AML policies, controls and procedures: ask the right questions

The Solicitors Regulation Authority (SRA) has warned of the risks posed by “off-the-shelf” policies, controls and procedures (PCPs) that can lead to a “tick-box mentality”. Money Laundering Task Force member Emma Williams sets out what questions to ask to get your PCPs right first time.


There is a lot to be said for spending a few moments to consider the why.

The most obvious, compelling reason is that if you come within scope of the Money Laundering Regulations 2017, having PCPs is a legal requirement: compliance is a legal duty.

However, let’s start with a high-level question: why should you have PCPs at all? What purpose do they achieve? What benefit do they serve?

In essence, your PCPs communicate to everyone within the practice what they need to know about the practical application of the legal requirements.

They cover everything from the conduct of customer due diligence (when and how) and the practice’s approach to risk, to how long records are kept (and by whom and where), as well as red flags and reporting obligations.

Under regulation 19, we are required to establish and maintain in writing PCPs to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment carried out.

It’s an obvious point, but everything must be documented.

Such PCPs must be proportionate to the size and nature of your practice.

Regulation 19 goes further. As you might expect, it is not enough simply to have PCPs. We are also required to:

  • regularly review and update the PCPs
  • document any changes effected
  • crucially, keep a written record of the steps taken to communicate the PCPs (and any updates) within the practice


Now let’s consider what your PCPs actually look like.

We know they have to be in writing, but what needs to go in there? And what needs to happen with them once drafted?

Helpfully, regulation 19 provides a detailed list of what must be included:

  • risk management practices
  • internal controls
  • customer due diligence
  • reliance and record keeping
  • monitoring and management of compliance with, and internal communication of, PCPs


There are a number of strands to the who (or should that be for whom?) question when it comes to PCPs.

Who writes the PCPs and is responsible for the regular review and consequential updates?

Does this fall on your MLRO or MLCO (if you have one)? Is there a clear delineation as to whose responsibility this is?

Given the significance of accurate and up-to-date PCPs, this duty has to be clearly prioritised. Proactivity rather than reactivity is needed here.

Do not forget the additional regulation 19 requirement that your PCPs (and any updates) have been approved by senior management.

For whom are they written? For the SRA, undoubtedly.

But if you only focus on the regulator, you will miss a large element of the practical application – the people within your practice who need to know what they should be doing, how and when.

The challenge is to have PCPs that make as much sense to the SRA as to your compliance team (or those within the practice who undertake compliance as part of their daily functions) and to all fee-earners. An easy task, right?


When do you need to draft your PCPs? In a word – now – and on an ongoing basis. Regulation 19 requires that we regularly review our PCPs.

What does ‘regularly’ mean to you? As a subjective concept, this may well mean different things to different practices, depending on the size and nature, the risk profile and so on.

However, I would suggest that an annual review would be stretching the limits of ‘regular’.

Monthly – although regular, within its ordinary and natural meaning – seems too frequent, unless you find yourself with unlimited resource and little other work to do.

Quarterly seems about right … unless there is a reason to do so before the next quarter, such as:

  • a change in the law or guidance
  • a Financial Action Task Force recommendation
  • change within your practice such as a new practice area/partner, new technology or new systems


Where are the PCPs held within your practice? Are they accessible by all? Are they held electronically or in hard copy? Does everyone know where to find them?

These are all questions that you should ask yourself – before the SRA does!

A linked point to the “where” question – where do the PCPs apply?

Does your practice have any subsidiaries or branch offices outside the UK? If so, the PCPs will apply to those too.

Look at your organisational structure if in doubt and look at regulation 20 if this might affect you.
