Anti-money laundering

Print this entire practice note
Approx 130 pages in A4 format

Anti-money laundering

Practice note

Legal policy

15 December 2007

Anti-money laundering practice note – 15 December 2007

In force from 15 December 2007

This practice note is to help you comply with the Proceeds of Crime Act 2002, Terrorism Act 2000 and Money Laundering Regulations 2007. It also details good practice.

It applies to suspected money laundering occurring from 15 December 2007 to 22 February 2008.

For suspected money laundering occurring before 15 December 2007, refer to our previous guidance.

Top of page

Definitions and glossary

Definitions

Beneficial owners see - chapter 4.7
Business relationship a business, professional or commercial relationship between a relevant person and a customer, which is expected by the relevant person at the time when contact is established to have an element of duration
Customer due diligence see - chapter 4
Criminal conduct conduct which constitutes an offence in any part of the UK or would constitute an offence in any part of the UK if it occurred there ? see s340(2) of POCA
Criminal property property which is, or represents, a person's benefit from criminal conduct, where the alleged offender knows or suspects that it is such ? see also the definition of property
Disclosure a report made to SOCA under the Proceeds of Crime Act 2002 ? also referred to as a suspicious activity report (SAR)
Insolvency practitioner any person who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986 (as amended) or article 3 of the Insolvency (Northern Ireland) Order 1989 (as amended)
Inter vivos trust a trust which takes effect while a person is alive
Legal professional privilege see - chapter 6.4
Nominated officer a person nominated within the firm to make disclosures to SOCA under the Proceeds of Crime Act 2002 ? also referred to as a money laundering reporting officer (MLRO)
Occasional transaction a transaction (carried out other than as part of a business relationship) amounting to 15,000 euros or more, whether the transaction is carried out in a single operation or several operations which appear to be linked
Ongoing monitoring see - chapter 4.4
Overseas criminal conduct

conduct which occurs overseas that would be a criminal offence if it occurred in the UK

does not include conduct which occurred overseas where it is known or believed on reasonable grounds that the relevant conduct occurred in a particular country or territory outside the UK, and such conduct was in fact not unlawful under the criminal law then applying in that country or territory

that exemption will not apply to overseas criminal conduct if it would attract a maximum sentence in excess of 12 months imprisonment were the conduct to have occurred in the UK

will always be exempt if the overseas conduct is such that it would constitute an offence under the Gaming Act 1968, the Lotteries & Amusements Act 1976 or s23 or s35 of the Financial Services and Markets Act 2000

see s102 of SOCPA
Politically exposed persons see - chapter 4.9.2
Privileged circumstances see - chapter 6.5
Property all property whether situated in the UK or abroad, including money, real and personal property, things in action, intangible property and an interest in land or a right in relation to any other property.
Regulated sector activities, professions and entities regulated for the purposes of AML/CTF obligations - see chapter 1
Tax adviser a firm or sole practitioner who, by way of business, provides advice about the tax affairs of another person, when providing such services
Terrorist property money or other property which is likely to be used for the purposes of terrorism, the proceeds of the commission of acts of terrorism and the proceeds of acts carried out for the purposes of terrorism
Trust or company service provider

a firm or sole practitioner who by way of business provides any of the following services to other persons -

  1. forming companies or other legal persons
  2. acting or arranging for another person to act
    1. as a director or secretary of a company;
    2. as a partner of a partnership; or
    3. in a similar position in relation to other legal persons;
  3. providing a registered office, business address, correspondence or administrative address or other related services for a company, partnership or any other legal person or arrangement;
  4. acting, or arranging for another person to act, as -
    1. a trustee of an express trust or similar legal arrangement; or
    2. a nominee shareholder for another person other than a company listed on a regulated market when providing such services.

Top of page

Glossary

AIM Alternative Investment Market
AML / CTF Anti-money laundering / counter-terrorist financing
CDD Customer due diligence
EEA European Economic Area
FATF Financial Action Task-force
FSA Financial Services Authority
GRO General Register Office
HMRC Her Majesty's Revenue and Customs
IBA International Bar Association
JMLSG Joint Money Laundering Steering Group
LLP's Limited Liability Partnerships
LPP Legal professional privilege
PEPs Politically exposed persons
POCA Proceeds of Crime Act 2002
Regulations Money Laundering Regulations 2007
SARs Suspicious activity reports
SRA Solicitors Regulation Authority
SOCA Serious Organised Crime Agency
Terrorism Act Terrorism Act 2000
Third directive Third European Money Laundering Directive

Top of page

Chapter 1 - introduction

Contents

1.1 General comments

Solicitors are key professionals in the business and financial world, facilitating vital transactions that underpin the UK economy. As such, they have a significant role to play in ensuring their services are not used to further a criminal purpose. As professionals, solicitors must act with integrity and uphold the law, and they must not engage in criminal activity.

Money laundering and terrorist financing are serious threats to society, losing revenue and endangering life, and fuelling other criminal activity.

This practice note aims to assist solicitors in England and Wales to meet their obligations under the UK anti-money laundering and counter-terrorist financing (AML/CTF) regime.

Top of page

1.2 Status of this practice note

This practice note replaces previous Law Society guidance and good practice information on complying with AML/CTF obligations.

The purpose of this practice note is to:

  • outline the legal and regulatory framework of AML/CTF obligations for solicitors within the UK
  • outline good practice on implementing the legal requirements
  • outline good practice in developing systems and controls to prevent solicitors being used to facilitate money laundering and terrorist financing
  • provide direction on applying the risk-based approach to compliance effectively

The Solicitors Regulation Authority will take into account whether a solicitor has complied with this practice note when undertaking its role as regulator of professional conduct, and as a supervisory authority for the purposes of the Regulations. This practice note is not mandatory but a solicitor may be asked by the SRA to justify a decision to deviate from it.

Some solicitors' firms are authorised and regulated by the FSA because they are involved in mainstream regulated activities eg advising clients directly on investments such as stocks and shares. Those firms should also consider the Joint Money Laundering Steering Group's guidance .

