Audit trail: preparing for an AML visit

The thought of a Solicitors Regulation Authority (SRA) anti-money laundering (AML) audit no doubt fills most compliance officers with dread.

Nevertheless, the regulators are getting more proactive in their role as AML supervisor.

Many firms have had an SRA visit to discuss AML practice and procedure. So, what can you expect if you are selected for an AML audit?

It’s probable that the SRA may have selected your firm for one of two reasons:

• it wants to look closely at your AML controls, perhaps relating to a recent breach or complaint
• your firm is caught by the Money Laundering Regulations (2017) (MLRs) and, as a result, you are one of many thousands of firms who are being routinely investigated

You will be aware that AML has been a priority issue for the SRA in recent years.

Proactive supervision is designed to tighten AML standards across the profession.

It also gives the SRA the data it needs to feed back to OPBAS (Office for Professional Body Anti Money Laundering).

First contact

When the SRA first makes contact, it will usually offer a few dates for you to choose to accommodate your availability.

It is unlikely that the SRA will turn up unannounced on your doorstep.

Naturally, even the most highly organised firms will want to give themselves enough time to prepare and so, most often, it’s best to elect for the date furthest away.

Instead of panicking, at this stage it’s helpful to look at the impending visit as an opportunity to get your AML ducks in a row.

If you know you are not up to date, or fear that something may have slipped under the radar with all the recent legislative changes (and subsequent amendments), you still have time to remedy things.

Mercifully, there are no rules as to how often law firms should update their policies or review their procedures.

Unsurprisingly, this area has been left deliberately vague, so that each law firm applies a ‘risk-based’ approach to their AML framework.

That said, it’s important to absorb, refresh and implement any recent changes as soon as is reasonably possible.

However, if you have managed to stay abreast of the changes and you have future dates in mind for a review of your existing systems, don’t forget to follow this up.

Failure to review things in line with your policy may indicate to the SRA that your AML framework is not working.

What will they ask for?

So, what exactly will the SRA want to see during one of these visits?

It’s important to note that routine investigations by the SRA are ‘front loaded’ in terms of the assessment of your AML framework, so you will need to submit all of your policy documents in advance of the visit.

The SRA will likely ask for the following:

1 Firm-wide risk assessment (FWRA)

Sometimes referred to as a practice-wide risk assessment (PWRA), this is the cornerstone of your AML controls.

You must have one in place to be compliant with the SRA Standards and Regulations.

Starting with a template is acceptable, but you have to tailor it to the risks faced by your firm.

Make sure the document is reviewed in accordance with your policy and, if it doesn’t already, your risk assessment should include reference to the Legal Sector Affinity Group (LSAG) guidance.

2 Policies, controls and procedures (PCPs)

This should include all your client and matter risk assessments and your core AML policy.

3 Associated policy documents

This will include anything referencing the Criminal Finances Act 2017 and how you store your client data.

4 Fee earner lists

You will need a list of any fee earners whose work is subject to the MLRs and their ‘live’ matters.

It is likely that they will also want to see any ‘high risk’ matters and understand how these are being actively managed by the fee earners/MLRO.

5 Training records

You may be asked to include the training records of all ‘relevant’ staff members.

Make sure that your money laundering reporting officers (MLRO and MLCO) fully up to date with the AML regulations and the LSAG guidance.

You will be asked what solutions have been rolled out to manage the risk so it’s important to keep records of all AML updates that you circulate within the firm, to demonstrate that you are reminding staff of their responsibilities.

6 Screening employees

Where firms screen relevant employees, this should be ongoing on a regular basis and not just something to undertake on recruitment.

7 Client due diligence records

Are these held centrally or on the client matter?

Do your fee earners know how often CDD is refreshed? With each new instruction? Every three years?

This needs to be clear in your AML policy.

8 Source of funds and wealth procedures

How are you evidencing this and capturing the perceived risk?

For example, do you ask your clients to produce consent orders from a divorce? Or a completion statement from a related/recent sale?

Taking a clients’ word for it that they sold a house and are using it to buy another is not good practice.

9 SARs and MLRO records

The SRA will be interested in how many suspicious activity reports (SARs) you have completed. Remember that having no SARs may indicate that your training has not been effective.

It is also sensible to maintain records of any cases that you have turned down.

10 Minutes of board meetings

The SRA want to see that AML is high on the compliance agenda and may ask to look at the minutes of management and board level meetings to check that AML is actively discussed and not just a tick-box exercise.

You will need easy access to all of your AML policy documents if and when there is an audit.

Many firms struggle to locate everything that is asked for: for example, materials may be tucked away in an office manual.

While it makes sense that an employee screening policy should live in the HR manual, it’s important that you know where it is on the day. This avoids delays and demonstrates that you are on top of all your policies and procedures.

In fact, it’s best practice to ensure that all of your AML policy documents are listed in a central register.

That way, you can use a hyperlink to the latest version, rather than trawling through the documents for the most recent version.

The visit

During the visit, you can expect the SRA to interview some of your fee earners and to go through a selection of their live matters.

You will need to find substitutes where staff members are not available at short notice.

Co-operation from your team is important and it is advisable that staff are made aware of the visit in advance. Those selected for ‘discussion’ can be anyone from partner level through to junior staff.

It is important that your MLRO and MLCO are also available for interview with the SRA.

Your staff should be able to confidently talk through the firm’s AML controls. When conducting file reviews, the SRA will be looking for:

• client care letter
• a sample of the firm’s open and closed files, as well as the client ledger
• verification and identity documents – is conference calling part of your process? If so, where is it documented?
• any e-verification results and how any referred matters have been handled. What has been done to further investigate any false positives? How was this resolved?
• any search engine or adverse findings kept on file
• any company searches – were any anomalies as to beneficial ownership reported to Companies House, using a discrepancy report?
• evidence of source of funds and wealth
• client and matter risk assessments and how the risk is managed through the life cycle of the transaction
• any relevant SARs or defence against money laundering (DAMLs)

Follow up

Once the investigation is over and the regulator has all the information they need, it will write to you again with its findings.

Often, it will highlight areas of good practice, as well as areas for change, along with deadlines for implementation.

Firms that ‘fail’ an SRA audit leave themselves open to enforcement action. The fining levels have been creeping up, and the SRA now has the power to fine a firm (or individuals) up to £25,000.

Do bear in mind as well the potential reputational damage to your firm – the SRA publishes details of AML enforcement, which will be available to your clients, staff, accreditation bodies and insurers.

A version of this article first appeared on the Risk and Compliance Section.