Since June 2017, firms have been required to conduct a firm-wide anti-money laundering (AML) risk assessment. This risk assessment is required under regulation 18(1) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘the AML regs’).
In this blog, I’ll break down what the assessment needs to cover, as well as offer some practical tips.
What does the regulation say?
Regulation 18 of the AML regs sets out that firms must take appropriate steps to identify and assess the risks of money laundering and terrorist financing in their firm.
The regulation further sets out that firms must consider information available from their supervisory body – which for most firms is the Solicitors Regulation Authority (SRA). They must also consider risk factors relating to:
- their clients
- the countries and geographic areas in which the firm operates
- the firm’s products or services
- the firm’s transactions
- the delivery channels of those services
When undertaking this risk assessment, firms must also consider their size and the nature of the work they undertake. Additionally, firms must keep a record of all steps taken to assess their own risk factors.
Lastly, the regulation states that the SRA can request sight of a firm's risk assessment.
What guidance is available?
Since the implementation of the AML regs, the SRA has increased its focus on AML compliance significantly. To that end, the SRA has conducted a number of firm visits and has requested firms’ AML risk assessments for review.
As a consequence of these visits and reviews, the SRA has issued a warning notice on complying with the regulations and guidance on the requirement for a firm-wide AML risk assessment.
Further, the Legal Sector Affinity Group guidance, published in January 2021, has a very useful guide outlining what a firm's AML risk assessment should cover and how that might be approached.
What should you be considering?
The SRA risk assessment
As set out in the regulation itself, your firm must take into account information provided by the SRA and the SRA AML risk assessment.
To that end, if the SRA deems a certain activity high risk and your firm undertakes it, you would be wise to make sure it's covered in your own risk assessment and appropriately risk-rated.
Use templates with care
The SRA noted in its reviews that some firms used templates (which do of course have their uses) but did not tailor them sufficiently to the firm at hand.
The AML risk assessment is bespoke to your firm and so it needs to address all practice areas, geographical issues, how your firm services clients, and so on.
There is no set risk assessment format.
Your firm can complete its assessment as a spreadsheet, a Word document or a table. The SRA has produced a template risk assessment that you can use as a starting point.
Rate your risk and cover with a spoonful of policies, controls and procedures
The purpose of the assessment is to understand your firm’s AML risk better, and put policies, controls and procedures (PCPs) in place (as required under regulation 19) to mitigate identified risk. What PCPs to put in place will naturally be dictated by the risk rating you give yourself.
Points to cover in an assessment
As outlined above, the AML regs give a very high-level list. The following could be your starting point.
Questions you need to ask yourself
Think about your firm’s clients and ask yourself the following:
Think about countries and geographical areas your firm operates in or receives funds from:
Think about the services your firm provides and the transactions it is involved with, and assess how risky those activities are. This could be used to assess:
Think about transactional risk:
Think about how you deliver your services – face to face or remotely:
Think about your people:
The SRA has produced a checklist to help firms prepare their risk assessment.
Your firm should make space in the assessment document to note when it was reviewed last, so you can show you are regularly reviewing it.
There are no set review times, but it would be advisable to review it at least once a year. However, two or three times a year is preferable, especially if your firm conducts work in high-risk categories.
Reviewing the risk assessment is also a good opportunity to review your AML policy.
Remember that a firm's AML risk assessment is a living document that needs to be reconsidered and adjusted at regular intervals. Don't let it get dusty.
Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society.
Rebecca is the author of Assessing and Addressing Risk and Compliance In Your Law Firm. Her next financial crime book to include AML is due to be published by the Law Society in September 2021.