This practice note is not a substitute for the law and compliance with it is not of itself a defence to offences under POCA, the Terrorism Act or the Regulations. However, courts will generally have regard to any good practice on a particular topic issued by a professional body when considering the standard of a professional's conduct and whether they acted reasonably, honestly and appropriately.

We are seeking Treasury approval of this practice note, which, in accordance with Regulation 45(2), will require the court to consider compliance with its contents in assessing whether a person committed an offence or took all reasonable steps and exercised all due diligence to avoid committing the offence.

Top of page

1.3 Definition of money laundering

Money laundering is generally defined as the process by which the proceeds of crime, and the true ownership of those proceeds, are changed so that the proceeds appear to come from a legitimate source. Under POCA, the definition is broader and more subtle. Money laundering can arise from small profits and savings from relatively minor crimes, such as regulatory breaches, minor tax evasion or benefit fraud. A deliberate attempt to obscure the ownership of illegitimate funds is not necessary.

There are three acknowledged phases to money laundering: placement, layering and integration. However, the broader definition of money laundering offences in POCA includes even passive possession of criminal property as money laundering.

  • 1.3.1 Placement

    Cash generated from crime is placed in the financial system. This is the point when proceeds of crime are most apparent and at risk of detection. Because banks and financial institutions have developed AML procedures, criminals look for other ways of placing cash within the financial system. You can be targeted because a solicitor's firm commonly deals with client money.

  • 1.3.2 Layering

    Once proceeds of crime are in the financial system, layering obscures their origins by passing the money through complex transactions. These often involve different entities like companies and trusts and can take place in multiple jurisdictions. You may be targeted at this stage and detection can be difficult.

  • 1.3.3 Integration

    Once the origin of the funds has been obscured, the criminal is able to make the funds reappear as legitimate funds or assets. They will invest funds in legitimate businesses or other forms of investment, often using you to buy a property, set up a trust, acquire a company, or even settle litigation, among other activities. This is the most difficult stage of money laundering to detect.

Top of page

1.4 Legal framework

  • 1.4.1 Financial Action Task Force (FATF)

    This was created in 1989 by the G7 Paris summit, building on UN treaties on trafficking of illicit substances in 1988 and confiscating the proceeds of crime in 1990. In 1990, FATF released their 40 recommendations for fighting money laundering. Between October 2001 and October 2004 it released nine further special recommendations to prevent terrorist funding.

  • 1.4.2 European Union directives

    • 1991 ? first money laundering directive

      The European Commission issued this to comply with the FATF recommendations. It applied to financial institutions, and required member states to make money laundering a criminal offence. It was incorporated into UK law via the Criminal Justice Act 1991, the Drug Trafficking Act 1994 and the Money Laundering Regulations 1993.

    • 2001 ? second money laundering directive (PDF, 122kb)

      This incorporated the amendments to the FATF recommendations. It extended anti-money laundering obligations to a defined set of activities provided by a number of service professionals, such as independent legal professionals, accountants, auditors, tax advisers and real estate agents. It was incorporated into UK law via the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2003.

    • 2005 ? third money laundering directive (PDF, 302kb)

      This extended due diligence measures to beneficial owners, recognising that such measures can be applied on a risk-based approach, and required enhanced due diligence to be undertaken in certain circumstances. It is incorporated into UK law by the Money Laundering Regulations 2007.

  • Top of page

    1.4.3 Proceeds of Crime Act 2002 (POCA)

    • Scope

      POCA, as amended, establishes a number of money laundering offences including:

      • principal money laundering offences
      • offences of failing to report suspected money laundering
      • offences of tipping off and prejudicing money laundering investigations

      Original Act and amended legislation .

    • Application

      POCA applies to all persons, although certain failure to report offences only apply to persons who are engaged in activities in the regulated sector.

      From 15 December 2007, the Proceeds of Crime Act 2002 (Business in the Regulated Sector and Supervisory Authorities) Order 2007 amends the Proceeds of Crime Act 2002, changing the definition of the regulated sector to bring it into line with the Money Laundering Regulations 2007.

      Under Schedule 9 of POCA, key activities which may be relevant to you are the provision by way of business in one of the following ways:

      • advice about the tax affairs of another person by a firm or sole practitioner
      • legal or notarial services by a firm or sole practitioner involving the participation in financial or real property transactions concerning
        • the buying and selling of real property or business entities
        • the managing of client money, securities or other assets
        • the opening or management of bank, savings or securities accounts
        • the organisation of contributions necessary for the creation, operation or management of companies
        • the creation, operation or management of trusts, companies or similar structures

      Chapters 5 , 6 , and 8 of this practice note provide more details on your obligations under POCA.

  • Top of page

    1.4.4 Terrorism Act 2000

  • Top of page

    1.4.5 The Money Laundering Regulations 2007

    • Scope

      From 15 December 2007, the Money Laundering Regulations 2007 enter force, repealing and replacing the Money Laundering Regulations 2003 and implementing the third directive. They set administrative requirements for the anti-money laundering regime within the regulated sector and outline the scope of customer due diligence.

      The Regulations aim to limit the use of professional services for money laundering by requiring professionals to know their clients and monitor the use of their services by clients.

      Copy of the regulations

    • Application

      Regulation 3 states that the regulations apply to persons acting in the course of businesses carried on in the UK in the following areas:

      • credit institutions
      • financial institutions
      • auditors, insolvency practitioners, external accountants and tax advisers
      • independent legal professionals
      • trust or company service providers
      • estate agents
      • high value dealers
      • casinos
      • Independent legal professional

        An independent legal professional includes a solicitor working in a firm or as a sole practitioner who by way of business provides legal or notarial services to other persons. It does not include solicitors employed by a public authority or working in-house.

        The Regulations only apply to certain solicitors' activities where there is a high risk of money laundering occurring. As such, they apply where solicitors participate in financial or real property transactions concerning:

        • buying and selling of real property or business entities
        • managing of client money, securities or other assets
        • opening or management of bank, savings or securities accounts
        • organisation of contributions necessary for the creation, operation or management of companies
        • creation, operation or management of trusts, companies or similar structures

        You will be participating in a transaction by assisting in the planning or execution of the transaction or otherwise acting for or on behalf of a client in the transaction.

