AML Spotlight: Regulation 21 internal controls
Regulation 21 internal controls are the focus of our latest anti-money laundering (AML) blog spotlighting key topics and concerns. Our AML Risk Manager Dale Trahms discusses the benefits of internal controls, appointing a Money Laundering Compliance Officer (MLCO), independent audits and employee screening.
During inspections, we are often asked our opinion on whether a practice should apply internal controls and appoint an MLCO who will hold responsibility for the practice’s compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).
As per r.21 of the MLRs, this decision is dependent on the size and nature of the practice unit. We discuss what this means in practical terms, below.
What does “size and nature of a business” mean?
The phrase “size and nature” comes directly from the MLRs and is a buzz phrase amongst regulators, but what does it mean?
While the Legal Sector Affinity Group (LSAG) guidance does not specifically address the meaning of the phrase “size and nature”, it goes some way to pointing a practice in the right direction by stating this is “a business that may be large OR more complex”.
When determining whether to apply the controls, you should consider the risks and outcomes of your Practice Wide Risk Assessment (PWRA), including:
- Your client base, geographic factors, services provided, and distribution channels
- The number of partners, staff, and offices, including overseas
- Client demographics and services provided
- The risk profile, nature, and complexity of work
- The volume and value of work
- The level of visibility and control senior management has over operational client matters, considering management hierarchy layers.
- Any guidance by your supervisory authority (r.21(10))
Further details can be found in section 9.1 of the LSAG Guidance.
These controls are intended to assist larger and/or more complex businesses by providing methods to identify and mitigate risks associated with their size and complexity.
It is important to note that your practice does not necessarily need to qualify on both size AND nature. Considering the nature of the work you complete, regardless of the size of your practice, is encouraged.
Who should the MLCO be and what are the requirements?
R21(1)(a) mandates that, based on the business’s size and nature, a practice must appoint a senior management member or Board member as the MLCO.
The primary focus of this role is to lead within the senior management team, support the MLRO and ensure that the practice’s AML efforts are properly overseen and engaged with at the highest level.
The MLCO should possess:
- A thorough understanding of the business, its service lines and clients.
- Sufficient seniority to direct the activities of all staff members, including senior individuals, and influence resourcing levels and AML controls.
- The authority to ensure the business complies with the regulatory regime.
- The time, capacity and resources necessary to fulfil the role effectively.
Neither the MLRO nor the MLCO is required under the MLRs to undertake training beyond what is expected of the entire practice. However, specific AML training should be considered to increase knowledge and skills and is therefore encouraged.
Can the MLRO and MLCO be the same person?
Yes!
LSAG guidance 4.5 outlines that the roles can be held by the same person. However, larger and higher risk practices should consider the roles being held separately to increase the compliance resource.
It is important to understand that, while the MLCO can delegate some operational day-to-day AML compliance to the MLRO, the MLCO will still remain ultimately responsible and accountable for compliance.
Benefits of applying R.21 internal controls
As noted within LSAG guidance section 9.1, r.21(1) outlines a further two internal controls that practices must implement, depending on size and nature.
These controls aim to assist practices operating in higher inherent risk areas, by ensuring mechanisms to identify and mitigate risks arising from their scale and complexity. This includes controls to establish an independent audit function and screening relevant employees prior to, and during, their employment.
It is important to note that sole practitioners who do not employ any staff or engage with agents are exempt from implementing these internal controls, as per r.21(6).
Having appropriate internal controls in place helps identify and mitigate risks from practice size and complexity, and can help to catch compliance issues before an AML supervisor visits. On this basis, it is our view that adopting these internal controls is encouraged.
Internal audit requirements
The independent audit function aims to assess, evaluate, and provide recommendations on the adequacy and effectiveness of the practice’s AML policies, controls and procedures (PCPs). It is important to distinguish this from the requirements under R19(3)(e), which pertain to the ongoing monitoring and management of compliance with PCPs.
The auditor may not necessarily be external to the practice, but must be independent of the function being reviewed. For example, it should not be the MLRO or MLCO, or the team that performed the original work.
They should possess the necessary skills and knowledge of auditing and AML/CTF to effectively perform their duties and have the authority to access all relevant materials, including file materials, to evaluate and report on the adequacy and effectiveness of the PCPs.
If the audit is conducted by an internal partner or staff member, they must be prepared to report internally to the MLRO, if they have knowledge or reasonable suspicion that a matter involves the Proceeds of Crime.
When a practice engages an external auditor or consultant for AML-related services, it should thoroughly verify the individual's or organisation's expertise in AML and financial crime. This verification process should encompass their specialised knowledge, relevant skills and practical experience in the field. Such due diligence is crucial to ensure that the audit conducted is both comprehensive and effective in addressing the company's AML compliance needs.
Client/matter file sampling should be conducted on a risk-based approach, aligned with the risks identified and the outcomes of the PWRA. Sample sizes must be sufficient to demonstrate effective assurance of the practice’s PCPs across all locations and client/matter types.
A risk-based approach should be taken in relation to how often an independent audit is conducted. However, consideration should be given to clients and matters that pose the highest risk being audited more frequently.
Employee screening
Screening must be conducted both before and during the appointment.
The extent of screening and verification should be appropriate to the individual’s role, their level of independent authority and decision-making responsibilities.
A ‘relevant employee’ for screening purposes is someone whose work impacts your practice’s compliance with the regulations or who can contribute to:
- Identifying or mitigating money laundering and terrorist financing risks to your practice.
- Preventing and detecting money laundering and terrorist financing in relation to your practice.
Adopting an inclusive approach to screening ensures that staff can perform their duties effectively, thereby protecting the practice.
As with other matters, practices must ensure that any information collected for screening purposes is securely stored and complies with data protection legislation.
Pre-appointment screening could check qualifications, references, criminal history, and adverse media, while ongoing screening could monitor changes in criminal history, adverse media and new qualifications.
Further guidance on this is available in section 9.3.1 of the LSAG Guidance.
My practice is the appropriate size and nature. What do I do?
You should inform us as your supervisor of the MLCO appointment within 14 days. This can be done by emailing our member registration team at member.registration@lawscot.org.uk. It should also be updated through your online portal.
It is also essential to record and document the role, responsibilities and duties of the MLCO, as well as the reason for appointment, in your AML governance documents.
My practice is not the appropriate size and nature. What do I do?
Should you determine that your practice does not need to implement these controls, the rationale behind this decision should be clearly documented. You may need to justify to us, as your supervisor, why your practice does not meet this requirement and explain how it will not benefit from the additional protections these measures provide.
Key sources
- LSAG Guidance (relevant sections 4, 8.2 and 9)
- Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017