It was hard to read the SRA’s most recent Anti-Money Laundering Thematic Review and not have flashbacks to some of my old school reports. Geography aside, I tried hard at school but was sometimes easily distracted by the pursuit of shortcuts.
‘Amasis would benefit from taking a more active interest in this topic.’ The review’s findings make uncomfortable reading. Although most firms were fully compliant with their AML obligations, there were substantial failings by a significant minority. A full 26 out of 59 firms the SRA visited were referred into disciplinary processes as an outcome of the review. Since publication of the review, the SRA has issued an AML Warning Notice and written to 400 firms asking them to ‘demonstrate compliance’ with the money laundering regulations. The message is clear: AML is a priority for the SRA and expectations are high.
‘Amasis must remember the importance of showing his working out to demonstrate his understanding.’ Of the 59 firms the SRA visited, four did not have a firm-wide risk assessment and 24 could not show they had considered all the risk factors set out in the MLRs. The findings in relation to matter risk assessments were just as poor – five firms did not have a process in place for matter risk assessments, and fee-earners at nine firms were unable to provide an adequate risk assessment for the files reviewed by the SRA. This is really not OK. The requirement for risk assessments is over a decade old. They are not ‘nice to have’ but the foundation on which a firm’s policies, controls, procedures and risk-based customer due diligence should be based. They must be tailored to your firm and your risks. It is also a requirement they take into account the findings of national and SRA risk assessments.
Do your processes work? How do you know? What have you documented to show you have considered this? It is critical that firms are able to evidence their decisions and that the controls they have are appropriate. For example, if you have had no internal suspicious activity reports in the last 12-18 months have you considered why? Have you documented that you have reviewed and considered your controls and that in light of the relevant factors (size, client demographic, training, services provided and so on) it is not appropriate to have received any internal SARs? Alternatively, (especially considering the low bar for suspicion and the all crimes approach), your review may lead you to the conclusion that this is unusual. In which case you may want to document how you will address this, possibly by increasing the quality and/or quantity of training. In either case, the SRA may well consider that if you have not written it down you have not even thought about it.
‘Amasis has a good grasp of the subject and contributes well but has room for improvement.’ A major lesson from the review is that it is not enough merely to have the relevant risk assessments, and policies and procedures – they must be understood and consistently applied by all staff. This is best achieved by fostering a culture of compliance. The SRA does not expect this information to reside solely in the money laundering reporting officer and money laundering compliance officer. This means ensuring that everyone understands their AML obligations and the consequences of non-compliance, both individually and for the firm. Generic training on AML is unlikely to be sufficient. Fee-earners need to be educated on the risks specific to their kinds of work and their obligations under the MLRs, and to the firm’s AML policies and procedures.
The compliance landscape is becoming ever more complex. The SRA’s review highlights not only where some firms are getting it wrong on AML, but also the seriousness of the consequences. With the government consulting on new measures to tighten up MLRs, now is a good time to review your firm’s risk assessment and policies.
Amasis Saba is chair of the Law Society’s AML taskforce