      • Activities covered by the regulations

        In terms of the activities covered, note that:

        • managing client money is narrower than handling it
        • opening or managing a bank account is wider than simply opening a solicitor's client account. It would be likely to cover solicitors acting as a trustee, attorney or a receiver
      • Activities not covered by the regulations

        The Treasury has confirmed that the following would not generally be viewed as participation in financial transactions:

        • preparing a home information pack or any document or information for inclusion in a HIP - it is specificlly excluded under Regulation 4(1)(f)
        • payment on account of costs to a solicitor or payment of a solicitor's bill
        • provision of legal advice
        • participation in litigation or a form of alternative dispute resolution
        • will-writing, although you should consider whether any accompanying taxation advice is covered
        • publicly-funded work

        If you are uncertain whether the Regulations apply to your work, seek legal advice on the individual circumstances of your practice or simply take the broadest of the possible approaches to compliance with the Regulations.

      • Working elsewhere in the regulated sector

        When deciding whether you are within the regulated sector for the purpose of the regulations, you also need to consider whether you offer services bringing you within the definitions of a tax adviser , insolvency practitioner , or trust or company service provider . You must also consider the full range of related services, such as tax planning.

        You will also need to consider whether your firm undertakes activities falling within the definition of financial institution, particularly with respect to the list of operations covered by the banking consolidation directive, as contained in schedule 1 of the regulations . When considering those operations, you should note that a will is not a designated investment, so storing it is not a safe custody service, and is not covered by the Regulations.

        Being nominated as a trustee under a will does not amount to being a trust and company service provider, because the trust is not formed until the testator's death.

        If you are within the regulated sector in a category other than independent legal professional, this may affect your supervision under these regulations.

Top of page

1.5 Other Law Society services

We provide a number of other services to assist you in meeting your AML/CTF obligations:

  • a monthly e-newsletter, Gatekeeper, providing updates on legislation and case law, highlighting emerging warning signs and criminal methodologies and detailing training opportunities
  • the Practice Advice Service, which can be contacted on 0870 606 2522 during office hours, which will help you to navigate the practice note and talk through general issues relating to compliance
  • the AML directory listing solicitors willing to give other solicitors thirty minutes of free advice on legal issues relating to compliance
  • training opportunities

All of the Law Society's AML/CTF services can be accessed from www.lawsociety.org.uk/moneylaundering .

Top of page

1.6 Acknowledgements

Many have had input into the preparation of this practice note. The members of the Money Laundering Task Force and others mentioned below deserve particular acknowledgement for both the time and energy they have committed to the development of the guidance.

Task force

Robin Booth BCL Burton Copeland
Alison Matthews Irwin Mitchell
Christopher Murray Kingsley Napley
Peter Burrell Herbert Smith
Stephen Gentle Kingsley Napley
Nicola Boulton Byrne and Partners
Louise Delahunty Simmons and Simmons
Nick Cray Lovells
Peter Rodd Boys and Maugham
Chris McNeil Freshfields Bruckhaus Deringer

Law Society staff

Che Odlum Policy Adviser
Emma Oettinger Policy Adviser
James Richards E-communications Manager

Others

Richard Bark-Jones Morecrofts
Daren Allen DLA Piper
Sarah de Gay Slaughter and May
Clive Cutbill Withers
Johanna Waritay Clifford Chance
Suzie Ogilvey Linklaters
Elizabeth Richards SRA

The Law Society would also like to specifically thank the following people for the generous provision of their time and expertise in assisting the Law Society with its campaign to ensure that the requirements regarding identification of beneficial owners were sufficiently clear and workable:

Richard Bark-Jones Morecrofts
Toby Graham Farrer & Co
Rabinder Singh QC Matrix Chambers
Alex Balin Matrix Chambers
Michael Furness QC Wilberforce Chambers
Nicholas Le Poidevin Lincolns Inn
Nicholas Green QC Brick Court Chambers
Martyn Frost STEP
Keith Johnston STEP
Jacob Rigg STEP

Top of page

Chapter 2 - the risk-based approach

Contents

2.1 General comments

The possibility of being used to assist with money laundering and terrorist financing poses many risks for your firm, including:

  • criminal and disciplinary sanctions for firms and individual solicitors
  • civil action against the firm as a whole and individual partners
  • damage to reputation leading to a loss of business

These risks must be identified, assessed and mitigated, just as you do for all business risks facing your firm. If you know your client well and understand your instructions thoroughly, you will be better placed to assess risks and spot suspicious activities. Applying the risk-based approach will vary between firms. While you can, and should, start from the premise that most of your clients are not launderers or terrorist financers, you must assess the risk level particular to your firm and implement reasonable and considered controls to minimise those risks.

No matter how thorough your risk assessment or how appropriate your controls, some criminals may still succeed in exploiting you for criminal purposes. But an effective, risk-based approach and documented, risk-based judgements on individual clients and retainers will enable your firm to justify your position on managing the risk to law enforcement, courts and professional supervisors (oversight bodies).

The risk-based approach means that you focus your resources on the areas of greatest risk. The resulting benefits of this approach include:

  • more efficient and effective use of resources proportionate to the risks faced
  • minimising compliance costs and burdens on clients
  • greater flexibility to respond to emerging risks as laundering and terrorist financing methods change

Top of page

2.2 Application

The Money Laundering Regulations 2007 permit a risk-based approach to compliance with customer due diligence obligations.

This approach does not apply to reporting suspicious activity, because POCA and the Terrorism Act lay down specific legal requirements not to engage in certain activities and to make reports of suspicious activities once a suspicion is held. [See chapters 5 and 7 ] The risk-based approach still applies to ongoing monitoring of clients and retainers which enables you to identify suspicions.

Top of page

2.3 Assessing your firm's risk profile

This depends on your firm's size, type of clients, and the practice areas it engages in.

