Although not all activities carried out by the legal sector are within the money laundering regulations (“AMLR”), any firm which carries out regulated services must be registered for and comply with the AMLR and other anti-money laundering and counter terrorist financing legislation. A full list of regulated services is found here.
What does this mean for your firm?
The part of the AML compliance framework best known to everyone is the requirement to carry out due diligence. However, this is only part of the obligations placed on regulated firms. Other key obligations include the requirement to carry out a firm-wide risk assessment. This assessment is the basis for how the firm applies the “risk based approach” required throughout the AMLR.
Recent visits by the SRA have identified failings in significant numbers of the risk assessments produced by firms. These highlight both a lack of understanding of how to create a risk assessment and also a failure to implement adequate controls to mitigate the risks identified. Examples of common failings included:
- Use of risk assessment templates – although the use of a template is acceptable, the templates used did not reflect the activity of the firm and its particular risks arising from its client base, services and the way in which it operated.
- There was confusion between firm-wide risk assessments and matter risk assessments. Both are required, but they are different and focus on different aspects of the AML control framework.
- A significant number of firms failed to consider all of those risk aspects required to be taken into account by the money laundering regulations (regulation 18).
There was also a lack of understanding of the obligation to ensure that the policies and procedures which the firm had put in place were effective or indeed followed. The AMLR set out a requirement for an independent (of the AML compliance team) audit to establish and monitor effectiveness. Several firms pointed to an external audit which did not consider money laundering procedures and controls at all; others used the MLRO or MLCO to carry out the audit, which meant it was not independent. Other firms had not carried out any audit.
These framework elements of AML compliance should drive how the firm approaches its obligations in relation to AML compliance and the underlying policies and procedures, including those in relation to due diligence. Where there are weaknesses in understanding the risks to be mitigated, it is likely that there will be weaknesses in implementing procedures driven by risk assessment. The SRA found that there were deficiencies in due diligence in firms. These related to an understanding of the risks associated with the client (and therefore when enhanced due diligence was required), to poor procedures, and to failures to comply with procedures which were in place.
As a result of these findings the SRA has issued a warning in respect of risk assessment and further guidance in relation to the need to establish an independent audit function, who needs to have one and what the scope of the audit should be.
The SRA has indicated that firms will be expected to have taken account of the findings of the previous reviews, the “Warning” documents issued and the examples of good and poor practice. There is also an expectation that compliance teams will have sufficient resources to carry out their responsibilities.
How can BDO help?
BDO has a dedicated team of specialists who can assist with gap analysis between the regulatory requirements expected by the SRA and your policies and procedures. We can also assist in preparing risk assessments which are tailored to your firm’s business and client base, identifying the exposures which affect your firm.
Additionally, we can assist in developing and implementing an internal audit programme to test the effectiveness of your processes and procedures.
For further information please contact:
Fiona Raistrick, Partner, Economic Crime
Angela Foyle, Partner, Economic Crime
Michael Knight-Robson, Director, Economic Crime