Getting your risk assessment in order
Pearl Moses, Law Society head of Risk and Compliance, shares how to make sure you’re prepared with your risk assessment.
Thousands of firms are to be contacted by the Solicitors Regulation Authority within the coming months asking what measures they have in place to combat money laundering. The SRA has issued a revised warning notice to the profession and announced widespread checks on 7,000 firms that fall under the scope of money laundering regulations, following fears that many are doing little or nothing to met their obligations.
Earlier in 2019 the SRA published its latest Anti-Money Laundering Thematic Review, focusing on firms offering trust and company services. While many firms were fully compliant with their Anti-Money Laundering (AML) obligations, the SRA had substantial concerns about a significant minority and referred 26 firms into its disciplinary processes as an outcome of the review.
Firm-wide risk assessments, which have been a regulatory requirement since 2017 are a particular focus of the SRA. The thematic review found that 135 of the 400 risk assessments submitted were dated after the SRA request to see them went out. Firms need to have a risk assessment (RA) in place and be ready to provide it upon request.
What should I be doing?
The SRA has certain expectations that regulated professionals have the requisite knowledge of the AML framework. If you haven't done so already you should:
- Ensure you have a written high-quality AML risk assessment (RA) that addresses the risks particular to your firm.
- Document your risk factors and ensure they consider risks relating to your customers, countries or geographic areas of operation, products and services, transactions and delivery channels.
- Demonstrate and document that your risk assessments are conducted and kept up to date.
- Create policies and procedures that stem from your RA and are tailored to your firm's individual risk profile.
- Detail and update your processes regularly to reflect any changes you make to your risk assessment.
- Use the contents and results of the review as a guide to what the SRA might expect from you during a thematic review or regulatory visit.
Undertake a high-quality risk assessment
During the review, four out of 59 firms did not have any firm-wide risk assessment. 24 firms had inadequate RAs as set out in reg 18 of the 2017 Regulations. It's crucial that you have an effective and functioning RA that is written down and kept up-to-date. This can be achieved in a variety of formats (ie, in paragraphs, a tabular format, a matrix with risk ratings etc). The key is be thorough and to detail all the risks 'particular' to your firm.
The Law Society's AML Toolkit(2nd edition) has some useful templates as a starting point. Do note that the SRA found that too many firms appeared to take a copy and paste approach, so do ensure you address the specific issues faced by your firm.
It may be helpful to start from scratch with both your RA and, following on from that, your policies and procedures, so that your mitigation steps match up with the risks to your business.
Document your risks
The 2017 AML Regulations outline what you need to consider in your RA including:
1 Clients - ask yourself who you act for. Are they:
- politically exposed persons (PEPs)
- financial institutions/ individuals/ companies
- from riskier sectors such as gambling
- evasive or seeking anonymity.
2 Geographical areas of operation - consider whether you work with or in countries that:
- don't have equivalent AML standards to the UK, ie FATF
- have significant levels of corruption
- are subject to sanctions
- are on the EU high risk list or are tax havens.
3 Products and services - do you offer services in areas deemed 'high risk' due to holding client money such as:
- trust and company services
4 Transactions - consider the characteristics of the transaction such as:
- What is the source of funds?
- Is the transaction unusual, particularly complex or outside your normal area of work?
- What is the payment type?
- Is the size and value of the transaction relevant to your firm?
5 Delivery services - does your firm:
- use agents or intermediaries
- take payments to and from third parties or issue refunds
- provide online services
- meet clients in person as part of your verification process?
None of the factors above mean money laundering is necessarily taking place but any higher risk factors need to be acknowledged in your RA and recorded. Your risk assessment should list the steps you take to mitigate the money laundering risk in the work your firm engages in. You should reference your policies, controls and procedures (PCPs), and state clearly what you do when you identify a high-risk client or matter.
Note also that your policies, controls and procedures should be:
- proportionate to the size and nature of the business
- properly understood and implemented by your staff
- monitored to remain effective in addressing the level of risk you have identified.
For your PCPs to be effective there should be a culture of compliance including:
- an understanding from everyone in the firm that AML training is a regulatory requirement for all staff and that failure to undertake training may result in disciplinary sanction
- firm-wide procedures for accepting payments, monitoring accounts, making SARs, record-keeping etc
- an empowered accounts department and a COFA who will push back if they're suspicious.
- Anti-money Laundering Guidance for the Legal Sector
- Explore our AML resources including all the key legislation, practice notes and top tips
- The Risk and Compliance Service has topical features and podcasts on topics on AML matters
- SRA guidance on risk assessments
- See the joint publication of the International Bar Association, the American Bar Association and the Council of Bars and Law Societies of Europe: A Lawyer's Guide to Detecting and Preventing Money Laundering