You should consider the following factors:

  • 2.3.1 Client demographic

    Your client demographic can affect the risk of money laundering or terrorist financing. Factors which may vary the risk level include whether you:

    • have a high turnover of clients or a stable existing client base
    • act for politically exposed persons ( PEPs )
    • act for clients without meeting them
    • practice in locations with high levels of acquisitive crime or for clients who have convictions for acquisitive crimes, which increases the likelihood the client may possess criminal property
    • act for clients affiliated to countries with high levels of corruption or where terrorist organisations operate
    • act for entities that have a complex ownership structure
    • are easily able to obtain details of beneficial owners of your client or not

    Top of page

    2.3.2 Services and areas of law

    Some services and areas of law could provide opportunities to facilitate money laundering or terrorist financing. For example:

    • complicated financial or property transactions
    • providing assistance in setting up trusts or company structures, which could be used to obscure ownership of property
    • payments that are made to or received from third parties
    • payments made by cash
    • transactions with a cross-border element

    Simply because a client or a retainer falls within a risk category does not mean that money laundering or terrorist financing is occurring. You need to ensure your internal controls are designed to address the identified risks and take appropriate steps to minimise and deal with these risks. Read examples of possible internal controls .

    Chapter 11 provides more information on warning signs to be alert to when assessing risk.

Top of page

2.4 Assessing individual risk

Determining the risks posed by a specific client or retainer will then assist in applying internal controls in a proportionate and effective manner.

You may consider whether:

  • your client is within a high risk category
  • you can be easily satisfied the CDD material for your client is reliable and allows you to identify the client and verify that identity
  • you can be satisfied you understand their control and ownership structure
  • the retainer involves an area of law at higher risk of laundering or terrorist financing
  • your client wants you to handle funds without an underlying transaction, contrary to the Solicitors' Account Rules
  • there are any aspects of the particular retainer which would increase or decrease the risks

This assessment helps you adjust your internal controls to the appropriate level of risk presented by the individual client or the particular retainer. Different aspects of your CDD controls will meet the different risks posed:

  • If you are satisfied you have verified the client's identity, but the retainer is high risk, you may require fee earners to monitor the transaction more closely, rather than seek further verification of identity.
  • If you have concerns about verifying a client's identity, but the retainer is low risk, you may expend greater resources on verification and monitor the transaction in the normal way.

Risk assessment is an ongoing process both for the firm generally and for each client, business relationship and retainer. In a solicitor's practice it is the overall information held by the firm gathered while acting for the client that will inform the risk assessment process, rather than sophisticated computer data analysis systems. The more you know your client and understand your instructions, the better placed you will be to assess risks and spot suspicious activities.

Top of page

Chapter 3 - systems, policies and procedures

Contents

3.1 General comments

Develop systems to meet your obligations and risk profile in a risk-based and proportionate manner. Policies and procedures supporting these systems mean that staff apply the systems consistently and firms can demonstrate to oversight bodies that processes facilitating compliance are in place.

3.2 Application

Regulation 20 of the Money Laundering Regulations 2007 requires the regulated sector to have certain systems in place. If you are in the regulated sector, failing to have those systems is an offence, punishable by a fine or up to two years' imprisonment. You must demonstrate your compliance to the SRA, as supervisor under the regulations.

If you are outside the regulated sector, you should still consider how these systems can assist you to comply with your obligations to report suspicious transactions in accordance with POCA and the Terrorism Act .

Top of page

3.3 Nominated officers

  • 3.3.1 Why have a nominated officer?

    Regulation 20(2)(d)(i) requires that all firms within the regulated sector must have a nominated officer to receive disclosures under Part 7 of POCA and the Terrorism Act , and to make disclosures to SOCA.

    Regulation 20(3)provides that there is no requirement to have a nominated officer in the regulated sector if you are an individual who provides regulated services but do not employ any people or act in association with anyone else.

    Firms who do not provide services within the regulated sector should consider appointing a nominated officer, even though it is not required, because POCA and the Terrorism Act still apply. The Solicitors' Code of Conduct 2007 requires business management systems facilitating compliance with legal obligations.

  • Top of page

    3.3.2 Who should be a nominated officer?

    Your nominated officer should be of sufficient seniority to make decisions on reporting which can impact your firm's business relations with your clients and your exposure to criminal, civil, regulatory and disciplinary sanctions. They should also be in a position of sufficient responsibility to enable them to have access to all of your firm's client files and business information to enable them to make the required decisions on the basis of all information held by the firm.

    Firms authorised by the FSA will need to obtain the FSA's approval to the appointment of the nominated officer as this is a controlled function under section 59 of the Financial Services and Markets Act 2000 .

  • Top of page

    3.3.3 Role of the nominated officer

    Your nominated officer is responsible for ensuring that, when appropriate, the information or other matter leading to knowledge or suspicion, or reasonable grounds for knowledge or suspicion of money laundering is properly disclosed to the relevant authority. The decision to report, or not to report, must not be subject to the consent of anyone else. Your nominated officer will also liaise with SOCA or law enforcement on the issue of whether to proceed with a transaction or what information may be disclosed to clients or third parties.

    The size and nature of some firms may lead to the nominated officer delegating certain duties regarding the firm's AML/CTF obligations. In some large firms, one or more permanent deputies of suitable seniority may be appointed. All firms will need to consider arrangements for temporary cover when the nominated officer is absent.

Top of page

3.4 Risk assessment

You can extend your existing risk management systems to address AML and CTF risks. The detail and sophistication of these systems will depend on your firm's size and the complexity of the business it undertakes. Ways of incorporating your risk assessment of clients, business relationships and transactions into the overall risk assessment will be governed by the size of your firm and how regularly compliance staff and senior management are involved in day-to-day activities.

