AML Frequently Asked Questions

We have created a guide to help members understand more about the AML inspections process and how to prepare for an inspection.

The guide offers a detailed insight into the types of AML inspection that the team do, why each inspection is conducted, the steps involved in an inspection, and what is expected of firms.

It covers: full assurance inspections, re-inspections (full or limited in scope), risk-based single file reviews, thematic reviews and attestation statements.

In addition, there is an overview of the AML team and its purpose, information on how to prepare for an inspection, how to provide requested documents, an extensive list of the types of documentation requested during an inspection, and process flows showing each step of an inspection.

AML Inspection Guide June 2024

Download AML Inspection Guide June 2024 PDF 1mb

Given our supervisory role and remit, the Law Society of Scotland AML team do not offer or endorse any AML-related software, consultancy, support or training - either provided independently by 3rd parties, or in partnership with Law Society of Scotland Commercial Services. We do however welcome initiatives or services designed to support and improve AML compliance across the legal sector.

Regulation 12(1) of the Money Laundering Regulations 2017 details the services which would bring a legal firm in scope for AML Supervision. These are:

(a) the buying and selling of real property or business entities;
(b) the managing of client money, securities or other assets;
(c) the opening or management of bank, savings or securities accounts;
(d) the organisation of contributions necessary for the creation, operation or management of companies; or
(e) the creation, operation or management of trusts, companies, foundations or similar structures, and, for this purpose, a person participates in a transaction by assisting in the planning or execution of the transaction or otherwise acting for or on behalf of a client in the transaction.

While some of these are clear, we are often asked by members who, for example, work in family law, immigration, or criminal defence, what constitutes “managing client money, securities or other assets”.
Although the Society does not advise on whether a firm should claim exemption from AML Supervision, we provide the following information in order to help firms come to a decision around what may not be managing client money.

A non-exhaustive list of actions which may not amount to managing client money are:

• Dispersal of funds as ordered by a court
• When acting in a divorce, dispersal of funds derived from the sale of marital assets when that sale was conducted by another practice, e.g., dispersal to your client of monies received from a separate practice which arise from the sale by that practice of the family home, most likely in terms of a Minute of Agreement
• Dispersing to your client an award arising from civil litigation e.g., a cheque received from an insurance company in connection with a personal injury claim.
• Dispersing to your client an award from the Criminal Injuries Compensation Board.

A non-exhaustive list of services which we believe may fall in scope out with those listed in Regulation 12(1) includes:

• Will writing. Although (at a very basic level) the simple act of writing a will may be treated as out of scope, it should be noted that writing a will could involve the creation of a trust even in a very basic capacity (i.e., holding funds in trust for beneficiaries under a certain age).
• Executry is an in-scope service as it relates to “managing client money”

o Though there may be rare instances where a beneficiary challenges an executor on the proposed division of the estate – therefore it may be solely a court that decides the division of an estate/dispersal of funds and the practice acts wholly on the court’s instructions. In these instances, it may be that the Executry does not fall under the definition of “managing client money” as detailed above.

Practices must determine themselves whether a matter is in scope of the regulations or not and should also be aware that there is no de minimis for small transactions or limited amounts of work. If something you do is in scope, the regulations apply in full.
It is crucial to keep in mind that not undertaking any of the services in Regulation 12 above does not exempt you from statutory obligations under the Proceeds Of Crime act and in particular sections: 327-329.

You should always be vigilant to the possibility of money laundering through your business and your obligation to file a Suspicious Activity Report (SAR) if necessary and therefore you should maintain a basic AML Policy and Procedure which would allow you to pass on basic due diligence to your supervisor or law enforcement.
Please also note, though your practice may be exempt from AML Supervision at a given time, should you undertake any business in future which brings you within scope of Regulation 12(1) as detailed above, you must inform us timeously and comply with the AML Registration and AML Certificate processes.

The Association of Certified Anti Money Laundering Specialists (ACAMS) defines crowdfunding as:

“the procedure of raising expansive amounts of cash from numerous people who are interacting via the internet in online consumer communities”

Crowdfunding brings with it various AML considerations, not least around identity and obfuscation.

Here are some quick tips on what to think about when considering business with crowdfunding:

• Is the crowdfunding platform regulated?  
• Some crowdfunding in the UK is done through an FCA-regulated platform, which may give a higher degree of comfort.
• Is the payment service linked to the crowdfunding regulated? 
• What electronic payment service is being used to transfer funds and is it regulated?
• What is the purpose of the funding? 
• If the funding is intended to purchase an asset or could be recoupable in some way (paid into a trust or similar), this makes it inherently higher risk.
• Why is the funding being sourced in this way? 
• Are you comfortable about the narrative you are given about why crowdfunding is being used as opposed to other traditional methods?
• Who can you identify/verify?  
• If the recipient of the funds is a charity, or if the funds are to be used to inflate a trust, confirm the ownership and control structure of the entity in question.
• It stands to reason that crowdfunding will make it difficult to carry out due diligence on every source of funding. However, you should still expect to be able to identify and verify relevant parties. These could be the individual(s) behind the idea, those controlling the funding or those donating over a certain % of the funds (due diligence should be performed where this individual donates significantly more in comparison to other contributors). You should be comfortable that you are able to show you have gathered adequate due diligence,

What other typical AML rules apply?

