The UK’s Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR2017) transposed the requirements of the EU 4th Anti-Money Laundering Directive (4AMLD), which brought law firms into scope for the respective AML requirements. MLR2017 came into effect on 26 June 2017, and supervisory authorities within the legal sector initially allowed a transitional period for legal professionals to adopt the new requirements. However, recent reviews of firms’ compliance by the Solicitors Regulation Authority (SRA) have found high levels of non-compliance, which resulted in the issuance of an AML warning notice to regulated persons and firms in May 2019.
In summary, firms now have a variety of AML requirements to adhere to, including:
- Firm-wide AML risk assessment: Firms are required to create and maintain a firm-wide written risk assessment specific to the size and nature of the business, considering the following six risk factors: type of clients; countries in which it operates; its products or service areas; types of transaction and delivery methods. The risk assessment must be updated, as appropriate; include an audit trail of steps taken to perform the assessment and the key information used to develop the risk assessment; and must be made available upon request by the SRA.
- AML Policies and Procedures & SAR filing: AML policies and procedures should be based on the money laundering and terrorist financing (ML/TF) risks identified in the Firm’s risk assessment and be reviewed annually for updates, where required. Policies and procedures should provide guidance for identifying and scrutinising complex transactions; identifying transactions with no apparent economic or legal purpose; and appropriately guide and inform staff of their responsibility to raise and disclose suspicious activity and file a suspicious activity report, where appropriate. A written record must be maintained for all updates and distribution of such policies and procedures to staff.
- Customer Due Diligence (CDD): Understanding the client and their respective ML/TF risks is fundamental to a strong AML and Financial Crime programme. CDD is required for all client relationships in regulated departments and must be assessed in relation to the type of client and matter. Ongoing monitoring is also a critical element of re-assessing risks on a continuous basis and ensuring information is refreshed and accurate.
- Training: Due to the technical nature of AML compliance, firms must provide training for relevant employees. Employees must be aware of the law regarding money laundering, terrorist financing, and data protection requirements. Such training should be provided regularly and should be developed according to staff level, responsibility and role at the Firm. Furthermore, it is critical that the Firm’s Money Laundering Reporting Officer (MLRO) and Money Laundering Compliance Officer (MLCO) have appropriate training to facilitate risk-based decision making and sharing of appropriate and informed guidance.
- Independent AML Audit: A risk-based approach should be taken to determine the frequency of an independent AML review, but a review should occur, at a minimum, following any material changes to the Firm’s risk assessment. The independent audit of a Firm’s AML programme must examine, evaluate and make recommendations regarding the adequacy and effectiveness of the Firm’s policies, procedures and controls to mitigate ML/TF risks.
- Record Retention and Data Protection: The requirements noted above are underpinned by record retention and data protection requirements, which must also be considered and embedded within all areas of the AML programme.
How Protiviti Can Help
Protiviti has experience in the interpretation and practical implementation of the MLR2017 requirements for the legal sector. Our experienced staff can leverage our AML subject matter expertise and experience across various institutions to provide recommendations for enhancements to critical elements of your AML programme.
Specifically, we can develop or enhance existing policies, procedures and controls to reflect the requirements of the regulations, tailored to the size and nature of your firm. We understand that embedding these practices into the firm is critical to enhancing the risk culture, and also offer assistance with the design and facilitation of training for staff customised to different audiences and levels of AML experience.
Furthermore, we have experience in performing independent AML programme audits; developing and documenting business-wide risk assessments; performing, validating and remediating customer KYC files; as well as providing guidance on industry standards for all other aspects of your AML programme.
Please feel free to contact us for additional information on areas where Protiviti can help you meet your AML obligations.