New wine, new bottles
The new anti-money laundering regulations build on the approach developed under the previous rules but much is new, too, and law firms shouldn't just blindly re-use the same processes to ensure compliance. Jean-Yves Gilg reports
With just one working day between the date they were published and their entry into force, the new anti-money laundering regulations have caused ripples of confusion around the legal services sector. Many of the new rules have a familiar feel, but firms have sensed that compliance will not be a matter of just putting old wine into new bottles. The question now is how much they will need to adjust their systems, and how quickly.
Sudden as the timeline appears, it shouldn’t have come as a surprise. The Fourth Money Laundering Directive, which the regulations implement, provides for an implementation deadline of 26 June 2017 at the latest. The Solicitors Regulation Authority, like the majority of legal professionals, was caught on the back foot.
Talking after the SRA board meeting last month, policy director Crispin Passmore said the regulator would be working on adjustments to its guidelines over the next three months. This will be submitted to the Treasury for approval but Passmore said the intention was to make the draft guidance public when it is ready, so law firms can prepare for the likely new principles.
Repeating previous warnings, Passmore added there was “a huge risk” of solicitors acting as “professional enablers”, and that firms should be “really alive to the risks they face and make sure they know their clients and understand the risks”. For the time being, however, as invited by the Treasury, the SRA has said it would take “a proportionate and pragmatic approach” while firms get their heads around the new principles.
For this is where the challenge starts. The new provisions take a risk-based approach to anti-money laundering, leaving firms to identify the risks they face in their business and design suitable processes to prevent them. The approach has become a favourite among regulators, allowing them to shift on to the regulated the responsibility for assessing the risks and developing an appropriate response.
There are some advantages for firms, too. This tends to be less prescriptive and the flexibility allows lawyers to come up with systems and processes suited to their circumstances. It’s also generally accepted that the Third Money Laundering Directive had already paved the way for this approach, and that the new regulations are more about refining it.
Risk assessment review
Nevertheless, the 120 pages of new laws are long on principle and short on practical guidance, leaving lawyers scratching their heads about the steps they should take. Challenges range from the general principle in regulation 18 to “take appropriate steps to identify and assess the risk of money laundering and terrorist financing to which its business is subject” to appointing “where appropriate with regard to the size and nature of its business” a suitable money laundering compliance officer with board level or senior management status (regulation 21).
Firms that have embraced the risk-based approach may feel little difference from the previous regime, but this doesn’t mean they can simply carry on as before. “Compliance is dynamic,” said Tracey Calvert, who runs compliance and regulatory consultancy Oakalls. “The key to success is to have an action plan to adapt for changes. In many ways there’s nothing new about the regulations and what we need to think about is to review our procedures and policies and our people against the regulations.”
Speaking at the Solicitors Journal AML panel debate on the day the new rules came into effect, the former SRA executive said there were still “many questions unanswered” which will only be resolved once the SRA and the Treasury department have fully assessed the new regulations and come up with guidance.
In the meantime, a good place for firms to start would be to review their existing risk assessment processes, Calvert suggested. The regulations list specific heads of risk – in regulation 18(2) – which provide a rough reference matrix that firms could use as a baseline.
Next, existing policies would need to be reviewed. “Having identified the risks, ask yourself what needs to change and what amendments you need to make to your policies to ensure they fit the new compliance requirements,” Calvert said.
Sean Hankin, manager at the SRA’s forensic investigation unit, said the main two risks at present were the upscaling of investment fraud schemes and solicitors using client accounts as a banking facility. Since then, the SRA has issued new warnings about fraudulent investment schemes. Last month it also made “questionable investment schemes” a priority risk under its latest Risk Outlook (page 11).
The rising risk of fraud in the profession has also prompted many firms to change their compliance infrastructure, according to Graeme Port, development manager at Encompass, an IT company providing know your client (KYC) solutions. “We’ve seen a shift away from a decentralised approach for managing the operational aspects of due diligence and KYC checks, a move away from the teams that work directly with fee earners towards a more centralised function.”
The centralisation route, Port said, gave compliance professionals greater oversight of how risk policies were implemented and allowed them to ensure consistency in their application or when there was a change in the law or in the firm’s policy.