Apart from “crowdfunding specific” considerations, you shouldn’t lose sight of the normal checks undertaken for AML, what the client’s background is, and including other factors such as high-risk jurisdictions, PEPs, layering, value of transaction etc.

There is no panacea regarding due diligence where crowd funding is concerned - however you should clearly articulate and record the factors you have taken into consideration regarding your risk assessment, the due diligence performed and why you have performed it on specific individuals involved. EDD should be considered in cases where high value assets or recoupable payments are involved.

Regulation 4 (3) states: -

“For the purposes of these Regulations, an estate agent is to be treated as entering into a business relationship with a purchaser (as well as with a seller), at the point when the purchaser’s offer is accepted by the seller.”

On the face of it, this might mean that a selling solicitor has to, as part of their estate agency service, AML check the purchaser as well as their client.

Estate agent is defined in Regulation 3, General Interpretation: -

“Estate agent” has the meaning given by regulation 13(1);”

Regulation 13(1) states: -

“In these Regulations, “estate agent” means a firm or a sole practitioner, who, or whose employees, carry out estate agency work, when the work is being carried out.”

Estate agency work is defined in Regulation 13(2). The relevant part is underlined.

“For the purposes of paragraph (1) “estate agency work” is to be read in accordance with section 1 of the Estate Agents Act 1979(a) (estate agency work), but for those purposes references in that section to disposing of or acquiring an interest in land are (despite anything in section 2 of that Act) to be taken to include references to disposing of or acquiring an estate or interest in land outside the United Kingdom where that estate or interest is capable of being owned or held as a separate interest.”

Section 1(2)(a) of the Estate Agency Act 1979 is immediately below. The relevant part is underlined.

This Act does not apply to things done—

(a)in the course of his profession by a practicing solicitor or a person employed by him or by an incorporated practice (within the meaning of the Solicitors (Scotland) Act 1980) or a person employed by it;”

 Conclusion

• The 2017 Regulations define estate agency work in terms of an Act which does not apply to our members.
• For that reason, it is our view that solicitors are exempted from the definition of ‘Estate Agents’ in the 2017 Regulations.

Therefore, Regulation 4(3) does not apply to our members.

Introduction

A fundamental element of client due diligence is understanding the nature, background and circumstances of the client, including their financial position – and making an assessment as to whether the legal services provided to the client are in keeping with your understanding of that background and circumstances.

The financial circumstances of a client can broadly be categorised into Source of Funds (SoF), and Source of Wealth (SoW).

As per LSAG Guidance, you must take adequate measures to check SoF and SoW as a part of EDD when applied to PEPs. You should also consider doing so as a part of ongoing monitoring of any business relationship (whether high risk or otherwise). You should also apply a source of wealth check in other applications of EDD on a risk-based approach.

Source of Funds

LSAG Guidance states "Source of Funds refers to the funds that are being used to fund the specific transaction in hand – i.e., the origin of the funds used for the transactions or activities that occur within the business relationship or occasional transaction. The question you are seeking to answer should not simply be, "where did the money for the transaction come from," but also "how and from where did the client get the money for this transaction or business relationship." It is not enough to know the money came from a UK bank account".

Thus, Source of Funds means establishing the provenance of the particular funds for use in a transaction - this includes the remitting account details but also an understanding of the activity which generated those specific funds, for example savings from employment or inheritance

You may already be obtaining bank statements to show the client’s possession of the funds in question, and you should continue to do this on the understanding that these statements are also intended to evidence possession and transit of the funds i.e., what account they are coming from and is that in the name of the client

Example: A client is purchasing a flat for £400,000. The client, a teacher at a local high school, has obtained a mortgage but has a deposit of £25,000 to put down. The client explains that the deposit is a mix of employment savings and a gift from parents. The risk assessment is Medium (Standard CDD).

Source of Funds may be assessed and evidenced by, for example, obtaining bank statements to check for sufficient and regular credits from the expected employer and obtaining bank statements to check for gifted funds matching the amount detailed by client. Should remitter details be available, it may also be possible to check any connection/related names to the client’s details)

Where risks are assessed as higher (for example all the funding is being provided by the client) actions might also include more investigation to confirm the source of any gifted funds and/or evidence of employment, though there may also be reasons particular to any transaction (low, medium or high risk) where further investigation or evidence should be sought.

