In this series, I cover my Top Tips for AML Compliance, here are the first 10……
1) Evidencing you have taken your supervisor’s risk assessment into account when preparing your own. All firms must have regard to their supervisor’s risk assessment when preparing their own. (Reg18(2)) Make sure it is mentioned in the steps you’ve taken in preparing the risk assessment. If your assessment of risk differs with theirs, explain why.
2) In your Firm Risk Assessment, don’t forget to include the risk from the client account. It’s referenced in the National Risk Assessment and the Supervisors Risk Assessment so it should be in yours. Often the focus is solely on the work types and firms don’t always identify the more generic operational risks. Detail what you do to protect the client account in the risk mitigation section. Also don’t forget to include or cross reference your accounts procedures (e.g. timing of accepting funds and refusing to provide banking facilities and how you deal with funds from third parties) in your AML policy.
3) Source of Funds and Wealth! So big I can’t cover it in 1300 characters. Look out for a free “ask me anything” webinar coming soon! In the meantime, tell people what you want them to do, ask them to RECORD the steps they’ve taken, that they’ve reviewed the information and most importantly their assessment of risk having considered the information they have. I ask lawyers all the time, “if I were to look at your files tomorrow would I be able to see you have considered the source of funds and source of wealth?”
4) Client Communication. Help your lawyers with what to say to clients about why the firm carries out CDD, in particular source of funds and wealth enquiries. If I had a pound for every time I heard the concern that “clients will think they are being accused/would be insulted if we asked”......., actually clients don’t mind being asked nearly as much as we think they do - everyone asks all the time. But it does help if you give your lawyers some wording to explain the rationale for the checks. (I know because they ask me all the time!) Some people explain that it’s a legal obligation, but I much prefer explaining why money laundering is a problem, (enabling criminality, human trafficking, damage to the local and national economy) and why we as a firm care about that, that the checks are essential in playing our part to prevent money laundering. Clients understand this and are often appreciative of your efforts.
5) Managing the timing of verification. This was the first job I had in AML. You know the law, you must complete the ID&V part of CDD before the establishment of a business relationship or before carrying out a transaction. Some firms won’t issue a file number until it’s done. The #SRA certainly seem in favour of that approach (see their thematic report from March 2018) However, many firms open the file first but require CDD to be completed soon thereafter, using the exception in Regulation 30(3). If you are going to do that, make sure you monitor that ID&V is in fact completed “as soon as practicable”. Make sure you can track the files and that CDD is obtained. I see many policies which say the CDD must be obtained in say, 7 or 14 days, or work must stop, but it’s not always clear how that is managed. Is it a system issue, the file locks to prevent any further work, or is it manual, with compliance checking and chasing? Whatever it is, include it in your written procedure and be ready to show an auditor/the regulator the records of the monitoring.
6) CDD on existing clients I see all the time, “we will rely on existing client due diligence unless we become aware of a change in the client’s identity, risk profile or there is a 3 year gap in instructions”. That’s because it is in the guidance. However, in theory, for an existing client that instructs once every 2 years, the CDD would never be refreshed if the lawyer doesn’t “become aware” of a change. For a private individual, they are unlikely to change their identify but a company could, their beneficial owners could, and where you don’t act for the the beneficial owners, how would you know? Now, of course, we could have a discussion about “become aware” and what is expected in terms of investigation, I’d be interested in your thoughts. In my experience little thought is actually given to whether there has been a change, it’s often “yes we have CDD from last time, so I can crack on” For me, I have always preferred to give the CDD a “shelf life” - the longest we will rely on existing CDD is x months/years and then we will refresh. I would also capture the consideration of whether the fee earner thinks anything has changed in the matter risk assessment.
7) “Purports to act” The Regulations require that where a person purports to act on behalf of the customer, you verify the person’s authority to act and ID&V them. Some people have taken that to mean a director, but if you look at the guidance for the Legal Sector, it refers to a “representative”. Most firms take the view that a director does not “purport” to act, they do act for the company. Usually I see firms apply Regulation 28(10) when they have an agent or attorney situation. That said, I’m still a fan of ID&Ving at least one director because I like to know a real person is attached to the corporate client.
8) Information for clients. The Money Laundering Regulations 2017 were amended by the Data Protection Act 2018 Make sure you’re giving your clients the required information.
9) Know how your electronic verification searches work! Many firms now have electronic verification of ID as part of their CDD processes. I was an early adopter, in 2006. I’m still a big fan. But be careful, I find many people can’t explain to me how they work, what they are checking and how many matches are required to pass. Is it checking what you think it’s checking? Sometimes I see examples of CDD searches passing with the wrong date of birth in! Also, if the contract with the provider was agreed with the previous MLRO and you are the new one, make sure you are fully briefed. We’re working on a report looking at the providers on the market. If you’re a provider and you’d like to take part, get in touch.
10) Be careful who you ask to certify copy ID. I had a fake passport in once, it was certified by a Vet. I’ve nothing against Vets but I prefer to rely on someone who is either well briefed, or is familiar with the AML legislations, like lawyers and accountants. Also, you (or indeed the police) may want to speak to the certifier in the future so make sure it’s someone who can be traced. That’s going to be difficult if you rely on post office or bank counter staff. Make sure they’ve signed and dated the certification and their name is printed so you can read it. I find giving the client an explanation of what’s needed that they can hand to the certifier is the most effective way of getting it right.