Blog

The Solicitors Regulation Authority (SRA) has long desired more robust punitive capabilities against traditional law firms. They have historically possessed the ability to impose significant fines on Alternative Business Structure (ABS) firms and can forward cases to the Solicitors Disciplinary Tribunal (SDT) for an agreed decision’s endorsement. Recently, however, their powers were indeed broadened, enabling them to impose a fine of up to £25,000 without SDT referral and approval.

A recent noteworthy fine was imposed on an Oxfordshire-based two-partner firm, Ferguson Bricknell, for Anti Money Laundering (AML) breaches. The firm was penalized £20,000 for violations of the Money Laundering Regulations and the SRA’s Standards and Regulations. Although £20,000 might appear insignificant to some, for a small firm, it’s a considerable sum! If you consider a £200 hourly rate at 20% profitability, a lawyer would need to work for more than 14 weeks to generate the profit to cover it. This is because fines are paid from profit; there’s no special budget set aside for them!

The full decision is a worthwhile read, providing insights into the firm’s declaration to the SRA of a compliant Practice Wide Risk Assessment. The SRA periodically requests firms to confirm their compliance with certain regulations and verifies this by checking a sample of firms. In this instance, the SRA disagreed with the firm’s assessment of compliance and investigated further into its AML conformity.

The case provides valuable insights into the SRA’s approach and offers seven key takeaways:

When the SRA communicates with a firm, ensure a response is made. If your Compliance Officer for Legal Practice (COLP) is the recipient, ensure they’re checking their spam emails as the SRA’s emails often land there.

If you claim compliance, be certain that you are indeed compliant. There is an abundance of guidance, including free templates for Practice Wide Risk Assessments. Never claim compliance if it’s not the case.

Keep up with reviews. Set reminders and take action. To show that you’ve reviewed a document, log the date and reviewer’s name (and approval if needed) within a version control table in the document.

Consider establishing an independent audit function. Although not mandatory for all firms, it’s crucial for those of significant size and nature. The audit doesn’t have to be external, but in smaller firms, it must be conducted by someone independent of the people who oversee the policies, controls, and procedures.

Regularly train your staff. The latest Legal Sector Affinity Group Guidance emphasizes annual refresher training. Additionally, the Money Laundering Reporting Officer (MLRO) and the Money Laundering Compliance Officer (MLCO) should receive specialist training for their roles.

Conduct a matter risk assessment, as required by the 2017 Money Laundering Regulations. The SRA expects to see an assessment on every file falling within the regulations’ scope, with enough information to judge the risk assessment’s accuracy.

Perform source of funds and wealth checks when necessary. Make sure it’s complete before accepting or moving any transactional money through the client account.

The case underscores the SRA’s commitment to enforcing AML Compliance. They will act against non-compliant firms, even if there are no actual money laundering allegations. Firms are expected to take their responsibilities seriously, with disciplinary actions waiting for those who don’t.

I love an AML Audit. I really enjoy reviewing Firm’s policies and procedures and seeing the different approaches Firm’s take in respect of AML. Best of all is seeing how the culture surrounding Compliance is changing.

So, what is an AML audit and what should an AML audit involve?

The AML audit process is a way to strengthen or improve a firm’s AML programme. It is a way of assessing whether Firm’s AML policies, controls and procedures are up to date, comply with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) and are functioning in practice as intended.

The purpose of the Audit is to:

• examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the Firm to ensure compliance with the requirements of the Money Laundering Regulations;
• make recommendations in relation to those policies, controls and procedures; and
• monitor compliance with those recommendations.

Why Conduct an AML Audit?

Mandatory Audit

Regulation 21 of the MLR requires a relevant person, where appropriate to the size and nature of the business, to establish an independent audit function. This does not necessarily need to be an external audit, however, it will need to be conducted by someone in the firm who is independent of the Risk/Compliance/Anti Money Laundering (AML) function, but equally has enough AML knowledge to be able to conduct the audit. It is important to note that any findings in an Audit Report carried out under regulation 21 are disclosable to the Regulator.

