AML: two key stages

Clue: A psychological test whereby black ink shapes on a page must be interpreted by the viewer in order to look for a meaning or pattern.

One point if you said Rorschach test, but I will give half a point for “UK Money Laundering Regulations” or similar. Challenging as it is sometimes, it has never been more important to make a strong effort to comply with those regulations. The Law Society of Scotland’s increased dedicated AML supervision resource, and its provision of a popular new AML CPD course for solicitors, are stark examples of both supervisory intent and “customer demand” in the area, to say nothing of the ever-increasing ethical imperative underpinning the UK AML framework.

I often speak to firms who are interested to hear about the steps they should take and the extent they should go to in customer due diligence. This is right, of course, but there are some underlying AML compliance elements that are regularly overlooked while ruminating over practical CDD, and I cover just a couple of them below.

Practice wide risk assessment

The practice wide risk assessment (“PWRA”) is a crucial first step. It is essentially a look across the business, as opposed to a specific assessment of any one client or matter. By stepping back and measuring and analysing the business through the lens of AML risk, you build a picture of what your types of AML risk exposure are, what direction they are coming from, and at what level or volume you are exposed. The UK regulations require that you consider certain specific risk areas (clients, geography, services, transactions, delivery channels), and also information provided by the supervisory authority – in our case, the Law Society of Scotland’s own sectoral risk assessment, available at its website.

If you are cynical about the importance of the PWRA, and would prefer a stick to a carrot, consider this – the PWRA is likely to be one of the very first things an inspector checks at your firm. Do you want to kick off your inspection as a firm that appears at the outset to be uninterested and lacking knowledge in its risk exposure?

Recommended touchpoints for your PWRA are:

• an analysis of your business data, e.g. volumes of work in different practice areas;
• a review of reg 18 factors for practice risk;
• a review of the UK National Risk Assessment for AML;
• a review of the Law Society of Scotland’s own sectoral risk assessment;
• your assessment of what the above all means for you;
• not just downloading the Society’s template and writing Yes or No next to each section(!).

Key AML regulation: 18
Key Legal Sector Affinity Group guidance section: 5

AML record keeping

There are two areas of the regulations which relate to what I want to talk about in this section. The first is in reg 28, and it tells us that we must be able to demonstrate that the extent of the measures taken is appropriate in view of the risks of money laundering and terrorist financing.

Secondly, in reg 40 which deals with record keeping more broadly, we must retain sufficient supporting records to enable the transaction to be reconstructed.

Taken together, they clearly lay out the need for you to write and keep very strong notes and records for your clients and matters, including risk assessment and CDD steps taken.

Now, any AML inspector worth their salt will tell you: “If you didn’t write it down, it didn’t happen.” While that rule of thumb can be incredibly annoying in practice, as you start to feel bound to spend your time making notes ad nauseam instead of stopping money laundering, it may still help you somewhere down the line.

In my opinion and experience, it is well worth putting template forms in place which induce good notetaking as standard practice. Some firms still operate a sort of file note or blank sheet of paper approach, hoping that roughly the right stuff will be written down. Consider drafting styles which include specific areas for notes on risk assessment, screening, ID, source of funds etc, and where the policy is that each section must be well completed with good detail in order to be compliant with the firm’s approach.

Consider also naming conventions and where you store these documents. If an auditor or inspector asks you for the Joe Bloggs file for review, it is very beneficial to both you and them to be able to lay your hands quickly and cleanly on the relevant AML documentation; your inspector won’t start the review in a good mood if they have to trawl through 100 emails about grazing access for the sheep before they land on the material relevant for the AML.

Key AML regulations: 28(16), 40(1)
Key LSAG guidance section: 10