
E-Signatures and Anti-Money Laundering: Getting Compliance Right

Electronic signatures intersect with AML and KYC obligations in ways that many firms underestimate. This article explains how to integrate e-signatures into your AML compliance framework without creating regulatory gaps.

Dr. Alison Ward
Regulatory Affairs Director
19 January 2026

The AML–E-Signature Intersection

Anti-money laundering compliance and electronic signatures are not naturally aligned. AML regulation is fundamentally concerned with identity — knowing who your customer is, where their funds come from, and whether their behaviour is consistent with their stated profile. Electronic signatures are fundamentally concerned with intent — evidencing that a person agreed to a specific document at a specific time.

The tension arises because many firms assume that an electronic signature on a customer agreement constitutes evidence of identity verification. It does not. The signature evidences agreement. Identity verification is a separate obligation, and conflating the two creates gaps that regulators will find.

The Money Laundering Regulations 2017

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) establish the UK's AML framework. Regulation 28 requires relevant persons to apply customer due diligence (CDD) measures, which include identifying the customer and verifying their identity on the basis of documents, data, or information obtained from a reliable and independent source.

Ratifio captures IP address, device information, ISO 8601 timestamp, and verbatim consent text at every signing event — data that supports both agreement evidence and AML surveillance when integrated with your compliance systems.


When a customer signs an agreement electronically, the firm must be able to demonstrate that CDD was completed before or at the point of establishing the business relationship — not merely that a document was signed. The electronic signature process can support this by:

Enhanced Due Diligence Scenarios

For higher-risk customers — politically exposed persons (PEPs), customers in high-risk jurisdictions, or complex corporate structures — the MLR 2017 requires enhanced due diligence (EDD). In these scenarios, the standard electronic signature workflow may be insufficient.

Firms should consider whether the signing process for EDD customers requires additional authentication steps. Options include:

  1. Multi-factor authentication — requiring the signer to authenticate via SMS code or authenticator app before accessing the document
  2. Video identification — recording a video call during which the signer confirms their identity before completing the electronic signature
  3. Witnessed signing — having a compliance officer present (physically or via video) during the signing process, with the witness event recorded in the audit trail

The choice of authentication method should be documented in the firm's risk assessment and applied consistently across customer segments.

Ratifio's REST API enables integration with your CDD and transaction monitoring systems, ensuring signing events are cross-referenced against customer risk profiles and flagged for review where appropriate.

Audit Trail Requirements for AML

The MLR 2017 requires firms to retain copies of CDD documentation for five years after the end of the business relationship (Regulation 40). This retention requirement applies to the evidence of identity verification, not to the signed agreement itself (which may have a longer retention requirement under other regulations).

For electronic signatures used in AML-relevant workflows, the audit trail must be sufficiently detailed to demonstrate:

In an AML context, the audit trail is not just evidence of agreement. It is evidence of the customer's engagement with the firm at a specific point in time, from a specific location, using a specific device. This data has value beyond the signing event itself.

Suspicious Activity and the Signing Process

Firms should consider whether the electronic signing process can generate intelligence relevant to suspicious activity reporting. Anomalies in signing behaviour — such as a customer signing from an IP address in a jurisdiction inconsistent with their stated address, or multiple documents signed in rapid succession without reasonable reading time — may warrant further investigation.

The audit trail data captured during electronic signing can supplement the firm's transaction monitoring if it is integrated into the firm's surveillance systems. IP geolocation, device fingerprinting, and behavioural analytics applied to signing events can identify patterns that merit a Suspicious Activity Report (SAR) under the Proceeds of Crime Act 2002.

This is not to suggest that every anomalous signing event is suspicious. But a firm that captures detailed signing data and does not consider its AML relevance is missing an opportunity to strengthen its overall compliance posture.

Practical Integration

For firms integrating electronic signatures into their AML compliance framework, the following approach reduces risk:

  1. Separate identity verification from signing — complete CDD through your existing process before issuing the signing link. Do not rely on the signing event as evidence of identity.
  2. Link signing records to CDD records — ensure your systems can cross-reference the signed agreement with the customer's CDD file, ideally through a unique customer identifier.
  3. Capture detailed audit data — IP address, user agent, timestamp, and consent text at minimum. This data serves both signing evidence and AML surveillance purposes.
  4. Apply enhanced controls for high-risk customers — document the additional authentication or verification steps required for PEPs, high-risk jurisdictions, and complex structures.
  5. Retain records for the longer period — where AML retention (five years post-relationship) and general regulatory retention (seven years) overlap, apply the longer period.
  6. Train compliance staff — ensure your AML team understands what data the signing platform captures and how it can be used for monitoring and investigation.
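
The cross-referencing in steps 1 to 3, combined with the signing anomalies described under "Suspicious Activity and the Signing Process", can be sketched as a review filter over exported signing events. This is an added example, not Ratifio's API or code from the article: the field names, flag names and 30-second threshold are assumptions, and `ip_country` is assumed to be resolved from the captured IP address by an upstream geolocation lookup.

```python
from datetime import datetime, timedelta

# Hypothetical threshold: two signings by one customer closer together than
# this are treated as "rapid succession". Tune to your own documents.
MIN_GAP = timedelta(seconds=30)

def flag_signing_events(events, cdd_records, min_gap=MIN_GAP):
    """Return {event_id: [flags]} for signing events that need review.

    events: dicts with event_id, customer_id, signed_at (ISO 8601) and
            ip_country (resolved from the IP address by an upstream lookup).
    cdd_records: {customer_id: {"completed_at": ISO 8601, "country": code}}.
    """
    flags = {}
    last_signed = {}  # customer_id -> time of that customer's previous signing
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["signed_at"])):
        found = []
        signed_at = datetime.fromisoformat(ev["signed_at"])
        cdd = cdd_records.get(ev["customer_id"])
        if cdd is None:
            found.append("NO_CDD_RECORD")  # signing cannot be linked to a CDD file
        else:
            if datetime.fromisoformat(cdd["completed_at"]) > signed_at:
                found.append("CDD_AFTER_SIGNING")  # CDD was not complete at signing
            if cdd["country"] != ev["ip_country"]:
                found.append("IP_COUNTRY_MISMATCH")  # IP differs from stated address
        prev = last_signed.get(ev["customer_id"])
        if prev is not None and signed_at - prev < min_gap:
            found.append("RAPID_SIGNING")  # too fast for reasonable reading time
        last_signed[ev["customer_id"]] = signed_at
        if found:
            flags[ev["event_id"]] = found
    return flags

# Constructed sample data (not real customers or events).
CDD = {
    "C001": {"completed_at": "2026-01-10T09:00:00+00:00", "country": "GB"},
    "C002": {"completed_at": "2026-01-15T12:00:00+00:00", "country": "GB"},
}
EVENTS = [
    {"event_id": "E1", "customer_id": "C001", "signed_at": "2026-01-12T10:00:00+00:00", "ip_country": "GB"},
    {"event_id": "E2", "customer_id": "C001", "signed_at": "2026-01-12T10:00:08+00:00", "ip_country": "GB"},
    {"event_id": "E3", "customer_id": "C002", "signed_at": "2026-01-14T16:30:00+00:00", "ip_country": "AE"},
    {"event_id": "E4", "customer_id": "C003", "signed_at": "2026-01-14T17:00:00+00:00", "ip_country": "GB"},
]

if __name__ == "__main__":
    for event_id, found in flag_signing_events(EVENTS, CDD).items():
        print(event_id, ", ".join(found))
```

A flag here is a prompt for compliance review, not a conclusion: the output feeds the firm's existing monitoring and SAR decision process.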

Conclusion

Electronic signatures are not an AML tool. They are an agreement tool that, when properly implemented, produces data that supports AML compliance. The key is to recognise the boundaries: the signature evidences intent, not identity. CDD evidences identity, not intent. Both are required, and neither substitutes for the other. Firms that integrate the two processes with clear documentation and detailed audit trails will find that their electronic signing implementation strengthens, rather than weakens, their AML compliance posture.


Dr. Ward spent 12 years at the Financial Conduct Authority before joining Ratifio. She advises regulated firms on digital compliance and writes extensively about the intersection of technology and financial regulation.
