Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (otherwise known as the Money Laundering Regulations) requires that regulated firms implement certain controls where it is appropriate to the size and nature of the firm. One of those controls is to establish an independent audit function.
The size and nature test requires some objective thought and firms are directed by the Legal Sector Affinity Group’s Guidance to consider a number of factors including the number of staff and offices your firm has, your client demographic, and the nature and complexity of work you undertake. The Solicitors Regulation Authority’s take on it is that most firms (but not all) will need an independent audit. In its latest AML Report of October 2021, the Regulator found that a high number of firms visited (49 out of 69) failed to implement an independent audit where required. For those firms where an audit had been carried out, some common areas of concern were that the reviews were not sufficiently thorough or lacked an element of testing, they weren’t independent, and firms had not implemented the recommendations in a timely way. Such concerns could lead to firms being referred to the SRA’s Investigations Team.
So if you have considered the size and nature test and determined that you need an independent audit, what should you expect from your review? It is key that your audit:
- Is independent from the people in your firm who are involved in setting and following the policies. The Regulations don’t prescribe that your audit must be carried out by a third party, but consider whether you are of a sufficient size to be able to resource a truly independent audit. Do you have staff with the right knowledge and capacity to carry out the audit? Even larger firms who have an audit function may find they do not have the necessary experience in AML.
- Is adequate in its scope and depth in order to give the firm assurance that the policies, controls and procedures they have in place are working. It should include a review of the existing documentation including firm and matter risk assessments and training plans, and a detailed review of how those processes have been implemented through file reviews and interviews with staff members to test understanding. The frequency of the audit should also be considered. Many firms decide to carry out an annual audit based on the size and nature test, but you may also consider focusing more frequent audits on higher risk areas as identified in your firm-wide risk assessment.
- Effectively identifies where processes are working well and roots out any problems with the process or where the process is not being followed. This means having the right person with the right expertise to carry out the audit so they know what they are looking for. It means carrying out an adequate number of interviews and file reviews across all locations and matter types so the Auditor can get a good feel for the firm and the types of issues that are occurring. Staff members from your fee earning teams, finance and any centralised onboarding teams should expect to be interviewed, along with the firm’s MLRO/MLCO.
- Provides feedback on where the firm’s current policies and procedures are not meeting the requirements of the Regulations and makes recommendations for improvement. A written report will provide you with the evidence that an independent audit has been carried out should the Regulator ever ask you for that information. The report should clearly set out the actions that should be taken to rectify any non-compliance. Recommendations should be implemented in a timely way and you should keep a record of the actions taken to meet the recommendations.
- Is part of an ongoing monitoring process to help you continually evaluate and improve compliance with the Regulations. Keep records of independent audits carried out for future reference and to evidence a robust auditing regime.
There is no doubt that an independent audit requires some forward planning and investment in resources, whether that be internal resource or if you plan to engage an independent firm to carry out the audit on your behalf. It’s not a tick box exercise. Senior level commitment to the importance of implementing good anti-money laundering controls is therefore crucial and sets the tone for the firm and for the staff whose files may be reviewed or who may be interviewed as part of the audit process. But the reward for your investment is obtaining a real learning opportunity to understand what your firm is doing right and where it can make improvements and effectively manage money laundering risks.