Guidance needed over new risk-based anti-money laundering regulations
Firms urged to start re-assessing risk and reviewing existing policies
New requirements in the 2017 anti-money laundering regulations, ranging from drawing up risk-based policies to the screening and training of staff, have left lawyers searching for answers as to how they are expected to implement the new rules.
Drafts of the new regulations were published in March but the final version only came out on 22 June, just four days before they became law. Most provisions in the 120 pages of new rules have remained as first proposed but legal compliance professionals have already pointed to the lack of practical direction and have called for urgent guidance.
The regulations, which implement the Fourth Money Laundering Directive, are more about finessing the existing framework than a complete overhaul. At their heart is the outcomes-focused approach, increasingly popular with regulators, which shifts the assessment of risk onto the regulated.
Firms that have properly embraced this approach under the previous rules may feel little difference, but this doesn’t mean they can simply carry on as before. ‘Compliance is dynamic,’ said Tracey Calvert, who runs compliance and regulatory consultancy Oakalls. ‘The key to success is to have an action plan to adapt for changes. In many ways there’s nothing new about the regulations and what we need to think about is to review our procedures and policies and our people against the regulations.’
Speaking at the Solicitors Journal AML panel debate last month, the former SRA executive said there were still ‘many questions unanswered’ which would only be resolved once the Solicitors Regulation Authority and the Treasury department have fully assessed the new regulations and come up with guidance.
However, she added, the issue needed to be firmly on the agenda and firms ‘should be talking about the changes and give some thought about how they will address any gap’.
A good place for firms to start was to review their existing risk assessment process, Calvert said. The regulations contained guidance referring to specific heads of risk, which should prompt firms to compare those with their client portfolio and ascertain their own risk areas.
Next were the existing policies. ‘What needs to change and what amendments do you need to make to your policies to ensure they fit the new compliance requirements?’ she asked.
Client due diligence should now be given greater attention following the introduction of new elements relating to data protection. Firms will not only need to think about how they evidence they’ve carried out appropriate due diligence, but may also need to change their terms of business. One new requirement is to keep data for five years, which may mean getting informed consent.
Sean Hankin, manager at the Solicitors Regulation Authority’s forensic investigation unit, said the new rules were a challenge for the regulator too. A few days earlier, the SRA had issued a statement saying it would take a ‘pragmatic approach’. Hankin confirmed the regulator would be ‘proportionate and sympathetic’ as it, too, would take time to consider how it would approach the new rules.
Nevertheless, he said, firms should remain vigilant. ‘Solicitors are still at risk of being used as a conduit for fraud,’ he said, with lawyers being seen in some circles as ‘professional enablers’.
The two main risks at present were the upscaling of investment fraud schemes and solicitors using client accounts as a banking facility. ‘Fraudsters will make schemes look legitimate, so solicitors must be very aware,’ he said.
Endorsing Calvert’s recommendations on policies, Hankin added that firms should ensure they had written procedures that were properly applied ‘and not just sitting in a drawer’.
The rising risk of fraud in the profession has also prompted many firms to change their compliance infrastructure, according to Graeme Port, development manager at Encompass, an IT company providing Know Your Customer (KYC) solutions. ‘We’ve seen a shift away from a decentralised approach for managing the operational aspects of due diligence and KYC checks, a move away from the teams that work directly with fee earners towards a more centralised function.’
Port said the centralisation route gave compliance professionals greater oversight of how risk policies were implemented and allowed them to ensure consistency in their application or when there was a change in the law or in the firm’s policy.
‘With a centralised process,’ he said, ‘it’s easier to update policies, make sure that training is rolled out to those who need it, and to collect feedback about what’s working or not – that’s more difficult when the process is out of the MLRO’s hands.’
Read the full report in the issue dated 8 August 2017