Issues which may be covered in a risk assessment system include:

  • the firm's current risk profile
  • how AML/CTF risks will be assessed, and processes for re-assessment and updating of the firm's risk profile
  • internal controls to be implemented to mitigate the risks
  • which firm personnel have authority to make risk-based decisions on compliance on individual files
  • how compliance will be monitored and effectiveness of internal controls will be reviewed

Top of page

3.5 Internal controls and monitoring compliance

The level of internal controls and extent to which monitoring needs to take place will be affected by:

  • your firm's size
  • the nature, scale and complexity of its practice
  • its overall risk profile

Issues which may be covered in an internal controls system include:

  • the level of personnel permitted to exercise discretion on the risk-based application of the regulations, and under what circumstances
  • CDD requirements to be met for simplified , standard and enhanced due diligence
  • when outsourcing of CDD obligations or reliance will be permitted, and on what conditions
  • how you will restrict work being conducted on a file where CDD has not been completed
  • the circumstances in which delayed CDD is permitted
  • when cash payments will be accepted
  • when payments will be accepted from or made to third parties
  • the manner in which disclosures are to be made to the nominated officer

Monitoring compliance will assist you to assess whether the policies and procedures you have implemented are effective in forestalling money laundering and terrorist financing opportunities within your firm. Issues which may be covered in a compliance system include:

  • procedures to be undertaken to monitor compliance, which may involve:
    • random file audits
    • file checklists to be completed before opening or closing a file
    • a nominated officer's log of situations brought to their attention, queries from staff and reports made
  • reports to be provided from the nominated officer to senior management on compliance
  • how to rectify lack of compliance, when identified
  • how lessons learnt will be communicated back to staff and fed back into the risk profile of the firm

Top of page

3.6 Customer due diligence

You are required to have a system outlining the CDD measures to be applied to specific clients. You should consider recording your firm's risk tolerances to be able to demonstrate to your supervisor that your CDD measures are appropriate.

Your CDD system may include:

  • when CDD is to be undertaken
  • information to be recorded on client identity
  • information to be obtained to verify identity, either specifically or providing a range of options with a clear statement of who can exercise their discretion on the level of verification to be undertaken in any particular case
  • when simplified due diligence may occur
  • what steps need to be taken for enhanced due diligence
  • what steps need to be taken to ascertain whether your client is a PEP
  • when CDD needs to occur and under what circumstances delayed CDD is permitted
  • how to conduct CDD on existing clients
  • what ongoing monitoring is required

For suggested methods on how to conduct CDD see Chapter 4 of this practice note.

Top of page

3.7 Disclosures

Firms, but not sole practitioners, need to have a system clearly setting out the requirements for making a disclosure under POCA and the Terrorism Act . These may include:

  • the circumstances in which a disclosure is likely to be required
  • how and when information is to be provided to the nominated officer or their deputies
  • resources which can be used to resolve difficult issues around making a disclosure
  • how and when a disclosure is to be made to SOCA
  • how to manage a client when a disclosure is made while waiting for consent
  • the need to be alert to tipping off issues

For details on when a disclosure needs to be made see chapters 5 , 6 and 7 of this practice note. For details on how to make a disclosure see chapter 8 of this practice note.

Top of page

3.8 Record keeping

Various records must be kept to comply with the regulations and defend any allegations against the firm in relation to money laundering and failure to report offences. A firm's records system must outline what records are to be kept, the form in which they should be kept and how long they should be kept.

Regulation 19 requires that firms keep records of CDD material and supporting evidence and records in respect of the relevant business relationship or occasional transaction. Adapt your standard archiving procedures for these requirements.

  • 3.8.1 CDD material

    You may keep either a copy of verification material , or references to it. Keep it for five years after the business relationship ends or the occasional transaction is completed. Consider holding CDD material separately from the client file for each retainer, as it may be needed by different practice groups in your firm.

    Depending on the size and sophistication of your firm's record storage procedures you may wish to:

    • scan the verification material and hold it electronically
    • take photocopies of CDD material and hold it in hard copy with a statement that the original has been seen
    • accept certified copies of CDD material and hold them in hard copy
    • keep electronic copies or hard copies of the results of any electronic verification checks
    • record reference details of the CDD material sighted

    The option of merely recording reference details may be particularly useful when taking instructions from clients at their home or other locations away from your office. The types of details it would be useful to record include:

    • any reference numbers on documents or letters
    • any relevant dates, such as issue, expiry or writing
    • details of the issuer or writer
    • all identity details recorded on the document

    Where you are relied upon by another person under Regulation 17 for the completion of CDD measures, you must keep the relevant documents for five years from the date on which you were relied upon.

  • Top of page

    3.8.2 Risk assessment notes

    You should consider keeping records of decisions on risk assessment processes of what CDD was undertaken. This does not need to be in significant detail, but merely a note on the CDD file stating the risk level you attributed to a file and why you considered you had sufficient CDD information. For example:

    'This is a low risk client with no beneficial owners providing medium risk instructions. Standard CDD material was obtained and medium level ongoing monitoring is to occur.'

    Such an approach may assist firms to demonstrate they have applied a risk-based approach in a reasonable and proportionate manner. Notes taken at the time are better than justifications provided later.

    Firms may choose standard categories of comment to apply to notes.

  • Top of page

    3.8.3 Supporting evidence and records

    You must keep all original documents or copies admissible in court proceedings.

    Records of a particular transaction, either as an occasional transaction or within a business relationship, must be kept for five years after the date the transaction is completed.

    All other documents supporting records must be kept for five years after the completion of the business relationship.

  • Top of page

    3.8.4 Suspicions and disclosures

    It is recommended that you keep comprehensive records of suspicions and disclosures because disclosure of a suspicious activity is a defence to criminal proceedings. Such records may include notes of:

    • ongoing monitoring undertaken and concerns raised by fee earners and staff
    • discussions with the nominated officer regarding concerns
    • advice sought and received regarding concerns
    • why the concerns did not amount to a suspicion and a disclosure was not made
    • copies of any disclosures made
    • conversations with SOCA, law enforcement, insurers, supervisory authorities etc regarding disclosures made
    • decisions not to make a report to SOCA which may be important for the nominated officer to justify his position to law enforcement

    You should ensure records are not inappropriately disclosed to the client or third parties to avoid offences of tipping off and prejudicing an investigation, and to maintain a good relationship with your clients. This may be achieved by maintaining a separate file, either for the client or for the practice area.

  • 3.8.5 Data protection

    The Data Protection Act 1998 applies to you and SOCA. It allows clients or others to make subject access requests for data held by them. Such requests could cover any disclosures made.

    Section 29 of the Data Protection Act 1998 states you need not provide personal data where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.

    HM Treasury and the Information Commissioner have issued guidance which essentially provides that the Section 29 exception would apply where granting access would amount to tipping off. This may extend to suspicions only reported internally within the firm.

    If you decide the Section 29 exception applies, document steps taken to assess this, to respond to any enquiries by the Information Commissioner.