Source of Funds - Things to Consider

• Source of Funds should be evidenced in line with risk grading (and may have an effect on your risk grading!)

• It is not just about collecting documents; you should consider what you have been given e.g. Is the client’s explanation and evidence sensible/feasible? Do the bank statements show what you’d expect to see? How many months of statements should you collect in line with the risk profile?

• Document your rationale and decision-making - if the LSS asked you what you had done to satisfy Source of Funds, would you be comfortable explaining and evidencing the decisions you had made, why you made them, what you had done to satisfy requirements?

Source of Wealth

LSAG Guidance states "The source of wealth refers to the origin of a client’s entire body of wealth (i.e., total assets). SoW describes the economic, business and/or commercial activities that generated, or significantly contributed to, the client’s overall net worth/entire body of wealth. This should recognise that the composition of wealth generating activities may change over time, as new activities are identified, and additional wealth is accumulated. You should seek to answer the question: "why and how does the individual have the amount of overall assets they do – and how did they accumulate/generate these?"

When addressing SoW, you should consider whether the SoW is commensurate to your client in general i.e., does it make sense that the client in front of you obtained their wealth in the way that they have advised you?

SoW information will usually give an indication as to the volume of wealth the client would be expected to have, and a picture of how the person acquired such wealth. It does not however require you to account for all of a client’s assets, but to build a rationale and reasoning as to why they have such wealth and to provide assurance that it was obtained through legal means. This will help you to establish whether the transaction makes sense.

Aside from the bank statements you might collect as part of Source of Funds (which remains an obligation even when Source of Wealth checks are engaged), you should collect and assess documents which account for the wider wealth of your client. Depending on the client, this evidence may include audited accounts, share registers, property portfolios or other reliable documents that give you comfort as to the level of wealth of the client, and where it came from.

Example: A non-face to face client instructs your firm in the purchase of an £800,000 home. The client is using her own funds with no mortgage or lending, and during your screening it is confirmed that she is an entrepreneur with a high net worth. She explains that the funds for this purchase are coming from a single property sale, but you know from public sources she generates income from a well-known private equity fund, as well as having a wider property portfolio. Her husband is a senior cabinet minister.

Obtaining bank statements to show the proceeds of the property sale she mentioned would go some way to covering Source of Funds (although in this high-risk situation you may want to check later that the funds arrive from that same account etc.), but the client is a PEP by her association with her PEP husband.

In this situation, you must also establish and evidence the client’s SoW. This may include obtaining documentation regarding drawdowns/income streams from the private equity fund, and the value/ any income derived from the property portfolio.

Source of Wealth - Things to consider

• Does the matter involve high risk or a PEP?

• Along with the specific funds being used in the business relationship/transaction at hand, what is the value of the client’s overall body of wealth and where/what activity is it generated/derived from?

• What types of information, evidence or documentation would help you gain comfort that the client’s wealth is not derived from criminal activities (including the proceeds of corruption) extent do you feel you need to go to satisfy the risk?

Is the client’s explanation and evidence sensible/feasible?

• Document your rationale and decision-making - if the LSS asked you what you had done to satisfy Source of Wealth, would you be comfortable explaining and evidencing the decisions you had made, why you made them, what you had done to satisfy requirements?

Source of Funds and Source of Wealth - Why do they exist separately?

As the inherent risk increases, so does the need to be surer that the funds in use in a matter are not derived from criminal activities (including the proceeds of corruption) by understanding the funds proffered for use in a particular transaction (SoF) and the client’s funds more generally (SoW).

In higher risk situations, it is important to evidence both, in order to ensure that the SoF evidence collated to fund one transaction is not then used again to fund another.

For example, a client is able to demonstrate to your firm that they possess £1m in order to fund a house purchase, and those funds have been derived legitimately (source of funds). The client could then go to another department in your firm, or to another firm and (in the absence of SoW checks being undertaken) potentially use the same SoF information to then buy another £1m property or use for another investment/business activity.

Evidencing Source of Wealth would help prevent or mitigate the risk of this scenario occurring and may also mitigates the risk of commingling funds from another part of the client’s total wealth, which may include the proceeds of crime particularly in PEP/higher risk scenarios.

Summary Table

Further information:

LSAG Guidance

Wolfsberg Guidance on Source of Funds and Source of Wealth

Source of Funds and Source of Wealth: What you need to know 

There are certain jurisdictions around the world which have been deemed as presenting various risks in terms of the funds you may receive from them (for example increased risks of money laundering, corruption, bribery, tax evasion etc).