Non-Mandatory Audit (Internal Audit)

A Firm may choose to conduct an internal Money Laundering Audit as routine procedure, being a way of checking whether the Firm’s policies, controls and procedures are up to date and comply with the MLR. The Audit report in these circumstances would remain for internal purposes only and confidential to the firm.

What is the Process for Conducting an AML Audit?

The audit is a four-stage process:

1. Policy Review – A Review of the Firm’s policies and procedures against the requirements of the legislation will need to be conducted.
2. Test – The Firm should then test the knowledge, understanding and application of those processes.
3. Audit Report – This contains the findings of the audit, as well as recommendations for changes.
4. Review – Following the Audit, there should be a review following an implementation period to establish compliance with the recommendations. Any recommendations must be implemented.

1. Review of Policies and Procedures

A review of all the Firm’s AML policies and procedures, Firm Risk Assessment and the Firm’s matter-based Risk Assessment is conducted by the Auditor.

When carrying out the review the Auditor will assess whether the Firm’s AML policies and procedures meet the requirements of the MLR.

The Auditor will use a list/table of each specific regulation and check this against the Firm’s AML policies and procedures to confirm whether or not the Firm has met that requirement.

2. Test

As part of the Audit the Auditor should test the knowledge, understanding and application of the Firm’s processes. This is normally tested through staff interviews and matter file reviews.

Interviews

Interviewing staff will help the Auditor assess the staff’s knowledge and understanding of money laundering, money laundering red flags and the firm’s processes.

File Reviews

The Auditor will carry out a review of files and assess whether the matters comply with the Firm’s AML policies and procedures.

The Auditor may also request to review some closed files. Reviewing a closed matter will assist the Auditor in assessing whether there was on-going monitoring of risk and whether the completion instructions to accounts included information as to risk.

3. The Audit Report

The Audit will result in a written report on whether:

• The Firm’s risk assessment and AML policies, controls and procedures comply with the minimum requirements of the MLR.
• Changes which are required as a result of deficiencies identified (if any)

The Audit report should:

• Set out the law (what specific regulations of the MLR were checked against)
• Explain what was examined for that specific regulation.
• Document findings of areas of compliance and non-compliance as well as identifying areas for recommended improvement in behaviour and practice. It should be made clear which areas the Firm is compliant, non-compliant or partially compliant.
• Include an indication of where there are potential failings and a recommended course of action

4. Review

The Firm should conduct a review following an implementation period to establish compliance with the recommendations. As part of the review the Auditor will be assessing whether the recommendations have been carried out and whether there is any evidence to show whether they are effective.

If you would like to discuss this further or feel your Firm requires an AML Audit, please get in touch and we would be happy to help. Drop us an email at hello@tealcompliance.com.

Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (otherwise known as the Money Laundering Regulations) requires that regulated firms implement certain controls where it is appropriate to the size and nature of the firm. One of those controls is to establish an independent audit function. 

The size and nature test requires some objective thought and firms are directed by the Legal Sector Affinity Group’s Guidance to consider a number of factors including the number of staff and offices your firm has, your client demographic, and the nature and complexity of work you undertake. The Solicitors Regulation Authority’s take on it is that most firms (but not all) will need an independent audit. In its latest AML Report of October 2021, the Regulator found that a high number of firms visited (49 out of 69) failed to implement an independent audit where required. For those firms where an audit had been carried out, some common areas of concern were that the reviews were not sufficiently thorough or lacked an element of testing, they weren’t independent, and firms had not implemented the recommendations in a timely way. Such concerns could lead to firms being referred to the SRA’s Investigations Team. 

