Rhiannon Davies, Associate and specialist in AML and Regulatory Compliance. This article is a debrief of the webinar and transcript I ran on 2 April 2025. You can watch the recording HERE.
Let’s kick off with AML audits and what the regulations say. Specifically, we’re looking at Regulation 21. It has a few key requirements, but I’ll focus on the part about independent audits.
You can read here about our outsourced AML Compliance and Regulatory Compliance SORTED programmes that cover the requirements too.
Regulation 21 and Independent Audits
We started off the webinar AML audits and what the regulations actually say.
- Key requirements of Regulation 21
- The role and purpose of independent audits
- Defining “independent” and “size and nature”
The first requirement is appointing a Money Laundering Compliance Officer (MLCO). This must be someone in senior management, like a Board Director or equivalent (e.g. senior management). Why? They need to have enough authority to enforce policies, update training, and even decide on the firm’s risk appetite for clients and work types.
The second requirement involves screening employees—both before they join and during their tenure with the firm. I won’t go into detail on this today, but if you’re curious, LSAG 9.4 has some excellent guidance on how to approach it.
Now, onto the third part of Regulation 21—the independent audit function (there are loads of different terms for this function). This is where it gets interesting! Essentially, the audit assesses the adequacy and effectiveness of your firm’s AML policies, procedures, and controls within the firm. If issues are identified, the auditor provides recommendations and follows up to ensure compliance.
But here’s the thing—what does ‘independent’ really mean? And how does ‘size and nature’ factor into whether your firm needs this function? These are questions we get all the time.
‘Size and nature’ isn’t strictly defined in the regulations, which can make it tricky. The SRA, however, suggests that the majority of firms will require an independent audit function. For instance, if your firm handles conveyancing work, it’s almost certain you’ll need one. On the other hand, if you’re a sole practitioner without staff, you can probably justify not implementing one.
As for ‘independent,’ it doesn’t always mean external. That said, achieving true independence internally can be challenging. The auditor mustn’t be someone who sets or follows the firm’s AML policies, however, it needs to be someone with enough knowledge of AML which rules out many internal staff. Often, firms find they need to bring in external specialists to meet this requirement.
So, in summary to this section of the webinar, I said that if your firm doesn’t already have an independent audit function, now’s the time to assess your needs. And if you’re unsure where to start, I’m happy to point you toward some useful resources. Please feel free to email us: hello@tealcompliance.com
Introduction to Ongoing Monitoring
I’m grouping this with the previous topic because it’s a key area where we often find firms struggle, particularly fee earners. During our AML audits, we consistently observe challenges with the implementation of effective ongoing monitoring procedures. So, I’m going to delve into this in a bit more detail, referencing the regulations themselves.
Ongoing Monitoring: A Deeper Dive
- Defining ongoing monitoring and its components
- SRA guidance on ongoing monitoring
- Challenges in implementing ongoing monitoring
Ongoing monitoring is split into two parts, firstly from a transaction point of view, where you need to keep an eye on the level of risk that the matter and the client is posing to the firm throughout the whole of the matter.
Secondly, it’s the reviewing identification documents for your existing clients and making sure you’re keeping them relevant and up to date. So any of those documents that you’re relying on, if they’ve expired, you’re getting new ones.
When we talk about ongoing monitoring, it involves both of those components.
Defining Ongoing Monitoring
Here’s a summary of the definition of ongoing monitoring – comprising two key components.
- Transaction monitoring: this means continuously assessing the level of risk that the matter and the client pose to the firm throughout the duration of the case.
- Periodic reviews of client identification documents to ensure their validity. Expired documents, for example, must be replaced.
Therefore, ongoing monitoring encompasses both the scrutiny of transactions and the maintenance of up-to-date client documentation.
SRA Guidance on Ongoing Monitoring
The SRA emphasises the mandatory nature of ongoing monitoring, as stipulated in Regulation 28(11) of the Money Laundering Regulations.
The SRA’s guidance highlights that any communication with a client has the potential to alter the risk profile of the matter, the client, or both.
Consequently, risk assessments should be re-evaluated at appropriate intervals and to reflect any changes in circumstances, such as alterations in beneficial ownership, the nature of the client’s business, or their address.
It’s worth noting that the SRA stresses the significance of ‘any communication‘ in this context. This underscores the need for comprehensive AML training for all staff, including support and reception personnel, as any interaction with a client could reveal suspicious activity. Essentially if any staff has a touch point with your clients, they need training.
The phrase ‘re-evaluated at appropriate intervals‘ requires careful consideration, as its interpretation can vary. While it’s clear that a reassessment is necessary when material changes occur (e.g., third-party funding, newly discovered links to high-risk countries etc), the challenge lies in demonstrating ongoing monitoring when no such changes are apparent.
Challenges in implementing ongoing monitoring
Why do we see so many firms struggle with ongoing monitoring? From our experience and training it looks like this:
- Not understanding the purpose of ongoing monitoring
- Doing it but not evidencing it, especially where nothing has changed
- Not sure when it should be done
- Ticking boxes without providing rationale
- Not wanting to bother clients further
- Forgetting about LSAG
We often hear about re-evaluation at appropriate intervals in ongoing monitoring.What does that exactly mean though, because there’s no definition!
