Eight AML questions the SRA may ask

The number of anti-money laundering (AML) audits conducted by the Solicitors Regulation Authority (SRA) are increasing, with ever larger fines imposed for breaches.

Hundreds of firms are visited to discuss their AML practices and procedures every year, and only around a third are deemed fully compliant (see the SRA’s Anti-money laundering annual report 2022–23).

Challenge yourself to answer the following questions. If you can’t, it’s unlikely you’re compliant.

1   Who leads on anti-money laundering in your firm?

Responsibility for your firm’s anti-money laundering lies with senior management. There are two roles that are required under the regulations:

• The key role is that of the money laundering reporting officer (MLRO), who acts as the gatekeeper for internal suspicious activity reports (SARs), among other responsibilities. All firms in scope need to have an MLRO in post.
• The second role is the money laundering compliance officer (MLCO) or money laundering compliance principal, who is responsible for day-to-day compliance. Although the need to appoint an MLCO is expressed in regulation as arising “where appropriate to the size and nature of the business”, it’s likely to be appropriate in the majority of cases.

These roles must be filled by individuals who have authority within the firm and a sound grasp of the AML requirements for law firms. Sole practitioners can undertake both roles.

2   Can you prove all relevant employees are AML trained?

Every employee and agent involved in client transactions, from management down, must understand the AML requirements for individuals and firms. Training should cover:

• the legal and regulatory requirements and responsibilities
• the specific AML policies, controls and procedures (PCPs) of your business, and
• how to recognise and report suspicious activities.

This training should be part of both the onboarding process and ongoing continuing professional development.

3   Do you have written PCPs tailored to your business?

Using generic AML PCPs isn’t enough. The regulations make it a requirement to have bespoke PCPs. To be compliant, they must be written down, specifically tailored to the risks of your business, and include:

• any relevant polices, such as your core AML policy
• any relevant procedures, such as customer due diligence (CDD) checks, or how to report suspicious activities
• your risk assessments (client, matter and business-wide), and
• your training records.

All employees and agents must read and acknowledge your firm’s PCPs, showing they’ve understood how to put them into practice.

4   Have you conducted the required risk assessments?

Understanding the AML risks unique to your business and clients is crucial. Conduct ongoing risk assessments for:

• your firm or business (firm-wide risk assessment)
• your service areas or departments or certain jurisdictions that represent unique risks, such as conveyancing, real estate and trusts
• individual transactions or matters (matter risk assessments), and
• each client (client risk assessment).

These will reveal any potential weaknesses and guide your PCPs. Remember, risk is ever-changing. Any change in your business or client base will trigger risk assessment updates.

5   Can you demonstrate up-to-date CDD?

CDD is the collective term for the checks you must do on your clients, which may differ depending on the circumstances. Conducting identity verification – electronically or manually – is a small part of your CDD. It should also include:

• using an independent and reliable source to verify your client’s identity (such as a passport)
• identifying where there’s a beneficial owner who is not the client
• taking reasonable measures to verify the identity of a beneficial owner and to understand the ownership and control structure, be it a legal person, trust, company or other
• assessing and obtaining information on the purpose and intended nature of the business relationship or transaction, where appropriate
• understanding the source of funds / wealth, and
• screening against sanctions, politically exposed persons (PEP) lists and adverse media reports.

Note that achieving enhanced due diligence compliance will involve significantly more checks than the above.

6   Is every AML action written down?

If it’s not documented, it didn’t happen. Your AML records are proof of compliance and are therefore your protection. It’s essential to keep an audit trail of:

• all AML documentation
• every risk assessment and action
• internal and external SARs, and
• employee training.

Record-keeping goes beyond fulfilling regulatory obligations – it could be pivotal to your defence should any client become involved in a criminal investigation.

7   Is there evidence of internal and external SARs?

You will need to report suspicious activities, should they occur. For your business to fulfil its legal obligations in this area, you need to:

• create an environment where submitting internal SARs becomes routine, and
• have an assessment process whereby your MLRO considers internal reports and decides whether to file an external one.

Should your MLRO choose not to file an external SAR to the National Crime Agency, it’s crucial to document why.

8   Is your AML up to date?

Ongoing monitoring is mandatory under regulation 28(11) of the Money Launder Regulations 2017. It’s an essential part of risk management because any communication could bring with it a change in the risk profile of a matter, a client or both.

Risk assessments should be re-evaluated at appropriate, regular intervals to update any potential risks that may change over time.