So if you have considered the size and nature test and determined that you need an independent audit, what should you expect from your review? It is key that your audit: 

• • Is independent from the people in your firm who are involved in setting and following the policies. The Regulations don’t prescribe that your audit must be carried out by a third party; but consider whether you are of a sufficient size to be able to resource a truly independent audit. Do you have staff with the right knowledge and capacity to carry out the audit? Even larger firms who have an audit function may find they do not have the necessary experience in AML. 
  • Is adequate in its scope and depth in order to give the firm assurance that the policies, controls and procedures they have in place are working. It should include a review of the existing documentation including firm and matter risk assessments and training plans, and a detailed review of how those processes have been implemented through file reviews and interviews with staff members to test understanding. The frequency of the audit should also be considered. Many firms decide to carry out an annual audit based on the size and nature test, but you may also consider focusing more frequent audits on higher risk areas as identified in your firm-wide risk assessment. 
  • Effectively identifies where processes are working well and roots out any problems with the process or where the process is not being followed. This means having the right person with the right expertise to carry out the audit so they know what they are looking for. It means carrying out an adequate number of interviews and file reviews across all locations and matter types so the Auditor can get a good feel for the firm and the types of issues that are occurring. Staff members from your fee earning teams, finance and any centralised onboarding teams should expect to be interviewed, along with the firm’s MLRO/MLCO. You may also consider focusing more frequent audits on higher risk areas as identified in your firm-wide risk assessment 
  • Provides feedback on where the firm’s current policies and procedures are not meeting the requirements of the Regulations and makes recommendations for improvement. A written report will provide you with the evidence that an independent audit has been carried out should the Regulator ever ask you for that information. The report should clearly set out the actions that should be taken to rectify any non-compliance. Recommendations should be implemented in a timely way and you should keep a record of the actions taken to meet the recommendations. 
  • Is part of an ongoing monitoring process to help you continually evaluate and improve compliance with the Regulations. Keep records of independent audits carried out for future reference and to evidence a robust auditing regime. 

There is no doubt that an independent audit requires some forwarding planning and investment in resources, whether that be internal resource or if you plan to engage an independent firm to carry out the audit on your behalf. It’s not a tick box exercise. Senior level commitment to the importance of implementing good anti-money laundering controls is therefore crucial and sets the tone for the firm and for the staff whose files may be reviewed or who may be interviewed as part of the audit process. But the reward for your investment is obtaining a real learning opportunity to understand what your firm is doing right and where it can make improvements and effectively manage money laundering risks.

Photo by Scott Graham on Unsplash

This is a question I get asked loads of times!

In fact, last week I had a client who has a policy of asking for ID for employees, and their client refused citing Data Protection concerns. I’m not planning to go into the data protection issues here, but instead whether you have to ask for it.

To get to the answer here, we need to start with the law.

The law requires, in connection with a client who is not a natural person (I prefer using the word human here!) that you need to obtain and verify certain information about entity. For a company that is

• name,
• company number,
• registered office,
• the law to which it is subject,
• its constitution,
• the full names of the board and senior persons responsible for it.

In addition, you need to identify and verify the ultimate beneficial owners.

So, do we need ID from directors, or people who instruct us on behalf of a company?

In the original 2003 Money Laundering Regulation it was a requirement to identify and verify at least 2 directors, but this was removed by the 2007 regulations. I’ve found despite this change many firms still have that process, whether as a legacy from the original regulations or as a risk management measure – so that they have proof a real person is connected with the company. After all, the whole point of passports and utility bills is so you can tell the police which door to knock on, to talk to about the entity.

I think many of the more recent queries I have had come from confusion arising from Money Laundering and Terrorist Financing Regulations, which introduced in 2017 Regulation 28(10).

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a) verify that A is authorised to act on the customer’s behalf;

(b) identify A; and

(c) verify A’s identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

There was concern when this first came in that an employee or director might be thought to be purporting to act on behalf of the client. Fortunately, the Legal Sector Affinity Group Guidance helps here:

Section 6.6

Examples of someone purporting to represent might include:

• a parent on behalf of an adult child.
• an individual not employed by your client; or
• a situation where the instructing persons authority to instruct is not clear or does not make sense.

Section 6.14.9

Someone employed by your client (depending on their position or seniority) or a director of your client may be considered as having apparent or ostensible authority to provide instructions on behalf of the client, though you may seek comfort of this on a risk sensitive basis. They should not be considered to be intermediaries, agents, or representatives. Where it is not clear or apparent what their authority to instruct on behalf of the client is, CDD should not be considered to be complete.

