Special Feature: New Anti-Money Laundering guidance: tackling the requirement for independent audit
On the 20th January 2021 the Legal Sector Affinity Group (LSAG) published new Anti-Money Laundering Guidance for the legal sector which states that ‘The practice must conduct an independent audit of the adequacy and effectiveness of its AML policies, controls and procedures (PCPs)’.
The requirement to have a review was introduced in the Money Laundering Regulations 2017 and has always been risk-based, reflective of size of the firm and nature of the work involved. This means many firms considered they were of a size, not to warrant such a review. Whilst that may be true for some, the SRA Risk Outlook published in November 2020, and repeated in presentations since, expects most SRA firms will benefit from such a review. So, there is then an expectation – probably endorsed by all Regulators – that most firms complete one. To be honest, why would you not benefit from someone independent of the development and day to day enforcement of your AML PCPs taking a look; but just who?
Updated Guidance provides more on the approach to independent audit – including reviewing and making recommendations, requiring file remediation, as required and reporting AML suspicions to the MLRO. Audits can be undertaken internally from within the Firm using someone who has knowledge of the Money Laundering Regulations, but has not already been involved in the formulation, or day to day operation of your PCPs.
This could be, for example:
- An AML-experienced, senior individual from the Private Client Team, or Litigation reviewing the PCPs operating in other work areas of the Firm and how the MLRO/MLCO operates.
- It could be a recent new recruit to the Firm, already having awareness of AML requirements given the task and freedom, to augment their induction training on your AML PCPs.
- Someone from outside your Firm.
Whoever it is, they will need a working knowledge of the expanded 212 pages of the latest LSAG Guidance and access to Senior Managers. The audit will need to check your PCPs are ‘fit for purpose’, but whether in their opinion, those PCPs and your role holder’s activities meet the expectations of Regulators. That might be where challenges arise, particularly for a new recruit.
It is certainly going to take them some time away from their fee earning duties to accomplish:
- Reading your PCPs.
- Talking to the MLRO and MLCO about their roles and PCPs in place and where improvements might be useful.
- Appropriate sampling of files from across the Firm, especially in higher risk work areas and talking to case handlers about their AML findings and approach.
- Having access to SARs (both internal & those submitted to the NCA).
- Compiling an overall report and recommendations.
So, might it be better to look outside of the organisation? For someone already aware and knowledgeable about the LSAG Guidance, works with AML most of the time with other Firms, so knows how Firms operate and the requirements of an AML regime?
Legal Eye offers an audit service to fulfil this requirement. The audit report summarises an evaluation of your AML policies, controls and procedures to set out recommendations regarding adequacy and effectiveness of your anti-money laundering and counter-terrorist financing policies, controls, and procedures.
The report will also identify if working as they should. We comment on your existing PCPs not only from a background of the LSAG Guidance, but also on what we see on files drawn from a proportional assessment of the risk areas within your Firm and discussions with individuals running them.
How often, an independent review takes place is also risk based. It will reflect time elapsed since the last audit, changes to structure, services, or risk profile. You must record information from the audit and the actions taken. LSAG Guidance provides a list of what to record making reports available to a Regulator on request. You must also record why you consider the firm will not benefit from having such an audit and be prepared to justify such decisions!
From the independent audits performed, here are some common issues frequently arising:
- Practice Wide Risk Assessments suggesting not all risks in a work area have been considered, or that in a High Risk work area, such as Conveyancing, the overall assessment for the Firm is judged as low without detailed explanation;
- Client and Matter Risk Assessments:
- Often not capable of demonstrating thought processes that individual fee, or case handlers go through.
- A variety of approaches, from very detailed written records to a few tick boxes on a checklist pinned to a file cover. (A few tick boxes may be acceptable for work out of scope, such as drafting a simple Mirror Will, it most certainly won’t be acceptable for work falling in scope, such as creating a Trust, a Company, or where you should have suspicions of criminal activity. Remember, POCA makes you liable where you should have had reason to suspect)!
- Risk assessments that suggest their completion is tick-box. Not given thought, conflicting with what appears in the file, or not addressing risks identified by the firm. Dangerous in conveyancing, particularly where the only evidence of Source of Wealth is several bank statements, which themselves give rise to intriguing questions!
- Does asking for certified ID after a PEP alert confirm, or deny, the client is a PEP?
- Client and Matter must be risk assessed at instruction and reviewed as matters progress to conclusion. Key wording in the latest Guidance is recording all steps taken in those assessments. Tick box won’t be sufficient, nor a file that is devoid of any evidence of ongoing review!
- Litigation teams not concerned over AML, or risk assessment, despite sham litigation risk on the increase. Appearing for the first time in the UK National Risk Assessment in December 2020. The National Assessment also highlights how a lack of focus on compliance – taking a tick-box approach, or a lack of understanding of risk in firms, leads to a higher risk of being exploited by criminals.
So, when it comes to your Independent Audit – who will you choose, and why?
Written by Norman Denton, Senior Compliance and Regulatory Specialist at Legal Eye.
For more information contact firstname.lastname@example.org
Norman Denton is a Senior Compliance and Regulatory Specialist at Legal Eye.
Norman is a highly experienced compliance expert, delivering business improvement solutions with the owners of small and medium sized law firms and businesses for over 25 years. A very strong financial and risk management background gained through 25 years with a major bank, including 10 years as a lending manager to the professional sector, is underpinned by his depth of all-round business experience. When combined with his ability to objectively review a business, its leaders and market position this ensures a high level of stakeholder satisfaction.
Norman holds an ILM Level 7 Certificate in Executive Coaching & Mentoring. He gained Lexcel Consultant status in 2010 and has considerable experience of working with the legal profession.
Norman regularly presents around the country on the themes of Anti Money Laundering, Risk Management, Getting your Outward Facing Documents Compliant, GDPR, and Risk Management processes for a COLP. He has previously written several articles on the impact of OFR, Vulnerable Clients and ABS.
Kindly shared by Legal Eye
Main photo courtesy of Pixabay