AML: time for a review, but how?

New year resolutions: easy to make, difficult to keep. It will no doubt be the case that many money-laundering reporting officers (“MLROs”) will have promised themselves to update their anti-money laundering documentation this year. But is it happening? And, what precisely needs to happen?

In practice, most businesses subject to the Money Laundering Regulations have two key documents: (i) a firm-wide risk assessment; and (ii) an AML policy document (or a series of documents) that sets out the policies, controls and procedures the firm has put in place (together referred to as the AML documents in this article).

Law firms (and other businesses subject to the AML regulations) must keep their AML documents under regular review and update them as required. Most will have, at the very least, tinkered at the edges as the legal framework, policy and practice have been updated and developed – whether as a result of statutory changes, updated risk assessments from relevant authorities, guidance from the Law Society of Scotland, or after reported judicial decisions.

But there comes a time when a more comprehensive review is called for to ensure that the AML documents continue to be fit for purpose. This is also a very important health check for the internal controls and procedures that they reflect.

So, why do it? Well, first, a comprehensive review may flag up deficiencies requiring remedial action that, once implemented, should help reduce the risk of money launderers successfully targeting your firm. Secondly, the Society may of its own accord choose to audit your AML documents; you do not want to find yourself on the back foot trying to explain why your AML documents are out of date. And, if things do go wrong, evidence of a comprehensively updated set of AML documents will significantly assist you in any discussion with the Society or other authorities. Put simply, if your AML documents are out of date and no longer reflect either your firm or what is expected of your firm, you will have some very hard questions to answer, at best.

What to look for

To assist, in this article I set out for MLROs (or whoever in your organisation may be tasked with this) the sorts of questions they should be asking themselves as part of the review.

1. What was the origin of your AML documents? Were they a quick fix in 2017 (or later) using online templates? If so, there is a greater likelihood that they will benefit from a thorough review so that they correctly reflect your firm, its business and the degree of risk it carries.
2. Do your AML documents reflect how the AML legal and policy landscape has developed since 2017? Take some time out to go back through the legislative changes, the National Risk Assessment (“NRA”) (Home Office/Treasury, December 2020), the updated Affinity Group guidance (2021) and other guidance and advice from the Society. What has changed and what do you need to change?
3. Do your AML documents take into account developments in your firm, including changes in working practices and any impact they may have had on your assessment of the firm’s risk level, or the procedures and controls that may be required as a result? Take a big picture overview of your firm and, in particular, ask what has happened since 2017. Have any practice areas expanded or contracted? Are there any new service lines? New sources of business? Material changes in the number of employees? New offices? Mergers? New technology? Use of a third-party supplier for client verification? What has been the impact of working from home? Any material changes should be narrated in your updated AML documents so that you can clearly demonstrate to the Society or any other relevant authority that you have taken these into account in the reassessment of risk and in the review of the AML documents.
4. Is your assessment of the level of risk (whether at firm level or for the individual practice areas) the same as when you last did a comprehensive review of the risk level? Bear in mind that the NRA identifies conveyancing (residential or commercial), trust and company services, and the use of a client account, as inherently high risk. If a significant part of your firm’s practice involves any of these, can you reasonably consider that your firm is inherently “low risk”?
5. At a more basic level, do the AML documents properly reflect what is done on a day-to-day basis in your business? It is all very well having carefully crafted procedures and controls set out in a document, but if they are not being adhered to in practice, you need to establish why not and to determine what further changes are required. In practice you need to assess whether what is happening on the ground is (or is not) compliant with the regulations. And if not, consider what action is required to bring practice into line.
6. Review and refresh how you communicate AML requirements with your clients. Your clients are undoubtedly now more familiar with AML compliance requirements than they were in 2017. You can afford to be more directive and less apologetic. They will understand.
7. Is your training programme still appropriate for how your firm has chosen to organise itself in response to requirements of the AML regulations? It is essential that you review your training programme. External webinars have their place but they are not the complete solution. A well-structured training programme should address the evolving needs of your firm and be bespoke for its requirements. The training programme for a firm with a centralised AML team will not (or should not) be the same as that for a firm where the lawyers and their PAs are directly responsible for all client ID and verification as well as the necessary risk assessments.
8. As MLRO, can you be suitably objective? In many cases, the MLRO will in effect be marking their own homework and arguably may be too close to the process. You may want to consider getting someone from outwith the AML team to help you carry out the review (or to conduct a light touch “review of the review”). Sometimes it takes a fresh pair of eyes to test your AML documents robustly.
9. Action on amendments: if the review results in any amendments to your firm’s AML policies, controls and procedures, in terms of the regulations these changes must be approved by senior management and communicated to staff (and a written record kept of that approval and the staff communication).

AML compliance necessarily involves a continual cycle of review. This need not be unduly burdensome if proper thought and action are directed to what good review looks like. It will save you many headaches (or worse) in the future.