDTH supports professional services compliance.