AML – taking a risk-based approach

The term ‘risk-based approach’ (RBA) is ubiquitous amongst anti-money laundering (AML) professionals right now and, as with any other regulated sector, the legal industry has been looking for the best way to apply a RBA without disrupting business processes. However, while there is lots of guidance explaining what a RBA is, applying the approach effectively so that it controls risks is not always easy. Even taking into account the negative impact insufficient controls could have on a business, many firms appear reticent to commit time and effort to adopting the RBA, without more practical guidance from regulators.

In our latest webinar with The Law Society, How to meet your AML compliance obligations while keeping fee-earners happy, there was a strong consensus on the need to nurture a ‘compliance culture’ alongside implementing a thoughtfully calibrated RBA within law firms. A well-implemented RBA gives firms the flexibility to adjust their approach based on the risk presented and their own business needs, in turn this should make compliance processes much simpler, reducing friction and reinforcing a strong compliance culture.

That said, many legal firms are still struggling to answer a fundamental question – ‘how much due diligence is enough?’ – creating uncertainty as to the lengths they need to go to in order to mitigate each and every risk they identify. However, even if better, regulator-sponsored guidance existed, it’s unlikely it could be applied evenly across the legal sector. Law firms are exposed to a myriad of risks depending on their size, the services they provide, the clients they serve, the locations they operate in and the delivery channels they use. As such, each individual firm needs to evaluate and respond to specific risks identified in their risk assessments with balanced and considered, tailor-made measures and processes to satisfy regulatory obligations. In other words, one size does not fit all.

To achieve this, firms must move beyond seeing the RBA as just another regulatory burden, or a box that needs to be ticked; leaders should set the tone from the top by pro-actively promoting AML compliance. Creating a more open and collaborative compliance culture that embraces the RBA can bring many benefits (including keeping fee earners happy).

For instance, the RBA enables you to not only create flexible and bespoke compliance controls that protect, mitigate, and control the specific risks your business faces , but also to embed these controls in a way that is complementary to your firm’s structure, dynamics, and resources. In turn, this can significantly improve efficiency, reduce time spent on Know Your Client (KYC) processes, and help develop a strong compliance culture in your company. It also creates a symbiotic relationship: risks are understood and controls are targeted and easier to implement, so fee earners implement them, protecting themselves and the business. As Collette Best, director of anti-money laundering at the Solicitors Regulation Authority said during the webinar: “it is critical that we get the RBA right, so that we can target resources into the right areas of risk.”

This smart distribution of resources cannot only save you time and money and drive greater compliance buy-in but, perhaps even more importantly, can help you sleep at night, comfortable in the knowledge that you have the right controls focused on the right places.

So, how to achieve it? When assessing the risk, we want to consider every possible dimension: geographic risk, client risk, matter risk and delivery channel risk. Building a comprehensive, wide-angle view of the potential client helps identify higher risk and lower risk scenarios, highlighting where stronger controls are needed and where they can be simplified. This will allow firms to effectively evaluate risk and decide whether they want to engage with a given client and what level of due diligence they should perform. Achieving this requires the people in charge of implementing the RBA to have a solid knowledge of both AML requirements and company operations.

Even when a higher risk is identified, we needn’t fear the potential complexity of enhanced due diligence (EDD). Why? Because technology that can streamline the process and support responsible individuals in making informed, compliant decisions – faster – is getting better and becoming more accessible and affordable for all firms. Indeed, the right technology coupled with the right risk data will bring benefit across many AML controls. Whether conducting identity verification as part of the onboarding process, carrying out a client risk assessment before taking instruction, or implementing a monitoring programme to identify changes in client risk, using smart technology that has been purpose built to interrogate relevant data can significantly reduce any KYC burden. In turn this can support the roll out of an effective RBA, enabling compliance professionals to identify and target areas that present real risk and fee earners to focus on their revenue generating role.

Integrating tech and data into the legal workflow will certainly reduce the burden on fee earners and clients, whilst providing relevant information at the right time to help make risk-based decisions. A Law Society poll during the webinar backs this up; when asked what would encourage fee earners to properly implement AML policy and procedures, the highest proportion of respondents – 45% (154) – indicated that technologies that streamline the process of risk assessing and onboarding clients , would be of most benefit.

Even so, the expert panel also cautioned that technology shouldn’t be a subsitute for decisions made by reponsible individuals. Technology should be seen as a support function to facilitate the knowledge and experience of a highly capable compliance team, making informed decisions in a timely manner. There must always be plenty of thought applied and controls should be overseen by individuals who understand the information that technology will return and how this should be applied in their decision making.

Ultimately, a well calibrated RBA will lead you organically to the right procedures, reducing the time and resources needed to control and mitigate the risks your business is exposed to. Knowing your risks and having a good understanding of the AML tech that can help, puts you in a great position to implement the right RBA, protect your firm, and remain compliant, without making it burdensome for fee earners or getting in the way of doing business.