AML compliance for small firms - policies, controls and procedures, part two

12 February 2018

This three-part series looks at the Money Laundering Regulations 2017 from the perspective of small firms and provides tips on effective compliance.

Part two explores the practical requirements to implement policies, controls and procedures, to provide training to 'relevant employees' and to comply with record keeping legislation.

More detailed information can be found in the draft legal sector AML guidance.

Policies, controls and procedures

The policies, controls and procedures that firms must adopt are set out in Regulations 19 to 21. These are designed to mitigate your money laundering risk exposure, and should reflect the risks identified in your practice-wide, and client and matter risk assessments (Part 1).

Three of the ‘internal controls’ listed in Regulations 19 to 21 are only required if they are ‘appropriate with regard to the size and nature’ of your firm’s business. These are:

  1. Appointing a member of senior management (or a member of the board of directors or equivalent body) as the officer responsible for the firm’s compliance with the Money Laundering Regulations.
    • Note that this is separate from the requirements to appoint a nominated officer (often referred to as an MLRO) and a Compliance Officer for Legal Practice (COLP), but the same person may hold both roles where appropriate.
  2. Screening of employees before and during their appointment.
    • This means checking a person’s qualifications and references, which is good practice regardless of the size of your firm or the nature of your business. You may wish to consider a DBS (criminal record) check with the employee’s consent.
  3. Establishing an independent audit function to review and make recommendations about your firm’s policies, controls and procedures, and its compliance with them.
    • The auditor need not be an external person, but must be independent of the function being reviewed.
    • If you are an experienced small practice, where senior persons have a good understanding of all the firm’s clients and matters, you may decide that this internal control is not necessary. However, if you have a high volume of work undertaken by more junior staff then an independent audit is more likely to be needed.
    • If you already have a system of external file reviews because of CQS or Lexcel then these can be factored into your decision to establish (or not) an independent audit function.

    When you are deciding whether your business is of a size and nature such that it is appropriate to apply these three controls, you should consider the types of clients you act for and the nature and complexity of your work. You should document your thinking, even if you only have a single office and a small number of staff. For example, a small firm that practises in a high-risk area such as conveyancing or company formation may still feel that it should adopt these controls.

    If you decide not to adopt them, you should keep a brief record of the factors you considered and the reasons for your decision.

    A sole practitioner who does not employ other lawyers or paralegals does not need to apply the three controls set out above, or appoint an MLRO or a COLP.


    Regulation 24 of the Money Laundering Regulations requires firms to take appropriate measures to ensure that 'relevant employees' are:

    • made aware of the law relating to money laundering, terrorist financing and data protection (insofar as the law on data protection relates to money laundering and terrorist financing)
    • regularly given training on how to recognise and deal with transactions and situations that may be related to money laundering or terrorist financing.

    Part of your training should focus on ensuring that staff know and understand the firm’s policies, controls and procedures. For data protection, the training should cover record keeping requirements (Reg 40) and the obligation under the Money Laundering Regulations to inform clients about the purpose for which their personal data is being collected when you carry out CDD checks (Reg 41).

    Smaller firms may prefer face-to-face training to online training, or may consider hiring an external consultant to provide the training. Additional training can be in the form of bulletins or information emails.

    The level and frequency of training again depends on the size and nature of your business and the nature and extent of the risks you face. As best practice, you should consider training all relevant employees at least once every two years.

    'Relevant employees' are staff who are ‘capable of contributing to the identification or mitigation of the risk of money laundering… or the prevention or detection of money laundering’ in relation to the business. This should include accounts and reception staff.

    You should record which staff have been trained and how.

    Keeping the clients’ personal data

    The Money Laundering Regulations impose a new limit of five years on keeping personal data contained in CDD documents and records, unless:

    • you need to retain the CDD documents and records about the transaction under an enactment or for legal proceedings
    • you have the client’s consent.

You can obtain the client’s consent to keep their personal data for a longer period through your engagement letters. Without the client’s consent and where the other exceptions do not apply you will need to destroy personal data contained in paper and electronic CDD records when the five-year period following the end of your professional relationship has expired.