    HM Treasury guidance (PDF, 28kb)
    Information Commissioner guidance (PDF, 73kb)

    Note the definition of personal data.

Top of page

3.9 Communication and training

Your staff members are the most effective defence against launderers and terrorist financers who would seek to abuse the services provided by your firm.

Regulation 20 requires that you communicate your AML/CTF obligations to your staff, while regulation 21 requires that you provide staff with appropriate training on their legal obligations and information on how to recognise and deal with money laundering and terrorist financing risks.

Rule 5 of the Solicitors' Code of Conduct also requires you to train your staff to a level appropriate to their work and level of responsibility.

  • 3.9.1 Criminal sanctions and defences

    Receiving insufficient training is a defence for individual staff members who fail to report a suspicion of money laundering. However, it is not a defence to terrorist funding charges, and leaves your firm vulnerable to sanctions under the regulations for failing to properly train your staff.

  • 3.9.2 Who should be trained?

    When setting up a training and communication system you should consider:

    • which staff require training
    • what form the training will take
    • how often training should take place
    • how staff will be kept up-to-date with emerging risk factors for the firm

    Assessments of who should receive training should include who deals with clients in areas of practice within the regulated sector, handles funds or otherwise assists with compliance. Consider fee earners, reception staff, administration staff and finance staff, because they will each be differently involved in compliance and so have different training requirements.

    Training can take many forms and may include:

    • face-to-face training seminars
    • completion of online training sessions
    • attendance at AML/CTF conferences
    • participation in dedicated AML/CTF forums
    • review of publications on current AML/CTF issues
    • firm or practice group meetings for discussion of AML/CTF issues and risk factors

    Providing an AML/CTF policy manual is useful to raise staff awareness and can be a continual reference source between training sessions.

  • Top of page

    3.9.3 How often?

    You are required to provide training at regular and appropriate intervals. In determining whether your training programme meets this requirement, you should have regard to the firm's risk profile and the level of involvement certain staff have in ensuring compliance.

    You should consider retaining evidence of your assessment of training needs and steps taken to meet such needs.

    You should also consider:

    • criminal sanctions and reputational risks of non-compliance
    • developments in the common law
    • changing criminal methodologies

    Some type of training for all relevant staff every two years is preferable.

  • Top of page

    3.9.4 Communicating with your clients

    While not specifically required by the regulations, we consider it useful for you to tell your client about your AML/CTF obligations. Clients are then generally more willing to provide required information when they see it as a standard requirement.

    You may wish to advise your client of the following issues:

    • the requirement to conduct CDD to comply with the regulations
    • whether any electronic verification is to be undertaken during the CDD process
    • the requirement to report suspicious transactions

    Consider the manner and timing of your communications, for example whether the information will be provided in the standard client care letter or otherwise.

Top of page

Chapter 4 - customer due diligence

Contents

4.1 General comments

Customer due diligence (CDD) is required by the Money Laundering Regulations 2007 because you can better identify suspicious transactions if you know your customer and understand the reasoning behind the instructions they give you.

4.2 Application

You must conduct CDD on those clients who retain you for services regulated under the regulations ( see Chapter 1 ). Rule 2 of the Solicitors' Code of Conduct is also relevant to all solicitors.

4.3 CDD in general

  • 4.3.1 When is CDD required?

    Regulation 7 requires that you conduct CDD when:

    • establishing a business relationship
    • carrying out an occasional transaction
    • you suspect money laundering or terrorist financing
    • you doubt the veracity or adequacy of documents, data or information previously obtained for the purpose of CDD

    The distinction between occasional transactions and long-lasting business relationships is relevant to the timing of CDD and the storage of records .

    Where an occasional transaction is likely to increase in value or develop into a business relationship , consider conducting CDD early in the retainer to avoid delays later. As relationships change, firms must ensure they are compliant with the relevant standard.

    There is no obligation to conduct CDD in accordance with the regulations for retainers involving non-regulated activities.

    Existing business relationships before 15 December 2007

    You must apply CDD measures at appropriate times to existing clients on a risk-sensitive basis. You are not required to apply CDD measures to all existing clients immediately after 15 December 2007. Where you have verified a client's identity to a previously applicable standard then, unless circumstances indicate the contrary, the risk is likely to be low. If you have existing high risk clients that you have previously identified you may consider applying the new CDD standard sooner than for low risk clients. Read more .

  • Top of page

    4.3.2 What is CDD?

    Regulation 5 says that CDD comprises:

    • identifying the client and verifying their identity on the basis of documents, data or information obtained from a reliable and independent source
    • identifying, where there is a beneficial owner who is not the client, the beneficial owner and taking adequate measures, on a risk-sensitive basis, to verify his identity so that you are satisfied that you know who the beneficial owner is. This includes understanding the ownership and control structure of a legal person, trust or similar arrangement.
    • obtaining information on the purpose and intended nature of the business relationship
    • Identification and verification

      Identification of a client or a beneficial owner is simply being told or coming to know a client's identifying details, such as their name and address.

      Verification is obtaining some evidence which supports this claim of identity.

    • A risk-based approach

      Regulation 7(3) provides that you must:

      • determine the required extent of customer due diligence measures on a risk-sensitive basis depending on the type of client, business relationship, product or transaction
      • be able to demonstrate to your supervisory authority that you took appropriate measures in view of the risks of money laundering and terrorist financing

      You cannot avoid conducting CDD, but you can use a risk-based approach to determine the extent and quality of information required and the steps to be taken to meet the requirements.

      You need only obtain information on the purpose and intended nature of your client's use of your services when you are in a business relationship with them. However, it's good practice and required by Rule 2 of the Solicitors' Code of Conduct to obtain such information to ensure you fully understand instructions and closely monitor the development of each retainer, even if it is for an occasional transaction or transactions below the threshold.

  • Top of page

    4.3.3 Methods of verification

    Verification can be completed on the basis of documents, data and information which come from a reliable and independent source. This means that there are a number of ways you can verify a client's identity including:

    • obtaining or viewing original documents
    • conducting electronic verification
    • obtaining information from other regulated persons
    • Independent source

      You need an independent and reliable verification of your client's identity. This can include materials provided by the client, such as a passport.