Risk profiling countries is a difficult task and there is no single global arbitrator on this. For example, the US State Department's Money Laundering Assessment is separate from Transparency International's Corruption Index.

We have some useful links in our Jurisdictions and Sanctions section found on our Additional Support page.

In light of the information in these resources, should you deem the client or transaction to be of higher risk, based on jurisdictional risk and/or other factors, Enhanced Due Diligence should be applied. This would include verification of the source of wealth involved in the transaction, as per the previous FAQ.

Sanctions:

Remember, certain jurisdictions, entities and individuals are sanctioned. This is different from the client/transaction or jurisdiction simply being of higher risk and it may preclude you from acting without applying for a licence to do so from the Office of Financial Sanctions Implementation (OFSI).

You should consult the UK government website for further information before progressing any such business. You may also wish to speak to our Professional Practice helpdesk.

A method for screening clients for Sanctions, Politically Exposed Persons (PEPs) and adverse media should be part of your usual procedures. You should implement a procedure relative to the size and nature of your business i.e., you may wish to carry out manual public sources' checks, or you may wish to employ a third-party electronic platform to carry out these searches for you. See our later FAQ on electronic providers.

You will find helpful information in the Financial Sanctions Guidance provided by The Office of Financial Sanctions Implementation (OFSI), (which is part of HM Treasury) and the UK Sanctions List on the UK Government website.

If your client cannot attend your office at any point in the transaction, you may first wish to consider why. A client who avoids much interaction with you may be a red flag, especially if that client is local to you. You should also consider any compounding risk factors.

There will, of course, be times where a client legitimately cannot attend. In this instance you should obtain a copy of their ID which should be certified by an appropriate person. The UK Government website lists these persons. You should be satisfied that the person certifying the document genuinely holds the position they claim to.

Alternatively, you may wish to use R.39 "Reliance" to obtain relevant Customer Due Diligence (CDD) information (including ID and verification) on your client from another regulated professional. This is different to simply obtaining an appropriate certified document. For further information on using this regulation please see the Legal Sector AML Guidance. Please note that at all times the relying firm will remain responsible for the adequacy of the due diligence you obtain under the terms of R.39.

If your client is not attending and someone else claims to be acting on behalf of this person, this is a separate issue, and you must (under Regulation 28.10) verify that that person acts on behalf of your client as well as verifying the representative's identity.

There may be legitimate requests to send payments to a third party (e.g. pay Registers of Scotland or similar providers necessary to the smooth running of the underlying transaction) and therefore there is no Accounts Rule permitting or disallowing this, however, you should keep in mind that there are risks associated with undertaking this, especially if the request is unusual or there appears to be no normal business rationale for doing so. This may represent a risk as these payments can circumvent all the good CDD work you have carried out on the parties in a transaction. We therefore do not recommend paying money to a third party, other than in the normal course of business.

Generally, we recommend paying funds back to the client, who can transfer it on from there.

There are various commercial providers of electronic identification/verification (including Sanctions, PEPs, Adverse Media Checkers, Company Registry Information Providers, and verification of Identification Providers), which collate information from sources such as electoral rolls and other governmental records, credit agencies etc.

These may be acceptable as part of Identification and verification however the onus is on you to take appropriate steps to understand how the tool works, where it derives its data from, how it searches and be satisfied as to the validity and reliability of the information the tool is reporting. Further, you should consider the GDPR/Data Protection implications for incorporating one of these systems into your procedures.

Please note, we do not endorse any particular provider of these services, nor can we make any statement regarding the quality of the underlying data they use or how they collect/use/store this, or your client's data.

Your AML policy statement is the organisation-level document which sets out your approach to AML within your business. You can find an outline policy in the Risk and Policy Templates section of our AML Toolkit, which outlines all necessary sections. Please tailor this to the individual circumstances of your business.

Where you conduct any business on an ongoing basis or which has a recurring element, you must conduct ongoing monitoring. This allows you to ensure you remain compliant. The Money Laundering Regulations stipulate that ongoing monitoring must include;

• Scrutiny of transactions to ensure that the transactions are consistent with your knowledge of your customers business and risk profile
• Undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up to date.

For long-term business/clients, you should have a clear policy and procedures around how often, and in what way, your AML checks are to be refreshed. At a minimum you should assess the service provision, any changes in ownership and Identification and verification documents for anything which may represent a material change to the risk profile or the validity of your records. These refreshes should be recorded by your business.

If a transaction/matter is undertaken over a more significant timeframe (where significant factors may change such as those involved in the transaction, the amounts involved or even the underlying assets) it may be necessary to undertake interim risk assessments to ensure the risk profile of the transaction has not changed. These interim assessments should also be recorded.

