Remote working, client interaction and associated use of AML technology
Legal practices and practitioners should be aware that criminals will look to take advantage of people who work or meet/interact with clients remotely.
We understand and support the desire of practices and practitioners to vary how they work, recognising that innovation and change are fundamental aspects of strong anti-money laundering (AML) control.
This includes different ways of undertaking CDD and appropriate levels of ID&V, particularly where clients cannot be met face to face.
In line with a risk-based approach, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (MLRs) provide flexibility in the application of their requirements.
Options exist for practices seeking to comply while also working remotely.
Legal practices and practitioners in scope of the MLRs must still comply with their statutory requirements at all times.
Identification and verification
When it’s not possible or desirable to undertake ID&V in person, using suitable identification documents, you should consider what risks this may create.
An inability to conduct in-person ID&V does not mean you cannot complete CDD, but you may need to consider using other methods that give you the necessary assurance that the person is who they say they are.
Practices and practitioners are reminded to adopt a risk-based approach, taking into account:
- the contents of their practice-wide risk assessment, policies and procedures (and where necessary updating them) and
- the circumstances of and risks presented by individual clients/matters (see part one, section 5 of the AML guidance for the legal sector)
As an alternative to face-to-face documentary verification, legal practices and practitioners may adopt or further use electronic means of ID&V, where appropriate to the risks present in the client/transaction.
Such methods may include (but are not limited to):
- digital ID&V services that meet the requirements of regulation 28(19) – “secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity”
- gathering and analysing additional data to triangulate the evidence provided by the client, such as geolocation and IP addresses
- verifying phone numbers, emails and/or physical addresses by sending codes to the client’s address to validate access to accounts
- using live and/or recorded digital video (many reliable and free options exist for this) of the customer showing their face and original photo identification documents so that you can compare them to a scanned copy of the same document (for example, passport or driving licence)
No matter what ID&V service or procedure is used, the responsibility to make sure the ID&V is undertaken correctly is with the relevant practitioner and practice.
If you’re placing reliance on others to conduct CDD under regulation 39 – such as an instructing solicitor or accountant – you should ensure you understand how they have adapted their CDD procedures to the different circumstances.
Make sure that you keep a record and evidence of the processes you follow.
For example, a set method for how video calls are to be conducted and recorded, as well as a log of any video calls you make.
These methods alone may not be sufficient where the money laundering and terrorist financing risks inherent in the particular client or matter are greater.
In high-risk situations, further verification (including verification of source of funds/wealth) will likely be required.
Where you need to update ID&V records for existing clients, you should not rely on old ID just because you cannot currently meet them face to face. This is not an acceptable approach because it is unlikely to address the risk present in the transaction.
Further, information and advice is available on the Law Society website.
You are also referred to section 7 of the AML guidance for the legal sector.
Digital ID&V services
If you’re considering whether to use a digital ID&V service, you must carefully consider whether it provides the assurance needed.
In order to make this judgement, you may have regard to the Financial Action Task Force (FATF) guidance on digital identity, as set out below:
Financial Action Task Force guidance on digital identity
- Understand what the service actually does: what checks is it doing and what databases is it checking (if any), and how often are any checks refreshed to ensure they are drawing on the most up-to-date information
- Take a risk-based approach to relying on the service including understanding the assurance level provided and that it is appropriate to the risk
- Understand whether the service provides levels of assurance and how these may be appropriately used in different circumstances
- Consider whether using the service negates the idea that all non-face-to-face transactions are high risk
- Use anti-fraud, sanctions compliance and other cybersecurity processes to support the service
- Engage with the service provider to ensure the practice has access to the information it may need to prove its compliance to its supervisor or to law enforcement
Another important consideration is whether the service has attained any accreditation or certification from any of the bodies listed in appendix D of the FATF guidance.
Other issues to consider when working remotely
You should consider whether your policies, controls and procedures remain appropriate and whether they need adjustment to reflect the ways and methods by which your practice is conducting business.
For example, if CDD or enhanced due diligence (EDD) processes change then an update of the practice-wide risk assessment, any client/matter risk assessment, and other relevant policies, procedures or controls may be necessary.
Further (non-exhaustive) examples include:
- if staff are working away from the office, making sure they have access to the necessary CDD documentation to be able to fully consider the risks of any client or matter
- record-keeping processes may need to be adapted to ensure compliance with regulatory requirements
- if using digital video or photography to support CDD, or obtaining other personal information, you should obtain consent from the data subject for the capture and storage of this information and have due regard to data protection requirements
- if you are requesting that personal or sensitive information be sent by email or other electronic means in support of CDD, due consideration should be made to the associated information security risks. You should consider and record the necessary steps to mitigate such risks (such as encryption)
- requisite ongoing AML training may be deliverable remotely or via digital means (such as via webinar, or video-conferencing facilities) and you should consider what adaptations your practice must make to ensure compliance where staff are working remotely
If you have questions about whether a specific ID&V method is allowable or any other aspect of the above, contact the Practice Advice Service's AML helpline.
If necessary, obtain independent legal advice from an experienced legal practitioner.
Disclaimer
This note is supplementary to the main Legal Sector Affinity Group (LSAG) anti-money laundering guidance for the legal sector and does not supersede it.
It’s not for your supervisor to provide specific legal advice and/or confirmation on the application of the money laundering regulations (MLRs).
You are required to satisfy yourself on your legal/regulatory obligations under the MLRs and that you have complied with them.
While care has been taken to ensure that this advisory note is accurate, up to date and useful, members of the LSAG will not accept any legal liability in relation to this advisory note (which has not been HM Treasury approved).