When the Solicitors Regulation Authority visited 50 firms last year as part of its Prevention of Money Laundering and Terrorist Financing Thematic Review, it took a close look at the question of compliance with the Money Laundering Regulations 2017 (MLR). In particular, the SRA focused on the then-new requirements to undertake a practice-wide money laundering and terrorist financing (ML/TF) risk assessment.
Of 50 visited, only a quarter of firms had such a risk assessment in place. Since then most firms have implemented risk assessment procedures, and some will be about to commence their annual risk assessment process again. Any firms that have still not prepared their assessment are now very much behind the curve.
As the SRA undertakes a similar series of visits for its 2018 review, we take a look at some practical tips for firms refreshing their money laundering and terrorist financing (ML/TF) risk assessment process.
What is an ML/TF risk assessment, who needs one, and how is it done?
The ML/TF risk assessment is the exercise of identifying the firm’s key risks and testing the controls in place to mitigate those risks. The risk assessment seeks to measure the firm’s exposure to the risks it faces and to plan actions to reduce those risks. Any firm undertaking regulated business will need to undertake this process.
There are many different ways to conduct the risk assessment process, and there is no one-size-fits-all method. Any good risk assessment requires a detailed understanding of the nature of the firm’s business, and an evaluation of the controls which impact on the risks inherent in the work. Firms must consider the ML/TF risk attaching to client base, geographical sphere of operations, transactions, products and services, and delivery channels. There is plenty of guidance available to help with identifying the risks associated with those five areas, in particular the Legal Sector Affinity Group’s (LSAG) AML Guidance for the Legal Sector, the SRA’s own risk assessment, the UK National Risk Assessment, the JMLSG Guidance and Appendices and the Wolfsberg Frequently Asked Questions.
Who should undertake the risk assessment?
This depends on the size and the nature of the business. Firms with AML advisory/compliance practices may be able to commission those teams to conduct the process in-house. For some smaller firms the MLRO may well be the most experienced and appropriate assessor, although they must have the bandwidth to undertake the process, which, for sizeable or more complex practices, can be time consuming.
For larger firms with complex or substantial regulated business, it will often be appropriate to engage an external provider. Firms should ask to see anonymised examples or extracts of previous risk assessments and should not be afraid to test knowledge of business-specific AML risk.
What questions need to be asked?
Firms needn’t reinvent the wheel and should use existing risk resources to collect information about the firm’s risk landscape. Larger firms should consult their client onboarding function, one of the first stops in understanding both inherent risk and control effectiveness. Management information, facts and figures should also be interrogated. Preliminary questions include:
- How many current clients, including breakdown by practice area and whether regulated or non-regulated?
- Number of clients opened per practice area annually?
- How many are repeat instructors?
- What is the breakdown of individuals/corporates?
- How many corporate clients are listed entities? How many are UK/EU based?
- How many clients are subject to EDD/SDD/Standard CDD?
- How many PEP clients? Clients with a sanctions connection? Severe adverse media hits? Connected to a high-risk jurisdiction? Remote (non-face-to-face) clients?
- Does the firm log breaches and/or AML-related issues?
- How many internal/external SARs over the last one/three/five years?
- What trends can be identified from those SARs?
- When was the last audit with an AML component? What do the findings say?
Not all firms will be able to answer these questions. Collecting management information will be key to informing the risk assessment; if it’s not possible to lay hands on these statistics, consider what changes should be made to the firm’s record-keeping process so that it can be retrieved and analysed going forward.
The MLCO’s role
Sometimes it’s hard to get traction with the business when conducting a risk assessment, and more so when it remains in-house. Busy fee-earners may not feel able to set aside time to engage. Tone from the top is essential in changing to a culture where ML/TF risk is taken more seriously and afforded more prominence. As the person with legal responsibility in this area, the money laundering compliance officer (MLCO) is personally accountable and will be the key to unlocking participation.
Control effectiveness – easy wins
Little about the risk-assessment process can be described as ‘easy’ – for most firms it will be an involved and detailed undertaking. There are, however, some straightforward improvements that can be implemented with relative speed and will result in a measurable impact on control effectiveness:
- Refuse to take cash: one of the simplest measures to protect against ML/TF risk;
- Share client risk designations widely: ensure fee-earners are notified when dealing with a higher risk client to encourage better transaction monitoring;
- Protect the firm’s client account – don’t give out the account details in routine correspondence;
- Commission an annual MLRO’s report to identify trends and emerging threats;
- Impose a system for identifying third party payments;
- Deliver mandatory AML training to all relevant staff, with controls around a failure to attend; and
- Circulate LSAG’s money laundering warning signs for a tailored view of risk per practice area.
Ruth Paley is principal associate barrister at Eversheds Sutherland