The 2017 Money Laundering Regulations dictate that where “there is more than one supervisory authority for a relevant person, the supervisory authorities may agree that one of them will act as the supervisory authority for that person.” 

We have agreed a memorandum of understanding with the Solicitors Regulation Authority, which assigns responsibility for AML supervision, based on the location of law firms’ registered offices.

For clarity, firms whose registered offices are in Scotland will be supervised for AML compliance by the Law Society of Scotland and the Solicitors Regulation Authority will supervise firms whose registered offices are in England or Wales for AML compliance.

When verifying the identity of a Client, pursuant to Regulation 28 of the Money Laundering Regulations 2017, it is generally understood that you will request to see an identification document, such as a passport, and an original proof of address for a natural person as a minimum.

In order to evidence the date received and, indeed, that you have seen the individual and the documentation at the same time, we recommend that you certify with copies with a statement similar to the following.

For the ID document

“Having seen the individual and the identification document at the same time, I certify that this is a true copy and the photograph bears a reasonable likeness of the individual.”

For other documentation, such as a proof of address:

“Having seen the original and the photocopy at the same time, I certify that this is a true copy of the same.”

For both of the above, the certifier should include the following–

• Name
• Position
• Name of Firm / Organisation
• Contact details, namely their physical address and / or email address plus a contact number
• Signature
• Date

The same applies to certifying the due diligence documentation for any legal entity or arrangement such as a Trust and the connected Principals.

Furthermore, when requesting due diligence from a Third Party such as another regulated entity / relevant person, you should ensure that you receive the original copies of the documentation with a similar statement to those suggested above, signed and dated.

If applicable, the certifier should include the relevant professional body of which they are a member as well as their membership number.

The Law Society of Scotland (LSS) anticipates that the volume of clients wishing to use funding which derives or has derived from cryptocurrency (crypto) will increase over the coming years

Using a source of funds that derives from crypto is entirely legitimate, however it remains inherently high risk and the profession should consider the following information to support potential enhanced due diligence requirements across such matters.

The decision to act for a client whose funds derive from crypto should be considered and documented in detail within the client/matter risk assessment and in the context of the practices risk appetite. The practice should have in place appropriate controls to mitigate any risks present and document these accordingly.

Overarching crypto risks include:

• Pseudo anonymity, particularly where anonymised coins or mixers/tumblers are used (see below)

• Its continued use in underlying/predicate crimes, e.g., it’s use on the dark web including for the purchase of illegal drugs, arms and weapons and certain types of consumer investment frauds such as Ponzi schemes.

• Crypto remains unstable and highly volatile

This advisory note is in respect of whole or partial private funding of conveyancing purchases where this funding has already been converted from crypto to fiat currency (i.e., a government-issued currency that is not backed by a physical commodity, such as gold or silver, but by a government).

It does not extend to situations where a client wishes to fund a transaction directly (either wholly or partially) using cryptocurrency.

What is “crypto”?

The Financial Action Task Force (FATF) defines a virtual asset as a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies

The term Cryptocurrency - or crypto - relates to the concept that digital assets may be designed to be used as a method of unconventional payment and are a digital currency in which transactions are verified and records maintained by a decentralized system using cryptography, rather than by a centralized authority.

There are many crypto assets, and you may have heard of some tokens in the news, such as Bitcoin and Ethereum.

A cryptocurrency exchange is an online platform that allows customers to trade cryptocurrencies – either in exchange for conventional fiat money or for other cryptocurrencies.

Assessing the AML risk associated with crypto currencies/assets

A client’s involvement with crypto may not in itself present immediate AML/TF concerns, however, the use of crypto is a higher risk factor to be considered during risk assessment (as per LSAG Guidance s 5.6.1.3).

As a result, Practices should strongly consider Enhanced Due Diligence (EDD) measures when sources of funds/wealth are derived from or via crypto.

Practices should consider/document the following:

• Is this within my practice risk appetite?

• Is the use of crypto in keeping with my knowledge of the client, their background and the context of the client/matter? Does the rationale for the use of crypto make sense?

• What is the value of the deposit coming from crypto? How did that asset perform and over what period? i.e., has the asset grown or fallen in value? Can your client provide evidence of this from their crypto account?

• Can you establish and evidence how the client funded the original acquisition of the cryptocurrency (i.e., their original source of funds/wealth). Is the explanation in line with your knowledge of the client, and can this be evidenced?

• Can the client provide evidence of the crypto portfolio? Such as:
o When was it created?
o Evidence of deposits from the client?

• Consideration should be given to whether the crypto wallet is hosted or unhosted.
A crypto wallet can be software or hardware that allows users to store and use crypto. Unhosted wallets are a type of self-custody wallet that allow users to keep their balances off an exchange.

