AML compliance for small firms – part two: policies, controls and procedures
This three-part series looks at the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) from the perspective of small firms and provides tips on effective compliance.
Part two explores the practical requirements to implement policies, controls and procedures, provide training to 'relevant employees' and comply with record keeping obligations.
More detailed information can be found in the legal sector anti-money laundering (AML) guidance.
AML policies, controls and procedures
The AML policies, controls and procedures that firms must adopt are set out in Regulations 19 to 21. These are designed to mitigate your exposure to money laundering risk, and should reflect the risks identified in your practice-wide, client and matter risk assessments (see part one of this series of articles).
You only need to apply three of the "internal controls" listed in MLR 2017 Regulations 19 to 21 if they’re "appropriate with regard to the size and nature" of your firm’s business:
Regulation 21(1)(a) Appointing a member of senior management – or a member of the board of directors or equivalent body – as the officer responsible for the firm’s compliance with MLR 2017
Note that this is separate from the requirements to appoint a nominated officer – often referred to as a money laundering reporting officer (MLRO) – and a compliance officer for legal practice (COLP). But the same person may hold both roles where appropriate.
Regulation 21(1)(b) Screening employees before and during their appointment
This means checking a person’s qualifications and references, which is good practice regardless of the size of your firm or the nature of your business. You may wish to consider a DBS (criminal record) check with the employee’s consent.
Regulation 21(1)(c) Establishing an independent audit function to review and make recommendations about your firm’s AML policies, controls and procedures, and its compliance with them
The auditor does not need to be independent of the firm, but they must be independent of the function being reviewed.
If you’re an experienced small practice, where senior people have a good understanding of all the firm’s clients and matters, you may decide that this internal control is not necessary.
An independent audit is more likely to be needed if junior staff undertake a high volume of work.
If you already have a system of external file reviews because of CQS or Lexcel, you can factor these in when deciding whether to establish an independent audit function.
Deciding if the three controls are needed
When you’re deciding whether you need to apply the three controls, you should consider both:
- the types of clients you act for
- the nature and complexity of your work
You should document your thinking, even if you only have a single office and a small number of staff. For example, if your small firm practises in a high-risk area such as conveyancing or company formation you may still feel that it should adopt these controls.
If you decide not to adopt them, you should keep a brief record of the factors you considered and the reasons for your decision.
If you’re a sole practitioner who does not employ other lawyers or paralegals, you do not need to apply the three controls set out above or appoint an MLRO or a COLP.
Regulation 24 of MLR 2017 requires firms to take appropriate measures to ensure that relevant employees and agents the business uses for AML-related work are:
- made aware of the law relating to money laundering, terrorist financing and data protection (insofar as the law on data protection relates to money laundering and terrorist financing)
- regularly given training on how to recognise and deal with transactions and situations that may be related to money laundering or terrorist financing
Relevant employees are staff who are "capable of contributing to the identification or mitigation of the risk of money laundering… or the prevention or detection of money laundering" in relation to the business. This should include accounts and reception staff. Agents the firm uses for AML compliance or for the matters identified in regulation 24(2)(b) now also fall within the training requirements.
Make sure that staff know and understand your firm’s policies, controls and procedures.
For data protection, training should cover record keeping requirements (Regulation 40) and the obligation under MLR 2017 to inform clients about the purpose for which their personal data is being collected when you carry out customer due diligence (CDD) checks (Regulation 41).
How and when to train your staff
As a smaller firm you may prefer to do training face to face rather than online. You may also consider hiring an external consultant to provide the training.
Additional training can be in the form of bulletins or information emails.
The level of training you provide, and how often you run it, depends on:
- the size and nature of your business
- the nature and extent of the risks you face
As best practice, you should consider training all relevant employees at least once every two years.
You should keep a record of which staff have been trained and how.
Keeping clients’ personal data
MLR 2017 imposes a limit of five years on keeping personal data contained in CDD documents and records, unless:
- you need to retain the CDD documents and records about the transaction under an enactment or for legal proceedings
- you have the client’s consent
You can obtain the client’s consent to keep their personal data for a longer period through your engagement letters.
If you do not have the client’s consent and if the other exceptions do not apply, you’ll need to destroy personal data contained in paper and electronic CDD records when the five-year period following the end of your professional relationship has expired.