New AML guidance: what you need to know

Approved guidance, such as that of the Legal Sector Affinity Group (LSAG), is a fundamental constituent of the UK anti-money laundering regime. It is intended to convey the wider intention, risk-based nature and spirit of the Money Laundering Regulations to businesses regulated for AML purposes.

It is there to add colour to the underlying regulations. It helps legal professionals understand how to comply with their AML obligations by offering more focused, practical advice, guidance and support across all the main aspects of the UK regime.

The guidance also serves to set out the Society’s supervisory expectations of firms. Practice units are not required to follow the guidance; however, the Society will consider whether firms have complied with this guidance when undertaking AML supervisory inspections and you may be asked by us to justify a decision to deviate from the guidance.

In addition, compliance with approved guidance may provide a possible legal protection for businesses. Essentially, those contemplating civil or criminal action under the Money Laundering Regulations, the Proceeds of Crime Act (POCA) or the Terrorism Act 2000 (TACT) must consider the ability of the business to demonstrate compliance with authorised guidance.

Why has it been updated now?

This significant rework and extension of the guidance from the last iteration in 2018 reflects the increasing prominence and complexity of AML risks, issues and challenges in the legal sector.

These factors, along with increased AML supervisory oversight, mean that it has become even more important to set out clearly our supervisory expectations on firms and give the profession up-to-date, practical and in-depth support to help them comply with their obligations. The changes that have been introduced are intended to support solicitors in this increasingly demanding area of practice. The revised guidance can be accessed through this link: bit.ly/LSAGAML

New guidance: the key changes

Key compliance principles introduced

The new guidance has seen the introduction of 36 High-Level Compliance Principles, which, along with the underlying regulations, should be seen as the building blocks to a strong AML risk control framework within the firm.

These cover all the key AML considerations, and addressing the areas covered in them will really help your practice comply with its AML obligations. Documentary evidence of adherence to these principles will help to demonstrate compliance in any future AML inspection of your practice.

The rest of the guidance document is then built around these principles. The top of each following section repeats the principles that are most applicable to that section, giving in-depth, practical advice in order to help you implement and embed good AML controls at the heart of your business.

Enhanced AML governance and policies, controls and procedures

This section seeks to highlight what strong AML governance and control within your firm may look like. This includes what should be documented in AML policy/procedures and guidance around the roles and responsibilities of both the senior management or partnership of the firm and the specific duties of the MLRO/MLCO. Again, some of this guidance is prescriptive, as per regulatory requirements, and some may depend on the size, nature and risk profile of your firm.

Risk assessment expanded

A risk-based approach is fundamental to the UK AML regime and is an area of AML control that the profession consistently asks for more guidance around. With this in mind, LSAG thought it important and appropriate to greatly expand from the previous version of the guidance, with clear sections relating practice-wide, client and matter level risk assessment.

A robust (and documented) practice-wide risk assessment lies at the heart of AML control at any firm. A question I often pose to MLROs is: “How can you manage AML risk in your business, if you haven’t given consideration to what inherent AML risks your business is actually exposed to?” Only once a practice has adequately assessed and documented these risks can it start to consider the extent of the AML policies, controls and procedures it needs to put in place to mitigate these risks. This can range from due diligence procedures through to what training it should give to staff.

Within the boundaries of regulatory requirements, a good-quality, documented, practice-wide risk assessment may also allow practices to ease AML controls in areas of the business less exposed to AML risk, potentially reducing AML-related resource and cost pressures. This is the essence of a risk-based approach.

The guidance further details the risk factors firms should consider across practice-wide, client and matter risk assessments, and highlights the requirement to link risk assessment outcomes to the level and nature of due diligence undertaken on clients and matters.

Client due diligence (CDD) rewritten

This new section highlights that CDD is far wider than simply verifying and documenting a client’s identity. It is about gaining and documenting a sufficient understanding of the client’s background, sources of funding and the purpose and nature of the matter you are being engaged in. These elements of CDD are critical in determining money laundering risk and therefore safeguarding your business – in many ways actually more so than simply verifying that a client is who he/she says they are.

It also sets out our supervisory position regarding “longstanding relationships”. While “knowing the client and their background” will, of course, be helpful in taking a risk-based approach and undertaking holistic due diligence, a personal or longstanding relationship with a client does not negate or rescind the client due diligence requirements of the regulations.

In our experience, the profession often finds source of funds/source of wealth checking to be challenging, complex and difficult to apply in practice. This section therefore significantly expands guidance in this important area, giving definitions, the circumstances when such checking must or should apply, and what evidence should be documented. It also gives expanded guidance on enhanced due diligence: in what circumstances it is required, and what “enhanced” checks may entail, tailored to specific circumstances of the client/matter.

Technology section added

This is a brand new section close to my heart, both because I wrote it and because it is a hugely significant development in the context of the guidance.

In a modern age, it is clear that non-face-to-face clients/transactions can no longer be viewed as automatically high risk (although this remains a significant risk factor for consideration). It is also clear that the RegTech movement is becoming an increasingly secure and sophisticated way of undertaking identity verification, checking beneficial ownership records, or performing sanctions, PEP and adverse media checking.

While firms can still continue to use traditional documentary means, such as passports etc, technology may in fact be lower risk than traditional means in some circumstances. That bold assertion does not come without caveat – anyone using AML technology must understand and be trained in its functionality, limitations, the quality and accuracy of the underlying data it uses and what any back-end results actually mean. The broad functionality and use within the firm should be documented. It is not enough simply to run a check, put it on file and “tick the box”. RegTech is not a substitute for holistic AML due diligence incorporating an understanding of the nature, purpose and background of the client/transaction.

Legal professional privilege (LPP) extended

This section has been extensively revised by an independent expert, to concentrate on the practical issues, considerations and documentation relating to LPP in a situation where the solicitor is considering submission of a suspicious activity report. This has been undertaken by grouping together relevant resources in one document, a refocus on the circumstances of the underlying retainer and first principles, and the construction of a practical framework to aid and guide you through what is inevitably a challenging position for any practitioner to find themselves in.

Next steps

This article serves only as a short summary of key changes. Firms should still familiarise themselves with the content of the actual guidance and review/update their internal AML policies, controls and procedures accordingly. We will of course allow firms adequate and ample time to do so, particularly given the unprecedented economic pressures caused by the current pandemic.

I hope, too, that the document will serve practitioners in the longer term, by acting as a useful reference tool to be used as and when firms require assistance on a given AML issue.

N.B. The words document, documented, documenting, documentation and documentary appear 14 times across this article, not including this paragraph – for a reason. It is vital that practitioners can evidence the steps they have taken to mitigate and control AML risk within their business. Submission of relevant, contemporaneous AML-related file notes and records can make a huge difference to AML inspection outcomes.