Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires a regulated firm to implement internal controls where appropriate to the size and nature of the firm.
These controls are:
1. Appoint a person to be responsible for compliance with the regulations.
2. Screen relevant employees, both before the appointment is made and ongoing thereafter.
3. Establish an independent audit function.
So, what should the ‘controls’ look like and what is the appropriate ‘size and nature’?
In my experience, in legal services we don’t have many controls in place. Our colleagues in other industries, such as financial services, have lots. A control exists to check the efficacy of a policy and procedure. By way of an example, I am betting your firm has a confidential waste policy: “you must not put client information or confidential data in the normal waste paper bin”. You will have a procedure which says “You must put confidential waste in the bin for confidential shredding”. Very few firms, however, have a control which says “we will check the waste paper bins weekly to ensure that no confidential data has been put in there”.
It's great to have policies and procedures, but we usually only find out if they are effective when something goes wrong, by which time it’s too late to avoid the damage that the policy and procedure were designed to avoid.
The Regulation 21 controls are designed to make sure that you have someone who is tasked with making sure that the regulations are complied with, that we have people who know how to comply with them, and that we check that they are working.
Size and Nature
Implementation of these controls depends on the size and nature of the firm. When we were drafting the guidance at the Money Laundering Task Force, we grappled with how a firm decides on its size and nature. It’s not an easy thing to define. The Legal Sector Affinity Group decided on:
Factors you may consider when determining whether it is appropriate to apply those controls include:
The number of staff members your practice has
The number of offices your practice has and where they are located (including whether your practice has overseas offices)
Your client demographic
The nature and complexity of work your practice undertakes
The level of visibility and control that senior management has over client matters
(taken from the draft Legal Sector Affinity Group Guidance).
Sole practitioners who do not employ any staff are not caught by this by virtue of regulation 21(6).
In practice, I think firms will have appointed their COLP as being responsible for compliance (which is arguably already their job by virtue of the SRA authorisation rules). I think firms will be obtaining references for new staff, at times carrying out more rigorous criminal records type checks, and will be thinking about testing staff understanding after training courses.
I think less straightforward is establishing whether a firm needs an independent audit function. My personal view (rather than that of the Law Society) is that a firm does not have to be very big in order to be required to do this. Take this example: a firm that has about 50 people, across 2 offices, with all the staff collecting and recording their own due diligence, and lawyers making decisions about what sorts of inquiries to make regarding the purpose and nature of the transaction. Does the MLRO know that his policies are adhered to and are effective? If, hand on heart, he would say no, an audit would give him that visibility. The mischief the control is trying to get at is to ensure that the firm knows if the Policies, Controls and Procedures they have in place are working.
So if you decide you are the size and nature to need an independent audit function, who is going to do it? Do you have staff with the requisite knowledge and capacity to carry out the audit? Are they able to act independently? I think that resourcing alone would be a struggle for many of the smaller firms, and indeed a fair few of the larger firms, who might have an audit function, but without the necessary experience in AML.
An audit should include review of the policies and procedures, interviewing staff and reviewing files and accounts processes to ensure that the policies and procedures are deployed correctly.
With that in mind, we have put together a package of support for firms who can’t resource their audit internally. We can:
Review existing policies and procedures, including firm and matter risk assessments
Carry out on-site review of systems, policies and procedures
Interview staff members to test understanding
Provide feedback of observations and recommendations for improvement
In addition, we can help:
Rectify policies and procedures
Develop controls to ensure constant visibility as to compliance
Provide tailored in-house training to all staff members to embed learning
Provide ongoing support and monitoring
If you are still unsure how the “size and nature” test applies to your firm, I’d be more than happy to have a chat to you about it. We run a weekly “Ask a compliance expert” clinic so if you would like a place on that, email email@example.com and Sally will arrange to book you in.