The Money Laundering Regulations 2017 came into force last June but there isn’t much written about them. For such a major initiative, I’d have expected more of a splash.
Generally, they represent evolution rather than revolution, maintaining the same approach but subtly adding bits here and there. The big exception is regulation 18 for firms to ‘take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.’ This means taking into account information from the SRA; risk factors relating to clients, countries in which we operate, products and services, transactions, delivery channels; and the size and nature of the business.
Further, we must assess ‘the skills, knowledge and expertise of individuals to carry out their functions effectively’, and their conduct and integrity (reg 21(1) and (2) – these apply to ‘persons relevant to compliance and otherwise capable of contributing to the identification or mitigation’… of ML. In other words, all partners, fee earners, accounts staff, and possibly support staff also – in a smaller firm, probably everyone. Further, you must keep written records of the inputs, and disclose all of this to the SRA.
This came into force last June: there is no extended by-when, so if you haven’t done one then you are in breach.
Many readers will have received the SRA’s questionnaire in January, the replies to which will inform the SRA’s required own sectoral risk assessment. For all the information available to them, I was shocked that they asked such basic questions. The SRA has to share its information with the ‘regulated community’ but it appears that either they don’t have that much, or that they are keeping what they do have to themselves.
There’s a wealth of risk management advice relating to AML on the SRA’s website, and their scam alerts are useful – but it is all rather high level and not always of obvious application.
But this is no different to other official bodies. The National Risk Assessment (HM Treasury, October 2017) states that legal services pose a high risk, partly because there are so many firms, the challenges of supervising them all, complicit, unwitting or negligent solicitors, and changing delivery channels.
Again, all this is incredibly high level, and frankly of little practical assistance to a firm’s risk assessment. I don’t know of any official body that publishes anything that is easily applied. Regulators must understand that more practical guidance is desperately needed.
There are several official AML bodies, many apparently doing similar things. They produce high-level output that’s hard to understand and difficult to apply. For example, ‘Moneyval’ – or, the Council of Europe’s ‘Committee of Experts on the Evaluation of Anti-Moneylaundering Measures and the Financing of Terrorism.’
A few questions for my readers: did you know that Moneyval exists? are you familiar with its role, where it sits in the pecking order of AML organisations, and the relevance of its output to your firm? If the answer to any of these is ‘no’, then you absolutely must convert that ‘no’ to a ‘yes’. Regulators will expect you to be familiar with all efforts to eliminate ML and how you can use international output to inform your own work.
So, that ML assessment. Have you done one? It’s no good just looking at the statutory factors – they are minimal, and don’t tell you very much. You must cast your net far wider. Official publications are out of date the next day; how are you keeping your risk assessment up to date? You must be sure that it will withstand regulatory scrutiny and be able to justify the factors that you have included. This is important for three reasons:
Fee earners performing individual client ML risk assessments need to take into account the firm’s risk assessment (regulation 28(12))
Firms must demonstrate that their client due diligence measures are appropriate – including to address the risks identified by the firm’s risk assessment (regulation 28(16))
The SRA is required to review firms’ risk assessments, and also the adequacy of the policies, controls and procedures (‘PCPs’) adopted and the way in which those PCPs are implemented. Therefore, expect your work, including your PCPs, to come under intense scrutiny (regulation 46(4))
If you need help in compiling your risk assessment, or in updating your AML policies, controls and procedures, then contact us at Enderley Consulting today on 01743 294863. We can help you get this right!