“Best practice and with a risk based approach”, it could mean different things to different people and firms. Ultimately, it means there needs to be an update if anything on the matter has changed. For example, if a third party is now providing funds for the transaction, or say you’ve suddenly discovered the client’s got links to a country outside of the UK that would generally prompt you to relook at the risk assessment. This seems obvious right?
However, what about when nothing’s changed? How do you evidence that? How do you prove you’ve done your ongoing monitoring when absolutely nothing’s changed on the matter and you’re still as comfortable with the risk as you were at the very beginning of the matter?
That’s the bit where we often find we don’t have the evidence when we’re running an AML audit; so when we’re doing some of the file reviews, as a minimum, we’d recommend the following guidance via three points.
Three point ongoing monitoring guidance
Our three point guidance is where you assess the risk and emphasis is on the word minimum.
Think of it as a story because it has a beginning, a middle and an end.
Beginning stage: file opening
At this point, is there anything that you’ve seen or been told that doesn’t quite sit right with you? Are you not sure whether you want to proceed with the matter? Do you need some more information to make yourself more comfortable? Or are you happy to proceed at this time?
Either way, it needs to be noted on your risk assessment. And I must say, the majority of firms that we audit, the opening risk assessment is the one that’s often carried out well.
It’s the next stage where we see failures.
Middle stage – review of CDD documents
I’d normally suggest this part of your ongoing monitoring story is once you’ve reviewed the CDD documents from your client. This is the point when due diligence checks around your client’s evidenced source of funds (SOF) and source of wealth (SOW) are with you.
At this point, you’d be looking if anything has changed at all, i.e. have any risk factors changed from what you decided at the beginning? Does the evidence from your client match what they told you at the beginning? Does everything still make sense? And again, if not, you might need to ask further questions, or you might need to see some further evidence.
If everything is hunky dory, carry on and proceed with your matter. HOWEVER, don’t forget to document and evidence your checks and confirmations.
Even if nothing’s changed, documenting that you have still assessed that risk again, would evidence ongoing monitoring. Then I suggest a final risk assessment.
End stage – last minute changes
An assessment of the risk again, before you proceed with whatever it is that you’re doing that could end up being money laundering.
Before the actual transaction takes place (e.g. in conveyancing), before any money’s moved you have evidenced your final risk assessment.
Remember, the baddies are waiting for any last minute changes in the hope that you don’t ask any questions.
Financial criminals and money launderers thrive on last-minute transaction changes, banking on lawyers being under pressure to push deals through without thorough scrutiny. They count on urgency preventing deeper AML checks, allowing them to disguise their true source of funds or wealth. The pressure conveyancers were under in March because of the changes to Stamp Duty, was horrific, the baddies would have been rubbing their hands with glee.
Come what may, you have to maintain vigilance with risk assessments and ongoing monitoring whilst documenting every step to justify risk ratings. If it’s not written down and evidenced, in essence, it didn’t happen. You hear time and time again about SRA inspections and their fining powers when swooping in to check.
Practical Guidance on Risk Assessment Frequency
As a reminder on some practical tips to help with your ongoing monitoring for risk assessments, we’d say never to focus on thinking that after your initial first step of onboarding CDD to continue checking on changes or documents that don’t match your original docs.
Our recommendations would be:
- Initial Assessment: This is conducted when the file is opened. At this stage, the primary focus is on determining whether to accept the client and, if so, the appropriate level of Customer Due Diligence (CDD). Any initial concerns or uncertainties should be thoroughly documented.
- Interim Assessment: We advise conducting this assessment after reviewing the client’s CDD documentation, including source of funds and source of wealth evidence. The aim is to verify the consistency of the evidence with the client’s initial representations and to identify any emerging risk factors.
LSAG offers helpful guidance on documenting ongoing monitoring, including the issues considered, actions taken, reasons for decisions, and details like dates and individuals involved. Monitoring also involves reviewing and renewing client identification documents, especially for ongoing or long-term clients. Having said that, when reviewing client identification documents, it doesn’t mean you need to ask the client for them again for every matter but they must be reviewed for relevance and validity, such as checking for expired documents.
Challenges in Implementing Ongoing Monitoring
Changes in beneficial ownership, particularly further up the corporate structure, may not be immediately apparent, which makes ongoing monitoring crucial.
For corporate clients, drawing up a structure chart at the beginning of the relationship and confirming it at each new matter is really good practice. This would help with ensuring the beneficial ownership remains consistent. If a change is identified, such as a new beneficial owner, then you must follow appropriate identification and verification processes in line with your firm’s policies and procedures.
We get it, struggling with ongoing monitoring is common, which is why my colleagues and I want to support you and your colleagues.
Challenges range from a lack of understanding of the actual purpose of ongoing monitoring, assumptions based on long-standing client relationships, and inadequate documentation. For instance, staff might simply tick a box to indicate monitoring without detailing the rationale or evidence. There’s also a hesitation to bother clients for updated information, fearing complaints or loss of business.
My advice is clear, would you go to prison for a client? No – it’s not worth it.
I hope you found this blog helpful, and do watch the recording if you have time.
Rhiannon