If unhosted, can the client prove they have control of the wallet? Consideration should be given as to how the practice would gain comfort around this. i.e., can the client provide screenshots of the wallet, or send a trivial amount to/from the wallet to prove ownership? (commonly known as the “Satoshi Test”)

• Do you have access to any specialist reports (often called Blockchain analytic scans) which provide an understanding of the provenance of the funds used? Can the client provide these?

There are a number of companies that can provide these services, supporting AML compliance in this area. While the LSS does not recommend an individual company, a simple internet search of “blockchain analysis companies” will return various providers.

• Has the client used a reputable crypto service provider? Is it regulated by the FCA? (Some wallet providers remain unregulated and/or are based outside the UK).

A list of the regulated firms can be found on the FCA's website here. Regulated crypto businesses are subject to the MLR’s and are supervised for AML purposes by the FCA (see below section re. the UK regulation of crypto).

• Red flag: has the client used a mixer/tumbler service? (see below). The client should be able to provide evidence that such as service has not been used by showing the end-to-end journey of the crypto through their wallet.

High Risk Mixer/Tumbler Services

Mixer (tumbler) services are a way for a person to gain a level of anonymity while making crypto transactions. This service allows for potentially identifiable funds to be mixed with others in an attempt to disguise the trail.

Should it become apparent that a client has engaged in this type of transaction (or cannot show the end-to-end journey of the crypto through their wallet) this should be taken as an inherent red flag, and robust enhanced due diligence measures applied, including seeking a reasonable explanation from the client as to why they have used such a service.

Mixing services are not supported in the UK, therefore consideration should also be given to any geographical risks inherent in the jurisdiction in which this activity has occurred including whether the same level or standard of AML regulation is applied within this jurisdiction.

The LSS regards the use of crypto mixers/tumblers as an inherently high-risk factor/red flag.

UK Regulation of Crypto

Since 10 January 2020, all UK crypto service providers have been in-scope of the Money Laundering Regulations 2017, must be registered with the Financial Conduct Authority (FCA) and are regulated for AML purposes. Further information on this can be found:

• Money Laundering Regulations 2017, as amended
• Cryptoassets - FCA

LSAG 5.6.1.3 states “where an entity is supervised for AML itself (high value goods businesses, crypto-asset wallet providers etc.) to a comparable standard, this may be seen as presenting reduced risk”. Such factors should be considered within the individual client/matter risk assessment undertaken.

Summary

Fundamentally, many customer due diligence considerations in relation to source of funds and source of wealth remain the same no matter whether crypto assets have been used or not.

There is no one-size-fits-all when it comes to applying risk-based, robust and holistic due diligence.

That said, when the source of funds/wealth to a transaction involves the use of crypto, there are a number of additional considerations to be documented in any risk assessment performed, as outlined across this advisory note.

These should be considered, clearly articulated and recorded across the risk assessment and due diligence performed.

Please be aware that any such transactions undertaken must also be disclosed as part of the next AML Certificate submission.

Suspicious Activity Reporting

As always, if you know or suspect a person is engaged in money laundering or dealing with criminal property you must submit a suspicious activity report to the National Crime Agency (NCA) through the NCA SAR online portal. The NCA glossary code used in relation to concerns around crypto is XXVAXX and should be used accordingly.

Further Information:

Further information can be found at:

FCA Guidance
JMLSG Guidance (Pt II, Chapter 22)
LSAG Guidance
FATF Guidance

When providing regulated AML services, you may wish to place reliance (Regulation 39) on another licensed and regulated service provider (third party) to conduct appropriate and effective Customer Due Diligence CDD checks on your behalf.

The benefits of placing reliance on a third party can save time and expedite the delivery of your services to the client. However, there are factors that you must consider and document -

1. your policies, controls, and procedures (PCPs) must address the associated risks when placing reliance on a third party
2. detail when reliance is permitted, the conditions precedent and the necessary controls you have in place to satisfy your firm that you are indeed meeting your statutory obligations to comply with Regulation 28 of the MLR17
3. obtain the agreement of the third party
4. establish and document that the third party has appropriate and effective PCPs in place to ensure they are robust and executed
5. ensure that the third party can make the CDD information available to you immediately on request
6. ensure that the third party retains the documentation pursuant to Regulation 40 and
7. Periodically test that the arrangements are adequate

Conversely, should your firm be relied upon you must ensure that you have the factors listed above in place and, importantly, that you have the consent of the parties involved in the matter to share the CDD information and documentation that you hold on file.

Please note: You cannot outsource your responsibility to ensure that your firm complies with the Regulations and will remain liable for any failures.

