The Money Laundering Regulations 2017 have been in force since 26th June. While the SRA have said that they are taking a proportionate and pragmatic approach as firms take steps to comply with the new requirements, there is no indication of what this means in practice, and it is likely to be of little comfort if your firm comes under scrutiny.
Most firms will have systems, policies and procedures in place that already go a long way towards complying with the new regulations. There are, however, new obligations that require additions and amendments to your AML regime.
It is now mandatory to undertake a documented, firm-wide money laundering and terrorist financing risk assessment to identify, monitor and address weaknesses. It is the ideal way for you and other individuals throughout the firm to actively consider the risks your firm faces and the role each and every fee earner has to play in preventing the firm getting into difficulties.
The risk assessment exercise should be owned and led by the MLRO. However, involving fee earners from across the firm will lead to a better assessment of the risks facing the firm and how accurately these are currently perceived and acted upon.
The findings of your risk assessment should feed into all of your efforts and act as a reference point in reviewing your AML policy and procedures, the content of training sessions, internal controls, your matter risk assessment procedure and file auditing. You should be able to present it to the SRA on request – an additional reason for its necessity.
Whilst Regulation 18 gives you an indication of the risks to take into consideration, each firm’s risk profile will be different. It is also worth considering the following questions when undertaking the risk assessment, in relation to your clients, your services, your firm and your staff:
- Do you act for clients who have connections with countries which are high risk for money laundering?
- Do you meet most of your clients face to face or is there a high percentage of clients where the only contact is through email and telephone correspondence?
- Where do your clients’ funds come from? How do you carry out source of funds checks?
- Do you have clients that operate in sectors that, by their nature, pose a higher risk of money laundering, for example because they involve handling large sums of cash?
- Do you act for politically exposed persons (PEPs), members of their families or close associates?
- Do you have a fairly stable client base or a high client turnover?
- Through what channels do you acquire work?
- What practice areas does your firm operate in?
- How much of your work is high risk?
- Do you act in complex or high value transactions?
- What types of transactions do you handle?
- Do your clients ask you to handle financial transfers unrelated to the matter on which you are instructed?
- What is the size and nature of your firm?
- What internal systems, policies and procedures do you have in place?
- When were your systems, policies and procedures last reviewed and updated?
- What arrangements are in place for monitoring the firm’s compliance with anti-money laundering requirements in practice?
- What is the awareness amongst staff of your systems, policies and procedures?
- When were staff last trained on anti-money laundering? Is training given on induction?
- What checks do you carry out when employing a new fee earner?
- Is any member of staff displaying ignorance or indifference to their AML obligations?
- Is there a lack of appropriate oversight of anyone working in the firm, at any level?
- Do you carry out “screening” of your staff (a new requirement under Regulation 21(b)), i.e. an assessment of their skills, knowledge and expertise together with their conduct and integrity?
As well as considering the risks, your assessment should also list the steps you have taken and measures you have in place to mitigate the risks.
Once the MLRO has drafted the risk assessment, it should be presented to and agreed by the partners. Your systems, policies, procedures and controls should then be amended to reflect the risk assessment, focusing in particular on the areas that present the greatest threats to your firm. All this should then be communicated to everyone in the firm.
It is important that the risk assessment is a living document which is kept under regular review (at least annually) and updated as and when material changes occur.
What else do you need to do?
- review, amend and implement your systems, policies, procedures and controls in the light of the risk assessment;
- ensure you have in place an independent audit function to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted;
- make recommendations in relation to those policies, controls and procedures and monitor compliance with those recommendations;
- implement staff screening;
- provide training to staff on the new requirement and ensure staff are made aware of updated systems, policies, procedures and controls;
- ensure you have adapted to the changes to the CDD regime, in particular in relation to the new prescriptive requirements regarding corporate bodies;
- comply with new requirements relating to PEPs;
- ensure record keeping and data protection systems, policies and procedures meet the new requirements;
- comply with new obligations relating to record keeping and the provision of information about beneficial ownership if you act as a trustee of a relevant trust;
- apply for approval to the SRA by 26th June 2018 if you are a beneficial owner, officer or manager of a firm (the SRA will announce how this is to be done).