Accordingly, it is now much clearer in that “purports to act” is not intended to mean officers or employees of a company. That said, many firms still do carry out individual CDD on Directors and sometimes on employees instructing who are not directors, and whilst that is not required by the Regulations, it can be useful to provide an audit trail for the client in case you are challenged later on as to why you acted on instructions provided on behalf of the non-human client.

Filing Suspicious Activity Reports (SARs) should be a priority for all law firms when presented with circumstances that alert them to the potential for money laundering.

But the very word “suspicious” is in itself, problematic, as it lacks clear definition.

It’s essential that the basis for suspicion is expressed as clearly as possible – not just because of the potential for legal action, but also because of the potential that it may be read by a client.

So, what does “suspicion” actually mean?

Unhelpfully, “suspicion” isn’t formally defined in legislation – but it has been the subject of question by the courts on several occasions.

The judge in the case of Lonsdale v National Westminster Bank plc [2018] EWHC 1843 (QB) stated that

“The [person that suspects] must think that there is a possibility, which is more than fanciful, that the relevant facts exist. A vague feeling of unease would not suffice. But the statute does not require the suspicion to be “clear” or “firmly grounded and targeted on specific facts”, or based upon “reasonable grounds.”

This suggests that the term “suspicion” is subjective, with a relatively low threshold. Suspicion must be genuine, but there’s no robust necessity for it to be based on specific facts.

With this in mind – and in line with advice published by the NCA – here are our ten tips for avoiding the potential pitfalls when reporting suspicious activity:

1. Use clear and concise language, keeping the content clear, concise and simple. Avoid using acronyms and legal jargon.

The “reasons for suspicion” section of the SAR limits your input to 8000 characters, equating to around 1500 words.

2. Give full and precise reasons for your suspicion of money laundering.

It’s important for the NCA to see:

• Who is doing what
• Who they are/were doing it with
• When they are/were doing it
• Why they are/were doing it
• Where they did it
• How they are doing it

3. Specify all individuals and businesses, including suspected criminal property in as much detail as possible (having regard to privilege). You may not be in possession of all of the details, so you should make this clear in your report if that’s the case. Think about:

• Associated subjects
• Dates of Birth, Post Codes, Occupations
• Financial transactions.

4. Specify all information giving rise to suspicion and explain how you discovered it.
5. Clearly distinguish between information that you know from that which you suspect.
6. Present a chronological sequence of events which support your suspicion. Be as specific with regards to dates as possible.
7. Justify the basis of your suspicion – don’t simply state that it’s a cause for concern.

For example, a client’s bank account has large third-party transfers:

• explain if the client has been contacted (and if not, why not) and any explanation offered
• describe why the explanation given has not allayed your concerns
• demonstrate how the pattern of transfers/withdrawals presents suspicious circumstances.

8. Explain how the activity in question differs from normal, expected operations for that customer/business sector. If the SAR implicates a professional enabler (i.e., an accountant, insolvency practitioner, conveyancer, etc.) state whether it appears that the facilitation is witting or otherwise.
9. Set out the case if your suspicion relates to the transactions only, or whether it extends to the professional involved. If the SAR doesn’t relate to financial transactions, explain the activity you consider to be suspicious.
10. If you are requesting a Defence Against Money Laundering (DAML) be specific about the work you are undertaking for your customer/client which you believe you will require a defence to money laundering for e.g.:

• “to buy/sell the property at (address) for (value amount)”
• “to disburse the funds between the following people …”
• “to buy/sell the (named company)”
• “to draw up contracts between party X and party Y, transfer the ownership of the (named company) to party Y, and transfer the (value of funds) to party X which is all part of the arrangement”
• “to release the funds in account A to person B”.

The regulated sector has been criticised by NCA regarding the quality of SARs. The amount of information provided is of vital importance for a number of reasons:

• Improves efficiency in processing SARs
• Poor quality SARs divert resources away from detection and investigation of crime
• Vital source of intelligence
• Contents can be a basis for legal action against the maker – Lonsdale v National Westminster Bank.

If Teal Compliance can be of any assistance in helping with your reporting obligations and procedures, please contact us at hello@tealcompliance.com