Could the new rules fuse the two types of approach? One delegate suggested the regulations, because they were more risk based, required compliance professionals and heads of teams to “touch-base with fee earners much more so you can determine what sort of due diligence check you need to undertake centrally, so there almost needs to be more engagement”.
Port concurred, saying there could be a gap between policies held centrally and how they’re executed on the ground. There needs to be “a continuum between the policy and its execution”.
Much as firms seem to be accepting risk-based regulation in principle, several provisions in the new regulations raise very practical questions. Many in the audience were puzzled by the requirement to appoint a board level AML compliance officer if the firm’s size and the nature of its business made this “appropriate”.
“How do you identify a ‘board level’ compliance officer? What if you don’t have a board?” asked a member of the audience. The requirement, under regulation 21, raised a preliminary question: is the firm such that it should appoint one, and could this person be the existing money laundering reporting officer (MLRO)?
“Nothing is prescribed,” replied Calvert. “The key word is ‘the nature of the business’. In a smaller firm, it could be the MLRO if they are sufficiently senior and have access to the board or equivalent senior member of the management team.”
Smaller firms face a particular conundrum. By virtue of their size, there are simply not very many senior individuals to choose from. “There aren’t going to be that many firms clearly falling within the scope of regulation 21,” commented Hankin. “In a lot of firms, aside from the very large ones, we’re expecting the new compliance officer and the MLRO to be one and the same person.”
Were there any scenarios that the SRA would rather not come across? “We expect these officers to be of sufficient seniority within the firm, and to make any money laundering reports without being under any influence or having to go through another member of the firm to do so,” Hankin commented. “We also expect them to make suspicious activity reports (SARs), even where transactions don’t complete,” he added, suggesting that the number of SARs submitted by the legal profession – just 1 per cent of all reports – was unexpectedly low considering the high risk occurrence.
For Calvert, the question was fundamentally one of awareness of the risk at a time when money laundering was becoming an increasingly serious concern. “The new rules are about trying to avoid the risk that people aren’t going to take proper notice of these changes. You need to have the ear of the right people in the firm,” she said.
That question is especially apt in the context of law firms with offices or alliance partners in other countries, including outside the European Union. Regulation 20, in particular, introduces the concept of “parent undertaking” – in practice, a firm’s head office – and makes that body responsible for ensuring that its subsidiaries and branches comply with domestic provisions implementing the directive in other European Economic Area countries, or, if in a third country, apply similarly strict procedures.
“The regulations talk about ‘parent’ bodies, and the influence the parent body has over its network of local firms. If you are the head office firm, you must be in a position to assess the risk in all other offices outside the UK,” Calvert said.
“Given the input of the Financial Action Task Force on money laundering (FATF),” Hankin added, “you definitely want the best possible practice across the group.”
Evidence of process
The requirement in regulation 21(1)(c) for firms to have an independent audit function caused similar confusion. One compliance officer suggested it would be challenging to find a suitable person to fulfil that requirement, considering that the AML knowledge in most firms is in the AML compliance team. Could they be external professionals, such as auditors? She had raised the question with her firm’s own auditors, who were unable to provide a definitive answer.
“By definition the AML experts will be in the AML team, so this is something we – the SRA – will need to think through,” Hankin responded.
Calvert brought the question back to the term “independent”, saying the word could be used to refer to an individual with the required independence and seniority to reflect on circumstances and make changes where appropriate. “It could be somebody within the firm, as long as they have this kind of relationship with the board,” she said.
As with the rest of the regulations, the changes in relation to the independent audit requirement should necessarily result in a change of a firm’s procedures. The same approach would apply to other concerns raised by delegates about independent verification in the course of due diligence or to the screening and training of staff.
But what will be required is evidence that those responsible for the firm’s AML systems have applied their minds to it. As with risk-based regulation, this will involve reflecting on the likely risk, evidencing that process, and putting any conclusion – including new policies – clearly in writing.
Inevitably, this will result in more administration. Larger firms with dedicated teams will likely be able to absorb the additional workload. Smaller firms, where AML responsibilities are taken on by one of the partners, will find it more challenging. Their problem is that they tend to be more vulnerable to fraud but many don’t have the practical means to protect themselves from it.
The new regulations address a critical issue and, arguably, the risk-based approach is the right one, but their lofty aspirations may prove tricky in practice.
Jean-Yves Gilg, editor-in-chief