      Consider the cumulative weight of information you have on the client and the risk levels associated with both the client and the retainer.

      You are permitted to use a wider range of sources when verifying the identity of the beneficial owner and understanding the ownership and control structure of the client. Often only the client or their representatives can provide you with such information. Apply the requirements in a risk-based manner to a level at which you are satisfied that you know who the beneficial owner is.

    • Documents

      You should not ignore obvious forgeries, but you are not required to be an expert in forged documents.

    • Electronic verification

      This will only confirm that someone exists, not that your client is the said person. You should consider the risk implications in respect of the particular retainer and be on the alert for information which may suggest that your client is not the person they say they are. You may mitigate risk by corroborating electronic verification with some other CDD material.

      When choosing an electronic verification service provider, you should look for a provider who:

      • has proof of registration with the Information Commissioner's Office to store personal data
      • can link an applicant to both current and previous circumstances using a range of positive information sources
      • accesses negative information sources, such as databases on identity fraud and deceased persons
      • accesses a wide range of 'alert' data sources
      • has transparent processes enabling you to know what checks are carried out, the results of the checks, and how much certainty they give on the identity of the subject
      • allows you to capture and store the information used to verify an identity.

      When using electronic verification, you are not required to obtain consent from your client, but they must be informed that this check will take place.

      While we believe electronic verification can be a sufficient measure for compliance with money laundering requirements, there may be circumstances where it will not be appropriate. For example, the Council for Mortgage Lenders notes that electronic verification products may not be suitable for fraud prevention purposes, such as verifying that a person's signature is genuine.

  • Top of page

    4.3.4 Reliance and outsourcing

    Reliance has a very specific meaning within the regulations and relates to the process under Regulation 17 where you rely on another regulated person to conduct CDD for you. You remain liable for any failure in the client being appropriately identified. Reliance does not include:

    • accepting information from others to verify a client's identity when meeting your own CDD obligations
    • electronic verification, which is outsourcing

    You need

    • the consent of the person on whom you rely for your reliance
    • agreement that they will provide you with the CDD material upon request
    • the identity of their supervisor for money laundering purposes. Consider checking the register of members for that supervisor, although a personal assurance of their identity may be sufficient where you have reasonable grounds to believe them .

    We believe you should ask what CDD enquiries have been undertaken to ensure that they actually comply with the regulations, because you remain liable for non-compliance. This is particularly important when relying on a person outside the UK, and you should be satisfied that the CDD has been conducted to a standard compatible with the third directive (PDF, 302kb), taking into account the ability to use different sources of verification and jurisdictional specific factors. It may not always be appropriate to rely on another person to undertake your CDD checks and you should consider reliance as a risk in itself.

    • Top of page

      Reliance in the UK

      You can only rely on the following persons in the UK :

      • a credit or financial institution which is an authorised person
      • a person in the following professions who is supervised by a supervisory authority:
        • auditor
        • insolvency practitioner
        • external accountant
        • tax adviser
        • independent legal professional
    • Reliance in an EEA state

      You can only rely on the following persons in an EEA state:

      • a credit or financial institution
      • auditor, or EEA equivalent
      • insolvency practitioner, or EEA equivalent
      • external accountant
      • tax adviser
      • independent legal professional

      if they are both:

      • subject to mandatory professional registration recognised by law, and
      • supervised for complying with money laundering obligations under Chapter 5, Section 2 of the third directive (PDF, 302kb).

      A person will only be supervised in accordance with the third directive if the third directive has been implemented in the EEA state. You can check on the International Bar Association's website on the progress of implementation across Europe .

    • Top of page

      Reliance in other countries

      You can only rely on the following persons outside of the EEA:

      • credit or financial institution, or equivalent
      • auditor, or equivalent
      • insolvency practitioner, or equivalent
      • external accountant
      • tax adviser
      • independent legal professional

      if they are both:

      • subject to mandatory professional registration recognised by law, and
      • supervised for complying with money laundering obligations to a standard equivalent to that under Chapter 5, Section 2 of the third directive (PDF, 302kb).

      Consult a list of countries where CDD requirements and supervision of credit or financial institutions are considered equivalent to the European Economic Area .

      Consult a list of national money laundering legislation around the world, and whether it applies to lawyers .

    • Top of page

      Passporting clients between jurisdictions

      Many firms have branches or affiliated offices ('international offices') in other jurisdictions and will have clients who utilise the services of a number of international offices. It is not considered proportionate for a client to have to provide original identification material to each international office.

      Some firms may have a central international database of CDD material on clients to which they can refer. Where this is the case you should review the CDD material to be satisfied that CDD has been completed in accordance with the third directive. If further information is required, you should ensure that it is obtained and added to the central database. Alternatively, you could ensure that the CDD approval controls for the database are sufficient to ensure that all CDD is compliant.

      Other firms may wish to rely on their international office to simply provide a letter of confirmation that CDD requirements have been undertaken with respect to the client. This will amount to reliance only if the firm can be relied upon under the terms of Regulation 17 and the CDD is completed in accordance with that regulation.

      Finally, firms without a central database may wish to undertake their own CDD measures with respect to the client, but ask their international office to supply copies of the verification material, rather than the client themselves. This will not be reliance, but outsourcing.

      It is important to remember that one of your international offices may be acting for a client who is not a PEP in that country, but will be when they are utilising the services of your office. As such, you will need to have in place a process for checking whether a person passported into your office is a PEP and, if so, undertake appropriate enhanced due diligence measures.

      UK-based fee earners will have to undertake their own ongoing monitoring of the retainer, even if the international office is also required to do so.

  • Top of page

    4.3.5 Timing

    • When must CDD be undertaken?

      Regulation 9 requires you to verify your client's identity and that of any beneficial owner, before you establish a business relationship or carry out an occasional transaction .

      Regulation 11 provides that if you are unable to complete CDD in time, you cannot:

      • carry out a transaction with or for the client through a bank account
      • establish a business relationship or carry out an occasional transaction

      You must also:

      • terminate any existing business relationship
      • consider making a disclosure to SOCA

      Evidence of identity is not required if a one-off transaction involves less than €15,000 or if two or more linked transactions involve less than €15,000 in total. This exception does not apply if there is any suspicion of money laundering or terrorist financing.