Another factor to consider is the geographical location of the third party. You can only place reliance on the following regulated entities in the UK:
a credit or financial institution as defined in Regulation 10
auditors, insolvency practitioners, external accountants and tax advisers as defined in Regulation 1

• independent legal professionals as defined in Regulation 12
• trust or company service providers as defined in Regulation 12(2)
• estate agents as defined in Regulation 13
• high value dealers as defined in Regulation 14(1) and
• casinos as defined in Regulation 14(2)
  
  Further detail can be found on Reliance within the LSAG Guidance, Section 6.23 (Reliance and Outsourcing)

As per the Law Society of Scotland’s Risk Appetite Statement February 2021, the Society recognises that attempting to pursue or enforce a zero-failure regime across our supervised population is self-defeating, counter-productive and acts against the profession’s and wider public interest in terms of access to justice, cost, and the provision of high-quality legal advice.

To that end, whilst we expect our membership to adhere with the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (as amended) (MLRs), we also understand that breaches can and will happen.

As set out schedule 4(12) of MLRs, supervisors must collect information regarding “the number of contraventions of these Regulations committed by supervised persons”.

Therefore, you must report breaches of the regulations to the Society's AML team, where you have not complied with the requirements of the regulations and where the result of a breach has been serious.

Types of breaches

Non-exhaustive examples of serious breaches include:

• Intentional or wilfully negligent breaches of legal requirements in relation to applicable anti-money laundering legislation or regulation.
• repeated unintentional or repeated accidental breaches of legal requirements in relation to applicable anti-money laundering legislation or regulation.
• systemic breaches associated with a failure of AML-related policies, controls, or procedures.
• the facilitation of business activities which bear the hallmarks of money laundering activity (this does not replace the legal requirement to file a SAR where appropriate).

You must also report breaches of related legislation for which AML supervisors don’t have a direct regulatory responsibility but is still relevant to your ability to prevent financial crime (for example breaches of Financial Sanctions legislation).

You do not need to report one-off or non-systematic breaches of the regulations which are limited in scope and impact.

How to report a breach?

Should you wish to make a breach report, you can do so by submitting the MLR Breach Reporting Form and send to AML@Lawscot.org.uk with the subject line: “AML Regulations Breach”.

The information obtained is for the purposes of reviewing and assessing the extent and nature of any breaches, to enhance our risk-based approach to supervision and produce relevant materials to support solicitors fulfil their responsibilities under the MLRs.

If you have concerns about data protection, you can find information about how we use your personal data in our privacy policy.

LSAG Guidance Section 12.6 states:

"Before establishing a business relationship with a:

• Company (registered or unregistered as defined in the Unregistered Companies Regulations 2009(1));
• Limited Liability Partnership; or
• Scottish Partnership;

- a practice must collect proof of registration (e.g., via the client) or an excerpt from the relevant register.

If the firm finds a discrepancy between information relating to the beneficial ownership of the company which it collects as above, and information which becomes available to it
whilst carrying out its duties under the ML Regulations (during its onboarding process), the
discrepancy must be reported to Companies House (R30A(3))

Practices that encounter such discrepancies while fulfilling their AML duties, must report them, but it is not a requirement for practices to actively seek out such discrepancies."

In order to report identified discrepancies to Companies House, you can access the register here.

Further information on people with significant control (PSC) discrepancy reporting in the form of a recorded webinar can also be found here. 

Further information is also available on our AML Toolkit under Other Guidance.

We recently published an updated Scottish sectoral AML risk assessment, which included information on clients and business matters with links to higher risk jurisdictions. It is vital to ensure there continues to be close scrutiny of sources of funds and potential exploitation of legal services by organised crime and in the assessment.

We stated our view that the inherent money-laundering risks associated with Chinese individual direct investment activity, capital flight and high value goods trading are significant in the Scottish legal sectoral context. More information can be found on this subject through the following Supervisory Advice Note and associated webinar:

• Chinese underground banking – Money laundering risks, and potential exploitation of legal services by organised crime
• as well as the Legal Sector Affinity Group (LSAG) – Advisory Notice - Chinese underground banking and funds from China (Published March 2023).

In September 2022 The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 came into force and saw the introduction of the requirement for practices to identify and mitigate the risk of Proliferation Financing (PF)

All Practices in scope of the regulations are asked to consider the definition of PF under r.16A and to either (dependent on size and nature):

• Incorporate PF into their existing Practice Wide Risk Assessment (PWRA) (r.18) and use this to inform their Policies, Controls and Procedures (PCPs) (r.19) in line with r.18A and r.19A or:
• Ensure a separate PF PWRA is created which captures and outlines how PF risk is mitigated at the practice and use this to inform their PCPs (r.19) in line with r.18A and r.19A.

Practices are also asked to consider the risk of PF across all regulatory requirements, including (but not limited to) client/matter risk assessments, CDD/EDD, relevant staff training, internal controls and record keeping.

