The coming of age of anti-money laundering regulation
As the SRA makes anti-money laundering compliance one of its priority risks, Matthew Moore suggests horizontal programmes are more likely to achieve buy-in from partners and staff
Few areas of law firm compliance requirements can safely be regarded as one-off issues to be dealt with and then forgotten.
This is all the more so in relation to anti-money laundering controls and the regime introduced by the Money Laundering, Terrorist Financing and Sources of Funds (Information on the Payer) Regulations 2017 (MLR).
First, the regulations lay down the need for continuing activity on various fronts – ongoing monitoring of clients under r.28(11) and keeping training up to date at r.24 chief among them.
Secondly, the SRA (as the Law Society for these purposes) is designated as one of the approved supervisory authorities for the regulations, meaning that it has continued accountability to HM Treasury in relation to its commitment to enforce effective controls to counter money laundering and terrorist financing activities.
The wider picture of the pressures that the SRA comes under as an approved supervisory body will help to explain why it needs to remain active with this aspect of its regulatory obligations.
Concerns were expressed in advance of the regulations taking effect as to the multiplicity of legal and accountancy supervisors.
The law societies of Scotland and Northern Ireland, the Council for Licensed Conveyancers, CILEx and the Bar Standards Board all share the same regulatory responsibilities with the SRA within the UK legal sector as a whole.
Inevitably this created the risk of inconsistency between the various regulators and this led the Treasury to make provisions for a legal oversight role in the shape of OPBAS – the Office for Professional Body Anti-Money Laundering Supervision, under the direction and control of the Financial Conduct Authority (FCA).
The other development that firms will be more familiar with is that, as if to head off the need for OPBAS, the various legal regulators came together to participate in a joint statement of best practice, and so the Legal Sector Affinity Group AML Guidance (LSAG) was born.
Although the MLR took effect in June 2017 that guidance was not approved by HM Treasury until March last year (2018), meaning that lawyers who were following its provisions would be able to refer to this in any proceedings against them, and also that the supervisory bodies would have a clearer template of what they will expect to be in place in any monitoring reviews or disciplinary proceedings.
With the anniversary of those guidelines falling this month, any honeymoon period that might have been allowed should be seen to have well and truly expired. And for those who put in place the regime as advised at the time, a review will now timely.
Risk assessment review
As to the practical steps now to be taken the priority should be to undertake or to renew the risk assessment required by r.18 MLR.
There is a good deal on the need for the entire anti-money laundering (AML) regime to be risk-based throughout the regulations and the steps that are required of law firms in this regard form one element of the hierarchy of risk assessments laid down by the Fourth EU Directive.
These start at European Commission level, then trickling down to national governments before reaching the designated supervisory bodies and so eventually to the “obliged entities”, or individual businesses practices that are subject to the regulations.
Critically, each level should take on board the risks identified at the level above them, as can be seen in the wording of r.18, to the effect that when a regulated firm undertakes its risk assessment it must take into account the information made available to it by its supervisory body.
The firm is also required to keep and “up-to-date record in writing” of the assessment and a copy of this must be made available to its supervisory body on request (r.18(6) MLR).
In order to comply with r.18, therefore, a risk assessment should be undertaken and be recorded for future inspection and that risk assessment should then be kept up to date.
There are no specific requirements as to how often a review is required and chapter 2 of the LSAG merely refers to is as needing to be an “ongoing process”.
That part of the guidance note lists in some detail the sort of considerations that should be taken into account including those based on client types, service areas and certain high-risk practice areas in particular.
There should be a reference at least to the SRA’s published views on risk factors in law firms which were published in March 2018 under the title “Preventing Money Laundering and Financing of Terrorism”, with the risk assessment guidance forming part of a full report on a thematic review of 50 firms undertaken by the SRA in late 2017.
The risk review is useful in summarising those areas of the highest risk in the view of the regulator and the particular aspects of those services which might give rise to concerns.
Given the emphasis in r.18 on the need to refer to the risk assessment at the level above, some reference in the firm’s report to this SRA guidance is clearly to be recommended.
It next needs to be borne in mind that the risk assessment is not an exercise undertaken for its own purpose – it should then inform the processes and procedures that are then put into place to manage the risks that have been identified. This is therefore a consideration in relation to the “policies, controls and procedures” that are required to be in place under r.19 MLR.
These will need to cover all of the core requirements that arise from the regulations, the forms to be used when checking client identities and reviewing instructions being an essential aspect, but also file storage and the other required records, and the arrangements for training.
It should follow from the risk assessment that the greater the risk, the more arduous the checking procedures should be, so within the same firm it will probably be appropriate to have more complex forms for the higher risk conveyancing instructions as opposed to other areas of litigation, which might technically be outside the scope of the MLR in any event.
As to the appointments that need to be made, and now notified to the SRA, and the other “internal controls” these will be found at r.21. There are now two roles to be filled – reporting officer and compliance officer – whether by the same person or different individuals.