    • Top of page

      Exceptions to the timing requirement

      There are several exceptions to the timing requirement and the prohibition on acting for the client.

      However, you should consider why there is a delay in completing CDD, and whether this of itself gives rise to a suspicion which should be disclosed to SOCA.

      • Normal conduct of business

        Regulation 9(3) provides that verification may be completed during the establishment of a business relationship , (not an occasional transaction ), where:

        • it is necessary not to interrupt the normal conduct of business, and
        • there is little risk of money laundering or terrorist financing occurring

        You must complete verification as soon as practicable after the initial contact.

        Consider your risk profile when assessing which work can be undertaken on a retainer prior to verification being completed.

        Do not permit funds or property to be transferred or final agreements to be signed before completion of full verification.

        If you are unable to conduct full verification of the client and beneficial owners, then the prohibition in Regulation 11 will apply.

      • Ascertaining legal position

        Regulation 11(2) provides that the prohibition in 11(1) does not apply where:

        'A lawyer or other professional adviser is in the course of ascertaining the legal position for their client or performing their task of defending or representing their client in, or concerning legal proceedings, including advice on instituting or avoiding proceedings.'

        The requirement to cease acting and consider making a report to SOCA when you cannot complete CDD, does not apply when you are providing legal advice or preparing for or engaging in litigation or alternative dispute resolution.

        This exception does not apply to transactional work, so take a cautious approach to the distinction between advice and litigation work, and transactional work.

Top of page

4.4 Ongoing monitoring

Regulation 8 requires that you conduct ongoing monitoring of a business relationship on a risk-sensitive and appropriate basis. Ongoing monitoring is defined as:

  • scrutiny of transactions undertaken throughout the course of the relationship, (including where necessary, the source of funds), to ensure that the transactions are consistent with your knowledge of the client, their business and the risk profile.
  • keeping the documents, data or information obtained for the purpose of applying CDD up-to-date. You must also be aware of obligations to keep clients' personal data updated under the Date Protection Act .

You are not required to:

  • conduct the whole CDD process again every few years
  • conduct random audits of files
  • suspend or terminate a business relationship until you have updated data, information or documents, as long as you are still satisfied you know who your client is, and keep under review any request for further verification material or processes to get that material
  • use sophisticated computer analysis packages to review each new retainer for anomalies

Ongoing monitoring will normally be conducted by fee earners handling the retainer, and involves staying alert to suspicious circumstances which may suggest money laundering, terrorist financing, or the provision of false CDD material.

For example, you may have acted for a client in preparing a will and purchasing a modest family home. They may then instruct you in the purchase of a holiday home, the value of which appears to be outside the means of the client's financial situation as you had previously been advised in earlier retainers. While you may be satisfied that you still know the identity of your client, as a part of your ongoing monitoring obligations it would be appropriate in such a case to ask about the source of the funds for this purchase. Depending on your client's willingness to provide you with such information and the answer they provide, you will need to consider whether you are satisfied with that response, want further proof of the source of the funds, or need to discuss making a disclosure to SOCA with your nominated officer .

To ensure that CDD material is kept up-to-date, you should consider reviewing it:

  • when taking new instructions from a client, particularly if there has been a gap of over three years between instructions
  • when you receive information of a change in identity details

Relevant issues may include:

  • the risk profile of the client and the specific retainer
  • whether you hold material on transactional files which would confirm changes in identity
  • whether electronic verification may help you find out if your clients' identity details have changed, or to verify any changes

Top of page

4.5 Records

You are required to keep records of your CDD material.

4.6 CDD on clients

Your firm will need to make its own assessments as to what evidence is appropriate to verify the identity of your clients. We outline a number of sources which may help you make that assessment.

  • 4.6.1 Natural persons

    A natural person's identity comprises a number of aspects, including their name, current and past addresses, date of birth, place of birth, physical appearance, employment and financial history, and family circumstances.

    Evidence of identity can include:

    • identity documents such as passports and photocard driving licences
    • other forms of confirmation, including assurances from persons within the regulated sector or those in your firm who have dealt with the person for some time.

    In most cases of face to face verification, producing a valid passport or photocard identification should enable most clients to meet the AML/CTF identification requirements.

    It is considered good practice to have either:

    • one government document which verifies either name and address or name and date of birth
    • a government document which verifies the client's full name and another supporting document which verifies their name and either their address or date of birth.

    Where it is not possible to obtain such documents, consider the reliability of other sources and the risks associated with the client and the retainer. Electronic verification may be sufficient verification on its own as long as the service provider uses multiple sources of data in the verification process.

    Where you are reasonably satisfied that an individual is nationally or internationally known, a record of identification may include a file note of your satisfaction about identity, usually including an address.

    • Top of page

      UK residents

      The following sources may be useful for verification of UK-based clients:

      • current signed passport
      • birth certificate
      • current photocard driver's licence
      • current EEA member state identity card
      • current identity card issued by the Electoral Office for Northern Ireland
      • residence permit issued by the Home Office
      • firearms certificate or shotgun licence
      • photographic registration cards for self-employed individuals and partnerships in the construction industry
      • benefit book or original notification letter from the DWP confirming the right to benefits
      • council tax bill
      • utility bill or statement, or a certificate from a utilities supplier confirming an arrangement to pay services on pre-payment terms
      • a cheque or electronic transfer drawn on an account in the name of the client with a credit or financial institution regulated for the purposes of money laundering
      • bank, building society or credit union statement or passbook containing current address
      • entry in a local or national telephone directory confirming name and address
      • confirmation from an electoral register that a person of that name lives at that address
      • a recent original mortgage statement from a recognised lender
      • solicitor's letter confirming recent house purchase or land registry confirmation of address
      • local council or housing association rent card or tenancy agreement
      • HMRC self-assessment statement or tax demand
      • house or motor insurance certificate
      • record of any home visit made
      • statement from a member of the firm or other person in the regulated sector who has known the client for a number of years attesting to their identity - bear in mind you may be unable to contact this person to give an assurance