The legal sector is vulnerable to money laundering – and we’re here to help law firms with compliance and training, and make sure you’re fully equipped to ‘stop the baddies’.
The credibility of a law firm makes it an obvious target for money laundering criminals and having weak processes or staff that aren’t properly trained is like leaving your front door open.
So, here are my Top 10 Anti-Money Laundering (AML) Tips:
All firms have to show regard to their supervisor’s risk assessment when preparing their own (Reg 18(2)). Make sure it is mentioned in the steps you’ve taken in preparing the risk assessment. If your assessment of risk differs from theirs, explain why.
2. Client account focus
In your Firm Risk Assessment, don’t forget to include the risk from the client account. It’s referenced in the National Risk Assessment and the Supervisor’s Risk Assessment, so it should be in yours. Often the focus is solely on the work types and firms don’t always identify the more generic operational risks. Detail what you do to protect the client account in the risk mitigation section. Also, don’t forget to include or cross-reference your accounts procedures (for example, the timing of accepting funds, refusing to provide banking facilities, and how you deal with funds from third parties) in your AML policy.
3. Source of funds and source of wealth
Tell people what you want them to do, ask them to record the steps they’ve taken, check that they’ve reviewed the information and, most importantly, remember their assessment of risk, having considered the information they have. I ask lawyers all the time:
“If I were to look at your files tomorrow, would I be able to see you have considered the source of funds and source of wealth?”
4. Client communication
Help your lawyers with what to say to clients about why your firm carries out Customer Due Diligence (CDD), in particular source of funds and wealth enquiries. If I had a pound for every time I heard the concern that
“Clients will think they are being accused/would be insulted if we asked.”
… Actually, clients don’t mind being asked nearly as much as we think they do – everyone asks all the time. But it does help if you give your lawyers some wording to explain the rationale for the checks. Clients understand this and are often appreciative of your efforts.
5. Timing of verification
You know the law: you must complete the ID&V part of CDD before the establishment of a business relationship or before carrying out a transaction. Some firms won’t issue a file number until it’s done. The Solicitors Regulation Authority certainly seem in favour of that approach.
However, many firms open the file first but require CDD to be completed soon thereafter, using the exception in Regulation 30(3). If you are going to do that, make sure you monitor that ID&V is in fact completed ‘as soon as practicable’. Make sure you can track the files and that CDD is obtained.
I see many policies which say the CDD must be obtained in, say, seven or 14 days, or work must stop – but it’s not always clear how that is managed. Is it a system issue – the file locks to prevent any further work – or is it manual, with compliance checking and chasing? Whatever it is, include it in your written procedure and be ready to show an auditor/the regulator the records of the monitoring.
6. CDD on existing clients
Something I hear all the time is:
“We will rely on existing client due diligence unless we become aware of a change in the client’s identity, risk profile or there is a three year gap in instructions”.
That’s because it is in the guidance. However, in theory, for an existing client that instructs once every two years, the CDD would never be refreshed if the lawyer doesn’t ‘become aware’ of a change. When considering a private individual, they are unlikely to change their identity, but a company could, and their beneficial owners could. So, where you don’t act for the beneficial owners, how would you know? I have always preferred to give the CDD a ‘shelf life’ – the longest we will rely on existing CDD is x months/years and then we will refresh. I would also capture the consideration of whether the fee earner thinks anything has changed in the matter risk assessment.
7. ‘Purports to act’
The regulations require that, where a person purports to act on behalf of the customer, you verify the person’s authority to act and ID&V them. Some people have taken that to mean a director, but, if you look at the guidance for the legal sector, it refers to a ‘representative’. Most firms take the view that a director does not ‘purport’ to act, they do act for the company. Usually, I see firms apply Regulation 28(10) when they have an agent or attorney situation. That said, I’m still a fan of ID&V-ing at least one director because I like to know a ‘real’ person is attached to the corporate client.
8. Information for clients
The Money Laundering Regulations 2017 were amended by the Data Protection Act 2018. Make sure you’re giving your clients the required information.
9. Know your searches
Know how your electronic verification searches work. Many firms now have electronic verification of ID as part of their CDD processes. I was an early adopter in 2006 and I’m still a big fan but I say be careful. I find that many people can’t explain to me how they work, what they are checking and how many matches are required to pass.
Is it checking what you think it’s checking?
Sometimes, I see examples of CDD searches passing with the wrong date of birth included! Also, if the contract with the provider was agreed with the previous MLRO and you are the new one, make sure you are fully briefed.
10. Certifying copy ID
Be careful who you ask to certify copy ID. I prefer to rely on someone who is either well briefed or is familiar with the AML legislation, like lawyers or accountants. Also, you (or indeed the police) may want to speak to the certifier in the future so make sure it’s someone who can be traced.
That’s going to be difficult if you rely on post office or bank counter staff. Make sure they’ve signed and dated the certification and their name is printed in a way that you can read it.
I find giving the client an explanation of requirements that they can then hand to the certifier is the most effective way of getting it right.
If there are any burning questions or issues you want to discuss, my team and I are always available. In the first instance, please get in touch with firstname.lastname@example.org.