There is now also a requirement for identity checks to be conducted when appointing new members of staff, or “relevant employees”, as already recommended by the SRA in its model headings for a compliance plan in the Authorisation Rules dealing with the appointments of COLPs and COFAs.
This will mean in practice that in addition to checking the identity of the new colleague on induction, an assessment should be made of their role and exposure to AML and CTF (‘Combating the Financing of Terrorism’) responsibilities.
Consideration should then be given to the need for training, or perhaps just a refresher to training already undertaken. The initial screening is not a one-off activity, however, and the monitoring of AML and CTF knowledge and experience should feed into the firm’s ongoing performance review or appraisal and training programme. It is important to keep training up to date, whether face-to-face or on-line.
Adequacy and effectiveness
The requirement for an independent audit to “examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations” of each firm at r.21(1) (c) caused some consternation among firms when the draft regulations first appeared.
There has been reassurance on this issue in the LSAG, however, where it is suggested that the term “independent” refers only to the person conducting the checking and should not necessarily be taken to mean that an external audit resource is required.
Furthermore, in smaller firms where just one or a small number of principals are confident that they have a good understanding of the current level of compliance, there may be no need for an audit at all.
This interpretation is based to the reference to the “size and nature” of the practice as referred to at r.21(1) and would be in marked contrast to the large compliance audit teams maintained by the major banks.
Firms that are subject to the Lexcel programme might well claim that a combination of file reviews which includes a consideration of the CDD processes that are in place, coupled to the annual review of all policies, may well be sufficient to meet this requirement.
It is also fair to add that if the firm fails to comply with any provisions set out at regulations 19 and 21 of the MLR 2017, then technically it may be liable to criminal sanctions by way of imprisonment or a fine under r.86, but in practice disciplinary action would be undertaken by the SRA as part of its responsibilities in this respect.
There is a hardening of approach on this issue, however, as seen in conviction of Neil Richard Bolton in 2017 for both failure to disclose suspicions of money laundering activity contrary to s.330 Proceeds of Crime Act 2002 and for failure to comply with the MLR.
We should however be reasonably confident that such draconian measures will be limited to more serious cases where money laundering activity has been found to have occurred as opposed to a “mere” breach of the accompanying regulations.
In any review now of the AML regime and the effectiveness of the firm’s own policies and arrangements the most likely problem area is likely to be assessing the lawfulness of any funds that are to be handled by way of completion monies in any transaction.
The firm should be wary if the source of funding for a property purchase is obscure or unusual for the type of transaction involved and will need to make further enquiries in such circumstances.
If large payments are made from the client’s own funds then the origins of those funds should be ascertained: in other words, it becomes just as important to know the source of wealth of the client as the source of funds, such as the bank account(s) that will be used to remit the completion monies.
In this regard it should be remembered that the fact that a payment is made via a mainstream clearing bank does not necessarily mean that the funds are clean – a point that many lawyers continue to overlook.
It is possible that criminal funds might have been successfully ‘placed’ in an account, in which case its subsequent ‘layering’ is as culpable as the introduction of the funds to the bank in the first place.
Property lawyers in particular need to remember that from their point of view it is layering that carries the greater risk of their becoming involved in money laundering activity, rather than the receipt of cash.
Thus far we have concentrated on the SRA’s requirements and what is therefore required to keep a clean bill of health so far as the regulator is concerned.
This perhaps overlooks the degree of importance we should all want to place on this topic, money laundering being the activity that maintains some very unpleasant criminal activity, be it the sale of illegal drugs, prostitution, extortion or fraud.
Add to this the frustration expressed by many reporting and compliance officers that, try as they may, they cannot achieve the degree of buy-in that they need from partners and colleagues to achieve the level of compliance with their policies and procedures that they would like.
Is there a magic wand that can be waved in this direction? Probably not, but one suggestion borne out of experience is to make the AML policy more horizontal than vertical.
In most firms the AML policy applies firmwide, as it is seen as a separate management issue to be addressed by the firm as a whole.
In so doing, however, the fee earners are only indirectly engaged with what is required of them to ensure compliance.
Better by far to undertake the required risk assessment and the required appointments and control arrangements on a firmwide basis, but then define the specific risks, forms and control procedures department by department.
This analysis suggests that providing a conveyancer, private client or family lawyer with a set of observations and requirements that address their area of practice only will make them much more likely to take notice.
In contrast, provide them with a more generic view of what the firm as a whole must do and there is a much greater risk of disconnection.
In other words, in order to make your AML policy come to life, drill it down to each part of the practice in a way that will address the user’s specific concerns.
All being well, this will be likely to impress both regulators and users alike.
Matthew Moore is director of law firm compliance consultancy Infolegal Ltd and a consultant solicitor on regulatory issues at Jayne Willetts & Co. and co-author of Money Laundering Compliance for Solicitors, the second edition of which has just been published by Professional Compliance Publishing infolegal.co.uk