We ask that practices make themselves familiar with these compulsory additional requirements and continue to monitor and update their Policies, controls, and procedures accordingly.

Additional resources regarding Proliferation Financing, it’s background and context:

• FATF’s Guidance on Proliferation Financing Risk Assessment and Mitigation
• HMT’s National Risk Assessment of Proliferation Financing

Measures were introduced in 2020 to support businesses affected by COVID-19. These measures included loans, grants, and tax allowances. One type of loan provided was the Bounce Back loan. 

Bounce Back loans were provided on the condition that they were not to be used for personal purposes, but could be used, for example, to purchase a company asset such as a vehicle, if it would provide an economic benefit to the business. 

As per our 2022 Sectoral Risk Assessment, we remain of the supervisory opinion that practices should be alert to the potential for fraud that may be related to pandemic government schemes, such as Bounce Back loans.  

Should practices form knowledge or suspicion of such loans being used for reasons not aligning with the conditions set out, they should file a Suspicious Activity Report (SAR) to the National Crime Agency (NCA).  

It is important to note that SARs may also be filed retrospectively and practices are also asked to consider if they have acted on any such transactions.

We acknowledge that the post-pandemic environment has given further opportunities for criminals to launder money and the profession should be alert to this.  

The Society is also aware of the increasing media coverage around Bounce Back loan fraud and corresponding convictions. We urge the profession to remain vigilant and mindful of this when risk assessing their clients source of funds for property/asset purchases. 

HMRC has published a fact sheet on Bounce Back loans that can be found here. This fact sheet covers repayment of the loans, misconduct and provides some case studies.  

Information regarding Suspicious Activity Reporting can be found on our website here and within LSAG Guidance Section 11. 

We recognise that the universal right of access to legal services is an extremely important issue, as is the right to privacy and confidentiality regarding gender identity.

The Money Laundering Regulations (MLRs) and corresponding Legal Sector Affinity Group (LSAG) Guidance require practices to identify and verify a natural person’s name, date of birth and current address. There is no requirement to identify and verify gender or sex of an individual.

LSAG Guidance Section 6.14.4 states that practices may use government photo identification including passports or driving licenses to verify these details. LSAG also emphasises throughout that the requirements to identify and verify should not preclude access to legal services, especially to vulnerable, elderly or disadvantaged clients where it is not possible to obtain standard documentation. Practices should consider the reliability of other sources and assess the risk on a matter by matter basis.

Furthermore, LSAG Guidance Section 6.14.5 states that “You should be mindful that some aspects of an individual’s identity (particularly name and/or sex) may change over time for entirely legitimate reasons, for example due to a change in sex or gender, or due to other life events such as a marriage or discretionary change of name. Such changes should not be used as a reason to withhold legal services in isolation, or necessarily interpreted as an indicator of higher AML risk."

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) require practices to carry out anti-money laundering / identification and verification (ID&V) checks on clients, both as individuals and corporate entities, which inevitably involves the processing of personal data and sometimes special category data.  

Practices have a legal obligation to carry out identification and verification checks on clients and therefore, the lawful basis for processing any personal data for this purpose is Article 6(1)(c) of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. 

Consent can be difficult to obtain and maintain given that in the context of personal data processed for the purposes of AML checks, law firms are obliged to retain this information for at least a period of five years. If the client withdraws their consent during that time, then the practice must delete the ID&V information obtained using that consent if requested, as there would be no lawful basis under data protection law to retain this information. 

Data controllers cannot change their lawful basis for processing, so we would advise that consent is not relied upon as a lawful basis for such checks. 

Increasingly practices are using technology to carry out ID&V checks remotely and as such, the technology supplier will be a data processor. Therefore, it is important to remember that the practice remains responsible for the processing carried out through the technology, as they remain the data controller.   

Furthermore, some technology suppliers are utilising the use of biometric data, such as facial recognition. This is classed as special category data, so must be thought about more carefully. 

This technology should only be used if necessary and the decision about necessity lies with the practice.   

Should your practice use biometric data for AML purposes, there is a lawful basis set out in schedule 1 part 2 of the Data Protection Act 2018, which sets out the list of substantial public interests in the UK for processing provided by Article 9(1)(g). Paragraph 12 allows processing that is necessary for the purposes of complying with a regulatory requirement.  

The controller must also consider the retention of AML records and in particular the retention of biometric data. 

The Law Society of Scotland’s supervisory position is that practices should be able to document that relevant verification checks have been completed and a summary of the information on which the check was based is held along with the result and detail of decisions made following the result. 

Due to this, it may not be necessary for the biometric data to be retained by the technology company. As it is a processor, the practice can instruct the technology company to delete personal data held on its behalf.